Cisco Small Business RV220W Administration Manual

Wireless-n network security firewall

ADMINISTRATION
GUIDE
Cisco Small Business
RV220W Wireless-N Network Security Firewall

Summary of Contents for Cisco Small Business RV220W

  • Page 1 ADMINISTRATION GUIDE Cisco Small Business RV220W Wireless-N Network Security Firewall...
  • Page 2 Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
  • Page 3: Table Of Contents

    Contents Chapter 1: Introduction Product Overview Configuring the RV220W Logging In Setting Up the Cisco RV220W Using the Setup Wizard Using the Getting Started Page Features of the User Interface Suggested Next Steps Chapter 2: Configuring Networking WAN Settings for IPv4...
  • Page 4 Wi-Fi Multimedia and Quality of Service Settings SSID Schedule for Network Availability Advanced Settings Wireless Distribution System (WDS) Chapter 4: Firewall Cisco RV220W Firewall Features Access Rules Setting the Default Outbound Policy and Managing Access Rules Adding and Editing Access Rules Cisco RV220W Administration Guide...
  • Page 5 Enabling IGMP and Managing the Allowed Networks Table Adding or Editing the Allowed Networks SIP ALG Firewall Configuration Examples Chapter 5: Cisco ProtectLink Web Getting Started with Cisco ProtectLink Web Global Settings for Approved URLs and Clients
  • Page 6 Portal Layouts Managing Portal Layouts Adding or Editing a Portal Layout SSL VPN Policies About SSL VPN Policies Managing SSL VPN Policies Configuring an SSL VPN Policy Resources for SSL VPN Managing Resources Configuring a Resource
  • Page 7 Importing a Trusted Certificate from a File Importing an Active Self Certificate from a File Generating a Certificate Request Viewing a Certificate Request Using the Cisco RV220W With a RADIUS Server Managing RADIUS Server Configurations Adding or Editing a RADIUS Server Configuration Configuring 802.1x Port-Based Authentication...
  • Page 8 SNMP System Information WAN Traffic Meter Diagnostics Network Tools Capture Packets Logging Logging Policies Managing Logging Policies Configuring a Logging Policy Firewall Logs Remote Logging Configuration Discovery Settings Discovery Settings for Bonjour UPnP Discovery Time Settings
  • Page 9 Creating a CSV File Importing a CSV File Firmware Upgrade Rebooting the Cisco RV220W Restoring the Factory Defaults Chapter 10: Viewing the RV220W Status Viewing the Dashboard Viewing the System Summary Viewing the Wireless Statistics Viewing the IPsec Connection Status...
  • Page 10 Contents Attaching the Antennas Connecting the Equipment Verifying the Hardware Installation Connecting to Your Wireless Network Appendix B: Using Cisco QuickVPN Overview Before You Begin Installing the Cisco QuickVPN Software Installing from the CD-ROM Downloading and Installing from the Internet...
  • Page 11: Chapter 1: Introduction

    • Configuring the RV220W, page 12 • Setting Up the Cisco RV220W Using the Setup Wizard, page 13 Product Overview Thank you for choosing the Cisco Small Business RV220W Wireless-N Network Security Firewall. The Cisco RV220W is an advanced Internet-sharing network solution for your small business needs.
  • Page 12: Configuring The RV220W

    STEP 2 Start a web browser on your PC. STEP 3 In the Address bar, enter the LAN IP address of the RV220W (default 192.168.1.1). Note: If Bonjour is enabled (the default setting), the RV220W advertises its record information to any browsing device attached to its network.
  • Page 13: Setting Up The Cisco RV220W Using The Setup Wizard

    STEP 5 Click Log In. Setting Up the Cisco RV220W Using the Setup Wizard With the Cisco RV220W powered on and connected to a PC, use the Setup Wizard to configure the network settings. To use the Setup Wizard: STEP 1 After logging in to the configuration utility, click Run Setup Wizard in the navigation tree.
  • Page 14: Features Of The User Interface

    NOTE When you get a new router, be sure to check Cisco.com for firmware updates. Then in the Quick Access section of the Getting Started page, use the Update Device Firmware link to install your new firmware.
  • Page 15: Suggested Next Steps

    Alternatively, for a simpler VPN setup, you can enable remote management, configure user accounts, and distribute Cisco QuickVPN to your remote workers. The Cisco QuickVPN software is found on the CD that shipped with your router. Also see Using Cisco QuickVPN, page 218.
  • Page 16: Chapter 2: Configuring Networking

    • Configuring the IPv4 WAN Settings, page 17 • PPPoE Profiles for Point-to-Point Protocol over Ethernet Connections, page 20 NOTE For instructions on configuring your RV220W for an IPv6 network, see the “IPv6” section on page...
  • Page 17: Configuring The IPv4 WAN Settings

    Tunneling Protocol (L2TP) connection to the Internet (used in Europe). In the L2TP section, enter your user name, password, and connection type, IP address, and server IP address. Optionally, enter the secret phrase. The fields are described in the table below this step.
  • Page 18 Idle Time field. Server IP Address: Enter the IP address of the PPTP or L2TP server specified by your service provider.
  • Page 19 STEP 3 In the Router MAC Address section, specify the MAC address source. The RV220W has a unique 48-bit local Ethernet hardware address. In most cases, the RV220W’s default MAC address is used to identify your Cisco RV220W to your ISP.
  • Page 20: PPPoE Profiles For Point-To-Point Protocol Over Ethernet Connections

    To delete a profile, check the box and then click Delete. To select all profiles, check the box in the heading row, and then click Delete. When the confirmation message appears, click OK to continue with the deletion, or otherwise click Cancel.
  • Page 21: Adding And Editing PPPoE Profile Settings

    • Authentication Type—Choose one of the following options: Auto-negotiate—The server sends a configuration request specifying the security algorithm set on it. The RV220W then sends back authentication credentials with the security type sent earlier by the server. PAP—The RV220W uses Password Authentication Protocol (PAP) when connecting with the ISP.
  • Page 22: LAN Configuration For IPv4

    The RV220W includes the WINS server IP address in the DHCP configuration when acknowledging a DHCP request from a DHCP client. You can also enable a DNS proxy. When enabled, the RV220W then acts as a proxy for all DNS requests and communicates with the ISP's DNS servers.
  • Page 23 DHCP Server—Choose this option to allow the Cisco RV220W to dynamically assign IP addresses to devices in the network. By default, the Cisco RV220W functions as a DHCP server to the hosts on the Wireless LAN (WLAN) or LAN network and assigns IP and DNS server addresses. With DHCP enabled, the RV220W's IP address serves as the gateway address to your LAN.
  • Page 24: VLAN Membership

    STEP 4 In the LAN (Local Network) Proxy section, check Enable to enable the Cisco RV220W to act as a proxy for all DNS requests and to communicate with the ISP's DNS servers. STEP 5 Click Save to save your settings, or click Cancel to reload the page with the current settings.
  • Page 25 Device Management—Check the box to enable this feature, or uncheck the box to disable it. This setting determines whether or not clients can access the Cisco RV220W Configuration Utility on this VLAN. To prevent access to this utility from this VLAN, disable this feature.
  • Page 26: Multiple VLAN Subnets

    DHCP Server—Choose this option to allow the Cisco RV220W to dynamically assign IP addresses to devices in the VLAN subnet. By default, the Cisco RV220W functions as a DHCP server to the hosts in the subnet. If you choose this option, enter this information: Domain Name—Enter the domain name for the VLAN subnet (optional).
  • Page 27 STEP 4 Click Save to save your settings, or click Cancel to reload the page with the current settings. If you are connected to the Cisco RV220W by the LAN port that is a member of this VLAN, the system reboots and connects you to the RV220W using its new IP address.
  • Page 28: Static DHCP

