Cisco QuickVPN - PC Administration Manual

Category
Routers
Type
Administration Manual
Cisco Small Business Pro
SA 500 Series Security Appliances
ADMINISTRATION
GUIDE
© 2009 Cisco Systems, Inc. All rights reserved. OL-19114-02
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco Ironport, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower,
Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flip Video, Flip Video
(Design), Flipshare (Design), Flip Ultra, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Store, and
Flip Gift Card are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP,
CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity,
Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS,
iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking
Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to
Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States
and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (0907R)
Cisco SA 500 Series Security Appliances Administration Guide 3
Contents
Chapter 1: Getting Started 10
Feature Overview 10
Device Overview 11
Front Panel 11
Rear Panel 12
Installation 13
Installation Options 13
Hardware Installation 16
Getting Started with the Configuration Utility 18
Connecting to the Configuration Utility 18
Using the Getting Started Pages 20
Navigating Through the Configuration Utility 22
Using the Help System 23
About the Default Settings 24
Basic Tasks 25
Changing the Default User Name and Password 25
Backing Up Your Configuration 26
Upgrading the Firmware 26
Common Configuration Scenarios 27
Basic Network Configuration with Internet Access 28
Cisco Smart Business Communications System Configuration 30
Firewall for Controlling Inbound and Outbound Traffic 31
DMZ for Public Web Sites and Services 32
Configuring ProtectLink Web & Email Security 33
Site-to-Site Networking and Remote Access 33
Wireless Networking 37
Chapter 2: Status 38
Device Status 38
Device Status 38
Port Statistics 41
Wireless Statistics for the SA 520W 41
Cisco SA 500 Series Security Appliances Administration Guide 4
Contents
VPN Status 43
IPSec VPN Connection Status 43
SSL VPN Status 44
View Logs Status 46
View All Logs 46
IPSec VPN Logs 47
Policy Enforcement Logs 48
Active Users 48
CDP Neighbor 49
LAN Devices 49
Chapter 3: Networking 50
Configuring the WAN Connection 50
Viewing the WAN Status 54
Creating PPPoE Profiles 55
Configuring the LAN 56
About the Default LAN Settings 56
Configuring the LAN 57
Viewing the LAN Status 59
DHCP Reserved IPs 60
DHCP Leased Clients 61
Configuring the Optional Port as a LAN Port 61
Configuring the Optional WAN 62
Configuring Auto-Rollover, Load Balancing, and Failure Detection 65
Configuring the Protocol Bindings for Load Balancing 68
Configuring a DMZ 70
Configuring the DMZ Settings 73
DMZ Reserved IPs 75
DMZ DHCP Leased Clients 76
VLAN Configuration 77
Default VLAN Settings 77
Enabling or Disabling VLAN Support 78
Cisco SA 500 Series Security Appliances Administration Guide 5
Contents
Creating VLAN IDs 79
Assigning VLANs to LAN Ports 80
Multiple VLAN Subnets 81
Routing 83
Routing 83
Static Routing 84
Dynamic Routing 85
Port Management 86
Configuring the Ports 87
Configuring SPAN (Port Mirroring) 87
Bandwidth Profiles 88
Creating Bandwidth Profiles 88
Traffic Selectors 90
Dynamic DNS 91
Configuring IPv6 Addressing 92
IP Routing Mode 93
Configuring the IPv6 WAN Connection 94
Configuring the IPv6 LAN 95
IPv6 LAN Address Pools 97
IPv6 Multi LAN 98
IPv6 Static Routing 99
Routing (RIPng) 100
6to4 Tunneling 101
IPv6 Tunnels Status 101
ISATAP Tunnels 102
MLD Tunnels 103
Router Advertisement Daemon (RADVD) 104
Configuring Router Advertisement 104
Adding RADVD Prefixes 105
802.1p 107
Enabling 802.1p 107
802.1p Mapping 107
Cisco SA 500 Series Security Appliances Administration Guide 6
Contents
DSCP Remarking 108
Chapter 4: Wireless Configuration for the SA 520W 109
Configuring an Access Point 109
Step 1: Configuring the Wireless Profiles 110
Profile Advanced Configuration 113
Configuring the QoS Settings for a Wireless Profile 113
Controlling Wireless Access Based on MAC Addresses 114
