Summary of Contents for Cisco WS-CE500
Page 1
ADMINISTRATION GUIDE Cisco Small Business SA500 Series Security Appliances...
DMZ for Public Websites and Services
Configuring ProtectLink Web & Email Security
Site-to-Site Networking and Remote Access
Wireless Networking
Chapter 2: Networking
Configuring the WAN Connection
Viewing the WAN Status
Creating PPPoE Profiles
Configuring an IP Alias
Cisco SA500 Series Security Appliances Administration Guide...
Page 4
Configuring the Ports
Configuring SPAN (Port Mirroring)
QoS Bandwidth Profiles
Creating QoS Bandwidth Profiles for WAN Interfaces
Traffic Selectors
LAN QoS
Enabling LAN QoS
Port CoS Mapping
Port DSCP Mapping
DSCP Remarking
Dynamic DNS
Page 5
Advanced Radio Configuration
Chapter 4: Firewall Configuration
Configuring Firewall Rules to Control Inbound and Outbound Traffic
Preliminary Tasks for Firewall Rules
Configuring the Default Outbound Policy
Configuring a Firewall Rule for Outbound Traffic
Page 6
Configuring IPS
Configuring the IPS Policy
Configuring the Protocol Inspection Settings
Configuring Peer-to-Peer Blocking and Instant Messaging
Chapter 6: Using Cisco ProtectLink Security Services
Chapter 7: Configuring VPN
About VPN
Configuring a Site-to-Site VPN Tunnel
Configuring an IPsec VPN Tunnel for Remote Access with a VPN Client...
Page 7
Firmware and Configuration
Upgrading Firmware and Working with Configuration Files
Maintaining the USB Device
Using the Secondary Firmware
Diagnostics
Measuring and Limiting Traffic with the Traffic Meter
Configuring the Time Settings
Configuring the Logging Options
Page 8
Chapter 10: Status
Device Status
Device Status
Resource Utilization
Interface Statistics
Port Statistics
Wireless Statistics for the SA520W
VPN Status
IPsec VPN Status
SSL VPN Status
Quick VPN Status
Active Users
View Logs
Page 9
Restoring Factory Default Configuration Settings
Appendix B: Standard Services
Appendix C: Technical Specifications and Environmental Requirements
Appendix D: Factory Default Settings
General Settings
Router Settings
Wireless Settings
Storage
Security Settings
Appendix E: Where to Go From Here
Demilitarized Zone or Demarcation Zone, which allows public services such as web servers, without exposing your LAN. • SPEED LED—(Green or Orange) Indicates the traffic rate for the associated port. Off = 10 Mbps, Green = 100 Mbps, Orange = 1000 Mbps.
USB Port—Connects the security appliance to a USB device. You can use a USB device to store configuration files for backup and restore operations.
NOTE The back panel of the SA520W includes three threaded connectors for the antennas.
To place the security appliance on a desktop, install the four rubber feet (included) on the bottom of the security appliance. Place the device on a flat surface.
Page 14
Getting Started Installation Wall Mounting
STEP 1 Insert two 17 mm screws, with anchors, into the wall 15 cm apart (about 5.9 inches). Leave 3-4 mm (about 1/8 inch) of the head exposed.
Page 15
Each security appliance requires 1 rack unit (RU) of space, which is 1.75 inches (44.45 mm) high.
CAUTION Do not overload the power outlet or circuit when installing multiple devices in a rack.
STEP 3 For DSL, a cable modem, or other WAN connectivity devices, connect an Ethernet network cable from the device to the WAN port on the back panel. Cisco strongly recommends using Cat5E or better cable.
STEP 4 For network devices, connect an Ethernet network cable from the network device to one of the dedicated LAN ports on the back panel.
SA500 Series Security Appliances from your administration PC or laptop. You can access the security appliance by using any web browser (such as Microsoft Internet Explorer or Mozilla Firefox).
STEP 5 Click Log In. The Getting Started (Basic) window opens. For more information, see Using the Getting Started Pages, page
NOTE You can use the Cisco Configuration Assistant (CCA) to launch the Configuration Utility if you are using the security appliance with a CCA-supported device, such as the UC500.
Started button in the menu bar. • To prevent the Getting Started (Basic) page from appearing automatically after you log in, check the Don’t show this on start-up box. Getting Started (Basic) Page
Page 20
Getting Started Getting Started with the Configuration Utility Getting Started (Advanced) Page
Click on the triangle next to the main branch title to expand or contract its contents. Click on the title of a feature or subfeature to open it. Main Content The main content of the feature appears in this area.
Optional Port: This port is preset to act as a secondary WAN port. Alternatively, you can configure the Optional port for use as a DMZ port or an extra LAN port. See Scenario 1: Basic Network Configuration with...
IP address of 192.168.75.1. You can log on by entering cisco for the username and cisco for the password. You are strongly encouraged to change the default username and password.
Check to Edit Password: Check this box to enable the password fields. • Enter Your Password: Enter the current password. The default password for this new security appliance is cisco. • New Password: Enter a password that contains alphanumeric, ‘—’ or ‘_’...
As you get started using your security appliance, consider the following configuration scenarios: • Scenario 1: Basic Network Configuration with Internet Access, page 26 • Scenario 8: Cisco Smart Business Communications System Configuration, page 28 • Scenario 7: DMZ for Public Websites and Services, page 29 •...
1. Review the WAN configuration and make any changes that are needed to set up your Internet connection. In the WAN & LAN Connectivity section of the Getting Started (Basic) page, click the WAN settings link. For more information, see Configuring the WAN Connection, page
Page 27
LAN Settings link. For more information, see Configuring the LAN, page 3. If you are going to use your security appliance with your Cisco Smart Business Communications System (SBCS), install and configure your UC500. Scenario 8: Cisco Smart Business Communications System Configuration, page 4.