    STEP 2 Click Save to save your settings, or click Cancel to reload the page with the current settings. After saving or canceling, you can add, edit, or delete other entries.
  • Page 29: Advanced DHCP Configuration

    Advanced DHCP Configuration You can configure the Cisco RV220W to download a configuration file from a TFTP server by using Option 66, Option 67, and Option 160. You also can associate different client devices with different configuration files. When you reboot the router, it will download the specified files.
  • Page 30: DHCP Leased Clients

    DHCP Leased Clients Use the Networking > LAN (Local Network) > DHCP Leased Client page to view the endpoints that are receiving IP addresses from the Cisco RV220W’s DHCP server. To open this page: In the navigation tree, choose Networking > LAN (Local Network) >...
  • Page 31: Routing

    Static Routes, page 33 • Dynamic Routing, page 35 Routing Mode The Cisco RV220W provides two different routing modes: Gateway (NAT) and Router. To open this page: In the navigation tree, choose Networking > Routing > Routing Mode. STEP 1 Choose one of the following options: •...
  • Page 32: Routing Table

    • Use—Count of lookups for the route. Depending on the use of -F and -C, this is either route cache misses (-F) or hits (-C). • Iface—Interface to which packets for this route will be sent.
  • Page 33: Static Routes

    Add / Edit Static Route Configuration page. For more information, see Configuring Static Routes, page • To delete a route, check the box, and then click Delete. When the confirmation message appears, click OK to continue with the deletion, or otherwise, click Cancel.
  • Page 34: Configuring Static Routes

    It will be listed in the routing table, but will not be used by the RV220W. The route can be enabled later. This feature is useful if the network that the route connects to is not available when you add the route.
  • Page 35: Dynamic Routing

    Use the Networking > Routing > Dynamic Routing page to enable and configure Routing Information Protocol (RIP). RIP is an Interior Gateway Protocol (IGP) that is commonly used in internal networks. When RIP is enabled, the Cisco RV220W can exchange its routing information automatically with other routers and can dynamically adjust its routing tables to adapt to changes in the network.
  • Page 36 • Not Valid After—Enter the end date and time when the authentication key is valid for authentication. STEP 4 Click Save to save your settings, or click Cancel to reload the page with the current settings.
  • Page 37: Port Management

    Port Management The Cisco RV220W has four LAN ports and a dedicated WAN port. You can enable or disable ports, configure the duplex mode, and set the port speed. To open this page: In the navigation tree, choose Networking > Port Management.
  • Page 38: Dynamic Dns

    When this feature is enabled, and you have an active account with a DDNS provider, the Cisco RV220W notifies DDNS servers of changes in the WAN IP address, so that any public services on your network can be accessed by using the domain name.
  • Page 39: IPv6

    IPv6 The IPv6 configuration information for your RV220W is performed in several windows in the Device Manager of the Cisco RV220W. Make sure you enable IPv4 and IPv6 Dual-Stack, configure the WAN, and configure the LAN. • IPv6 WAN (Internet), page 40 •...
  • Page 40: IPv6 WAN (Internet)

    IPv6 WAN (Internet) Use the IPv6 > IPv6 WAN (Internet) page to configure your Cisco RV220W in an IPv4 and IPv6 Dual-Stack network. Before you can configure your IPv6 WAN settings, you need to enable IPv4 and IPv6 Dual-Stack mode on the IPv6 > IP Mode page.
  • Page 41: Configuring IPv6 LAN Properties

    Stateless Address Auto Configuration—An ICMPv6 discover message will originate from the RV220W and is used for auto-configuration, rather than the RV220W contacting the DHCP server at the ISP to obtain a leased address. • Stateful Address Auto Configuration—The RV220W connects to the ISP's DHCPv6 server for a leased address.
  • Page 42 STEP 3 In the IP Address Pool Table, manage the entries as needed. You can define the IPv6 delegation prefix for a range of IP addresses to be served by the Cisco RV220W’s DHCPv6 server. Using a delegation prefix, you can automate the process of informing other networking equipment on the LAN of DHCP information specific for the assigned prefix.
  • Page 43: Configuring IPv6 Static Routing

    Some ISPs require static routes to build your routing table instead of using dynamic routing protocols. Static routes do not require CPU resources to exchange routing information with a peer router or RV220W. You can also use static routes to reach peer routers and RV220Ws that do not support dynamic routing protocols.
  • Page 44: Configuring An IPv6 Static Route

    Otherwise, uncheck the box. When a route is added in an inactive state, it will be listed in the routing table, but will not be used by the Cisco RV220W. The route can be enabled later. This feature is useful if the network that the route connects to is not available when you add the route.
  • Page 45: Configuring IPv6-To-IPv4 Tunneling

    To add an entry, click Add. Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is a method to transmit IPv6 packets between dual-stack nodes over an IPv4 network. The Cisco RV220W is one endpoint (a node) for the tunnel. You must also set a local endpoint, as well as the ISATAP Subnet Prefix that defines the logical ISATAP subnet to configure a tunnel.
  • Page 46: Configuring An ISATAP Tunnel

    IPv6 packets between dual-stack nodes over an IPv4 network. The Cisco RV220W is one endpoint (a node) for the tunnel. You must also set a local endpoint, as well as the ISATAP Subnet Prefix that defines the logical ISATAP subnet to configure a tunnel.
  • Page 47 1492 bytes. Unless your ISP requires a different setting, this setting should not be changed. • Router Lifetime—Enter the time in seconds that the Router Advertisement messages will exist on the route. The default is 3600 seconds.
  • Page 48: RADVD Advertisement Prefixes

    Add/Edit Advertisement Configuration page. See Adding and Editing Advertisement Prefixes, page • To delete an entry, check the box and then click Delete. When the confirmation message appears, click OK to continue with the deletion, or otherwise click Cancel.
  • Page 49: Adding And Editing Advertisement Prefixes

    STEP 2 Enter the Prefix Lifetime, which is the number of seconds that the requesting router is allowed to use the prefix. STEP 3 Click Save to save your settings, or click Cancel to reload the page with the current settings.
  • Page 50: Chapter 3: Configuring The Wireless Network

    Like signals from your cellular or cordless phones, signals from your wireless network can also be intercepted. This information will help you to improve your security: • Wireless Security Tips, page 51 • General Network Security Guidelines, page 52
  • Page 51: Wireless Security Tips

    158. • Enable MAC address filtering Cisco routers and gateways give you the ability to enable Media Access Control (MAC) address filtering. The MAC address is a unique series of numbers and letters assigned to every networking device. With MAC address filtering enabled, wireless network access is provided solely for wireless devices with specific MAC addresses.
  • Page 52: General Network Security Guidelines

    Password Rules for Password Complexity, page 156. General Network Security Guidelines Wireless network security is useless if the underlying network is not secure. Cisco recommends that you take the following precautions: • Password protect all computers on the network and individually password protect sensitive files.
  • Page 53: Basic Settings

    Basic Settings The Cisco RV220W provides four SSIDs or virtual access points. These networks can be configured and enabled with individual settings. You can set up multiple networks to segment the network traffic, to allow different levels of access, such as guest access, or to allow access for different functions such as accounting, billing, and so on.
  • Page 54 • Channel—Choose the frequency that the radio uses to transmit wireless frames, or choose Auto to let the Cisco RV220W determine the best channel based on the environment noise levels for the available channels. The Current Channel field displays the currently selected channel and frequency.
  • Page 55 To restrict access to a wireless network based on the day and time, select a network and then click Edit SSID Scheduling. Then enter the settings on the SSID Schedule page. See SSID Schedule for Network Availability, page
  • Page 56: Security Settings For Wireless Networks

