Cisco Small Business Pro SA 520W Administration Manual


ADMINISTRATION GUIDE
Cisco Small Business Pro SA 500 Series Security Appliances


Summary of Contents for Cisco Small Business Pro SA 520W

  • Page 1 ADMINISTRATION GUIDE Cisco Small Business Pro SA 500 Series Security Appliances...
  • Page 2 Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks;...
  • Page 3: Table Of Contents

    DMZ for Public Web Sites and Services; Configuring ProtectLink Web & Email Security; Site-to-Site Networking and Remote Access; Wireless Networking; Chapter 2: Status; Device Status; Port Statistics; Wireless Statistics for the SA 520W. Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 4 Configuring Auto-Rollover, Load Balancing, and Failure Detection; Configuring the Protocol Bindings for Load Balancing; Configuring a DMZ; Configuring the DMZ Settings; DMZ Reserved IPs; DMZ DHCP Leased Clients; VLAN Configuration; Default VLAN Settings; Enabling or Disabling VLAN Support
  • Page 5 IPv6 Multi LAN; IPv6 Static Routing; Routing (RIPng); 6to4 Tunneling; IPv6 Tunnels Status; ISATAP Tunnels; MLD Tunnels; Router Advertisement Daemon (RADVD); Configuring Router Advertisement; Adding RADVD Prefixes; 802.1p; Enabling 802.1p; 802.1p Mapping
  • Page 6 Using Other Tools to Control Access to the Internet; Configuring Content Filtering to Allow or Block Web Components; Configuring Approved URLs to Allow Access to Websites; Configuring Blocked URLs to Prevent Access to Websites
  • Page 7 Creating the SSL VPN Policies; Specifying the Network Resources for SSL VPN; Configuring SSL VPN Port Forwarding; SSL VPN Tunnel Client Configuration; Viewing the SSL VPN Client Portal; VeriSign Identity Protection Configuration; Configuring VeriSign Identity Protection
  • Page 8 Local Logging Config; IPv6 Logging; Remote Logging; Logs Facility; Managing Certificates for Authentication; Configuring RADIUS Server Records; Chapter 10: Network Management; RMON (Remote Management); SNMP; Configuring SNMP; Configuring SNMP System Info; UPnP; Bonjour
  • Page 9 Appendix B: Standard Services; Appendix C: Technical Specifications and Environmental Requirements; Appendix D: Factory Default Settings; General Settings; Router Settings; Wireless Settings; Storage Security Settings; Appendix E: Where to Go From Here
  • Page 10: Chapter 1: Getting Started

    Feature                                          SA 520     SA 520W    SA 540
    Firewall Performance                             200 Mbps   200 Mbps   300 Mbps
    ... Performance (row label truncated in source)  65 Mbps    65 Mbps    85 Mbps
    Connections                                      15,000     15,000     40,000
  • Page 11: Device Overview

    LAN. • SPEED LED—(Green or Orange) Indicates the traffic rate for the associated port. Off = 10 Mbps, Green = 100 Mbps, Orange = 1000 Mbps.
  • Page 12: Rear Panel

    USB Port—Connects the security appliance to a USB device. You can use a USB device to store configuration files for backup and restore operations. NOTE The back panel of the SA 520W includes three threaded connectors for the antennas.
  • Page 13: Installation

    To place the security appliance on a desktop, install the four rubber feet (included) on the bottom of the security appliance. Place the device on a flat surface.
  • Page 14 Wall Mounting. STEP 1 Insert two 17 mm screws, with anchors, into the wall 15 cm (about 5.9 inches) apart. Leave 3-4 mm (about 1/8 inch) of the head exposed.
  • Page 15 Each security appliance requires 1 rack unit (RU) of space, which is 1.75 inches (44.45 mm) high. CAUTION Do not overload the power outlet or circuit when installing multiple devices in a rack.
  • Page 16: Hardware Installation

    STEP 3 For DSL, a cable modem, or other WAN connectivity devices, connect an Ethernet network cable from the device to the WAN port on the back panel. Cisco strongly recommends using Cat5E or better cable. STEP 4 For network devices, connect an Ethernet network cable from the network device to one of the dedicated LAN ports on the back panel.
  • Page 17: Getting Started With The Configuration Utility

    PC or laptop. You can access the router by using any web browser (such as Microsoft Internet Explorer or Mozilla Firefox). Connecting to the Configuration Utility: STEP 1 Connect your computer to an available LAN port on the back panel of the security appliance.
  • Page 18 Safari: Click Continue to proceed, or click Show Certificate. On the Certificate page, click Install the Certificate. Follow the instructions in the Wizard to complete the installation. STEP 4 Enter the default user name and password: • Username: cisco • Password: cisco
  • Page 19 STEP 5 Using the Getting Started Pages, page You can use the Cisco Configuration Assistant to launch the Configuration Utility if you are using the security appliance with a CCA-supported device, such as the UC 500. For more information about CCA, see: www.cisco.com/go/configassist.
  • Page 20: Using The Getting Started Pages

    Started button in the menu bar. • To prevent the Getting Started (Basic) page from appearing automatically after you log in, check the Don’t show this on start-up box. Figure 1 Getting Started (Basic) Page.
  • Page 21 Figure 2 Getting Started (Advanced) Page.
  • Page 22: Navigating Through The Configuration Utility

    2. Navigation Tree: Top-level links are indicated by arrows. Click a top-level link to open a list of options. Then click a link in the list to open a page where you can review or modify the configuration.
  • Page 23: Using The Help System

    Help page, click the Help link in the top right corner of the screen. A new window appears with information about the page that you are currently viewing. Figure 4 Help Link. Figure 5 Sample Help Screen.
  • Page 24: About The Default Settings

    The access point is enabled by default. The security profile has Open security and identifies itself to all wireless devices that are in range. These settings make it easy for you to begin using your wireless network.
  • Page 25: Basic Tasks

    IP address of 192.168.75.1. You can log on by entering cisco for the username and cisco for the password. You are strongly encouraged to change the default username and password.
  • Page 26: Backing Up Your Configuration

    STEP 3 In the Upgrade Firmware section of the Getting Started (Basic) page, click the Install the updated firmware link. The Firmware & Configuration (Network) page appears. STEP 4 In the Firmware Upgrade area, click Browse. Find the file that you downloaded.
  • Page 27: Common Configuration Scenarios

    Scenario 6: Firewall for Controlling Inbound and Outbound Traffic, page 31 • Scenario 7: DMZ for Public Web Sites and Services, page 32 • Scenario 9: Site-to-Site Networking and Remote Access, page 33 • Scenario 10: Wireless Networking, page 37
  • Page 28: Basic Network Configuration With Internet Access

    1. Review the WAN configuration and make any changes that are needed to set up your Internet connection. In the WAN & LAN Connectivity section of the Getting Started (Basic) page, click the WAN settings link. For more information, see Configuring the WAN Connection, page
  • Page 29 LAN Settings link. For more information, see Configuring the LAN. 3. If you are going to use your security appliance with your Cisco Smart Business Communications System (SBCS), install and configure your UC 500. See Scenario 8: Cisco Smart Business Communications System Configuration. 4.
  • Page 30: Cisco Smart Business Communications System Configuration

    Scenario 8: Cisco Smart Business Communications System Configuration. You can use the security appliance to protect your Cisco Smart Business Communications System network. (Figure labels: Laptop computer; Printer; Access Device; SA 500; Private Network; Outside Network; Internet.)
  • Page 31: Firewall For Controlling Inbound And Outbound Traffic

    Translation (NAT), and SIP Application Layer Gateway (SIP-ALG) for your network, disable those functions on the UC 500. For instructions, refer to the documentation or online Help for the Cisco Configuration Assistant (CCA). Scenario 6: Firewall for Controlling Inbound and Outbound Traffic. By default, all outbound traffic is allowed and all inbound traffic is denied.
  • Page 32: DMZ For Public Web Sites And Services

    Configuration tasks for this scenario: To start configuring a DMZ, use the links in the DMZ Port section of the Getting Started (Advanced) page. For more information, see Configuring a DMZ, page
  • Page 33: Configuring ProtectLink Web & Email Security

    Cisco ProtectLink Security services. By using these services, your network is protected from email threats in the Internet “cloud” and web threats in the Cisco security appliance, providing access only to email and websites that are appropriate for your business.
  • Page 34 Started (Advanced) page to review and modify the policies that were created by the Wizard. For more information, see Configuring an IPSec VPN Tunnel for Remote Access with a VPN Client, page 153.
  • Page 36 VPN users. Optionally, you can use other links to configure the policies, client settings, routes, and resources for your SSL VPN. For more information, see Configuring SSL VPN for Browser-Based Remote Access, page 167.
  • Page 37: Wireless Networking

    2. Although you can begin using your wireless network right away, you should configure the security settings to protect your network and the data that you transmit. To configure your wireless network, see Chapter 4, “Wireless Configuration for the SA 520W.”
  • Page 38: Chapter 2: Status

    • System Name: The name of the device. • Primary Firmware Version: The version of the firmware that the router is currently using. By default, the router will boot from this version.
  • Page 39 NAT: The status of NAT mode for the current operation: enabled or disabled. If NAT is disabled, then the security appliance is in routing mode. • WAN State: The status of the WAN connection: UP or DOWN.
  • Page 40 Connection State: Indicates if the optional port is connected or not. • WAN Mode: Indicates whether the WAN mode is set to single port, load balancing or auto rollover mode. • Gateway: The Gateway IP address of the Optional port.
  • Page 41: Port Statistics

    This table indicates cumulative statistics for the radio. • Radio: This is a numerical identification of the radio. • Packets: The number of transmitted/received (tx/rx) wireless packets reported to the radio, over all configured access points.
  • Page 42 Poll Interval: Enter a value in seconds for the poll interval. To modify the poll interval, click the Stop button and then click Start to restart the automatic refresh using the specified poll interval.
  • Page 43: VPN Status

    Stop button and then click Start to restart the automatic refresh using the specified poll interval. • Start: Click to enable the automatic page refresh feature. • Stop: Click to disable the automatic page refresh feature.
  • Page 44: SSL VPN Status

    Poll Interval: Enter a value in seconds for the poll interval. To modify the poll interval, click the Stop button and then click Start to restart the automatic refresh using the specified poll interval. • Start: Click to enable the automatic page refresh feature.
  • Page 45 Stop button and use Start to restart automatic refresh. • Start: Click to enable the automatic page refresh feature. • Stop: Click to disable the automatic page refresh feature.
  • Page 46: View Logs Status

    ProtectLink: Displays logs for ProtectLink Gateway and Endpoint services. VPN: Displays IKE and SSL VPN related logs. Firewall: Displays logs related to firewall rules, attacks, and content filtering. Network: Displays routing, DHCP, WAN, LAN and QoS logs.
  • Page 47: IPSec VPN Logs

    This shows the status of the recent IPSec VPN activity. • Click Refresh Logs to see the entries added after the page was opened. • Click Clear Logs to delete all entries in the log window.
  • Page 48: Policy Enforcement Logs

    IP address: The IP address of the host from which the user accessed the router. • Login Time: The timestamp of when the user first logged into the router. • Disconnect: Terminate an active user's session and hence the associated SSL VPN tunnel (if any).
  • Page 49: CDP Neighbor

    The Cisco Discovery Protocol (CDP) provides information about other devices that are connected to this device and that support the CDP protocol. The page displays information specific to the device and identifies the network interface of this device on which the neighbor was discovered.
  • Page 50: Chapter 3: Networking

    Configuring the LAN • Configuring the Optional WAN • Configuring a DMZ • VLAN Configuration • Routing • Port Management • Bandwidth Profiles • Dynamic DNS • Configuring IPv6 Addressing • 802.1p
  • Page 51: Configuring The WAN Connection

    User Name: The user name that is required to log in • Password: The password that is required to log in • Secret: Enter the secret phrase to log into the server (if applicable).
  • Page 52 • DNS Server Source: DNS servers map Internet domain names (example: www.cisco.com) to IP addresses. You can get DNS server addresses automatically from your ISP or use ISP-specified addresses. Get Dynamically from ISP: Choose this option if you have not been assigned a static DNS IP address.
  • Page 53 Port Mode and choose WAN for the port mode. After saving your settings on that page, click Optional Port > WAN to configure the WAN connection. For more information, see Configuring the Optional WAN, page
  • Page 54: Viewing The WAN Status

    Click Renew to renew the connection. • Click Release to release the connection. NOTE If you are having problems with your WAN connection, see Internet Connection, page 217, in Appendix A, “Troubleshooting.”
  • Page 55: Creating PPPoE Profiles

    Idle Time in minutes. This choice is recommended if your ISP fees are based on the time that you spend online. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 56: Configuring The LAN

    DHCP request from a DHCP client. • By default, your LAN is configured for IPv4 addressing. If you need to enable IPv6 addressing, see Configuring IPv6 Addressing, page 90, and Configuring the IPv6 LAN, page
  • Page 57: Configuring The LAN

    DHCP Relay: Choose this option to allow the security appliance to use a DHCP Relay. If you choose this mode, also enter the IP address of the Relay Gateway. • Domain Name (optional): Enter a name for the domain.
  • Page 58 STEP 5 Click Apply to save your settings, or click Reset to revert to the saved settings. NOTE Next steps: • If you are using the Getting Started (Basic) page, click Getting Started in the menu bar, and then continue with the list of configuration tasks.
  • Page 59: Viewing The LAN Status

    MAC address of the LAN interface • IP address and subnet mask of the interface • DHCP server mode. STEP 2 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 60: DHCP Reserved IPs

    STEP 3 Enter the IP address and the MAC address of the device that you want to add. Each reserved IP address should be outside the configured DHCP pool addresses. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 61: DHCP Leased Clients

    Port, click Set Optional Port to WAN. The Optional Port Mode page appears. b. Choose WAN. c. Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 62 • My IP Address: Enter the IP address assigned to you by the ISP. • Server IP Address: Enter the IP address of the PPTP, PPPoE, or other server.
  • Page 64 ISP links, click Optional Port > WAN Mode. For more information, see Configuring Auto-Rollover, Load Balancing, and Failure Detection, page • If you are having problems with your WAN connection, see Internet Connection, page 217, in Appendix A, “Troubleshooting.”
  • Page 65: Configuring Auto-Rollover, Load Balancing, And Failure Detection

    To maintain better control of WAN port traffic, consider making the WAN port Internet addresses public and keeping the other one private. Figure 7 shows an example of Dual WAN Ports configured with Load Balancing.
  • Page 66 Load Balancing: Choose this option if you have two ISP links that you want to use simultaneously. After you complete this procedure by clicking the Apply button, you need to configure the protocol bindings. See Configuring the Protocol Bindings for Load Balancing, page
  • Page 67 • Failover after: Specify the number of retries after which failover is initiated. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 68: Configuring The Protocol Bindings For Load Balancing

    Configure Protocol Bindings (Optional - if WAN Mode set to Load Balancing). The Protocol Bindings page appears. Any existing protocol bindings appear in the List of Available Protocol Bindings table. STEP 2 Click Add.
  • Page 69: Configuring A DMZ

    DMZ but cannot penetrate the LAN. You should configure your DMZ to include any hosts that must be exposed to the WAN (such as web or email servers).
  • Page 70 (Figure labels: Internet; Source Address Translation; Public IP Address 209.165.200.225; 172.16.2.30; DMZ Interface 172.16.2.1; SA 500; LAN Interface 192.168.75.1; Web Server, Private IP Address 172.16.2.30, Public IP Address 209.165.200.225; Users 192.168.75.10 and 192.168.75.11.)
  • Page 71 172.16.2.30. The firewall rule specifies an external IP address of 209.165.200.226. Internet users can enter the domain name that is associated with the IP address 209.165.200.226, and they are connected to the web server.
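The DMZ scenario above combines three rules that are easy to get wrong by hand: outbound traffic is allowed and inbound traffic is denied by default, one inbound firewall rule publishes the web server on an external address (209.165.200.226, forwarded to 172.16.2.30), and a DMZ host must not be able to reach the LAN. The following Python is an added example, not code from the Cisco guide or firmware from the appliance: it models the guide's zones and that one rule as a small policy evaluator you can run against sample packets, plus a lint pass for the mistake the guide warns against (publishing a host that sits on the LAN instead of the DMZ). The /24 masks, the LAN-to-DMZ default, the Rule fields and the function names are assumptions for illustration; the appliance's real rule tables are richer.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Internal zones, using the addresses from the guide's DMZ figure (assumption: /24 masks).
# Anything outside these subnets is treated as the WAN side.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.75.0/24"),
    "DMZ": ipaddress.ip_network("172.16.2.0/24"),
}

# Default policy per (source zone, destination zone), as the guide describes:
# outbound allowed, inbound denied, DMZ cannot penetrate the LAN.
# LAN -> DMZ allow is an assumption; WAN -> WAN covers a public address with no publishing rule.
DEFAULT_POLICY = {
    ("LAN", "WAN"): "allow", ("DMZ", "WAN"): "allow", ("LAN", "DMZ"): "allow",
    ("WAN", "LAN"): "deny", ("WAN", "DMZ"): "deny", ("DMZ", "LAN"): "deny",
    ("WAN", "WAN"): "deny",
}


@dataclass(frozen=True)
class Rule:
    from_zone: str               # zone the packet arrives from
    protocol: str                # "tcp", "udp" or "any"
    external_ip: str             # address the packet was sent to (the public IP for inbound rules)
    port: Optional[int]          # destination port, None = any port
    action: str                  # "allow" or "deny"
    translate_to: Optional[str]  # private address the packet is forwarded to, if any


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


def evaluate(rules, src_ip: str, dst_ip: str, protocol: str, dst_port: int):
    """Return (action, effective destination). First matching rule wins, else the default policy."""
    src_zone = zone_of(src_ip)
    for r in rules:
        if (r.from_zone == src_zone and r.external_ip == dst_ip
                and r.protocol in ("any", protocol)
                and (r.port is None or r.port == dst_port)):
            return r.action, (r.translate_to or dst_ip)
    dst_zone = zone_of(dst_ip)
    if src_zone == dst_zone and src_zone != "WAN":
        return "allow", dst_ip   # same internal zone is not firewalled
    return DEFAULT_POLICY[(src_zone, dst_zone)], dst_ip


def lint_rules(rules) -> list:
    """Flag inbound rules that expose more than the guide's scenario intends."""
    findings = []
    for r in rules:
        if r.from_zone != "WAN" or r.action != "allow":
            continue
        if r.translate_to and zone_of(r.translate_to) == "LAN":
            findings.append(f"{r.external_ip} forwards into the LAN ({r.translate_to}); exposed hosts belong in the DMZ")
        if r.port is None:
            findings.append(f"{r.external_ip} is published on every port; restrict the rule to the service port")
    return findings


# The guide's page-71 rule: external 209.165.200.226, TCP/80, forwarded to the DMZ web server.
RULES = [Rule("WAN", "tcp", "209.165.200.226", 80, "allow", "172.16.2.30")]

if __name__ == "__main__":
    # 198.51.100.7 is a constructed Internet client address (RFC 5737 documentation range)
    print(evaluate(RULES, "198.51.100.7", "209.165.200.226", "tcp", 80))   # ('allow', '172.16.2.30')
    print(evaluate(RULES, "198.51.100.7", "192.168.75.10", "tcp", 445))    # ('deny', '192.168.75.10')
    print(evaluate(RULES, "172.16.2.30", "192.168.75.10", "tcp", 445))     # ('deny', '192.168.75.10')
    print(lint_rules(RULES))                                                # []
```

The evaluator matches a published address by rule before it classifies the destination by subnet, because a public IP such as 209.165.200.226 belongs to no internal zone; a packet for that address on a port with no rule therefore falls through to the WAN-to-WAN deny rather than being treated as same-zone traffic.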
  • Page 72: Configuring The Dmz Settings

    DHCP Server: Choose this option to allow the security appliance to act as a DHCP server and to assign IP addresses to all devices that are connected to the DMZ network. Also complete the fields that are highlighted with white backgrounds.
  • Page 73 DMZ. Also use the firewall rule to specify a public IP address for a server on your DMZ, if applicable. To get started, click Firewall on the menu bar. For more information, see Configuring a Firewall Rule for Inbound Traffic, page 125.
  • Page 74: DMZ Reserved IPs

    Other options: Click Edit to edit an entry. To delete an entry, check the box, and then click Delete. To select all entries in the table, check the box at the left side of the heading row.
  • Page 75: DMZ DHCP Leased Clients

    LAN port is on a separate VLAN and cannot access other VLANs, unless you enable inter-VLAN routing. Refer to the following topics: • Default VLAN Settings • Enabling or Disabling VLAN Support • Creating VLAN IDs • Assigning VLANs to LAN Ports
  • Page 76: Default VLAN Settings

    IP Address: 10.1.1.1 • IP Address Distribution: DHCP Server • Start IP Address: 10.1.1.50 • End IP Address: 10.1.1.254 • Subnet Mask: 255.255.255.0
  • Page 77: Enabling Or Disabling VLAN Support

    After you click Add or Edit, the VLAN Configuration page appears. STEP 3 Enter the following information: • Name: Enter a descriptive name, for reference. • ID: Enter a unique identification number, which can be any number from 2 to 4091.
  • Page 78: Assigning VLANs To LAN Ports

    Access mode is recommended if the port is connected to a single end-user device which is VLAN unaware. If you choose this option, also enter a VLAN ID for the port, in the PVID field.
  • Page 79: Multiple VLAN Subnets

    > Available VLANs page appear in the List of Available Multiple VLAN Subnets table. The Multiple VLAN Subnet Configuration page appears. STEP 2 In the Multiple VLAN Subnet section of the page, enter the following settings:
  • Page 80 STEP 5 In the LAN Proxies section, check the Enable DNS Proxy box to allow the VLAN to act as a proxy for all DNS requests and to communicate with the DNS servers of
  • Page 81: Routing

    IP address range while the WAN port on the router is configured with a single public IP address. Along with connection sharing, NAT also hides internal IP addresses from the computers on the Internet.
  • Page 82: Static Routing

    Active: Check this box to activate the route, or clear the box to deactivate a route that is not in use but that you do not want to delete. An inactive route is not broadcast if Routing Information Protocol (RIP) is enabled.
  • Page 83: Dynamic Routing

    Both: The router both broadcasts its routing table and also processes RIP information received from other routers. Out Only: The router broadcasts its routing table periodically but does not accept RIP information from other routers.
  • Page 84 Not Valid After: End date of the First Key for MD5-based authentication between routers. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 85: Port Management

    This feature may be useful for debugging or for traffic monitoring by an external application. You can choose one LAN port to monitor the traffic on all other LAN ports.
  • Page 86: Bandwidth Profiles

    The traffic selector identifies the stream of traffic, which will then be subject to the specified bandwidth control.
  • Page 87: Creating Bandwidth Profiles

    Minimum Bandwidth Rate and the Maximum Bandwidth Rate. • Choose the interface to which this bandwidth profile is applicable. STEP 5 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 88: Traffic Selectors

    Then enter the IP Address, MAC Address, Port Name, or VLAN, based on the chosen match type. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 89: Dynamic DNS

    DynDNS and keep the subscription active after the 30-day trial. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 90: Configuring Ipv6 Addressing

    • IPv6 Multi LAN • IPv6 Static Routing • Routing (RIPng) • 6to4 Tunneling • IPv6 Tunnels Status • ISATAP Tunnels • MLD Tunnels • Configuring Router Advertisement • Adding RADVD Prefixes
  • Page 91: IP Routing Mode

    To configure the WAN connection, click IPv6 > IPv6 WAN Config. For more information, see Configuring the IPv6 WAN Connection, page • To configure the LAN, click IPv6 > IPv6 LAN Config. For more information, see Configuring the IPv6 LAN, page
  • Page 92: Configuring The IPv6 WAN Connection

    Stateful Address Auto Configuration: If you choose this option, the security appliance connects to the DHCPv6 server at the ISP to obtain a leased address. STEP 5 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 93: Configuring The IPv6 LAN

    DHCP server that dynamically assigns IP addresses to all connected devices, click Enable DHCPv6 Server, and then complete all fields that are highlighted with white backgrounds.
  • Page 94 Router Advertisement Daemon (RADVD). For more information, see Router Advertisement Daemon (RADVD), page 101. • If you want to configure the LAN address pools, click IPv6 > IPv6 Address Pools. For more information, see IPv6 LAN Address Pools, page
  • Page 95: IPv6 LAN Address Pools

    All hosts in the network have the identical initial bits for the IPv6 address. The number of common initial bits in the addresses is set by the prefix length field.
  • Page 96: IPv6 Multi LAN

    IPv6 address. The number of common initial bits in the addresses is set by the prefix length field. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 97: IPv6 Static Routing

    15. If multiple routes to the same destination exist, the security appliance chooses the route with the lowest metric. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
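Two points from the IPv6 pages above are worth seeing executed: a prefix length is simply the count of leading bits that all addresses in a pool share (pages 95 and 96), and when several static routes cover a destination the lowest metric wins among them (page 97), but only after the more specific prefix has already won, which is the part the sentence leaves implicit. The Python below is an added example and not code from the Cisco guide; it computes the shared prefix length of two addresses and implements the longest-prefix-then-lowest-metric selection over a small constructed route table. The StaticRoute fields mirror the guide's columns (destination, gateway, interface, metric, active); the 1 to 15 metric range and the 16-means-unreachable convention are assumptions borrowed from RIP, which the "15." fragment at the start of page 97 suggests.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def common_prefix_length(a: str, b: str) -> int:
    """Number of identical leading bits in two IPv6 addresses, i.e. the prefix length they share."""
    x = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - x.bit_length()


@dataclass(frozen=True)
class StaticRoute:
    destination: str   # prefix, e.g. "2001:db8:1::/48"; "::/0" is the default route
    gateway: str
    interface: str
    metric: int        # assumption: 1-15, as for RIP; 16 means unreachable
    active: bool = True

    def network(self) -> ipaddress.IPv6Network:
        # strict=True rejects a destination with host bits set, e.g. "2001:db8::1/64"
        return ipaddress.IPv6Network(self.destination, strict=True)


def route_is_valid(r: StaticRoute) -> bool:
    """True if the metric is in range and the destination is a proper prefix."""
    if not 1 <= r.metric <= 15:
        return False
    try:
        r.network()
    except ValueError:
        return False
    return True


def select_route(table, dst: str) -> Optional[StaticRoute]:
    """Longest matching prefix first; among equal prefixes the lowest metric, as the guide states."""
    addr = ipaddress.IPv6Address(dst)
    candidates = [r for r in table if r.active and addr in r.network()]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network().prefixlen, r.metric))


# Constructed route table (documentation prefixes; the link-local gateways are made up).
TABLE = [
    StaticRoute("::/0", "2001:db8:ffff::1", "WAN", 1),
    StaticRoute("2001:db8:1::/48", "fe80::a", "LAN", 5),
    StaticRoute("2001:db8:1:2::/64", "fe80::b", "LAN", 10),
    StaticRoute("2001:db8:1:2::/64", "fe80::c", "LAN", 3, active=False),  # deactivated, ignored
    StaticRoute("2001:db8:1:2::/64", "fe80::d", "LAN", 7),
]

if __name__ == "__main__":
    print(common_prefix_length("2001:db8:1:2::1", "2001:db8:1:2:ffff::1"))   # 64
    print(select_route(TABLE, "2001:db8:1:2::9").gateway)                   # fe80::d
    print(select_route(TABLE, "2001:db8:1:ffff::1").gateway)                # fe80::a
    print(select_route(TABLE, "2001:4860:4860::8888").gateway)              # 2001:db8:ffff::1
```

Note that the /64 route with metric 10 still beats the /48 route with metric 5 for 2001:db8:1:2::9; metric only breaks ties between routes of the same prefix length, and the inactive metric-3 entry is skipped exactly as the guide describes for a deactivated route.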
  • Page 98: Routing (Ripng)

    WAN IPv4 network, and vice versa. You should enable this feature if you have an end site or end user that needs to connect to the IPv6 Internet using the existing IPv4 network.
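The 6to4 and ISATAP tunnel pages above describe addresses that are derived mechanically from the IPv4 address already on the appliance, which is worth seeing spelled out because it is also how you verify what the Tunnels Status page shows. The Python below is an added example, not code from the Cisco guide: it derives the site's 6to4 /48 (2002:WWXX:YYZZ::/48, per RFC 3056) and a LAN /64 inside it from the WAN IPv4 address, recovers the IPv4 tunnel endpoint from any 6to4 address, and builds an ISATAP address (RFC 5214, interface identifier 0:5efe:<IPv4>, or 200:5efe:<IPv4> when the IPv4 address is globally unique). The WAN address 209.165.200.225 is the one from the guide's DMZ figure; the function names and the 10.1.1.1 ISATAP host are assumptions for illustration. The check that 6to4 needs a public WAN address is the common failure mode: behind NAT or on RFC 1918 space the tunnel never comes up.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")   # RFC 3056 6to4 space


def can_use_6to4(wan_ipv4: str) -> bool:
    """6to4 embeds the WAN IPv4 address, so it must be globally routable (not RFC 1918, not behind NAT)."""
    return ipaddress.IPv4Address(wan_ipv4).is_global


def six_to_four_prefix(wan_ipv4: str) -> ipaddress.IPv6Network:
    """The /48 a 6to4 site owns: 2002:WWXX:YYZZ::/48 with the WAN IPv4 address in hex."""
    if not can_use_6to4(wan_ipv4):
        raise ValueError(f"{wan_ipv4} is private or reserved; 6to4 needs a public WAN address")
    v4 = int(ipaddress.IPv4Address(wan_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def six_to_four_lan_subnet(wan_ipv4: str, subnet_id: int) -> ipaddress.IPv6Network:
    """One of the 65,536 /64s inside the site's /48, e.g. for a LAN or a VLAN."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    site = six_to_four_prefix(wan_ipv4)
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def embedded_ipv4(addr: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 tunnel endpoint from any 6to4 address (handy when reading tunnel status)."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in SIX_TO_FOUR:
        raise ValueError(f"{addr} is not a 6to4 address")
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """ISATAP address: <64-bit prefix> + 0000:5efe (or 0200:5efe for a globally unique IPv4) + IPv4."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    iid_hi = 0x02005EFE if v4.is_global else 0x00005EFE   # u bit set only for a globally unique IPv4
    return ipaddress.IPv6Address(int(net.network_address) | (iid_hi << 32) | int(v4))


if __name__ == "__main__":
    print(six_to_four_prefix("209.165.200.225"))          # 2002:d1a5:c8e1::/48
    print(six_to_four_lan_subnet("209.165.200.225", 1))   # 2002:d1a5:c8e1:1::/64
    print(embedded_ipv4("2002:d1a5:c8e1:1::10"))          # 209.165.200.225
    print(isatap_address("fe80::/64", "10.1.1.1"))        # fe80::5efe:a01:101
    print(can_use_6to4("192.168.75.1"))                   # False
```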
  • Page 99: Ipv6 Tunnels Status

    Other options: Click the Edit button to edit an entry. To delete an entry, check the box and then click Delete. To select all entries in the table, check the box at the left side of the heading row.
  • Page 100: MLD Tunnels

    Enter a higher value if a link is expected to be lossy. The default value is 2. The minimum value of the Robustness Variable is 2 and the maximum value is 8.
  • Page 101: Router Advertisement Daemon (RADVD)

    • Advertise Mode: Choose one of the following modes: Unsolicited Multicast: Choose this option to send router advertisements to all interfaces belonging to the multicast group. Also enter the Advertise Interval.
  • Page 102: Adding RADVD Prefixes

    The Advertisement Prefixes page appears. Any existing prefixes appear in the List of Prefixes to Advertise table. STEP 2 To add a prefix to the table, click Add.
  • Page 103 Prefix Lifetime: Enter the maximum number of seconds that the requesting router is allowed to use the prefix. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 104: Enabling 802.1p

    STEP 2 For each 802.1p priority value (Priority 0, Priority 1, and so on), use the drop-down list to choose the corresponding queue: Lowest, Low, Medium or High. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 105: DSCP Remarking

    STEP 2 For each 802.1p priority value (Priority 0, Priority 1, and so on), enter a priority value. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 106: Chapter 4: Wireless Configuration For The SA 520W

    A wireless profile specifies the security settings. Optionally, you can configure advanced wireless settings, QoS settings, and MAC filtering. After you configure a wireless profile, you can assign it to any access point. NOTE Cisco strongly recommends WPA2 for wireless security. Other security modes are vulnerable to attack.
  • Page 107 To protect your information as it is transmitted over the airwaves, you should enable the highest level of encryption supported by your network equipment.
  • Page 108 WEP Key boxes. The length of the key should be 5 ASCII characters (or 10 hex characters) for 64-bit WEP and 13 ASCII characters (or 26 hex characters) for 128-bit WEP.
  • Page 109: Profile Advanced Configuration

    The Profiles page appears. The existing profiles appear in the List of Profiles table. Find the profile that you want to edit, and click the button in the Adv Config STEP 2 column. Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 110: Configuring The Qos Settings For A Wireless Profile

    IP data is sent to this queue. • Background: Lowest priority queue, high throughput. Bulk data that requires maximum throughput and is not time-sensitive is typically sent to this queue (FTP data, for example). Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 111: Controlling Wireless Access Based On Mac Addresses

    IMPORTANT: Any time that you add or delete addresses from the MAC Address table, click the Apply button to save your settings. The policy applies only to the addresses that are in the table when you click Apply. Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 112 Deny: All of the devices in the MAC Address table are prevented from using this access point. All other devices are allowed access. Click Apply to save your settings, or click Reset to revert to the saved settings. STEP 6 Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 113: Step 2: Configuring The Access Points

    SSID: Specify the Service Set Identifier, or network name, that clients use to connect to the access point. It is a good practice to replace the default SSID with a unique identifier. Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 114: Configuring The Radio

    Country: Choose a country from the drop-down list of countries. This list is populated according to the region selected. This impacts the available Wi-Fi™ channels as determined by wireless authorities in the corresponding country/region. Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 115 Default Transmit Power: Enter a value in dBm as the default transmitted power level for all APs that use this radio. The default is 20 dBm. Click Apply to save your settings, or click Reset to revert to the saved settings. STEP 3 Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 116: Advanced Radio Configuration

    Preamble mode: 802. 1 1b requires that a preamble be appended to every frame before it is transmitted through the air. The preamble can be either the traditional long preamble, which requires 192 μs for transmission, or it can be Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 117 Retries are used for both long and short frames, of size less than or equal to the RTS threshold. Click Apply to save your settings, or click Reset to revert to the saved settings. STEP 3 Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 118: Chapter 5: Firewall Configuration

    Direction of the traffic • Days of the week and times of day • Keywords in a domain name or on a URL of a web page • MAC addresses of devices • Port triggers Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 119: Preliminary Tasks For Firewall Rules

    Services.”) If you need to configure a firewall rule for a service that is not on the standard list, first you must identify the service by entering a name, specifying the type, and assigning the port range. Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 120 Weekend that is active all day on Saturday and Sunday. For more information about the time settings for your security appliance, see Configuring the Time Settings, page 199. Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 121 STEP 1 To add IP Aliases, click Add. STEP 2 Choose the WAN interface from the Interface drop-down menu. This is the STEP 3 interface where you will add the IP address to. Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 122: Configuring The Default Outbound Policy

    This procedure explains how to configure a firewall rule for the following traffic flows: • From the LAN to the WAN • From the LAN to the DMZ • From the DMZ to the WAN For examples, see Firewall Rule Configuration Examples, page 129. Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 123 • To Zone: For an outbound rule, choose INSECURE (WAN) if the traffic is going to the Internet, or choose DMZ if the traffic is going to a server on your DMZ. Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 124 QoS Priority: You can use this rule to prioritize traffic. Each priority level corresponds to a Term of Service (ToS) value. Normal-Service: ToS=0 (lowest QoS) Minimize-Cost: ToS=1 Maximize-Reliability: ToS=2 Maximize-Throughput: ToS=4 Minimize-Delay: ToS=8 (highest QoS) Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 125: Configuring A Firewall Rule For Inbound Traffic

    In addition to configuring firewall rules, you can use the following methods to NOTE control inbound traffic: • You can prevent common types of attacks. For more information, see Configuring Attack Checks, page 133. Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 126 LAN, or choose DMZ if the traffic is going to a server on your DMZ. If the From Zone is the WAN, the To Zone can be the public DMZ or secure LAN. Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 127 Destination NAT Settings area: • Internal IP Address: Enter the IP address of the server that is hosting the service. • Enable Port Forwarding: Check the box to forward traffic to a particular port. Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 128: Prioritizing Firewall Rules

    To view the list of rules belonging to the same group, choose the source and STEP 2 destination from the From Zone and To Zone drop-down menus and click Display Rules. Only the rules for the specified security zones appear. Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 129: Firewall Rule Configuration Examples

    HTTP requests from any outside IP address. The inbound traffic is addressed to your WAN IP address but is directed to a web server. Solution: Create an inbound rule as follows: Parameter Value From Zone Insecure (WAN1) To Zone Service HTTP Action ALLOW always Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 130 IP addresses (132. 1 77.88.2 - 132. 1 77.88.254). Solution: Create an inbound rule as shown below. In the example, connections for CU-SeeMe (an Internet video-conferencing client) are allowed only from a specified range of external IP addresses. Cisco SA 500 Series Security Appliances Administration Guide...
  • Page 131 IP address range of 10. 1 . 1 . 1 to 10. 1 . 1 . 1 00. Parameter Value From Zone Secure (LAN) To Zone INSECURE (Dedicated WAN/Optional WAN) Service HTTP Action BLOCK by schedule Schedule Weekend Source Hosts Address Range From 10. 1 . 1 . 1 Cisco SA 500 Series Security Appliances Administration Guide...
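    As an added example (not code from the Cisco guide), the following Python models how a first-match, zone-based rule set like the three examples above decides a flow. The zone names, the service-to-port table, the "Weekend" schedule predicate, the assumption that unmatched inbound traffic from the WAN is blocked, and the sample flows are all assumptions made for this illustration; the To Zone of the web-server rule is taken to be the DMZ.

```python
# Added example (not Cisco code): first-match evaluation of zone-based firewall
# rules of the kind shown in the configuration examples above. Zone names,
# the service port table, the Weekend schedule and all sample flows are
# assumptions made for illustration.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple
import ipaddress

# Assumed service table: name -> (protocol, destination port).
SERVICES = {"HTTP": ("tcp", 80), "CU-SeeMe": ("udp", 7648)}

# Assumed schedule table: name -> predicate on the flow's timestamp.
# "Weekend" is active all day Saturday and Sunday, as described on page 120.
SCHEDULES = {"Weekend": lambda t: t.weekday() >= 5}


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    service: str
    action: str                                   # "ALLOW" or "BLOCK"
    schedule: Optional[str] = None                # None = always
    src_range: Optional[Tuple[str, str]] = None   # (first, last) source IP; None = any


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    proto: str
    dport: int
    src: str
    when: datetime


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True when every configured field of the rule matches the flow."""
    if (rule.from_zone, rule.to_zone) != (flow.from_zone, flow.to_zone):
        return False
    if SERVICES[rule.service] != (flow.proto, flow.dport):
        return False
    if rule.src_range is not None:
        lo, hi = (ipaddress.ip_address(a) for a in rule.src_range)
        if not lo <= ipaddress.ip_address(flow.src) <= hi:
            return False
    if rule.schedule is not None and not SCHEDULES[rule.schedule](flow.when):
        return False
    return True


def evaluate(rules, flow: Flow, default_outbound: str = "ALLOW") -> str:
    """Rules are checked in priority order and the first match decides.
    With no match, outbound flows (LAN/DMZ to WAN) get the default outbound
    policy; inbound flows from the WAN are blocked (assumed default)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    if flow.from_zone in ("LAN", "DMZ") and flow.to_zone == "WAN":
        return default_outbound
    return "BLOCK"


# The three worked examples above, expressed as rules (To Zone for the
# web-server rule is assumed to be the DMZ).
RULES = [
    Rule("WAN", "DMZ", "HTTP", "ALLOW"),
    Rule("WAN", "LAN", "CU-SeeMe", "ALLOW", src_range=("132.177.88.2", "132.177.88.254")),
    Rule("LAN", "WAN", "HTTP", "BLOCK", schedule="Weekend", src_range=("10.1.1.1", "10.1.1.100")),
]

SATURDAY = datetime(2024, 1, 6, 10, 0)   # constructed timestamps
MONDAY = datetime(2024, 1, 8, 10, 0)


def demo():
    """Return the decision for a few constructed flows."""
    flows = {
        "inbound web":            Flow("WAN", "DMZ", "tcp", 80, "203.0.113.5", MONDAY),
        "cu-seeme in range":      Flow("WAN", "LAN", "udp", 7648, "132.177.88.10", MONDAY),
        "cu-seeme elsewhere":     Flow("WAN", "LAN", "udp", 7648, "198.51.100.7", MONDAY),
        "weekend browsing":       Flow("LAN", "WAN", "tcp", 80, "10.1.1.50", SATURDAY),
        "weekday browsing":       Flow("LAN", "WAN", "tcp", 80, "10.1.1.50", MONDAY),
        "weekend, unlisted host": Flow("LAN", "WAN", "tcp", 80, "10.1.1.150", SATURDAY),
    }
    return {name: evaluate(RULES, f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24} {decision}")
```

    The point to take from the run is that rule order and the default outbound policy together define what is actually allowed: the weekend HTTP block only bites for hosts inside the configured address range and only on the days the schedule is active; everything else from the LAN falls through to the default.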
  • Page 132: Using Other Tools To Prevent Attacks, Restrict Access, And Control Inbound Traffic

    • Configuring Attack Checks • Configuring MAC Filtering to Allow or Block Traffic • Configuring IP/MAC Binding to Prevent Spoofing • Configuring a Port Triggering Rule to Direct Traffic to Specified Ports
  • Page 133: Configuring Attack Checks

    • Block Ping to WAN interface: Check this box to prevent attackers from discovering your network through ICMP Echo (ping) requests. Cisco recommends that you uncheck this box only if you need to allow the security appliance to respond to pings for diagnostic purposes. Note that this hides the appliance only from ICMP-based discovery; any service you publish through an inbound rule still reveals the address to a port scan.
  • Page 134: Configuring Mac Filtering To Allow Or Block Traffic

    STEP 1 navigation tree. The Source MAC Filter page appears. Before you can add any addresses to the table, you must check the box to enable MAC filtering, and then click Apply.
  • Page 135: Port Triggering

    LAN IP addresses or IP address ranges. In addition, the ports are not left open when they are not in use, thereby providing a level of security that static port forwarding does not offer.
  • Page 136: Configuring A Port Triggering Rule To Direct Traffic To Specified Ports

    STEP 5 In the Incoming (Response) Port Range area, enter the Start Port and End Port to specify the incoming port range for this rule. STEP 6 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 137: Viewing The Port Triggering Status

    ACK packet. Under normal circumstances, a session is allowed to remain in the half-open state for 10 seconds. The maximum value can range between 0 and 3,000. The default is 1,024 sessions.
  • Page 138: Using Other Tools To Control Access To The Internet

    Configuring Content Filtering to Allow or Block Web Components • Configuring Approved URLs to Allow Access to Websites • Configuring Blocked URLs to Prevent Access to Websites • Configuring IP/MAC Binding to Prevent Spoofing
  • Page 139: Configuring Content Filtering To Allow Or Block Web Components

    Cookies: For added security, check this box to block cookies, which typically contain session information. Be aware that this also breaks websites that rely on cookies for login sessions. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 140: Configuring Approved Urls To Allow Access To Websites

    STEP 5 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 141: Configuring Blocked Urls To Prevent Access To Websites

    URL, then your users are prevented from accessing websites such as www.yahoo.com, tw.yahoo.com, www.yahoo.com.uk, and www.yahoo.co.jp. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 142: Configuring Ip/Mac Binding To Prevent Spoofing

    Status on the menu bar, and then clicking View Log > View All Logs in the navigation tree. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 143: Sip

    If this feature is disabled, the router will not allow incoming calls to the UAC (User Agent Client) behind the router. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 144: Chapter 6: Intrusion Prevention System

    You configure IPS from the IPS Setup page. From this page you can enable IPS for the security zone you want to protect (LAN or DMZ), update the IPS signatures, and view the IPS status.
  • Page 145 • Manual Signature Updates: To manually update the latest signature file, click the Cisco.com link to obtain the file and download it to your computer. Browse to the location of the signature file on the local PC and then click Upload.
  • Page 146: Configuring The Ips Policy

    Disabled: Choose this option to disable inspection checking for this protocol. • Detect Only: Choose this option to check for attacks on this protocol and to log a message upon detection. This option is mostly used for troubleshooting purposes.
  • Page 147: Configuring Peer-To-Peer Blocking And Instant Messaging

    For IPS messages to be logged, you must configure IPS as the facility. For more information, see Logs Facility, page 204. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 148: Chapter 7: Using Cisco Protectlink Security Services

    The SA 500 Series supports Cisco ProtectLink Security Services. These services provide layers of protection against different security threats on your network. • Cisco ProtectLink Web provides all users with Web threat protection to prevent access to dangerous websites and URL filtering to control employee access to non-business related websites.
  • Page 149: Chapter 8: Configuring Vpn

    Remote Access with a Web Browser: A remote worker uses a web browser to initiate a VPN tunnel to access the available services on the corporate network. See Configuring SSL VPN for Browser-Based Remote Access, page 167.
  • Page 150: Configuring A Site-To-Site Vpn Tunnel

    —OR— From the Getting Started (Advanced) page, under Site-to-Site VPN, click VPN Wizard. The VPN Wizard page appears. STEP 2 In the About VPN Wizard area, choose Site-to-Site to create a site-to-site VPN tunnel from the security appliance to another VPN gateway.
  • Page 151 STEP 5 In the Secure Connection Remote Accessibility area, enter the following information about the LAN at the remote site: • Remote LAN IP Address: Enter the IP address of the remote LAN.
  • Page 152 For more information, see Configuring the IKE Policies for IPSec VPN, page 157. • To configure IPSec passthrough, click IPSec > Passthrough. For more information, see Configuring IPSec Passthrough, page 166.
  • Page 153: Configuring An Ipsec Vpn Tunnel For Remote Access With A Vpn Client

    Figure: remote-access IPsec VPN topology (labels in the figure: Inside network 10.10.10.0, WINS Server 10.10.10.133, Outside, Internet, and two Personal Computers Using VPN Software Client). NOTE For information about the VPNC recommendations, visit the following website: www.vpnc.org/vpn-standards.html
  • Page 154 Then enter that address or name in the Local WAN’s IP Address or Internet Name field. STEP 5 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 155: Configuring The User Database For The Ipsec Remote Access Vpn

    If you are using IPSec VPN for remote access by remote workers, use this page to manage the users (both XAUTH and Cisco QuickVPN). The VPN gateway authenticates the users in this list when XAUTH is used in an IKE policy.
  • Page 156 Quick VPN. This option should be selected when the clients use QuickVPN Client. • Allow user to change password?: If you chose Cisco QuickVPN for the Remote Peer Type, you can check this box to allow the user to change the password.
  • Page 157: Advanced Configuration Of Ipsec Vpn

    Optionally, review and modify the default settings and policies. See Advanced Configuration of IPSec VPN, page 157. • For Cisco QuickVPN, you also must enable Remote Management. See RMON (Remote Management), page 210. Enabling Remote Management exposes the appliance's management service on the WAN, so review the RMON settings before you enable it. The following topics are helpful for users who want to review and modify the settings that are created by the VPN Wizard.
  • Page 158 In Aggressive Mode there are fewer key exchanges between the initiator and the receiver. Both sides exchange information even before there is a secure channel. This feature creates a faster connection but with less security than Main Mode. In particular, with pre-shared key authentication the peer identities and the PSK-based authentication hash are sent unencrypted, which exposes the PSK to an offline dictionary attack; prefer Main Mode, and if Aggressive Mode is required use a long random PSK.
  • Page 159 Authentication Algorithm: Specify the authentication algorithm for the VPN header. There are five algorithms supported by this router: MD5, SHA-1, SHA2-256, SHA2-384 and SHA2-512. Prefer one of the SHA-2 options where the remote peer supports it. NOTE Ensure that the authentication algorithm is configured identically on both sides.
  • Page 160 In this mode, the security appliance acts as a VPN Client of the remote gateway. If you choose this option, also enter a Username and Password.
  • Page 161: Configuring The Ipsec Vpn Policies

    NOTE Before you create an Auto Policy, first create an IKE policy. Then you can apply the IKE policy on this page. For more information, see Configuring the IKE Policies for IPSec VPN, page 157.
  • Page 162 Remote End Point: Choose to identify the remote end point by the IP address or the Internet Name/FQDN of the remote gateway or the client PC. Also enter the IP address or the Internet Name/FQDN in the field below the drop-down list.
  • Page 163 8 characters. For example: 0a1234. • Encryption Algorithm: Choose the algorithm that is used to encrypt the data. • Key-In: Enter the encryption key of the inbound policy. • Key-Out: Enter the encryption key of the outbound policy.
  • Page 164 Kilobytes: If you specify the SA Lifetime in kilobytes, the SA is renegotiated after the specified number of kilobytes of data is transferred over the original SA. The minimum value is 300 seconds or 1920000 KB.
  • Page 165 2. The DPD should be enabled. 3. The Direction should be either initiator or both. 4. The XAuth configuration should be None or IPSec Host. 5. The policy should be Gateway only, not client.
  • Page 166 STEP 2 Check the box for each type of traffic that you want to allow to pass through the VPN tunnel. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 167: Configuring Ssl Vpn For Browser-Based Remote Access

    NT/Active Directory and FTP file shares • E-mail proxies, including POP3S, IMAP4S, and SMTPS • MS Outlook Web Access • MAPI • Applications (that is, port forwarding for access to other TCP-based applications)
  • Page 168: Access Options For Ssl Vpn

    To do this, you could restrict the user from accessing general content on the Internet. Then, you could configure links to specific targets on the internal network that you want users of Clientless SSL VPN to be able to access.
  • Page 169: Elements Of The Ssl Vpn

    Port Forwarding: You can configure port forwarding to allow access to a limited set of resources. For example, you may want the SSL VPN users to access the email service only. See Configuring SSL VPN Port Forwarding, page 176.
  • Page 170: Scenario Step 1: Customizing The Portal Layout

    URL. The browser displays a login page with several features that you can configure: 1. Portal Site Title 2. Banner Title 3. Banner Message Figure 12 Configurable Areas of the SSL VPN Portal Layout
  • Page 171 • ActiveX web cache cleaner: Check this box to load an ActiveX cache control whenever users log in to this SSL VPN portal.
  • Page 172: Scenario Step 2: Adding The Ssl Vpn Users

    The User page appears. The default Administrator and Guest users appear in the List of Users table, along with any new users that you add. STEP 2 To add a user, click Add.
  • Page 173: Creating The Ssl Vpn Policies

    You can create user, group, and global policies. Policies are applied based on the following levels of precedence: • User-level policies take precedence over Group-level policies. • Group-level policies take precedence over Global policies.
  • Page 174 Policy For: Choose the type of policy: Global, Group, or User. If you choose Group, also choose the group from the Available Groups list. If you choose User, also choose the user from the Available Users list.
  • Page 175 STEP 6 Click Apply to save your settings, or click Reset to revert to the saved settings. Next steps: NOTE Enable Remote Management (RMON), if you have not done so previously. If RMON is disabled, SSL VPN access is blocked. See RMON (Remote Management), page 210.
  • Page 176: Specifying The Network Resources For Ssl Vpn

    The following table lists some common applications and corresponding TCP port numbers:
    TCP Application                Port Number
    FTP Data (usually not needed)
    FTP Control Protocol
    SMTP (send mail)
  • Page 177 TCP Port Number: Enter the port number of the TCP application that enables port forwarding. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 178: Ssl Vpn Tunnel Client Configuration

    “network adapter” with an IP address from the corporate subnet, DNS and WINS settings is automatically created. This feature allows access to services on the private network without any special network configuration on the remote SSL VPN client machine.
  • Page 179 Client Routes for Split Tunnel Mode, page 180. • DNS Suffix (Optional): Enter the DNS Suffix for this client. • Primary DNS Server (Optional): Enter the IP address of the primary DNS Server for this client.
  • Page 180 Destination Network using this page. NOTE You can configure client routes only if Split Tunnel support is enabled on the SSL VPN Client page. See Configuring the SSL VPN Client, page 179.
  • Page 181: Viewing The Ssl Vpn Client Portal

    Port Forwarding information page appears. The user can click the Launcher icon to connect to the remote servers. • Change Password: The user can click this link to change his or her password.
  • Page 182: Verisign™ Identity Protection Configuration

    VIP Production: Choose this option if you have purchased VeriSign service. The service will use VIP production servers to authenticate your users. c. Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 183: Managing User Credentials For Verisign Service

    Only available users are shown in the user list. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 184: Chapter 9: Administration

    To enable the account, edit the User Login Policies. See Adding or Editing User Login Policies, page 188. • SSL VPN: An SSL VPN account, which allows access to the services specified in the SSL VPN configuration.
  • Page 185: Domains

    When you create a domain, a group is created automatically. It has the same name as the domain and is associated with the domain. To edit the group settings, see Groups, page 186.
  • Page 186: Groups

    Adding or Editing User Settings The users are part of a group, which in turn is a part of an authenticating domain. NOTE Before you configure users, configure the groups. See Groups, page 186.
  • Page 187 Enter any value from 0 to 999. The timeout value for the individual user has precedence over the timeout for the group. If you want to ensure that the group’s timeout settings are used, set this value to 0.
  • Page 188: Adding Or Editing User Login Policies

    To delete a browser, check the box, and then click Delete. • User Login Policy By IP Address: Click the third button in the Edit User Policies column. When the User Policy By Source IP Address page appears, enter the following information:
  • Page 189: Maintenance

    For the SA 540 model, a free upgrade to 50 seats is available. You must download a license key from Cisco to enable these seats. To obtain the license key, click the Upgrade to 50 Seats link on the License Management page.
  • Page 190 Status: Shows if the license is installed or not installed. Licenses cannot be transferred or revoked once they are installed. • Seats Available: Current number of licenses installed. • Expiration: Date on which the license expires, shown in MM/DD/YYYY format. For example: 04/23/2010.
  • Page 191 Installation License Type License Code (PAK) from cisco.com: Automatically retrieves and installs the license on the device from the Cisco server. To use this option, enter your PAK ID and Cisco.com username and password. These credentials are required for the device to authenticate to the Cisco server.
  • Page 192: Upgrading Firmware And Working With Configuration Files

    Cisco.com. See http://www.cisco.com/en/US/products/ps9932/tsd_products_support_series_home.html. If a firmware upgrade is available, select one of the following: Upload: Check this option to upgrade the firmware.
  • Page 193 Check for New Firmware & Download: Check Periodically: Check this option to automatically check for firmware updates on a daily basis (every 24 hours). Enter your Cisco User Name and Password and click Apply to save your settings. If new firmware is available it is automatically downloaded to your device and you are prompted to install it.
  • Page 194: Maintaining The Usb Device

    5. Do NOT remove or unmount the USB device. STEP 1 Click Administration on the menu bar, and then click Firmware & Configuration > USB in the navigation tree. The Firmware & Configuration (USB) page appears.
  • Page 195 Status > Device Status. The Firmware Version (Primary) should be the same as the version that you attempted to install. If the upgrade was unsuccessful, see Appendix A, “Troubleshooting.” • Reboot: Click Reboot if it is necessary to reboot the router.
  • Page 196: Using The Secondary Firmware

    To test connectivity between the security appliance and a connected device on the network, enter the IP Address of the device and then click Ping. The results appear in the Command Output page. Click Back to return to the Diagnostics page.
  • Page 197: Measuring And Limiting Traffic With The Traffic Meter

    The security appliance will keep a record of the volume of traffic going from this interface. You also can configure the security appliance to place a restriction on the volume of data being transferred.
  • Page 198 Send E-mail Report before restarting counter: Choose this option to send an email report before the traffic counter is restarted. The email is sent to the address configured in the Logging section, if logging is enabled. See Remote Logging, page 203.
  • Page 199: Configuring The Time Settings

    Time, and with which Network Time Protocol (NTP) server to synchronize the date and time. The security appliance then gets its date and time information from the NTP server. Follow the steps below to configure NTP and time settings:
  • Page 200 STEP 1 Click Administration on the menu bar, and then click Time Zone in the navigation tree. The Time Zone page appears.
  • Page 201: Configuring The Logging Options

    MAC filtering. NOTE Enabling logging options can generate a significant volume of log messages and is recommended for debugging purposes only.
  • Page 202: Ipv6 Logging

    Accepted Packets: This logs packets that were successfully transferred through the segment. This option is useful when the Default Outbound Policy is “Block Always” (see the Firewall Rules page under the Firewall menu).
  • Page 203: Remote Logging

    The log identifier is added to email and syslog messages. STEP 3 In the Enable E-Mail Logs area, enter the following information: • Enable E-Mail Logs: Check this box to enable email logs.
  • Page 204: Logs Facility

    A variety of events can be captured and logged for review. These logs can be sent to a syslog server or emailed to a specified address. You can also specify which system messages are logged based on the facility that generated the message and its severity level.
  • Page 205 STEP 3 Check the box for each event that you want to display in the local log or to send to the syslog server. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
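    As an added example (not from the guide), this Python filters collector-side syslog messages by facility and severity, the two fields the Logs Facility page keys on, so you can see what the appliance's selection amounts to once the messages reach a syslog server. The appliance's own facility names are not given on this page, so the example uses the standard RFC 3164 facility and severity numbering (PRI = facility * 8 + severity); the sample lines, host name and message texts are constructed.

```python
# Added example (not Cisco code): selecting syslog messages by facility and
# severity, the two fields the Logs Facility page keys on. The appliance's own
# facility names are not listed on this page, so the standard RFC 3164
# facility/severity numbering is used; the sample messages are constructed.
import re
from typing import Dict, Iterable, List

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse(line: str) -> Dict[str, object]:
    """Split the PRI header: PRI = facility * 8 + severity (0..191)."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError(f"no PRI header: {line!r}")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    fac, sev = divmod(pri, 8)
    return {"facility": FACILITIES[fac], "severity": SEVERITIES[sev],
            "level": sev, "msg": m.group(2)}


def select(lines: Iterable[str], facilities: Iterable[str], min_severity: str) -> List[Dict[str, object]]:
    """Keep messages from the given facilities that are at least as urgent as
    min_severity. Lower level numbers are more urgent, so 'warning' keeps
    emerg..warning and drops notice, info and debug."""
    wanted = set(facilities)
    threshold = SEVERITIES.index(min_severity)
    kept = []
    for line in lines:
        rec = parse(line)
        if rec["facility"] in wanted and rec["level"] <= threshold:
            kept.append(rec)
    return kept


SAMPLE = [  # constructed lines in the shape a syslog collector would receive
    "<134>Jan  6 10:00:01 sa520 firewall: ALLOW tcp 10.1.1.50:51234 -> 203.0.113.9:443",   # local0.info
    "<131>Jan  6 10:00:02 sa520 ips: attack signature matched, src 198.51.100.7, dropped",  # local0.err
    "<38>Jan  6 10:00:03 sa520 login: accepted admin session from 10.1.1.5",                # auth.info
    "<12>Jan  6 10:00:04 sa520 macfilter: blocked 00:1a:2b:3c:4d:5e on LAN",                # user.warning
    "<135>Jan  6 10:00:05 sa520 firewall: state table has 12 entries",                      # local0.debug
]


def demo() -> List[Dict[str, object]]:
    """Messages from local0 and user at warning or more urgent."""
    return select(SAMPLE, ["local0", "user"], "warning")


if __name__ == "__main__":
    for rec in demo():
        print(f"{rec['facility']}.{rec['severity']}: {rec['msg']}")
```

    Two things are easy to get backwards when building such a filter: severity 0 is the most urgent, so "at least warning" means level <= 4, and a facility chosen on the appliance (page 147 requires IPS as the facility for IPS messages) only helps if the collector's rule selects that same facility.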
  • Page 206: Managing Certificates For Authentication

    The Certificate Signing Request table lists the names of the certificates you have requested and the status of each request.
  • Page 207 CSR. To include more than one subject field, enter each subject separated by a comma. For example: CN=hostname.domain.com, ST=CA, C=US (the X.509 country attribute is a two-letter ISO 3166 code, so enter US rather than USA). • Hash Algorithm: Hash algorithm used to sign the request. Choose between MD5 and SHA-1. Both are deprecated for new signatures, so select SHA-1 where the appliance offers nothing stronger; this setting signs the CSR only, and the certificate a CA issues in response carries the signature algorithm the CA selects.
  • Page 208: Configuring RADIUS Server Records

    • Secret: Enter the shared key that is configured on the RADIUS server. The Secret can contain all characters except single quote, double quote and space. • Timeout: Enter the number of seconds that the connection can exist before re-authentication is required.
  • Page 209 • Retries: Enter the number of retries for the device to re-authenticate with the RADIUS server. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
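An added example, not from the Cisco guide, of what the RADIUS server record protects on the wire: a Python construction of an RFC 2865 Access-Request as a network access server sends it, with the shared secret used to hide the User-Password attribute, the appliance's stated character rule for the Secret field, and a decoder that checks the length fields. User names, secrets and addresses are invented for the demo; the attribute set the appliance actually sends is not documented on this page and is not claimed here.

```python
"""RFC 2865 Access-Request as a NAS builds it: shared secret, random Request
Authenticator, and User-Password hidden with MD5(secret + authenticator).
Names and sample values are constructed for this demo."""
import hashlib
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def validate_secret(secret: str) -> bool:
    """The appliance's rule for the Secret field: any character except a single
    quote, a double quote or a space. An empty secret is rejected as well."""
    return bool(secret) and not any(ch in "'\" " for ch in secret)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16, then c1 = p1 XOR MD5(S+RA),
    c2 = p2 XOR MD5(S+c1), ... Only a party holding the secret can reverse it."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same construction. Trailing padding is stripped, so a
    password that itself ends in NUL bytes would lose them (as in RFC 2865)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-zero multiple of 16 octets")
    plain = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return plain.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str, secret: str,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes."""
    if not validate_secret(secret):
        raise ValueError("secret contains a forbidden character")
    ra = authenticator if authenticator is not None else os.urandom(16)
    if len(ra) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    attrs = (
        attribute(ATTR_USER_NAME, username.encode())
        + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret.encode(), ra))
        + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(octet) for octet in nas_ip.split(".")))
    )
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def parse_packet(data: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Decode the header and walk the TLVs, rejecting lengths that do not add up."""
    if len(data) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match packet size")
    attrs: Dict[int, bytes] = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[pos + 2:pos + attr_len]   # last occurrence wins
        pos += attr_len
    return code, identifier, data[4:20], attrs


if __name__ == "__main__":
    pkt = build_access_request(7, "alice", "correct horse", "s3cret-key", "192.168.75.1")
    code, ident, ra, attrs = parse_packet(pkt)
    print(code, ident, attrs[ATTR_USER_NAME], reveal_password(attrs[ATTR_USER_PASSWORD], b"s3cret-key", ra))
```

The password hiding is only as strong as the secret and the randomness of the Request Authenticator, which is why the Secret field deserves a long random value rather than a word, and why RADIUS between the appliance and the server belongs on a trusted segment or inside a tunnel.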
  • Page 210: Chapter 10: Network Management

    STEP 1 Click Network Management on the menu bar, and then click Remote Management in the navigation tree. The Remote Management (RMON) page appears.
  • Page 211: CDP

    STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings. Cisco Discovery Protocol (CDP) is a device discovery protocol that runs on Cisco-manufactured equipment. Each CDP-enabled device sends periodic messages to a multicast address and also listens to the periodic messages sent by others in order to learn about neighboring devices and determine their status. Because these advertisements carry the device's identity, platform, software version and addresses, leave CDP disabled on segments you do not trust; the factory default is enabled on the LAN and disabled on the WAN port.
  • Page 212: SNMP

    Configuring SNMP STEP 1 Click Network Management on the menu bar, and then click SNMP > SNMP in the navigation tree. The SNMP page appears. STEP 2 To add an entry, click Add.
  • Page 213: Configuring SNMP System Info

    • SysLocation: The physical location of the security appliance. • SysName: A name given for easy identification of the security appliance. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 214: UPnP

    This is the number of hops (its IP time to live) a packet is allowed to propagate before being discarded. Small values limit the range of UPnP advertisements. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 215: Bonjour

    The default services will only be visible to hosts belonging to the associated VLANs. By default, LAN/Default-VLAN is the broadcasting domain. STEP 3 Click Apply to add the VLAN, or click Reset to revert to the previous settings.
  • Page 216 Network Management Bonjour The VLAN associated with the service appears in the List of VLANs table. To dissociate the VLAN from the service, check the box next to the appropriate VLAN and click Delete.
  • Page 217: Appendix A: Troubleshooting

    STEP 6 Ensure that you are using the correct login information. The factory default login name is cisco and the password is cisco. Ensure that CAPS LOCK is off when entering this information.
  • Page 218 STEP 4 When the modem LEDs indicate that it has resynchronized with the ISP, reapply power to the security appliance. If the security appliance still cannot obtain an ISP address, see the next symptom.
  • Page 219 STEP 1 Ask your ISP for the addresses of its designated Domain Name System (DNS) servers. Configure your PC to recognize those addresses. For details, see your operating system documentation. STEP 2 On your PC, configure the security appliance to be its TCP/IP gateway.
  • Page 220: Date And Time

    STEP 1 Click Administration on the menu bar, and then click Time Zone in the navigation tree. STEP 2 Check or uncheck Automatically adjust for Daylight Savings Time. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings.
  • Page 221: Pinging To Test LAN Connectivity

    • Verify that the Ethernet card driver software and TCP/IP software are installed and configured on the PC. • Verify that the IP addresses of the security appliance and the PC are correct and on the same subnet.
  • Page 222 MAC address of just a single PC connected to that modem. If this is the case, configure your firewall to clone or spoof the MAC address from the authorized PC. For more information, see Configuring the WAN Connection, page
  • Page 223: Restoring Factory-Default Configuration Settings

    After a restore to factory defaults, the following settings apply: • LAN IP address: 192.168.75.1 • Username: cisco • Password: cisco • DHCP server on LAN: enabled • WAN port configuration: Get configuration via DHCP. Because these credentials are published, change the password before the appliance is reachable from the WAN again.
  • Page 224: Appendix B: Standard Services

    See Creating Custom Services, page 119. BOOTP_CLIENT BOOTP_SERVER CU-SEEME:UDP CU-SEEME:TCP DNS:UDP DNS:TCP FINGER HTTP HTTPS ICMP-TYPE-3 ICMP-TYPE-4 ICMP-TYPE-5
  • Page 225 Standard Services ICMP-TYPE-6 ICMP-TYPE-7 ICMP-TYPE-8 ICMP-TYPE-9 ICMP-TYPE-10 ICMP-TYPE-11 ICMP-TYPE-13 IMAP2 IMAP3 NEWS NNTP PING POP3 PPTP RCMD REAL-AUDIO REXEC RLOGIN RTELNET RTSP:TCP RTSP:UDP SFTP SMTP SNMP:TCP
  • Page 226 Standard Services SNMP:UDP SNMP-TRAPS:TCP SNMP-TRAPS:UDP SQL-NET SSH:TCP SSH:UDP STRMWORKS TACACS TELNET TFTP VDOLIVE
  • Page 227: Appendix C: Technical Specifications And Environmental Requirements

    • 1 x USB connector for USB 2.0 • 3 x external antennas. Operating Temperature: 32 to 104°F (0 to 40°C), the same for all three models.
  • Page 228 (H x W x D) Antenna adds approximately 6-3/4 inches (171 mm) to height and 1-2/8 inches (30 mm) to depth. Weight (with Power Supply): 4.91 lb / 5.15 lb / 5.14 lb (one value per model column).
  • Page 229: Appendix D: Factory Default Settings

    Date and Time - Time Zone: Pacific Time (US & Canada); DDNS: disable; HTTP Remote Access: enable; HTTPS Remote Access: enable; Secure Telnet over SSL: enable (if applicable); SNMP - Trusted Peer IP address
  • Page 230 Changes; Email Server Requires Authentication: disable; Cisco Discovery Protocol: enabled on LAN / disabled on WAN port; Bonjour: enabled on LAN / disabled on WAN port; UPnP: disable; RADIUS Server Port: 1812
  • Page 231: Router Settings

    VLAN - Data, Start IP Address: 192.168.x.50; VLAN - Data, End IP Address: 192.168.x.254; VLAN - Data, Subnet Mask: 255.255.255.0; VLAN - Data, Lease Time in Minutes: 1440; HTTP Remote Access: enable
  • Page 232 IPSec - Signaling Authentication - Auto Reconnect: enable; IPSec - Signaling Authentication - Local Subnet (Data VLAN subnet): 192.168.10.0; IPSec - Signaling Authentication - Local Subnet (Data VLAN subnet mask): 255.255.255.0
  • Page 233 IPSec - Signaling Authentication - Phase 2 - Use PFS; IPSec - Signaling Authentication - Phase 2 - Group Description Attribute: DH Group 2 (1024 bit; this group is considered weak by current guidance, so move to a larger group where the peer supports it); IPSec - Signaling Authentication - Phase 2 - Hash Algorithm: SHA1
  • Page 234: Wireless Settings

    VLAN - Data, IP Address (Failover when no DHCP Server Available): See Product Tab; VLAN - Data, Subnet Mask (Failover when no DHCP Server Available): 255.255.255.0; VLAN - Data, Name (optional): Data VLAN
  • Page 235 Radio: disabled; 802.1x supplicant: disabled; Clustering of Access Points (unique to AP54x): disabled; Broadcast / Multicast Rate Limiting: disabled; Broadcast / Multicast Rate Limit: 50 pps; Multicast traffic rate per radio: auto
  • Page 236: Storage

    4 queues = 3ms, 7ms, 15ms, 15ms; Maximum Burst: 4 queues = 1.5ms, 3ms, 0ms, 0ms; Maximum contention window: 4 queues = 7ms, 15ms, 15ms, 15ms. Storage (Feature / Setting): VLAN - Data, IP Address (Management): DHCP Client Assignment
  • Page 237 Allow Anonymous File Upload: disable; Allow Anonymous File Download: enable; Maximum Anonymous Transfer Rate (0 - unlimited) in KB/s; Disconnect Idle Sessions: 5 minutes; Disconnect Stalled Sessions: 5 minutes; Maximum Connections per IP Address
  • Page 238: Security Settings

    Block UDP Flood: Enable; Block ICMP Notification: Enable; Block Fragmented Packets: Enable; Block Multicast Packets: Enable; SYN Flood Detect Rate: 128 max/sec; Echo Storm (ping packets/sec): 15 packets/sec; ICMP Flood (ICMP packets/sec): 100 packets/sec
  • Page 239 Factory Default Settings Security Settings
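An added example, not from the Cisco guide, of how the three rate thresholds in the Security Settings table behave: Python detection logic that feeds TCP SYN and ICMP packet records into one-second sliding windows and raises one alert per counter when a window exceeds the default SYN Flood Detect Rate (128), Echo Storm (15 pps) or ICMP Flood (100 pps) value. The packet record layout and the traffic are constructed for the demo; the appliance's internal algorithm is not described on this page, so this shows the effect of the thresholds, not Cisco's implementation.

```python
"""Default flood thresholds (SYN 128/s, echo storm 15 pps, ICMP flood 100 pps)
applied to a stream of packet records with a one-second sliding window.
Packet records and the traffic below are constructed for this demo."""
from collections import deque
from typing import Deque, Dict, List, Tuple

# Defaults from the Security Settings table; units are packets per second.
DEFAULT_THRESHOLDS: Dict[str, int] = {"syn": 128, "echo": 15, "icmp": 100}


def counters_for(pkt: dict) -> List[str]:
    """Which rate counters a packet feeds: a TCP SYN (flags "S", no ACK) feeds
    "syn"; every ICMP packet feeds "icmp"; an echo request (type 8) also feeds "echo"."""
    if pkt["proto"] == "tcp":
        return ["syn"] if pkt.get("flags") == "S" else []
    if pkt["proto"] == "icmp":
        return ["icmp", "echo"] if pkt.get("type") == 8 else ["icmp"]
    return []


def detect_floods(packets: List[dict], thresholds: Dict[str, int] = DEFAULT_THRESHOLDS,
                  window: float = 1.0) -> List[Tuple[str, float]]:
    """Return (counter, timestamp) alerts, one per counter per burst, raised the
    moment the count in the trailing `window` seconds exceeds the threshold."""
    recent: Dict[str, Deque[float]] = {k: deque() for k in thresholds}
    in_alert = {k: False for k in thresholds}
    alerts: List[Tuple[str, float]] = []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        for key in counters_for(pkt):
            if key not in recent:
                continue
            q = recent[key]
            q.append(pkt["ts"])
            while q and pkt["ts"] - q[0] >= window:   # drop packets older than the window
                q.popleft()
            if len(q) > thresholds[key]:
                if not in_alert[key]:
                    alerts.append((key, pkt["ts"]))
                    in_alert[key] = True
            else:
                in_alert[key] = False                 # burst over; re-arm the alert
    return alerts


def constructed_traffic() -> List[dict]:
    """Invented traffic: a benign trickle of pings, an echo storm that stays under
    the ICMP flood rate, a SYN flood, and an ICMP flood made of non-echo messages."""
    pkts: List[dict] = []
    pkts += [{"ts": i * 0.1, "proto": "icmp", "type": 8} for i in range(10)]            # 10 pps: benign
    pkts += [{"ts": 5.0 + i * 0.01, "proto": "icmp", "type": 8} for i in range(40)]     # 40 in 0.4 s: echo storm only
    pkts += [{"ts": 10.0 + i * 0.0025, "proto": "tcp", "flags": "S"} for i in range(200)]  # 200 SYN in 0.5 s
    pkts += [{"ts": 20.0 + i * 0.005, "proto": "icmp", "type": 3} for i in range(150)]  # 150 unreachables in 0.75 s
    return pkts


if __name__ == "__main__":
    for counter, ts in detect_floods(constructed_traffic()):
        print(f"t={ts:.3f}s {counter} rate exceeded {DEFAULT_THRESHOLDS[counter]}/s")
```

Note how the two ICMP thresholds interact: 40 echo requests in half a second trip the 15 pps echo-storm limit but stay under the 100 pps ICMP flood limit, while a burst of destination-unreachable messages trips only the ICMP flood counter.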
  • Page 240: Appendix E: Where To Go From Here

    Cisco provides a wide range of resources to help you and your customer obtain the full benefits of the SA 500 Series Security Appliances. Product Resources: Support: Cisco Small Business Support Community, www.cisco.com/go/smallbizsupport; Cisco Small Business, www.cisco.com/go/smallbizhelp...
  • Page 241 Cisco Small Business: Cisco Partner Central for Small Business (Partner Login Required), www.cisco.com/web/partners/sell/smb; Cisco Small Business Home, www.cisco.com/smb

This manual is also suitable for:

Small Business Pro SA 540, Small Business Pro SA 520