Getting Started Common Configuration Scenarios Scenario 8: Cisco Smart Business Communications System Configuration You can use the security appliance to protect your Cisco Smart Business Communications System network.
[Figure: network diagram. Labels: Laptop computer, Outside Network, Private Network, Printer, Internet, SA 500, Access Device...]
DMZ (Demarcation Zone or Demilitarized Zone). This zone acts as a separate network between your private LAN and the Internet. After you configure your DMZ, you can configure the firewall rules that enable traffic to connect only to the services that you specify.
Page 30
Internet Access, page Configuration tasks for this scenario: To start configuring a DMZ, use the links in the DMZ Port section of the Getting Started (Advanced) page. For more information, see Configuring a DMZ, page
Cisco ProtectLink Security services. By using these services, your network is protected from email threats in the Internet “cloud” and web threats in the Cisco security appliance, providing access only to email and websites that are appropriate for your business.
Page 32
Started (Advanced) page to review and modify the policies that were created by the Wizard. For more information, see Configuring an IPsec VPN Tunnel for Remote Access with a VPN Client, page 139.
Page 33
Getting Started (Advanced) page to review and modify the policies that were created by the Wizard. For more information, see Configuring an IPsec VPN Tunnel for Remote Access with a VPN Client, page 139.
Page 34
VPN users. Optionally, you can use other links to configure the policies, client settings, routes, and resources for your SSL VPN. For more information, see Configuring SSL VPN for Browser-Based Remote Access, page 154.
2. Although you can begin using your wireless network right away, you should configure the security settings to protect your network and the data that you transmit. To configure your wireless network, see Chapter 3, “Wireless Configuration for the SA520W.”
Configuring a DMZ • VLAN Configuration • Routing • Port Management • QoS Bandwidth Profiles • Dynamic DNS • Configuring IPv6 Addressing Networking To access the Networking pages click from the Configuration Utility menu bar.
(Idle Time). Choose this option if your ISP fees are based on the time that you spend online. If you select option, also enter the Idle Time in minutes...
Page 38
• DNS Server Source: DNS servers map Internet domain names (example: www.cisco.com) to IP addresses. You can get DNS server addresses automatically from your ISP or use ISP-specified addresses. Get Dynamically from ISP: Choose this option if you have not been assigned a static DNS IP address.
WAN and the optional WAN (if applicable): • Connection Time • Connection Type: Dynamic IP (DHCP) or Static IP • Connection State: Connected or Disconnected • Link State: Up or Down
STEP 1 Click Networking > WAN > PPPoE Profiles, or from the Getting Started (Basic) page, under WAN & LAN Connectivity, click PPPoE profiles. The PPPoE profiles window opens.
STEP 2 Click Add to create a new profile.
The IP Aliases window opens. Any currently configured WAN IP aliases used by the WAN port appear in the List of IP Aliases table.
STEP 2 Click Add to add a new alias.
Page 42
IP Address: The IP address alias added to this WAN port of the router. • Mask: The IPv4 subnet mask
STEP 4 Click Apply to save your changes. The new alias appears in the List of IP Aliases table.
DHCP request from a DHCP client. • By default, your LAN is configured for IPv4 addressing. If you need to enable IPv6 addressing, see Configuring IPv6 Addressing, page 77 Configuring the IPv6 LAN, page
DHCP Relay: Choose this option to allow the security appliance to use a DHCP Relay. If you choose this mode, also enter the IP address of the Relay Gateway. • Domain Name (optional): Enter a name for the domain.
Page 45
Viewing the LAN Status, page • To reserve certain IP addresses always to be used by particular devices, click LAN > DHCP Reserved IPs. For more information, see DHCP Reserved IPs, page
VLAN. Any PC that is connected to the specified LAN port is on a separate VLAN and cannot access other VLANs, unless you enable inter VLAN routing.
Page 47
Voice VLAN: The VLAN is enabled with the VLAN ID 100. IP Address: 10.1.1.1 IP Address Distribution: DHCP Server Start IP Address: 10.1.1.50 End IP Address: 10.1.1.254 Subnet Mask: 255.255.255.0
Page 48
After you click Add or Edit, the VLAN Configuration window opens.
STEP 3 Enter the following information: • Name: Enter a descriptive name, for reference. • ID: Enter a unique identification number, which can be any number from 2 to 4091.
Page 49
Untagged data coming into the port is assigned the specified PVID. Data that is sent out of the port from the same PVID is untagged. All other data is tagged.
Page 50
STEP 2 • IP Address: Enter the VLAN subnet IP address. • Subnet Mask: Enter the subnet mask for this VLAN.
STEP 3 In the DHCP section of the page, choose the DHCP mode:
Page 51
DNS requests and to communicate with the DNS servers of the ISP. When this feature is disabled, all DHCP clients on the VLAN receive the DNS IP addresses of the ISP.
STEP 3 Enter the IP address and the MAC address of the device that you want to add. Each reserved IP address should be outside the configured DHCP pool addresses.
STEP 4 Click Apply to save your settings.
Optional port for use as a LAN port.
STEP 1 Click Networking > Optional Port > Optional Port Mode. The Optional Port Mode window opens.
STEP 2 Choose LAN.
STEP 3 Click Apply to save your settings.
• PPPoE Profile Name: Choose a PPPoE profile. To manage the profiles in the drop-down list, see Creating PPPoE Profiles, page • User Name: The user name that is required to log in...