    Use the Wireless > Basic Settings > Security Settings page to configure security for the selected wireless network. All devices on this network (SSID) must use the same security mode and settings to work correctly. Cisco recommends using the highest level of security that is supported by the devices in your network.
  • Page 57 Unmask Password—Check the box if you want to see the key as typed. Otherwise, the password is masked. • Key Renewal—Enter the number of seconds after which the Cisco RV120W will generate a new key. These keys are internal keys exchanged between the Cisco RV120W and connected devices. The default value (3600 seconds) is usually adequate unless you are experiencing network problems.
  • Page 58: MAC Filtering For Wireless Network Access Control

    STEP 3 In the Connection Control section, choose one of the following options to limit access to the selected network: • Block—Deny connections from the endpoints identified in the Connection Control List. Access is allowed from all other clients, subject to the security settings.
  • Page 59: Connected Clients

    Tip: To copy an address, use your mouse to select it, then right-click and choose Copy. You can click the browser’s Back button to return to the Connection Control List, where you can paste the copied address into a MAC address field.
  • Page 60: Wi-Fi Multimedia And Quality Of Service Settings

    STEP 4 current settings. Click Back to return to the Wireless > Basic Settings page. If you need to edit the settings for another network, select it from the SSID list, and then repeat this procedure.
  • Page 61: SSID Schedule For Network Availability

    STEP 3 current settings. Click Back to return to the Wireless > Basic Settings page. If you need to edit the settings for another network, select it in the SSID list, and then repeat this procedure.
  • Page 62: Advanced Settings

    Protection Mode—Choose whether or not to enable CTS-to-Self Protection. This mechanism is used to minimize collisions among stations in a mixed 802.11b and 802.11g environment. This function boosts the Cisco RV220W’s ability to catch all wireless transmissions but severely decreases performance.
  • Page 63: Wireless Distribution System (WDS)

    3 WDS peers. To open this page: In the navigation tree, choose Wireless > WDS. STEP 1 Check the Enable box to enable WDS in the Cisco RV220W. Otherwise, uncheck the box. WDS is disabled by default.
  • Page 64: Chapter 4: Firewall

    Cisco RV220W Firewall Features You can secure your network by creating and applying access rules that the Cisco RV220W uses to selectively block and allow inbound and outbound Internet traffic. You then specify how and to what devices the rules apply. You can configure the following: •...
  • Page 65 WAN ports are configured; for the Cisco RV220W, you may use the IP address if a static address is assigned to the WAN port, or if your WAN address is dynamic, a DDNS (Dynamic DNS) name can be used.
  • Page 66: Access Rules

    STEP 4 In the Access Rule Table, perform these tasks: • To add a rule, click Add Rule. Then enter the settings on the Add/Edit Access Rule Configuration page. See Adding and Editing Access Rules, page
  • Page 67: Adding And Editing Access Rules

    Outbound LAN (Local Network) to WAN (Internet)—Traffic from your network (LAN) to the Internet (WAN) • Action—Choose one of the following actions: Always Block—Always block the selected type of traffic. Always Allow—Never block the selected type of traffic.
  • Page 68 ICMP (Internet Control Message Protocol) type 3 through 11 or 13; ICQ (chat); IMAP (Internet Message Access Protocol) 2 or 3; IRC (Internet Relay Chat); NEWS; NFS (Network File System); NNTP (Network News Transfer Protocol); PING; POP3 (Post Office Protocol)
  • Page 69 TACACS (Terminal Access Controller Access-Control System); TELNET (command); TFTP (Trivial File Transfer Protocol); RIP (Routing Information Protocol); SHTTPD (Simple HTTPD web server); IPSEC-UDP-ENCAP (UDP Encapsulation of IPsec packets); IDENT protocol; VDOLIVE (live web video delivery); SSH (secure shell); SIP-TCP or SIP-UDP
  • Page 70 IP address), check the Enable box and then enter the public IP address in the SNAT IP field. Secure Network Address Translation (SNAT) maps a public IP address to an IP address on your private network.
  • Page 71: Changing Access Rule Priorities

    Move the selection to a specific position within the list: Identify the insertion point by typing an existing priority number in the white text box. Then click Move To. Your selection will be moved immediately below the...
  • Page 72: Attack Prevention

    Attack Prevention Attacks are malicious security breaches or unintentional network issues that render the Cisco RV220W unusable. Attack prevention allows you to manage WAN security threats such as continual ping requests and discovery via ARP scans. TCP and UDP flood attack prevention can be enabled to manage extreme usage of WAN resources.
  • Page 73: Content Filtering

    Enable Check Referer: Check the box to enable checking the HTTP referer header for allowed URLs. When enabled, this feature allows a user to access a link on an allowed web page even if the link goes to a different domain.
  • Page 74 Approved URLs List—Check the box to allow access to all URLs in the Approved URLs Table. Uncheck the box to disable this feature. Users will be allowed to access these web sites even if access would be blocked by other rules such as URL Blocking.
  • Page 75: URL Blocking

    For example, if you choose Web site and enter www.cisco.com, users can always access that specific web site. If you choose URL Keyword and enter cisco, users can always access any web site whose URL includes that word.
  • Page 76: Port Triggering

    (TCP or UDP) and the range of incoming and outgoing ports to open when enabled. • Managing Port Triggering Rules, page 77 • Adding and Editing Port Triggering Rules, page 77
  • Page 77: Managing Port Triggering Rules

    If the outgoing connection uses only one port, then specify the same port number in the Start Port and End Port fields.
  • Page 78: Port Forwarding

    Disabling a port forwarding rule does not delete the configuration. • Source IP—The source IP address for traffic from which traffic is forwarded (Any, Single Address or Address Range).
  • Page 79: Adding Or Editing A Port Forwarding Rule

    Allow by Schedule—Allows the selected type of traffic according to a schedule. Choose the schedule from the drop-down list. To add a new schedule, click the Configure Schedules button. After configuring a schedule, you can use your browser’s Back button to return to this page.
  • Page 80 SMTP (Simple Mail Transfer Protocol); IDENT protocol; SNMP (Simple Network Management Protocol) TCP or UDP; SNMP-TRAPS (TCP or UDP); IMAP (Internet Message Access Protocol) 2 or 3; SQL-NET (Structured Query Language); IPSEC-UDP-ENCAP (UDP Encapsulation of IPsec packets); SSH (secure shell)
  • Page 81 Specify Port and then enter the port number in the Port Number field. STEP 5 Click Save to save your settings, or click Cancel to reload the page with the current settings. Click Back to return to the Firewall > Port Forwarding page.
  • Page 82: DMZ Host

    DMZ Host The Cisco RV220W supports DMZ options. A DMZ is a sub-network that is open to the public but behind the firewall. DMZ allows you to redirect packets going to your WAN port IP address to a particular IP address in your LAN. It is recommended that hosts that must be exposed to the WAN (such as web or email servers) be placed in the DMZ network.
  • Page 83: One-To-One Network Address Translation (NAT)

    IP address. Perform these tasks: • To add a one-to-one NAT rule, click Add. Then enter the settings on the Add/Edit One-to-One NAT Configuration page. See Adding or Editing a One-to-One NAT Rule, page
  • Page 84: Adding Or Editing A One-To-One NAT Rule

    Service—Choose the service for which the rule applies. STEP 2 Click Save to save your settings, or click Cancel to reload the page with the current settings. Click Back to return to the Firewall > Advanced Settings > One-to-One NAT page.
  • Page 85: MAC Address Filtering

    MAC address is not in the list. If the policy is “allow and block the rest,” then host1 is allowed to connect to a website, but host2 is blocked because its URL is not in the list.
  • Page 86: IP/MAC Address Binding