Step 2: Configuring the Access Points 116
Configuring the Radio 118
Basic Radio Configuration 118
Advanced Radio Configuration 119
Chapter 5: Firewall Configuration 121
Configuring Firewall Rules to Control Inbound and Outbound Traffic 121
Preliminary Tasks for Firewall Rules 122
Configuring the Default Outbound Policy 125
Configuring a Firewall Rule for Outbound Traffic 126
Configuring a Firewall Rule for Inbound Traffic 129
Prioritizing Firewall Rules 132
Firewall Rule Configuration Examples 133
Using Other Tools to Prevent Attacks, Restrict Access, and
Control Inbound Traffic 136
Configuring Attack Checks 136
Configuring MAC Filtering to Allow or Block Traffic 138
Port Triggering 139
Configuring a Port Triggering Rule to Direct Traffic to Specified Ports 140
Viewing the Port Triggering Status 141
Configuring Session Settings to Analyze Incoming Packets 141
Using Other Tools to Control Access to the Internet 142
Configuring Content Filtering to Allow or Block Web Components 143
Configuring Approved URLs to Allow Access to Websites 144
Configuring Blocked URLs to Prevent Access to Websites 145
Cisco SA 500 Series Security Appliances Administration Guide 7
Contents
Configuring IP/MAC Binding to Prevent Spoofing 146
SIP 147
Chapter 6: Intrusion Prevention System 148
Configuring IPS 148
Configuring the IPS Policy 150
Configuring the Protocol Inspection Settings 150
Configuring Peer-to-Peer Blocking and Instant Messaging 151
Chapter 7: Using Cisco ProtectLink Security Services 152
Chapter 8: Configuring VPN 153
About VPN 153
Configuring a Site-to-Site VPN Tunnel 154
Configuring an IPSec VPN Tunnel for Remote Access with a VPN Client 157
Configuring the User Database for the IPSec Remote Access VPN 159
Advanced Configuration of IPSec VPN 161
Viewing the Basic Setting Defaults for IPSec VPN 161
Configuring the IKE Policies for IPSec VPN 162
Configuring the IPSec VPN Policies 166
Configuring SSL VPN for Browser-Based Remote Access 172
Access Options for SSL VPN 173
Security Tips for SSL VPN 173
Elements of the SSL VPN 174
Scenario Step 1: Customizing the Portal Layout 175
Scenario Step 2: Adding the SSL VPN Users 177
Creating the SSL VPN Policies 179
Specifying the Network Resources for SSL VPN 181
Configuring SSL VPN Port Forwarding 182
SSL VPN Tunnel Client Configuration 184
Viewing the SSL VPN Client Portal 187
VeriSign™ Identity Protection configuration 188
Configuring VeriSign Identity Protection 188
Cisco SA 500 Series Security Appliances Administration Guide 8
Contents
Managing User Credentials for VeriSign Service 189
Chapter 9: Administration 191
Users 191
Domains 192
Groups 193
Adding or Editing User Settings 194
Adding or Editing User Login Policies 195
Maintenance 197
Managing Licenses 197
Upgrading Firmware and Working with Configuration Files 199
Maintaining the USB Device 202
Using the Secondary Firmware 203
Diagnostics 204
Measuring and Limiting Traffic with the Traffic Meter 205
Configuring the Time Settings 207
Configuring the Logging Options 208
Local Logging Config 208
IPv6 Logging 209
Remote Logging 210
Logs Facility 211
Managing Certificates for Authentication 212
Configuring RADIUS Server Records 213
Chapter 10: Network Management 215
RMON (Remote Management) 215
CDP 216
SNMP 217
Configuring SNMP 217
Configuring SNMP System Info 218
UPnP 219
Cisco SA 500 Series Security Appliances Administration Guide 9
Contents
Appendix A: Trouble Shooting 220
Internet Connection 220
Date and Time 223
Pinging to Test LAN Connectivity 224
Restoring Factory-Default Configuration Settings 226
Appendix B: Standard Services 227
Appendix C: Technical Specifications and Environmental Requirements 230
Appendix D: Factory Default Settings 233
General Settings 233
Router Settings 235
Wireless Settings 238
Storage 240
Security Settings 242
Appendix E: Where to Go From Here 244
1
Cisco SA 500 Series Security Appliances Administration Guide 10
Getting Started
This chapter describes the SA 500 and provides scenarios to help you to begin
configuring your security appliance to meet the needs of your business.