Page 55
• DNS Server Source: DNS servers map Internet domain names (example: www.cisco.com) to IP addresses. You can get DNS server addresses automatically from your ISP or use ISP-specified addresses. Get Dynamically from ISP: Choose this option if you have not been assigned a static DNS IP address.
Page 56
Viewing the WAN Status, page • Recommended: To configure auto-rollover, load balancing, and failure detection for your ISP links, click Optional Port > WAN Mode. For more information, see Configuring Auto-Rollover, Load Balancing, and Failure Detection, page
To maintain better control of WAN port traffic, consider making the WAN port Internet addresses public and keeping the other one private. Figure 2 shows an example of Dual WAN Ports configured with Load Balancing.
Page 58
Load Balancing: Choose this option if you have two ISP links that you want to use simultaneously. After you complete this procedure by clicking the Apply button, you need to configure the protocol bindings. See Configuring the Protocol Bindings for Load Balancing, page
Page 59
Retry Interval is: Specify how often, in seconds, the security appliance should run the above configured failure detection method. • Failover after: Specify the number of retries after which failover is initiated.
STEP 4 Click Apply to save your settings.
Started (Advanced) page, under Secondary WAN Port, click Configure Protocol Bindings (Optional - if WAN Mode set to Load Balancing). The Protocol Bindings window opens. Any existing protocol bindings appear in the List of Available Protocol Bindings table.
STEP 2 Click Add.
DMZ but cannot penetrate the LAN. You should configure your DMZ to include any hosts that must be exposed to the WAN (such as web or email servers).
Page 62
[Figure: DMZ network diagram. Labels: Internet; Source Address Translation 209.165.200.225 / 172.16.2.30; Public IP Address 209.165.200.225; SA 500; DMZ Interface 172.16.2.1; LAN Interface 192.168.75.1; Web Server, Private IP Address: 172.16.2.30, Public IP Address: 209.165.200.225; User 192.168.75.10; User 192.168.75.11]
Page 63
172.16.2.30. The firewall rule specifies an external IP address of 209.165.200.226. Internet users can enter the domain name that is associated with the IP address 209.165.200.226, and they are connected to the web server.
DHCP Relay: Choose this option to allow the security appliance to use a DHCP Relay. If you choose this mode, also enter the IP address of the Relay Gateway. • Domain Name (optional): Enter a name for the domain.
Page 65
Configuring a Firewall Rule for Inbound Traffic, page 110. • If you want to reserve certain IP addresses for specified devices, click Optional Port > DMZ Reserved IPs. For more information, see Reserved IPs, page
After you click Add or Edit, the DMZ Reserved IPs Configuration window opens.
STEP 3 Enter the IP Address and the MAC Address.
STEP 4 Click Apply to save your settings.
DMZ. NAT is the default option. • Classic Routing: Choose this option if your ISP has assigned an IP address for each of the computers that you use.
WAN, Optional WAN, DMZ or LAN), through which this route is accessible. • Gateway IP Address: Enter the IP address of the gateway router through which the destination host or network can be reached.
RIP-2 includes all the functionality of RIPv1 plus it supports subnet information. Though the data is sent in RIP-2 format for both RIP-2B and RIP-2M, the mode in which packets are sent is different.
The Port Management window opens.
STEP 2 Choose the following options for each port: • Enable: Check this box to enable the port. To disable the port, uncheck the box. By default all ports are enabled.
Do you want to enable Port Mirroring: Check this box to enable port mirroring. • Mirror all LAN Ports to: Choose the LAN port that will monitor all of the other LAN ports.
STEP 3 Click Apply to save your settings.
Other options: Click the Edit button to edit an entry. To delete an entry, check the box and then click Delete. To select all entries in the table, check the box at the left side of the heading row.
STEP 3 choose either DSCP, which is a layer 3 IP field, or CoS, which is a layer 2 Ethernet header field, depending on your requirements.
STEP 4 Click Apply to save your settings.
DSCP values.
STEP 1 Click Networking > Remark CoS to DSCP. The Remark CoS to DSCP window opens.
STEP 2 For each CoS value, use the drop-down list to choose the corresponding DSCP value.
Update every 30 days: Check this box to allow the security appliance to update the host information on DynDNS and keep the subscription active after the 30 day trial.
STEP 4 Click Apply to save your settings.
STEP 2 In the Internet(IPv6) Address area, choose Static IPv6 if your service provider assigned a fixed (static or permanent) IP address. If you were not assigned a static IP address, choose DHCPv6.
Page 79
DHCPv6 server at the ISP to obtain a leased address.
STEP 5 Click Apply to save your settings.
NOTE Next steps: To configure the LAN, click IPv6 > IPv6 LAN Config. For more information, see Configuring the IPv6 LAN, page
Disable DHCPv6 Server (the default setting). If you want the security appliance to act as a DHCP server that dynamically assigns IP addresses to all connected devices, click Enable DHCPv6 Server, and then complete all fields that are highlighted with white backgrounds.
Page 81
Router Advertisement Daemon (RADVD). For more information, see Router Advertisement Daemon (RADVD), page • If you want to configure the LAN address pools, click IPv6 > IPv6 Address Pools. For more information, see IPv6 LAN Address Pools, page
All hosts in the network have the identical initial bits for the IPv6 address. The number of common initial bits in the addresses is set by the prefix length field.
STEP 4 Click Apply to save your settings.
To delete an entry, check the box and then click Delete. To select all entries in the table, check the box at the left side of the heading row. After you click Add or Edit, the IPv6 Static Route Configuration window opens.