    IP address. If a specified device sends packets using an unexpected IP address, the Cisco RV220W drops the packets. To open this page: In the navigation tree, choose Firewall > Advanced Settings >...
  • Page 87: Custom Services

    To delete a service, check the box and then click Delete. To select all services, check the box in the heading row, and then click Delete. When the confirmation message appears, click OK to continue with the deletion, or otherwise click Cancel.
  • Page 88: Adding Or Editing A Custom Service

    Number field. (For example, if you are using RDP, enter 27 in the protocol number field.) STEP 2 Click Save to save your settings, or click Cancel to reload the page with the current settings. Click Back to return to the Firewall > Advanced Settings > Custom Services page.
  • Page 89: Schedules For Firewall Rules And Port Forwarding Rules

    To delete a schedule, check the box and then click Delete. To select all schedules, check the box in the heading row, and then click Delete. When the confirmation message appears, click OK to continue with the deletion, or otherwise click Cancel.
  • Page 90: Adding Or Editing A Schedule

    Uncheck the box for each day when the schedule is inactive. STEP 2 Click Save to save your settings, or click Cancel to reload the page with the current settings. Click Back to return to the Firewall > Advanced Settings > Schedules page.
  • Page 91: Session Settings

    Use the Firewall > Advanced Settings > Session Settings page to limit the maximum number of unidentified sessions and half-open sessions on the Cisco RV220W. You can also introduce timeouts for TCP and UDP sessions to ensure that Internet traffic is not deviating from expectations in your private network.
  • Page 92: Internet Group Management Protocol (IGMP)

    • After enabling or disabling the proxy, click Save to save your settings or click Cancel to reload the page with the current settings. Other features become available on the page when IGMP Proxy is enabled.
  • Page 93: Adding Or Editing The Allowed Networks

    SIP messages (SIP headers and SDP body) to allow signaling and audio traffic between a client on your private network and a SIP endpoint. To open this page: In the navigation tree, choose Firewall > Advanced Settings > SIP ALG.
  • Page 94: Firewall Configuration Examples

    STEP 1 Check the Enable box to enable SIP ALG support. If disabled, the router will not allow incoming calls to the UAC (User Agent Client) behind the Cisco RV220W. STEP 2 Click Save to save your settings, or click Cancel to reload the page with the current settings.
  • Page 95 LAN IP address: 192.168.1.1; subnet 255.255.255.0 • Web server PC in the DMZ, IP address: 192.168.1.2 • Access to Web server: (simulated) public IP address 10.1.0.52
  • Page 96 Then create the outbound and inbound access rules as shown below. Create an outbound access rule with the following parameters: Connection Type: Outbound; Action: Block by Schedule; Schedule: Weekend; Service: HTTP; Source IP: Address Range
  • Page 97 IP address; Destination IP; Rule Status: Enabled. Create an inbound access rule with the following parameters: Connection Type: Inbound; Action: Block by Schedule; Schedule: Weekend; Service: All Traffic; Source IP; Rule Status: Enabled
  • Page 98: Chapter 5: Cisco ProtectLink Web

    Getting Started with Cisco ProtectLink Web You can purchase, register, and activate the service by using the links on the Cisco ProtectLink Web page. To open this page: In the navigation tree, click Cisco ProtectLink Web.
  • Page 99: Global Settings For Approved URLs And Clients

    Global Settings for Approved URLs and Clients After you activate your service, you can use the Cisco ProtectLink Web > Global Settings page to configure the approved clients and approved URLs that are free from the restrictions that you establish for website access.
  • Page 100: Approved URLs

    To open this page: In the navigation tree, choose Cisco ProtectLink Web > Global Settings > Approved Clients. NOTE This page is available only if you activated your Cisco ProtectLink Web service. See Getting Started with Cisco ProtectLink Web, page In the Approved URLs section, check the Enable box to enable this feature.
  • Page 101: Web Protection

    Use the Cisco ProtectLink Web > Web Protection > Overflow Control page to control how excess URL requests are handled. To open this page: In the navigation tree, choose Cisco ProtectLink Web > Web Protection > Overflow Control. This page is available only if you activated your Cisco ProtectLink Web service. See...
  • Page 102: Web Reputation

    URLs are checked against the set security level and the Trend Micro Web Security database in real-time. Only URLs that meet the criteria are accessible. To open this page: In the navigation tree, choose Cisco ProtectLink Web > Web Protection > Web Reputation.
  • Page 103: Url Filtering

    Web Protection URL Filtering Use the Cisco ProtectLink Web > Web Protection > URL Filtering page to control requests to web sites based on categories and the time of request. To open this page: In the navigation tree, click Cisco ProtectLink Web > Web Protection >...
  • Page 104: Updating The Protectlink License

    Use the Cisco ProtectLink Web > page to view your license information. To open this page: In the navigation tree, click Cisco ProtectLink Web > License > Summary. This page is available only if you activated your Cisco ProtectLink Web service. See...
  • Page 105: Renewal

    Follow the instructions to purchase and register your registration key and to use your activation code to enable ProtectLink services on the Cisco RV220W. To open this page: In the navigation tree, click Cisco ProtectLink Web > License > Renewal.
  • Page 106: Chapter 6: Configuring Virtual Private Networks (Vpns) And Security

    The following sections are covered: • Configuring VPNs, page 107 • Basic VPN Setup, page 109 • Configuring Advanced VPN Parameters, page 111 • SSL VPN Server, page 124 • SSL VPN Tunnel Client Configuration, page 136
  • Page 107: Configuring Vpns

    Remote Access with an IPsec Client (Client-to-Gateway VPN), page 107 • Remote Access with Clientless SSL VPN, page 108 • Remote Access with Cisco QuickVPN, page 109 • Remote access using PPTP, page 109 Site-to-Site Access with Gateway-to-Gateway VPN A gateway-to-gateway VPN connects two or more routers using an IPsec policy to secure traffic between two sites.
  • Page 108 If you configured the VPN policy to authenticate from an external database, configure the connection to the RADIUS server. See Using the Cisco RV220W With a RADIUS Server, page 146. Remote Access with Clientless SSL VPN SSL VPN is a flexible and secure way to extend network resources to virtually any remote user who has access to the Internet and a Web browser.
  • Page 109: Basic Vpn Setup

    1. Add the users on the VPN > IPsec > VPN Users page. Choose QVPN as the user protocol. See Configuring VPN Users, page 122. 2. Instruct users to obtain the free Cisco QuickVPN software from Cisco.com, and install it on their computers. For more information, see Appendix B, “Using Cisco QuickVPN.”...
  • Page 110 STEP 1 Choose the type of peer that the VPN tunnel will connect: • Gateway—Connects the Cisco RV220W to a gateway, such as another Cisco RV220W at another site. • VPN Client—Connects the Cisco RV220W to remote clients. The remote clients must run VPN client software.
  • Page 111: Configuring Advanced Vpn Parameters

    The Advanced VPN Setup page allows you to configure advanced VPN parameters, such as IKE and other VPN policies. These policies control how the Cisco RV220W initiates and receives VPN connections with other endpoints. • Managing IKE and VPN Policies, page 112 •...
  • Page 112: Managing Ike And Vpn Policies

    Add/Edit VPN Policy Configuration page. See Configuring VPN Policies, page 117. • To delete a policy, check the box and then click Delete. To select all policies, check the box in the heading row, and then click Delete. When the...
  • Page 113: Configuring Ike Policies

