Cisco QuickVPN - PC Administration Manual

Cisco Small Business Pro

SA 500 Series Security Appliances

ADMINISTRATION

GUIDE

CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco Ironport, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower,

Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flip Video, Flip Video

(Design), Flipshare (Design), Flip Ultra, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Store, and

Flip Gift Card are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP,

CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity,

Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS,

iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking

Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to

Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States

and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a

partnership relationship between Cisco and any other company. (0907R)

Cisco SA 500 Series Security Appliances Administration Guide 3

Contents

Chapter 1: Getting Started 10

Feature Overview 10

Device Overview 11

Front Panel 11

Rear Panel 12

Installation 13

Installation Options 13

Hardware Installation 16

Getting Started with the Configuration Utility 18

Connecting to the Configuration Utility 18

Using the Getting Started Pages 20

Navigating Through the Configuration Utility 22

Using the Help System 23

About the Default Settings 24

Basic Tasks 25

Changing the Default User Name and Password 25

Backing Up Your Configuration 26

Upgrading the Firmware 26

Common Configuration Scenarios 27

Basic Network Configuration with Internet Access 28

Cisco Smart Business Communications System Configuration 30

Firewall for Controlling Inbound and Outbound Traffic 31

DMZ for Public Web Sites and Services 32

Configuring ProtectLink Web & Email Security 33

Site-to-Site Networking and Remote Access 33

Wireless Networking 37

Chapter 2: Status 38

Device Status 38

Port Statistics 41

Wireless Statistics for the SA 520W 41

Cisco SA 500 Series Security Appliances Administration Guide 4

Contents

VPN Status 43

IPSec VPN Connection Status 43

SSL VPN Status 44

View Logs Status 46

View All Logs 46

IPSec VPN Logs 47

Policy Enforcement Logs 48

Active Users 48

CDP Neighbor 49

LAN Devices 49

Chapter 3: Networking 50

Configuring the WAN Connection 50

Viewing the WAN Status 54

Creating PPPoE Profiles 55

Configuring the LAN 56

About the Default LAN Settings 56

Configuring the LAN 57

Viewing the LAN Status 59

DHCP Reserved IPs 60

DHCP Leased Clients 61

Configuring the Optional Port as a LAN Port 61

Configuring the Optional WAN 62

Configuring Auto-Rollover, Load Balancing, and Failure Detection 65

Configuring the Protocol Bindings for Load Balancing 68

Configuring a DMZ 70

Configuring the DMZ Settings 73

DMZ Reserved IPs 75

DMZ DHCP Leased Clients 76

VLAN Configuration 77

Default VLAN Settings 77

Enabling or Disabling VLAN Support 78

Cisco SA 500 Series Security Appliances Administration Guide 5

Contents

Creating VLAN IDs 79

Assigning VLANs to LAN Ports 80

Multiple VLAN Subnets 81

Routing 83

Static Routing 84

Dynamic Routing 85

Port Management 86

Configuring the Ports 87

Configuring SPAN (Port Mirroring) 87

Bandwidth Profiles 88

Creating Bandwidth Profiles 88

Traffic Selectors 90

Dynamic DNS 91

Configuring IPv6 Addressing 92

IP Routing Mode 93

Configuring the IPv6 WAN Connection 94

Configuring the IPv6 LAN 95

IPv6 LAN Address Pools 97

IPv6 Multi LAN 98

IPv6 Static Routing 99

Routing (RIPng) 100

6to4 Tunneling 101

IPv6 Tunnels Status 101

ISATAP Tunnels 102

MLD Tunnels 103

Router Advertisement Daemon (RADVD) 104

Configuring Router Advertisement 104

Adding RADVD Prefixes 105

802.1p 107

Enabling 802.1p 107

802.1p Mapping 107

Cisco SA 500 Series Security Appliances Administration Guide 6

Contents

DSCP Remarking 108

Chapter 4: Wireless Configuration for the SA 520W 109

Configuring an Access Point 109

Step 1: Configuring the Wireless Profiles 110

Profile Advanced Configuration 113

Configuring the QoS Settings for a Wireless Profile 113

Controlling Wireless Access Based on MAC Addresses 114

Step 2: Configuring the Access Points 116

Configuring the Radio 118

Basic Radio Configuration 118

Advanced Radio Configuration 119

Chapter 5: Firewall Configuration 121