180 seconds, the routes learned from the neighbor are considered as unreachable. After another 240 seconds, if no routing update is received, the security appliance removes these routes from the routing table.
WAN interface. The table shows two fields: the name of the tunnel and the IPv6 address that is created on the device. To open this page, click Networking > IPv6 > IPv6 Tunnels Status.
LAN is an IPv4 network), or a specific LAN IPv4 address. • IPv4 Address: Enter the local end point address if not the LAN IPv4 address.
STEP 4 Click Apply to save your settings.
MLD Queries to be sent less often. The minimum value of Query interval is 100 seconds and maximum value is 1800 seconds.
STEP 3 Click Apply to save your settings.
Advertisement Interval. MinRtrAdvInterval = 0.33 * MaxRtrAdvInterval. The default is 30 seconds. • RA Flags: Choose one of the following options: Managed: Choose this option to use the administered/stateful protocol for address auto configuration.
SLA ID. The SLA ID (Site-Level Aggregation Identifier) in the 6to4 address prefix is set to the interface ID of the interface on which the advertisements are sent. • IPv6 Prefix: Specify the IPv6 network address.
Page 90
• Prefix Lifetime: Enter the maximum number of seconds that the requesting router is allowed to use the prefix.
STEP 4 Click Apply to save your settings.
This configuration helps you to maintain better control over broadcast and multicast traffic, which affects network performance. For each access point, you can customize the security mode, the Quality of Service settings, and the radio.
A wireless profile specifies the security settings. Optionally, you can configure advanced wireless settings, QoS settings, and MAC filtering. After you configure a wireless profile, you can assign it to any access point.
NOTE Cisco strongly recommends WPA2 for wireless security. Other security modes are vulnerable to attack.
Page 93
(i.e. 64 WEP has a 40-bit key which is less secure than the 128 WEP which has a 104-bit key).
Page 94
List of Available Access Points table. For more information, see Controlling Wireless Access Based on MAC Addresses, page • For RADIUS authentication, configure the RADIUS settings. See Configuring RADIUS Server Records, page 193.
You can choose from four Class of Service queues to prioritize the data traffic over the wireless link: • Voice: Highest priority queue, minimum delay. Used typically to send time-sensitive data such as Voice over IP (VoIP).
Any device can use this access point. MAC Filtering provides additional security, but it also adds to the complexity and maintenance. Be sure to enter each MAC address correctly to ensure that the policy is applied as intended.
Page 97
Allow: All of the devices in the MAC Address table are allowed to use this access point. All other devices are denied access. • Deny: All of the devices in the MAC Address table are prevented from using this access point. All other devices are allowed access.
Choose AM or PM from the drop-down list. • Max Associated Clients: Enter the maximum number of clients that can connect to this access point at any time. The default is 8 clients.
STEP 1 Click Wireless > Radio Settings > Radio Settings. The Radio Settings window opens.
STEP 2 Enter the following information: • Region: Choose a geographic region from the drop-down list of regions.
Page 100
Default Transmit Power: Enter a value in dBm as the default transmitted power level for all APs that use this radio. The default is 20 dBm.
STEP 3 Click Apply to save your settings.
96 μs. The long preamble is needed for compatibility with the legacy 802.11 systems operating at 1 and 2 Mbps. The default is Long.
Page 102
Retries are used for both long and short frames, of size less than or equal to the RTS threshold.
STEP 3 Click Apply to save your settings.
• Direction of the traffic • Days of the week and times of day • Keywords in a domain name or on a URL of a web page • MAC addresses of devices
Services.”) If you need to configure a firewall rule for a service that is not on the standard list, first you must identify the service by entering a name, specifying the type, and assigning the port range.
Page 105
Weekend that is active all day on Saturday and Sunday. For more information about the time settings for your security appliance, see Configuring the Time Settings, page 184.
Page 106
STEP 1
STEP 2 To add IP Aliases, click Add.
STEP 3 Choose the WAN interface from the Interface drop-down menu. This is the interface to which you will add the IP address.
This procedure explains how to configure a firewall rule for the following traffic flows: • From the LAN to the WAN • From the LAN to the DMZ • From the DMZ to the WAN For examples, see Firewall Rule Configuration Examples, page 114.
Page 108
Internet, or choose DMZ if the traffic is going to a server on your DMZ. If the From Zone is the WAN, the To Zone can be the public DMZ or secure LAN.
Page 109
QoS Priority: You can use this rule to prioritize traffic. Each priority level corresponds to a Term of Service (ToS) value.
Normal-Service: ToS=0 (lowest QoS)
Minimize-Cost: ToS=1
Maximize-Reliability: ToS=2
Maximize-Throughput: ToS=4
Minimize-Delay: ToS=8 (highest QoS)
NOTE In addition to configuring firewall rules, you can use the following methods to control inbound traffic: • You can prevent common types of attacks. For more information, see Configuring Attack Checks, page 118.
Page 111
If the From Zone is the WAN, the To Zone can be the public DMZ or secure LAN. If the From Zone is the LAN, then the To Zone can be the public DMZ or insecure WAN.
Page 112
Enable Port Forwarding: Check the box to forward traffic to a particular port. • Translate Port Number: If you enabled port forwarding, enter the port number that will be the destination for the forwarded traffic.
Rules. Only the rules for the specified security zones appear. For example: If you choose WAN and LAN from the Zone drop-down menus, only the rules for the WAN to LAN security zones appear.
STEP 3 To reorder the rules, click Move.