    Note: If either the Local or Remote identifier type is not an IP address, then negotiation is only possible in Aggressive Mode. If FQDN, User FQDN or DER ASN1 DN is selected, the router disables Main mode and sets the default to Aggressive mode.
  • Page 114 STEP 4 In the IKE SA Parameters section, enter these settings: The Security Association (SA) parameters define the strength and mode for negotiating the SA. • Encryption Algorithm—Choose the algorithm used to negotiate the SA: 3DES, AES-128, AES-192, AES-256
  • Page 115 Detection Period—Enter the interval, in seconds, between consecutive DPD R-U-THERE messages. DPD R-U-THERE messages are sent only when the IPsec traffic is idle. Reconnect after Failure Count—Enter the maximum number of DPD failures allowed before tearing down the connection.
  • Page 116 (CHAP). After completing this procedure, set up the RADIUS server on the Security > RADIUS Server page. See Using the Cisco RV220W With a RADIUS Server, page 146. IPsec Host—The router is authenticated by a remote gateway with a username and password combination.
  • Page 117: Configuring Vpn Policies

    Single—Limits the policy to one host. Enter the IP address of the host that will be part of the VPN in the Start IP Address field. Then enter the IP address in the Start Address field.
  • Page 118 Local Traffic Selector: 192.168.1.0/24 Remote Traffic Selector: 192.168.0.0/16 STEP 3 In the Split DNS section, check the Enable box to allow the Cisco RV220W to find the DNS server of the remote router without going through the ISP (Internet).
  • Page 119 SHA-1—20 characters; SHA2-256—32 characters; SHA2-384—48 characters; SHA2-512—64 characters • Key-Out—Enter the integrity key (for ESP with Integrity-mode) for the outbound policy. The length of the key depends on the algorithm chosen, as shown above.
  • Page 120 Configuring Advanced VPN Parameters, page 111. STEP 6 Click Save to save your settings, or click Cancel to reload the page with the current settings. Click Back to return to the VPN > IPsec > Advanced VPN Setup page.
  • Page 121 Policy Type: Manual Policy Local Gateway: WAN1 Remote Endpoint: 10.0.0.1 Local IP: Subnet 192.168.2.0 255.255.255.0 Remote IP: Subnet 192.168.1.0 255.255.255.0 SPI-Incoming: 0x2222 Encryption Algorithm: DES Key-In: 33334444 Key-Out: 11112222 SPI-Outgoing: 0x1111 Integrity Algorithm: MD5 Key-In: 5566778888776655 Key-Out: 1122334444332211
  • Page 122: Configuring Vpn Users

    Use the VPN > IPsec > VPN Users page to configure PPTP Server settings (if applicable) and to add VPN clients for PPTP, XAUTH, and Cisco QuickVPN. VPN clients must be configured with the same VPN policy parameters used in the VPN tunnel that the client wishes to use: encryption, authentication, lifetime, and PFS key-group.
  • Page 123 Allow User to Change Password—Check the box if you want the user to be able to change the password. Otherwise, uncheck the box. Protocol—Choose the type of user: QuickVPN—The user uses the Cisco QuickVPN client and is authenticated by the VPN server. PPTP—The user is authenticated by a PPTP server.
  • Page 124: Configuring Vpn Passthrough

    VPN passthrough allows VPN traffic that originates from VPN clients to pass through the router. For example, if you are not using a VPN that is configured on the Cisco RV220W, but are using a laptop to access a VPN at another site, configuring VPN passthrough allows that connection.
  • Page 125: Access Options For Ssl Vpn

    LAN with pre-configured access/policy privileges. At this point a virtual network interface is created on the user’s PC and it is assigned an IP address and DNS server address from the Cisco RV220W. To create a VPN tunnel, see Elements of SSL VPN, page 126.
  • Page 126: Elements Of Ssl Vpn

    To access your network via SSL VPN, a user starts a web browser and then enters the URL for an SSL VPN portal. The Cisco RV220W is pre-configured with a portal that you can use for all users. You can modify title, banner heading, banner message, security settings, and access type (VPN tunnel, port forwarding, or both).
  • Page 127: Managing Portal Layouts

    Portal Layout Name—Enter a descriptive name for the portal that is being configured. The name will appear in the URL for the portal. Do not enter spaces or special characters. Only alphanumeric characters, hyphens (‘-’), and underscore (‘_’) characters are allowed for this field.
  • Page 128 Configure your SSL VPN policies on the VPN > SSL VPN Server > SSL VPN Policies page. For more information, see SSL VPN Policies, page 129. • Add your SSL VPN users on the Administration > User Management > Users page. For more information, see Users, page 163.
  • Page 129: Ssl Vpn Policies

    To open this page: In the navigation tree, choose VPN > SSL VPN Server > SSL VPN Policies. The SSL VPN Policies Table displays all existing SSL VPN policies. You can create queries to find particular policies.
  • Page 130: Configuring An Ssl Vpn Policy

    Policy For—Choose the type of policy: Global, Group, or User. • Available Groups—If you choose Group, also choose the group from the list. • Available Users—If you choose User, also choose the user from the list.
  • Page 131 Permission—Choose either Permit or Deny for this policy. STEP 3 Click Save to save your settings, or click Cancel to reload the page with the current settings. Click Back to return to the VPN > SSL VPN Server > SSL VPN Policies page.
  • Page 132: Resources For Ssl Vpn

    Add or select a resource and then click Edit. STEP 1 Enter this information: • Resource Name—Enter a unique name to identify this resource. • Service—Choose one of the supported SSL VPN services to associate with this resource.
  • Page 133: Ssl Vpn Port Forwarding

    In the Configured Host Names for Port Forwarding Table, perform these tasks: • To add an entry, click Add. Then enter the settings on the Port Forwarding Host Configuration page. See Configuring Host Name Resolution for Port Forwarding, page 135.
  • Page 134: Configuring A Tcp Application For Ssl Vpn Port Forwarding

    TCP Application Port Number FTP Data (usually not needed) FTP Control Protocol SMTP (send mail) HTTP (web) POP3 (receive mail) NTP (network time protocol) Citrix 1494 Terminal Services 3389 VNC (virtual network computing) 5900 or 5800
  • Page 135: Configuring Host Name Resolution For Port Forwarding

    TCP application. STEP 2 Click Save to save your settings, or click Cancel to reload the page with the current settings. Click Back to return to the VPN > SSL VPN Server > Port Forwarding page.
  • Page 136: Ssl Vpn Tunnel Client Configuration

    LAN through the VPN tunnel. In addition, a static route on the private LAN’s firewall (typically this Cisco RV220W) is needed to forward private traffic through the VPN Firewall to the remote SSL VPN client.
  • Page 137 STEP 2 Click Save to save your settings, or click Cancel to reload the page with the current settings. If you enabled Split Tunnel Support, you will need to configure SSL VPN Client Routes. See Configured Client Routes for Split Tunnel Mode, page 138.
  • Page 138: Configured Client Routes For Split Tunnel Mode

    To delete a route, check the box and then click Delete. To select all routes, check the box in the heading row, and then click Delete. When the confirmation message appears, click OK to continue with the deletion, or otherwise click Cancel.
  • Page 139: Configuring A Client Route

    Port Forwarding—After the user clicks the link in the navigation pane, the Port Forwarding information window opens. The user can click the Launcher icon to connect to the remote servers. • Change Password—The user can click this link to change his or her password.
  • Page 140 1. The Change Password section is available only for users who belong to the local database. 2. The administrator can enable or disable certain features. 3. The user must ensure that Java, JavaScript, and ActiveX controls are enabled or allowed in the web browser settings.
  • Page 141: Chapter 7: Configuring Security

    RADIUS server support, and 802.1x port-based authentication. • Using SSL Certificates for Authentication, page 141 • Using the Cisco RV220W With a RADIUS Server, page 146 • Configuring 802.1x Port-Based Authentication, page 148 Using SSL Certificates for Authentication Use the Security >...
  • Page 142 To view a certificate request, click View. For more information, see Viewing a Certificate Request, page 145. To delete a certificate request, check the box and then click Delete. To select multiple certificates, check the box in the heading row.
  • Page 143: Importing A Trusted Certificate From A File