Configuring Firewall Rules to Control Inbound and Outbound Traffic 121

Preliminary Tasks for Firewall Rules 122

Configuring the Default Outbound Policy 125

Configuring a Firewall Rule for Outbound Traffic 126

Configuring a Firewall Rule for Inbound Traffic 129

Prioritizing Firewall Rules 132

Firewall Rule Configuration Examples 133

Using Other Tools to Prevent Attacks, Restrict Access, and

Control Inbound Traffic 136

Configuring Attack Checks 136

Configuring MAC Filtering to Allow or Block Traffic 138

Port Triggering 139

Configuring a Port Triggering Rule to Direct Traffic to Specified Ports 140

Viewing the Port Triggering Status 141

Configuring Session Settings to Analyze Incoming Packets 141

Using Other Tools to Control Access to the Internet 142

Configuring Content Filtering to Allow or Block Web Components 143

Configuring Approved URLs to Allow Access to Websites 144

Configuring Blocked URLs to Prevent Access to Websites 145

Cisco SA 500 Series Security Appliances Administration Guide 7

Contents

Configuring IP/MAC Binding to Prevent Spoofing 146

SIP 147

Chapter 6: Intrusion Prevention System 148

Configuring IPS 148

Configuring the IPS Policy 150

Configuring the Protocol Inspection Settings 150

Configuring Peer-to-Peer Blocking and Instant Messaging 151

Chapter 7: Using Cisco ProtectLink Security Services 152

Chapter 8: Configuring VPN 153

About VPN 153

Configuring a Site-to-Site VPN Tunnel 154

Configuring an IPSec VPN Tunnel for Remote Access with a VPN Client 157

Configuring the User Database for the IPSec Remote Access VPN 159

Advanced Configuration of IPSec VPN 161

Viewing the Basic Setting Defaults for IPSec VPN 161

Configuring the IKE Policies for IPSec VPN 162

Configuring the IPSec VPN Policies 166

Configuring SSL VPN for Browser-Based Remote Access 172

Access Options for SSL VPN 173

Security Tips for SSL VPN 173

Elements of the SSL VPN 174

Scenario Step 1: Customizing the Portal Layout 175

Scenario Step 2: Adding the SSL VPN Users 177

Creating the SSL VPN Policies 179

Specifying the Network Resources for SSL VPN 181

Configuring SSL VPN Port Forwarding 182

SSL VPN Tunnel Client Configuration 184

Viewing the SSL VPN Client Portal 187

VeriSign™ Identity Protection configuration 188

Configuring VeriSign Identity Protection 188

Cisco SA 500 Series Security Appliances Administration Guide 8

Contents

Managing User Credentials for VeriSign Service 189

Chapter 9: Administration 191

Users 191

Domains 192

Groups 193

Adding or Editing User Settings 194

Adding or Editing User Login Policies 195

Maintenance 197

Managing Licenses 197

Upgrading Firmware and Working with Configuration Files 199

Maintaining the USB Device 202

Using the Secondary Firmware 203

Diagnostics 204

Measuring and Limiting Traffic with the Traffic Meter 205

Configuring the Time Settings 207

Configuring the Logging Options 208

Local Logging Config 208

IPv6 Logging 209

Remote Logging 210

Logs Facility 211

Managing Certificates for Authentication 212

Configuring RADIUS Server Records 213

Chapter 10: Network Management 215

RMON (Remote Management) 215

CDP 216

SNMP 217

Configuring SNMP 217

Configuring SNMP System Info 218

UPnP 219

Cisco SA 500 Series Security Appliances Administration Guide 9

Contents

Appendix A: Trouble Shooting 220

Internet Connection 220

Date and Time 223

Pinging to Test LAN Connectivity 224

Restoring Factory-Default Configuration Settings 226

Appendix B: Standard Services 227

Appendix C: Technical Specifications and Environmental Requirements 230

Appendix D: Factory Default Settings 233

General Settings 233

Router Settings 235

Wireless Settings 238

Storage 240

Security Settings 242

Appendix E: Where to Go From Here 244

1

Cisco SA 500 Series Security Appliances Administration Guide 10

Getting Started

This chapter describes the SA 500 and provides scenarios to help you to begin

configuring your security appliance to meet the needs of your business.

• Feature Overview, page 10

• Installation Options, page 13

• Hardware Installation, page 16

• Getting Started with the Configuration Utility, page 18

• About the Default Settings, page 24

• Basic Tasks, page 25

• Common Configuration Scenarios, page 27

Feature Overview

The features of the SA 520, SA 520W, and the SA 540 are compared in the

following table.

Table 1 Comparison of SA 500 Series Security Appliance Models

Feature SA 520 SA 520W SA 540

Firewall

Performance

200 Mbps 200 Mbps 300 Mbps

UTM 200 Mbps 200 Mbps 300 Mbps

VPN

Performance

65 Mbps 65 Mbps 85 Mbps

Connections 15,000 15,000 40,000

Getting Started

Feature Overview

Cisco SA 500 Series Security Appliances Administration Guide 11

1

Device Overview

Before you begin to use the security appliance, become familiar with the LEDs on

the front panel and the ports on the rear panel. Refer to the following illustrations

and descriptions.

Front Panel

RESET Button—To reboot the security appliance, push and release the Reset

button. To restore the factory default settings, press and hold the Reset button for

5 seconds.

DIAG LED—(Orange) When lit, indicates the appliance is performing the power-on

diagnostics. When off, indicates the appliance has booted properly.

POWER LED—(Green) When lit, indicates the appliance is powered on.

DMZ LED—(Green) When lit, indicates the Optional port is configured as a

Demilitarized Zone or Demarcation Zone, which allows public services such as

web servers, without exposing your LAN.

SPEED LED—(Green or Orange) Indicates the traffic rate for the associated port.

Off = 10 Mbps, Green = 100 Mbps, Orange = 1000 Mbps.

LAN Ports 448

Wireless

(802.11n)

No Yes No

IPsec (# seats) Yes (50) Yes (50) Yes (100)

SSL (# seats) Includes 2 seats.

With license, up

to 25 seats.

Includes 2 seats.

With license, up

to 25 seats.

Included (50)

Feature SA 520 SA 520W SA 540

Getting Started

Feature Overview

Cisco SA 500 Series Security Appliances Administration Guide 12

1

LINK/ACT LED—(Green) When lit, indicates that a connection is being made

through the port. When flashing, the port is active.

WLAN LED—(Green) When lit, indicates that wireless is enabled (SA 520W).

Rear Panel

POWER Switch—Turns the security appliance on or off.

POWER Connector—Connects the security appliance to power using the

supplied power cable.

LAN Ports—Connect computers and other network appliances to the security

appliance. The SA 520 and SA 520W have 4 LAN ports. The SA 540 has 8.

OPTIONAL Port—Can be configured to operate as a WAN, LAN, or DMZ port. A

DMZ (Demilitarized Zone or Demarcation Zone) can be configured to allow public

access to services such as web servers without exposing your LAN.

WAN Port—Connects the security appliance to DSL, a cable modem, or another

WAN connectivity device.

USB Port—Connects the security appliance to a USB device. You can use a USB

device to store configuration files for backup and restore operations.

NOTE The back panel of the SA 520W includes three threaded connectors for the

antennas.

Getting Started

Installation

Cisco SA 500 Series Security Appliances Administration Guide 13

1

Installation

This section guides you through the installation of your security appliance. Refer to

the following topics:

• Installation Options, page 13

• Hardware Installation, page 16

Installation Options

You can place your security appliance on a desktop, mount it on a wall, or mount it

in a rack.

Placement Tips

• Ambient Temperature—To prevent the security appliance from

overheating, do not operate it in an area that exceeds an ambient

temperature of 104°F (40°C).

• Air Flow—Be sure that there is adequate air flow around the device.

• Mechanical Loading—Be sure that the security appliance is level and

stable to avoid any hazardous conditions.

To place the security appliance on a desktop, install the four rubber feet (included)

on the bottom of the security appliance. Place the device on a flat surface.

Getting Started

Installation

Cisco SA 500 Series Security Appliances Administration Guide 14

1

Wall Mounting

STEP 1 Insert two 17 mm screws, with anchors, into the wall 15 cm apart (about 5.9

inches). Leave 3-4 mm (about 1/8 inch) of the head exposed.

Getting Started

Installation

Cisco SA 500 Series Security Appliances Administration Guide 15

1

STEP 2 Position the unit so that the wall-mount slots are over the two screws. Slide the unit

down until the screws fit snugly into the wall-mount slots.

Rack Mounting

You can mount the security appliance in any standard size, 19-inch (about 48 cm)

wide rack. Each security appliance requires 1 rack unit (RU) of space, which is 1.75

inches (44.45 mm) high.

!

CAUTION Do not overload the power outlet or circuit when installing multiple devices in a

rack.