Feature Overview, page 10
Installation Options, page 13
Hardware Installation, page 16
Getting Started with the Configuration Utility, page 18
About the Default Settings, page 24
Basic Tasks, page 25
Common Configuration Scenarios, page 27
Feature Overview
The features of the SA 520, SA 520W, and the SA 540 are compared in the
following table.
Table 1 Comparison of SA 500 Series Security Appliance Models
Feature SA 520 SA 520W SA 540
Firewall
Performance
200 Mbps 200 Mbps 300 Mbps
UTM 200 Mbps 200 Mbps 300 Mbps
VPN
Performance
65 Mbps 65 Mbps 85 Mbps
Connections 15,000 15,000 40,000
Getting Started
Feature Overview
Cisco SA 500 Series Security Appliances Administration Guide 11
1
Device Overview
Before you begin to use the security appliance, become familiar with the LEDs on
the front panel and the ports on the rear panel. Refer to the following illustrations
and descriptions.
Front Panel
RESET ButtonTo reboot the security appliance, push and release the Reset
button. To restore the factory default settings, press and hold the Reset button for
5 seconds.
DIAG LED—(Orange) When lit, indicates the appliance is performing the power-on
diagnostics. When off, indicates the appliance has booted properly.
POWER LED—(Green) When lit, indicates the appliance is powered on.
DMZ LED—(Green) When lit, indicates the Optional port is configured as a
Demilitarized Zone or Demarcation Zone, which allows public services such as
web servers, without exposing your LAN.
SPEED LED—(Green or Orange) Indicates the traffic rate for the associated port.
Off = 10 Mbps, Green = 100 Mbps, Orange = 1000 Mbps.
LAN Ports 448
Wireless
(802.11n)
No Yes No
IPsec (# seats) Yes (50) Yes (50) Yes (100)
SSL (# seats) Includes 2 seats.
With license, up
to 25 seats.
Includes 2 seats.
With license, up
to 25 seats.
Included (50)
Feature SA 520 SA 520W SA 540
Getting Started
Feature Overview
Cisco SA 500 Series Security Appliances Administration Guide 12
1
LINK/ACT LED—(Green) When lit, indicates that a connection is being made
through the port. When flashing, the port is active.
WLAN LED—(Green) When lit, indicates that wireless is enabled (SA 520W).
Rear Panel
POWER SwitchTurns the security appliance on or off.
POWER Connector—Connects the security appliance to power using the
supplied power cable.
LAN Ports—Connect computers and other network appliances to the security
appliance. The SA 520 and SA 520W have 4 LAN ports. The SA 540 has 8.
OPTIONAL PortCan be configured to operate as a WAN, LAN, or DMZ port. A
DMZ (Demilitarized Zone or Demarcation Zone) can be configured to allow public
access to services such as web servers without exposing your LAN.
WAN Port—Connects the security appliance to DSL, a cable modem, or another
WAN connectivity device.
USB Port—Connects the security appliance to a USB device. You can use a USB
device to store configuration files for backup and restore operations.
NOTE The back panel of the SA 520W includes three threaded connectors for the
antennas.
Getting Started
Installation
Cisco SA 500 Series Security Appliances Administration Guide 13
1
Installation
This section guides you through the installation of your security appliance. Refer to
the following topics:
Installation Options, page 13
Hardware Installation, page 16
Installation Options
You can place your security appliance on a desktop, mount it on a wall, or mount it
in a rack.
Placement Tips
Ambient TemperatureTo prevent the security appliance from
overheating, do not operate it in an area that exceeds an ambient
temperature of 104°F (40°C).
Air Flow—Be sure that there is adequate air flow around the device.
Mechanical Loading—Be sure that the security appliance is level and
stable to avoid any hazardous conditions.
To place the security appliance on a desktop, install the four rubber feet (included)
on the bottom of the security appliance. Place the device on a flat surface.
Getting Started
Installation
Cisco SA 500 Series Security Appliances Administration Guide 14
1
Wall Mounting
STEP 1 Insert two 17 mm screws, with anchors, into the wall 15 cm apart (about 5.9
inches). Leave 3-4 mm (about 1/8 inch) of the head exposed.
Getting Started
Installation
Cisco SA 500 Series Security Appliances Administration Guide 15
1
STEP 2 Position the unit so that the wall-mount slots are over the two screws. Slide the unit
down until the screws fit snugly into the wall-mount slots.