    • To export a file that can be downloaded on an endpoint that will connect to the Cisco RV220W as a VPN client, click Export for Client. Importing a Trusted Certificate from a File Follow this procedure to import a Trusted Certificate. These certificates are used to verify the validity of certificates signed by Certificate Authorities.
  • Page 144: Generating A Certificate Request

    Signature Key Length—Enter the signature key length, or the length of the signature (512, 1024, or 2048). • IP Address—(Optional) Enter the IP address of the router. • Domain Name—(Optional) Enter the domain name of the router.
  • Page 145: Viewing A Certificate Request

    STEP 2 Right-click in the highlighted text, and then click Copy on the shortcut menu. STEP 3 Paste the copied text into a text file, and then save the file with a .pem extension. STEP 4 Send the text file to the CA for signing.
  • Page 146: Using The Cisco Rv220W With A Radius Server

    Using the Cisco RV220W With a RADIUS Server You can use a RADIUS server to maintain a database of user accounts for authenticating users. • Managing RADIUS Server Configurations, page 146 •...
  • Page 147: Adding Or Editing A Radius Server Configuration

    Authentication Port—Enter the port number on which the RADIUS server sends traffic. • Secret—Enter the shared key that allows the Cisco RV220W to authenticate with the RADIUS server. This key must match the key configured on the RADIUS server. The single quote, double quote, and space characters are not allowed in this field.
  • Page 148: Configuring 802.1X Port-Based Authentication

    It also prevents access to that port in cases where the authentication fails. It provides an authentication mechanism to devices trying to connect to a LAN. The Cisco RV220W acts as a supplicant in the 802.1x authentication system.
  • Page 149: Chapter 8: Configuring Quality Of Service

    Configuring Quality of Service The RV220W provides configuration for Quality of Service (QoS) features, such as bandwidth profiles, traffic selectors, and traffic meters. It contains the following sections: • WAN QoS Profiles, page 149 • Profile Binding, page 151 •...
  • Page 150 To delete a profile, check the box and then click Delete. To select all profiles, check the box in the heading row. When the confirmation message appears, click OK to continue with the deletion, or otherwise click Cancel.
  • Page 151: Profile Binding

    Configuring a Profile Binding Rule, page 152. • To delete a profile binding rule, check the box, and then click Delete. When the confirmation message appears, click OK to continue with the deletion, or otherwise, click Cancel.
  • Page 152: Configuring A Profile Binding Rule

    Choose the access point from the Available SSIDs list. AP-1 through AP-4 correspond to the first through fourth networks in the Wireless Basic Setting Table on the Wireless > Basic Settings page (default IDs rv220_1 through rv220_4).
  • Page 153: Cos Settings

    STEP 2 In the CoS to Traffic Forwarding Queue Mapping Table, choose a Traffic Forwarding Queue for each CoS Priority. STEP 3 Click Save to save your settings, or click Cancel to reload the page with the current settings. To reload the default settings, click Restore Default.
  • Page 154: Cos To Dscp Remarking

    STEP 2 For each 802.1p Priority, enter a DSCP value. (Valid values are from 0 to 63). STEP 3 Click Save to save your settings, or click Cancel to reload the page with the current settings. To reload the default settings, click Restore Default.
  • Page 155: Chapter 9: Administering Your Cisco Rv220W

    Administering Your Cisco RV220W This chapter describes the administration features of the RV220W, including creating users, configuring network management, diagnostics and logging, date and time, and other settings. It contains the following sections: • Password Rules for Password Complexity, page 156 •...
  • Page 156: Password Rules For Password Complexity

    Password Rules for Password Complexity Use the Administration > Password Rules page to enable the Cisco RV220W to enforce complexity requirements for passwords. To open this page: In the navigation tree, choose Administration > Password Rules.
  • Page 157: Remote Management

    Remote Management The primary means to configure the Cisco RV220W is the Configuration Utility. A computer on the LAN can access the configuration utility by using the Cisco RV220W’s LAN IP address and HTTP. You can enable remote management to allow access from a device on the WAN or Internet, such as your home computer.
  • Page 158: User Management

    • Configuring a Domain, page 159 NOTE You can simplify user, group, and domain creation by creating a CSV file and importing it into the Cisco RV220W. See CSV File Import for User Accounts, page 186.
  • Page 159: Managing Domains

    Domain Name—Enter a unique name to identify this domain. • Authentication Type—You can use the local user database of the RV220W or use another server for authentication. Choose one of the following options, and then complete the required fields, which are indicated by white backgrounds.
  • Page 160 Active Directory LDAP • Select Portal—Choose the portal that users will use to connect. Only users of domains associated with certain portals can use those portals to log in. A default SSLVPN portal is provided. For information about adding portal...
  • Page 161: Groups

    Groups A group is a subset of a domain. (See Domains, page 158.) When you create a domain, a default group is created automatically. You can modify the Idle Timeout setting for the group. You can add more groups to a domain to allow different timeout settings for different users in a domain.
  • Page 162: Configuring A Group

    Configuring a Group Use the Group Name page to enter the settings for a group. To open this page: From the Administration > User Management > Groups page, click Add or select a group and then click Edit.
  • Page 163: Users

    Use the Administration > User Management > Users page to view, add, edit, and delete users. To open this page: In the navigation tree, choose Administration > User Management > Users. CAUTION When first configuring your Cisco RV220W, change the default administrator name and password as soon as possible. Perform these tasks: •...
  • Page 164: Configuring A User

    • To set a user’s login policies based on the user’s IP address, check the box and then click Policies by IP. Then enter the settings on the User Policy By Source IP Address page. See...
  • Page 165: User Log In Policies

    • Enter Your Password (available when editing an existing user)—Enter the existing password. • Password (available when adding a user) or New Password (available when editing an existing user)—Enter the desired password. When you are, a message indicates the relative strength of the password.
  • Page 166: User Log In Policies By Client Browser

    STEP 2 Click Save to save your settings, or click Cancel to reload the page with the current settings. Click Back to return to the Administration > User Management > Users page. User Log in Policies by Client Browser Use the User Policy By Client Browser page to specify the web browsers that a user can use when logging in.
  • Page 167: User Log In Policies By Ip Address

    User Log in Policies by IP Address You can allow or deny access to a user based on his or her IP address. • Managing IP Address Login Policies, page 167 • Configuring an IP Address Login Policy, page 168...
  • Page 168 Configuring an IP Address Login Policy Use the Defined Address Configuration page to enter an address that is subject to a login policy. STEP 1 Enter these settings: • Source Address Type—Choose the type of address.
  • Page 169: Network Management (Snmp)

    Network Management (SNMP) Simple Network Management Protocol (SNMP) lets you monitor and manage your router from an SNMP manager. SNMP provides a remote means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security.
  • Page 170: Configuring The User Security Settings For Snmp

    • To edit an entry, check the box and then click Edit. Then enter the settings on the Add / Edit Trap Configuration page. See Configuring SNMP Traps, page 171. • To delete an entry, check the box and then click Delete. To select all entries, check the box in the heading row, and then click Delete.
  • Page 171: Configuring Snmp Traps

    Configuring SNMP Traps Use the Add / Edit Trap Configuration page to identify SNMP agents to which the router will send trap messages (notifications). To open this page: From the Administration > Network Management > SNMP page, in the Traps Table, click Add or select a trap and then click Edit.
  • Page 172: Wan Traffic Meter

