ADMINISTRATION GUIDE
Cisco Small Business ISA500 Series Integrated Security Appliances (ISA550, ISA550W, ISA570, ISA570W)
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) © 2013 Cisco Systems, Inc. All rights reserved.
Federal Communication Commission Interference Statement (For ISA570 and ISA570W) This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
The availability of specific channels and/or operational frequency bands is country dependent and is programmed into the firmware at the factory to match the intended destination. The firmware setting is not accessible by the end user. Industry Canada statement: This device complies with RSS-210 of the Industry Canada Rules.
In accordance with Industry Canada regulations, this radio transmitter may operate with an antenna of a type and maximum (or lesser) gain approved for the transmitter by Industry Canada. To reduce the risk of radio interference to other users, the antenna type and its gain should be chosen so that the equivalent isotropically radiated power (e.i.r.p.) does not exceed the level necessary for successful communication.
Contents
Chapter 1: Getting Started 19
Introduction 20
Product Overview 21
Front Panel 21
Back Panel 23
Getting Started with the Configuration Utility 25
Logging in to the Configuration Utility 26
Navigating Through the Configuration Utility 27
Using the Help System 28
Configuration Utility Icons 28
Factory Default Settings 30
Default Settings of Key Features 30
Restoring the Factory Default Settings 31
Performing Basic Configuration Tasks 32
Changing the Default Administrator P
Configuring DMZ Services 45
Configuring Wireless Radio Settings 47
Configuring Intranet WLAN Access 48
Configure Security Services 49
Viewing Configuration Summary 50
Using the Dual WAN Wizard to Configure WAN Redundancy Settings 51
Starting the Dual WAN Wizard 51
Configuring a Configurable Port as a Secondary WAN Port 51
Configuring the Primary WAN 52
Configuring the Secondary WAN 52
Configuring WAN Redundancy 52
Configuring Network Failure Detection 53
Viewing Configurati
Configuring Transform Policies 69
Configuring Local and Remote Networks 70
Viewing Configuration Summary 70
Using the DMZ Wizard to Configure DMZ Settings 71
Starting the DMZ Wizard 71
Configuring DDNS Profiles 71
Configuring DMZ Network 72
Configuring DMZ Services 74
Viewing Configuration Summary 76
Using the Wireless Wizard (for ISA550W and ISA570W only) 76
Starting the Wireless Wizard 76
Configuring Wireless Radio Settings 76
Configuring Wireless Connectivity Types 77
NAT Status 100
VPN Status 101
IPsec VPN Status 101
SSL VPN Status 103
Active User Sessions 105
Security Services Reports 106
Web Security Report 106
Anti-Virus Report 107
Email Security Report 108
Network Reputation Report 109
IPS Report 110
Application Control Report 111
System Status 112
Processes 112
Resource Utilization 113
Chapter 4: Networking 115
Viewing Network Status 116
Configuring IPv4 or IPv6 Routing 116
Managing Ports 116
Viewing Status of Physica
Configuring DMZ 141
Configuring Zones 146
Security Levels for Zones 146
Predefined Zones 147
Configuring Zones 147
Configuring DHCP Reserved IPs 149
Configuring Routing 149
Viewing the Routing Table 150
Configuring Routing Mode 150
Configuring Static Routing 151
Configuring Dynamic Routing - RIP 152
Configuring Policy-Based Routing 153
Configuring Quality of Service 155
General QoS Settings 155
Configuring WAN QoS 156
Managing WAN Bandwidth for Upstream Traffic 156
Configuring IGMP 172
Configuring VRRP 173
Address Management 175
Configuring Addresses 175
Configuring Address Groups 176
Service Management 177
Configuring Services 177
Configuring Service Groups 178
Configuring Captive Portal 179
Requirements 179
Before You Begin 180
VLAN Setup 180
Wireless Setup 181
User Authentication 181
Configuring a Captive Portal 181
Troubleshooting 185
Using External Web-Hosted CGI Scripts 186
CGI Source Code Example: No Authentication an
Requirements 222
Before You Begin 222
VLAN Setup 222
Wireless Setup 223
User Authentication 223
Configuring a Captive Portal 223
Troubleshooting 227
Using External Web-Hosted CGI Scripts 228
CGI Source Code Example: No Authentication and Accept Button 237
Related Information 246
Configuring Wireless Rogue AP Detection 247
Advanced Radio Settings 248
Chapter 6: Firewall 251
Configuring Firewall Rules to Control Inbound and Outbound Traffic 252
About Security Zones 252
Configuring an Advanced NAT Rule to Support NAT Hairpinning 272
Firewall and NAT Rule Configuration Examples 274
Allowing Inbound Traffic Using the WAN IP Address 274
Allowing Inbound Traffic Using a Public IP Address 276
Allowing Inbound Traffic from Specified Range of Outside Hosts 279
Blocking Outbound Traffic by Schedule and IP Address Range 280
Blocking Outbound Traffic to an Offsite Mail Server 280
Configuring Content Filtering to Control Internet Access 281
Configuring Content
Configuring Advanced Anti-Virus Settings 306
Configuring HTTP Notification 307
Configuring Email Notification 307
Updating Anti-Virus Signatures 308
Configuring Application Control 309
Configuring Application Control Policies 310
General Application Control Policy Settings 310
Adding an Application Control Policy 311
Permitting or Blocking Traffic for all Applications in a Category 312
Permitting or Blocking Traffic for an Application 313
General Application Control Settings 314
Configuration Tasks to Establish a Site-to-Site VPN Tunnel 341
General Site-to-Site VPN Settings 341
Configuring IPsec VPN Policies 343
Configuring IKE Policies 349
Configuring Transform Sets 351
Remote Teleworker Configuration Examples 352
Configuring IPsec Remote Access 355
Cisco VPN Client Compatibility 356
Enabling IPsec Remote Access 357
Configuring IPsec Remote Access Group Policies 357
Allowing IPsec Remote VPN Clients to Access the Internet 360
Configuring Teleworker
Chapter 9: User Management 388
Viewing Active User Sessions 388
Configuring Users and User Groups 389
Default User and User Group 389
Available Services for User Groups 389
Preempt Administrators 390
Configuring Local Users 390
Configuring Local User Groups 391
Configuring User Authentication Settings 393
Using Local Database for User Authentication 394
Using RADIUS Server for User Authentication 394
Using Local Database and RADIUS Server for User Authentication 397
Using L
Generating New Certificate Signing Requests 422
Importing Signed Certificate for CSR from Your Local PC 423
Configuring Cisco Services and Support Settings 424
Configuring Cisco.
Configuring Log Facilities 447
Rebooting and Resetting the Device 448
Restoring the Factory Default Settings 448
Rebooting the Security Appliance 449
Configuring Schedules 449
Appendix A: Troubleshooting 453
Internet Connection 453
Date and Time 456
Pinging to Test LAN Connectivity 457
Testing the LAN Path from Your PC to Your Security Appliance 457
Testing the LAN Path from Your PC to a Remote Device 458
Appendix B: Technical Specifications and Environmental Requirements 45
1 Getting Started
This chapter provides an overview of the Cisco ISA500 Series Integrated Security Appliance and describes the basic configuration tasks that help you configure your security appliance.
Introduction
Thank you for choosing the Cisco ISA500 Series Integrated Security Appliance, a member of the Cisco Small Business family.
Product Overview
Before you use the security appliance, become familiar with the lights on the front panel and the ports on the back panel.
Front Panel Lights
The following table describes the lights on the front panel of the security appliance. These lights are used for monitoring system activity.

Light    Description
POWER/SYS    Indicates the power and system status.
    • Solid green when the system is powered on and is operating normally.
    • Flashes green when the system is booting.
VPN
USB
WLAN (ISA550W and ISA570W only)
Light    Description
SPEED    Indicates the traffic rate of the associated port.
    • Off when the traffic rate is 10 or 100 Mbps.
    • Solid green when the traffic rate is 1000 Mbps.
LINK/ACT    Indicates that a connection is being made through the port.
    • Solid green when the link is up.
    • Flashes green when the port is transmitting and receiving data.

Back Panel
The back panel is where you connect the network devices. The ports on the panel vary depending on the model.
ISA570 and ISA570W Back Panel
[Figure: ISA570 and ISA570W back panel, showing the 12VDC power connector, power switch, RESET button, USB port, WAN port, configurable ports, LAN ports (numbered 10 through 1), and the ANT01/ANT02 antenna connectors]

Back Panel Descriptions
Feature    Description
ANT01/ANT02    Threaded connectors for the antennas (for ISA550W and ISA570W only).
USB Port    Connects the unit to a USB device.
RESET Button    To reboot the unit, push and release the RESET button for less than 3 seconds. To restore the unit to its factory default settings, push and hold the RESET button for more than 3 seconds while the unit is powered on and the POWER/SYS light is solid green. The POWER/SYS light flashes green while the system is rebooting.
Power Switch    Powers the unit on or off.
Getting Started with the Configuration Utility
Logging in to the Configuration Utility
STEP 1 Connect your computer to an available LAN port on the back panel. Your PC becomes a DHCP client of the security appliance and receives an IP address in the 192.168.75.x range.
STEP 2 Start a web browser. In the address bar, enter the default IP address of the security appliance: 192.168.75.1.
NOTE: The above address is the factory default LAN address.
Navigating Through the Configuration Utility
Use the left hand navigation pane to perform the tasks in the Configuration Utility.
[Figure: Configuration Utility window with numbered callouts 1 and 2]

Number    Component    Description
1    Left Hand Navigation Pane    The left hand navigation pane provides easy navigation through the configurable features. The main branches expand to provide the features. Click the main branch title to expand its contents.
Using the Help System
The Configuration Utility provides a context-sensitive help file for all configuration tasks. To view the Help page, click the Help link in the top right corner of the screen. A new window opens with information about the page that you are currently viewing.

Configuration Utility Icons
The Configuration Utility has icons for commonly used configuration options.
Icon    Action
Forced Authorized icon    Disable 802.1X access control and cause the port to transition to the authorized state without any authentication exchange required.
Forced Unauthorized icon    Cause the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate.
Auto icon    Enable 802.
Factory Default Settings
The security appliance is preconfigured with settings that let you start using the device with minimal changes. Depending on the requirements of your Internet Service Provider (ISP) and the needs of your business, you may need to modify some of these settings. You can use the Configuration Utility to customize all settings, as needed.
• Configurable Ports: Any configurable port can be configured as a WAN, DMZ, or LAN port. By default, all configurable ports are set to be LAN ports. Only one configurable port can be configured as a WAN port at a time (see Configuring the WAN, page 122). Up to four configurable ports can be configured as DMZ ports (see Configuring DMZ, page 141).
• Wireless Network (for ISA550W and ISA570W only): The ISA550W and ISA570W are configured with four SSIDs.
green. Release the button and wait for the unit to reboot. The POWER/SYS light flashes green while the system is rebooting.
• Or launch the Configuration Utility and log in. Click Device Management > Reboot/Reset in the left hand navigation pane. In the Reset Device area, click Reset to Factory Defaults.
After a restore to factory defaults, the following settings apply. Because the default credentials are public knowledge, change the administrator password immediately after a reset (see Performing Basic Configuration Tasks).

Parameter    Default Value
Username    cisco
Password    cisco
LAN IP    192.168.
Performing Basic Configuration Tasks
• New password: Enter a new administrator password. Passwords are case sensitive.
NOTE: A password requires a minimum of 8 characters, including at least three of these character classes: uppercase letters, lowercase letters, digits, and special characters. Do not repeat any character more than three times in a row. Do not set the password to the username or to "cisco", and do not use those words capitalized or spelled backwards.
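The policy in the NOTE above is easy to misread (the "three times in a row" rule is about runs of one character, and the "cisco"/username rule also covers capitalized and reversed forms), so here is a checker that implements all of its clauses. This is an added example, not code from the guide or from the appliance; the rule thresholds come from the NOTE, the error strings and the default username of "cisco" are assumptions of the example.

```python
import re

# Policy parameters taken from the guide's NOTE above.
MIN_LENGTH = 8
REQUIRED_CLASSES = 3
MAX_RUN = 3                      # no character more than three times in a row
RESERVED_WORDS = ("cisco",)      # the current username is added at check time

CLASS_PATTERNS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def forbidden_forms(word: str) -> set:
    """Lower-cased word and its reversal; comparing case-insensitively
    also covers the 'capitalized' variants the policy forbids."""
    w = word.lower()
    return {w, w[::-1]}


def check_password(password: str, username: str = "cisco") -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = [name for name, rx in CLASS_PATTERNS.items() if rx.search(password)]
    if len(classes) < REQUIRED_CLASSES:
        problems.append("only %d of the 4 character classes used, need %d"
                        % (len(classes), REQUIRED_CLASSES))
    # (.)\1{3,} matches a character followed by three or more copies, i.e. a run of 4+.
    if re.search(r"(.)\1{%d,}" % MAX_RUN, password):
        problems.append("a character is repeated more than %d times in a row" % MAX_RUN)
    banned = set()
    for word in RESERVED_WORDS + (username,):
        banned |= forbidden_forms(word)
    if password.lower() in banned:
        problems.append("is the username or 'cisco' (any capitalization, forwards or backwards)")
    return problems


def is_acceptable(password: str, username: str = "cisco") -> bool:
    return not check_password(password, username)


if __name__ == "__main__":
    for candidate in ("cisco", "OCSIC", "Passssword1!", "Tr0ub4dor&3"):
        print(candidate, check_password(candidate))
```

Note that the policy only rejects the exact reserved words; a password such as "Cisco123!" passes every clause, so treat the NOTE as a floor, not as a guarantee of strength.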
NOTE: You can click Install Later to upgrade the firmware later. An Upgrade Available link is then displayed at the top right corner of the screen and the Setup Wizard launches. We strongly recommend that you upgrade the firmware immediately.
STEP 4 Validate your Cisco.com account credentials through the Internet. If your Cisco.com account credentials are valid, the security appliance starts downloading and installing the firmware.
2 Configuration Wizards
This chapter describes how to use the configuration wizards to configure the security appliance.
Using the Setup Wizard for the Initial Configuration
Use the Setup Wizard to quickly configure the primary features of your security appliance, such as Cisco.com account credentials, security license, remote administration, ports, WAN, LAN, DMZ, WAN redundancy, WLAN (for ISA550W and ISA570W only), and security services. Refer to the following steps:
• Starting the Setup Wizard, page 37
• Configuring Cisco.
• A valid Cisco.com account for validating the security license and upgrading your firmware to the latest version from Cisco.com. To register a Cisco.com account, go to https://tools.cisco.com/RPF/register/register.do.
• The Product Authorization Key (PAK), or license code, for validating the security license and activating security services.
NOTE: You can configure your Cisco.com account credentials on the Device Management > Cisco Services & Support > Cisco.com Account page after the Setup Wizard is complete. See Configuring Cisco.com Account, page 424.
STEP 5 If your Cisco.com account credentials are invalid, click OK to return to the Cisco.com Credentials page. Correct your Cisco.com account credentials and then click Next to verify them again.
Validating Security License
STEP 10 Use the License Installation page to validate the security license, which is used to activate security services on the device.
STEP 11 If the security license is already installed on the security appliance, click Next to proceed to the next step.
Configuring Remote Administration
STEP 16 Use the Remote Administration page to configure the remote management settings. The security appliance allows remote management by using HTTPS or HTTP, for example https://xxx.xxx.xxx.xxx:8080.
• Remote Administration: Click On to enable remote management by using HTTPS, or click Off to disable it. Enable it only if you need to manage the appliance from the WAN side, and use HTTPS for remote management: plain HTTP exposes the administrator login and the management session to anyone on the path.
Configuring Physical Ports
STEP 18 Use the Port Configuration page to specify the port configuration. If you are using the ISA570 or ISA570W, choose one of the following options:
• 1 WAN, 9 LAN switch: One WAN port (WAN1) and nine LAN ports are configured.
• 1 WAN, 1 DMZ, 8 LAN switch: One WAN port (WAN1), one DMZ port, and eight LAN ports are configured. The configurable port GE10 is set as a DMZ port.
Configuring the Primary WAN
STEP 20 Use the Primary WAN Connection page to configure the primary WAN connection by using the account information provided by your ISP.
• WAN Name: The name of the primary WAN port.
• IP Address Assignment: Depending on the requirements of your ISP, choose the network addressing mode and configure the corresponding fields for the primary WAN port.
- Weighted By Percentage: If you choose this option, specify the percentage of bandwidth for each WAN, such as 80% for WAN1 and 20% for WAN2.
- Weighted by Link Bandwidth: If you choose this option, specify the amount of bandwidth for each WAN, such as 80 Mbps for WAN1 and 20 Mbps for WAN2.
NOTE: The Weighted by Link Bandwidth option has the same effect as the Weighted by Percentage option; the link bandwidths are used only as relative weights.
- DHCP Server: Allows the security appliance to act as a DHCP server and assign IP addresses to all devices that are connected to the LAN. Any new DHCP client joining the LAN is assigned an IP address from the DHCP pool.
- DHCP Relay: Allows the security appliance to relay DHCP requests to a remote DHCP server. If you choose DHCP Relay, enter the IP address of the remote DHCP server in the Relay IP field.
• DHCP Mode: Choose one of the following DHCP modes:
- Disable: Choose this option if the computers on the DMZ are configured with static IP addresses or are configured to use another DHCP server.
- DHCP Server: Allows the security appliance to act as a DHCP server and assign IP addresses to all devices that are connected to the DMZ. Any new DHCP client joining the DMZ is assigned an IP address from the DHCP pool.
STEP 34 In the DMZ Service - Add/Edit window, enter the following information:
• Original Service: Choose a service as the incoming service.
• Translated Service: Choose a service as the translated service, or choose Original if the translated service is the same as the incoming service. If the service that you want is not in the list, choose Create a new service to create a new service object.
For example, you host an RDP server (192.168.12.101) on the DMZ. Your ISP has provided a static IP address (172.39.202.102) that you want to expose to the public as your RDP server address. You can create a DMZ service as follows to allow Internet users to access the RDP server by using the specified public IP address. Because such a service accepts connections from any Internet host by default, combine it with a firewall rule that limits the allowed source addresses wherever the client population is known (see Allowing Inbound Traffic from Specified Range of Outside Hosts).
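To make the matching and translation a DMZ service performs concrete, the following added example models the rule from the RDP scenario above (and the WAN IP and Translated Service fields described in the DMZ Wizard) as destination NAT over a few constructed packets. It is illustration code written for this guide, not the appliance's implementation; the `DmzService` and `Service` classes, the `allowed_sources` restriction, and the second rule (public tcp/8443 forwarded to internal tcp/443 from one outside network only) are assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Service:
    """A service object as the wizard uses it: protocol plus destination port."""
    proto: str   # "tcp" or "udp"
    port: int


@dataclass
class DmzService:
    """Hypothetical model of one DMZ service rule (not the appliance's own code)."""
    wan_ip: str                            # public address the rule answers on
    original: Service                      # incoming service, e.g. RDP = tcp/3389
    internal_ip: str                       # DMZ host that receives the traffic
    translated: Optional[Service] = None   # None means "Original": keep the incoming port
    allowed_sources: Tuple[str, ...] = ("0.0.0.0/0",)  # assumption: optional source restriction
    enabled: bool = True

    def match(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> Optional[Tuple[str, int]]:
        """Return (internal_ip, internal_port) if this rule applies to the packet, else None."""
        if not self.enabled:
            return None
        if (dst_ip, proto, dport) != (self.wan_ip, self.original.proto, self.original.port):
            return None
        src = ip_address(src_ip)
        if not any(src in ip_network(net) for net in self.allowed_sources):
            return None
        target = self.translated or self.original
        return (self.internal_ip, target.port)


def translate_inbound(rules, src_ip, dst_ip, proto, dport):
    """Apply the first matching DMZ service rule (destination NAT). None means no rule
    matched and the packet is left to the default WAN-to-DMZ firewall policy."""
    for rule in rules:
        hit = rule.match(src_ip, dst_ip, proto, dport)
        if hit is not None:
            return hit
    return None


# The guide's scenario: RDP server 192.168.12.101 on the DMZ, public address 172.39.202.102.
RDP = Service("tcp", 3389)
RULES = [
    DmzService(wan_ip="172.39.202.102", original=RDP, internal_ip="192.168.12.101"),
    # Constructed second rule: translated service differs from the original
    # (public tcp/8443 -> internal tcp/443) and only one outside network is accepted.
    DmzService(wan_ip="172.39.202.102", original=Service("tcp", 8443),
               translated=Service("tcp", 443), internal_ip="192.168.12.102",
               allowed_sources=("203.0.113.0/24",)),
]

if __name__ == "__main__":
    # Constructed packets: (source, destination, protocol, destination port)
    for pkt in (("198.51.100.7", "172.39.202.102", "tcp", 3389),
                ("198.51.100.7", "172.39.202.102", "udp", 3389),
                ("203.0.113.9", "172.39.202.102", "tcp", 8443)):
        print(pkt, "->", translate_inbound(RULES, *pkt))
```

The second rule shows why the Translated Service field matters: the port an outside client connects to and the port the DMZ host listens on need not be the same, and the rule only rewrites the destination, so the DMZ host still sees the real client address.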
- 802.11b/g/n mixed: Choose this mode to allow 802.11b, 802.11g, and 802.11n clients operating in the 2.4 GHz band to connect to the access point.
- 802.11n only: Choose this mode if all devices in the wireless network support 802.11n. Only 802.11n clients operating in the 2.4 GHz band can connect to the access point.
Configure Security Services
STEP 41 Use the Security Services page to enable security services and to specify how to handle the affected traffic when the reputation-based security services are unavailable.
NOTE:
• Enabling a security service applies its default settings on the security appliance, which provide a moderate level of protection.
appliance. The SMTP server or the clients that use this SMTP server can be configured to act on the spam and suspected-spam tags that the security appliance applies to the emails.
• Web Reputation Filtering: Web Reputation Filtering prevents client devices from accessing dangerous websites containing viruses, spyware, malware, or phishing links.
Using the Dual WAN Wizard to Configure WAN Redundancy Settings
If you have two ISP links, configure a backup WAN so that you can provide backup connectivity or load balancing. Use the Dual WAN Wizard to configure the WAN redundancy settings.
Configuring the Primary WAN
STEP 5 Use the Primary WAN Connection page to configure the primary WAN connection by using the account information provided by your ISP.
STEP 6 Enter the following information:
• WAN Name: The name of the primary WAN port.
• IP Address Assignment: Depending on the requirements of your ISP, choose the network addressing mode and configure the corresponding fields for the primary WAN port.
- Weighted by Link Bandwidth: If you choose this option, specify the amount of bandwidth for each WAN, such as 80 Mbps for WAN1 and 20 Mbps for WAN2, which means that 80% of the traffic is distributed to WAN1 and 20% to WAN2.
NOTE: The Weighted by Link Bandwidth option has the same effect as the Weighted by Percentage option.
STEP 12 After you are finished, click Next.
Viewing Configuration Summary
STEP 13 Use the Summary page to view information about the configuration.
STEP 14 To modify any settings, click Back. If the configuration is correct, click Finish to apply your settings.
• Configuring WAN Settings, page 56
• Configuring Operation Mode, page 56
• Configuring Access Control Settings, page 57
• Configuring DNS and WINS Settings, page 57
• Configuring Backup Servers, page 58
• Configuring Split Tunneling, page 58
• Viewing Group Policy Summary, page 58
• Configuring IPsec Remote Access User Groups, page 59
• Viewing IPsec Remote Access Summary, page 59
Starting the Remote Access VPN Wizard
STEP 1 Cl
NOTE: You must have valid CA certificates imported on your security appliance before you use digital certificates to authenticate. Go to the Device Management > Certificate Management page to import the CA certificates. See Managing Certificates for Authentication, page 418.
STEP 5 After you are finished, click Next.
Configuring WAN Settings
STEP 6 Use the WAN page to choose the WAN port that the VPN tunnel traffic passes through.
the IPsec VPN server can assign IP addresses to the outside interfaces of remote VPN clients. To define the pool range for remote VPN clients, enter the starting and ending IP addresses in the Start IP and End IP fields.
• NEM: Choose this mode for a group policy that is used only by Cisco devices that support the Cisco VPN hardware client in Network Extension Mode (NEM).
STEP 9
Configuring Backup Servers
STEP 14 Use the Backup Server page to optionally specify up to three IPsec VPN servers as backups. When the connection to the primary server fails, remote VPN clients can attempt to connect to the backup servers.
Backup Server 1/2/3: Enter the IP address or domain name for the backup server. Backup server 1 has the highest priority and backup server 3 the lowest.
Configuring IPsec Remote Access User Groups
STEP 20 Use the IPsec Remote Access - User Group page to configure the users and user groups for IPsec remote access. The IPsec Remote Access service must be enabled for each user group. All members of the user groups can use the specified group policy to establish VPN connections.
STEP 21 Click Add to add a user group. Other options: To edit an entry, click the Edit (pencil) icon.
After the settings are saved, the security appliance is set as an IPsec VPN server. Remote users that belong to the specified user groups can use the specified group policy to establish VPN connections. If you check Client Internet Access, the corresponding advanced NAT rules are created automatically to allow remote VPN clients to access the Internet over the VPN tunnels.
permit the port to ensure delivery of packets destined for the SSL VPN gateway. The SSL VPN clients must enter the entire address pair "Gateway IP address:Gateway port number" to connect.
• Certificate File: Choose the default certificate or an imported certificate. This is the certificate the gateway presents to users who access your network resources through the SSL VPN tunnels, so it is what lets them verify they are talking to your appliance. The default certificate is generated by the appliance itself and cannot be validated against a trusted CA; for production use, import a certificate issued by a CA that your clients trust (see Generating New Certificate Signing Requests and Importing Signed Certificate for CSR from Your Local PC).
• Client Domain: Enter the domain name that should be pushed to the SSL VPN clients.
• Login Banner: After the SSL VPN user logs in, a configurable login banner is displayed. Enter the message text to display along with the banner.
STEP 6 In the Gateway (Advanced) area, enter the following information:
• Idle Timeout: Enter the number of seconds that the SSL VPN session can remain idle before it is closed. The default value is 2100 seconds.
NOTE: Up to 32 SSL VPN group policies can be configured on the security appliance.
STEP 9 Click Add to add a new SSL VPN group policy. Other options: To edit an entry, click the Edit (pencil) icon. To delete an entry, click the Delete (x) icon. To delete multiple entries, check them and click Delete.
STEP 10 In the Basic Settings tab, enter the following information:
• Policy Name: Enter the name for the SSL VPN group policy.
STEP 12 In the Split Tunneling Settings area, enter the following information:
Split tunneling permits specific traffic to be carried outside the SSL VPN tunnel. Traffic is either included (sent through the tunnel) or excluded (sent directly through the client's ISP or WAN connection). The two lists are mutually exclusive: an IP address cannot be both included and excluded at the same time. Keep in mind that excluded traffic never reaches the appliance, so none of its security services inspect it.
for tunneling DNS requests to destinations in the private network, enter the IP address or domain name in the field and click Add. To delete a domain, select it from the list and click Delete.
STEP 13 In the Zone-based Firewall Settings area, you can control access from the SSL VPN clients to the zones over the SSL VPN tunnels. Click Permit to permit access, or click Deny to deny access.
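The split tunneling and split DNS settings in STEP 12 are easiest to reason about as a small policy object: which destinations go into the tunnel, which go out the client's own connection, which DNS names are resolved through the tunnel, and what "mutually exclusive" means in practice. The following is an added example written for this guide, not the appliance's code; the `SplitTunnelPolicy` class, its include/exclude semantics (an exclude list alone tunnels everything else, an include list alone tunnels only what is listed) and the sample networks are assumptions of the example.

```python
from ipaddress import ip_address, ip_network


class SplitTunnelPolicy:
    """Hypothetical model of an SSL VPN group policy's split tunneling settings.

    include:   networks whose traffic is sent through the tunnel
    exclude:   networks whose traffic bypasses the tunnel (client's ISP/WAN)
    split_dns: domain suffixes whose DNS queries are sent through the tunnel
    """

    def __init__(self, include=(), exclude=(), split_dns=()):
        self.include = [ip_network(n) for n in include]
        self.exclude = [ip_network(n) for n in exclude]
        self.split_dns = tuple(d.lower().strip(".") for d in split_dns)
        self._check_mutually_exclusive()

    def _check_mutually_exclusive(self):
        # The guide: an IP address cannot be both included and excluded at the same time.
        for inc in self.include:
            for exc in self.exclude:
                if inc.overlaps(exc):
                    raise ValueError(
                        "%s and %s overlap: an address cannot be both included and excluded"
                        % (inc, exc))

    def route(self, ip: str) -> str:
        """Return 'tunnel' or 'isp' for a destination address."""
        addr = ip_address(ip)
        if any(addr in net for net in self.exclude):
            return "isp"
        if self.include:
            return "tunnel" if any(addr in net for net in self.include) else "isp"
        return "tunnel"   # nothing explicitly included: everything not excluded is tunnelled

    def dns_via_tunnel(self, name: str) -> bool:
        """True if a query for this name is sent to the private network's DNS servers."""
        host = name.lower().strip(".")
        return any(host == d or host.endswith("." + d) for d in self.split_dns)


if __name__ == "__main__":
    # Constructed policy: only the corporate range and its DNS zone go through the tunnel.
    corp = SplitTunnelPolicy(include=["10.10.0.0/16"], split_dns=["corp.example"])
    for dst in ("10.10.5.5", "8.8.8.8"):
        print(dst, "->", corp.route(dst))
    for name in ("fileserver.corp.example", "notcorp.example"):
        print(name, "->", corp.dns_via_tunnel(name))
```

The suffix match in `dns_via_tunnel` deliberately requires a dot boundary, so `notcorp.example` is not treated as part of `corp.example`; a naive `endswith` check would leak those lookups into the tunnel.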
• To create a new member, enter the username in the User Name field and the password in the Password field, enter the same password in the Password Confirm field for confirmation, and then click Create.
STEP 20 Click OK to save your settings.
STEP 21 After you are finished, click Next.
Using the Site-to-Site VPN Wizard to Configure Site-to-Site VPN
Starting the Site-to-Site VPN Wizard
STEP 1 Click Configuration Wizards > Site-to-Site VPN Wizard.
STEP 2 Click Next.
Configuring VPN Peer Settings
STEP 3 Use the VPN Peer Settings page to configure an IPsec VPN policy for establishing the VPN connection with a remote router.
• Profile Name: Enter the name for the IPsec VPN policy.
STEP 4 After you are finished, click Next.
Configuring IKE Policies
STEP 5 Use the IKE Policies page to configure the IKE policies and to specify an IKE policy for the IPsec VPN policy. You can choose the default or a custom IKE policy.
STEP 6 Click Add to add an IKE policy. Other options: To edit an entry, click Edit. To delete an entry, select it and click Delete.
- Group 14 (2048-bit)
• Lifetime: Enter the number of seconds for the IKE Security Association (SA) to remain valid. As a general rule, a shorter lifetime provides more secure ISAKMP negotiations because the keys are renegotiated more often. With a longer lifetime, the security appliance sets up future IKE SAs more quickly, at the cost of reusing the same keying material for longer.
STEP 8 Click OK to save your settings.
STEP 9 After you are finished, click Next.
STEP 13 Click OK to save your settings.
STEP 14 After you are finished, click Next.
Configuring Local and Remote Networks
STEP 15 Use the Local and Remote VPN Networks page to configure the local and remote networks.
• Local Subnet: Choose the IP address for your local network.
• If you only want to create the IPsec VPN policy and do not want to activate the connection immediately after the settings are saved, click Do Not Activate. The connection is then triggered by any traffic that matches this IPsec VPN policy, and the VPN tunnel is set up automatically. You can also go to the VPN > Site-to-Site > IPsec Policies page to establish the VPN connection manually by clicking the Connect icon.
STEP 5 Enter the following information:
• Service: Choose either the DynDNS or the No-IP service.
NOTE: You must sign up for an account with one of these providers before you can use this service.
• Active On Startup: Click On to activate the DDNS setting when the security appliance starts up.
• WAN Interface: Choose the WAN port for the DDNS service. Traffic for DDNS services passes through the specified WAN port.
STEP 10 In the Basic Setting tab, enter the following information:
• Name: Enter the name for the DMZ.
• IP: Enter the subnet IP address for the DMZ.
• Netmask: Enter the subnet mask for the DMZ.
• Spanning Tree: Check this box to enable the Spanning Tree feature, which detects loops in the network topology.
• Port: Choose a configurable port from the Port list and add it to the Member list.
• WINS2: Optionally, enter the IP address of a secondary WINS server.
• Domain Name: Optionally, enter the domain name for the DMZ.
• Default Gateway: Enter the IP address of the default gateway.
STEP 13 Click OK to save your settings.
STEP 14 After you are finished, click Next.
Configuring DMZ Services
STEP 15 Use the DMZ Service page to configure the DMZ services.
STEP 16 Click Add to create a DMZ service.
-
• WAN IP: Specify the public IP address for the server. You can use the IP address of the selected WAN port or a public IP address that is provided by your ISP. When you choose Both as the incoming WAN port, this option is grayed out.
• Enable DMZ Service: Click On to enable the DMZ service, or click Off to create the DMZ service without enabling it.
-
Viewing Configuration Summary
STEP 20 Use the Summary page to view information for the configuration.
STEP 21 To modify any settings, click Back. If the configuration is correct, click Finish to apply your settings.
Using the Wireless Wizard (for ISA550W and ISA570W only)
If you are using the ISA550W or ISA570W, you can use the Wireless Wizard to configure your wireless network.
-
STEP 4
- 802.11b/g/n mixed: Choose this mode to allow 802.11b, 802.11g, and 802.11n clients operating in the 2.4 GHz band to connect to the access point.
- 802.11n only: Choose this mode if all devices in the wireless network support 802.11n. Only 802.11n clients operating in the 2.4 GHz band can connect to the access point.
-
Specify Wireless Connectivity Settings for All Enabled SSIDs
STEP 7
STEP 8 Specify the wireless connectivity settings for all enabled SSIDs.
• For complete details on configuring the connectivity settings for Intranet WLAN access, see Configuring the SSID for Intranet WLAN Access, page 78.
-
STEP 2 In the Security Settings area, specify the wireless security settings.
• Security Mode: Choose the security mode and configure the corresponding security settings. For security purposes, we strongly recommend that you use WPA2 for wireless security. With WPA2-Personal, choose a long, random passphrase: the pre-shared key can be attacked offline from a captured four-way handshake, so short or dictionary passphrases are recoverable. For example, if you choose WPA2-Personal, enter the following information:
- Encryption: WPA2-Personal always uses AES for data encryption.
-
Configuring the SSID for Guest WLAN Access
Follow these steps to configure the connectivity settings for Guest WLAN access.
STEP 1
STEP 2 Enter the following information:
• SSID: Enter the name of the SSID.
• Broadcast SSID: Check this box to broadcast the SSID in its beacon frames. All wireless devices within range can then see the SSID when they scan for available networks. Unchecking the box hides the name only from casual scans; associated clients still send it in probe requests and association frames, so a hidden SSID is not an access control and is no substitute for WPA2.
-
Chapter 3: Status
This chapter describes how to view the status of your security appliance. It includes the following sections:
• Device Status Dashboard, page 84
• Network Status, page 88
• Wireless Status (for ISA550W and ISA570W only), page 99
• NAT Status, page 100
• VPN Status, page 101
• Active User Sessions, page 105
• Security Services Reports, page 106
• System Status, page 112
To access the Status pages, click Status in the left-hand navigation pane.
-
Device Status Dashboard
• Firmware (Primary/Secondary): Firmware version that the security appliance is currently using (Primary), and the firmware version that was previously running (Secondary). By default, the security appliance boots with the primary firmware.
• Bootloader Version: Bootloader version of the security appliance.
• Serial Number: Serial number of the security appliance.
-
• Alert: Total number of Alert logs. Click the number link for complete details.
• Critical: Total number of Critical logs. Click the number link for complete details.
• Error: Total number of Error logs. Click the number link for complete details.
• Warning: Total number of Warning logs. Click the number link for complete details.
• Notification: Total number of Notification logs. Click the number link for complete details.
-
• Mode: Link status of the physical port.
• WAN Mode: Displays the WAN operation mode, such as Single - WAN1, Failover, or Load Balancing. To see complete details for WAN redundancy, click details.
• WAN Interface(s): To see complete details for all WAN ports, click details.
- Name: Name of the WAN port.
- IP Address: IP address of the WAN port.
• LAN Interfaces: To see complete details for all VLANs, click details.
- Index: ID of the VLAN.
- Name: Name of the VLAN.
-
Network Status
Use the Network Status pages to view information for the various interfaces, the network usage reports, the WAN bandwidth reports, all ARP (Address Resolution Protocol) entries, and DHCP address assignments.
-
• VLAN: VLANs to which the physical port is mapped.
• PVID: The Port VLAN ID (PVID) used to forward or filter untagged packets arriving on the port. The PVID of a Trunk port is fixed to the DEFAULT VLAN (1).
• WAN Name: Name of the WAN port.
• WAN Type: Network addressing mode used to connect to the Internet on the WAN port.
• Connection Time: Time that the WAN port has been connected, in seconds.
-
• Line Status: Shows whether a cable is inserted in the WAN port. If the line status shows “Not Connected,” the cable may be loose, unplugged, or faulty. NOTE: If the line status shows “Not Connected,” the Connection Status shows “Not Connected” and the WAN State shows “Down.”
• Zone: Zone to which the WAN port is assigned.
VLAN
• LAN MAC Address: MAC address of the default LAN.
• Name: Name of the VLAN.
• VID: ID of the VLAN.
-
Traffic Statistics
Use the Traffic Statistics page to view traffic data for the various interfaces. This page is automatically updated every 10 seconds. Click Refresh to manually refresh the data. Click Reset to reset the values in the Ethernet table to zero.
• Ethernet Port: Name of the physical port.
• Link Status: Shows whether the port is connected.
• Tx Packets: Number of IP packets transmitted by the port.
-
• Uptime: Time that the WAN port has been active. The uptime is reset to zero when the security appliance or the WAN port is restarted.
• VLAN Name: Name of the VLAN.
• Tx Packets: Number of IP packets transmitted by the VLAN.
• Rx Packets: Number of IP packets received by the VLAN.
• Collisions: Number of signal collisions that have occurred on this VLAN.
• Tx Bytes/Sec: Number of bytes transmitted by the VLAN per second.
-
STEP 1 In the Data Collection area, enter the following information:
• Enable Bandwidth Usage Report by IP Address: Check this box to enable the bandwidth usage report, sorted by the top 25 IP addresses that consume the most bandwidth.
• Enable Bandwidth Usage Report by Internet Service: Check this box to enable the bandwidth usage report, sorted by the top 25 services and applications that consume the most bandwidth.
-
This report only monitors website visits through the HTTP port specified in the advanced settings of either Firewall Content Filtering or Web URL Filtering. Because only that port is inspected, visits over HTTPS or on other ports do not appear in the report. If inappropriate websites appear in this report, you can block them. For information on blocking websites, see Configuring Content Filtering to Control Internet Access, page 281, or Configuring Web URL Filtering, page 327.
-
ARP Table
Address Resolution Protocol (ARP) is a computer-networking protocol that determines a network host’s Link Layer (hardware) address when only its Internet Layer (IP) address is known. Use the ARP Table page to view information for all ARP entries. This page is automatically updated every 10 seconds. Click Refresh to manually refresh the data. ARP is unauthenticated: an IP address whose MAC address changes unexpectedly, or one MAC address claiming several IP addresses including the gateway, is a sign of ARP spoofing on that VLAN.
• IP Address: IP address of the device.
• Flag: Flag type of the device.
-
STP Status
Use the STP Status page to view information about VLANs that have Spanning Tree Protocol (STP) enabled. STP is a Link Layer network protocol that ensures a loop-free topology for any bridged LAN. No information is displayed for VLANs without STP enabled. At the top of the page, use the “Check the STP status in this VLAN” list to choose a VLAN.
-
• Port Role: The role assigned to this port.
- Root port: The port with the lowest path cost to the root bridge.
- Designated port: The port with the lowest path cost on a LAN segment. The LAN segment uses the designated port to reach the root bridge.
- Blocked port: A port that is neither a root port nor a designated port.
• Path Cost: The cost of the path to the root bridge through this port.
• Priority: Priority of the port.
-
• Designated Cost: The path cost to the designated bridge of the LAN segment.
CDP Neighbor
Use the CDP Neighbors page to view status information about neighboring devices discovered by the Cisco Discovery Protocol (if enabled). This information may be useful for troubleshooting. The information on this page is automatically refreshed at 15-second intervals. If CDP is disabled, a message appears at the top of the page and the list is empty. Because CDP advertises platform, software version, and addresses in cleartext to anyone on the segment, enable it only on trusted internal interfaces.
-
Wireless Status (for ISA550W and ISA570W only)
Use the Wireless Status pages to view information about your wireless network. Refer to the following topics:
• Wireless Status, page 99
• Client Status, page 100
Wireless Status
Use the Wireless Status > Wireless Status page to view the cumulative totals of relevant wireless statistics for all SSIDs. This page is automatically updated every 10 seconds. Click Refresh to manually refresh the data.
-
• Uptime: Time that the SSID has been active.
Client Status
Use the Wireless Status > Client Status page to view information for all client stations that are connected to each SSID. The MAC address and IP address of every connected client station are displayed per SSID. This page is automatically updated every 10 seconds. Click Refresh to manually refresh the data.
NAT Status
Use the NAT Status page to view information for all NAT rules.
-
• Tx Packets: Number of transmitted packets.
• Rx Packets: Number of received packets.
• Tx Bytes/Sec: Rate of transmitted traffic, in bytes per second.
• Rx Bytes/Sec: Rate of received traffic, in bytes per second.
VPN Status
Use the VPN Status pages to view information for all VPN sessions. Refer to the following topics:
• IPsec VPN Status, page 101
• SSL VPN Status, page 103
IPsec VPN Status
Use the VPN Status > IPsec VPN Status page to view information for all IPsec VPN sessions.
-
• VPN Type: VPN connection type for an IPsec VPN session, such as Site-to-Site, IPsec Remote Access, or Teleworker VPN Client.
• WAN Interface: WAN port used for the IPsec VPN session.
• Remote Gateway: IP address of the remote peer. NOTE: For a site-to-site VPN session, this is the IP address of the remote gateway. For an IPsec VPN session between the Teleworker VPN client and a remote IPsec VPN server, it is the IP address of the IPsec VPN server.
-
Teleworker VPN Client
If the Teleworker VPN Client feature is enabled and the security appliance is acting as a Cisco VPN hardware client, the following information is displayed.
• Status: Shows whether the Teleworker VPN Client feature is enabled or disabled.
• Primary DNS: IP address of the primary DNS server.
• Secondary DNS: IP address of the secondary DNS server.
• Primary WINS: IP address of the primary WINS server.
-
• User Name: Name of the connected SSL VPN user.
• Client IP (Actual): Actual IP address used by the SSL VPN client.
• Client IP (VPN): Virtual IP address of the SSL VPN client, assigned by the SSL VPN gateway.
• Connect Time: Amount of time since the SSL VPN user first established the connection.
SSL VPN Statistics
In the Global Status area, the global statistics are displayed. To clear the global statistics, click Clear.
-
• In CSTP Bytes: Total number of bytes in the CSTP (Cisco SSL Tunneling Protocol) frames received from the client.
• In CSTP Data: Number of CSTP data frames received from the client.
• In CSTP Control: Number of CSTP control frames received from the client.
• Out CSTP Frames: Number of CSTP frames sent to the client.
• Out CSTP Bytes: Total number of bytes in the CSTP frames sent to the client.
• Out CSTP Data: Number of CSTP data frames sent to the client.
-
• Login Method: How the user logged in to the security appliance, such as WEB, SSL VPN, IPsec Remote Access, or Captive Portal.
• Session Time: Time since the user logged in to the security appliance.
Security Services Reports
Use the Security Services Reports pages to view the reports for all security services. These pages are automatically updated every 10 seconds. Click Refresh to manually refresh the data.
-
• Blocked Requests: Check this box to display in the graph the number of websites blocked by Web URL Filtering and/or Web Reputation Filtering. To view more information about blocked requests, click the red bar in the graph.
-
• Detected Requests: Check this box to display in the graph the number of viruses detected by the Anti-Virus service. To view more information about detected requests, click the red bar in the graph.
-
• Processed Requests: Check this box to display in the graph the number of emails checked by the Spam Filter service.
STEP 2 Click Save to save your settings.
• System Date: Current system time.
• Total Since Activated: Total number of emails checked and total number of spam or suspected-spam emails detected since the Spam Filter service was activated.
-
• System Date: Current system time.
• Total Since Activated: Total number of packets checked and total number of packets blocked since the Network Reputation service was activated.
• Total Last 7 Days: Total number of packets checked and total number of packets blocked in the last seven days.
• Total Today: Total number of packets checked and total number of packets blocked today.
-
• System Date: Current system time.
• Total Since Activated: Total number of packets detected and total number of packets dropped since the IPS service was activated.
• Total Last 7 Days: Total number of packets detected and total number of packets dropped in the last seven days.
• Total Today: Total number of packets detected and total number of packets dropped today.
-
• System Date: Current system time.
• Total Since Activated: Total number of packets detected and total number of packets blocked since the Application Control service was activated.
• Total Last 7 Days: Total number of packets detected and total number of packets blocked in the last seven days.
• Total Today: Total number of packets detected and total number of packets blocked today.
-
• Protocol: Protocol used by the socket.
• Port: Port number of the local end of the socket.
• Local Address: IP address of the local end of the socket.
• Foreign Address: IP address of the remote end of the socket.
Because this list shows the appliance’s own sockets, a listener bound to a WAN address that you did not deliberately enable (for example, a management service reachable from the Internet) should be checked against the remote management settings.
Resource Utilization
Use the System Status > Resource Utilization page to view the system’s CPU and memory utilization.
-
• Buffer Memory: Total amount of memory currently used as buffers.
-
Chapter 4: Networking
Use the Networking module to configure your Internet connection, VLANs, DMZ, zones, routing, Quality of Service (QoS), and related features.
-
Viewing Network Status
Use the Networking > Network Status pages to view the traffic statistics, the usage reports, the WAN bandwidth reports, all ARP (Address Resolution Protocol) entries, and DHCP address assignments. For descriptions of these status reports, see Network Status, page 88.
Configuring IPv4 or IPv6 Routing
Use the Networking > IPv4 or IPv6 Routing page to choose the IP routing mode for your network.
-
Managing Ports
• Configuring Port Mirroring, page 119
• Configuring Port-Based (802.1x) Access Control, page 120
Viewing Status of Physical Interfaces
Use the Networking > Ports > Physical Interface page to view information about all physical ports on the security appliance. For all models, the following information appears:
• Name: The name of the physical port.
• Enable: Shows whether the physical port is enabled or disabled.
-
STEP 1 Proceed as needed:
• Check the box in the Enable column to enable a physical port, or uncheck it to disable the port.
• To edit the settings of a physical port, click the Edit (pencil) icon. See Configuring Physical Ports, page 118.
STEP 2 Click Save to apply your settings.
-
- To release the port from a VLAN, choose a VLAN from the VLAN list and click the left arrows.
NOTE: A LAN port can be assigned to multiple VLANs, but an Access LAN port can only be assigned to one VLAN. A DMZ port must be assigned to a DMZ network.
NOTE: You can click the Create VLAN link to create new VLANs. For information on configuring VLANs, see Configuring a VLAN, page 137.
• Flow Control: Click On to enable flow control on the port, or click Off to disable it.
-
STEP 1 Click On to enable port mirroring, or click Off to disable this feature.
STEP 2 If you enable port mirroring, enter the following information:
• TX Destination: Choose the port that receives a copy of the traffic transmitted on the monitored ports.
• TX Monitored Ports: Check the ports to be monitored. The port that you set as the TX Destination port cannot be selected as a monitored port.
The destination port receives a copy of every frame on the monitored ports, including credentials carried by cleartext protocols, so connect only the capture host to it and disable the mirror when the capture is finished.
STEP 3
-
STEP 1 In the RADIUS Settings area, specify the RADIUS servers for authentication. The security appliance predefines three RADIUS groups. Choose a predefined RADIUS group from the RADIUS Index drop-down list to authenticate users on 802.1x-capable clients. The RADIUS server settings of the selected group are displayed. You can edit the RADIUS server settings here, but the settings that you specify replace the default settings of the selected group.
-
• Authenticated VLAN: If you enable the 802.1x access control feature, choose the authenticated VLAN to which this port is assigned. Users who authenticate successfully can access the authenticated VLAN through the port. If authentication fails, access through the port is blocked.
• Guest Authenticated: If you enable the 802.1x access control feature, check this box to enable the Guest Authentication feature.
-
• Configure the primary WAN, page 123
• Configure a secondary WAN, page 125
Release or renew a DHCP WAN connection
If a WAN interface is configured to obtain an IP address from the ISP by using Dynamic Host Configuration Protocol (DHCP), you can click the Release icon to release its IP address, or click the Renew icon to obtain a new IP address.
Configure the primary WAN
To configure the settings for the primary WAN (WAN1), click the Edit (pencil) icon.
-
- Use the following MAC address: If your ISP requires MAC authentication and another MAC address has previously been registered with your ISP, choose this option and enter the MAC address that your ISP requires for this connection.
• MAC Address: Enter the MAC address, for example 00:23:45:67:89:ab. The least-significant bit of the first octet must be clear; an address such as 01:23:45:67:89:ab is a multicast (group) address and cannot be a station address.
• Zone: Choose the default WAN zone or an untrusted zone for the primary WAN. Click the Create Zone link to view, edit, or add zones on the security appliance.
-
Configure a secondary WAN
To configure a secondary WAN (WAN2), click Add. Then use the WAN - Add/Edit page to configure the connection. If you enabled IPv4/IPv6 routing mode, complete both tabbed pages, as described for the primary WAN interface. Click OK to save your settings in the pop-up window. Click Save to apply your settings to the security appliance. To determine how the two ISP links are used, configure the WAN redundancy settings.
-
Network Addressing Mode: Static IP
Choose this option if the ISP provides you with a static (permanent) IP address and does not assign it dynamically. Use the corresponding information from your ISP to complete the following fields:
• IP Address: Enter the IP address of the WAN port that is reachable from the Internet.
• Subnet Mask: Enter the subnet mask.
• Gateway: Enter the IP address of the default gateway.
-
Network Addressing Mode: PPPoE
Point-to-Point Protocol over Ethernet (PPPoE) carries a PPP session over the Ethernet link to the ISP. Choose this option if your ISP provides you with client software, a username, and a password. Use the PPPoE information from your ISP to complete the configuration.
• User Name: Enter the username required to log in to the ISP.
• Password: Enter the password required to log in to the ISP.
-
Network Addressing Mode: PPTP
PPTP is typically used for VPN connections; some ISPs use it to attach customers to their network. Note that PPTP’s authentication (MS-CHAPv2) and encryption (MPPE) are cryptographically broken, so treat a PPTP WAN link as an unencrypted link: it attaches you to the ISP but is no substitute for IPsec. Use the information from your ISP to complete the PPTP configuration:
• IP Address: Enter the IP address of the WAN port that is reachable from the Internet.
• Subnet Mask: Enter the subnet mask.
• Gateway: Enter the IP address of the default gateway.
• User Name: Enter the username required to log in to the PPTP server.
-
Network Addressing Mode: L2TP
Choose this option if you want to use IPsec to connect to an L2TP (Layer 2 Tunneling Protocol) server and encrypt all data transmitted from the client to that server. Traffic to other destinations is not encrypted. Use the information from your ISP to complete the L2TP configuration:
• IP Address: Enter the IP address of the WAN port that is reachable from the Internet.
-
Configuring WAN Redundancy
If you have two ISP links, one for WAN1 and another for WAN2, use the Networking > WAN Redundancy pages to configure WAN redundancy and determine how the two ISP links are used. Refer to the following topics:
• Dual WAN Settings, page 130
• Load Balancing with Policy-Based Routing Configuration Example, page 133
NOTE Before you configure the WAN redundancy settings, you must first configure the secondary WAN connection.
-
- Weighted by Link Bandwidth: If you choose this option, specify the bandwidth of each WAN, such as 80 Mbps for WAN1 and 20 Mbps for WAN2; traffic is then split in that ratio, 80% to WAN1 and 20% to WAN2.
NOTE: The Weighted by Link Bandwidth option has the same effect as the Weighted by Percentage option; the bandwidth figures are only another way of expressing the ratio.
-
NOTE: If you enable Policy-Based Routing, the policy-based routing settings take precedence over the load balancing settings. Traffic matching a policy-based routing rule is routed according to that rule; traffic matching no rule is routed according to the load balancing settings.
STEP 3 Click Save to apply your settings.
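The selection order just described (policy-based routing first, weighted load balancing for everything else, and no traffic onto a WAN whose link is down) as an added example. This is not the appliance's code; it models the decision with the rule fields the guide uses (From VLAN, Service, WAN) and the two weighting options. Keeping each flow on one link by hashing its 5-tuple, and falling back to load balancing when a rule's WAN is down, are assumptions about mechanism that the guide does not state.

```python
"""Egress WAN selection: PBR rules first, then weighted load balancing.
Added example, not the appliance's own code. Link weights may be given as
percentages or as bandwidths in Mbps; 80/20 Mbps and 80%/20% normalise to
the same split, which is why the guide says the two options are equivalent.
Flow hashing and the dead-PBR-link fallback are assumptions (see lead-in).
"""
import hashlib
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class PbrRule:
    """'From' VLAN subnet, optional service as (proto, port) with None meaning
    All Traffic, and the WAN the rule sends matching traffic to."""
    from_net: str
    service: Optional[tuple]
    wan: str


def normalize_weights(weights: dict) -> dict:
    """Turn Weighted-by-Percentage or Weighted-by-Link-Bandwidth figures into shares summing to 1."""
    total = sum(weights.values())
    return {wan: w / total for wan, w in weights.items()}


def pbr_match(flow: Flow, rules) -> Optional[str]:
    """First matching PBR rule wins; None when no rule applies."""
    for r in rules:
        in_vlan = ip_address(flow.src) in ip_network(r.from_net)
        if in_vlan and (r.service is None or r.service == (flow.proto, flow.dport)):
            return r.wan
    return None


def weighted_pick(flow: Flow, weights: dict) -> str:
    """Hash the flow so all its packets stay on one WAN, then map the hash
    point onto the cumulative weight ranges."""
    key = f"{flow.src}|{flow.dst}|{flow.proto}|{flow.dport}".encode()
    point = int.from_bytes(hashlib.sha256(key).digest()[:8], "big") / 2**64
    acc = 0.0
    wan = None
    for wan, share in normalize_weights(weights).items():
        acc += share
        if point < acc:
            return wan
    return wan  # guards float rounding at the top of the range


def select_wan(flow: Flow, rules, weights: dict, link_up: dict) -> str:
    wan = pbr_match(flow, rules)
    if wan is not None and link_up.get(wan, False):
        return wan                                   # PBR takes precedence over load balancing
    alive = {w: v for w, v in weights.items() if link_up.get(w, False)}
    if not alive:
        raise RuntimeError("no WAN link is up")
    return weighted_pick(flow, alive)                # unmatched, or PBR'ed to a dead link (assumption)


def distribution(flows, rules, weights, link_up) -> dict:
    """Count how many of `flows` land on each WAN, to check the configured split."""
    counts = {}
    for f in flows:
        w = select_wan(f, rules, weights, link_up)
        counts[w] = counts.get(w, 0) + 1
    return counts
```

Run `distribution` over a few thousand synthetic flows with weights {"WAN1": 80, "WAN2": 20} and about 80% land on WAN1, exactly as with {"WAN1": 80_000_000, "WAN2": 20_000_000}; add a PbrRule for SMTP from the LAN subnet and every mail flow goes to the rule's WAN regardless of the weights.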
-
STEP 2
• DNS Detection: Choose this option to detect WAN failure by querying the DNS servers that you specify in the following fields:
- Default DNS Servers: Send a DNS query for www.cisco.com to the default WAN DNS server. If the server answers, the network connection is considered active.
- Specify DNS Servers: Send a DNS query for www.cisco.com to the specified DNS servers.
A reply proves only that the DNS server is reachable (it may answer from its cache), not that the path beyond it works, so prefer servers on the far side of the ISP link rather than one on your own premises.
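What the DNS Detection probe does on the wire, as an added example that is not the appliance's own code. It builds an RFC 1035 A query for www.cisco.com, sends it straight to a nominated server over UDP (so the host's own resolver configuration plays no part), and accepts the link as up only for a reply that carries the query's transaction ID, has the response bit set, RCODE 0, and at least one answer. The sweep count and the 2-second timeout are assumptions; the guide gives no timing parameters.

```python
"""WAN failure detection by DNS lookup, in the style of the DNS Detection option.
Added example, not the appliance's code: raw DNS wire format over UDP so the
probe really tests the server you configured. Timing parameters are assumed.
"""
import secrets
import socket
import struct

PROBE_NAME = "www.cisco.com"   # the name the guide says the appliance queries


def build_query(name: str, txid: int) -> bytes:
    """Standard recursive A/IN query: 12-byte header, encoded QNAME, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def parse_response(data: bytes, txid: int) -> bool:
    """True only if `data` is a successful answer to *our* query: matching
    transaction id (rejects stray or spoofed datagrams), QR bit set,
    RCODE 0 (NOERROR), and at least one answer record."""
    if len(data) < 12:
        return False
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        return False
    return (flags & 0x000F) == 0 and ancount > 0


def probe(server: str, timeout: float = 2.0) -> bool:
    """One UDP round trip to `server`:53; False on timeout, error, or bad answer."""
    txid = secrets.randbelow(1 << 16)          # unpredictable id, as a resolver would use
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(PROBE_NAME, txid), (server, 53))
        data, _ = sock.recvfrom(512)
        return parse_response(data, txid)
    except OSError:                            # socket.timeout is a subclass of OSError
        return False
    finally:
        sock.close()


def wan_is_up(servers, sweeps_before_down: int = 3, send=probe) -> bool:
    """The link is up if any configured server answers in any of
    `sweeps_before_down` sweeps; one lost datagram must not fail the WAN over.
    `send` is injectable so the decision logic can be tested without a network."""
    for _ in range(sweeps_before_down):
        if any(send(s) for s in servers):
            return True
    return False
```

Call `wan_is_up(["203.0.113.53"])` (a constructed server address) from a cron job or watchdog; the transaction-ID check matters because an attacker on the path who can inject an arbitrary datagram could otherwise keep a dead link marked up.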
-
Configuring Dynamic DNS
Use the Networking > WAN > DDNS page to configure Dynamic DNS (DDNS). DDNS is an Internet service that allows routers with changing public IP addresses to be located by Internet domain name. If your ISP has not provided you with a static IP address and your WAN connection uses DHCP to obtain an address dynamically, DDNS maps a domain name to whatever dynamic IP address you currently hold.
-
• Password: Enter the password of the account that you registered with the DDNS provider.
• Host and Domain Name: Enter the complete host name and domain name for the DDNS service, for example: name.dyndns.org.
• Wildcards: Check this box to allow all subdomains of your DDNS host name to share the same public IP address as the host name.
• Update: Check this box to update the host information every week.
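A DDNS update client of the kind the appliance runs for these settings, as an added example (not the appliance's code). DynDNS and No-IP both accept the same "nic/update" request: one HTTP GET carrying the account credentials in a Basic authorization header and the host name to update, answered with a one-word status. The part worth getting right is the reply handling: replies such as badauth, nohost and abuse mean the configuration is wrong, and retrying through them is what gets an account blocked. The endpoint URLs are the providers' published ones and the wildcard parameter follows the DynDNS update protocol; both are assumptions to verify against current provider documentation.

```python
"""DDNS update in the style of the appliance's DynDNS / No-IP service.
Added example, not the appliance's code. Endpoints and the wildcard
parameter are assumptions taken from the providers' published protocol.
"""
import base64
import urllib.request
from urllib.parse import urlencode

ENDPOINTS = {
    "DynDNS": "https://members.dyndns.org/nic/update",
    "No-IP": "https://dynupdate.no-ip.com/nic/update",
}
# Replies that mean "stop and fix the configuration"; never retry these.
FATAL = {"badauth", "nohost", "notfqdn", "numhost", "abuse", "badagent", "!donator"}
# Replies that mean "try again later".
TRANSIENT = {"dnserr", "911"}


def build_request(service, hostname, username, password, myip=None, wildcard=False):
    """Prepared GET with Basic auth and the update query string (nothing is sent here)."""
    params = {"hostname": hostname}
    if myip:
        params["myip"] = myip          # omitted: the provider uses the request's source address
    if wildcard:
        params["wildcard"] = "ON"      # the 'Wildcards' checkbox
    url = ENDPOINTS[service] + "?" + urlencode(params)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(url, headers={
        "Authorization": "Basic " + token,
        # Providers require an identifying User-Agent; this value is constructed.
        "User-Agent": "isa500-ddns-example/1.0 admin@example.com",
    })


def classify(reply: str):
    """Map a provider reply to ('ok' | 'fatal' | 'retry', detail)."""
    parts = reply.strip().split()
    code = parts[0] if parts else ""
    if code in ("good", "nochg"):
        return "ok", parts[1] if len(parts) > 1 else ""
    if code in FATAL:
        return "fatal", code
    if code in TRANSIENT:
        return "retry", code
    return "fatal", f"unrecognised reply {reply!r}"   # unknown replies are treated as fatal, not retried


def update(service, hostname, username, password, myip=None, opener=urllib.request.urlopen):
    """Send one update; `opener` is injectable for offline testing."""
    req = build_request(service, hostname, username, password, myip)
    with opener(req, timeout=15) as resp:
        return classify(resp.read().decode("ascii", "replace"))
```

Schedule the update only when the WAN address actually changes, plus the weekly refresh the Update checkbox provides; repeated "nochg" updates in quick succession are treated as abuse by the providers. The account password travels in the Authorization header, so the HTTPS endpoints must be used as written, not their http:// equivalents.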
-
between both upload and download traffic. The amount of traffic downloaded reduces the amount of traffic that can be uploaded, and vice versa.
STEP 2 In the Traffic Counter area, enter the following information:
• Monthly Limit: Enter the volume limit that applies for this month. The limit applies to the direction (Download Only or Both Directions) selected above.
STEP 3
-
STEP 4
STEP 5 In the Internet Traffic area, the following information is displayed after you enable Traffic Metering:
• Start Date/Time: Date on which the traffic meter was started, or the last time the traffic counter was reset.
• Outgoing Traffic Volume: Volume of traffic, in megabytes, uploaded through this port.
• Incoming Traffic Volume: Volume of traffic, in megabytes, downloaded through this port.
-
Configuring a VLAN
STEP 1 To add a new VLAN, click Add. To modify the settings for a VLAN, click the Edit (pencil) icon. Other options: To delete a VLAN, click the Delete (x) icon. The default VLANs cannot be deleted.
STEP 2 In the Basic Settings tab, enter the following information:
• Name: Enter the name for the VLAN.
• VLAN ID: Enter a unique identification number for the VLAN, which can be any number from 3 to 4089.
-
STEP 3
STEP 4 In the DHCP Pool Settings tab, choose the DHCP mode from the DHCP Mode drop-down list.
• Disable: Choose this option if the computers on the VLAN are configured with static IP addresses or use another DHCP server.
• DHCP Server: The security appliance acts as a DHCP server and assigns IP addresses to all devices connected to the VLAN. Any new DHCP client joining the VLAN is assigned an IP address from the DHCP pool.
-
• Option 150: Supports a list of TFTP servers (up to 2). Enter the IP addresses of the TFTP servers, separating multiple entries with commas (,). NOTE: Enterprises with small branch offices that implement a Cisco IP Telephony Voice over IP solution typically implement Cisco CallManager at a central office to control the Cisco IP Phones at the small branch offices.
-
Configuring DMZ
Use the Networking > DMZ page to configure a Demilitarized Zone (DMZ). A DMZ is a sub-network that sits behind the firewall but is reachable from the public Internet. By placing your public services on a DMZ, you add a layer of separation in front of the LAN: the public can connect to services on the DMZ but has no direct path to the LAN. Keep the DMZ-to-LAN firewall rules minimal, because a compromised DMZ host can reach whatever those rules permit.
-
Figure 1: Example DMZ with One Public IP Address for WAN and DMZ
(Figure; recoverable details:) Internet and www.example.com; Source Address Translation to the single public IP address 209.165.200.225; LAN interface 192.168.75.1 with users 192.168.75.10 and 192.168.75.11; DMZ interface 172.16.2.1; web server with private IP address 172.16.2.30 and public IP address 209.165.200.225.
In this scenario, the business has one public IP address, 209.165.200.
-
Figure 2: Example DMZ with Two Public IP Addresses
(Figure; recoverable details:) Internet and www.example.com; Source Address Translation; public IP addresses 209.165.200.225 (router) and 209.165.200.226 (web server); DMZ interface 172.16.2.1; web server with private IP address 172.16.2.30 and public IP address 209.165.200.226; LAN interface 192.168.75.1 with users 192.168.75.10 and 192.168.75.11.
In this scenario, the ISP has supplied two static IP addresses: 209.165.200.
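The translations behind both figures, as an added example that is not the appliance's code. It models what a DMZ Service entry and source address translation do to a packet so the difference between the layouts shows on the wire: with one public IP (Figure 1) only the forwarded port reaches the web server and everything else shares the router's address, whereas with a dedicated public IP (Figure 2) every port of 172.16.2.30 is translated, so the WAN-to-DMZ firewall rules are what limit exposure. Addresses are the figures' own; 198.51.100.0/24 and 203.0.113.0/24 are constructed Internet-side endpoints, and the `dmz_allow` set stands in for the firewall rules.

```python
"""NAT behaviour for the one-IP (port forward) and two-IP (one-to-one) DMZ layouts.
Added example, not the appliance's code. Internet-side addresses and the
firewall allow-list are constructed for the demonstration.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class DmzService:
    """One DMZ Service entry: public WAN IP (and port) mapped to a DMZ host.
    wan_port=None models Figure 2, where the whole public address belongs to
    the server (one-to-one NAT), so every port is translated."""
    wan_ip: str
    wan_port: Optional[int]
    host: str
    host_port: Optional[int] = None


class Nat:
    def __init__(self, wan_ip, services, dmz_allow):
        self.wan_ip = wan_ip                 # the appliance's own public address (shared with the server in Figure 1)
        self.services = list(services)
        self.dmz_allow = set(dmz_allow)      # (host, proto, port) tuples the WAN-to-DMZ firewall rules permit
        self.pat = {}                        # (private src, sport) -> public source port
        self._next_port = 40000

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Internet -> DMZ. Returns the translated packet, or None if dropped."""
        for s in self.services:
            if p.dst != s.wan_ip:
                continue
            if s.wan_port is not None and p.dport != s.wan_port:
                continue
            dport = p.dport if s.host_port is None else s.host_port
            # Translation is not permission: the DMZ firewall rule still decides.
            if (s.host, p.proto, dport) not in self.dmz_allow:
                return None
            return replace(p, dst=s.host, dport=dport)
        return None                          # no service matches: nothing answers on that address/port

    def outbound(self, p: Packet) -> Packet:
        """LAN/DMZ -> Internet. One-to-one hosts keep their own public IP and
        port; everyone else is PAT'ed behind the WAN address with an allocated port."""
        for s in self.services:
            if s.wan_port is None and p.src == s.host:
                return replace(p, src=s.wan_ip)
        key = (p.src, p.sport)
        if key not in self.pat:
            self.pat[key] = self._next_port
            self._next_port += 1
        return replace(p, src=self.wan_ip, sport=self.pat[key])
```

With the Figure 2 layout, a database port the server happens to listen on is reachable from the Internet the moment the one-to-one mapping exists unless the allow-list (firewall rule) excludes it; with Figure 1 it is unreachable simply because no DMZ Service forwards it.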
-
STEP 2 In the Basic Settings tab, enter the following information:
• Name: Enter the name for the DMZ.
• IP Address: Enter the subnet IP address for the DMZ.
• Netmask: Enter the subnet mask for the DMZ.
• Spanning Tree: Check this box to enable the Spanning Tree feature, which detects loops in the network topology.
• Port: Specify a configurable port as a DMZ port. Traffic through the DMZ port is directed to the DMZ.
-
STEP 5
• Lease Time: Enter the maximum time for which a dynamic IP address is “leased” to a network client. When the time elapses, the client must renew its lease, which is normally done automatically.
• DNS 1: Enter the IP address of the primary DNS server.
• DNS 2: Optionally, enter the IP address of the secondary DNS server.
• WINS 1: Optionally, enter the IP address of the primary WINS server.
• WINS 2: Optionally, enter the IP address of the secondary WINS server.
-
Configuring Zones
Use the Networking > Zones page to configure a security zone, which is a group of interfaces to which a security policy can be applied. The interfaces in a zone share common functions or features. For example, two interfaces that are connected to the local LAN might be placed in one security zone, and the interfaces connected to the Internet might be placed in another security zone. The interfaces are IP-based interfaces (VLANs, WAN1, WAN2, and so forth).
-
• Untrusted(0): Offers the lowest level of trust. It is used by both the WAN and the virtual multicast zones. You can map the WAN port to an untrusted zone.
Predefined Zones
The security appliance predefines the following zones with different security levels:
• WAN: The WAN zone is an untrusted zone. By default, the WAN1 port is mapped to the WAN zone. If a secondary WAN (WAN2) is present, it can be mapped to the WAN zone or to any other untrusted zone.
-
STEP 1 To add a new zone, click Add. To edit an entry, click the Edit (pencil) icon. Other options: To delete an entry, click the Delete (x) icon. To delete multiple entries, check them and click Delete. NOTE: No predefined zone other than the VOICE zone can be deleted. For the predefined zones, only the associated ports and VLANs can be edited, and not for the VPN and SSLVPN zones.
STEP 2 Enter the following information:
• Name: Enter the name for the zone.
-
Configuring DHCP Reserved IPs
Use the Networking > DHCP Reservations page to reserve certain IP addresses for specified devices, identified by their MAC addresses. Whenever the DHCP server receives a request from a device, the hardware address is compared with the reservation database. If the device is found, the reserved IP address is used; otherwise, an IP address is assigned automatically from the DHCP pool. A reservation fixes an address, but it does not authenticate the device: a MAC address is trivially spoofed, so a reserved IP address must not be the sole basis for a firewall rule that grants extra access.
STEP 1 To add a DHCP Reservation rule, click Add.
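The assignment order just described (reservation by MAC first, then the dynamic pool), together with the lease time from the VLAN and DMZ DHCP settings, as an added example that is not the appliance's code. The pool range, lease length and MAC addresses are constructed; times are passed in explicitly so the lease and expiry behaviour can be followed deterministically.

```python
"""DHCP address assignment with MAC reservations and lease expiry.
Added example, not the appliance's code. Pool range, lease length and
MAC addresses used in tests are constructed.
"""
import time
from ipaddress import ip_address


class DhcpPool:
    def __init__(self, start, end, lease_seconds, reservations=None):
        self.start = int(ip_address(start))
        self.end = int(ip_address(end))
        self.lease = lease_seconds
        # MAC -> reserved IP, keys normalised so case differences in a request never miss the entry.
        self.reservations = {m.lower(): ip for m, ip in (reservations or {}).items()}
        self.leases = {}  # MAC -> (ip, expiry time)

    def offer(self, mac, now=None):
        """Return the address for `mac` and record or refresh its lease."""
        now = time.time() if now is None else now
        mac = mac.lower()
        if mac in self.reservations:
            ip = self.reservations[mac]             # reservation wins, even if it lies outside the pool
        elif mac in self.leases and self.leases[mac][1] > now:
            ip = self.leases[mac][0]                # renewal before expiry keeps the same address
        else:
            ip = self._first_free(now)
        self.leases[mac] = (ip, now + self.lease)
        return ip

    def _in_use(self, ip, now):
        return any(l_ip == ip and exp > now for l_ip, exp in self.leases.values())

    def _first_free(self, now):
        reserved = set(self.reservations.values())  # reserved addresses are never handed out dynamically
        for n in range(self.start, self.end + 1):
            ip = str(ip_address(n))
            if ip not in reserved and not self._in_use(ip, now):
                return ip
        raise RuntimeError("DHCP pool exhausted")

    def free_count(self, now=None):
        """Addresses in the pool that are neither reserved nor under an unexpired lease."""
        now = time.time() if now is None else now
        reserved = set(self.reservations.values())
        return sum(1 for n in range(self.start, self.end + 1)
                   if str(ip_address(n)) not in reserved
                   and not self._in_use(str(ip_address(n)), now))
```

Expired leases are reclaimed only when another client asks, so `free_count` at a later time shows the effect of the lease time without any background sweeper.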
-
Configuring Routing

Viewing the Routing Table

Use the Networking > Routing > Routing Table page to view the following information:
• Destination Address: The IP address of the host or the network that the route leads to.
• Subnetwork Mask: The subnet mask of the destination network.
• Gateway: The IP address of the gateway through which the destination host or network can be reached.
• Flags: The status flag of the route.
• Metric: The cost of a route.
-
Configuring Static Routing

Use the Networking > Routing > Static Routing page to configure static routes. You can optionally assign a priority, which determines which route is selected when multiple routes lead to the same destination.
NOTE Up to 150 static routing rules can be configured on the security appliance.
STEP 1 To add a static route, click Add. To edit an entry, click the Edit (pencil) icon.
-
Configuring Dynamic Routing - RIP

Use the Networking > Routing > Dynamic - RIP page to configure dynamic routing with RIP. RIP is an Interior Gateway Protocol (IGP) that is commonly used in internal networks. It allows a router to exchange its routing information automatically with other routers, and allows it to dynamically adjust its routing tables and adapt to changes in the network. Because RIP learns routes from whatever speaks RIP on the segment, enable it only on interfaces that face routers you control.
-
Configuring Policy-Based Routing

Use the Networking > Routing > Policy Based Routing page to configure Policy-Based Routing (PBR). A PBR rule binds traffic from a specified internal IP address and/or service to a particular WAN port, which gives more flexible and granular traffic handling than destination-based routing alone. Up to 100 Policy-Based Routing rules can be configured on the security appliance. This feature can be used to segregate traffic between links that are not of the same speed.
-
STEP 1 Click On to enable PBR, or click Off to disable it.
STEP 2 To add a new PBR rule, click Add. To edit an entry, click the Edit (pencil) icon. Other options: To delete an entry, click the Delete (x) icon.
STEP 3 Enter the following information:
• From: Choose the VLAN that traffic originates from.
• Service: For service binding only, choose an existing service. For IP binding only, choose All Traffic.
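As an added illustration (example code, not Cisco's implementation), the following Python model shows how a PBR rule from the steps above and a static route from the Static Routing page interact when a packet is forwarded. It assumes two things the guide does not state: that PBR rules are consulted before the destination-based routing table, and that a lower priority value wins among static routes with an equally long prefix. The routes, rules and packets are constructed sample data.

```python
"""Illustrative model of how the appliance chooses an egress path.

Added example, not Cisco's code.  A PBR rule binds traffic from a VLAN (and
optionally a service) to a WAN port; the static routing table is searched by
longest prefix match with the optional priority as tie-breaker.  Assumptions
not taken from the guide: PBR rules are evaluated before the routing table
(the usual policy-routing order), and a lower priority number wins.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    destination: str   # network in CIDR form, e.g. "10.20.0.0/16"
    gateway: str       # next hop
    interface: str     # WAN1, WAN2, VLAN1, ...
    priority: int = 1  # assumption: lower value preferred among equal prefixes


@dataclass(frozen=True)
class PbrRule:
    from_vlan: str     # "From": VLAN the traffic originates from
    service: str       # "Service": a service name, or "All Traffic" for IP binding
    wan: str           # WAN port the matching traffic is bound to


@dataclass(frozen=True)
class Packet:
    src_vlan: str
    dst_ip: str
    service: str


def pbr_lookup(rules, pkt) -> Optional[str]:
    """First PBR rule whose VLAN matches and whose service is the wildcard or the packet's."""
    for rule in rules:
        if rule.from_vlan == pkt.src_vlan and rule.service in ("All Traffic", pkt.service):
            return rule.wan
    return None


def static_lookup(routes, dst_ip) -> Optional[StaticRoute]:
    """Longest prefix match; ties broken by the route's priority value."""
    addr = ip_address(dst_ip)
    candidates = [r for r in routes if addr in ip_network(r.destination)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ip_network(r.destination).prefixlen, r.priority))


def egress(pbr_rules, routes, pkt, pbr_enabled=True):
    """Return (decision source, interface) for a packet."""
    if pbr_enabled:
        wan = pbr_lookup(pbr_rules, pkt)
        if wan is not None:
            return ("pbr", wan)
    route = static_lookup(routes, pkt.dst_ip)
    if route is None:
        return ("none", None)
    return ("static", route.interface)


# Constructed sample configuration (documentation address ranges, not real networks).
ROUTES = [
    StaticRoute("0.0.0.0/0", "203.0.113.1", "WAN1"),                    # default route
    StaticRoute("10.20.0.0/16", "198.51.100.1", "WAN2"),
    StaticRoute("10.20.5.0/24", "203.0.113.1", "WAN1", priority=10),
    StaticRoute("10.20.5.0/24", "192.168.1.253", "VLAN1", priority=1),  # same prefix, preferred
]
PBR_RULES = [
    PbrRule("VoIP", "All Traffic", "WAN2"),   # IP binding: everything from the VoIP VLAN
    PbrRule("LAN", "SMTP", "WAN1"),           # service binding: only SMTP from the LAN VLAN
]


def demo():
    """Walk a few packets through the lookup; returns the decisions for inspection."""
    return {
        "voip_any": egress(PBR_RULES, ROUTES, Packet("VoIP", "8.8.8.8", "SIP")),
        "lan_http": egress(PBR_RULES, ROUTES, Packet("LAN", "8.8.8.8", "HTTP")),
        "lan_smtp": egress(PBR_RULES, ROUTES, Packet("LAN", "8.8.8.8", "SMTP")),
        "lpm_16": egress(PBR_RULES, ROUTES, Packet("LAN", "10.20.9.1", "HTTP")),
        "lpm_24": egress(PBR_RULES, ROUTES, Packet("LAN", "10.20.5.9", "HTTP")),
        "pbr_off": egress(PBR_RULES, ROUTES, Packet("VoIP", "8.8.8.8", "SIP"), pbr_enabled=False),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:9s} -> {decision}")
```

The "pbr_off" case is the one to keep in mind when disabling PBR on the page above: traffic the VoIP VLAN was steering to WAN2 silently falls back to the default route on WAN1.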
-
Configuring Quality of Service

The Quality of Service (QoS) feature is applied throughout the network to ensure that network traffic is prioritized according to required criteria and that the desired traffic receives preferential treatment.
-
STEP 3 Click Save to apply your settings.

Configuring WAN QoS

This section describes how to configure WAN QoS.
-
Configuring WAN Queue Settings

Use the Queue Settings page to determine how traffic in queues is handled for each WAN port. The security appliance supports six queues for the WAN ports, Q1 to Q6. There are three ways of determining how traffic in queues is handled:
Strict Priority (SP): Egress traffic from the highest-priority queue (Q1) is transmitted first.
-
STEP 1 Click Networking > QoS > WAN QoS > Queue Settings.
STEP 2 Specify how traffic in the queues is scheduled for each WAN port.
• Strict Priority (SP): Set the order in which queues are serviced. Traffic scheduling for the selected queue and all higher queues is based strictly on queue priority, starting with Q1 (the highest priority queue) and moving to the next lower queue only once every higher queue is empty. Lower queues can therefore be starved for as long as higher-priority traffic keeps arriving.
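The following Python model, added here as an example and not the appliance's own code, shows what the Strict Priority choice means for the queues below Q1, and what changes when only Q1 is strict and the remaining queues are served weighted round robin. The six-queue layout and the Q1-first rule are taken from the page; the weights and the packet mix are constructed.

```python
"""Toy model of the WAN egress scheduler described on this page: six queues,
Q1 highest.  Added example, not the appliance's code.  Queues listed in
sp_queues are served strictly in priority order; the remaining queues are
served weighted round robin (WRR), each sending up to its weight in packets
per visit.  Packet contents and weights are constructed sample data.
"""
from collections import deque

QUEUES = ["Q1", "Q2", "Q3", "Q4", "Q5", "Q6"]


class WanScheduler:
    def __init__(self, sp_queues, weights):
        # Every queue is either strict-priority or WRR; WRR weights must be >= 1.
        self.sp = [q for q in QUEUES if q in sp_queues]
        self.wrr = [q for q in QUEUES if q not in sp_queues]
        self.weights = {q: max(1, weights.get(q, 1)) for q in self.wrr}
        self.queues = {q: deque() for q in QUEUES}
        self._idx = 0
        self._credit = self.weights[self.wrr[0]] if self.wrr else 0

    def enqueue(self, queue, packet):
        self.queues[queue].append(packet)

    def _next_sp(self):
        # Highest non-empty SP queue wins; lower SP queues wait until it drains.
        for q in self.sp:
            if self.queues[q]:
                return self.queues[q].popleft()
        return None

    def _next_wrr(self):
        # Rotate through the WRR queues; each gets up to weight[q] sends per visit.
        if not any(self.queues[q] for q in self.wrr):
            return None
        while True:
            q = self.wrr[self._idx]
            if self._credit > 0 and self.queues[q]:
                self._credit -= 1
                return self.queues[q].popleft()
            self._idx = (self._idx + 1) % len(self.wrr)
            self._credit = self.weights[self.wrr[self._idx]]

    def transmit(self, slots):
        """Transmit up to `slots` packets; SP queues preempt WRR queues on every slot."""
        sent = []
        for _ in range(slots):
            pkt = self._next_sp()
            if pkt is None:
                pkt = self._next_wrr()
            if pkt is None:
                break
            sent.append(pkt)
        return sent


def run_demo(sp_queues, weights, slots=9):
    """Constructed traffic: 3 voice packets in Q1, 6 data packets each in Q2 and Q3."""
    sched = WanScheduler(sp_queues, weights)
    for i in range(1, 4):
        sched.enqueue("Q1", f"V{i}")
    for i in range(1, 7):
        sched.enqueue("Q2", f"A{i}")
        sched.enqueue("Q3", f"B{i}")
    return sched.transmit(slots)


if __name__ == "__main__":
    # Pure SP: Q3 never gets a slot while Q2 still holds packets.
    print("SP only :", run_demo(QUEUES, {}))
    # Q1 strict, Q2..Q6 WRR with Q2 weighted 2:1 over Q3: both data queues progress.
    print("SP + WRR:", run_demo(["Q1"], {"Q2": 2, "Q3": 1}))
```

In the first run the nine slots go to V1-V3 and then A1-A6, and Q3 sends nothing; in the second, after the three voice packets the data queues alternate A, A, B. Voice enqueued later still goes out on the very next slot, which is the property that matters for the voice examples later on this page.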
-
STEP 2 To add a new traffic selector, click Add. Other options: To edit an entry, click the Edit (pencil) icon. To delete an entry, click the Delete (x) icon. The Traffic Selector - Add/Edit window opens.
STEP 3 Enter the following information:
• Class Name: Enter a descriptive name for the traffic class.
• Source Address: Choose Any or choose an existing address or address group (network) that traffic comes from.
-
NOTE: Traffic that matches the above settings is classified into this class for management purposes.
STEP 4 Click Save to apply your settings.

Configuring WAN QoS Policy Profiles

Use the QoS Policy Profile page to configure class-based policy profiles for managing traffic through the WAN interfaces.
NOTE Up to 32 WAN QoS policy profiles can be configured on the security appliance.
STEP 1 Click Networking > QoS > WAN QoS > QoS Policy Profile.
-
STEP 1 In the QoS Class Rules area, click Add to add a WAN QoS class rule. The QoS Class Rule - Add/Edit window opens.
STEP 2 Enter the following information:
• Class: Choose an existing traffic selector (traffic class) to associate with the policy profile.
• Queue: For an outbound traffic policy profile, choose the queue for sending the packets that belong to the selected traffic class.
STEP 3
-
STEP 2 To edit the policy profile settings associated with a WAN interface, click the Edit (pencil) icon. The Policy Profile to Interface Mapping - Edit window opens.
STEP 3 Enter the following information:
• Interface: The name of the WAN interface with which the policy profiles are associated.
• Inbound Policy Name: Choose an inbound policy profile for managing inbound traffic through the selected WAN interface.
-
Perform the following configuration tasks to give the voice traffic a higher priority:
• Go to the Networking > Routing > Static Routing page to add a static routing rule as follows:
  Destination Address: voice_phone_ip
  NOTE: In this case, you can manually create an IP address object called “voice_phone_ip” with the IP address 10.1.1.11 by selecting the Create a new address option.
-
• Configure WAN QoS for the inbound voice traffic. For complete details, see Configuring WAN QoS for Voice Traffic from WAN to LAN, page 165.

Configure WAN QoS for Voice Traffic from LAN to WAN

Follow these steps to configure WAN QoS to manage the outbound voice traffic from LAN to WAN:
STEP 1 Go to the Networking > QoS > WAN QoS > Queue Settings page to determine how traffic in queues is handled for the WAN port.
a.
-
b. Add two QoS class rules to associate the specified traffic classes with the QoS policy profile as follows:
  QoS Class Rule 1
    Class: Choose the traffic class called “voice-outbound-class.”
    Queue: Choose the highest queue, Q1, for the outbound voice traffic.
  QoS Class Rule 2
    Class: Choose the traffic class called “data-outbound-class.”
    Queue: Choose one queue from Q2 to Q6 for the outbound data traffic.
STEP 4
-
STEP 3 Add a QoS class rule with the following settings:
• Class: Choose the traffic class called “voice-inbound-class.”
• DSCP Marking: Choose the DSCP tag value (such as 46) for the inbound voice traffic depending on the QoS settings on your voice switch. For more information, see Understanding DSCP Values, page 171.
-
Configuring LAN Queue Settings

Use the Queue Settings page to configure whether traffic scheduling on Ethernet interfaces is based on SP, on WRR, or on a combination of the two. The security appliance supports four queues for LAN traffic, Q1 to Q4.
STEP 1 Click Networking > QoS > LAN QoS > Queue Settings.
STEP 2 Specify how LAN traffic in the queues is scheduled.
-
  LAN Queue   CoS Value
  1           6
  2           4
  3           2
  4           0
STEP 3 Click Save to apply your settings.

Mapping CoS to LAN Queue

STEP 1 Click Networking > QoS > LAN QoS > Mapping CoS to Queue.
STEP 2 Choose the traffic forwarding queue to which the CoS priority tag value is mapped. Four traffic priority queues are supported, where Q4 is the lowest and Q1 is the highest.
STEP 3 Click Save to apply your settings.
-
Configuring Default CoS

Use the Default CoS page to configure the default CoS values for incoming packets through each LAN interface. The possible field values are 0 to 7. The default value is 0.
STEP 1 Click Networking > QoS > LAN QoS > Default CoS.
STEP 2 Enter the following information:
• Default CoS: Choose the default CoS priority tag value for the LAN interfaces, where 0 is the lowest and 7 is the highest.
STEP 3
-
  802.1p Priority   802.11e Priority
  1                 1 (Background Priority)
  2                 2 (Background Priority)
  3                 4 (Video Priority)
  4                 5 (Video Priority)
  5                 6 (Voice Priority)
  6                 7 (Voice Priority)
  7                 7 (Voice Priority)

IEEE 802.11e to 802.1p Mapping
  802.11e Priority   802.
-
STEP 3 Click Save to apply your settings.

Mapping CoS to Wireless Queue

STEP 1 Click Networking > QoS > Wireless QoS > Mapping CoS to Queue.
STEP 2 Choose the traffic forwarding queue to which the CoS priority tag value is mapped.
STEP 3 Click Save to apply your settings.

Mapping DSCP to Wireless Queue

STEP 1 Click Networking > QoS > Wireless QoS > Mapping DSCP to Queue.
-
  DSCP Value   Decimal Value   Meaning
  010 100      20              AF22
  010 110      22              AF23
  011 010      26              AF31
  011 100      28              AF32
  011 110      30              AF33
  100 010      34              AF41
  100 100      36              AF42
  100 110      38              AF43

Configuring IGMP

Internet Group Management Protocol (IGMP) is a communication protocol used by hosts and adjacent routers on IP networks to establish multicast group memberships.
-
STEP 2 Enter the following information:
• IGMP Proxy: Click On to enable IGMP Proxy so that the security appliance acts as a proxy for all IGMP requests and communicates with the IGMP servers of the ISP, or click Off to disable it.
• IGMP Version: Choose either IGMP Version 1 and 2 or IGMP Version 3.
  - IGMP Version 1: Hosts can join multicast groups. There are no leave messages.
STEP 3
-
STEP 2 Check the box next to Enable Virtual Router Redundancy Protocol (VRRP) to enable VRRP, or uncheck this box to disable it.
STEP 3 If you enable VRRP, enter the following information:
• Interface: The default port of the master virtual router (your security appliance).
• Source IP: The source IP address of the master virtual router.
-
Address Management

Use the Address Management page to manage the address and address group objects. The security appliance is configured with a long list of common address objects that you can use when configuring firewall rules, port forwarding rules, or other features. See Default Address Objects, page 478.
-
- Network: A Network address object, like the Range object, comprises multiple hosts, but rather than being bound by specified upper and lower range delimiters, its boundaries are defined by a valid netmask. Network address objects must be defined by the network’s address and a corresponding netmask. As a general rule, the first address in a network (the network address) and the last address in a network (the broadcast address) are unusable.
-
STEP 7 Click Save to apply your settings.

Service Management

Use the Service Management page to maintain the service or service group objects. The security appliance is configured with a long list of standard services that you can use when configuring firewall rules, port forwarding rules, or other features. See Default Service Objects, page 474.
-
- ICMP: Internet Control Message Protocol (ICMP) is a TCP/IP protocol used to send error and control messages. If you choose this option, enter the ICMP type in the ICMP Type field.
- TCP: Transmission Control Protocol (TCP) is a transport protocol in TCP/IP. TCP ensures that a message is delivered accurately and in its entirety. If you choose this option, enter the starting port number in the Port Range Start field and the ending port number in the Port Range End field.
-
STEP 5 To remove services from the group, select the services in the right list and click the left arrow.
STEP 6 Click OK to save your settings.
STEP 7 Click Save to apply your settings.

Configuring Captive Portal

You may want to direct users to a web portal before they can access the Internet through the security appliance. To achieve this goal, you can enable Captive Portal on a wireless network, a VLAN, or a DMZ.
-
A computer accessing the Captive Portal must have one of these operating systems:
• Windows 7
• Windows XP
• Mac OS
Captive Portal also can be used from a mobile device with one of these operating systems:
• iOS (iPhone, iPad)
• Android

Before You Begin

Before you configure your portal, you may need to configure VLANs, SSIDs, and users. Read the following information to determine what steps may be needed to achieve your goals.
-
Wireless Setup

For a Captive Portal on the wireless network, you must enable the wireless radio and at least one SSID before you can enable a Captive Portal. To configure these settings, use the Wireless > Basic Settings page.
• Enable the wireless radio.
• Enable the SSID(s) that you want to use for the portal.
• If you created a special VLAN for use with your Captive Portal, assign it to the SSID(s) that you want to use for the portal.
-
• Internal, no auth with accept button: Uses the default HotSpot Login page and does not require a login. A user simply clicks the Accept button to access the Internet.
• External: Uses a custom HotSpot Login page on the specified external web server and requires a login.
• External, no auth with accept button: Uses a custom HotSpot Login page on the specified external web server and does not require a login.
-
STEP 6 If you chose Internal or Internal, no auth with accept button, set up the default HotSpot Login page:
• Logo File: You can import an image, such as your corporate logo, to display on the login page. Click Browse to locate and select an image file from your local PC and then click Upload. To delete the loaded file, click Delete.
• Background File: You can import an image to display as the background for the login page.
-
STEP 7 If you chose External or External, no auth with accept button, specify these settings for your external portal page:
• Authentication Web Server: Enter the full URL of the external web server (including https://), for example https://172.24.10.10/cgi-bin/PortalLogin.cgi. Use https: the key below only masks the credentials inside the request and is not a substitute for an encrypted connection between the user, the portal server, and the appliance.
• Authentication Web Key: Enter the key used to protect the username and password that the external web server sends to the security appliance for authentication. Treat it as a shared secret: it must equal the uamsecret value in the portal's CGI script, and anyone who holds it can unmask the passwords submitted through the portal.
STEP 8
-
STEP 9 If you want to bypass the portal for certain IP addresses, add them in the Advanced Settings > Open Domains area.
a. Click Add.
b. Enter the IP address or domain name in the Domain field.
c. Click OK to save your settings.
STEP 10 Click Save to apply your settings.

Troubleshooting

Problem 1: User is not redirected to the portal page when the internal web authentication type is chosen.
-
the VLAN that Captive Portal users join should be able to access the web server.
• Check whether the web server has any issues.

Using External Web-Hosted CGI Scripts

The following CGI script asks for the authentication information of a user. The secret string programmed in the uamsecret variable must be configured as the Authentication Web Key on the Captive Portal page. Replace the MySMB string in the following section with your company name.
-
# Make sure that the POST body parameters are clean: anything outside the allow-list becomes "_"
$OK_CHARS='-a-zA-Z0-9_.@&=%!';
$| = 1;
if ($ENV{'CONTENT_LENGTH'}) {
    read (STDIN, $_, $ENV{'CONTENT_LENGTH'});
}
s/[^$OK_CHARS]/_/go;
$input = $_;

# Make sure that the get query parameters are clean
$OK_CHARS='-a-zA-Z0-9_.@&=%!';
$_ = $query=$ENV{QUERY_STRING};
s/[^$OK_CHARS]/_/go;
$query = $_;

# If she did not use https tell her that it was wrong.
-
# Pull the named parameters out of each name=value pair of the query string
@array2 = split('=',$var);
if ($array2[0] =~ /^UserName$/) { $username = $array2[1]; }
if ($array2[0] =~ /^Password$/) { $password = $array2[1]; }
if ($array2[0] =~ /^challenge$/) { $challenge = $array2[1]; }
if ($array2[0] =~ /^button$/) { $button = $array2[1]; }
if ($array2[0] =~ /^logout$/) { $logout = $array2[1]; }
if ($array2[0] =~ /^prelogin$/) { $prelogin = $array2[1]; }
if ($array2[0] =~ /^res$/) { $res = $array2[1]; }
if ($array2[0] =~ /^uamip$/) { $uamip = $array2[1]; }
-
# Mask the password with the challenge-derived key; the 32-hex-digit result is what goes back to the appliance
$pappassword = unpack "H32", ($password ^ $newchal);
#sleep 5;
print "Content-type: text/html\n\n";
print "
-
# If login successful
if ($res =~ /^success$/) { $result = 1; }
# If login failed
if ($res =~ /^failed$/) { $result = 2; }
# If logout successful
if ($res =~ /^logoff$/) { $result = 3; }
# If tried to login while already logged in
if ($res =~ /^already$/) { $result = 4; }
# If not logged in yet
if ($res =~ /^notyet$/) { $result = 5; }
# If login from smart client
if ($res =~ /^smartclient$/) { $result = 6; }
# If requested a logging in pop up window
if ($
-
MySMB Login Failed
Login must be performed through MySMB daemon.
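The following Python port, added here as an example (it is neither Cisco's code nor part of the script above), reproduces the three pieces of the script that matter for security: the character allow-list, the parameter loop, and the password masking that is sent back as pappassword. The derivation of $newchal is not on this page; the ChilliSpot convention the script follows (MD5 over the raw 16-byte challenge and uamsecret) is assumed. All values are constructed test data.

```python
"""Python port of the security-relevant pieces of the portal CGI script above.
Added example, not Cisco's code and not part of the script.

- sanitize()       mirrors  s/[^$OK_CHARS]/_/go
- parse_query()    mirrors the split('&') / split('=') parameter loop
- mask_password()  mirrors  $pappassword = unpack "H32", ($password ^ $newchal)

Assumption: $newchal = MD5(pack("H32", $challenge) . $uamsecret), the
ChilliSpot convention; the page does not show that line.
"""
import hashlib
import re

OK_CHARS = "-a-zA-Z0-9_.@&=%!"          # the script's $OK_CHARS allow-list
_BAD = re.compile(f"[^{OK_CHARS}]")


def sanitize(raw: str) -> str:
    """Replace every character outside the allow-list with '_' (nothing is %-decoded)."""
    return _BAD.sub("_", raw)


def parse_query(query: str) -> dict:
    """name=value pairs; like the Perl split('='), only the first '=' separates."""
    params = {}
    for var in query.split("&"):
        parts = var.split("=")
        if len(parts) >= 2:
            params[parts[0]] = parts[1]
    return params


def challenge_key(challenge_hex: str, uam_secret: str) -> bytes:
    """Assumed derivation of $newchal: MD5 over the raw challenge bytes and the shared secret."""
    return hashlib.md5(bytes.fromhex(challenge_hex) + uam_secret.encode()).digest()


def mask_password(password: str, challenge_hex: str, uam_secret: str) -> str:
    """Perl's string XOR pads the shorter operand with NULs and unpack "H32" keeps
    16 bytes, so only the first 16 bytes of the password survive the masking."""
    key = challenge_key(challenge_hex, uam_secret)
    pw = password.encode()[:16].ljust(16, b"\0")
    return bytes(a ^ b for a, b in zip(pw, key)).hex()


def unmask_password(pappassword_hex: str, challenge_hex: str, uam_secret: str) -> str:
    """What any holder of the same secret does to recover the submitted password."""
    key = challenge_key(challenge_hex, uam_secret)
    masked = bytes.fromhex(pappassword_hex)
    return bytes(a ^ b for a, b in zip(masked, key)).rstrip(b"\0").decode()


if __name__ == "__main__":
    chal = "00112233445566778899aabbccddeeff"   # constructed 16-byte challenge, hex encoded
    secret = "uamsecret"                          # must equal the Authentication Web Key
    q = sanitize("UserName=alice&Password=p<script>&challenge=" + chal)
    p = parse_query(q)
    masked = mask_password(p["Password"], p["challenge"], secret)
    print("sanitized query:", q)
    print("pappassword    :", masked)
    print("recovered      :", unmask_password(masked, p["challenge"], secret))
```

Two properties fall out of the port: the allow-list neutralises markup in parameters but leaves percent-encoded input untouched, and the XOR mask truncates passwords to 16 bytes, so a 20-character password and its first 16 characters produce the same pappassword. Both the challenge and pappassword travel as plain request parameters, which is why the Authentication Web Server URL has to be https.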