Rack Mounting
You can mount the security appliance in any standard size, 19-inch (about 48 cm)
wide rack. Each security appliance requires 1 rack unit (RU) of space, which is 1.75
inches (44.45 mm) high.
!
CAUTION Do not overload the power outlet or circuit when installing multiple devices in a
rack.
Getting Started
Installation
Cisco SA 500 Series Security Appliances Administration Guide 16
1
STEP 1 Remove the four screws from each side of the security appliance.
STEP 2 Place one of the supplied spacers on the side of the security appliance so that the
four holes align to the screw holes. Place a rack mount bracket next to the spacer
and reinstall the screws.
NOTE If the screws are not long enough to reattach the bracket with the spacer,
attach the bracket directly to the case without the spacer.
STEP 3 Install the security appliance into a standard rack as shown.
Hardware Installation
Follow these steps to connect the equipment:
STEP 1 Connect the security appliance to power.
STEP 2 If you are installing the SA 520W, screw each antenna onto a threaded connector
on the back panel. Orient each antenna to point upward.
STEP 3 For DSL, a cable modem, or other WAN connectivity devices, connect an Ethernet
network cable from the device to the WAN port on the back panel. Cisco strongly
recommends using Cat5E or better cable.
Getting Started
Installation
Cisco SA 500 Series Security Appliances Administration Guide 17
1
STEP 4 For network devices, connect an Ethernet network cable from the network device
to one of the dedicated LAN ports on the back panel.
STEP 5 For a UC 500, connect an Ethernet network cable from the WAN port of the UC 500
to an available LAN port of the security appliance.
NOTE For details about configuring the UC 500 and the security appliance to work
together, see the SA 500 Series Security Appliances Administration Guide
on Cisco.com. See the documentation links in the “Where to Go From
Here” section of this guide.
STEP 6 Power on the security appliance.
STEP 7 Power on the connected devices. Each LED lights to show an active connection.
A sample configuration is illustrated below.
Congratulations! The installation of the security appliance is complete.
Getting Started
Getting Started with the Configuration Utility
Cisco SA 500 Series Security Appliances Administration Guide 18
1
Getting Started with the Configuration Utility
The Configuration Utility web page is a web based device manager that is used to
provision the SA 500 Series Security Appliances. To use this utility, you must be
able to connect to the SA 500 Series Security Appliances from your administration
PC or laptop. You can access the router by using any web browser (such as
Microsoft Internet Explorer or Mozilla Firefox).
Connecting to the Configuration Utility
STEP 1 Connect your computer to an available LAN port on the back panel of the security
appliance.
STEP 2 Start a web browser, and enter the following address: 192.168.75.1
NOTE The above address is the factory default LAN address of the security
appliance. If you change this setting in the LAN configuration, you will need
to enter the new IP address to connect to the Configuration Utility.
STEP 3 When the Security Alert appears, accept or install the certificate:
Internet Explorer: Click Ye s to proceed, or click View Certificate for details.
On the Certificate page, click Install the Certificate. Follow the instructions
in the Wizard to complete the installation.
Firefox: Click the link to add an exception. Click the Add Exception button.
Click Get Certificate, and then click Confirm Security Exception.
Safari: Click Continue to proceed, or click Show Certificate. On the
Certificate page, click Install the Certificate. Follow the instructions in the
Wizard to complete the installation.
Getting Started
Getting Started with the Configuration Utility
Cisco SA 500 Series Security Appliances Administration Guide 19
1
STEP 4 Enter the default user name and password:
Username: cisco
Password: cisco
STEP 5 Click Log In. The Getting Started (Basic) page appears. For more information, see
Using the Getting Started Pages, page 20.
You can use the Cisco Configuration Assistant to launch the Configuration Utility if
you are using the security appliance with a CCA-supported device, such as the
UC 500. For more information about CCA, see: www.cisco.com/go/configassist.
Getting Started
Getting Started with the Configuration Utility
Cisco SA 500 Series Security Appliances Administration Guide 20
1
Using the Getting Started Pages
The Getting Started pages provide help with common configuration tasks.
Find a task that you need to perform, and then click a link to get started.
Proceed in order through the listed links.
To return to the Getting Started (Basic) page at any time, click the Getting
Started button in the menu bar.
For help with advanced configuration tasks, such as firewall/NAT
configuration, optional WAN configuration, DMZ configuration, and VPN
setup, click the Getting Started > Advanced link in the navigation pane,
and click the links to perform the tasks that you want to complete.