Solution: Create an inbound rule as follows: Parameter Value From Zone Insecure (WAN1) To Zone Service HTTP Action ALLOW always Source Hosts Internal IP Address 192.168.5.2 External IP Address Dedicated WAN
Page 115
Solution: Create an inbound rule as shown below. In the example, connections for CU-SeeMe (an Internet video-conferencing client) are allowed only from a specified range of external IP addresses. Parameter Value From Zone INSECURE (Dedicated WAN/Optional WAN) To Zone Secure (LAN) Service CU-SEEME:UDP
Page 116
To Zone INSECURE (Dedicated WAN/Optional WAN) Service HTTP Action BLOCK by schedule Schedule Weekend Source Hosts Address Range From 10.1.1.1 10.1.1.100 Destination Hosts
• Configuring Attack Checks • Configuring MAC Filtering to Allow or Block Traffic • Configuring IP/MAC Binding to Prevent Spoofing • Configuring a Port Triggering Rule to Direct Traffic to Specified Ports
• Block Ping to WAN interface: Check this box to prevent attackers from discovering your network through ICMP Echo (ping) requests. Cisco recommends that you uncheck this box only if you need to allow the security appliance to respond to pings for diagnostic purposes.
STEP 2: In the MAC Filtering Enable area, enter the following information: • Enable MAC Address Filtering?: Check the box to enable Source MAC Address Filtering. • Policy for MAC Addresses listed below: Choose one of the following options:
Delete. To change the status of a rule, check the box and then click Enable or Disable. To select all entries, check the box in the first column of the table heading.
See Appendix B, “Standard Services.” NOTE: Port triggering is not appropriate for servers on the LAN, since the LAN device must make an outgoing connection before an incoming port is opened.
The ports are opened dynamically whenever the security appliance detects traffic that matches a port triggering rule. To view this page, click Firewall > Port Triggering > Port Triggering Status. The following information appears:
0 and 4,294,967 seconds. The default is 120 seconds (2 minutes). • Other Session Timeout Duration (seconds): Inactive non-TCP/UDP sessions are removed from the session table after this duration. This value can range between 0 and 4,294,967 seconds. The default is 60 seconds.
Enable Content Filtering: Check the box to enable content filtering. Enable this feature when you want to configure and use features such as a list of Trusted Domains, keyword filtering, and so on.
Page 125
However, several websites use cookies to store tracking information and browsing habits. Enabling this option filters out cookies from being created by a website. STEP 4: Click Apply to save your settings.
URL box. For example, if you entered yahoo, then your users can access websites such as www.yahoo.com, tw.yahoo.com, www.yahoo.com.uk, and www.yahoo.co.jp. STEP 5: Click Apply to save your settings.
For example, if you enter yahoo for the URL, then your users are prevented from accessing websites such as www.yahoo.com, tw.yahoo.com, www.yahoo.com.uk, and www.yahoo.co.jp. STEP 4: Click Apply to save your settings.
NOTE: After you enable the logging, you can view these logs by clicking Status on the menu bar, and then clicking View Log > View All Logs. STEP 4: Click Apply to save your settings.
STEP 2: Check the box to enable SIP ALG support or uncheck the box to disable this feature. If this feature is disabled, the router will not allow incoming calls to the UAC (User Agent Client) behind the router. STEP 3: Click Apply to save your settings.
Configuring IPS • Configuring the IPS Policy • Configuring the Protocol Inspection Settings • Configuring Peer-to-Peer Blocking and Instant Messaging To access the IPS pages click IPS from the Configuration Utility menu bar.
IPS signatures when they become available. To enable the auto update option, check the Automatically Update Signatures box. Enter your Cisco.com User Name and Password to authenticate to the signature update server. These credentials are only required once. Click Apply to save your settings.
• Manual Signature Updates: To manually update the latest signature file, click the Cisco.com link to obtain the file and download it to your computer. Browse to the location of the signature file on the local PC and then click Upload.
For IPS messages to be logged, you must configure IPS as the facility. For more information, see Logs Facility and Severity, page 189. STEP 3: Click Apply to save your settings.
The SA500 Series supports Cisco ProtectLink Security Services. These services provide layers of protection against different security threats on your network. • Cisco ProtectLink Web provides all users with web threat protection to prevent access to dangerous websites and URL filtering to control employee access to non-business related websites.
Remote Access with a Web Browser: A remote worker uses a web browser to initiate a VPN tunnel to access the available services on the corporate network. See Configuring SSL VPN for Browser-Based Remote Access, page 154.
STEP 3: In the Connection Name and Remote IP Type area, enter the following information: • What is the new connection name?: Enter a name for the connection. The name is used for management and identification purposes.
Page 138
For the example illustrated in Figure 5, the remote site, Site B, has a LAN IP address of 10.20.20.0. • Remote LAN Subnet Mask: Enter the associated subnet mask for the above entered subnet IP Address.
The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC), and assumes a pre-shared key, which greatly simplifies setup. For information about the VPNC recommendations, see: www.vpnc.org/vpn-standards.html.
Page 140
Documentation at: www.cisco.com/go/sa500resources. The Cisco VPN client software is available for download at: www.cisco.com/go/ciscovpnclient. For Windows, select Cisco VPN Client v5.x. For Mac OS, select Cisco VPN Client v4.x. NOTE: A 3-year Cisco Small Business Support Service Contract (CON-SBS-SVC2) is required to download the client software.
Page 141
Configuring the IKE Policies for IPsec VPN, page 144. • To review or update the configured VPN policy click IPsec > VPN Policies. For more information, see Configuring the IPsec VPN Policies, page 148.