Getting Started

Installation

Cisco SA 500 Series Security Appliances Administration Guide 16

1

STEP 1 Remove the four screws from each side of the security appliance.

STEP 2 Place one of the supplied spacers on the side of the security appliance so that the

four holes align to the screw holes. Place a rack mount bracket next to the spacer

and reinstall the screws.

NOTE If the screws are not long enough to reattach the bracket with the spacer,

attach the bracket directly to the case without the spacer.

STEP 3 Install the security appliance into a standard rack as shown.

Hardware Installation

Follow these steps to connect the equipment:

STEP 1 Connect the security appliance to power.

STEP 2 If you are installing the SA 520W, screw each antenna onto a threaded connector

on the back panel. Orient each antenna to point upward.

STEP 3 For DSL, a cable modem, or other WAN connectivity devices, connect an Ethernet

network cable from the device to the WAN port on the back panel. Cisco strongly

recommends using Cat5E or better cable.

Getting Started

Installation

Cisco SA 500 Series Security Appliances Administration Guide 17

1

STEP 4 For network devices, connect an Ethernet network cable from the network device

to one of the dedicated LAN ports on the back panel.

STEP 5 For a UC 500, connect an Ethernet network cable from the WAN port of the UC 500

to an available LAN port of the security appliance.

NOTE For details about configuring the UC 500 and the security appliance to work

together, see the SA 500 Series Security Appliances Administration Guide

on Cisco.com. See the documentation links in the “Where to Go From

Here” section of this guide.

STEP 6 Power on the security appliance.

STEP 7 Power on the connected devices. Each LED lights to show an active connection.

A sample configuration is illustrated below.

Congratulations! The installation of the security appliance is complete.

Getting Started

Getting Started with the Configuration Utility

Cisco SA 500 Series Security Appliances Administration Guide 18

1

Getting Started with the Configuration Utility

The Configuration Utility web page is a web based device manager that is used to

provision the SA 500 Series Security Appliances. To use this utility, you must be

able to connect to the SA 500 Series Security Appliances from your administration

PC or laptop. You can access the router by using any web browser (such as

Microsoft Internet Explorer or Mozilla Firefox).

Connecting to the Configuration Utility

STEP 1 Connect your computer to an available LAN port on the back panel of the security

appliance.

STEP 2 Start a web browser, and enter the following address: 192.168.75.1

NOTE The above address is the factory default LAN address of the security

appliance. If you change this setting in the LAN configuration, you will need

to enter the new IP address to connect to the Configuration Utility.

STEP 3 When the Security Alert appears, accept or install the certificate:

• Internet Explorer: Click Ye s to proceed, or click View Certificate for details.

On the Certificate page, click Install the Certificate. Follow the instructions

in the Wizard to complete the installation.

• Firefox: Click the link to add an exception. Click the Add Exception button.

Click Get Certificate, and then click Confirm Security Exception.

• Safari: Click Continue to proceed, or click Show Certificate. On the

Certificate page, click Install the Certificate. Follow the instructions in the

Wizard to complete the installation.

Getting Started

Getting Started with the Configuration Utility

Cisco SA 500 Series Security Appliances Administration Guide 19

1

STEP 4 Enter the default user name and password:

• Username: cisco

• Password: cisco

STEP 5 Click Log In. The Getting Started (Basic) page appears. For more information, see

Using the Getting Started Pages, page 20.

You can use the Cisco Configuration Assistant to launch the Configuration Utility if

you are using the security appliance with a CCA-supported device, such as the

UC 500. For more information about CCA, see: www.cisco.com/go/configassist.

Getting Started

Getting Started with the Configuration Utility

Cisco SA 500 Series Security Appliances Administration Guide 20

1

Using the Getting Started Pages

The Getting Started pages provide help with common configuration tasks.

• Find a task that you need to perform, and then click a link to get started.

Proceed in order through the listed links.

• To return to the Getting Started (Basic) page at any time, click the Getting

Started button in the menu bar.

• For help with advanced configuration tasks, such as firewall/NAT

configuration, optional WAN configuration, DMZ configuration, and VPN

setup, click the Getting Started > Advanced link in the navigation pane,

and click the links to perform the tasks that you want to complete.

• If you want to prevent the Getting Started (Basic) page from appearing

automatically after you log in, check the Don’t show this on start-up box at

Figure 1 Getting Started (Basic) Page

Page is loading ...

Cisco QuickVPN - PC Administration Manual

This manual is also suitable for

Cisco QuickVPN - PC Administration Manual

Related papers

Other documents