    Cisco RV220W from the Internet. Both Directions—Choose this option to enforce a limit on traffic coming to the Cisco RV220W from the Internet, and traffic going from the Cisco RV220W to the Internet. STEP 2 If you configured a Traffic Limit above, enter the following settings: •...
  • Page 173 • Increased This Month’s Limit By—If the monthly traffic limit has been reached and you need to temporarily increase the limit, check this box. Then type the amount of the increase, in megabytes.
  • Page 174: Diagnostics

    (The effective limit applies if the Monthly Limit was increased by using the Increase This Month’s Limit field.) Diagnostics Cisco provides tools to help you verify network connections and troubleshoot issues. • Network Tools, page 174 •...
  • Page 175 STEP 2 Click Ping. Four ICMP echo requests are sent. The Command Output page displays the results. STEP 3 Click Back to return to the Administration > Diagnostics > Network Tools page. To trace the route to an IP address or domain: Use the traceroute tool to learn about all of the routers between this router and another device.
  • Page 176: Capture Packets

    STEP 3 Click Download to save a copy of the packet capture. STEP 4 Capture packets for another interface, or close the pop-up window. Logging You can configure the Cisco RV220W to log events and send notifications when specified events occur. • Logging Policies, page 176 •...
  • Page 177: Managing Logging Policies

    • Configuring a Logging Policy, page 177 Managing Logging Policies Use the Administration > Logging > Logging Policies page to view, add, edit, and delete logging policies. A default policy is provided and is enabled for IPsec VPN logs.
  • Page 178: Firewall Logs

    Emergency—Messages about events, such as an imminent system crash, that make the system unusable. Typically this type of message is broadcast to all users. Alert—Messages about conditions, such as a corrupted system database, that require immediate corrective action.
  • Page 179 STEP 1 For each log type, check the box to enable logging of the specified packet type. Uncheck the box to disable logging of the specified packet type. See the descriptions of the log types and packet types below.
  • Page 180: Remote Logging Configuration

    If you are using the same email address or Syslog server to receive logs for multiple devices, this prefix helps you to identify the source of the message. STEP 2 To enable the Cisco RV220W to send emails through your email service, enter the SMTP settings in the E-Mail Logs Settings section.
  • Page 181 Time—If you chose Daily or Weekly, enter the time of day when the logs will be sent. STEP 4 If you want to enable the Cisco RV220W to send logs to a Syslog server, enter the settings for up to eight syslog servers in the Syslog Server section. The log content is determined by the specified logging policy.
  • Page 182: Discovery Settings

    NOTE Utility works through a simple toolbar in your web browser. This utility discovers Cisco devices in the network and displays basic information, such as serial numbers and IP addresses, to aid in the configuration and deployment. For more information and to download the utility, please visit www.cisco.com/go/findit.
  • Page 183: Upnp Discovery

    UPnP on each VLAN. UPnP is enabled by default on the default VLAN ID 1. When this feature is enabled, the Cisco RV220W advertises itself to plug-and-play devices on VLAN 1, and these devices can join the network and connect to the Cisco RV220W.
  • Page 184: Time Settings

    Time Settings Use the Administration > Time Settings page to configure the date and time settings for your Cisco RV220W. After choosing your time zone and Daylight Savings Time settings, if applicable, you can enter the time manually or specify a Network Time Protocol (NTP) server to provide the time settings for your network.
  • Page 185: Backing Up Or Restoring A Configuration

    STEP 2 If you chose to use an NTP server, enter these settings in the NTP Server Configuration section: • NTP Server Settings—Choose one of these options: Default NTP Server—Choose this option to use a server from a pre-configured list of NTP servers for general use.
  • Page 186: Csv File Import For User Accounts

    Mirror to Startup or Copy Startup to Mirror. CSV File Import for User Accounts You can simplify user, group, and domain creation by creating a CSV file and importing it into the Cisco RV220W. • Creating a CSV File •...
  • Page 187 "<AuthenticationRadiusSecret>", "<NTDomainWorkGroup>", "<LDAPBaseDN>", "<ActiveDirectoryDomain>" Possible Values: • SSLVPNDomain Code - 5 • Domain Name - String • PortalLayoutName - String • AutheticationType - String • AuthenticationServer - IP Address •...
  • Page 188 IPSECUSER Code: 1 • Username - String • Password - String • UserType - boolean (0 - Standard Ipsec / 1 - Cisco Quick VPN) • AllowChangePassword - boolean "<SSLVPNUSER Code>", "<UserName>", "<FirstName>", "<LastName>", "<GroupName>", "<UserType>", "<UserTimeOut>", "<DenyLogin>", "<DenyLoginFromWan>", "<LoginFromIP>", "<LoginFromBrowser>", "<Password>"...
  • Page 189: Importing A Csv File

    On your computer, locate and select the .csv file. STEP 2 Click Import. Firmware Upgrade Cisco may provide firmware upgrades for the Cisco RV220W. After downloading a firmware file to your computer, use the Administration > Firmware Upgrade page to select the file and install it.
  • Page 190: Rebooting The Cisco Rv220W

    The Current Firmware Version appears at the top of the page. STEP 1 Click Browse to locate and select the firmware that you downloaded from Cisco.com. If you want to abandon your current configuration settings and restore the default...
  • Page 191 CAUTION During a restore operation, do not try to go online, turn off the router, shut down the PC, or do anything else to the router until the operation is complete. This should take about a minute.
  • Page 192: Chapter 10: Viewing The Rv220W Status

    Viewing the RV220W Status This chapter describes how to view real-time statistics for the RV220W and contains the following sections: • Viewing the Dashboard, page 193 • Viewing the System Summary, page 196 • Viewing the Wireless Statistics, page 199 •...
  • Page 193: Viewing The Dashboard

    Viewing the Dashboard The Dashboard page provides you with a view of important router information. To open this page: In the navigation tree, choose Status > Dashboard. The Dashboard page displays this information: Panel View An image of the back panel shows you which ports are in use (colored in green).
  • Page 194 Syslog Summary This summary lists the events that have been logged. Links provide quick access to the View Logs page. Click the details link to view the logs. For more information, see Viewing Logs, page 202.
  • Page 195 WAN (Internet) Information To view the WAN settings, click details. For more information see Viewing Port Statistics, page 204. IP Address The IP address of the router’s WAN port. To change the IP address, see...
  • Page 196: Viewing The System Summary

    • PID VID—Product ID and vendor ID of the device. • Serial Number—RV220W serial number. ProtectLink License Info Contains licensing information for Cisco ProtectLink Web. LAN Information • MAC Address—Hardware address. • IPv4 Address—Address and subnet mask of the device.
  • Page 197 WAN Information (IPv4) The WAN Information provides the current status of the WAN interfaces. It provides details about WAN interface and also provides actions that can be taken on that particular WAN interface. The actions that can be taken differ with the connection type.
  • Page 198 Click Renew to release the current IP address and obtain a new one, or Release to release the current IP address only. WAN Information (IPv6) Provides IPv6 WAN information. • Connection Time—Displays the time duration for which the connection is •...
  • Page 199: Viewing The Wireless Statistics

    • Profile Name—This is the unique (alphanumeric) identifier of the wireless profile attached to the Access Point. • Security—This field displays the type of wireless security (if any) assigned to this profile.
  • Page 200: Viewing The Ipsec Connection Status

    AP Statistics This table displays transmit/receive data for a given access point (AP). • AP Name—The name of the AP. • Packets—The number of Tx/Rx wireless packets on the AP. •...
  • Page 201: Viewing The Vpn Client Connection Status

    Viewing the RV220W Status Viewing the VPN Client Connection Status • State—The current status of the SA for IKE policies. Click Connect to establish an inactive SA (connection) or Drop to terminate an active SA (connection). The page refreshes automatically to display the most current status. To change the refresh settings, in the Poll Interval field, enter a value in seconds for the poll interval.
  • Page 202: Viewing Logs

    Viewing the RV220W Status Viewing Logs The page refreshes automatically to display the most current status. To change the refresh settings, in the Poll Interval field, enter a value in seconds for the poll interval. This causes the page to re-read the statistics from the router and refresh the page automatically.
  • Page 203: Viewing The Port Triggering Status

    Viewing the RV220W Status Viewing the Port Triggering Status Click Refresh to obtain the latest information. When you click Refresh, it can take up to 1 minute to obtain the latest information. NOTE This page lists all available LAN hosts in the LAN Hosts Table. For every host, the table lists the name, IP address, and MAC address.
  • Page 204: Viewing Port Statistics

    • Uptime—The duration for which the interface has been active. The uptime will be reset to zero when the RV220W or the interface is restarted. Poll Interval—Enter a value in seconds for the poll interval. This causes the page to re-read the statistics from the RV220W and refresh the page automatically. To modify the poll interval, click the Stop button and then Start to restart automatic refresh.
  • Page 205 Viewing the RV220W Status Viewing Port Statistics The Port Statistics page displays this information: Port The name of the port. Status The status of the port (enabled or disabled). Operational Mode The bandwidth the port is operating at. Packets The number of received/sent packets per second.
  • Page 206: Viewing Open Ports

    Viewing the RV220W Status Viewing Open Ports Viewing Open Ports The View Open Ports page displays a listing of all open ports. To view open ports, choose Status > View Open Ports. This page displays this information about open ports: Proto The protocol (TCP, UDP, and raw) used by the port.
  • Page 207: Viewing The Ssl Vpn Connection Information Status

    The following are the tunnel-specific fields: • Local PPP Interface—The name of the PPP interface on the RV220W associated with the SSL VPN tunnel. This information may be useful if telnet/console access is available to the user for cross-verification.
  • Page 208 Poll Interval field, enter a value in seconds for the poll interval. This causes the page to re-read the statistics from the RV220W and refresh the page automatically. To modify the poll interval, click the Stop button and then click Start to restart automatic refresh.
  • Page 209: Appendix A: Installing The Cisco Rv220W

    POWER—The Power light is green to indicate the unit is powered on. The light flashes green when the RV220W starts up. DIAG—If the DIAG light is off, the RV220W is ready. The light blinks red during firmware upgrades. DMZ—When the DMZ light is green, DMZ is enabled. When the light is off, DMZ is disabled.
  • Page 210: Back Panel

    Ethernet interface that is active on the RV220W. For example, if the light appears next to 100 in the LAN1 column, the RV220W’s LAN1 port is using a 100BASE-T connection. If the light appears next to 1000 in the LAN1 column, the RV220W’s LAN1 port is using a 1000BASE-T (Gigabit Ethernet) connection.
  • Page 211: Mounting The Cisco Rv220W

    Power Switch—Press this button up (toward the line) to turn the device on. Press this button down (toward the circle) to turn the device off. Mounting the Cisco RV220W You can place your Cisco RV220W on a desktop or mount it on a wall. Placement Tips •...
  • Page 212 STEP 1 Determine where you want to mount the RV220W. Verify that the surface is smooth, flat, dry, and sturdy. Take into account the dimensions of the RV220W and allow for 3 inches (76.2 mm) of clearance around it. STEP 2 For horizontal mounting, drill two pilot holes into the surface 5-7/8 inches (150 mm) apart.
  • Page 213 Installing the Cisco RV220W Mounting the Cisco RV220W STEP 4 Insert a screw into each hole in the surface, leaving a gap between the surface and the base of the screw head of at least 0.1 inches (3 mm). Do not mount the screw heads flush with the surface;...
  • Page 214: Attaching The Antennas

    To attach an external antenna: STEP 1 Hold the antenna perpendicular to the round screw hole on the back of the unit. STEP 2 Screw the antenna clockwise until it is firmly secured to the RV220W. Repeat these steps to secure the second antenna.
  • Page 215 Installing the Cisco RV220W Connecting the Equipment STEP 1 Connect one end of an Ethernet cable to the WAN port of the RV220W and the other end to the Ethernet port of your cable or DSL modem. STEP 2 Connect one end of a different Ethernet cable to one of the LAN (Ethernet) ports on the back of the unit.
  • Page 216: Verifying The Hardware Installation

    STEP 5 specific plug (supplied) for your country. STEP 6 On the RV220W, push the power button to the on position to turn on the RV220W. The POWER light on the front panel is green when the power adapter is connected properly and the unit is turned on.
  • Page 217: Connecting To Your Wireless Network

    STEP 3 Choose the type of encryption and enter the security key that you chose when setting up the RV220W. If you did not enable security (not recommended), leave these fields blank. Verify your wireless connection and save your settings.
  • Page 218: Appendix B: Using Cisco Quickvpn

    Using Cisco QuickVPN Overview This appendix explains how to install and use the Cisco QuickVPN software that can be downloaded from Cisco.com. QuickVPN works with computers running Windows 7, Windows XP, Windows Vista, or Windows 2000. (Computers using other operating systems will have to use third-party VPN software.) This appendix includes the following sections: •...
  • Page 219: Installing The Cisco Quickvpn Software

    Installing the Cisco QuickVPN Software NOTE Share the following notes with users: • If Cisco QuickVPN is installed on a computer running Windows 7 or Vista, the Windows Firewall must be enabled. • Cisco QuickVPN uses several .exe programs in the QVPN installation directory.
  • Page 220 Using Cisco QuickVPN Installing the Cisco QuickVPN Software STEP 3 Choose the destination to which you want to copy the files (for example, C:\Cisco Small Business\QuickVPN Client). Click Browse and choose a new location if you don’t want to use the default location. Click Next.
  • Page 221: Downloading And Installing From The Internet

    Configuring VPN Users, page 122. In the Server Address field, enter the IP address or domain name of the RV220W. In the Port For QuickVPN field, enter the port number that the QuickVPN client will use to communicate with the remote VPN router, or keep the default setting, Auto.
  • Page 222 Using Cisco QuickVPN Using the Cisco QuickVPN Software QuickVPN Login NOTE If you check the Use Remote DNS Server box, Cisco QuickVPN Client will copy the DNS Server IP address provided by the QuickVPN Server into the TCP/IP property of the computer.
  • Page 223 Using Cisco QuickVPN Using the Cisco QuickVPN Software QuickVPN Status To terminate the VPN tunnel, click Disconnect. To change your password, click Change Password. For information, click Help. STEP 5 If you clicked Change Password and have permission to change your own password, you will see the Connect Virtual Private Connection window.
  • Page 224: Appendix C: Glossary

    Indication Message) clients of the next window for listening to broadcast and multicast messages. When the Cisco RV220W has buffered broadcast or multicast messages for associated clients, it sends the next DTIM with a DTIM Interval value. Its clients hear the beacons and awaken to receive the broadcast and multicast messages.
  • Page 225 The traditional long preamble requires 192 μs for transmission. A short preamble requires only 96 μs. A long preamble is needed for compatibility with the legacy 802.11 systems operating at 1 and 2 Mbps...
  • Page 226 RIPv2 supports subnet masks, allows more information to be included in RIP packets, and provides a simple authentication mechanism that is not supported by RIP...
  • Page 227 A VLAN is a group of endpoints in a network that are associated by function or other shared characteristics. Unlike LANs, which are usually geographically based, VLANs can group endpoints without regard to the physical location of the equipment or users...
  • Page 228: Appendix D: Where To Go From Here

    Where to Go From Here Cisco provides a wide range of resources to help you obtain the full benefits of the Cisco Small Business RV220W Wireless-N Network Security Firewall. Support Cisco Small Business www.cisco.com/go/smallbizsupport Support Community Online Technical Support and www.cisco.com/support...
