Cisco WS-CE500 Administration Manual

SA500 Series Small Business Security Appliances
ADMINISTRATION
GUIDE
Cisco Small Business
SA500 Series Security Appliances


Summary of Contents for Cisco WS-CE500

  • Page 1 ADMINISTRATION GUIDE Cisco Small Business SA500 Series Security Appliances...
  • Page 2 Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
  • Page 3: Table Of Contents

    DMZ for Public Websites and Services Configuring ProtectLink Web & Email Security Site-to-Site Networking and Remote Access Wireless Networking Chapter 2: Networking Configuring the WAN Connection Viewing the WAN Status Creating PPPoE Profiles Configuring an IP Alias Cisco SA500 Series Security Appliances Administration Guide...
  • Page 4 Configuring the Ports Configuring SPAN (Port Mirroring) QoS Bandwidth Profiles Creating QoS Bandwidth Profiles for WAN Interfaces Traffic Selectors LAN QoS Enabling LAN QoS Port CoS Mapping Port DSCP Mapping DSCP Remarking Dynamic DNS...
  • Page 5 Advanced Radio Configuration Chapter 4: Firewall Configuration Configuring Firewall Rules to Control Inbound and Outbound Traffic Preliminary Tasks for Firewall Rules Configuring the Default Outbound Policy Configuring a Firewall Rule for Outbound Traffic...
  • Page 6 Configuring IPS Configuring the IPS Policy Configuring the Protocol Inspection Settings Configuring Peer-to-Peer Blocking and Instant Messaging Chapter 6: Using Cisco ProtectLink Security Services Chapter 7: Configuring VPN About VPN Configuring a Site-to-Site VPN Tunnel Configuring an IPsec VPN Tunnel for Remote Access with a VPN Client...
  • Page 7 Firmware and Configuration Upgrading Firmware and Working with Configuration Files Maintaining the USB Device Using the Secondary Firmware Diagnostics Measuring and Limiting Traffic with the Traffic Meter Configuring the Time Settings Configuring the Logging Options...
  • Page 8 Chapter 10: Status Device Status Device Status Resource Utilization Interface Statistics Port Statistics Wireless Statistics for the SA520W VPN Status IPsec VPN Status SSL VPN Status Quick VPN Status Active Users View Logs...
  • Page 9 Restoring Factory Default Configuration Settings Appendix B: Standard Services Appendix C: Technical Specifications and Environmental Requirements Appendix D: Factory Default Settings General Settings Router Settings Wireless Settings Storage Security Settings Appendix E: Where to Go From Here...
  • Page 10: Chapter 1: Getting Started

    Table 1 Comparison of SA500 Series Security Appliance Models

    Feature                                  SA520      SA520W     SA540
    Firewall Performance                     200 Mbps   200 Mbps   300 Mbps
    VPN Performance (label cut off in excerpt)  65 Mbps    65 Mbps    85 Mbps
    Connections                              15,000     15,000     40,000
  • Page 11: Device Overview

    Demilitarized Zone or Demarcation Zone, which allows public services such as web servers, without exposing your LAN. • SPEED LED (Green or Orange): Indicates the traffic rate for the associated port. Off = 10 Mbps, Green = 100 Mbps, Orange = 1000 Mbps.
  • Page 12: Rear Panel

    USB Port: Connects the security appliance to a USB device. You can use a USB device to store configuration files for backup and restore operations. NOTE: The back panel of the SA520W includes three threaded connectors for the antennas.
  • Page 13: Installation

    To place the security appliance on a desktop, install the four rubber feet (included) on the bottom of the security appliance. Place the device on a flat surface.
  • Page 14 Wall Mounting. STEP 1: Insert two 17 mm screws, with anchors, into the wall 15 cm apart (about 5.9 inches). Leave 3-4 mm (about 1/8 inch) of the head exposed.
  • Page 15 Each security appliance requires 1 rack unit (RU) of space, which is 1.75 inches (44.45 mm) high. CAUTION: Do not overload the power outlet or circuit when installing multiple devices in a rack.
  • Page 16: Hardware Installation

    STEP 3: For DSL, a cable modem, or other WAN connectivity devices, connect an Ethernet network cable from the device to the WAN port on the back panel. Cisco strongly recommends using Cat5E or better cable. STEP 4: For network devices, connect an Ethernet network cable from the network device to one of the dedicated LAN ports on the back panel.
  • Page 17: Getting Started With The Configuration Utility

    SA500 Series Security Appliances from your administration PC or laptop. You can access the security appliance by using any web browser (such as Microsoft Internet Explorer or Mozilla Firefox).
  • Page 18: Connecting To The Configuration Utility

    STEP 5: Click Log In. The Getting Started (Basic) window opens. For more information, see Using the Getting Started Pages. NOTE: You can use the Cisco Configuration Assistant (CCA) to launch the Configuration Utility if you are using the security appliance with a CCA-supported device, such as the UC500.
  • Page 19: Using The Getting Started Pages

    Started button in the menu bar. • To prevent the Getting Started (Basic) page from appearing automatically after you log in, check the Don’t show this on start-up box. Getting Started (Basic) Page
  • Page 20 Figure: Getting Started (Advanced) Page
  • Page 21: Navigating Through The Configuration Utility

    Click on the triangle next to the main branch title to expand or contract its contents. Click on the title of a feature or subfeature to open it. Main Content: The main content of the feature appears in this area.
  • Page 22: Using The Help System

    Optional Port: This port is preset to act as a secondary WAN port. Alternatively, you can configure the Optional port for use as a DMZ port or an extra LAN port. See Scenario 1: Basic Network Configuration with...
  • Page 23: Basic Tasks

    IP address of 192.168.75.1. You can log on by entering cisco for the username and cisco for the password. You are strongly encouraged to change the default username and password.
  • Page 24: Backing Up Your Configuration

    Check to Edit Password: Check this box to enable the password fields. • Enter Your Password: Enter the current password. The default password for this new security appliance is cisco. • New Password: Enter a password that contains alphanumeric, '-' or '_'...
  • Page 25: Common Configuration Scenarios

    As you get started using your security appliance, consider the following configuration scenarios: • Scenario 1: Basic Network Configuration with Internet Access, page 26 • Scenario 8: Cisco Smart Business Communications System Configuration, page 28 • Scenario 7: DMZ for Public Websites and Services, page 29 •...
  • Page 26: Basic Network Configuration With Internet Access

    1. Review the WAN configuration and make any changes that are needed to set up your Internet connection. In the WAN & LAN Connectivity section of the Getting Started (Basic) page, click the WAN settings link. For more information, see Configuring the WAN Connection.
  • Page 27 LAN Settings link. For more information, see Configuring the LAN. 3. If you are going to use your security appliance with your Cisco Smart Business Communications System (SBCS), install and configure your UC500. See Scenario 8: Cisco Smart Business Communications System Configuration. 4. ...
  • Page 28: Cisco Smart Business Communications System Configuration

    Scenario 8: Cisco Smart Business Communications System Configuration. You can use the security appliance to protect your Cisco Smart Business Communications System network. (Figure labels: Laptop computer, Printer, Private Network, SA 500, Access Device, Outside Network, Internet.)
  • Page 29: Firewall For Controlling Inbound And Outbound Traffic

    DMZ (Demarcation Zone or Demilitarized Zone). This zone acts as a separate network between your private LAN and the Internet. After you configure your DMZ, you can configure the firewall rules that enable traffic to connect only to the services that you specify.
  • Page 30 Internet Access. Configuration tasks for this scenario: To start configuring a DMZ, use the links in the DMZ Port section of the Getting Started (Advanced) page. For more information, see Configuring a DMZ.
  • Page 31: Configuring Protectlink Web & Email Security

    Cisco ProtectLink Security services. By using these services, your network is protected from email threats in the Internet “cloud” and web threats in the Cisco security appliance, providing access only to email and websites that are appropriate for your business.
  • Page 32 Started (Advanced) page to review and modify the policies that were created by the Wizard. For more information, see Configuring an IPsec VPN Tunnel for Remote Access with a VPN Client, page 139.
  • Page 34 VPN users. Optionally, you can use other links to configure the policies, client settings, routes, and resources for your SSL VPN. For more information, see Configuring SSL VPN for Browser-Based Remote Access, page 154.
  • Page 35: Wireless Networking

    2. Although you can begin using your wireless network right away, you should configure the security settings to protect your network and the data that you transmit. To configure your wireless network, see Chapter 3, “Wireless Configuration for the SA520W.”
  • Page 36: Chapter 2: Networking

    Configuring a DMZ • VLAN Configuration • Routing • Port Management • QoS Bandwidth Profiles • Dynamic DNS • Configuring IPv6 Addressing. To access the Networking pages, click Networking in the Configuration Utility menu bar.
  • Page 37: Configuring The Wan Connection

    (Idle Time). Choose this option if your ISP fees are based on the time that you spend online. If you select this option, also enter the Idle Time in minutes.
  • Page 38 • DNS Server Source: DNS servers map Internet domain names (example: www.cisco.com) to IP addresses. You can get DNS server addresses automatically from your ISP or use ISP-specified addresses. Get Dynamically from ISP: Choose this option if you have not been assigned a static DNS IP address.
  • Page 39: Viewing The Wan Status

    WAN and the optional WAN (if applicable): • Connection Time • Connection Type: Dynamic IP (DHCP) or Static IP • Connection State: Connected or Disconnected • Link State: Up or Down
  • Page 40: Creating Pppoe Profiles

    STEP 1: Click Networking > WAN > PPPoE Profiles, or from the Getting Started (Basic) page, under WAN & LAN Connectivity, click PPPoE profiles. The PPPoE Profiles window opens. STEP 2: Click Add to create a new profile.
  • Page 41: Configuring An Ip Alias

    The IP Aliases window opens. Any currently configured WAN IP aliases used by the WAN port appear in the List of IP Aliases table. STEP 2: Click Add to add a new alias.
  • Page 42 IP Address: The IP address alias added to this WAN port of the router. • Mask: The IPv4 subnet mask. STEP 4: Click Apply to save your changes. The new alias appears in the List of IP Aliases table.
  • Page 43: Configuring The Lan

    DHCP request from a DHCP client. • By default, your LAN is configured for IPv4 addressing. If you need to enable IPv6 addressing, see Configuring IPv6 Addressing, page 77, and Configuring the IPv6 LAN.
  • Page 44: Configuring The Lan

    DHCP Relay: Choose this option to allow the security appliance to use a DHCP Relay. If you choose this mode, also enter the IP address of the Relay Gateway. • Domain Name (optional): Enter a name for the domain.
  • Page 45 Viewing the LAN Status. • To reserve certain IP addresses so that they are always used by particular devices, click LAN > DHCP Reserved IPs. For more information, see DHCP Reserved IPs.
  • Page 46: Viewing The Lan Status

    VLAN. Any PC that is connected to the specified LAN port is on a separate VLAN and cannot access other VLANs unless you enable inter-VLAN routing.
  • Page 47 Voice VLAN: The VLAN is enabled with the VLAN ID 100. IP Address: 10.1.1.1; IP Address Distribution: DHCP Server; Start IP Address: 10.1.1.50; End IP Address: 10.1.1.254; Subnet Mask: 255.255.255.0.
  • Page 48 After you click Add or Edit, the VLAN Configuration window opens. STEP 3: Enter the following information: • Name: Enter a descriptive name, for reference. • ID: Enter a unique identification number, which can be any number from 2 to 4091.
  • Page 49 Untagged frames arriving on the port are assigned the specified PVID. Frames leaving the port on the PVID's VLAN are sent untagged; frames on any other VLAN are sent tagged.
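The PVID rule on page 49 is easier to reason about as code. The following is an added example, not code from the Cisco guide: a small model of a port with a PVID and a set of member VLANs, showing what VLAN an untagged frame is placed in on ingress, when a frame leaves the port tagged or untagged, and what happens to a tagged frame for a VLAN the port does not carry. The port name, VLAN IDs and sample frames are constructed; the rule that a tagged frame for a non-member VLAN is dropped is an assumption about the device, not something the guide states, but it is the behaviour a practitioner should verify, because it is what stops a host on an access port from injecting traffic into a VLAN it was never assigned to.

```python
"""Model of 802.1Q PVID handling on a LAN port (added example, not from the guide)."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Port:
    name: str
    pvid: int                                            # VLAN for untagged ingress frames
    member_vlans: Set[int] = field(default_factory=set)  # VLANs this port carries


@dataclass
class Frame:
    dst_mac: str
    vlan_tag: Optional[int] = None   # None means the frame is untagged


def classify_ingress(port: Port, frame: Frame) -> Optional[int]:
    """Return the VLAN the frame is placed in, or None if it is dropped.

    Untagged frames are assigned the port's PVID. Tagged frames keep their
    VLAN ID only if the port is a member of that VLAN; otherwise they are
    dropped (assumption: the guide does not say what the SA500 does here).
    """
    if frame.vlan_tag is None:
        return port.pvid
    if frame.vlan_tag in port.member_vlans:
        return frame.vlan_tag
    return None


def egress_frame(port: Port, vlan: int, frame: Frame) -> Optional[Frame]:
    """Return the frame as it leaves 'port' for traffic in 'vlan'.

    Traffic in the port's PVID VLAN leaves untagged; traffic in any other
    member VLAN leaves tagged; traffic in a VLAN the port does not carry
    is not forwarded out of this port at all.
    """
    if vlan not in port.member_vlans:
        return None
    tag = None if vlan == port.pvid else vlan
    return Frame(frame.dst_mac, tag)


def demo() -> dict:
    """Constructed case: an uplink with PVID 1 that also carries voice VLAN 100."""
    uplink = Port("LAN1", pvid=1, member_vlans={1, 100})
    pc = Frame("00:11:22:33:44:55")            # untagged frame from a PC
    phone = Frame("00:11:22:33:44:66", 100)    # tagged by an IP phone
    stray = Frame("00:11:22:33:44:77", 200)    # VLAN 200 is not on this port
    data_out = egress_frame(uplink, 1, Frame("aa:bb:cc:dd:ee:01"))
    voice_out = egress_frame(uplink, 100, Frame("aa:bb:cc:dd:ee:02"))
    return {
        "pc_vlan": classify_ingress(uplink, pc),        # 1: the PVID
        "phone_vlan": classify_ingress(uplink, phone),  # 100
        "stray_vlan": classify_ingress(uplink, stray),  # None: dropped
        "data_out_tag": data_out.vlan_tag,              # None: PVID traffic leaves untagged
        "voice_out_tag": voice_out.vlan_tag,            # 100: other VLANs leave tagged
        "vlan200_out": egress_frame(uplink, 200, pc),   # None: not forwarded
    }
```

Running demo() walks one port through both directions; the "stray" case is the one to test on real hardware with a tagging-capable NIC before trusting VLAN separation between untrusted and trusted ports.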
  • Page 50 STEP 2: • IP Address: Enter the VLAN subnet IP address. • Subnet Mask: Enter the subnet mask for this VLAN. STEP 3: In the DHCP section of the page, choose the DHCP mode:
  • Page 51 DNS requests and to communicate with the DNS servers of the ISP. When this feature is disabled, all DHCP clients on the VLAN receive the DNS IP addresses of the ISP.
  • Page 52: Dhcp Reserved Ips

    STEP 3: Enter the IP address and the MAC address of the device that you want to add. Each reserved IP address should be outside the configured DHCP pool. STEP 4: Click Apply to save your settings.
  • Page 53: Dhcp Leased Clients

    Optional port for use as a LAN port. STEP 1: Click Networking > Optional Port > Optional Port Mode. The Optional Port Mode window opens. STEP 2: Choose LAN. STEP 3: Click Apply to save your settings.
  • Page 54: Configuring The Optional Wan

    • PPPoE Profile Name: Choose a PPPoE profile. To manage the profiles in the drop-down list, see Creating PPPoE Profiles. • User Name: The user name that is required to log in.
  • Page 55 • DNS Server Source: DNS servers map Internet domain names (example: www.cisco.com) to IP addresses. You can get DNS server addresses automatically from your ISP or use ISP-specified addresses. Get Dynamically from ISP: Choose this option if you have not been assigned a static DNS IP address.
  • Page 56 Viewing the WAN Status. • Recommended: To configure auto-rollover, load balancing, and failure detection for your ISP links, click Optional Port > WAN Mode. For more information, see Configuring Auto-Rollover, Load Balancing, and Failure Detection.
  • Page 57: Configuring Auto-Rollover, Load Balancing, And Failure Detection

    To maintain better control of WAN port traffic, consider making the WAN port Internet addresses public and keeping the other one private. Figure 2 shows an example of Dual WAN Ports configured with Load Balancing.
  • Page 58 Load Balancing: Choose this option if you have two ISP links that you want to use simultaneously. After you complete this procedure by clicking the Apply button, you need to configure the protocol bindings. See Configuring the Protocol Bindings for Load Balancing.
  • Page 59 Retry Interval is: Specify how often, in seconds, the security appliance should run the failure detection method configured above. • Failover after: Specify the number of retries after which failover is initiated. STEP 4: Click Apply to save your settings.
  • Page 60: Configuring The Protocol Bindings For Load Balancing

    Started (Advanced) page, under Secondary WAN Port, click Configure Protocol Bindings (Optional - if WAN Mode set to Load Balancing). The Protocol Bindings window opens. Any existing protocol bindings appear in the List of Available Protocol Bindings table. STEP 2: Click Add.
  • Page 61: Configuring A Dmz

    DMZ but cannot penetrate the LAN. You should configure your DMZ to include any hosts that must be exposed to the WAN (such as web or email servers).
  • Page 62 (Figure: DMZ example with address translation. Internet users reach public IP address 209.165.200.225, which the SA 500 translates to the web server's private IP address 172.16.2.30. DMZ interface: 172.16.2.1; LAN interface: 192.168.75.1; web server private IP address 172.16.2.30, public IP address 209.165.200.225; LAN users 192.168.75.10 and 192.168.75.11.)
  • Page 63 172.16.2.30. The firewall rule specifies an external IP address of 209.165.200.226. Internet users can enter the domain name that is associated with the IP address 209.165.200.226, and they are connected to the web server.
  • Page 64: Configuring The Dmz Settings

    DHCP Relay: Choose this option to allow the security appliance to use a DHCP Relay. If you choose this mode, also enter the IP address of the Relay Gateway. • Domain Name (optional): Enter a name for the domain.
  • Page 65 Configuring a Firewall Rule for Inbound Traffic, page 110. • If you want to reserve certain IP addresses for specified devices, click Optional Port > DMZ Reserved IPs. For more information, see Reserved IPs.
  • Page 66: Dmz Reserved Ips

    After you click Add or Edit, the DMZ Reserved IPs Configuration window opens. STEP 3: Enter the IP Address and the MAC Address. STEP 4: Click Apply to save your settings.
  • Page 67: Dmz Dhcp Leased Clients

    DMZ. NAT is the default option. • Classic Routing: Choose this option if your ISP has assigned an IP address for each of the computers that you use.
  • Page 68: Static Routing

    WAN, Optional WAN, DMZ or LAN), through which this route is accessible. • Gateway IP Address: Enter the IP address of the gateway router through which the destination host or network can be reached.
  • Page 69: Dynamic Routing

    RIP-2 includes all the functionality of RIPv1 and additionally supports subnet information. Although the data is sent in RIP-2 format for both RIP-2B and RIP-2M, the mode in which packets are sent is different: RIP-2B broadcasts the updates, while RIP-2M multicasts them.
  • Page 70: Port Management

    The Port Management window opens. STEP 2: Choose the following options for each port: • Enable: Check this box to enable the port. To disable the port, uncheck the box. By default all ports are enabled.
  • Page 71: Configuring Span (Port Mirroring)

    Do you want to enable Port Mirroring: Check this box to enable port mirroring. • Mirror all LAN Ports to: Choose the LAN port that will monitor all of the other LAN ports. STEP 3: Click Apply to save your settings.
  • Page 72: Qos Bandwidth Profiles

    Other options: Click the Edit button to edit an entry. To delete an entry, check the box and then click Delete. To select all entries in the table, check the box at the left side of the heading row.
  • Page 73: Traffic Selectors

    Other options: Click the Edit button to edit an entry. To delete an entry, check the box and then click Delete. To select all entries in the table, check the box at the left side of the heading row.
  • Page 74: Lan Qos

    STEP 3: ... choose either DSCP, a Layer 3 IP header field, or CoS, a Layer 2 Ethernet header field, depending on your requirements. STEP 4: Click Apply to save your settings.
  • Page 75: Port Cos Mapping

    DSCP values. STEP 1: Click Networking > Remark CoS to DSCP. The Remark CoS to DSCP window opens. STEP 2: For each CoS value, use the drop-down list to choose the corresponding DSCP value.
  • Page 76: Dynamic Dns

    Update every 30 days: Check this box to allow the security appliance to update the host information on DynDNS and keep the subscription active after the 30-day trial. STEP 4: Click Apply to save your settings.
  • Page 77: Configuring Ipv6 Addressing

    IPv6 LAN Address Pools • IPv6 Multi LAN • IPv6 Static Routing • Routing (RIPng) • 6to4 Tunneling • IPv6 Tunnels Status • ISATAP Tunnels • MLD Tunnels • Configuring Router Advertisement • Adding RADVD Prefixes
  • Page 78: Ip Routing Mode

    STEP 2: In the Internet (IPv6) Address area, choose Static IPv6 if your service provider assigned a fixed (static or permanent) IP address. If you were not assigned a static IP address, choose DHCPv6.
  • Page 79 DHCPv6 server at the ISP to obtain a leased address. STEP 5: Click Apply to save your settings. NOTE: Next steps: To configure the LAN, click IPv6 > IPv6 LAN Config. For more information, see Configuring the IPv6 LAN.
  • Page 80: Configuring The Ipv6 Lan

    Disable DHCPv6 Server (the default setting). If you want the security appliance to act as a DHCPv6 server that dynamically assigns IPv6 addresses to all connected devices, click Enable DHCPv6 Server, and then complete all fields that are highlighted with white backgrounds.
  • Page 81 Router Advertisement Daemon (RADVD). For more information, see Router Advertisement Daemon (RADVD). • If you want to configure the LAN address pools, click IPv6 > IPv6 Address Pools. For more information, see IPv6 LAN Address Pools.
  • Page 82: Ipv6 Lan Address Pools

    All hosts in the network share the same initial bits of the IPv6 address; the number of shared initial bits is set by the Prefix Length field. STEP 4: Click Apply to save your settings.
  • Page 83: Ipv6 Multi Lan

    To delete an entry, check the box and then click Delete. To select all entries in the table, check the box at the left side of the heading row. After you click Add or Edit, the IPv6 Static Route Configuration window opens.
  • Page 84: Routing (Ripng)

    180 seconds, the routes learned from the neighbor are considered unreachable. After another 240 seconds, if no routing update is received, the security appliance removes these routes from the routing table.
  • Page 85: 6To4 Tunneling

    WAN interface. The table shows two fields: the name of the tunnel and the IPv6 address that is created on the device. To open this page, click Networking > IPv6 > IPv6 Tunnels Status.
  • Page 86: Isatap Tunnels

    LAN is an IPv4 network), or a specific LAN IPv4 address. • IPv4 Address: Enter the local endpoint address if it is not the LAN IPv4 address. STEP 4: Click Apply to save your settings.
  • Page 87: Mld Tunnels

    MLD Queries to be sent less often. The minimum value of the Query Interval is 100 seconds and the maximum is 1800 seconds. STEP 3: Click Apply to save your settings.
  • Page 88: Router Advertisement Daemon (Radvd)

    Advertisement Interval. MinRtrAdvInterval = 0.33 * MaxRtrAdvInterval. The default is 30 seconds. • RA Flags: Choose one of the following options: Managed: Choose this option to use the administered/stateful protocol for address autoconfiguration.
  • Page 89: Adding Radvd Prefixes

    SLA ID. The SLA ID (Site-Level Aggregation Identifier) in the 6to4 address prefix is set to the interface ID of the interface on which the advertisements are sent. • IPv6 Prefix: Specify the IPv6 network address.
  • Page 90 • Prefix Lifetime: Enter the maximum number of seconds that the requesting router is allowed to use the prefix. STEP 4: Click Apply to save your settings.
  • Page 91: Chapter 3: Wireless Configuration For The Sa520W

    This configuration helps you to maintain better control over broadcast and multicast traffic, which affects network performance. For each access point, you can customize the security mode, the Quality of Service settings, and the radio.
  • Page 92: Step 1: Configuring The Wireless Profiles

    A wireless profile specifies the security settings. Optionally, you can configure advanced wireless settings, QoS settings, and MAC filtering. After you configure a wireless profile, you can assign it to any access point. NOTE: Cisco strongly recommends WPA2 for wireless security. Other security modes are vulnerable to attack.
  • Page 93 (that is, 64-bit WEP has a 40-bit key, which is less secure than 128-bit WEP, which has a 104-bit key).
  • Page 94 List of Available Access Points table. For more information, see Controlling Wireless Access Based on MAC Addresses. • For RADIUS authentication, configure the RADIUS settings. See Configuring RADIUS Server Records, page 193.
  • Page 95: Profile Advanced Configuration

    You can choose from four Class of Service queues to prioritize the data traffic over the wireless link: • Voice: Highest priority queue, minimum delay. Used typically to send time-sensitive data such as Voice over IP (VoIP).
  • Page 96: Controlling Wireless Access Based On Mac Addresses

    Any device can use this access point. MAC Filtering provides additional security, but it also adds to the complexity and maintenance, and because a client can change its MAC address, it is not a substitute for WPA2. Be sure to enter each MAC address correctly to ensure that the policy is applied as intended.
  • Page 97 Allow: All of the devices in the MAC Address table are allowed to use this access point. All other devices are denied access. • Deny: All of the devices in the MAC Address table are prevented from using this access point. All other devices are allowed access.
  • Page 98: Step 2: Configuring The Access Points

    Choose AM or PM from the drop-down list. • Max Associated Clients: Enter the maximum number of clients that can connect to this access point at any time. The default is 8 clients.
  • Page 99: Configuring The Radio

    STEP 1: Click Wireless > Radio Settings > Radio Settings. The Radio Settings window opens. STEP 2: Enter the following information: • Region: Choose a geographic region from the drop-down list of regions.
  • Page 100 Default Transmit Power: Enter a value in dBm as the default transmit power level for all APs that use this radio. The default is 20 dBm. STEP 3: Click Apply to save your settings.
  • Page 101: Advanced Radio Configuration

    96 μs. The long preamble is needed for compatibility with legacy 802.11 systems operating at 1 and 2 Mbps. The default is Long.
  • Page 102 Retries are used for both long and short frames of size less than or equal to the RTS threshold. STEP 3: Click Apply to save your settings.
  • Page 103: Chapter 4: Firewall Configuration

    • Direction of the traffic • Days of the week and times of day • Keywords in a domain name or on a URL of a web page • MAC addresses of devices
  • Page 104: Preliminary Tasks For Firewall Rules

    Services.”) If you need to configure a firewall rule for a service that is not on the standard list, first you must identify the service by entering a name, specifying the type, and assigning the port range.
  • Page 105 Weekend that is active all day on Saturday and Sunday. For more information about the time settings for your security appliance, see Configuring the Time Settings, page 184. Cisco SA500 Series Security Appliances Administration Guide...
  • Page 106 STEP 1 To add IP Aliases, click Add. STEP 2 Choose the WAN interface from the Interface drop-down menu. This is the STEP 3 interface where you will add the IP address to. Cisco SA500 Series Security Appliances Administration Guide...
  • Page 107: Configuring The Default Outbound Policy

    This procedure explains how to configure a firewall rule for the following traffic flows: • From the LAN to the WAN • From the LAN to the DMZ • From the DMZ to the WAN For examples, see Firewall Rule Configuration Examples, page 114. Cisco SA500 Series Security Appliances Administration Guide...
  • Page 108 Internet, or choose DMZ if the traffic is going to a server on your DMZ. If the From Zone is the WAN, the To Zone can be the public DMZ or secure LAN. Cisco SA500 Series Security Appliances Administration Guide...
  • Page 109 QoS Priority: You can use this rule to prioritize traffic. Each priority level corresponds to a Term of Service (ToS) value. Normal-Service: ToS=0 (lowest QoS) Minimize-Cost: ToS=1 Maximize-Reliability: ToS=2 Maximize-Throughput: ToS=4 Minimize-Delay: ToS=8 (highest QoS) Cisco SA500 Series Security Appliances Administration Guide...
  • Page 110: Configuring A Firewall Rule For Inbound Traffic

    NOTE In addition to configuring firewall rules, you can use the following methods to control inbound traffic: • You can prevent common types of attacks. For more information, see Configuring Attack Checks, page 118.
  • Page 111 If the From Zone is the WAN, the To Zone can be the public DMZ or the secure LAN. If the From Zone is the LAN, the To Zone can be the public DMZ or the insecure WAN.
  • Page 112 Enable Port Forwarding: Check the box to forward traffic to a particular port. • Translate Port Number: If you enabled port forwarding, enter the port number that will be the destination for the forwarded traffic.
  • Page 113: Prioritizing Firewall Rules

    Rules. Only the rules for the specified security zones appear. For example, if you choose WAN and LAN from the Zone drop-down menus, only the rules for the WAN to LAN security zones appear. STEP 3 To reorder the rules, click Move.
  • Page 114: Firewall Rule Configuration Examples

    Solution: Create an inbound rule with the following parameter values: • From Zone: Insecure (WAN1) • To Zone • Service: HTTP • Action: ALLOW always • Source Hosts • Internal IP Address: 192.168.5.2 • External IP Address: Dedicated WAN
  • Page 115 Solution: Create an inbound rule as shown below. In this example, connections for CU-SeeMe (an Internet video-conferencing client) are allowed only from a specified range of external IP addresses. • From Zone: INSECURE (Dedicated WAN/Optional WAN) • To Zone: Secure (LAN) • Service: CU-SEEME:UDP
  • Page 116 • To Zone: INSECURE (Dedicated WAN/Optional WAN) • Service: HTTP • Action: BLOCK by schedule • Schedule: Weekend • Source Hosts: Address Range from 10.1.1.1 to 10.1.1.100 • Destination Hosts
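    The three configuration examples above, worked through as code. This is an added illustration, not software from the appliance or from Cisco: a small first-match rule engine with zones, a standard-services table, the Weekend schedule, source address ranges and inbound port forwarding, using the addresses the examples give. Values the page does not state are assumptions: the To Zone of the first example (taken as LAN, since 192.168.5.2 is an internal address), the CU-SeeMe peer range 203.0.113.1-203.0.113.50, the CU-SeeMe UDP port, and the two timestamps.

```python
"""Model of the zone-based firewall rules from the examples above.
Added illustration, not code from the SA500 or from Cisco."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Subset of the "Standard Services" table. The CU-SeeMe UDP port is an
# assumption; the page names the service but not its port number.
SERVICES = {
    "HTTP": ("tcp", 80),
    "CU-SEEME:UDP": ("udp", 7648),
}

# Schedule "Weekend": active all day on Saturday and Sunday.
SCHEDULES = {"Weekend": lambda when: when.weekday() in (5, 6)}


@dataclass
class Packet:
    from_zone: str          # "WAN", "LAN" or "DMZ"
    to_zone: str
    proto: str              # "tcp" or "udp"
    dst_port: int
    src: IPv4Address


@dataclass
class Rule:
    from_zone: str
    to_zone: str
    service: str
    action: str                                    # "ALLOW" or "BLOCK"
    schedule: Optional[str] = None                 # None means "always"
    src_range: Optional[Tuple[IPv4Address, IPv4Address]] = None  # inclusive
    internal_ip: Optional[IPv4Address] = None      # inbound: host behind NAT
    translate_port: Optional[int] = None           # inbound: port forwarding

    def is_active(self, when: datetime) -> bool:
        # "by schedule" rules apply only while the schedule is active.
        return self.schedule is None or SCHEDULES[self.schedule](when)

    def matches(self, pkt: Packet, when: datetime) -> bool:
        if (self.from_zone, self.to_zone) != (pkt.from_zone, pkt.to_zone):
            return False
        if SERVICES[self.service] != (pkt.proto, pkt.dst_port):
            return False
        if self.src_range and not (self.src_range[0] <= pkt.src <= self.src_range[1]):
            return False
        return self.is_active(when)


def evaluate(rules: List[Rule], pkt: Packet, when: datetime,
             default_outbound: str = "ALLOW"):
    """First matching rule wins, so the order set with Move matters.
    Returns (action, target): target is the (ip, port) an allowed inbound
    packet is forwarded to, or None."""
    for rule in rules:
        if rule.matches(pkt, when):
            target = None
            if rule.action == "ALLOW" and rule.internal_ip is not None:
                target = (str(rule.internal_ip), rule.translate_port or pkt.dst_port)
            return rule.action, target
    # Nothing matched: unsolicited inbound traffic is dropped, outbound
    # traffic follows the Default Outbound Policy.
    if pkt.from_zone == "WAN":
        return "BLOCK", None
    return default_outbound, None


RULES = [
    # Example 1: web server on 192.168.5.2 reachable from the Internet.
    Rule("WAN", "LAN", "HTTP", "ALLOW", internal_ip=IPv4Address("192.168.5.2")),
    # Example 2: CU-SeeMe only from a range of external addresses (range assumed).
    Rule("WAN", "LAN", "CU-SEEME:UDP", "ALLOW",
         src_range=(IPv4Address("203.0.113.1"), IPv4Address("203.0.113.50"))),
    # Example 3: block web browsing from 10.1.1.1-10.1.1.100 on the Weekend schedule.
    Rule("LAN", "WAN", "HTTP", "BLOCK", schedule="Weekend",
         src_range=(IPv4Address("10.1.1.1"), IPv4Address("10.1.1.100"))),
]

SATURDAY = datetime(2024, 1, 6, 10, 0)   # constructed timestamps
MONDAY = datetime(2024, 1, 8, 10, 0)


def demo() -> dict:
    wan_src, peer_ok, peer_bad = (IPv4Address(a) for a in
                                  ("198.51.100.7", "203.0.113.9", "203.0.113.99"))
    lan_src = IPv4Address("10.1.1.50")
    return {
        "web_in": evaluate(RULES, Packet("WAN", "LAN", "tcp", 80, wan_src), MONDAY),
        "ssh_in": evaluate(RULES, Packet("WAN", "LAN", "tcp", 22, wan_src), MONDAY),
        "cuseeme_ok": evaluate(RULES, Packet("WAN", "LAN", "udp", 7648, peer_ok), MONDAY),
        "cuseeme_bad": evaluate(RULES, Packet("WAN", "LAN", "udp", 7648, peer_bad), MONDAY),
        "browse_sat": evaluate(RULES, Packet("LAN", "WAN", "tcp", 80, lan_src), SATURDAY),
        "browse_mon": evaluate(RULES, Packet("LAN", "WAN", "tcp", 80, lan_src), MONDAY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {result}")
```

    The point to notice is that the weekend block rule matches nothing on Monday, so outbound HTTP then falls through to the Default Outbound Policy rather than to an explicit allow; and that an inbound packet with no matching rule is dropped regardless of that policy. If you place a broad allow above a narrower block, Move is the only way to fix the outcome, which is why the Prioritizing Firewall Rules step matters.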
  • Page 117: Using Other Tools To Prevent Attacks, Restrict Access, And Control Inbound Traffic

    • Configuring Attack Checks • Configuring MAC Filtering to Allow or Block Traffic • Configuring IP/MAC Binding to Prevent Spoofing • Configuring a Port Triggering Rule to Direct Traffic to Specified Ports
  • Page 118: Configuring Attack Checks

    • Block Ping to WAN interface: Check this box to prevent attackers from discovering your network through ICMP Echo (ping) requests. Cisco recommends that you uncheck this box only if you need to allow the security appliance to respond to pings for diagnostic purposes.
  • Page 119: Configuring Mac Filtering To Allow Or Block Traffic

    STEP 2 In the MAC Filtering Enable area, enter the following information: • Enable MAC Address Filtering?: Check the box to enable source MAC address filtering. • Policy for MAC Addresses listed below: Choose one of the following options:
  • Page 120: Configuring Ip/Mac Binding

    Delete. To change the status of a rule, check the box and then click Enable or Disable. To select all entries, check the box in the first column of the table heading.
  • Page 121: Port Triggering

    See Appendix B, “Standard Services.” NOTE Port triggering is not appropriate for servers on the LAN, because the LAN device must make an outgoing connection before an incoming port is opened.
  • Page 122: Configuring A Port Triggering Rule To Direct Traffic To Specified Ports

    The ports are opened dynamically whenever the security appliance detects traffic that matches a port triggering rule. To view this page, click Firewall > Port Triggering > Port Triggering Status. The following information appears:
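    The port triggering behaviour described on pages 121 and 122, as an added illustration (not the appliance's implementation): a trigger rule opens its inbound range towards the LAN host only after that host has made an outgoing connection in the trigger range, and the opening expires when idle. The rule ("conf-app", UDP 6000 opening 7000-7010), the hosts and the 120-second idle timeout are all constructed for the example; the page gives no timeout figure.

```python
"""Port triggering as a small state machine: inbound ports open only after a
LAN host makes a matching outgoing connection, and close again when idle.
Added illustration, not the SA500's implementation; timeout value assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TriggerRule:
    name: str
    proto: str                       # "tcp" or "udp"
    trigger_ports: Tuple[int, int]   # outgoing range that arms the rule
    incoming_ports: Tuple[int, int]  # inbound range opened to the LAN host


@dataclass
class PortTriggerTable:
    rules: List[TriggerRule]
    idle_timeout: int = 120  # seconds; assumed, the page gives no figure
    # (rule name, inbound port) -> (LAN host, time last used)
    open_ports: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, lan_host: str, proto: str, dst_port: int, now: int) -> List[str]:
        """LAN -> WAN connection; arms every rule whose trigger range covers it."""
        armed = []
        for rule in self.rules:
            lo, hi = rule.trigger_ports
            if rule.proto == proto and lo <= dst_port <= hi:
                first, last = rule.incoming_ports
                for port in range(first, last + 1):
                    self.open_ports[(rule.name, port)] = (lan_host, now)
                armed.append(rule.name)
        return armed

    def inbound(self, proto: str, dst_port: int, now: int) -> Optional[str]:
        """WAN -> LAN packet; returns the LAN host it is forwarded to, or None
        when no dynamically opened port matches (the packet is dropped)."""
        self._expire(now)
        for rule in self.rules:
            if rule.proto != proto:
                continue
            entry = self.open_ports.get((rule.name, dst_port))
            if entry is not None:
                host, _ = entry
                self.open_ports[(rule.name, dst_port)] = (host, now)  # refresh idle timer
                return host
        return None

    def _expire(self, now: int) -> None:
        stale = [k for k, (_, seen) in self.open_ports.items()
                 if now - seen > self.idle_timeout]
        for k in stale:
            del self.open_ports[k]

    def status(self) -> List[Tuple[str, str, int]]:
        """Rows like the Port Triggering Status page: (rule, LAN host, open port)."""
        return sorted((name, host, port)
                      for (name, port), (host, _) in self.open_ports.items())


def demo() -> dict:
    # Constructed rule: an outgoing UDP connection to 6000 opens 7000-7010 inbound.
    table = PortTriggerTable([TriggerRule("conf-app", "udp", (6000, 6000), (7000, 7010))])
    before = table.inbound("udp", 7005, now=0)           # nothing armed yet: dropped
    armed = table.outbound("192.168.75.10", "udp", 6000, now=10)
    during = table.inbound("udp", 7005, now=20)          # forwarded to the LAN host
    rows = len(table.status())
    after = table.inbound("udp", 7005, now=200)          # idle > 120 s: closed again
    return {"before": before, "armed": armed, "during": during,
            "open_rows": rows, "after": after}


if __name__ == "__main__":
    print(demo())
```

    The first and last inbound attempts are dropped for the same reason the page's NOTE gives: nothing on the LAN has initiated a connection recently, so a server that only ever listens never gets its ports opened. For such hosts use a firewall rule with port forwarding instead.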
  • Page 123: Configuring Session Settings To Analyze Incoming Packets

    0 and 4,294,967 seconds. The default is 120 seconds (2 minutes). • Other Session Timeout Duration (seconds): Inactive non-TCP/UDP sessions are removed from the session table after this duration. This value can range between 0 and 4,294,967 seconds. The default is 60 seconds.
  • Page 124: Using Other Tools To Control Access To The Internet

    Enable Content Filtering: Check the box to enable content filtering. Enable this feature when you want to configure and use features such as a list of Trusted Domains, keyword filtering, and so on.
  • Page 125 However, several websites use cookies to store tracking information and browsing habits. Enabling this option prevents websites from creating cookies. STEP 4 Click Apply to save your settings.
  • Page 126: Configuring Approved Urls To Allow Access To Websites

    URL box. For example, if you enter yahoo, your users can access websites such as www.yahoo.com, tw.yahoo.com, www.yahoo.com.uk, and www.yahoo.co.jp. STEP 5 Click Apply to save your settings.
  • Page 127: Configuring Blocked Urls To Prevent Access To Websites

    For example, if you enter yahoo for the URL, your users are prevented from accessing websites such as www.yahoo.com, tw.yahoo.com, www.yahoo.com.uk, and www.yahoo.co.jp. STEP 4 Click Apply to save your settings.
  • Page 128: Configuring Ip/Mac Binding To Prevent Spoofing

    NOTE After you enable logging, you can view these logs by clicking Status on the menu bar and then clicking View Log > View All Logs. STEP 4 Click Apply to save your settings.
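    The two checks from page 119 (source MAC filtering with an Allow or Deny list policy) and pages 120 and 128 (IP/MAC binding), run over a handful of constructed frames, as an added illustration rather than the appliance's own code. The binding table, the Deny list entry, the five frames and the wording of the log lines are all made up for the example; the page only says that violations are logged.

```python
"""Source MAC filtering (Allow/Deny list) followed by IP/MAC binding checks over
constructed frames, producing log lines of the kind Status > View Log collects.
Added illustration, not the SA500's implementation."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str


def norm_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so 00-11-... and 00:11:... compare equal."""
    return mac.lower().replace("-", ":")


def mac_filter_allows(policy: str, listed: Iterable[str], mac: str) -> bool:
    """Allow: only listed MACs may pass. Deny: listed MACs are blocked, all others pass."""
    hit = norm_mac(mac) in {norm_mac(m) for m in listed}
    if policy == "Allow":
        return hit
    if policy == "Deny":
        return not hit
    raise ValueError(f"unknown MAC filter policy {policy!r}")


def ipmac_violation(bindings: Dict[str, str], frame: Frame) -> Optional[str]:
    """bindings maps IP -> MAC. A frame violates the table if its IP is bound to a
    different MAC, or its MAC is bound to a different IP; returns the reason or None."""
    by_ip = {ip: norm_mac(m) for ip, m in bindings.items()}
    by_mac = {m: ip for ip, m in by_ip.items()}
    mac = norm_mac(frame.src_mac)
    bound_mac = by_ip.get(frame.src_ip)
    if bound_mac is not None and bound_mac != mac:
        return f"IP {frame.src_ip} is bound to {bound_mac} but was seen from {mac}"
    bound_ip = by_mac.get(mac)
    if bound_ip is not None and bound_ip != frame.src_ip:
        return f"MAC {mac} is bound to {bound_ip} but was seen using {frame.src_ip}"
    return None


def inspect(frames, bindings, policy, listed) -> Tuple[List[Frame], List[str]]:
    """Apply the MAC filter first, then IP/MAC binding. Returns (forwarded, log)."""
    forwarded, log = [], []
    for f in frames:
        if not mac_filter_allows(policy, listed, f.src_mac):
            log.append(f"MAC-FILTER drop src={norm_mac(f.src_mac)} ip={f.src_ip}")
            continue
        reason = ipmac_violation(bindings, f)
        if reason:
            log.append(f"IP/MAC-BINDING drop: {reason}")
            continue
        forwarded.append(f)
    return forwarded, log


# Constructed binding table and traffic sample.
BINDINGS = {"192.168.75.10": "00:11:22:33:44:55", "192.168.75.20": "00:11:22:33:44:66"}
DENY_LIST = ["DE-AD-BE-EF-00-01"]
FRAMES = [
    Frame("00:11:22:33:44:55", "192.168.75.10"),  # matches its binding
    Frame("aa:bb:cc:dd:ee:ff", "192.168.75.10"),  # someone else claiming .10
    Frame("00:11:22:33:44:66", "192.168.75.99"),  # bound MAC using another address
    Frame("00:11:22:33:44:77", "192.168.75.30"),  # unbound pair, passes
    Frame("de:ad:be:ef:00:01", "192.168.75.40"),  # on the Deny list
]


def demo():
    return inspect(FRAMES, BINDINGS, "Deny", DENY_LIST)


if __name__ == "__main__":
    forwarded, log = demo()
    print(f"{len(forwarded)} frames forwarded")
    print("\n".join(log))
```

    Two things worth carrying over to the real device: normalise MAC notation before comparing, since a Deny entry typed with dashes should still catch a frame whose MAC is shown with colons; and check the binding in both directions, because a host reusing a bound MAC from a new address is as much a spoofing signal as a new MAC claiming a bound address. Unbound pairs pass, so the binding table only protects the addresses you actually list.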
  • Page 129: Sip

    STEP 2 Check the box to enable SIP ALG support, or uncheck it to disable the feature. If this feature is disabled, the router will not allow incoming calls to the UAC (User Agent Client) behind the router. STEP 3 Click Apply to save your settings.
  • Page 130: Chapter 5: Intrusion Prevention System

    Configuring IPS • Configuring the IPS Policy • Configuring the Protocol Inspection Settings • Configuring Peer-to-Peer Blocking and Instant Messaging To access the IPS pages, click IPS from the Configuration Utility menu bar.
  • Page 131: Configuring Ips

    IPS signatures when they become available. To enable the auto update option, check the Automatically Update Signatures box. Enter your Cisco.com User Name and Password to authenticate to the signature update server. These credentials are only required once. Click Apply to save your settings.
  • Page 132: Configuring The Ips Policy

    • Manual Signature Updates: To manually update the latest signature file, click the Cisco.com link to obtain the file and download it to your computer. Browse to the location of the signature file on the local PC and then click Upload.
  • Page 133: Configuring The Protocol Inspection Settings

    For IPS messages to be logged, you must configure IPS as the facility. For more information, see Logs Facility and Severity, page 189. STEP 3 Click Apply to save your settings.
  • Page 134: Configuring Peer-To-Peer Blocking And Instant Messaging

    For IPS messages to be logged, you must configure IPS as the facility. For more information, see Logs Facility and Severity, page 189. STEP 3 Click Apply to save your settings.
  • Page 135: Chapter 6: Using Cisco Protectlink Security Services

    The SA500 Series supports Cisco ProtectLink Security Services. These services provide layers of protection against different security threats on your network. • Cisco ProtectLink Web provides all users with web threat protection to prevent access to dangerous websites and URL filtering to control employee access to non-business related websites.
  • Page 136: Chapter 7: Configuring Vpn

    Remote Access with a Web Browser: A remote worker uses a web browser to initiate a VPN tunnel to access the available services on the corporate network. See Configuring SSL VPN for Browser-Based Remote Access, page 154.
  • Page 137: Configuring A Site-To-Site Vpn Tunnel

    STEP 3 In the Connection Name and Remote IP Type area, enter the following information: • What is the new connection name?: Enter a name for the connection. The name is used for management and identification purposes.
  • Page 138 For the example illustrated in Figure 5, the remote site, Site B, has a LAN IP address of 10.20.20.0. • Remote LAN Subnet Mask: Enter the subnet mask associated with the subnet IP address entered above.
  • Page 139: Configuring An Ipsec Vpn Tunnel For Remote Access With A Vpn Client

    The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC) and assumes a pre-shared key, which greatly simplifies setup. For information about the VPNC recommendations, see: www.vpnc.org/vpn-standards.html.
  • Page 140 Documentation at: www.cisco.com/go/sa500resources. The Cisco VPN client software is available for download at: www.cisco.com/go/ciscovpnclient. For Windows, select Cisco VPN Client v5.x. For Mac OS, select Cisco VPN Client v4.x. NOTE A 3-year Cisco Small Business Support Service Contract (CON-SBS-SVC2) is required to download the client software.
  • Page 141 Configuring the IKE Policies for IPsec VPN, page 144. • To review or update the configured VPN policy, click IPsec > VPN Policies. For more information, see Configuring the IPsec VPN Policies, page 148.
  • Page 142: Configuring The User Database For The Ipsec Remote Access Vpn

    RADIUS server, see Configuring the IKE Policies for IPsec VPN, page 144. If you are using the Cisco VPN Client, see the Application Note located under Technical Documentation at: www.cisco.com/go/sa500resources.
  • Page 143 Quick VPN. This option should be selected when the clients use the QuickVPN Client. • Allow user to change password?: If you chose Cisco QuickVPN for the Remote Peer Type, you can check this box to allow the user to change the password.
  • Page 144: Advanced Configuration Of Ipsec Vpn

    VPN policies for a VPN tunnel. After the Wizard creates the matching IKE and VPN policies, you can make changes as needed. Advanced users can create an IKE policy from Add but must be sure to use compatible encryption, authentication, and key-group parameters for the VPN policy.
  • Page 145 Local device and the Remote device, below. If FQDN, User FQDN or DER ASN1 DN is selected as the identifier type, then Main Mode is disabled and Aggressive Mode is applied. Keep in mind that IKEv1 Aggressive Mode with pre-shared key authentication sends the identity unencrypted and exposes a hash derived from the pre-shared key to offline guessing; if you must use these identifier types, pair them with RSA-Signature authentication or a long, random pre-shared key.
  • Page 146 Selecting RSA-Signature disables the pre-shared key text box and uses the Active Self Certificate uploaded on the Certificates page. In that case, a certificate must be configured for RSA-Signature to work. See Managing Certificates for Authentication, page 190.
  • Page 147 The username can include any alphanumeric characters. Password: Enter the password for the security appliance to use when connecting to the remote server.
  • Page 148: Configuring The Ipsec Vpn Policies

    You cannot enable, disable, edit, or delete the backup policies. You can only take actions on the primary policy, by using the buttons in the List of VPN Policies table.
  • Page 149 WAN gateway for the tunnel based on the optional WAN link configuration. For this type of configuration, Dynamic DNS has to be configured because the IP address will change due to failover. See Dynamic DNS, page
  • Page 150 Key-Out: Encryption key of the outbound policy. The length of the keys depends on the chosen algorithm: DES: 8 characters; 3DES: 24 characters; AES-128: 16 characters; AES-192: 24 characters; AES-256: 32 characters; AES-CCM: 16 characters.
  • Page 151 SAs; otherwise the system could eventually run out of resources as a result of this asymmetry. The lifebyte specifications are generally recommended for advanced users only.
  • Page 152 Status. For more information, see IPsec VPN Status, page 210. • To view IPsec VPN logs, click Status > View Logs > IPsec VPN Logs. For more information, see IPsec VPN Logs, page 215.
  • Page 153 Otherwise, the changes will not take effect. STEP 1 Click VPN > IPsec > Dynamic IP Range. The Dynamic IP Range window opens. STEP 2 Enter a Start IP range and End IP range for the IP address.
  • Page 154: Configuring Ssl Vpn For Browser-Based Remote Access

    You can use SSL VPN to provide access to the following types of services on your network: • Internal websites • Web-enabled applications • NT/Active Directory and FTP file shares • E-mail proxies, including POP3S, IMAP4S, and SMTPS • MS Outlook Web Access • MAPI
  • Page 155: Access Options For Ssl Vpn

    Limit Internet access for Clientless SSL VPN users, for example, by limiting which resources a user can access using a clientless SSL VPN connection. To do this, you could restrict the user from accessing general content on the
  • Page 156: Elements Of The Ssl Vpn

    Port Forwarding: You can configure port forwarding to allow access to a limited set of resources. For example, you may want the SSL VPN users to access the email service only. See Configuring SSL VPN Port Forwarding, page 163.
  • Page 157: Scenario Step 1: Customizing The Portal Layout

    URL. The browser displays a login page with several features that you can configure: 1. Portal Site Title: appears at the top of the browser window 2. Banner Title 3. Banner Message. Configurable Areas of the SSL VPN Portal Layout
  • Page 158 • ActiveX web cache cleaner: Check this box to load an ActiveX cache control whenever users log in to this SSL VPN portal.
  • Page 159: Scenario Step 2: Adding The Ssl Vpn Users

    The User window opens. The default Administrator and Guest users appear in the List of Users table, along with any new users that you add. STEP 2 To add a user, click Add.
  • Page 160: Creating The Ssl Vpn Policies

    You can create user, group, and global policies. Policies are applied based on the following levels of precedence: • User-level policies take precedence over Group-level policies. • Group-level policies take precedence over Global policies.
  • Page 161 Policy For: Choose the type of policy: Global, Group, or User. If you choose Group, also choose the group from the Available Groups list. If you choose User, also choose the user from the Available Users list.
  • Page 162 STEP 6 Click Apply to save your settings. Next steps: NOTE Enable Remote Management (RMON), if you have not done so previously. If RMON is disabled, SSL VPN access is blocked. See RMON (Remote Management), page 197.
  • Page 163: Specifying The Network Resources For Ssl Vpn

    The following table lists some common applications and their TCP port numbers: TCP Application / Port Number: FTP Data (usually not needed); FTP Control Protocol; SMTP (send mail)
  • Page 164 Local Server IP Address: Enter the IP address of the internal host machine or local server. • TCP Port Number: Enter the port number of the TCP application that enables port forwarding. STEP 4 Click Apply to save your settings.
  • Page 165: Ssl Vpn Tunnel Client Configuration

    “network adapter” with an IP address from the corporate subnet, DNS and WINS settings is created automatically. This feature allows access to services on the private network without any special network configuration on the remote SSL VPN client machine.
  • Page 166 Client Routes for Split Tunnel Mode, page 167. • DNS Suffix (Optional): Enter the DNS Suffix for this client. • Primary DNS Server (Optional): Enter the IP address of the primary DNS Server for this client.
  • Page 167 Destination Network using this page. NOTE You can configure client routes only if Split Tunnel support is enabled on the SSL VPN Client page. See Configuring the SSL VPN Client, page 166.
  • Page 168: Viewing The Ssl Vpn Client Portal

    Port Forwarding information window opens. The user can click the Launcher icon to connect to the remote servers. • Change Password: The user can click this link to change his or her password.
  • Page 169: Verisign™ Identity Protection Configuration

    VIP service during the initial stages of deployment. • VIP Production: Choose this option if you have purchased the VeriSign service. The service uses VIP production servers to authenticate your users. c. Click Apply to save your settings.
  • Page 170: Managing User Credentials For Verisign Service

    After a user has been associated with a credential, the same user cannot be associated with a different credential. Only available users are shown in the user list. STEP 4 Click Apply to save your settings.
  • Page 171: Chapter 8: Administration

    There are two default accounts. You can change the user name and password for these accounts, but you cannot change the user policies. • admin: The administrator account, which has read-write access to all settings.
  • Page 172: Domains

    When you create a domain, a group is created automatically. It has the same name as the domain and is associated with the domain. To edit the group settings, see Groups, page 173.
  • Page 173: Groups

    NOTE For security, a password should contain no dictionary words from any language and should include a mixture of uppercase and lowercase letters, numbers, and symbols. The password can be up to 30 characters.
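    A checker for the password guidance in the note above, added here as an illustration and not taken from the appliance: it enforces the 30-character maximum, the four character classes, and a dictionary-word test that first undoes common letter-for-digit substitutions. The word list is a constructed stand-in for a real dictionary, and the minimum word length of four is an assumption; the page states no minimum password length, so none is enforced.

```python
"""Checks a candidate password against the policy in the note above (mixed case,
digits and symbols, no dictionary words, at most 30 characters).
Added illustration, not the appliance's own check; the word list is a constructed stand-in."""
import string
from typing import List

MAX_LEN = 30
# Tiny constructed word list; a real check loads full dictionaries, in several languages.
WORDLIST = {"password", "cisco", "admin", "welcome", "summer", "letmein", "secret"}
# Undo common substitutions so "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans("0134578@$!", "oleastbasi")


def contains_dictionary_word(pw: str, wordlist=WORDLIST, min_len: int = 4) -> bool:
    """Case-insensitive substring match after reversing leet substitutions."""
    normalized = pw.lower().translate(LEET)
    return any(w in normalized for w in wordlist if len(w) >= min_len)


def check_password(pw: str) -> List[str]:
    """Returns the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("cisco", "P@ssw0rd!", "xK7#vQ2m!Lp9"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

    Note that "P@ssw0rd!" satisfies every character-class rule and still fails, which is the reason the note lists dictionary words separately from the mix of classes.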
  • Page 174 NOTE Every user is added as a local user with a password; when the user is assigned to an external authentication mechanism based on the group, certain attributes, such as the local password, are ignored.
  • Page 175: Adding Or Editing User Login Policies

    Policies column. When the User Policy By Source IP Address window opens, enter the following information: In the User Policy By Source IP Address area, choose whether to Deny Login from Defined Addresses or to Allow Login only from Defined Addresses.
  • Page 176: Firmware And Configuration

    (not through the Configuration Utility).
  • Page 177 Check for New Firmware & Download: Check Periodically: Check this option to automatically check for firmware updates daily (every 24 hours). Enter your Cisco User Name and Password and click Apply to save your settings. NOTE Once applied, the Cisco username and password are used by all other services on the router that require them.
  • Page 178: Maintaining The Usb Device

    IMPORTANT! Restoring a saved configuration will remove your current settings. Firewall rules, VPN policies, LAN/WAN settings and all other settings will be lost. Back up your settings to ensure that you can restore them later if needed.
  • Page 179 Backup / Restore Settings / Software Upgrade To save a backup copy of the current settings and digital certificates, click Backup. The file is saved as cisco.cfg. Because the file holds your certificates and full configuration, protect the USB device and the file as you would any other credential. To restore the settings from a previously saved configuration file, click Restore. Locate and select the backup file on the connected USB storage device.
  • Page 180: Using The Secondary Firmware

    Ping or Trace an IP Address: You can use these tools to test your network. Ping through VPN tunnel: Check the box to enable pinging through the VPN tunnel. Otherwise, uncheck the box.
  • Page 181 Packet Trace. When the Capture Packets window opens, choose the interface: LAN, Dedicated WAN, or Optional WAN. Click Start to begin capturing packets. Click Stop to stop the capture. To download the report, click Download.
  • Page 182: Measuring And Limiting Traffic With The Traffic Meter

    (Download Only or Both) selected above. • Increase This Month's Limit: If the monthly traffic limit has been reached and you need to temporarily increase the limit, check this option and type in the amount of the increase.
  • Page 183 Volume of traffic, in megabytes, that was downloaded through this interface. Total Traffic Volume: Amount of traffic, in megabytes, that passed through this interface in both directions. Average per day: Average volume of traffic that passed through this interface per day.
  • Page 184: Configuring The Time Settings

    NTP servers, or enter the IP addresses of up to four custom NTP servers. The default NTP Server settings are as follows: 0.ciscosb.pool.ntp.org, 1.ciscosb.pool.ntp.org, 2.ciscosb.pool.ntp.org, 3.ciscosb.pool.ntp.org. STEP 3 Click Apply to save your settings.
  • Page 185: Configuring The Logging Options

    • Other Event Logs: Choose the other types of events to be logged. Source MAC Filter: If checked, logs packets matched by source MAC filtering. Uncheck to disable source MAC filtering logs.
  • Page 186 Logging for the individual firewall rules should also be enabled. WAN to DMZ: Enable logging for firewall rules matching WAN to DMZ source and destination. Logging for the individual firewall rules should also be enabled.
  • Page 187: Ipv6 Logging

    SSH traffic from the LAN to the WAN. The firewall rule must also allow logging. For more information, see Configuring Firewall Rules to Control Inbound and Outbound Traffic, page 103. STEP 3 Click Apply to save your settings.
  • Page 188: Remote Logging

    This option is useful when you do not want to receive logs by email but want to keep the email options configured so that you can use the Send Log function from the Status > View Logs pages.
  • Page 189: Logs Facility And Severity

    Critical conditions. Syslog definition is LOG_CRIT. Error (level 3): Error conditions. Syslog definition is LOG_ERR. Warning (level 4): Warning conditions. Syslog definition is LOG_WARNING. Notification (level 5): Normal but significant condition. Syslog definition is LOG_NOTICE.
  • Page 190: Managing Certificates For Authentication

    CA Identity (Subject Name): The organization or person to whom the certificate is issued. • Issuer Name: The name of the CA that issued the certificate. • Expiry Time: The date after which the certificate becomes invalid.
  • Page 191 To delete a certificate, check the box to select it and then click Delete. • To download the router’s certificate (.pem file), click Download under the Download Settings area. STEP 3 To request a certificate from the CA, click Generate CSR.
  • Page 192 Click Generate. A new certificate request is created and added to the Certificate Signing Request (CSR) table. To view the request, click the View button next to the certificate you just created.
  • Page 193: Configuring Radius Server Records

    Timeout: Enter the number of seconds that the connection can exist before re-authentication is required. • Retries: Enter the number of times the device retries authentication with the RADIUS server. STEP 4 Click Apply to save your settings.
  • Page 194: License Management

    • For the SA540 model, a free upgrade to 50 seats is available. You must download a license key from Cisco to enable these seats. To obtain the license key, click the Upgrade to 50 Seats link on the License Management page.
  • Page 195 Action: Use to perform a next step action. Depending on what you want to do, click one of these links: Install: Install and activate the license. Free Trial: Download a trial license from Cisco.com. Renew: Renew your existing license if your license is about to expire or has already expired.
  • Page 196 Installation. License Type: License Code (PAK) from cisco.com: Automatically retrieves and installs the license on the device from the Cisco server. To use this option, enter your PAK ID and Cisco.com username and password. These credentials are required for the device to authenticate to the Cisco server.
  • Page 197: Chapter 9: Network Management

    IP address. Since a malicious WAN user can reconfigure the router and misuse it in many ways, it is highly recommended that you change the admin and guest passwords before continuing.
  • Page 198 Port Number: Displays the port number used for the remote connection. • Remote SNMP Enable: Check the box to enable SNMP for the remote connection. STEP 3 Click Apply to save your settings.
  • Page 199: Cdp

    Cisco Discovery Protocol (CDP) is a device discovery protocol that runs on Cisco-manufactured equipment. Each CDP-enabled device sends periodic messages to a multicast address and also listens for the periodic messages sent by others, in order to learn about neighboring devices and determine their status.
  • Page 200: Configuring Snmp

    SysContact: The name of the contact person for this security appliance. • SysLocation: The physical location of the security appliance. • SysName: A name given for easy identification of the security appliance. STEP 3 Click Apply to save your settings.
  • Page 201: Upnp

    Advertisement Time to Live: Expressed in hops for each UPnP packet; this is the number of hops a packet is allowed to propagate before being discarded. Small values limit the UPnP broadcast range. STEP 3 Click Apply to save your settings.
  • Page 202: Bonjour

    The default services are visible only to hosts belonging to the associated VLANs. By default, LAN/Default-VLAN is the broadcasting domain. STEP 3 Click Apply to add the VLAN. The VLAN associated with the service appears in the List of VLANs table.
  • Page 203 To dissociate the VLAN from the service, check the box next to the appropriate VLAN and click Delete.
  • Page 204: Chapter 10: Status

    To access the Status pages click Status from the Configuration Utility menu bar. Device Status The Device Status section consist of the following pages: • Device Status • Resource Utilization • Interface Statistics • Port Statistics • Wireless Statistics for the SA520W Cisco SA500 Series Security Appliances Administration Guide...
  • Page 205: Device Status

    The number of logs in each level is displayed. Routing Mode Displays the routing mode of the router (NAT or Classical routing), WAN Mode Displays the WAN configuration mode of the router (Single WAN port, Auto- rollover, or Load Balancing). Cisco SA500 Series Security Appliances Administration Guide...
  • Page 206 All Tunnels Number of active Site-to-Site VPN tunnels and the total number of configured Site-to-Site VPN tunnels. Remote Access VPN SSL Users Number of active SSL users. IPsec Users Number of IPsec users. Cisco SA500 Series Security Appliances Administration Guide...
  • Page 207: Resource Utilization

    Stop button and then click Start to restart the automatic refresh using the specified poll interval. Start Enables the automatic page refresh. Stop Disables the automatic page refresh feature.
  • Page 208: Port Statistics

    The counters are reset when the device is rebooted. Radio Statistics The radio can have multiple virtual access points configured and active concurrently. This table indicates cumulative statistics for the radio.
  • Page 209 Errors Number of transmitted/received (tx/rx) packet errors reported to the access point. Dropped Number of transmitted/received (tx/rx) packets dropped by the access point. Multicast Number of multicast packets sent over this access point.
  • Page 210: Vpn Status

    VPN tunnel is set up automatically. However, you can use the Connect/Disconnect button to manually connect or disconnect the VPN tunnel.
  • Page 211: Ssl Vpn Status

    Click Disconnect to terminate an active user's session and hence the associated SSL VPN tunnel (if any). NOTE If the tunnel is not established by the user, the tunnel-specific fields will have no values.
  • Page 212: Quick Vpn Status

    Stop button and use Start to restart automatic refresh. Start Click to enable the automatic page refresh feature. Stop Click Stop to disable the automatic page refresh feature.
  • Page 213: Active Users

    Logs Facility and Severity, page 189. For example: If you select Critical, all messages listed under the Critical, Error, Warning, Notification, Information, and Debugging categories are displayed. Emergency and Alert categories will not be displayed.
  • Page 214 Click Clear Logs to delete all entries in the log window. • Click Send Logs to email the log messages that are currently displayed in the log window. The logs are sent to the email addresses that you configured in
  • Page 215: Ipsec Vpn Logs

    Send Log. CDP Neighbor The Cisco Discovery Protocol (CDP) provides information about other devices that are connected to this device and that support the CDP protocol. The page displays information specific to the device and identifies the network interface of this device on which the neighbor was discovered.
  • Page 216: Lan Devices

    Click Refresh Data to update the data on the screen. • Click Reset Data to reset the values to 0. NOTE Elapsed Collection Time indicates the period of time in which the data was collected.
  • Page 217: Appendix A: Troubleshooting

    STEP 6 Ensure that you are using the correct login information. The factory default login name is cisco and the password is cisco. Ensure that CAPS LOCK is off when entering this information.
  • Page 218 STEP 4 When the modem LEDs indicate that it has resynchronized with the ISP, reapply power to the security appliance. If the security appliance still cannot obtain an ISP address, see the next symptom.
  • Page 219 STEP 1 Ask your ISP for the addresses of its designated Domain Name System (DNS) servers. Configure your PC to recognize those addresses. For details, see your operating system documentation. STEP 2 On your PC, configure the security appliance to be its TCP/IP gateway.
  • Page 220: Date And Time

    Possible cause: The security appliance does not automatically adjust for Daylight Savings Time. Recommended action: STEP 1 Click Administration > Time Zone. STEP 2 Check or uncheck Automatically adjust for Daylight Savings Time. STEP 3 Click Apply to save your settings.
  • Page 221: Pinging To Test Lan Connectivity

    Verify that the Ethernet card driver software and TCP/IP software are installed and configured on the PC. • Verify that the IP addresses for the security appliance and PC are correct and on the same subnet.
  • Page 222 MAC address of just a single PC connected to that modem. If this is the case, configure your firewall to clone or spoof the MAC address from the authorized PC. For more information, see Configuring the WAN Connection, page
  • Page 223: Restoring Factory Default Configuration Settings

    After a restore to factory defaults, the following settings apply: • LAN IP address: 192.168.75.1 • Username: cisco • Password: cisco • DHCP server on LAN: enabled • WAN port configuration: Get configuration via DHCP
  • Page 224: Appendix B: Standard Services

    See Creating Custom Services, page 104. BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5
  • Page 225 Standard Services (continued) ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, IMAP2, IMAP3, NEWS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP
  • Page 226 Standard Services (continued) SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, VDOLIVE
  • Page 227: Appendix C: Technical Specifications And Environmental Requirements

    • 1 X USB connector for USB 2.0 • 3 X external antennas • Operating Temperature: 32 to 104°F (0 to 40°C) (the same value is listed for each of the three models)
  • Page 228 (H x W x D) Antenna adds approximately 6-3/4 inches (171 mm) to height and 1-2/8 inches (30 mm) to depth. Weight (with Power Supply): 4.91 lb, 5.15 lb, 5.14 lb (one value per model)
  • Page 229: Appendix D: Factory Default Settings

    Feature: Setting • Date and Time - Protocol • Date and Time - Time Zone: Pacific Time (US & Canada) • DDNS: disable • HTTP Remote Access: enable • HTTPS Remote Access: enable • SNMP - Trusted Peer IP address • SNMP Agent: disable
  • Page 230 Changes • Email Server Requires Authentication: disable • Cisco Discovery Protocol: enabled on LAN / disabled on WAN port • Bonjour: enabled on LAN / disabled on WAN port • UPnP: disable • Radius Server Port: 1812
  • Page 231: Router Settings

    • VLAN - Data, Start IP Address: 192.168.x.50 • VLAN - Data, End IP Address: 192.168.x.254 • VLAN - Data, Subnet Mask: 255.255.255.0 • VLAN - Data, Lease Time in Minutes: 1440 • HTTP Remote Access: enable
  • Page 232 • IPSec - Signaling Authentication - Auto Reconnect: enable • IPSec - Signaling Authentication - Local Subnet (Data VLAN subnet): 192.168.10.0 • IPSec - Signaling Authentication - Local Subnet (Data VLAN subnet mask): 255.255.255.0
  • Page 233 - Phase 2 - Use PFS • IPSec - Signaling Authentication - Phase 2 - Group Description Attribute: DH Group 2 (1024 bit) • IPSec - Signaling Authentication - Phase 2 - Hash Algorithm: SHA1
  • Page 234: Wireless Settings

    • VLAN - Data, IP Address (Failover when no DHCP Server Available): See Product Tab • VLAN - Data, Subnet Mask (Failover when no DHCP Server Available): 255.255.255.0 • VLAN - Data, Name (optional): Data VLAN
  • Page 235 100% • Radio: disabled • 802.1x supplicant: disabled • Clustering of Access Points - unique to AP54x: disabled • Broadcast / Multicast Rate Limiting: disabled • Broadcast / Multicast Rate Limit: 50pps • Multicast traffic rate per radio: auto
  • Page 236 (AIFS): 4 queues = 1ms, 1ms, 3ms, 7ms • Minimum contention window: 4 queues = 3ms, 7ms, 15ms, 15ms • Maximum Burst: 4 queues = 1.5ms, 3ms, 0ms, 0ms • Maximum contention window: 4 queues = 7ms, 15ms, 15ms, 15ms
  • Page 237: Storage

    • Idle Drive Spin Down (1-8 hours, 1 day): 8 hours • Public access to share: Read-only • Idle Disconnect Timeout: 5 minutes • Banner: Welcome to the Cisco Small Business FTP Server • Allow Anonymous Access: disable • Allow Anonymous File Upload: disable • Allow Anonymous File Download: enable...
  • Page 238: Security Settings

    Enable • Block TCP Flood: Enable • Block UDP Flood: Enable • Block ICMP Notification: Enable • Block Fragmented Packets: Enable • Block Multicast Packets: Enable • SYN Flood Detect Rate: 128 max/sec • Echo Storm (ping packets/sec): 15 packets/sec
  • Page 239 Security Settings (Feature: Setting) • ICMP Flood (ICMP packets/sec): 100 packets/sec
  • Page 240: Appendix E: Where To Go From Here

    Cisco provides a wide range of resources to help you and your customer obtain the full benefits of the SA500 Series Security Appliances. Product Resources • Support: Cisco Small Business Support Community, www.cisco.com/go/smallbizsupport • Online Technical Support and www.cisco.com/support...