RADIUS server, see Configuring the IKE Policies for IPsec VPN, page 144. If you are using the Cisco VPN Client, see the Application Note located under Technical Documentation at: www.cisco.com/go/sa500resources.
Page 143
Quick VPN. This option should be selected when the clients use QuickVPN Client. • Allow user to change password?: If you chose Cisco QuickVPN for the Remote Peer Type, you can check this box to allow the user to change the password.
VPN policies for a VPN tunnel. After the Wizard creates the matching IKE and VPN policies, you can make changes, as needed. Advanced users can create an IKE policy from Add but must be sure to use compatible encryption, authentication, and key-group parameters for the VPN policy.
Page 145
Local device and the Remote device, below. If FQDN, User FQDN or DER ASN1 DN is selected as the identifier type, then Main Mode is disabled and Aggressive Mode is applied.
Page 146
Selecting RSA-Signature disables the pre-shared key text box and uses the Active Self Certificate uploaded in the Certificates page. In that case, a certificate must be configured in order for RSA-Signature to work. Managing Certificates for Authentication, page 190.
Page 147
The username can include any alphanumeric characters. Password: Enter the password for the security appliance to use when connecting to the remote server.
You cannot enable, disable, edit, or delete the backup policies. You can only take actions on the primary policy, by using the buttons in the List of VPN Policies table.
Page 149
WAN gateway for the tunnel based on the optional WAN link configuration. For this type of configuration, Dynamic DNS has to be configured because the IP address will change due to failover. See Dynamic DNS, page
Page 150
Key-Out: Encryption key of the outbound policy. The length of the keys depends on the chosen algorithm: DES: 8 characters; 3DES: 24 characters; AES-128: 16 characters; AES-192: 24 characters; AES-256: 32 characters; AES-CCM: 16 characters
Page 151
SAs; otherwise the system could eventually run out of resources as a result of this asymmetry. The lifebyte specifications are generally recommended for advanced users only.
Page 152
Status. For more information, see IPsec VPN Status, page 210. • To view IPsec VPN logs, click Status > View Logs > IPsec VPN Logs. For more information, see IPsec VPN Logs, page 215.
Page 153
Otherwise, the changes will not take effect. STEP 1: Click VPN > IPsec > Dynamic IP Range. The Dynamic IP Range window opens. STEP 2: Enter a Start IP range and End IP range for the IP address.
You can use SSL VPN to provide access to the following types of services on your network: • Internal websites • Web-enabled applications • NT/Active Directory and FTP file shares • E-mail proxies, including POP3S, IMAP4S, and SMTPS • MS Outlook Web Access • MAPI
Limit Internet access for Clientless SSL VPN users, for example, by limiting which resources a user can access using a clientless SSL VPN connection. To do this, you could restrict the user from accessing general content on the
Port Forwarding: You can configure port forwarding to allow access to a limited set of resources. For example, you may want the SSL VPN users to access the email service only. See Configuring SSL VPN Port Forwarding, page 163.
URL. The browser displays a login page with several features that you can configure: 1. Portal Site Title: appears at the top browser 2. Banner Title 3. Banner Message Configurable Areas of the SSL VPN Portal Layout
Page 158
• ActiveX web cache cleaner: Check this box to load an ActiveX cache control whenever users login to this SSL VPN portal.
The User window opens. The default Administrator and Guest users appear in the List of Users table, along with any new users that you add. STEP 2: To add a user, click Add.
You can create user, group, and global policies. Policies are applied based on the following levels of precedence: • User-level policies take precedence over Group-level policies. • Group-level policies take precedence over Global policies.
Page 161
Policy For: Choose the type of policy: Global, Group, or User. If you choose Group, also choose the group from the Available Groups list. If you choose User, also choose the user from the Available Users list.
Page 162
STEP 6: Click Apply to save your settings. NOTE: Next steps: Enable Remote Management (RMON), if you have not done so previously. If RMON is disabled, SSL VPN access is blocked. See RMON (Remote Management), page 197.
The following table lists some common applications and corresponding TCP port numbers: TCP Application Port Number FTP Data (usually not needed) FTP Control Protocol SMTP (send mail)
Page 164
Local Server IP Address: Enter the IP address of the internal host machine or local server. • TCP Port Number: Enter the port number of the TCP application that enables port forwarding. STEP 4: Click Apply to save your settings.
“network adapter” with an IP address from the corporate subnet, DNS and WINS settings is automatically created. This feature allows access to services on the private network without any special network configuration on the remote SSL VPN client machine.
Page 166
Client Routes for Split Tunnel Mode, page 167. • DNS Suffix (Optional): Enter the DNS Suffix for this client. • Primary DNS Server (Optional): Enter the IP address of the primary DNS Server for this client.
Page 167
Destination Network using this page. NOTE: You can configure client routes only if Split Tunnel support is enabled on the SSL VPN Client page. See Configuring the SSL VPN Client, page 166.
Port Forwarding information window opens. The user can click the Launcher icon to connect to the remote servers. • Change Password: The user can click this link to change his or her password.
VIP service during the initial stages of deployment. • VIP Production: Choose this option if you have purchased VeriSign service. The service will use VIP production servers to authenticate your users. c. Click Apply to save your settings.
After the user has been associated with a credential, the same user cannot be associated with a different credential. Only available users are shown in the user list. STEP 4: Click Apply to save your settings.
There are two default accounts. You can change the user name and password for these accounts but you cannot change the user policies. • admin: The administrator account, which has read-write access to all settings.
When you create a domain, a group is created automatically. It has the same name as the domain and is associated with the domain. To edit the group settings, see Groups, page 173.
NOTE: For security, a password should contain no dictionary words from any language, and should include a mixture of uppercase and lowercase letters, numbers, and symbols. The password can be up to 30 characters.
Page 174
NOTE: Every user is added as a local user with password, and when the user is assigned to an external authentication mechanism based on the group, certain attributes such as the local password are ignored.
Policies column. When the User Policy By Source IP Address window opens, enter the following information: In the User Policy By Source IP Address area, choose whether to Deny Login from Defined Addresses or to Allow Login only from Defined Addresses.
(not through the Configuration Utility).
Page 177
Check for New Firmware & Download: Check Periodically: Check this option to automatically check for firmware updates on a daily basis (every 24 hours). Enter your Cisco User Name and Password and click Apply to save your settings. NOTE: The Cisco username and password details once applied are applicable to all other services on the router which use them.
IMPORTANT! Restoring a saved configuration will remove your current settings. Firewall rules, VPN policies, LAN/WAN settings and all other settings will be lost. Back up your settings to ensure that you can restore them later if needed.
Page 179
Backup / Restore Settings / Software Upgrade To save a backup copy of current settings and digital certificates, click Backup. The file is saved as cisco.cfg. To restore the settings from a previously saved configuration file, click Restore. Locate and select the backup file from the connected USB storage device.
Ping or Trace an IP Address: You can use these tools to test your network. Ping through VPN tunnel: Check the box to enable pinging through the VPN tunnel. Otherwise, uncheck the box.
Page 181
Packet Trace. When the Capture Packets window opens, choose the interface: LAN, Dedicated WAN, or Optional WAN. Click Start to begin capturing packets. Click Stop to stop the capture. To download the report, click Download.
(Download Only or Both) selected above. • Increase This Month's Limit: If the monthly traffic limit has been reached and you need to temporarily increase the limit, check this option and type in the amount of the increase.
Page 183
Volume of traffic, in Megabytes, that was downloaded Volume through this interface. Total Traffic Volume Amount of traffic, in Megabytes, that passed through this interface in both directions. Average per day Average volume of traffic that passed through this interface.
NTP servers, or enter the IP addresses of up to four custom NTP servers. The default NTP Server settings are as follows: 0.ciscosb.pool.ntp.org 1.ciscosb.pool.ntp.org 2.ciscosb.pool.ntp.org 3.ciscosb.pool.ntp.org STEP 3: Click Apply to save your settings.
• Other Event Logs: Choose the other types of events to be logged. Source MAC Filter: If checked, logs packets matched due to source MAC filtering. Uncheck to disable source MAC filtering logs.
Page 186
Logging for individual firewall rules should be enabled. WAN to DMZ Enable logging for firewall rules matching WAN to DMZ source and destination. Logging for individual firewall rules should be enabled.
SSH traffic from the LAN to the WAN. The firewall rule also must allow logging. For more information, see Configuring Firewall Rules to Control Inbound and Outbound Traffic, page 103. STEP 3: Click Apply to save your settings.
This option is useful when you do not want to receive logs by email, but want to keep email options configured so that you can use the Send Log function from the Status > View Logs pages.
CA Identity (Subject Name): The organization or person to whom the certificate is issued. • Issuer Name: The name of the CA that issued the certificate. • Expiry Time: The date after which the certificate becomes invalid.
Page 191
To delete a certificate, check the box to select the certificate, and then click Delete. • To download the router’s certificate (.pem file), click the Download button under the Download Settings area. STEP 3: To request a certificate from the CA, click Generate CSR.
Page 192
Click Generate. A new certificate request is created and added to the Certification Signing Request (CSR) table. To view the request, click the View button next to the certificate you just created.
Timeout: Enter the number of seconds that the connection can exist before re-authentication is required. • Retries: Enter the number of retries for the device to re-authenticate with the Radius server. STEP 4: Click Apply to save your settings.
• For the SA540 model, a free upgrade to 50 seats is available. You must download a license key from Cisco to enable these seats. To obtain the license key, click the Upgrade to 50 Seats link on the License Management page.
Page 195
Action: Use to perform a next step action. Depending on what you want to do, click one of these links: Install: Install and activate the license. Free Trial: Download a trial license from Cisco.com. Renew: Renew your existing license if your license is about to expire or has already expired.
Page 196
Installation License Type License Code (PAK) from cisco.com: Automatically retrieves and installs the license on the device from the Cisco server. To use this option, enter your PAK ID and Cisco.com username and password. These credentials are required for the device to authenticate to the Cisco server.
IP address. Since a malicious WAN user can reconfigure the router and misuse it in many ways, it is highly recommended that you change the admin and guest passwords before continuing.
Page 198
Port Number: Displays the port number used for the remote connection. • Remote SNMP Enable: Check the box to enable SNMP for the remote connection. STEP 3: Click Apply to save your settings.
Network Management Cisco Discovery Protocol (CDP) is a device discovery protocol that runs on all Cisco manufactured equipment. Each CDP enabled device sends periodic messages to a multicast address and also listens to the periodic messages sent by others in order to learn about neighboring devices and determine the status of these devices.
SysContact: The name of the contact person for this security appliance. • SysLocation: The physical location of the security appliance. • SysName: A name given for easy identification of the security appliance. STEP 3: Click Apply to save your settings.
Advertisement Time to Live: This is expressed in hops for each UPnP packet. This is the number of steps a packet is allowed to propagate before being discarded. Small values will limit the UPnP broadcast range. STEP 3: Click Apply to save your settings.
The default services will only be visible to the hosts belonging to the associated VLANs. By default, LAN/Default-VLAN is the broadcasting domain. STEP 3: Click Apply to add the VLAN. The VLAN associated to the service appears in the List of VLANs table.
Page 203
Network Management Bonjour To dissociate the VLAN from the service, check the box next to the appropriate VLAN and click Delete.
To access the Status pages, click Status from the Configuration Utility menu bar. Device Status The Device Status section consists of the following pages: • Device Status • Resource Utilization • Interface Statistics • Port Statistics • Wireless Statistics for the SA520W
The number of logs in each level is displayed. Routing Mode Displays the routing mode of the router (NAT or Classical routing). WAN Mode Displays the WAN configuration mode of the router (Single WAN port, Auto-rollover, or Load Balancing).
Page 206
All Tunnels Number of active Site-to-Site VPN tunnels and the total number of configured Site-to-Site VPN tunnels. Remote Access VPN SSL Users Number of active SSL users. IPsec Users Number of IPsec users.
Stop button and then click Start to restart the automatic refresh using the specified poll interval. Start Enables the automatic page refresh. Stop Disables the automatic page refresh feature.
The counters are reset when the device is rebooted. Radio Statistics The radio can have multiple virtual access points configured and active concurrently. This table indicates cumulative statistics for the radio.
Page 209
Errors Number of transmitted/received (tx/rx) packet errors reported to the access point. Dropped Number of transmitted/received (tx/rx) packets dropped by the access point. Multicast Number of multicast packets sent over this access point.
VPN tunnel is set up automatically. However, you can use the Connect/Disconnect button to manually connect or disconnect the VPN tunnel.
Click Disconnect to terminate an active user's session and hence the associated SSLVPN-Tunnel (if any). NOTE: If the tunnel is not established by the user, the tunnel specific fields will have no values.
Stop button and use Start to restart automatic refresh. Start Click to enable automatic page refresh feature. Stop Click Stop to disable the automatic page refresh feature.
Logs Facility and Severity, page 189. For example: If you select Critical, all messages listed under the Critical, Error, Warning, Notification, Information, and Debugging are displayed. Emergency, and Alert categories will not be displayed.
Page 214
Click Clear Logs to delete all entries in the log window. • Click Send Logs to email the log messages that are currently displayed in the log window. The logs are sent to the email addresses that you configured in
Send Log. CDP Neighbor The Cisco Discovery Protocol (CDP) provides information about other devices that are connected to this device and that support the CDP protocol. The page displays information specific to the device and identifies the network interface of this device on which the neighbor was discovered.
Click Refresh Data to update the data on the screen. • Click Reset Data to reset the values to 0. NOTE: Elapsed Collection Time indicates the period of time in which the data was collected.
STEP 6: Ensure that you are using the correct login information. The factory default login name is cisco and the password is cisco. Ensure that CAPS LOCK is off when entering this information.
Page 218
STEP 4: When the modem LEDs indicate that it has resynchronized with the ISP, reapply power to the security appliance. If the security appliance still cannot obtain an ISP address, see the next symptom.
Page 219
STEP 1: Ask your ISP for the addresses of its designated Domain Name System (DNS) servers. Configure your PC to recognize those addresses. For details, see your operating system documentation. STEP 2: On your PC, configure the security appliance to be its TCP/IP gateway.
Possible cause: The security appliance does not automatically adjust for Daylight Savings Time. Recommended action: STEP 1: Click Administration > Time Zone. STEP 2: Check or uncheck Automatically adjust for Daylight Savings Time. STEP 3: Click Apply to save your settings.
Verify that the Ethernet card driver software and TCP/IP software are installed and configured on the PC. • Verify that the IP address for the security appliance and PC are correct and on the same subnet.
Page 222
MAC address of just a single PC connected to that modem. If this is the case, configure your firewall to clone or spoof the MAC address from the authorized PC. For more information, see Configuring the WAN Connection, page
After a restore to factory defaults, the following settings apply: • LAN IP address: 192.168.75.1 • Username: cisco • Password: cisco • DHCP server on LAN: enabled • WAN port configuration: Get configuration via DHCP
• 1 X USB connector for USB 2.0 • 3 X external antennas Operating Temperature 32 to 104ºF (0 to 40ºC) 32 to 104ºF (0 to 40ºC) 32 to 104ºF (0 to 40ºC)
Page 228
(H x W x D) Antenna adds approximately 6-3/4 inches (171 mm) to height and 1-2/8 inches (30 mm) to depth. Weight (with Power Supply) 4.91 lb 5.15 5.14 lb
Date and Time - Protocol Date and Time - Time Zone Pacific Time (US & Canada) DDNS disable HTTP Remote Access enable HTTPS Remote Access enable SNMP - Trusted Peer IP address SNMP Agent disable
Page 230
Changes Email Server Requires disable Authentication Cisco Discovery Protocol enabled on LAN / disabled on WAN port Bonjour enabled on LAN / disabled on WAN port UPnP disable Radius Server Port 1812
VLAN - Data, IP Address (Failover See Product Tab when no DHCP Server Available) VLAN - Data, Subnet Mask 255.255.255.0 (Failover when no DHCP Server Available) VLAN - Data, Name (optional) Data VLAN
Page 235
100% Radio disabled 802.1x supplicant disabled Clustering of Access Points - disabled unique to AP54x Broadcast / Multicast Rate disabled Limiting Broadcast / Multicast Rate Limit 50pps Multicast traffic rate per radio auto
Where to Go From Here Cisco provides a wide range of resources to help you and your customer obtain the full benefits of the SA500 Series Security Appliances. Product Resources Support Cisco Small Business Support www.cisco.com/go/smallbizsupport Community Online Technical Support and www.cisco.com/support...