If you want to prevent the Getting Started (Basic) page from appearing
automatically after you log in, check the Don’t show this on start-up box at
Figure 1 Getting Started (Basic) Page
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63
  • Page 64 64
  • Page 65 65
  • Page 66 66
  • Page 67 67
  • Page 68 68
  • Page 69 69
  • Page 70 70
  • Page 71 71
  • Page 72 72
  • Page 73 73
  • Page 74 74
  • Page 75 75
  • Page 76 76
  • Page 77 77
  • Page 78 78
  • Page 79 79
  • Page 80 80
  • Page 81 81
  • Page 82 82
  • Page 83 83
  • Page 84 84
  • Page 85 85
  • Page 86 86
  • Page 87 87
  • Page 88 88
  • Page 89 89
  • Page 90 90
  • Page 91 91
  • Page 92 92
  • Page 93 93
  • Page 94 94
  • Page 95 95
  • Page 96 96
  • Page 97 97
  • Page 98 98
  • Page 99 99
  • Page 100 100
  • Page 101 101
  • Page 102 102
  • Page 103 103
  • Page 104 104
  • Page 105 105
  • Page 106 106
  • Page 107 107
  • Page 108 108
  • Page 109 109
  • Page 110 110
  • Page 111 111
  • Page 112 112
  • Page 113 113
  • Page 114 114
  • Page 115 115
  • Page 116 116
  • Page 117 117
  • Page 118 118
  • Page 119 119
  • Page 120 120
  • Page 121 121
  • Page 122 122
  • Page 123 123
  • Page 124 124
  • Page 125 125
  • Page 126 126
  • Page 127 127
  • Page 128 128
  • Page 129 129
  • Page 130 130
  • Page 131 131
  • Page 132 132
  • Page 133 133
  • Page 134 134
  • Page 135 135
  • Page 136 136
  • Page 137 137
  • Page 138 138
  • Page 139 139
  • Page 140 140
  • Page 141 141
  • Page 142 142
  • Page 143 143
  • Page 144 144
  • Page 145 145
  • Page 146 146
  • Page 147 147
  • Page 148 148
  • Page 149 149
  • Page 150 150
  • Page 151 151
  • Page 152 152
  • Page 153 153
  • Page 154 154
  • Page 155 155
  • Page 156 156
  • Page 157 157
  • Page 158 158
  • Page 159 159
  • Page 160 160
  • Page 161 161
  • Page 162 162
  • Page 163 163
  • Page 164 164
  • Page 165 165
  • Page 166 166
  • Page 167 167
  • Page 168 168
  • Page 169 169
  • Page 170 170
  • Page 171 171
  • Page 172 172
  • Page 173 173
  • Page 174 174
  • Page 175 175
  • Page 176 176
  • Page 177 177
  • Page 178 178
  • Page 179 179
  • Page 180 180
  • Page 181 181
  • Page 182 182
  • Page 183 183
  • Page 184 184
  • Page 185 185
  • Page 186 186
  • Page 187 187
  • Page 188 188
  • Page 189 189
  • Page 190 190
  • Page 191 191
  • Page 192 192
  • Page 193 193
  • Page 194 194
  • Page 195 195
  • Page 196 196
  • Page 197 197
  • Page 198 198
  • Page 199 199
  • Page 200 200
  • Page 201 201
  • Page 202 202
  • Page 203 203
  • Page 204 204
  • Page 205 205
  • Page 206 206
  • Page 207 207
  • Page 208 208
  • Page 209 209
  • Page 210 210
  • Page 211 211
  • Page 212 212
  • Page 213 213
  • Page 214 214
  • Page 215 215
  • Page 216 216
  • Page 217 217
  • Page 218 218
  • Page 219 219
  • Page 220 220
  • Page 221 221
  • Page 222 222
  • Page 223 223
  • Page 224 224
  • Page 225 225
  • Page 226 226
  • Page 227 227
  • Page 228 228
  • Page 229 229
  • Page 230 230
  • Page 231 231
  • Page 232 232
  • Page 233 233
  • Page 234 234
  • Page 235 235
  • Page 236 236
  • Page 237 237
  • Page 238 238
  • Page 239 239
  • Page 240 240
  • Page 241 241
  • Page 242 242
  • Page 243 243
  • Page 244 244

Cisco QuickVPN - PC Administration Manual

Category
Routers
Type
Administration Manual

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI