User Guide

Manuals Brands Casio Manuals Other ISA550WBUN3K9

Cisco Small Business

ISA500 Series Integrated Security Appliances

(ISA550, ISA550W, ISA570, ISA570W)

ADMINISTRATION

GUIDE

Summary of content (479 pages)

PAGE 1

ADMINISTRATION GUIDE Cisco Small Business ISA500 Series Integrated Security Appliances (ISA550, ISA550W, ISA570, ISA570W)
PAGE 2

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) © 2013 Cisco Systems, Inc. All rights reserved.
PAGE 3

Federal Communication Commission Interference Statement (For ISA570 and ISA570W) This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
PAGE 4

The availability of some specific channels and/or operational frequency bands are country dependent and are firmware programmed at the factory to match the intended destination. The firmware setting is not accessible by the end user. Industry Canada statement: This device complies with RSS-210 of the Industry Canada Rules.
PAGE 5

Conformément à la réglementation d'Industrie Canada, le présent émetteur radio peutfonctionner avec une antenne d'un type et d'un gain maximal (ou inférieur) approuvé pourl'émetteur par Industrie Canada. Dans le but de réduire les risques de brouillage radioélectriqueà l'intention des autres utilisateurs, il faut choisir le type d'antenne et son gain de sorte que lapuissance isotrope rayonnée équivalente (p.i.r.e.) ne dépasse pas l'intensité nécessaire àl'établissement d'une communication satisfaisante.
PAGE 6

Contents Chapter 1: Getting Started 19 Introduction 20 Product Overview 21 Front Panel 21 Back Panel 23 Getting Started with the Configuration Utility 25 Logging in to the Configuration Utility 26 Navigating Through the Configuration Utility 27 Using the Help System 28 Configuration Utility Icons 28 Factory Default Settings 30 Default Settings of Key Features 30 Restoring the Factory Default Settings 31 Performing Basic Configuration Tasks 32 Changing the Default Administrator P
PAGE 7

Contents Configuring DMZ Services 45 Configuring Wireless Radio Settings 47 Configuring Intranet WLAN Access 48 Configure Security Services 49 Viewing Configuration Summary 50 Using the Dual WAN Wizard to Configure WAN Redundancy Settings 51 Starting the Dual WAN Wizard 51 Configuring a Configurable Port as a Secondary WAN Port 51 Configuring the Primary WAN 52 Configuring the Secondary WAN 52 Configuring WAN Redundancy 52 Configuring Network Failure Detection 53 Viewing Configurati
PAGE 8

Contents Configuring Transform Policies 69 Configuring Local and Remote Networks 70 Viewing Configuration Summary 70 Using the DMZ Wizard to Configure DMZ Settings 71 Starting the DMZ Wizard 71 Configuring DDNS Profiles 71 Configuring DMZ Network 72 Configuring DMZ Services 74 Viewing Configuration Summary 76 Using the Wireless Wizard (for ISA550W and ISA570W only) 76 Starting the Wireless Wizard 76 Configuring Wireless Radio Settings 76 Configuring Wireless Connectivity Types 77
PAGE 9

Contents NAT Status 100 VPN Status 101 IPsec VPN Status 101 SSL VPN Status 103 Active User Sessions 105 Security Services Reports 106 Web Security Report 106 Anti-Virus Report 107 Email Security Report 108 Network Reputation Report 109 IPS Report 110 Application Control Report 111 System Status 112 Processes 112 Resource Utilization 113 Chapter 4: Networking 115 Viewing Network Status 116 Configuring IPv4 or IPv6 Routing 116 Managing Ports 116 Viewing Status of Physica
PAGE 10

Contents Configuring DMZ 141 Configuring Zones 146 Security Levels for Zones 146 Predefined Zones 147 Configuring Zones 147 Configuring DHCP Reserved IPs 149 Configuring Routing 149 Viewing the Routing Table 150 Configuring Routing Mode 150 Configuring Static Routing 151 Configuring Dynamic Routing - RIP 152 Configuring Policy-Based Routing 153 Configuring Quality of Service 155 General QoS Settings 155 Configuring WAN QoS 156 Managing WAN Bandwidth for Upstream Traffic 156
PAGE 11

Contents Configuring IGMP 172 Configuring VRRP 173 Address Management 175 Configuring Addresses 175 Configuring Address Groups 176 Service Management 177 Configuring Services 177 Configuring Service Groups 178 Configuring Captive Portal 179 Requirements 179 Before You Begin 180 VLAN Setup 180 Wireless Setup 181 User Authentication 181 Configuring a Captive Portal 181 Troubleshooting 185 Using External Web-Hosted CGI Scripts 186 CGI Source Code Example: No Authentication an
PAGE 12

Contents Requirements 222 Before You Begin 222 VLAN Setup 222 Wireless Setup 223 User Authentication 223 Configuring a Captive Portal 223 Troubleshooting 227 Using External Web-Hosted CGI Scripts 228 CGI Source Code Example: No Authentication and Accept Button 237 Related Information 246 Configuring Wireless Rogue AP Detection 247 Advanced Radio Settings 248 Chapter 6: Firewall 251 Configuring Firewall Rules to Control Inbound and Outbound Traffic 252 About Security Zones 252
PAGE 13

Contents Configuring an Advanced NAT Rule to Support NAT Hairpinning Firewall and NAT Rule Configuration Examples 272 274 Allowing Inbound Traffic Using the WAN IP Address 274 Allowing Inbound Traffic Using a Public IP Address 276 Allowing Inbound Traffic from Specified Range of Outside Hosts 279 Blocking Outbound Traffic by Schedule and IP Address Range 280 Blocking Outbound Traffic to an Offsite Mail Server 280 Configuring Content Filtering to Control Internet Access 281 Configuring Content
PAGE 14

Contents Configuring Advanced Anti-Virus Settings 306 Configuring HTTP Notification 307 Configuring Email Notification 307 Updating Anti-Virus Signatures 308 Configuring Application Control Configuring Application Control Policies 309 310 General Application Control Policy Settings 310 Adding an Application Control Policy 311 Permitting or Blocking Traffic for all Applications in a Category 312 Permitting or Blocking Traffic for an Application 313 General Application Control Settings 314
PAGE 15

Contents Configuration Tasks to Establish a Site-to-Site VPN Tunnel 341 General Site-to-Site VPN Settings 341 Configuring IPsec VPN Policies 343 Configuring IKE Policies 349 Configuring Transform Sets 351 Remote Teleworker Configuration Examples 352 Configuring IPsec Remote Access 355 Cisco VPN Client Compatibility 356 Enabling IPsec Remote Access 357 Configuring IPsec Remote Access Group Policies 357 Allowing IPsec Remote VPN Clients to Access the Internet 360 Configuring Teleworker
PAGE 16

Contents Chapter 9: User Management 388 Viewing Active User Sessions 388 Configuring Users and User Groups 389 Default User and User Group 389 Available Services for User Groups 389 Preempt Administrators 390 Configuring Local Users 390 Configuring Local User Groups 391 Configuring User Authentication Settings 393 Using Local Database for User Authentication 394 Using RADIUS Server for User Authentication 394 Using Local Database and RADIUS Server for User Authentication 397 Using L
PAGE 17

Contents Generating New Certificate Signing Requests 422 Importing Signed Certificate for CSR from Your Local PC 423 Configuring Cisco Services and Support Settings 424 Configuring Cisco.
PAGE 18

Contents Configuring Log Facilities 447 Rebooting and Resetting the Device 448 Restoring the Factory Default Settings 448 Rebooting the Security Appliance 449 Configuring Schedules Appendix A: Troubleshooting 449 453 Internet Connection 453 Date and Time 456 Pinging to Test LAN Connectivity 457 Testing the LAN Path from Your PC to Your Security Appliance 457 Testing the LAN Path from Your PC to a Remote Device 458 Appendix B: Technical Specifications and Environmental Requirements 45
PAGE 19

1 Getting Started This chapter provides an overview of the Cisco ISA500 Series Integrated Security Appliance and describes basic configuration tasks to help you configure your security appliance.
PAGE 20

1 Getting Started Introduction Introduction Thank you for choosing the Cisco ISA500 Series Integrated Security Appliance, a member of the Small Business Family.
PAGE 21

1 Getting Started Product Overview Product Overview Before you use the security appliance, become familiar with the lights on the front panel and the ports on the rear panel.
PAGE 22

1 Getting Started Product Overview Front Panel Lights The following table describes the lights on the front panel of the security appliance. These lights are used for monitoring system activity. Light Description POWER/SYS Indicates the power and system status. VPN USB WLAN (ISA550W and ISA570W only) • Solid green when the system is powered on and is operating normally. • Flashes green when the system is booting.
PAGE 23

1 Getting Started Product Overview Light Description SPEED Indicates the traffic rate of the associated port. LINK/ACT • Off when the traffic rate is 10 or 100 Mbps. • Solid green when the traffic rate is 1000 Mbps. Indicates that a connection is being made through the port. • Solid green when the link is up. • Flashes green when the port is transmitting and receiving data. Back Panel The back panel is where you connect the network devices. The ports on the panel vary depending on the model.
PAGE 24

1 Getting Started Product Overview ISA570 and ISA570W Back Panel Power Switch Reset Button ANT02 ANT01 10 9 8 7 6 5 4 3 2 1 12VDC A NT02 I / CONFIGURABLE USB Port Configurable Ports LAN LAN Ports WA N WAN Port RESET O POWER 281981 A NT01 Power Connector Back Panel Descriptions Feature Description ANT01/ANT02 Threaded connectors for the antennas (for ISA550W and ISA570W only). USB Port Connects the unit to a USB device.
PAGE 25

1 Getting Started Getting Started with the Configuration Utility Feature Description RESET Button To reboot the unit, push and release the RESET button for less than 3 seconds. To restore the unit to its factory default settings, push and hold the RESET button for more than 3 seconds while the unit is powered on and the POWER/SYS light is solid green. The POWER/SYS light will flash green when the system is rebooting. Power Switch Powers the unit on or off.
PAGE 26

Getting Started Getting Started with the Configuration Utility 1 Logging in to the Configuration Utility STEP 1 Connect your computer to an available LAN port on the back panel. Your PC will become a DHCP client of the security appliance and will receive an IP address in the 192.168.75.x range. STEP 2 Start a web browser. In the address bar, enter the default IP address of the security appliance: 192.168.75.1. NOTE: The above address is the factory default LAN address.
PAGE 27

1 Getting Started Getting Started with the Configuration Utility Navigating Through the Configuration Utility Use the left hand navigation pane to perform the tasks in the Configuration Utility. 2 1 Number Component Description 1 Left Hand Navigation Pane The left hand navigation pane provides easy navigation through the configurable features. The main branches expand to provide the features. Click the main branch title to expand its contents.
PAGE 28

1 Getting Started Getting Started with the Configuration Utility Using the Help System The Configuration Utility provides a context-sensitive help file for all configuration tasks. To view the Help page, click the Help link in the top right corner of the screen. A new window opens with information about the page that you are currently viewing. Configuration Utility Icons The Configuration Utility has icons for commonly used configuration options.
PAGE 29

1 Getting Started Getting Started with the Configuration Utility Icon Description Action Forced Authorized icon Disable 802.1x access control and cause the port to transition to the authorized state without any authentication exchange required. Forced Unauthorized icon Cause the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. Auto icon Enable 802.
PAGE 30

1 Getting Started Factory Default Settings Factory Default Settings The security appliance is preconfigured with settings to allow you to start using the device with minimal changes. Depending on the requirements of your Internet Service Provider (ISP) and the needs of your business, you may need to modify some of these settings. You can use the Configuration Utility to customize all settings, as needed.
PAGE 31

1 Getting Started Factory Default Settings • Configurable Ports: Any configurable port can be configured to be a WAN, DMZ, or LAN port. By default, all configurable ports are set to be LAN ports. Only one configurable port can be configured as a WAN port at a time (See Configuring the WAN, page122). Up to four configurable ports can be configured as DMZ ports (see Configuring DMZ, page141). • Wireless Network (for ISA550W and ISA570W only): ISA550W and ISA570W are configured with four SSIDs.
PAGE 32

1 Getting Started Performing Basic Configuration Tasks green. Release the button and wait for the unit to reboot. The POWER/SYS light will flash green when the system is rebooting. • Or launch the Configuration Utility and login. Click Device Management > Reboot/Reset in the left hand navigation pane. In the Reset Device area, click Reset to Factory Defaults. After a restore to factory defaults, the following settings apply: Parameter Default Value Username cisco Password cisco LAN IP 192.168.
PAGE 33

Getting Started Performing Basic Configuration Tasks • 1 New password: Enter a new administrator password. Passwords are case sensitive. NOTE: A password requires a minimum of 8 characters, including at least three of these character classes: uppercase letters, lowercase letters, digits, and special characters. Do not repeat any password more than three times in a row. Do not set the password as the username or “cisco.” Do not capitalize or spell these words backwards.
PAGE 34

Getting Started Performing Basic Configuration Tasks 1 NOTE: You can click Install Later to upgrade the firmware later. An Upgrade Available link will be displayed at the top right corner of the screen and the Setup Wizard will now launch. We strongly recommend that you upgrade the firmware immediately. STEP 4 Validate your Cisco.com account credentials through the Internet. If your Cisco.com account credentials are valid, the security appliance starts downloading and installing the firmware.
PAGE 35

2 Configuration Wizards This chapter describes how to use the configuration wizards to configure the security appliance.
PAGE 36

Configuration Wizards Using the Setup Wizard for the Initial Configuration 2 Using the Setup Wizard for the Initial Configuration Use the Setup Wizard to quickly configure the primary features of your security appliance, such as Cisco.com account credentials, security license, remote administration, port, WAN, LAN, DMZ, WAN redundancy, WLAN (for ISA550W and ISA570W only), and security services. Refer to the following steps: • Starting the Setup Wizard, page 37 • Configuring Cisco.
PAGE 37

Configuration Wizards Using the Setup Wizard for the Initial Configuration 2 • A valid Cisco.com account for validating the security license and upgrading your firmware to the latest version from Cisco.com. To register a Cisco.com account, go to https:// tools.cisco.com/RPF/register/register.do. • The Product Authorization Key (PAK), or license code, for validating the security license and activating security services.
PAGE 38

Configuration Wizards Using the Setup Wizard for the Initial Configuration 2 NOTE: You can configure your Cisco.com account credentials on the Device Management > Cisco Services & Support > Cisco.com Account page after the Setup Wizard is complete. See Configuring Cisco.com Account, page 424. STEP 5 If your Cisco.com account credentials are invalid, click OK to return to the Cisco.com Credentials page. Correct your Cisco.com account credentials and then click Next to verify them again.
PAGE 39

Configuration Wizards Using the Setup Wizard for the Initial Configuration 2 Validating Security License STEP 10 Use the License Installation page to validate the security license, which is used to activate security services on the device. STEP 11 If the security license is already installed on the security appliance, click Next to proceed next step.
PAGE 40

Configuration Wizards Using the Setup Wizard for the Initial Configuration 2 Configuring Remote Administration STEP 16 Use the Remote Administration page to configure the remote management settings. The security appliance allows remote management securely by using HTTPS and HTTP, for example https://xxx.xxx.xxx.xxx:8080. • Remote Administration: Click On to enable remote management by using HTTPS, or click Off to disable it. We recommend that you use HTTPS for secure remote management.
PAGE 41

Configuration Wizards Using the Setup Wizard for the Initial Configuration 2 Configuring Physical Ports STEP 18 Use the Port Configuration page to specify the port configuration. If you are using the ISA570 or ISA570W, choose one of the following options: • 1 WAN, 9 LAN switch: One WAN port (WAN1) and nine LAN ports are configured. • 1 WAN, 1 DMZ, 8 LAN switch: One WAN port (WAN1), one DMZ port, and eight LAN ports are configured. The configurable port GE10 is set as a DMZ port.
PAGE 42

Configuration Wizards Using the Setup Wizard for the Initial Configuration 2 Configuring the Primary WAN STEP 20 Use the Primary WAN Connection page to configure the primary WAN connection by using the account information provided by your ISP. • WAN Name: The name of the primary WAN port. • IP Address Assignment: Depending on the requirements of your ISP, choose the network addressing mode and configure the corresponding fields for the primary WAN port.
PAGE 43

Configuration Wizards Using the Setup Wizard for the Initial Configuration 2 - Weighted By Percentage: If you choose this option, specify the percentage of bandwidth for each WAN, such as 80% for WAN1 and 20% for WAN2. - Weighted by Link Bandwidth: If you choose this option, specify the amount of bandwidth for each WAN, such as 80 Mbps for WAN1 and 20 Mbps for WAN2. NOTE: The Weighted by Link Bandwidth option has the same effect as the Weighted by Percentage option.
PAGE 44

Configuration Wizards Using the Setup Wizard for the Initial Configuration 2 - DHCP Server: Allows the security appliance to act as a DHCP server and assigns IP addresses to all devices that are connected to the LAN. Any new DHCP client joining the LAN is assigned an IP address of the DHCP pool. - DHCP Relay: Allows the security appliance to use a DHCP Relay. If you choose DHCP Relay, enter the IP address of the remote DHCP server in the Relay IP field.
PAGE 45

Configuration Wizards Using the Setup Wizard for the Initial Configuration • 2 DHCP Mode: Choose one of the following DHCP modes: - Disable: Choose this option if the computers on the DMZ are configured with static IP addresses or are configured to use another DHCP server. - DHCP Server: Allows the security appliance to act as a DHCP server and assigns IP addresses to all devices that are connected to the DMZ. Any new DHCP client joining the DMZ is assigned an IP address of the DHCP pool.
PAGE 46

Configuration Wizards Using the Setup Wizard for the Initial Configuration 2 STEP 34 In the DMZ Service - Add/Edit window, enter the following information: • Original Service: Choose a service as the incoming service. • Translated Service: Choose a service as the translated service or choose Original if the translated service is same as the incoming service. If the service that you want is not in the list, choose Create a new service to create a new service object.
PAGE 47

2 Configuration Wizards Using the Setup Wizard for the Initial Configuration For example, you host an RDP server (192.168.12.101) on the DMZ. Your ISP has provided a static IP address (172.39.202.102) that you want to expose to the public as your RDP server address. You can create a DMZ service as follows to allow Internet user to access the RDP server by using the specified public IP address.
PAGE 48

Configuration Wizards Using the Setup Wizard for the Initial Configuration • 2 - 802.11b/g/n mixed: Choose this mode to allow 802.11b, 802.11g, and 802.11n clients operating in the 2.4 GHz frequency to connect to the access point. - 802.11n only: Choose this mode if all devices in the wireless network can support 802.11n. Only 802.11n clients operating in the 2.4 GHz frequency can connect to the access point.
PAGE 49

Configuration Wizards Using the Setup Wizard for the Initial Configuration 2 Configure Security Services STEP 41 Use the Security Services page to enable security services and to specify how to handle the affected traffic when the reputation-based security services are unavailable. NOTE: • Enabling a security service will apply its default settings on the security appliance to provide a moderate level of protection.
PAGE 50

Configuration Wizards Using the Setup Wizard for the Initial Configuration 2 appliance. The SMTP server or the clients that use this SMTP server can be configured to respond to the spam and suspected spam tags that the security appliance applies to the emails. • Web Reputation Filtering: Web Reputation Filtering prevents client devices from accessing dangerous websites containing viruses, spyware, malware, or phishing links.
PAGE 51

Configuration Wizards Using the Dual WAN Wizard to Configure WAN Redundancy Settings 2 Using the Dual WAN Wizard to Configure WAN Redundancy Settings If you have two ISP links, a backup WAN is required so that you can provide backup connectivity or load balancing. Use the Dual WAN Wizard to configure the WAN redundancy settings.
PAGE 52

Configuration Wizards Using the Dual WAN Wizard to Configure WAN Redundancy Settings 2 Configuring the Primary WAN STEP 5 STEP 6 Use the Primary WAN Connection page to configure the primary WAN connection by using the account information provided by your ISP. • WAN Name: The name of the primary WAN port. • IP Address Assignment: Depending on the requirements of your ISP, choose the network addressing mode and configure the corresponding fields for the primary WAN port.
PAGE 53

Configuration Wizards Using the Dual WAN Wizard to Configure WAN Redundancy Settings - 2 Weighted by Link Bandwidth: If you choose this option, specify the amount of bandwidth for each WAN, such as 80 Mbps for WAN1 and 20 Mbps for WAN2, which indicates that 80% bandwidth is distributed to WAN1 and at least 20% bandwidth is distributed to WAN2. NOTE: The Weighted by Link Bandwidth option has the same effect with the Weighted by Percentage option.
PAGE 54

Configuration Wizards Using the Remote Access VPN Wizard 2 STEP 12 After you are finished, click Next. Viewing Configuration Summary STEP 13 Use the Summary page to view information about the configuration. STEP 14 To modify any settings, click Back. If the configuration is correct, click Finish to apply your settings.
PAGE 55

2 Configuration Wizards Using the Remote Access VPN Wizard • Configuring WAN Settings, page 56 • Configuring Operation Mode, page 56 • Configuring Access Control Settings, page 57 • Configuring DNS and WINS Settings, page 57 • Configuring Backup Servers, page 58 • Configuring Split Tunneling, page 58 • Viewing Group Policy Summary, page 58 • Configuring IPsec Remote Access User Groups, page 59 • Viewing IPsec Remote Access Summary, page 59 Starting the Remote Access VPN Wizard STEP 1 Cl
PAGE 56

2 Configuration Wizards Using the Remote Access VPN Wizard NOTE: You must have valid CA certificates imported on your security appliance before you use the digital certificates to authenticate. Go to the Device Management > Certificate Management page to import the CA certificates. See Managing Certificates for Authentication, page 418. STEP 5 After you are finished, click Next. Configuring WAN Settings STEP 6 Use the WAN page to choose the WAN port that traffic passes through over the VPN tunnel.
PAGE 57

2 Configuration Wizards Using the Remote Access VPN Wizard the IPsec VPN server can assign the IP addresses to the outside interfaces of remote VPN clients. To define the pool range for remote VPN clients, enter the starting and ending IP addresses in the Start IP and End IP fields. • STEP 9 NEM: Choose this mode for the group policy that is only used for the Cisco device that supports the Cisco VPN hardware client in NEM mode.
PAGE 58

Configuration Wizards Using the Remote Access VPN Wizard 2 Configuring Backup Servers STEP 14 Use the Backup Server page to optionally specify up to three IPsec VPN servers as backup. When the connection to the primary server fails, remote VPN clients can attempt to connect to the backup servers. Backup Server 1/2/3: Enter the IP address or domain name for the backup server. The backup server 1 has the highest priority and the backup server 3 has the lowest priority.
PAGE 59

Configuration Wizards Using the Remote Access VPN Wizard 2 Configuring IPsec Remote Access User Groups STEP 20 Use the IPsec Remote Access - User Group page to configure the users and user groups for IPsec remote access. The IPsec Remote Access service must be enabled for each user group. All members of the user groups can use the specified group policy to establish the VPN connections. STEP 21 Click Add to add a user group. Other options: To edit an entry, click the Edit (pencil) icon.
PAGE 60

Configuration Wizards Using the Remote Access VPN Wizard 2 After the settings are saved, the security appliance is set as an IPsec VPN server. Remote users that belong to the specified user groups can use the specified group policy to establish the VPN connections. If you check Client Internet Access, the corresponding advanced NAT rules are automatically created to allow remote VPN clients to access the Internet over the VPN tunnels.
PAGE 61

2 Configuration Wizards Using the Remote Access VPN Wizard permit the port to ensure delivery of packets destined for the SSL VPN gateway. The SSL VPN clients need to enter the entire address pair “Gateway IP address: Gateway port number” for connecting purposes. • Certificate File: Choose the default certificate or an imported certificate to authenticate users who try to access your network resource through the SSL VPN tunnels.
PAGE 62

Configuration Wizards Using the Remote Access VPN Wizard STEP 6 2 • Client Domain: Enter the domain name that should be pushed to the SSL VPN clients. • Login Banner: After the SSL VPN user logged in, a configurable login banner is displayed. Enter the message text to display along with the banner. In the Gateway (Advanced) area, enter the following information: • Idle Timeout: Enter the timeout value in seconds that the SSL VPN session can remain idle. The default value is 2100 seconds.
PAGE 63

2 Configuration Wizards Using the Remote Access VPN Wizard NOTE: Up to 32 SSL VPN group policies can be configured on the security appliance. STEP 9 Click Add to add a new SSL VPN group policy. Other options: To edit an entry, click the Edit (pencil) icon. To delete an entry, click the Delete (x) icon. To delete multiple entries, check them and click Delete. STEP 10 In the Basic Settings tab, enter the following information: • Policy Name: Enter the name for the SSL VPN group policy.
PAGE 64

2 Configuration Wizards Using the Remote Access VPN Wizard STEP 12 In the Split Tunneling Settings area, enter the following information: Split tunneling permits specific traffic to be carried outside of the SSL VPN tunnel. Traffic is either included (resolved in tunnel) or excluded (resolved through the ISP or WAN connection). Tunnel resolution configuration is mutually exclusive. An IP address cannot be both included and excluded at the same time.
PAGE 65

Configuration Wizards Using the Remote Access VPN Wizard 2 for tunneling DNS requests to destinations in the private network, enter the IP address or domain name in the field and click Add. To delete a domain, select it from the list and click Delete. STEP 13 In the Zone-based Firewall Settings area, you can control access from the SSL VPN clients to the zones over the SSL VPN tunnels. Click Permit to permit access, or click Deny to deny access.
PAGE 66

Configuration Wizards Using the Site-to-Site VPN Wizard to Configure Site-to-Site VPN • 2 To create a new member, enter the username in the User Name field and the password in the Password field, enter the same password in the Password Confirm field for confirmation, and then click Create. STEP 20 Click OK to save your settings. STEP 21 After you are finished, click Next.
PAGE 67

Configuration Wizards Using the Site-to-Site VPN Wizard to Configure Site-to-Site VPN 2 Starting the Site-to-Site VPN Wizard STEP 1 Click Configuration Wizards > Site-to-Site VPN Wizard. STEP 2 Click Next. Configuring VPN Peer Settings STEP 3 Use the VPN Peer Settings page to configure an IPsec VPN policy for establishing the VPN connection with a remote router. • Profile Name: Enter the name for the IPsec VPN policy.
PAGE 68

Configuration Wizards Using the Site-to-Site VPN Wizard to Configure Site-to-Site VPN STEP 4 2 After you are finished, click Next. Configuring IKE Policies STEP 5 Use the IKE Policies page to configure the IKE policies and to specify an IKE policy for the IPsec VPN policy. You can choose the default or a custom IKE policy. STEP 6 Click Add to add an IKE policy. Other options: To edit an entry, click Edit. To delete an entry, select it and click Delete.
PAGE 69

Configuration Wizards Using the Site-to-Site VPN Wizard to Configure Site-to-Site VPN • 2 Group 14 (2048-bit) Lifetime: Enter the number of seconds for the IKE Security Association (SA) to remain valid. As a general rule, a shorter lifetime provides more secure ISAKMP negotiations. However, with shorter lifetimes, the security appliance sets up future IKE SAs more quickly. STEP 8 Click OK to save your settings. STEP 9 After you are finished, click Next.
PAGE 70

Configuration Wizards Using the Site-to-Site VPN Wizard to Configure Site-to-Site VPN 2 STEP 13 Click OK to save your settings. STEP 14 After you are finished, click Next. Configuring Local and Remote Networks STEP 15 Use the Local and Remote VPN Networks page to configure the local and remote networks. • Local Subnet: Choose the IP address for your local network.
PAGE 71

Configuration Wizards Using the DMZ Wizard to Configure DMZ Settings • 2 If you only want to create the IPsec VPN policy and do not want to immediately activate the connection after the settings are saved, click Do Not Activate. The connection will be triggered by any traffic that matches this IPsec VPN policy and the VPN tunnel will be set up automatically. You can also go to the VPN > Site-to-Site > IPsec Policies page to manually establish the VPN connection by clicking the Connect icon.
PAGE 72

Configuration Wizards Using the DMZ Wizard to Configure DMZ Settings STEP 5 2 Enter the following information: • Service: Choose either DynDNS or No-IP service. NOTE: You must sign up for an account with either one of these providers before you can use this service. • Active On Startup: Click On to activate the DDNS setting when the security appliance starts up. • WAN Interface: Choose the WAN port for the DDNS service. Traffic for DDNS services will pass through the specified WAN port.
PAGE 73

Configuration Wizards Using the DMZ Wizard to Configure DMZ Settings 2 STEP 10 In the Basic Setting tab, enter the following information: • Name: Enter the name for the DMZ. • IP: Enter the subnet IP address for the DMZ. • Netmask: Enter the subnet mask for the DMZ. • Spanning Tree: Check this box to enable the Spanning Tree feature to determine if there are loops in the network topology. • Port: Choose a configurable port from the Port list and add it to the Member list.
PAGE 74

Configuration Wizards Using the DMZ Wizard to Configure DMZ Settings 2 • WINS2: Optionally, enter the IP address of a secondary WINS server. • Domain Name: Optionally, enter the domain name for the DMZ. • Default Gateway: Enter the IP address of default gateway. STEP 13 Click OK to save your settings. STEP 14 After you are finished, click Next. Configuring DMZ Services STEP 15 Use the DMZ Service page to configure the DMZ services. STEP 16 Click Add to create a DMZ service.
PAGE 75

2 Configuration Wizards Using the DMZ Wizard to Configure DMZ Settings • WAN IP: Specify the public IP address for the server. You can use the IP address of the selected WAN port or a public IP address that is provided by your ISP. When you choose Both as the incoming WAN port, this option is grayed out. • Enable DMZ Service: Click On to enable the DMZ service, or click Off to create only the DMZ service.
PAGE 76

Configuration Wizards Using the Wireless Wizard (for ISA550W and ISA570W only) 2 Viewing Configuration Summary STEP 20 Use the Summary page to view information for the configuration. STEP 21 To modify any settings, click Back. If the configuration is correct, click Finish to apply your settings. Using the Wireless Wizard (for ISA550W and ISA570W only) If you are using the ISA550W or ISA570W, you can use the Wireless Wizard to configure your wireless network.
PAGE 77

Configuration Wizards Using the Wireless Wizard (for ISA550W and ISA570W only) • STEP 4 2 - 802.11b/g/n mixed: Choose this mode to allow 802.11b, 802.11g, and 802.11n clients operating in the 2.4 GHz frequency to connect to the access point. - 802.11n only: Choose this mode if all devices in the wireless network can support 802.11n. Only 802.11n clients operating in the 2.4 GHz frequency can connect to the access point.
PAGE 78

Configuration Wizards Using the Wireless Wizard (for ISA550W and ISA570W only) 2 Specify Wireless Connectivity Settings for All Enabled SSIDs STEP 7 STEP 8 Specify the wireless connectivity settings for all enabled SSIDs. • For complete details to configure the connectivity settings for Intranet WLAN access, see Configuring the SSID for Intranet WLAN Access, page 78.
PAGE 79

Configuration Wizards Using the Wireless Wizard (for ISA550W and ISA570W only) STEP 2 2 In the Security Settings area, specify the wireless security settings. • Security Mode: Choose the security mode and configure the corresponding security settings. For security purposes, we strongly recommend that you use WPA2 for wireless security. For example, if you choose WPA2-Personal, enter the following information: - Encryption: WPA2-Personal always uses AES for data encryption.
PAGE 80

Configuration Wizards Using the Wireless Wizard (for ISA550W and ISA570W only) 2 Configuring the SSID for Guest WLAN Access Follow these steps to configure the connectivity settings for Guest WLAN access. STEP 1 STEP 2 Enter the following information: • SSID: Enter the name of the SSID. • Broadcast SSID: Check this box to broadcast the SSID in its beacon frames. All wireless devices within range are able to see the SSID when they scan for available networks.
PAGE 81

Configuration Wizards Using the Wireless Wizard (for ISA550W and ISA570W only) Cisco ISA500 Series Integrated Security Appliances Administration Guide 2 81
PAGE 82

Configuration Wizards Using the Wireless Wizard (for ISA550W and ISA570W only) Cisco ISA500 Series Integrated Security Appliances Administration Guide 2 82
PAGE 83

Configuration Wizards Using the Wireless Wizard (for ISA550W and ISA570W only) Cisco ISA500 Series Integrated Security Appliances Administration Guide 2 83
PAGE 84

3 Status This chapter describes how to view the status of your security appliance. It includes the following sections: • Device Status Dashboard, page 84 • Network Status, page 88 • Wireless Status (for ISA550W and ISA570W only), page 99 • NAT Status, page 100 • VPN Status, page 101 • Active User Sessions, page 105 • Security Services Reports, page 106 • System Status, page 112 To access the Status pages, click Status in the left hand navigation pane.
PAGE 85

3 Status Device Status Dashboard Field Description Firmware (Primary/Secondary) Firmware version that the security appliance is currently using (Primary), and the firmware version that was previously running (Secondary). By default, the security appliance boots with the primary firmware. Bootloader Version Bootloader version of the security appliance. Serial Number Serial number of the security appliance.
PAGE 86

3 Status Device Status Dashboard Field Description Alert Total number of Alert logs. Click the number link for complete details. Critical Total number of Critical logs. Click the number link for complete details. Error Total number of Error logs. Click the number link for complete details. Warning Total number of Warning logs. Click the number link for complete details. Notification Total number of Notification logs. Click the number link for complete details.
PAGE 87

3 Status Device Status Dashboard Field Description Mode Link status of the physical port. WAN Mode Displays the WAN operation mode, such as Single - WAN1, Failover, or Load Balancing. To see complete details for WAN redundancy, click details. WAN Interface(s) To see complete details for all WAN ports, click details. Name Name of the WAN port. IP Address IP address for the WAN port. LAN Interfaces To see complete details for all VLANs, click details. Index ID of the VLAN. Name Name of the VLAN.
PAGE 88

3 Status Network Status Network Status Use the Network Status pages to view information for the various interfaces, the network usage reports, the WAN bandwidth reports, all ARP (Address Resolution Protocol) entries, and DHCP address assignment.
PAGE 89

3 Status Network Status Field Description VLAN VLANs to which the physical port is mapped. PVID The Port VLAN ID (PVID) to be used to forward or filter the untagged packets coming into the port. The PVID of a Trunk port is fixed to the DEFAULT VLAN (1). WAN Name Name of the WAN port. WAN Type Network addressing mode used to connect to the Internet for the WAN port. Connection Time Time that the WAN port is connected, in seconds.
PAGE 90

3 Status Network Status Field Description Line Status Shows if the cable is inserted to the WAN port or not. If the line status shows “Not Connected,” the cable may be loose or malfunctioning, or be plugged out. NOTE: If the line status shows “Not Connected,” the Connection Status will show “Not Connected” and the WAN State will show “Down.” Zone Zone to which the WAN port is assigned. VLAN LAN MAC Address MAC address of the default LAN. Name Name of the VLAN. VID ID of the VLAN.
PAGE 91

3 Status Network Status Traffic Statistics Use the Traffic Statistics page to view traffic data for the various interfaces. This page is automatically updated every 10 seconds. Click Refresh to manually refresh the data. Click Reset to reset the values in the Ethernet table to zero. Traffic Statistics Field Description Ethernet Port Name of the physical port. Link Status Shows if the port is connected or not. Tx Packets Number of IP packets transmitted by the port.
PAGE 92

3 Status Network Status Field Description Uptime Time that the WAN port has been active. The uptime is reset to zero when the security appliance or the WAN port is restarted. VLAN Name Name of the VLAN. Tx Packets Number of IP packets transmitted by the VLAN. Rx Packets Number of IP packets received by the VLAN. Collisions Number of signal collisions that have occurred on this VLAN. Tx Bytes/Sec Number of bytes transmitted by the VLAN per second.
PAGE 93

3 Status Network Status STEP 1 In the Data Collection area, enter the following information: • Enable Bandwidth Usage Report by IP Address: Check this box to enable the bandwidth usage report sorted by the top 25 IP addresses that consume the most bandwidth. • Enable Bandwidth Usage Report by Internet Service: Check this box to enable the bandwidth usage report sorted by the top 25 services and applications that consume the most bandwidth.
PAGE 94

3 Status Network Status This report only monitors the website visits through the HTTP port specified in the advanced settings of either Firewall Content Filtering or Web URL Filtering. You can block the websites if inappropriate websites appear in this report. For information on blocking the websites, see Configuring Content Filtering to Control Internet Access, page 281, or Configuring Web URL Filtering, page 327.
PAGE 95

3 Status Network Status ARP Table Address Resolution Protocol (ARP) is a computer-networking protocol that determines a network host’s Link Layer or hardware address when only the Internet Layer (IP) or Network Layer address is known. Use the ARP Table page to view information for all ARP entries. This page is automatically updated every 10 seconds. Click Refresh to manually refresh the data. ARP Table Field Description IP Address IP address of the device. Flag Flag type of the device.
PAGE 96

3 Status Network Status STP Status Use the STP Status page to view information about VLANs that have Spanning Tree Protocol (STP) enabled. STP is a Link Layer network protocol that ensures a loop-free topology for any bridged LAN. No information is displayed for VLANs without STP enabled. At the top of the page, use the Check the STP status in this VLAN list to choose a VLAN.
PAGE 97

3 Status Network Status Field Description Port Role The role assigned to this port • Root port: The port with the lowest path cost to the root bridge. • Designated port: The port with the lowest path cost on a LAN segment. The LAN segment will use the designated port to reach the root bridge. • Blocked port: The port that is neither a root port nor a designated port. Path Cost The cost of the path to root bridge through this port. Priority Priority of the port.
PAGE 98

3 Status Network Status Field Description Designated Cost The path cost to the designated bridge of the LAN segment. CDP Neighbor Use the CDP Neighbors page to view status information about neighboring devices that were discovered by the Cisco Discovery Protocol (if enabled). This information may be useful for troubleshooting. The information on this page is automatically refreshed at 15-second intervals. If CDP is disabled, a message appears at the top of the page and the list is empty.
PAGE 99

3 Status Wireless Status (for ISA550W and ISA570W only) Wireless Status (for ISA550W and ISA570W only) Use the Wireless Status pages to view information about your wireless network. Refer to the following topics: • Wireless Status, page 99 • Client Status, page 100 Wireless Status Use the Wireless Status > Wireless Status page to view the cumulative total of relevant wireless statistics for all SSIDs. This page is automatically updated every 10 seconds. Click Refresh to manually refresh the data.
PAGE 100

3 Status NAT Status Field Description Uptime Time that the SSID has been active. Client Status Use the Wireless Status > Client Status page to view information for all client stations that are already connected to each SSID. The MAC address and IP address for all connected client stations for each SSID are displayed. This page is automatically updated every 10 seconds. Click Refresh to manually refresh the data. NAT Status Use the NAT Status page to view information for all NAT rules.
PAGE 101

3 Status VPN Status Field Description Tx Packets Number of transmitted packets. Rx Packets Number of received packets. Tx Bytes/Sec Volume in bytes of transmitted traffic. Rx Bytes/Sec Volume in bytes of received traffic. VPN Status Use the VPN Status pages to view information for all VPN sessions. Refer to the following topics: • IPsec VPN Status, page 101 • SSL VPN Status, page 103 IPsec VPN Status Use the VPN Status > IPsec VPN Status page to view information for all IPsec VPN sessions.
PAGE 102

3 Status VPN Status Field Description VPN Type VPN connection type for an IPsec VPN session, such as Site-to-Site, IPsec Remote Access, or Teleworker VPN Client. WAN Interface WAN port used for an IPsec VPN session. Remote Gateway IP address of the remote peer. NOTE: For a site-to-site VPN session, it displays the IP address of the remote gateway. For an IPsec VPN session between the Teleworker VPN client and a remote IPsec VPN server, it displays the IP address of the IPsec VPN server.
PAGE 103

3 Status VPN Status Field Description Teleworker VPN Client If the Teleworker VPN Client feature is enabled and the security appliance is acting as a Cisco VPN hardware client, the following information is displayed. Status Shows if the Teleworker VPN Client feature is enabled or disabled. Primary DNS IP address of the primary DNS server. Secondary DNS IP address of the secondary DNS server. Primary WINS IP address of the primary WINS server.
PAGE 104

3 Status VPN Status Field Description User Name Name of the connected SSL VPN user. Client IP (Actual) Actual IP address used by the SSL VPN client. Client IP (VPN) Virtual IP address of the SSL VPN client assigned by the SSL VPN gateway. Connect Time Amount of time since the SSL VPN user first established the connection. SSL VPN Statistics In the Global Status area, the global statistic information is displayed. To clear the global statistic information, click Clear.
PAGE 105

3 Status Active User Sessions Field Description In CSTP Bytes Total number of bytes in the CSTP frames received from the client. In CSTP Data Number of CSTP data frames received from the client. In CSTP Control Number of CSTP control frames received from the client. Out CSTP Frames Number of CSTP frames sent to the client. Out CSTP Bytes Total number of bytes in the CSTP frames sent to the client. Out CSTP Data Number of CSTP data frames sent to the client.
PAGE 106

3 Status Security Services Reports Field Description Login Method How the user logs into the security appliance, such as WEB, SSL VPN, IPsec Remote Access, or Captive Portal. Session Time Time that the user has logged into the security appliance. Security Services Reports Use the Security Services Reports pages to view the reports for all security services. This page is automatically updated every 10 seconds. Click Refresh to manually refresh the data.
PAGE 107

3 Status Security Services Reports • Blocked Requests: Check this box to display the number of websites blocked by Web URL Filtering and/or Web Reputation Filtering in the graph. To view more information about blocked requests, click the red bar in the graph.
PAGE 108

3 Status Security Services Reports STEP 2 • Detected Requests: Check this box to display the number of viruses detected by the Anti-Virus service in the graph. To view more information about detected requests, click the red bar in the graph.
PAGE 109

3 Status Security Services Reports • STEP 2 Processed Requests: Check this box to display the number of emails checked by the Spam Filter service in the graph. Click Save to save your settings. Field Description System Date Current system time. Total Since Activated Total number of emails checked and total number of spam or suspected spam emails detected since the Spam Filter service was activated.
PAGE 110

3 Status Security Services Reports Field Description System Date Current system time. Total Since Activated Total number of packets checked and total number of packets blocked since the Network Reputation service was activated. Total Last 7 Days Total number of packets checked and total number of packets blocked in last seven days. Total Today Total number of packets checked and total number of packets blocked in one day.
PAGE 111

3 Status Security Services Reports Field Description System Date Current system time. Total Since Activated Total number of packets detected and total number of packets dropped since the IPS service was activated. Total Last 7 Days Total number of packets detected and total number of packets dropped in last seven days. Total Today Total number of packets detected and total number of packets dropped in one day.
PAGE 112

3 Status System Status Field Description System Date Current system time. Total Since Activated Total number of packets detected and total number of packets blocked since the Application Control service was activated. Total Last 7 Days Total number of packets detected and total number of packets blocked in last seven days. Total Today Total number of packets detected and total number of packets blocked in one day.
PAGE 113

3 Status System Status Field Description Protocol Protocol that is used by the socket. Port Port number of the local end of the socket. Local Address IP address of the local end of the socket. Foreign Address IP address of the remote end of the socket. Resource Utilization Use the System Status > Resource Utilization page to view information for the system’s CPU and memory utilization.
PAGE 114

3 Status System Status Field Description Buffer Memory Total amount of memory space currently used as buffers.
PAGE 115

4 Networking Using the Networking module to configure your Internet connection, VLAN, DMZ, zones, routing, Quality of Service (QoS), and related features.
PAGE 116

4 Networking Viewing Network Status Viewing Network Status Use the Networking > Network Status pages to view the traffic statistics, the usage reports, the WAN bandwidth reports, all ARP (Address Resolution Protocol) entries, and DHCP address assignment. For descriptions of these status reports, see Network Status, page 88. Configuring IPv4 or IPv6 Routing Use the Networking > IPv4 or IPv6 Routing page to choose the IP routing mode for your network.
PAGE 117

4 Networking Managing Ports • Configuring Port Mirroring, page 119 • Configuring Port-Based (802.1x) Access Control, page 120 Viewing Status of Physical Interfaces Use the Networking > Ports > Physical Interface page to view information about all physical ports on the security appliance. For all models, the following information appears: • Name: The name of the physical port. • Enable: Shows if the physical port is enabled or disabled.
PAGE 118

4 Networking Managing Ports STEP 1 STEP 2 Proceed as needed: • Check the box in the Enable column to enable a physical port, or uncheck this box to disable the physical port. • To edit the settings of a physical port, click the Edit (pencil) icon. See Configuring Physical Ports, page 118. Click Save to apply your settings.
PAGE 119

4 Networking Managing Ports - To release the port from a VLAN, choose a VLAN from the VLAN list and click the left arrows. NOTE: A LAN port can be assigned to multiple VLANs, but an Access LAN port can only be assigned to one VLAN. A DMZ port must be assigned to a DMZ network. NOTE: You can click the Create VLAN link to create new VLANs. For information on configuring VLAN, see Configuring a VLAN, page 137. • Flow Control: Click On to control the flow on the port, or click Off to disable it.
PAGE 120

4 Networking Managing Ports STEP 1 Click On to enable port mirroring, or click Off to disable this feature. STEP 2 If you enable port mirroring, enter the following information: STEP 3 • TX Destination: Choose the port that monitors the transmitted traffic for other ports. • TX Monitored Ports: Check the ports that are monitored. The port that you set as a TX Destination port cannot be selected as a monitored port.
PAGE 121

4 Networking Managing Ports STEP 1 In the RADIUS Settings area, specify the RADIUS servers for authentication. The security appliance predefines three RADIUS groups. Choose a predefined RADIUS group from the RADIUS Index drop-down list to authenticate users on 802.1x-capable clients. The RADIUS server settings of the selected group are displayed. You can edit the RADIUS server settings here but the settings that you specify will replace the default settings of the selected group.
PAGE 122

4 Networking Configuring the WAN • Authenticated VLAN: If you enable the 802.1x access control feature, choose the authenticated VLAN to which this port is assigned. The users who authenticated successfully can access the authenticated VLAN through the port. If the authentication fails, block access through the port. • Guest Authenticated: If you enable the 802.1x access control feature, check this box to enable the Guest Authentication feature.
PAGE 123

4 Networking Configuring the WAN • Configure the primary WAN, page 123 • Configure a secondary WAN, page 125 Release or renew a DHCP WAN connection If a WAN interface is configured to obtain an IP address from the ISP by using Dynamic Host Configuration Protocol (DHCP), you can click the Release icon to release its IP address, or click the Renew icon to obtain a new IP address. Configure the primary WAN To configure the settings for the primary WAN (WAN1), click the Edit (pencil) icon.
PAGE 124

4 Networking Configuring the WAN - Use the following MAC address: If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP, choose this option and enter the MAC address that your ISP requires for this connection. • MAC Address: Enter the MAC address, for example 01:23:45:67:89:ab. • Zone: Choose the default WAN zone or an untrusted zone for the primary WAN. You can click the Create Zone link to view, edit, or add the zones on the security appliance.
PAGE 125

4 Networking Configuring the WAN Configure a secondary WAN To configure a secondary WAN (WAN2), click Add. Then use the WAN - Add/Edit page to configure the connection. If you enabled IPv4/IPv6 routing mode, complete both tabbed pages, as described for the primary WAN interface. Click OK to save your settings in the pop-up window. Click Save to apply your settings to the security appliance. To determine how the two ISP links are used, configure the WAN redundancy settings.
PAGE 126

4 Networking Configuring the WAN Network Addressing Mode Configuration Static IP Choose this option if the ISP provides you with a static (permanent) IP address and does not assign it dynamically. Use the corresponding information from your ISP to complete the following fields: • IP Address: Enter the IP address of the WAN port that can be accessible from the Internet. • Subnet Mask: Enter the IP address of the subnet mask. • Gateway: Enter the IP address of default gateway.
PAGE 127

4 Networking Configuring the WAN Network Addressing Mode Configuration PPPoE PPPoE uses Point to Point Protocol over Ethernet (PPPoE) to connect to the Internet. Choose this option if your ISP provides you with client software, username, and password. Use the necessary PPPoE information from your ISP to complete the PPPoE configuration. • User Name: Enter the username that is required to log into the ISP. • Password: Enter the password that is required to log into the ISP.
PAGE 128

4 Networking Configuring the WAN Network Addressing Mode Configuration PPTP The PPTP protocol is typically used for VPN connection. Use the necessary information from your ISP to complete the PPTP configuration: • IP Address: Enter the IP address of the WAN port that can be accessible from the Internet. • Subnet Mask: Enter the subnet mask. • Gateway: Enter the IP address of default gateway. • User Name: Enter the username that is required to log into the PPTP server.
PAGE 129

4 Networking Configuring the WAN Network Addressing Mode Configuration L2TP Choose this option if you want to use IPsec to connect a L2TP (Layer 2 Tunneling Protocol) server and encrypt all data transmitted from the client to the server. However, it does not encrypt network traffic to other destinations. Use the necessary information from your ISP to complete the L2TP configuration: • IP Address: Enter the IP address of the WAN port that can be accessible from the Internet.
PAGE 130

4 Networking Configuring the WAN Configuring WAN Redundancy If you have two ISP links, one for WAN1 and another for WAN2, use the Networking > WAN Redundancy pages to configure the WAN redundancy to determine how the two ISP links are used. Refer to the following topics: • Dual WAN Settings, page 130 • Load Balancing with Policy-Based Routing Configuration Example, page 133 NOTE Before you configure the WAN redundancy settings, you must first configure the secondary WAN connection.
PAGE 131

4 Networking Configuring the WAN - Weighted by Link Bandwidth: If you choose this option, specify the amount of bandwidth for each WAN, such as 80 Mbps for WAN1 and 20 Mbps for WAN2, which indicates that 80% bandwidth is distributed to WAN1 and at least 20% bandwidth is distributed to WAN2. NOTE: The Weighted by Link Bandwidth option has the same effect with the Weighted by Percentage option.
PAGE 132

4 Networking Configuring the WAN NOTE: If you enable Policy-Based Routing, the policy-based routing settings will take precedence over the load balancing settings. Traffic matching the policy-based routing policies will be routed based on these settings. Traffic not matching the policy-based routing policies will be routed based on the load balancing settings. STEP 3 Click Save to apply your settings.
PAGE 133

4 Networking Configuring the WAN • STEP 2 DNS Detection: Choose this option to detect the WAN failure by looking up the DNS servers that you specify in the following fields: - Default DNS Servers: Send the DNS query for www.cisco.com to the default WAN DNS server. If the DNS server can be detected, the network connection is active. - Specify DNS Servers: Send the DNS query for www.cisco.com to the specified DNS servers.
PAGE 134

4 Networking Configuring the WAN Configuring Dynamic DNS Use the Networking > WAN > DDNS page to configure Dynamic DNS (DDNS). DDNS is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. If your ISP has not provided you with a static IP and your WAN connection is configured to use DHCP to obtain an IP address dynamically, then DDNS provides the domain name to map the dynamic IP address for your website.
PAGE 135

4 Networking Configuring the WAN • Password: Enter the password of the account that you registered in the DDNS provider. • Host and Domain Name: Enter the complete host name and domain name for the DDNS service, for example: name.dyndns.org. • Wildcards: Check this box to allow all subdomains of your DDNS host name to share the same public IP address as the host name. • Update: Check this box to update the host information every week.
PAGE 136

4 Networking Configuring the WAN between both upload and download traffic. The amount of traffic downloaded will reduce the amount of traffic that can be uploaded and vice-versa. • STEP 2 In the Traffic Counter area, enter the following information: • • STEP 3 Monthly Limit: Enter the volume limit that is applicable for this month. This limit will apply to the type of direction (Download Only or Both Direction) selected above.
PAGE 137

4 Networking Configuring a VLAN STEP 4 STEP 5 In the Internet Traffic area, the following information is displayed after you enable Traffic Metering: Start Date/Time Date on which the traffic meter was started or the last time that the traffic counter was reset. Outgoing Traffic Volume Volume of traffic, in Megabytes, that was uploaded through this port. Incoming Traffic Volume Volume of traffic, in Megabytes, that was downloaded through this port.
PAGE 138

4 Networking Configuring a VLAN STEP 1 To add a new VLAN, click Add. To modify the settings for a VLAN, click the Edit (pencil) icon. Other options: To delete a VLAN, click the Delete (x) icon. The default VLANs cannot be deleted. STEP 2 In the Basic Settings tab, enter the following information: • Name: Enter the name for the VLAN. • VLAN ID: Enter a unique identification number for the VLAN, which can be any number from 3 to 4089.
PAGE 139

4 Networking Configuring a VLAN STEP 3 STEP 4 In the DHCP Pool Settings tab, choose the DHCP mode from the DHCP Mode drop-down list. • Disable: Choose this option if the computers on the VLAN are configured with static IP addresses or are configured to use another DHCP server. • DHCP Server: Allows the security appliance to act as a DHCP server and assigns IP addresses to all devices that are connected to the VLAN. Any new DHCP client joining the VLAN is assigned an IP address of the DHCP pool.
PAGE 140

4 Networking Configuring a VLAN • Option 150: Supports a list of TFTP servers (2 TFTP servers). Enter the IP addresses of TFTP servers. Separate multiple entries with commas (,). NOTE: Enterprises with small branch offices that implement a Cisco IP Telephony Voice over IP solution typically implement Cisco CallManager at a central office to control Cisco IP Phones at small branch offices.
PAGE 141

4 Networking Configuring DMZ Configuring DMZ Use the Networking > DMZ page to configure a Demarcation Zone or Demilitarized Zone (DMZ). A DMZ is a sub-network that is behind the firewall but that is open to the public. By placing your public services on a DMZ, you can add an additional layer of security to the LAN. The public can connect to the services on the DMZ but cannot penetrate the LAN.
PAGE 142

4 Networking Configuring DMZ Figure 1 Example DMZ with One Public IP Address for WAN and DMZ www.example.com Internet Source Address Translation 209.165.200.225 Public IP Address 209.165.200.225 LAN Interface 192.168.75.1 User 192.168.75.10 DMZ Interface 172.16.2.1 Web Server Private IP Address: 172.16.2.30 Public IP Address: 209.165.200.225 User 192.168.75.11 283049 ISA500 172.16.2.30 In this scenario, the business has one public IP address, 209.165.200.
PAGE 143

4 Networking Configuring DMZ Figure 2 Example DMZ with Two Public IP Addresses www.example.com Internet Source Address Translation Public IP Addresses 209.165.200.225 (router) 209.165.200.226 (web server) DMZ Interface 172.16.2.1 Web Server Private IP Address: 172.16.2.30 Public IP Address: 209.165.200.226 LAN Interface 192.168.75.1 User 192.168.75.10 172.16.2.30 User 192.168.75.11 283050 ISA500 209.165.200.226 In this scenario, the ISP has supplied two static IP addresses: 209.165.200.
PAGE 144

4 Networking Configuring DMZ STEP 2 In the Basic Settings tab, enter the following information: • Name: Enter the name for the DMZ. • IP Address: Enter the subnet IP address for the DMZ. • Netmask: Enter the subnet mask for the DMZ. • Spanning Tree: Check this box to enable the Spanning Tree feature to determine if there are loops in the network topology. • Port: Specify a configurable port as a DMZ port. Traffic through the DMZ port is directed to the DMZ.
PAGE 145

4 Networking Configuring DMZ STEP 5 • Lease Time: Enter the maximum connection time that a dynamic IP address is “leased” to a network user. When the time elapses, the user will be automatically renewed the dynamic IP address. • DNS 1: Enter the IP address of the primary DNS server. • DNS 2: Optionally, enter the IP address of the secondary DNS server. • WINS 1: Optionally, enter the IP address of the primary WINS server. • WINS 2: Optionally, enter the IP address of the secondary WINS server.
PAGE 146

4 Networking Configuring Zones Configuring Zones Use the Networking > Zones page to configure a security zone, which is a group of interfaces to which a security policy can be applied. The interfaces in a zone share common functions or features. For example, two interfaces that are connected to the local LAN might be placed in one security zone, and the interfaces connected to the Internet might be placed in another security zone. The interfaces are IP-based interfaces (VLANs, WAN1, WAN2, and so forth).
PAGE 147

4 Networking Configuring Zones • Untrusted(0): Offers the lowest level of trust. It is used by both the WAN and the virtual multicast zones. You can map the WAN port to an untrusted zone. Predefined Zones The security appliance predefines the following zones with different security levels: • WAN: The WAN zone is an untrusted zone. By default, the WAN1 port is mapped to the WAN zone. If the secondary WAN (WAN2) is applicable, it can be mapped to the WAN zone or any other untrusted zone.
PAGE 148

4 Networking Configuring Zones STEP 1 To add a new zone, click Add. To edit an entry, click the Edit (pencil) icon. Other options: To delete an entry, click the Delete (x) icon. To delete multiple entries, check them and click Delete. NOTE: All predefined zones (except for the VOICE zone) cannot be deleted. Only the associated ports and VLANs for the predefined zones (except for the VPN and SSLVPN zones) can be edited. STEP 2 Enter the following information: • Name: Enter the name for the zone.
PAGE 149

4 Networking Configuring DHCP Reserved IPs Configuring DHCP Reserved IPs Use the Networking > DHCP Reservations page to reserve certain IP addresses for specified devices, identified by their MAC addresses. Whenever the DHCP server receives a request from a device, the hardware address is compared with the database. If the device is found, then the reserved IP address is used. Otherwise, an IP address is assigned automatically from the DHCP pool. STEP 1 To add a DHCP Reservation rule, click Add.
PAGE 150

4 Networking Configuring Routing Viewing the Routing Table Use the Networking > Routing > Routing Table page to view the following information: • Destination Address: The IP address of the host or the network that the route leads to. • Subnetwork Mask: The subnet mask of the destination network. • Gateway: The IP address of the gateway through which the destination host or network can be reached. • Flags: The status flag of the route. • Metric: The cost of a route.
PAGE 151

4 Networking Configuring Routing Configuring Static Routing Use the Networking > Routing > Static Routing page to configure static routes. You can optionally assign a priority, which determines the route is selected when there are multiple routes travelling to the same destination. NOTE Up to 150 static routing rules can be configured on the security appliance. STEP 1 To add a static route, click Add. To edit an entry, click the Edit (pencil) icon.
PAGE 152

4 Networking Configuring Routing Configuring Dynamic Routing - RIP Use the Networking > Routing > Dynamic - RIP page to configure Dynamic Routing or RIP. RIP is an Interior Gateway Protocol (IGP) that is commonly used in internal networks. It allows a router to exchange its routing information automatically with other routers, and allows it to dynamically adjust its routing tables and adapt to changes in the network.
PAGE 153

4 Networking Configuring Routing Configuring Policy-Based Routing Use the Networking > Routing > Policy Based Routing page to configure Policy-Based Routing (PBR). PBR specifies the internal IP and/or service going through a WAN port to provide more flexible and granular traffic handling capabilities. Up to 100 Policy-Based Routing rules can be configured on the security appliance. This feature can be used to segregate traffic between links that are not of the same speed.
PAGE 154

4 Networking Configuring Routing STEP 1 Click On to enable PBR, or click Off to disable it. STEP 2 To add a new PBR rule, click Add. To edit an entry, click the Edit (pencil) icon. Other options: To delete an entry, click the Delete (x) icon. STEP 3 Enter the following information: • From: Choose the VLAN that traffic originates from. • Service: For service binding only, choose an existing service. For IP binding only, choose All Traffic.
PAGE 155

4 Networking Configuring Quality of Service Configuring Quality of Service The Quality of Service (QoS) feature is applied throughout the network to ensure that network traffic is prioritized according to required criteria and that the desired traffic receives preferential treatment.
PAGE 156

4 Networking Configuring Quality of Service STEP 3 Click Save to apply your settings. Configuring WAN QoS This section describes how to configure WAN QoS.
PAGE 157

4 Networking Configuring Quality of Service Configuring WAN Queue Settings Use the Queue Settings page to determine how traffic in queues is handled for each WAN port. The security appliance supports six queues for the WAN ports, Q1 to Q6. There are three ways of determining how traffic in queues is handled: Strict Priority (SP) Egress traffic from the highest-priority queue (Q1) is transmitted first.
PAGE 158

4 Networking Configuring Quality of Service STEP 1 Click Networking > QoS > WAN QoS > Queue Settings. STEP 2 Specify the way of determining how traffic in queues is handled for each WAN port. • Strict Priority (SP): Set the order in which queues are serviced, traffic scheduling for the selected queue and all higher queues is based strictly on the queue priority, starting with Q1 (the highest priority queue) and going to the next lower queue when each queue is complete.
PAGE 159

4 Networking Configuring Quality of Service STEP 2 To add a new traffic selector, click Add. Other options: To edit an entry, click the Edit (pencil) icon. To delete an entry, click the Delete (x) icon. The Traffic Selector - Add/Edit window opens. STEP 3 Enter the following information: • Class Name: Enter a descriptive name for the traffic class. • Source Address: Choose Any or choose an existing address or address group (network) that traffic comes from.
PAGE 160

4 Networking Configuring Quality of Service NOTE: Traffic that matches the above settings will be classified to a class for management purposes. STEP 4 Click Save to apply your settings. Configuring WAN QoS Policy Profiles Use the QoS Policy Profile page to configure class-based policy profiles for managing traffic through the WAN interfaces. NOTE Up to 32 WAN QoS policy profiles can be configured on the security appliance. STEP 1 Click Networking > QoS > WAN QoS > QoS Policy Profile.
PAGE 161

4 Networking Configuring Quality of Service STEP 1 In the QoS Class Rules area, click Add to add a WAN QoS class rule. The QoS Class Rule - Add/Edit window opens. STEP 2 STEP 3 Enter the following information: • Class: Choose an existing traffic selector (traffic class) to associate with the policy profile. • Queue: For an outbound traffic policy profile, choose the queue for sending the packets that belongs to the selected traffic class.
PAGE 162

4 Networking Configuring Quality of Service STEP 2 To edit the policy profile settings associated with a WAN interface, click the Edit (pencil) icon. The Policy Profile to Interface Mapping - Edit window opens. STEP 3 Enter the following information: • Interface: The name of the WAN interface with which the policy profiles are associated. • Inbound Policy Name: Choose an inbound policy profile for managing inbound traffic through the selected WAN interface.
PAGE 163

4 Networking Configuring Quality of Service Perform the following configuration tasks to give the voice traffic a higher priority: • Go to the Networking > Routing > Static Routing page to add a static routing rule as follows: Destination Address voice_phone_ip NOTE: In this case, you can manually create an IP address object called “voice_phone_ip” with the IP address 10.1.1.11 by selecting the Create a new address option.
PAGE 164

4 Networking Configuring Quality of Service • Configure WAN QoS for the inbound voice traffic. For complete details, see Configuring WAN QoS for Voice Traffic from WAN to LAN, page 165. Configure WAN QoS for Voice Traffic from LAN to WAN Follow these steps to configure WAN QoS to manage the outbound voice traffic from LAN to WAN: STEP 1 Go to the Networking > QoS > WAN QoS > Queue Settings page to determine how traffic in queues is handled for the WAN port. a.
PAGE 165

4 Networking Configuring Quality of Service b. Add two QoS class rules to associate the specified traffic classes with the QoS policy profile as follows: QoS Class Rule 1 Class Choose the traffic class called “voice-outbound-class.” Queue Choose the highest queue Q1 for the outbound voice traffic. QoS Class Rules 2 STEP 4 Class Choose the traffic class called “data-outbound-class.” Queue Choose one queue from Q2 to Q6 for the outbound data traffic.
PAGE 166

4 Networking Configuring Quality of Service QoS Class Rule STEP 3 Add a QoS class rule with the following settings: • Class: Choose the traffic class called “voice-inbound-class.” • DSCP Marking: Choose the DSCP tag value (such as 46) for the inbound voice traffic depending on the QoS settings on your voice switch. For more information, see Understanding DSCP Values, page 171.
PAGE 167

4 Networking Configuring Quality of Service Configuring LAN Queue Settings Use the Queue Settings page to configure whether traffic scheduling on Ethernet interfaces is based on either SP or WRR, or the combination of the two. The security appliance supports four queues for LAN traffic, Q1 to Q4. STEP 1 Click Networking > QoS > LAN QoS > Queue Settings. STEP 2 Specify how to determine LAN traffic in queues.
PAGE 168

4 Networking Configuring Quality of Service STEP 3 LAN Queue CoS Value 1 6 2 4 3 2 4 0 Click Save to apply your settings. Mapping CoS to LAN Queue STEP 1 Click Networking > QoS > LAN QoS > Mapping CoS to Queue. STEP 2 Choose the traffic forwarding queue to which the CoS priority tag value is mapped. Four traffic priority queues are supported, where Q4 is the lowest and Q1 is the highest. STEP 3 Click Save to apply your settings.
PAGE 169

4 Networking Configuring Quality of Service Configuring Default CoS Use the Default CoS page to configure the default CoS values for incoming packets through each LAN interface. The possible field values are 0 to 7. The default value is 0. STEP 1 Click Networking > QoS > LAN QoS > Default CoS. STEP 2 Enter the following information: STEP 3 • Default CoS: Choose the default CoS priority tag value for the LAN interfaces, where 0 is the lowest and 7 is the highest.
PAGE 170

4 Networking Configuring Quality of Service 802.1p Priority 802.11e Priority 1 1 (Background Priority) 2 2 (Background Priority) 3 4 (Video Priority) 4 5 (Video Priority) 5 6 (Voice Priority) 6 7 (Voice Priority) 7 7 (Voice Priority) IEEE 802.11e to 802.1p Mapping 802.11e Priority 802.
PAGE 171

4 Networking Configuring Quality of Service STEP 3 Click Save to apply your settings. Mapping CoS to Wireless Queue STEP 1 Click Networking > QoS > Wireless QoS > Mapping CoS to Queue. STEP 2 Choose the traffic forwarding queue to which the CoS priority tag value is mapped. STEP 3 Click Save to apply your settings. Mapping DSCP to Wireless Queue STEP 1 Click Networking > QoS > Wireless QoS > Mapping DSCP to Queue.
PAGE 172

4 Networking Configuring IGMP DSCP Value Decimal Value Meaning 010 100 20 AF22 010 110 22 AF23 011 010 26 AF31 011 100 28 AF32 011 110 30 AF33 100 010 34 AF41 100 100 36 AF42 100 110 38 AF43 Configuring IGMP Internet Group Management Protocol (IGMP) is a communication protocol used by hosts and adjacent routers on IP networks to establish multicast group memberships.
PAGE 173

4 Networking Configuring VRRP STEP 2 Enter the following information: • IGMP Proxy: Click On to enable IGMP Proxy so that the security appliance can act as a proxy for all IGMP requests and communicate with the IGMP servers of the ISP, or click Off to disable it. • IGMP Version: Choose either IGMP Version 1 and 2 or IGMP Version 3. • STEP 3 - IGMP Version 1: Hosts can join multicast groups. There are no leave messages.
PAGE 174

4 Networking Configuring VRRP STEP 2 Check the box next to Enable Virtual Router Redundancy Protocol (VRRP) to enable VRRP, or uncheck this box to disable it. STEP 3 If you enable VRRP, enter the following information: • Interface: The default port of the master virtual router (your security appliance). • Source IP: The source IP address of the master virtual router.
PAGE 175

4 Networking Address Management Address Management Use the Address Management page to manage the address and address group objects. The security appliance is configured with a long list of common address objects so that you can use to configure firewall rules, port forwarding rules, or other features. See Default Address Objects, page 478.
PAGE 176

4 Networking Address Management - Network: Network address object like the Range object comprises multiple hosts, but rather than being bound by specified upper and lower range delimiters, the boundaries are defined by a valid netmask. Network address objects must be defined by the network’s address and a corresponding netmask. As a general rule, the first address in a network (the network address) and the last address in a network (the broadcast address) are unusable.
PAGE 177

4 Networking Service Management STEP 7 Click Save to apply your settings. Service Management Use the Service Management page to maintain the service or service group objects. The security appliance is configured with a long list of standard services so that you can use to configure the firewall rules, port forwarding rules, or other features. See Default Service Objects, page 474.
PAGE 178

4 Networking Service Management - ICMP: Internet Control Message Protocol (ICMP) is a TCP/IP protocol used to send error and control messages. If you choose this option, enter the ICMP type in the ICMP Type field. - TCP: Transmission Control Protocol (TCP) is a transport protocol in TCP/IP. TCP ensures that a message is sent accurately and in its entirety. If you choose this option, enter the starting port number in the Port Range Start field and the ending port number in the Port Range End field.
PAGE 179

4 Networking Configuring Captive Portal STEP 5 To remove the services from the group, select the services from the right list and click the left arrow. STEP 6 Click OK to save your settings. STEP 7 Click Save to apply your settings. Configuring Captive Portal You may want to direct users to a web portal before they can access the Internet through the security appliance. To achieve this goal, you can enable Captive Portal on a wireless network, a VLAN, or a DMZ.
PAGE 180

4 Networking Before You Begin A computer accessing the Captive Portal must have one of these operating systems: • Windows 7 • Windows XP • Mac OS Captive Portal also can be used from a mobile device with one of these operating systems: • iOS (iPhone, iPad) • Android Before You Begin Before you configure your portal, you may need to configure VLANs, SSIDs, and users. Read the following information to determine what steps may be needed to achieve your goals.
PAGE 181

4 Networking Configuring a Captive Portal Wireless Setup For a Captive Portal on the wireless network, you must enable the wireless radio and at least one SSID before you can enable a Captive Portal. To configure these settings, use the Wireless > Basic Settings page. . • Enable the wireless radio. • Enable the SSID(s) that you want to use for the portal. • If you created a special VLAN for use with your Captive Portal, assign it to the SSID(s) that you want to use for the portal.
PAGE 182

4 Networking Configuring a Captive Portal • Internal, no auth with accept button: Uses the default HotSpot Login page and does not require a login. A user simply clicks the Accept button to access the Internet. • External: Uses a custom HotSpot Login page on the specified external web server and requires a login. • External, no auth with accept button: Uses a custom HotSpot Login page on the specified external web server and does not require a login.
PAGE 183

4 Networking Configuring a Captive Portal STEP 6 If you chose Internal or Internal, no auth with accept button, set up the default HotSpot Login page: • Logo File: You can import an image, such as your corporate logo, to display on the login page. Click Browse to locate and select an image file from your local PC and then click Upload. To delete the loaded file, click Delete. • Background File: You can import an image to display as the background for the login page.
PAGE 184

4 Networking Configuring a Captive Portal STEP 7 STEP 8 If you chose External or External, no auth with accept button, specify these settings for your external portal page: • Authentication Web Server: Enter the full URL of the external web server (including https://), for example https://172.24.10.10/cgi-bin/PortalLogin.cgi. • Authentication Web Key: Enter the key used to protect the username and password that the external web server sends to the security appliance for authentication.
PAGE 185

4 Networking Troubleshooting STEP 9 If you want to bypass the portal for certain IP addresses, add them in the Advanced Settings > Open Domains area. a. Click Add. b. Enter the IP address or domain name in the Domain field. c. Click OK to save your settings. STEP 10 Click Save to apply your settings. Troubleshooting Problem 1: User is not redirected to portal page when internal web authentication type is chosen.
PAGE 186

4 Networking Using External Web-Hosted CGI Scripts the VLAN to which Captive Portal users join should be able to access the web-server. • Check if the web-server has any issues. Using External Web-Hosted CGI Scripts Following is a CGI script which asks for the authentication information of a user. The secret string programmed in the uamsecret variable should be configured as Authentication Web Key on the Captive portal page. Replace the MySMB string in the following section with your company name.
PAGE 187

Networking Using External Web-Hosted CGI Scripts 4 $OK_CHARS='-a-zA-Z0-9_.@&=%!'; $| = 1; if ($ENV{'CONTENT_LENGTH'}) { read (STDIN, $_, $ENV{'CONTENT_LENGTH'}); } s/[^$OK_CHARS]/_/go; $input = $_; # Make sure that the get query parameters are clean $OK_CHARS='-a-zA-Z0-9_.@&=%!'; $_ = $query=$ENV{QUERY_STRING}; s/[^$OK_CHARS]/_/go; $query = $_; # If she did not use https tell her that it was wrong.
PAGE 188

4 Networking Using External Web-Hosted CGI Scripts @array2 = split('=',$var); if ($array2[0] =~ /^UserName$/) { $username = $array2[1]; } if ($array2[0] =~ /^Password$/) { $password = $array2[1]; } if ($array2[0] =~ /^challenge$/) { $challenge = $array2[1]; } if ($array2[0] =~ /^button$/) { $button = $array2[1]; } if ($array2[0] =~ /^logout$/) { $logout = $array2[1]; } if ($array2[0] =~ /^prelogin$/) { $prelogin = $array2[1]; } if ($array2[0] =~ /^res$/) { $res = $array2[1]; } if ($array2[0] =~ /^uamip$/)
PAGE 189

Networking Using External Web-Hosted CGI Scripts 4 $pappassword = unpack "H32", ($password ^ $newchal); #sleep 5; print "Content-type: text/html\n\n"; print "
PAGE 190

Networking Using External Web-Hosted CGI Scripts 4 # If login successful if ($res =~ /^success$/) { $result = 1; } # If login failed if ($res =~ /^failed$/) { $result = 2; } # If logout successful if ($res =~ /^logoff$/) { $result = 3; } # If tried to login while already logged in if ($res =~ /^already$/) { $result = 4; } # If not logged in yet if ($res =~ /^notyet$/) { $result = 5; } # If login from smart client if ($res =~ /^smartclient$/) { $result = 6; } # If requested a logging in pop up window if ($
PAGE 191

Networking Using External Web-Hosted CGI Scripts 4
MySMB Login Failed
Login must be performed through MySMB daemon. "; exit(0); } #Generate the output print "Content-type: text/html\n\n MySMB Login[2.
PAGE 192

Networking Using External Web-Hosted CGI Scripts 4 } } function popUp(URL) { if (self.name != \"chillispot_popup\") { chillispot_popup = window.open(URL, 'chillispot_popup', 'toolbar= 0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width= 500,height=375'); } } function doOnLoad(result, URL, userurl, redirurl, timeleft) { if (timeleft) { mytimeleft = timeleft; } if ((result == 1) && (self.name == \"chillispot_popup\")) { doTime(); } if ((result == 1) && (self.
PAGE 193

Networking Using External Web-Hosted CGI Scripts 4 function doOnBlur(result) { if ((result == 12) && (self.name == \"chillispot_popup\")) { if (blur == 0) { blur = 1; self.focus(); } } } "; # # # if (!window.
PAGE 194

Networking Using External Web-Hosted CGI Scripts 4 Password:[2.4]
PAGE 195

4 Networking Using External Web-Hosted CGI Scripts if (($result == 3) || ($result == 13)) { print "
Logged out from MySMB
[5.1] Login[5.2] "; } exit(0); CGI Source Code Example: No Authentication and Accept Button Following is a CGI script which presents a Accept button on the portal page.
PAGE 196

4 Networking Using External Web-Hosted CGI Scripts $uamsecret = "gemteksmb"; # Uncomment the following line if you want to use ordinary user-password # for radius authentication. Must be used together with $uamsecret. $userpassword=1; # Our own path $loginpath = $ENV{'SCRIPT_URL'}; use Digest::MD5 qw(md5 md5_hex md5_base64); # Make sure that the form parameters are clean $OK_CHARS='-a-zA-Z0-9_.
PAGE 197

4 Networking Using External Web-Hosted CGI Scripts --> "; exit(0); } #Read form parameters which we care about @array = split('&',$input); foreach $var ( @array ) { @array2 = split('=',$var); if ($array2[0] =~ /^UserName$/) { $username = $array2[1]; } if ($array2[0] =~ /^Password$/) { $password = $array2[1]; } if ($array2[0] =~ /^challenge$/) { $challenge = $array2[1]; } if ($array2[0] =~ /^button$/) { $button = $array2[1]; } if ($array2[0] =~ /^logout$/) { $logout = $ar
PAGE 198

Networking Using External Web-Hosted CGI Scripts 4 $password =~s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/seg; # If attempt to login if ($button =~ /^Accept$/) { $hexchal = pack "H32", $challenge; if (defined $uamsecret) { $newchal = md5($hexchal, $uamsecret); } else { $newchal = $hexchal; } $response = md5_hex("\0", $password, $newchal); $pappassword = unpack "H32", ($password ^ $newchal); #sleep 5; print "Content-type: text/html\n\n"; print "
PAGE 199

Networking Using External Web-Hosted CGI Scripts 4 print " --> "; exit(0); } # Default: It was not a form request $result = 0; # If login successful if ($res =~ /^success$/) { $result = 1; } # If login failed if ($res =~ /^failed$/) { $result = 2; } # If logout successful if ($res =~ /^logoff$/) { $result = 3; } # If tried to login while already logged in if ($res =~ /^already$/) { $result = 4; } # If not logged in yet if ($res =~ /^notyet$/) { $res
PAGE 200

Networking Using External Web-Hosted CGI Scripts 4 } # Otherwise it was not a form request # Send out an error message if ($result == 0) { print "Content-type: text/html\n\n
PAGE 201

Networking Using External Web-Hosted CGI Scripts 4 if (hours < 10) hours = \"0\" + hours; if (mins < 10) mins = \"0\" + mins; if (secs < 10) secs = \"0\" + secs; title = \"Online time: \" + hours + \":\" + mins + \":\" + secs; if (mytimeleft) { title = \"Remaining time: \" + hours + \":\" + mins + \":\" + secs; } if(document.all || document.getElementById){ document.title = title; } else { self.status = title; } } function popUp(URL) { if (self.name != \"chillispot_popup\") { chillispot_popup = window.
PAGE 202

Networking Using External Web-Hosted CGI Scripts 4 else { opener.location = \"about:home\"; } self.focus(); blur = 0; } if ((result == 13) && (self.name == \"chillispot_popup\")) { self.focus(); blur = 1; } } function doOnBlur(result) { if ((result == 12) && (self.name == \"chillispot_popup\")) { if (blur == 0) { blur = 1; self.

PAGE 203

Networking Using External Web-Hosted CGI Scripts 4

[2.4]

PAGE 204

4 Networking Related Information "; } if (($result == 3) || ($result == 13)) { print "

Logged out from MySMB

Login "; } exit(0); Related Information Support Cisco Small Business Support Community www.cisco.com/go/smallbizsupport Cisco Small Business Support and Resources www.cisco.com/go/smallbizhelp Phone Support Contacts www.cisco.

PAGE 205

4 Networking Related Information Cisco Small Business Home www.cisco.com/smb Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) © 2013 Cisco Systems, Inc.

PAGE 206

5 Wireless (for ISA550W and ISA570W only) This chapter describes how to configure your wireless network.

PAGE 207

5 Wireless (for ISA550W and ISA570W only) Viewing Wireless Status Viewing Wireless Status This section describes how to view information for your wireless network. Refer to the following topics: • Viewing Wireless Statistics, page 207 • Viewing Wireless Client Status, page 208 Viewing Wireless Statistics Use the Wireless Status page to view the cumulative total of relevant wireless statistics for all SSIDs. This page is automatically updated every 10 seconds.

PAGE 208

Wireless (for ISA550W and ISA570W only) Configuring the Basic Settings 5 Viewing Wireless Client Status Use the Client Status page to view information for all client stations that are already connected to each SSID. The MAC address and IP address for all connected client stations for each SSID are displayed. To open this page, click Wireless > Wireless Status > Client Status. This page is automatically updated every 10 seconds. Click Refresh to manually refresh the data.

PAGE 209

Wireless (for ISA550W and ISA570W only) Configuring the Basic Settings STEP 3 5 • Bandwidth Channel: Choose 20 MHz channel bonding (spacing), or choose Auto to let the system determine the optimal channel spacing to use. This setting is specific to 802.11n traffic. • Extension Channel: Choose either Lower or Upper if you choose Auto channel spacing. • Unscheduled Automatic Power Save Delivery (U-APSD): Click Enable to enable U-APSD to conserve the power, or click Disable to disable it.

PAGE 210

Wireless (for ISA550W and ISA570W only) Configuring SSID Profiles STEP 4 5 • VLAN Mapping: Displays the VLAN to which the SSID is mapped. All traffic from the wireless clients that are connected to this SSID will be directed to the selected VLAN. To associate the SSID to a specific VLAN, click the Edit (pencil) icon. See Mapping the SSID to VLAN, page 218.

PAGE 211

5 Wireless (for ISA550W and ISA570W only) Configuring SSID Profiles Configuring Wireless Security This section describes how to configure the security mode for the SSID. All devices on this network must use the same security mode and settings to work correctly. Cisco recommends using the highest level of security that is supported by the devices in your network. NOTE If the security mode is set as WEP or as WPA with TKIP encryption algorithm for the SSID that supports 802.

PAGE 212

5 Wireless (for ISA550W and ISA570W only) Configuring SSID Profiles Security Mode Description WEP Wired Equivalent Privacy (WEP) is a data encryption protocol for 802.11 wireless networks. All wireless stations and SSIDs on the network are configured with a static 64-bit or 128-bit Shared Key for data encryption. The higher the bit for data encryption, the more secure for your network. WEP encryption is an older encryption method that is not considered to be secure and can easily be broken.

PAGE 213

5 Wireless (for ISA550W and ISA570W only) Configuring SSID Profiles Security Mode Description WPA2 WPA2 provides the best security for wireless transmissions. This method implements the security standards specified in the final version of 802.11i. The security appliance supports the following WPA2 security modes: WPA + WPA2 • WPA2-Personal: Always uses AES encryption mechanism for data encryption. • WPA2-Enterprise: Uses WPA2 with RADIUS authentication.

PAGE 214

Wireless (for ISA550W and ISA570W only) Configuring SSID Profiles STEP 5 STEP 6 STEP 7 5 If you choose WEP as the security mode, enter the following information: • Authentication Type: Choose either Open System or Shared key, or choose Auto to let the security appliance accept both Open System and Shared Key schemes. • Default Transmit Key: Choose a key index as the default transmit key. Key indexes 1 through 4 are available.

PAGE 215

Wireless (for ISA550W and ISA570W only) Configuring SSID Profiles • STEP 8 STEP 9 5 Key Renewal Timeout: Enter a value to set the interval at which the key is refreshed for clients associated to this SSID. The valid range is 0 to 4194303 seconds. A value of zero (0) indicates that the key is not refreshed. The default value is 3600 seconds. If you choose WPA/WPA2-Personal mixed as the security mode, enter the following information: • Encryption: Automatically choose TKIP or AES for data encryption.

PAGE 216

Wireless (for ISA550W and ISA570W only) Configuring SSID Profiles - 5 Secondary RADIUS Server Shared Secret: The shared secret key of the secondary RADIUS server. NOTE: You can change the settings in the above fields but the RADIUS server settings you specify will replace the default settings of the selected group. To maintain the RADIUS servers, go to the Users > RADIUS Servers page. See Configuring RADIUS Servers, page 401.

PAGE 217

Wireless (for ISA550W and ISA570W only) Configuring SSID Profiles 5 selected group. To maintain the RADIUS servers, go to the Users > RADIUS Servers page. See Configuring RADIUS Servers, page 401. STEP 13 Click OK to save your settings. STEP 14 Click Save to apply your settings. Controlling Wireless Access Based on MAC Addresses MAC Filtering allows or blocks access to the SSID by the MAC (hardware) address of the requesting device. By default, MAC Filtering is disabled for each SSID.

PAGE 218

Wireless (for ISA550W and ISA570W only) Configuring SSID Profiles STEP 5 Click OK to save your settings. STEP 6 Click Save to apply your settings. 5 Mapping the SSID to VLAN STEP 1 Click Wireless > Basic Settings. STEP 2 In the SSIDs area, click the Edit (pencil) icon to edit the settings for the SSID. The SSID - Edit window opens. STEP 3 In the VLANs tab, enter the following information: • SSID Name: The name of the SSID to which the VLAN is mapped.

PAGE 219

Wireless (for ISA550W and ISA570W only) Configuring Wi-Fi Protected Setup • 5 Active Time: Click On to enable the schedule feature for the SSID, or click Off to disable it. Disabling the schedule feature will keep the SSID active in 24 hours per day. If you enable this feature, configure the time range per day to keep this SSID active. - Start Time: Enter the values in the hour and minute fields and choose AM or PM from the drop-down list.

PAGE 220

Wireless (for ISA550W and ISA570W only) Configuring Wi-Fi Protected Setup - STEP 4 5 Unconfigured: If you choose this option, the SSID will automatically configure its security settings such as the SSID name and the security mode before the wireless clients are associated to provide a secured connection. After the wireless clients are connected, the status will be automatically changed to “Configured.

PAGE 221

Wireless (for ISA550W and ISA570W only) Configuring Captive Portal STEP 6 5 If the wireless client device asks for the PIN number of the security appliance, follow these steps to establish the WPS connection: a. Enable WPS on the security appliance. b. Click Generate to generate a PIN number. c. Follow the instructions on the wireless client device to configure WPS within 2 minutes by using the registered PIN number. d. Verify that the wireless client device is connected to the SSID.

PAGE 222

Wireless (for ISA550W and ISA570W only) Requirements 5 Requirements This feature is compatible with these browsers: • Internet Explorer (v 8.0 or above) • Firefox (v 9.

PAGE 223

Wireless (for ISA550W and ISA570W only) Configuring a Captive Portal 5 • You may want to associate a VLAN, such as the GUEST VLAN, with a security zone so that you can configure appropriate security policies. For example, you can apply URL filtering policies to the zone to prevent access to certain types of websites. • A Captive Portal must be associated either with a single SSID or with a VLAN.

PAGE 224

Wireless (for ISA550W and ISA570W only) Configuring a Captive Portal 5 STEP 1 Enable Captive Portal: Click On to enable the Captive Portal feature. STEP 2 Apply On: Choose the SSID, VLAN, or DMZ interface on which to apply the Captive Portal settings. STEP 3 Web Authentication Type: Choose one of the following methods for web authentication. The security appliance can authenticate the users by using the local database and external AAA server (such as RADIUS, AD, and LDAP).

PAGE 225

Wireless (for ISA550W and ISA570W only) Configuring a Captive Portal • STEP 6 5 Idle Timeout: Enter the maximum number of minutes that a wireless session can be idle. After the timeout period elapses, an idle session will be terminated. The default value is 5 minutes. If you chose Internal or Internal, no auth with accept button, set up the default HotSpot Login page: • Logo File: You can import an image, such as your corporate logo, to display on the login page.

PAGE 226

Wireless (for ISA550W and ISA570W only) Configuring a Captive Portal • STEP 7 STEP 8 5 Message: If you want to create your own message on the login page, enter the desired text in this field. If you chose External or External, no auth with accept button, specify these settings for your external portal page: • Authentication Web Server: Enter the full URL of the external web server (including https://), for example https://172.24.10.10/cgi-bin/PortalLogin.cgi.

PAGE 227

Wireless (for ISA550W and ISA570W only) Troubleshooting STEP 9 5 If you want to bypass the portal for certain IP addresses, add them in the Advanced Settings > Open Domains area. a. Click Add. b. Enter the IP address or domain name in the Domain field. c. Click OK to save your settings. STEP 10 Click Save to apply your settings. Troubleshooting Problem 1: User is not redirected to portal page when internal web authentication type is chosen.

PAGE 228

Wireless (for ISA550W and ISA570W only) Using External Web-Hosted CGI Scripts 5 the VLAN to which Captive Portal users join should be able to access the web-server. • Check if the web-server has any issues. Using External Web-Hosted CGI Scripts Following is a CGI script which asks for the authentication information of a user. The secret string programmed in the uamsecret variable should be configured as Authentication Web Key on the Captive portal page.

PAGE 229

Wireless (for ISA550W and ISA570W only) Using External Web-Hosted CGI Scripts 5 $OK_CHARS='-a-zA-Z0-9_.@&=%!'; $| = 1; if ($ENV{'CONTENT_LENGTH'}) { read (STDIN, $_, $ENV{'CONTENT_LENGTH'}); } s/[^$OK_CHARS]/_/go; $input = $_; # Make sure that the get query parameters are clean $OK_CHARS='-a-zA-Z0-9_.@&=%!'; $_ = $query=$ENV{QUERY_STRING}; s/[^$OK_CHARS]/_/go; $query = $_; # If she did not use https tell her that it was wrong.

PAGE 230

5 Wireless (for ISA550W and ISA570W only) Using External Web-Hosted CGI Scripts @array2 = split('=',$var); if ($array2[0] =~ /^UserName$/) { $username = $array2[1]; } if ($array2[0] =~ /^Password$/) { $password = $array2[1]; } if ($array2[0] =~ /^challenge$/) { $challenge = $array2[1]; } if ($array2[0] =~ /^button$/) { $button = $array2[1]; } if ($array2[0] =~ /^logout$/) { $logout = $array2[1]; } if ($array2[0] =~ /^prelogin$/) { $prelogin = $array2[1]; } if ($array2[0] =~ /^res$/) { $res = $array2[1]; }

PAGE 231

Wireless (for ISA550W and ISA570W only) Using External Web-Hosted CGI Scripts 5 $pappassword = unpack "H32", ($password ^ $newchal); #sleep 5; print "Content-type: text/html\n\n"; print "

PAGE 232

Wireless (for ISA550W and ISA570W only) Using External Web-Hosted CGI Scripts 5 # If login successful if ($res =~ /^success$/) { $result = 1; } # If login failed if ($res =~ /^failed$/) { $result = 2; } # If logout successful if ($res =~ /^logoff$/) { $result = 3; } # If tried to login while already logged in if ($res =~ /^already$/) { $result = 4; } # If not logged in yet if ($res =~ /^notyet$/) { $result = 5; } # If login from smart client if ($res =~ /^smartclient$/) { $result = 6; } # If requested a l

PAGE 233

Wireless (for ISA550W and ISA570W only) Using External Web-Hosted CGI Scripts 5

MySMB Login Failed

Login must be performed through MySMB daemon. "; exit(0); } #Generate the output print "Content-type: text/html\n\n MySMB Login[2.

PAGE 234

Wireless (for ISA550W and ISA570W only) Using External Web-Hosted CGI Scripts 5 } } function popUp(URL) { if (self.name != \"chillispot_popup\") { chillispot_popup = window.open(URL, 'chillispot_popup', 'toolbar= 0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width= 500,height=375'); } } function doOnLoad(result, URL, userurl, redirurl, timeleft) { if (timeleft) { mytimeleft = timeleft; } if ((result == 1) && (self.name == \"chillispot_popup\")) { doTime(); } if ((result == 1) && (self.

PAGE 235

Wireless (for ISA550W and ISA570W only) Using External Web-Hosted CGI Scripts 5 function doOnBlur(result) { if ((result == 12) && (self.name == \"chillispot_popup\")) { if (blur == 0) { blur = 1; self.

PAGE 236

Wireless (for ISA550W and ISA570W only) Using External Web-Hosted CGI Scripts 5

Password:

PAGE 237

Wireless (for ISA550W and ISA570W only) Using External Web-Hosted CGI Scripts 5 if (($result == 3) || ($result == 13)) { print "

Logged out from MySMB

[5.1] Login[5.2] "; } exit(0); CGI Source Code Example: No Authentication and Accept Button Following is a CGI script which presents a Accept button on the portal page.

PAGE 238

Wireless (for ISA550W and ISA570W only) Using External Web-Hosted CGI Scripts 5 $uamsecret = "gemteksmb"; # Uncomment the following line if you want to use ordinary user-password # for radius authentication. Must be used together with $uamsecret. $userpassword=1; # Our own path $loginpath = $ENV{'SCRIPT_URL'}; use Digest::MD5 qw(md5 md5_hex md5_base64); # Make sure that the form parameters are clean $OK_CHARS='-a-zA-Z0-9_.

PAGE 239

5 Wireless (for ISA550W and ISA570W only) Using External Web-Hosted CGI Scripts --> "; exit(0); } #Read form parameters which we care about @array = split('&',$input); foreach $var ( @array ) { @array2 = split('=',$var); if ($array2[0] =~ /^UserName$/) { $username = $array2[1]; } if ($array2[0] =~ /^Password$/) { $password = $array2[1]; } if ($array2[0] =~ /^challenge$/) { $challenge = $array2[1]; } if ($array2[0] =~ /^button$/) { $button = $array2[1]; } if ($array2[0] =

PAGE 240

Wireless (for ISA550W and ISA570W only) Using External Web-Hosted CGI Scripts 5 $password =~s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/seg; # If attempt to login if ($button =~ /^Accept$/) { $hexchal = pack "H32", $challenge; if (defined $uamsecret) { $newchal = md5($hexchal, $uamsecret); } else { $newchal = $hexchal; } $response = md5_hex("\0", $password, $newchal); $pappassword = unpack "H32", ($password ^ $newchal); #sleep 5; print "Content-type: text/html\n\n"; print "

PAGE 241

Wireless (for ISA550W and ISA570W only) Using External Web-Hosted CGI Scripts 5 print " --> "; exit(0); } # Default: It was not a form request $result = 0; # If login successful if ($res =~ /^success$/) { $result = 1; } # If login failed if ($res =~ /^failed$/) { $result = 2; } # If logout successful if ($res =~ /^logoff$/) { $result = 3; } # If tried to login while already logged in if ($res =~ /^already$/) { $result = 4; } # If not logged in yet i

PAGE 242

Wireless (for ISA550W and ISA570W only) Using External Web-Hosted CGI Scripts 5 } # Otherwise it was not a form request # Send out an error message if ($result == 0) { print "Content-type: text/html\n\n

PAGE 243

Wireless (for ISA550W and ISA570W only) Using External Web-Hosted CGI Scripts 5 if (hours < 10) hours = \"0\" + hours; if (mins < 10) mins = \"0\" + mins; if (secs < 10) secs = \"0\" + secs; title = \"Online time: \" + hours + \":\" + mins + \":\" + secs; if (mytimeleft) { title = \"Remaining time: \" + hours + \":\" + mins + \":\" + secs; } if(document.all || document.getElementById){ document.title = title; } else { self.status = title; } } function popUp(URL) { if (self.

PAGE 244

Wireless (for ISA550W and ISA570W only) Using External Web-Hosted CGI Scripts 5 else { opener.location = \"about:home\"; } self.focus(); blur = 0; } if ((result == 13) && (self.name == \"chillispot_popup\")) { self.focus(); blur = 1; } } function doOnBlur(result) { if ((result == 12) && (self.name == \"chillispot_popup\")) { if (blur == 0) { blur = 1; self.

PAGE 245

Wireless (for ISA550W and ISA570W only) Using External Web-Hosted CGI Scripts 5

PAGE 246

5 Wireless (for ISA550W and ISA570W only) Related Information "; } if (($result == 3) || ($result == 13)) { print "

Logged out from MySMB

PAGE 247

5 Wireless (for ISA550W and ISA570W only) Configuring Wireless Rogue AP Detection Cisco Small Business Home www.cisco.com/smb Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners.

PAGE 248

Wireless (for ISA550W and ISA570W only) Advanced Radio Settings 5 • To change the MAC address of an authorized access point, click the Edit (pencil) icon. • To export the list of authorized access points to a file, click Export. • To import the list of authorized access points from a file, click Import. Choose whether to replace the existing list of Authorized Access Points or add the entries in the imported file to the list of Authorized Access Points.

PAGE 249

Wireless (for ISA550W and ISA570W only) Advanced Radio Settings 5 - Select the AUTO radio button if you want the security appliance to perform a CTS handshake before transmitting a packet. This mode can minimize collisions among hidden stations. - Select the Disabled radio button if you want to permanently disable this feature. • Power Output: You can adjust the output power of the access point to get the appropriate coverage for your wireless network.

PAGE 250

Wireless (for ISA550W and ISA570W only) Advanced Radio Settings STEP 3 5 Click Save to apply your settings.

PAGE 251

6 Firewall This chapter describes how to configure firewall rules that control inbound and outbound traffic and to specify other settings that protect your network.

PAGE 252

Firewall Configuring Firewall Rules to Control Inbound and Outbound Traffic 6 Configuring Firewall Rules to Control Inbound and Outbound Traffic The zone-based firewall can permit or deny inbound or outbound traffic based on the zone, service, source and destination address, and schedule.

PAGE 253

6 Firewall Configuring Firewall Rules to Control Inbound and Outbound Traffic Security Levels and Predefined Zones Security Level Description Predefined Zones Trusted (100) Highest level of trust. LAN By default, the DEFAULT VLAN is mapped to the predefined LAN zone. You can group one or more VLANs into a Trusted zone. VPN (75) Higher level of trust than a public zone, but a lower level of trust than a trusted zone. VPN SSLVPN This security level is used exclusively for VPN connections.

PAGE 254

6 Firewall Configuring Firewall Rules to Control Inbound and Outbound Traffic Default Firewall Settings By default, the firewall prevents all traffic from a lower security zone to a higher security zone (commonly known as Inbound) and allows all traffic from a higher security zone to a lower security zone (commonly known as Outbound). For example, all traffic from the LAN (trusted zone) to the WAN (untrusted zone) is permitted, and traffic from the WAN (untrusted zone) to the DMZ (public zone) is blocked.

PAGE 255

6 Firewall Configuring Firewall Rules to Control Inbound and Outbound Traffic VOICE Deny N/A Permit Permit Permit Permit Permit VPN Deny Deny N/A Deny Permit Permit Permit SSLVPN Deny Deny Deny N/A Permit Permit Permit DMZ Deny Deny Deny Deny N/A Permit Permit GUEST Deny Deny Deny Deny Deny N/A Permit WAN Deny Deny Deny Deny Deny Deny N/A NOTE ACL rules are applicable for inter-VLAN traffic, whether within a zone or between zones.

PAGE 256

Firewall Configuring Firewall Rules to Control Inbound and Outbound Traffic 6 • To create a firewall rule that applies to a specific service or service group, first create the service or service group. See Service Management, page177. • To create a firewall rule that applies only to a specific address or address group, first create the address or address group. See Address Management, page175. • To create a firewall rule that applies only at a specific day and time, first create the schedule.

PAGE 257

Firewall Configuring Firewall Rules to Control Inbound and Outbound Traffic 6 • Check Enable to enable a firewall rule, or uncheck this box to disable it. By default, all default firewall rules are enabled. • To add a new entry, click the Add button. • To edit an entry, click the Edit (pencil) icon. • To delete an entry, click the Delete (x) icon. • To delete multiple entries, check them and click the Delete button. • Check Log to log the event when a firewall rule is hit.

PAGE 258

Firewall Configuring Firewall Rules to Control Inbound and Outbound Traffic 6 The Rule - Add/Edit window opens. STEP 3 Enter the following information: • Enable: Click On to enable the firewall rule, or click Off to create only the firewall rule. • From Zone: Choose the source zone for traffic that is covered by this firewall rule. For example, choose DMZ if traffic is coming from a server on your DMZ. • To Zone: Choose the destination zone for traffic that is covered by this firewall rule.

PAGE 259

Firewall Configuring Firewall Rules to Control Inbound and Outbound Traffic • 6 Match Action: Choose the action for traffic when the packet hits the firewall rule. - Deny: Deny access. - Permit: Permit access. - Accounting: Increase the Hit Count number by one when the packet hits the firewall rule. STEP 4 Click OK to save your settings. STEP 5 Click Save to apply your settings.

PAGE 260

Firewall Configuring Firewall Rules to Control Inbound and Outbound Traffic 6 This section provides a configuration example about how to create a WAN-to-LAN firewall rule to permit multicast traffic by using the predefined multicast address object. STEP 1 Click Firewall > Access Control > ACL Rules. STEP 2 Click Add to add a new firewall rule. The Rule - Add/Edit window opens. STEP 3 Enter the following information: • Enable: Click On to enable the firewall rule.

PAGE 261

Firewall Configuring NAT Rules to Securely Access a Remote Network 6 Email Alert, Remote Logs, and Local Log settings if you want to send firewall logs to a specified email address, save firewall logs to your local syslog daemon, and save firewall logs to a specified remote syslog server. See Configuring Log Settings, page 444. STEP 3 STEP 4 Go to the Device Management > Logs > Log Facilities page to enable Email Alert, Local Log, and/or Remote Log for the firewall facility.

PAGE 262

Firewall Configuring NAT Rules to Securely Access a Remote Network 6 Refer to the following topics: • Viewing NAT Translation Status, page 262 • Priorities of NAT Rules, page 263 • Configuring Dynamic PAT Rules, page 264 • Configuring Static NAT Rules, page 265 • Configuring Port Forwarding Rules, page 266 • Configuring Port Triggering Rules, page 268 • Configuring Advanced NAT Rules, page 269 • Configuring IP Alias for Advanced NAT rules, page 270 • Configuring an Advanced NAT Rule to Su

PAGE 263

Firewall Configuring NAT Rules to Securely Access a Remote Network 6 Field Description Translated Source Address IP address that the specified original source address is translated to. Translated Destination Port Interface that the specified destination interface is translated to. Translated Source Port Interface that the specified source interface is translated to. Tx Packets Number of transmitted packets. Rx Packets Number of received packets.

PAGE 264

Firewall Configuring NAT Rules to Securely Access a Remote Network 6 For example, if an advanced NAT rule and a port forwarding rule conflict, then the advanced NAT rule will take precedence over the port forwarding rule and the port forwarding rule will not take effect. Configuring Dynamic PAT Rules Dynamic Port Address Translation (Dynamic PAT) can only be used to establish connections from private network to public network.

PAGE 265

Firewall Configuring NAT Rules to Securely Access a Remote Network 6 Configuring Static NAT Rules Static NAT creates a fixed translation of a real address to a mapped address. Because the mapped address is the same for each consecutive connection, static NAT allows bidirectional connection initiation, both to and from the host (if a firewall rule allows it).

PAGE 266

Firewall Configuring NAT Rules to Securely Access a Remote Network STEP 5 6 Click Save to apply your settings. Configuring Port Forwarding Rules Port forwarding forwards a TCP/IP packet traversing a Network Address Translation (NAT) gateway to a pre-determined network port on a host within a NAT-masqueraded network, typically a private network based on the port number on which it was received at the gateway from the originating host.

PAGE 267

Firewall Configuring NAT Rules to Securely Access a Remote Network 6 NOTE: One-to-one translation will be performed for port range forwarding. For example, if you want to translate an original TCP service with the port range of 50000 to 50002 to a TCP service with the port range of 60000 to 60002, then the port 50000 will be translated to the port 60000, the port 50001 will be translated to the port 60001, and the port 50002 will be translated to the port 60002.

PAGE 268

Firewall Configuring NAT Rules to Securely Access a Remote Network 6 Configuring Port Triggering Rules Port triggering opens an incoming port for a specified type of traffic on a defined outgoing port. When a LAN device makes a connection on one of the defined outgoing ports, the security appliance opens the specified incoming port to support the exchange of data. The open ports will be closed again after 600 seconds when the data exchange is complete.

PAGE 269

Firewall Configuring NAT Rules to Securely Access a Remote Network • 6 Enable Port Triggering: Click On to enable the port triggering rule, or click Off to create only the port triggering rule. STEP 5 Click OK to save your settings. STEP 6 Click Save to apply your settings. Configuring Advanced NAT Rules Advanced NAT allows you to identify real addresses and real ports for address translation by specifying the source and destination addresses.

PAGE 270

Firewall Configuring NAT Rules to Securely Access a Remote Network 6 • Original Source Address: Choose the original source address for the packet. • Original Destination Address: Choose the original destination address for the packet. • Original Services: Choose the original TCP or UDP service. • Translated Source Address: Choose the translated source address for the packet. • Translated Destination Address: Choose the translated destination address for the packet.

PAGE 271

Firewall Configuring NAT Rules to Securely Access a Remote Network 6 For example, you host a HTTP server (192.168.75.20) on your LAN. Your ISP has provided a static IP address (1.1.1.3) that you want to expose to the public as your HTTP server address. You want to allow Internet user to access the internal HTTP server by using the specified public IP address. Solution: Assuming that the IP address of the WAN1 port is 1.1.1.2 and you are assigned another public IP address 1.1.1.3.

PAGE 272

Firewall Configuring NAT Rules to Securely Access a Remote Network 6 Solution: Assuming that the IP address of the WAN1 port is 1.1.1.2 and the SSL VPN client address pool is set as 192.168.200.0/24. You can first create a host address object with the IP 1.1.1.3 called “PublicIP,” and then create an advanced NAT rule as follows to allow SSL VPN clients to access the Internet: From Any To WAN1 NOTE: It must be set as a WAN port and cannot be set as Any.

PAGE 273

Firewall Configuring NAT Rules to Securely Access a Remote Network STEP 3 STEP 4 Original Service FTP-CONTROL Translated Service FTP-CONTROL Translated IP FTPServer WAN WAN1 WAN IP WAN1_IP Enable Port Forwarding On Create Firewall Rule On 6 A firewall rule will be automatically created as follows to allow access.

PAGE 274

6 Firewall Firewall and NAT Rule Configuration Examples Translated Source Address WAN1_IP Translated Destination Address FTPServer Translated Services FTP-CONTROL Firewall and NAT Rule Configuration Examples This section provides some configuration examples on adding firewall and NAT rules.

PAGE 275

6 Firewall Firewall and NAT Rule Configuration Examples STEP 3 STEP 4 Original Service FTP-CONTROL Translated Service FTP-CONTROL Translated IP InternalFTP WAN WAN1 WAN IP WAN1_IP Enable Port Forwarding On Or go to the Firewall > NAT > Advanced NAT page to create an advanced NAT rule as follows.

PAGE 276

6 Firewall Firewall and NAT Rule Configuration Examples Source Address ANY Destination Address InternalFTP Match Action Permit NOTE When you create the port forwarding rule, you can check Create Firewall Rule to automatically generate the firewall rule. Allowing Inbound Traffic Using a Public IP Address Use Case: You host an RDP server on the DMZ. Your ISP has provided a static IP address that you want to expose to the public as your RDP server address.

PAGE 277

6 Firewall Firewall and NAT Rule Configuration Examples STEP 4 STEP 5 Or go to the Firewall > NAT > Advanced NAT page to create an advanced NAT rule as follows.

PAGE 278

6 Firewall Firewall and NAT Rule Configuration Examples STEP 1 Click Configuration Wizards > DMZ Wizard. STEP 2 In the DMZ Configuration page, configure a DMZ network as follows: STEP 3 Name DMZ IP 192.168.12.1 Netmask 255.255.255.

PAGE 279

6 Firewall Firewall and NAT Rule Configuration Examples Match Action Permit Allowing Inbound Traffic from Specified Range of Outside Hosts Use Case: You want to allow incoming video conferencing to be initiated from a restricted range of outside IP addresses (132.177.88.2 to 132.177.88.254). In the example, connections for CU-SeeMe (an Internet video-conferencing client) are allowed only from a specified range of external IP addresses.

PAGE 280

6 Firewall Firewall and NAT Rule Configuration Examples Services CU-SEEME Source Address OutsideNetwork Destination Address InternalIP Match Action Permit Blocking Outbound Traffic by Schedule and IP Address Range Use Case: Block all weekend Internet usage if the request originates from a specified range of IP addresses. Solution: Create an address object with the range 10.1.1.1 to 10.1.1.

PAGE 281

6 Firewall Configuring Content Filtering to Control Internet Access From Zone LAN To Zone WAN Services SMTP Source Address Any Destination Address OffsiteMail Match Action Deny Configuring Content Filtering to Control Internet Access Content Filtering blocks or allows HTTP access to websites containing specific keywords or domains. It controls access to certain Internet sites based on analysis of its content (domain or URL keyword), rather than its source or other criteria.

PAGE 282

Firewall Configuring Content Filtering to Control Internet Access 6 Other options: To edit an entry, click the Edit (pencil) icon. To delete an entry, click the Delete (x) icon. The Content Filtering Policies - Add/Edit window opens. STEP 3 Enter the following information: • Policy Profile: Enter the name for the content filtering policy profile. • Description: Enter a brief description for the content filtering policy profile.

PAGE 283

Firewall Configuring Content Filtering to Control Internet Access STEP 2 6 Enter the following information: • Enable Content Filter URL: Click On to enable the website access rule, or click Off to create only the website access rule. • URL: Enter the domain name or URL keyword of a website that you want to permit or block.

PAGE 284

Firewall Configuring Content Filtering to Control Internet Access STEP 4 6 Click Save to apply your settings. Configuring Advanced Content Filtering Settings STEP 1 Click Firewall > Content Filtering > Advanced Settings. STEP 2 Enter the following information: • Filter Traffic on HTTP Port: Enter the port number that is used for filtering HTTP traffic. Content Filtering only monitors and controls the website visits through this HTTP port. The default value is 80.

PAGE 285

Firewall Configuring MAC Address Filtering to Permit or Block Traffic STEP 3 6 Click Save to apply your settings. Configuring MAC Address Filtering to Permit or Block Traffic MAC Address Filtering permits and blocks network access from specific devices through the use of MAC address list. The MAC Address Filtering settings apply for all traffic except Intra-VLAN and Intra-SSID. STEP 1 Click Firewall > MAC Filtering > MAC Address Filtering. The MAC Address Filtering window opens.

PAGE 286

Firewall Configuring IP-MAC Binding to Prevent Spoofing 6 Configuring IP-MAC Binding to Prevent Spoofing IP-MAC Binding allows you to bind an IP address to a MAC address and vice-versa. It only allows traffic when the host IP address matches a specified MAC address. By requiring the gateway to validate the source traffic’s IP address with the unique MAC address of device, this ensures that traffic from the specified IP address is not spoofed.

PAGE 287

6 Firewall Configuring Attack Protection Configuring Attack Protection Use the Attack Protection page to specify how to protect your network against common types of attacks including discovery, flooding, and echo storms. STEP 1 Click Firewall > Attack Protection. STEP 2 In the WAN Security Checks area, enter the following information: STEP 3 • Block Ping WAN Interface: Check this box to prevent attackers from discovering your network through ICMP Echo (ping) requests.

PAGE 288

6 Firewall Configuring Session Limits • STEP 5 Block Multicast Packets: Check this box to block multicast packets. By default, the firewall blocks all multicast packets. This feature has higher priority than the firewall rules, which indicates that the firewall rules that permit multicast traffic will be overridden if you enable this feature.

PAGE 289

Firewall Configuring Application Level Gateway STEP 3 6 • Maximum Connections: Limit the number for TCP and UDP connections. Enter a value in the range 1000 to 60000. The default value is 60000. • TCP Timeout: Enter the timeout value in seconds for TCP session. Inactive TCP sessions are removed from the session table after this duration. The valid range is 5 to 3600 seconds. The default value is 1200 seconds. • UDP Timeout: Enter the timeout value in seconds for UDP session.

PAGE 290

Firewall Configuring Application Level Gateway STEP 3 6 • H.323 Support: H.323 is a standard teleconferencing protocol suite that provides audio, data, and video conferencing. It allows for real-time point-to-point and multipoint communication between client computers over a packet-based network that does not provide a guaranteed quality of service. Check this box to enable H.323 ALG support, or uncheck this box to disable this feature.

PAGE 291

7 Security Services This chapter describes how to configure Unified Threat Management (UTM) security services to provide protection from Internet threats.

PAGE 292

7 Security Services About Security Services About Security Services The security appliance supports a variety of UTM security services to provide the Internet threat protection for your network. By default, all security services except Network Reputation are disabled. The following table lists all available security services on the security appliance.

PAGE 293

7 Security Services Activating Security Services Anti-Virus, Application Control, and IPS are signature-based security services. You must update the signatures frequently to ensure that these security services can give you the best protection. Spam Filter, Network Reputation, Web Reputation Filtering, and Web URL Filtering are reputation-based security services. They obtain the security data from the SecApps servers and determine which traffic is allowed or blocked.

PAGE 294

7 Security Services Security Services Dashboard Security Services Dashboard Use the Dashboard page to view the status of the security license, enable or disable security services, and check for signature updates for all signature-based security services. STEP 1 Click Security Services > Dashboard. The Dashboard window opens. STEP 2 In the License Status area, the security license status is displayed.

PAGE 295

7 Security Services Viewing Security Services Reports The date and time of your last check are displayed in the Last Check column. When a signature file is updated successfully, the date and time of the last successful update are displayed in the Last Update column. • STEP 4 Spam Filter, Web URL Filtering, Web Reputation Filtering, and Network Reputation obtain the security data from the SecApps servers and determine which traffic is allowed or blocked.

PAGE 296

7 Security Services Viewing Security Services Reports • Viewing IPS Report, page 300 • Viewing Application Control Report, page 301 NOTE The security services reports are only active after the security license is installed. Before you choose a report to view, make sure that the corresponding security service is enabled. Viewing Web Security Report This report displays the number of web access requests logged and the number of websites blocked by Web URL Filtering, Web Reputation Filtering, or both.

PAGE 297

7 Security Services Viewing Security Services Reports Field Description Total Last 7 Days Total number of web access requests processed and total number of websites blocked in last seven days. Total Today Total number of web access requests processed and total number of websites blocked in one day. Graph Total number of web access requests processed and total number of websites blocked per day in last seven days.

PAGE 298

7 Security Services Viewing Security Services Reports Field Description Total Since Activated Total number of files checked and total number of viruses detected since the Anti-Virus service was activated. Total Last 7 Days Total number of files checked and total number of viruses detected in last seven days. Total Today Total number of files checked and total number of viruses detected in one day. Graph Total number of files checked and total number of viruses detected per day in last seven days.

PAGE 299

7 Security Services Viewing Security Services Reports Field Description Total Last 7 Days Total number of emails checked and total number of spam or suspected spam emails detected in last seven days. Total Today Total number of emails checked and total number of spam or suspected spam emails detected in one day. Graph Total number of emails checked and total number of spam or suspected spam emails detected per day in last seven days.

PAGE 300

7 Security Services Viewing Security Services Reports Field Description Total Today Total number of packets checked and total number of packets blocked in one day. Graph Total number of packets checked and total number of packets blocked per day in last seven days. Viewing IPS Report This report displays the number of packets detected and the number of packets dropped by the IPS service.

PAGE 301

7 Security Services Viewing Security Services Reports Field Description Graph Total number of packets detected and total number of packets dropped per day in last seven days. Viewing Application Control Report This report displays the number of packets detected and the number of packets blocked by the Application Control service.

PAGE 302

7 Security Services Configuring Anti-Virus Field Description Graph Total number of packets detected and total number of packets blocked per day in last seven days. Configuring Anti-Virus Anti-Virus helps protect your network from viruses and malware. Anti-Virus scans for viruses over a multitude of protocols, including HTTP, FTP, POP3, SMTP, CIFS, NETBIOS, and IMAP. NOTE Anti-Virus covers the most recent and widespread threats but cannot detect all known viruses (including rare samples).

PAGE 303

7 Security Services Configuring Anti-Virus Refer to the following topics: • General Anti-Virus Settings, page 303 • Configuring Advanced Anti-Virus Settings • Configuring HTTP Notification, page 307 • Configuring Email Notification, page 307 • Updating Anti-Virus Signatures, page 308 General Anti-Virus Settings Use the General Settings page to enable or disable Anti-Virus, specify the zones to scan for viruses, and configure the preventive actions for different types of traffic, and set the maxi

PAGE 304

7 Security Services Configuring Anti-Virus - • To save Anti-Virus logs to the remote syslog server if you have a remote syslog server support, you must enable the Log feature, specify the Remote Log settings, and enable the Remote Log settings for the Anti-Virus facility. Action: Specify the preventive action for different types of traffic when viruses are detected. The following table lists all available actions for each protocol.

PAGE 305

7 Security Services Configuring Anti-Virus Protocol Action SMTP Email Attachments None: No action is required when viruses are detected. Notify: Send the original email and an alert email to the email receiver when viruses are detected in email attachments. Notify + Destruct File: Delete the infected files and send the original email and an alert email to the email receiver when viruses are detected in email attachments.

PAGE 306

7 Security Services Configuring Anti-Virus STEP 5 In the Update Virus Database area, specify how to update the Anti-Virus signatures. You can automatically check for signature updates from Cisco’s signature server every 24 hours or manually check for signature updates at any time by clicking Update. See Updating Anti-Virus Signatures, page 308. STEP 6 Click Save to apply your settings. Configuring Advanced Anti-Virus Settings Use the Advanced Settings page to configure the scan settings.

PAGE 307

7 Security Services Configuring Anti-Virus Configuring HTTP Notification HTTP Notification informs users that viruses are detected in web pages or in files that they try to access. Use the HTTP Notification page to customize the notification message that will be sent to the user when viruses are detected. STEP 1 Click Security Services > Anti-Virus > HTTP Notification. STEP 2 Enter the alert message in the Notification Content field.

PAGE 308

7 Security Services Configuring Anti-Virus NOTE: The above email server settings are read only. They are used to send the alert email to the original email receiver. You can click the Edit link to configure the email server settings, but save your settings on this page first. See Configuring Email Alert Settings, page 408.

PAGE 309

7 Security Services Configuring Application Control STEP 3 To automatically update the Anti-Virus signatures, perform the following steps: a. In the Auto Update Virus Database area, click On to automatically check for signature updates from Cisco’s signature server every 24 hours. b. Click Save to apply your settings. STEP 4 To manually update the Anti-Virus signatures at any time, click Update to check for signature updates from Cisco’s signature server immediately.

PAGE 310

7 Security Services Configuring Application Control Configuring Application Control Policies Use the Application Control Policies page to configure the application control policies. An application control policy allows you to permit or block traffic for the applications by schedule. Important Tips: • Be aware that the Cisco ISA500 can control access only for the traffic that it handles.

PAGE 311

7 Security Services Configuring Application Control • STEP 3 Click the Delete (x) icon to delete an existing application control policy. The default application control policy cannot be deleted. Click Save to apply your settings. Adding an Application Control Policy An application control policy is used to permit or block traffic for the applications by schedule. NOTE Up to 80 custom application control policies can be configured on the security appliance.

PAGE 312

7 Security Services Configuring Application Control NOTE: By default, the table filter settings are hidden. You can click the triangle next to Hide Table Filter Settings to display or hide the table filter settings. STEP 4 After you set the table filter settings, click Refresh Table to refresh the data in the table. Only the applications that you specified are displayed in the table.

PAGE 313

7 Security Services Configuring Application Control • Logging: Choose Enable to log the event when an application is blocked, or choose Disable to disable the logging feature. If the logging settings vary among the applications in a category, you must first choose the keep application-level settings option, and then configure the logging settings for each application in the category. See Permitting or Blocking Traffic for an Application, page 313.

PAGE 314

7 Security Services Configuring Application Control • Application: The name of the application. • Action: Choose Permit to permit traffic for the application or choose Deny to block traffic for the application. • Logging: Choose Enable to log the event when an application is blocked, or choose Disable to disable the logging function.

PAGE 315

7 Security Services Configuring Application Control • Enabling Application Control Service, page 315 • Mapping Application Control Policies to Zones, page 315 • Configuring Application Control Policy Mapping Rules, page 316 • Updating Application Signature Database, page 317 Enabling Application Control Service STEP 1 Click Security Services > Application Control > Application Control Settings. STEP 2 Click On to enable the Application Control feature, or click Off to disable it.

PAGE 316

7 Security Services Configuring Application Control • STEP 3 Re-order the priorities of multiple application control policy mapping rules within a given zone. To move the rule up one position, click the Move up icon. To move the rule down one position, click the Move down icon. The default application control policy mapping rule must be the last policy with the lowest priority for a zone. Click Save to apply your settings.

PAGE 317

7 Security Services Configuring Application Control in the list, choose Create a new address to create a new address object. To maintain the address objects, go to Networking > Address Management page. See Address Management, page 175. STEP 3 Click OK to save your settings. Updating Application Signature Database Application Control uses signatures to identify and block the applications.

PAGE 318

7 Security Services Configuring Application Control STEP 4 To manually update the application signatures at any time, click Check for Update Now to check for signature updates from Cisco’s signature server immediately. You can also click Check for Updates Now from the Security Services > Dashboard page to manually update the application signatures. STEP 5 To manually update the application signatures from your local PC, perform the following steps: a.

PAGE 319

7 Security Services Configuring Spam Filter NOTE: By default, the table filter settings are hidden. You can click the triangle next to Show Table Filter Settings to display or hide the table filter settings. STEP 3 After you set the table filter settings, click Refresh Table to refresh the data in the table. STEP 4 You can enable or disable the detection for the selected applications in the table.

PAGE 320

7 Security Services Configuring Spam Filter STEP 4 STEP 5 STEP 6 • Action when Suspect Spam Detected: Choose Block Email to block the email, or choose Tag Email with [Suspect Spam] to get the email tagged with [Suspect Spam]. • Reputation Threshold: Specify the block sensitivity as Low, Medium, or High, or as a numerical threshold (Custom). - Low: Blocks less spam with lowest risk of false positives. The threshold value for spam is -4 and the threshold value for suspected spam is -2.

PAGE 321

7 Security Services Configuring Intrusion Prevention Configuring Intrusion Prevention Intrusion Prevention System (IPS) is a network-based platform that inspects network traffic for malicious or unwanted activity such as worms, spyware, and policy violations. When IPS detects a threat, it reacts in real-time by taking actions such as blocking or dropping connections, logging the detected activities, and sending notifications about these activities.

PAGE 322

7 Security Services Configuring Intrusion Prevention NOTE: You can block an intrusion based on the source zones or based on the destination zones. For example, if you select the LAN and DMZ zones, IPS inspects all traffic for the LAN and DMZ zones regardless of its source. Traffic between LAN and DMZ is inspected once, not twice. If you select the WAN zone, IPS inspects all traffic for the WAN zone regardless of its destination.

PAGE 323

7 Security Services Configuring Intrusion Prevention NOTE: For ease of use, you can edit the preventive actions for a group of signatures. Check the box for each signature that you want to change, or select all signatures by checking the box in the top left corner of the table. To edit the settings for the selected signatures, click the Edit (pencil) icon at the top of the table.

PAGE 324

7 Security Services Configuring Intrusion Prevention To log IPS events, you must first specify the action for the signatures, and then go to the Device Management > Logs pages to configure the log settings and log facilities. See Log Management, page 442. To save IPS logs to the local syslog daemon, you must enable the Log feature, set the log buffer size and the severity for local logs, and then enable the Local Log settings for the Intrusion Prevention (IPS) facility.

PAGE 325

Security Services Configuring Web Reputation Filtering STEP 3 7 • Last Check: The date and time of the last check. • Last Update: The date and time of the last successful update when the signature file is updated successfully. • Version: The version number of the IPS signature file that is currently used on the security appliance. To automatically update the IPS signatures, perform the following steps: a.

PAGE 326

7 Security Services Configuring Web Reputation Filtering You can create a “white list” of trusted sites by adding up to 256 Allowed Web Sites. The specified websites will not be examined by Web Reputation Filtering. STEP 1 Click Security Services > Web Reputation Filtering. STEP 2 Click On to enable Web Reputation Filtering, or click Off to disable it. STEP 3 Specify the block sensitivity as Low, Medium, or High, or as a numerical threshold (Custom).

PAGE 327

7 Security Services Configuring Web URL Filtering STEP 5 STEP 6 In the Service Outage area, you can specify how to deal with web traffic when Web Reputation Filtering is unavailable. Choose one of the following actions: • Block Web Traffic when web reputation filter services are not available: All web traffic is blocked until Web Reputation Filtering is available. The default block page will be displayed when a web page is blocked.

PAGE 328

7 Security Services Configuring Web URL Filtering Configuring Web URL Filtering Policy Profiles A Web URL Filtering policy profile is used to specify which URL categories are blocked or allowed. NOTE Up to 256 Web URL Filtering policy profiles can be configured on the security appliance. STEP 1 Click Security Services > Web URL Filtering > Policy Profile. STEP 2 To add a new Web URL Filtering policy profile, click Add. Other Options: To edit an entry, click the Edit (pencil) icon.

PAGE 329

7 Security Services Configuring Web URL Filtering Configuring Website Access Control List Blocking an URL category will block all websites that belong to this category. You can specify the website exceptions in the website access control list. The website exceptions will override the URL category settings in the same profile. NOTE Up to 32 website exceptions can be configured for each Web URL Filtering policy profile.

PAGE 330

7 Security Services Configuring Web URL Filtering STEP 4 Click OK to save your settings. Mapping Web URL Filtering Policy Profiles to Zones Use the Policy to Zone Mapping page to apply the Web URL Filtering policy profile to each zone. The Web URL Filtering policy assigned to each zone determines whether to block or forward the HTTP requests from the hosts in the zone. By default, Default Profile that permits all URL categories is assigned to all predefined zones and new zones.

PAGE 331

7 Security Services Configuring Web URL Filtering STEP 3 STEP 4 STEP 5 - Proxy: Check this box to block proxy servers, which can be used to circumvent certain firewall rules and thus present a potential security gap. - Java: Check this box to block Java applets that can be downloaded from pages that contain them. - ActiveX: Check this box to prevent ActiveX applets from being downloaded through Internet Explorer. - Cookies: Check this box to block cookies, which typically contain sessions.

PAGE 332

7 Security Services Network Reputation Network Reputation Network Reputation blocks incoming traffic from IP addresses that are known to initiate attacks throughout the Internet. Network Reputation checks the source and destination addresses of each packet against the address blacklist to determine whether to proceed or to drop the packet. The blacklist data is automatically updated every six hours.

PAGE 333

8 VPN This chapter describes how to configure Virtual Private Networks (VPNs) that allow other sites and remote workers to access your network resources.

PAGE 334

8 VPN About VPNs About VPNs A VPN provides a secure communication channel (also known as a “tunnel”) between two gateway routers or between a remote PC and a gateway router. The security appliance supports the following VPN solutions: • Site-to-Site VPN: Connects two routers to secure traffic between two sites that are physically separated. See Configuring a Site-to-Site VPN, page 340. • IPsec Remote Access: Allows the security appliance to act as a head-end device in remote access VPNs.

PAGE 335

8 VPN Viewing VPN Status Viewing VPN Status This section describes how to view information for all VPN sessions. Refer to the following topics: • Viewing IPsec VPN Status, page 335 • Viewing SSL VPN Status, page 337 Viewing IPsec VPN Status Use the IPsec VPN Status page to view the status of all IPsec VPN sessions. This page is automatically updated every 10 seconds. Click Refresh to manually refresh the data.

PAGE 336

8 VPN Viewing VPN Status Field Description Remote Gateway IP address of the remote peer. NOTE: For a site-to-site VPN session, it displays the IP address of the remote gateway. For an IPsec VPN session between the Teleworker VPN client and a remote IPsec VPN server, it displays the IP address of the IPsec VPN server. For an IPsec VPN session between the IPsec VPN server and a remote VPN client, it displays the IP address of the remote VPN client.

PAGE 337

8 VPN Viewing VPN Status Field Description Teleworker VPN Client If the Teleworker VPN Client feature is enabled and the security appliance is acting as a Cisco VPN hardware client, the following information is displayed. Status Shows if the Teleworker VPN Client feature is enabled or disabled. Primary DNS IP address of the primary DNS server. Secondary DNS IP address of the secondary DNS server. Primary WINS IP address of the primary WINS server.

PAGE 338

8 VPN Viewing VPN Status Field Description Client IP (Actual) Actual IP address used by the SSL VPN client. Client IP (VPN) Virtual IP address of the SSL VPN client assigned by the SSL VPN gateway. Connect Time Amount of time since the SSL VPN user first established the connection. SSL VPN Statistics In the Global Status area, the global statistic information is displayed. To clear the global statistic information, click Clear. Active Users Total number of connected SSL VPN users.

PAGE 339

8 VPN Viewing VPN Status Field Description In CSTP Bytes Total number of bytes in the CSTP frames received from the client. In CSTP Data Number of CSTP data frames received from the client. In CSTP Control Number of CSTP control frames received from the client. Out CSTP Frames Number of CSTP frames sent to the client. Out CSTP Bytes Total number of bytes in the CSTP frames sent to the client. Out CSTP Data Number of CSTP data frames sent to the client.

PAGE 340

8 VPN Configuring a Site-to-Site VPN Configuring a Site-to-Site VPN A site-to-site VPN tunnel connects two routers to secure traffic between two sites that are physically separated. Figure 3 Site-to-Site VPN Internet Outside 209.165.200.226 Outside 209.165.200.236 Site A Site B ISA500 ISA500 Inside 10.20.20.0 Inside 10.10.10.0 Printer Personal computers Personal computers 283057 Printer This section describes how to set up the site-to-site VPN tunnels.

PAGE 341

8 VPN Configuring a Site-to-Site VPN Configuration Tasks to Establish a Site-to-Site VPN Tunnel To establish a site-to-site VPN tunnel, complete the following configuration tasks: • Add the subnet IP address objects for your local network and remote network. See Address Management, page 175. • (Optional) Import the certificates for authentication between two peers. Skip this step if you want to use the pre-shared key for authentication. See Managing Certificates for Authentication, page 418.

PAGE 342

8 VPN Configuring a Site-to-Site VPN STEP 2 • WAN Interface: The WAN port that traffic passes through over the IPsec VPN tunnel. • Peers: The IP address of the remote peer. • Local: The local network of the local peer. • Remote: The remote network of the remote peer. • IKE: The IKE policy used for the IPsec VPN policy. • Transform: The transform set used for the IPsec VPN policy. Click On to enable site-to-site VPN, or click Off to disable it.

PAGE 343

8 VPN Configuring a Site-to-Site VPN Configuring IPsec VPN Policies The IPsec VPN policy is used to establish the VPN connection between two peers. ISA550 and ISA550W support up to 50 IPsec VPN tunnels. ISA570 and ISA570W support up to 100 IPsec VPN tunnels. NOTE Before you create an IPsec VPN policy, make sure that the IKE and transform policies are configured. Then you can apply the IKE and transform policies to the IPsec VPN policy. STEP 1 Click VPN > Site-to-Site > IPsec Policies.

PAGE 344

8 VPN Configuring a Site-to-Site VPN • Authentication Method: Choose one of the following authentication methods: - Pre-shared Key: Uses a simple, password-based key to authenticate. If you choose this option, enter the desired value that the peer device must provide to establish a connection in the Key field. The pre-shared key must be entered exactly the same here and on the remote peer. - Certificate: Uses the digital certificate from a third party Certificate Authority (CA) to authenticate.

PAGE 345

8 VPN Configuring a Site-to-Site VPN STEP 4 In the Advanced Settings tab, enter the following information: • PFS Enable: Click On to enable Perfect Forward Secrecy (PFS) to improve security, or click Off to disable it. If you enable PFS, a Diffie-Hellman exchange is performed for every phase-2 negotiation. PFS is desired on the keying channel of the VPN connection. • DPD Enable: Click On to enable Dead Peer Detection (DPD), or click Off to disable it.

PAGE 346

8 VPN Configuring a Site-to-Site VPN NOTE: The VPN firewall rules that are automatically generated by the zone access control settings will be added to the list of firewall rules with the priority higher than default firewall rules, but lower than custom firewall rules. • Apply NAT Policies: Click On to apply the NAT settings for both the local network and the remote network communicating over the VPN tunnel.

PAGE 347

8 VPN Configuring a Site-to-Site VPN Figure 4 Networking Example that Simulates Two Merging Companies with the Same IP Addressing Scheme 172.16.1.2 Site A 172.16.1.1 Router A NAT pool 10.5.76.58 172.18.x.x NAT pool 172.19.x.x 10.5.76.57 ISA500 172.16.1.1 172.16.1.2 283058 Site B In this example, when the host 172.16.1.2 at Site A accesses the same IP-addressed host at Site B, it connects to a 172.19.1.2 address rather than to the actual 172.16.1.2 address.

PAGE 348

8 VPN Configuring a Site-to-Site VPN • STEP 5 SA-Lifetime: Enter the lifetime of the IPsec Security Association (SA). The IPsec SA lifetime represents the interval after which the IPsec SA becomes invalid. The IPsec SA is renegotiated after this interval. The default value is 1 hour. In the VPN Failover tab, enter the following information: • WAN Failover Enable: Click On to enable WAN Failover for site-to-site VPN, or click Off to disable it.

PAGE 349

8 VPN Configuring a Site-to-Site VPN • STEP 8 If you only want to create the IPsec VPN policy and do not want to immediately activate the connection after the settings are saved, click the Do Not Activate button. The connection will be triggered by any traffic that matches the IPsec VPN policy and the VPN tunnel will be set up automatically. You can also click the Connect icon to manually establish the VPN connection. Click Save to apply your settings.

PAGE 350

8 VPN Configuring a Site-to-Site VPN NOTE: Ensure that the authentication algorithm is configured identically on both sides. • • • Authentication: Specify the authentication method that the security appliance uses to establish the identity of each IPsec peer. - Pre-shared Key: Uses a simple, password-based key to authenticate. The alpha-numeric key is shared with the IKE peer. Pre-shared keys do not scale well with a growing network but are easier to set up in a small network.

PAGE 351

8 VPN Configuring a Site-to-Site VPN Configuring Transform Sets A transform set specifies the algorithms of integrity and encryption that the peer will use to protect data communications. Two peers must use the same algorithm to communicate. NOTE Up to 16 transform sets can be configured on the security appliance. STEP 1 Click VPN > Site-to-Site > Transform Policies. The Transform Sets window opens. The default and custom transform sets are listed in the table.

PAGE 352

8 VPN Configuring a Site-to-Site VPN STEP 5 Click Save to apply your settings. Remote Teleworker Configuration Examples site-to-site VPN IP IP IP Phone 283881 Use Case: You want to establish a site-to-site VPN tunnel between the security appliance and a remote UC500 to provide voice and data services to phones at a remote site.

PAGE 353

8 VPN Configuring a Site-to-Site VPN Field Setting Transform Integrity = ESP_SHA1_HMAC Encryption = ESP_3DES NOTE: The default transform set used on the UC500 cannot be modified through CCA. The above transform settings must be configured on the security appliance. Use Case: The UC500 device is behind the security appliance. You want to establish a site-to-site VPN tunnel between two security appliances to provide voice and data services to phones at a remote site.

PAGE 354

8 VPN Configuring a Site-to-Site VPN Original Source Address uc540-datalan Original Destination Address Any Original Services Any Translated Source Address WAN1_IP Translated Destination Address Any Translated Services Any NOTE: You can choose the Create a new address option from the drop-down list to create an address object for the data LAN (10.25.1.0/24) behind the UC500 and then select it as the original source address.

PAGE 355

8 VPN Configuring IPsec Remote Access Configuring IPsec Remote Access The IPsec Remote Access feature introduces server support for the Cisco VPN Client (Release 4.x and 5.x) software clients and the Cisco VPN hardware clients. This feature allows remote users to establish the VPN tunnels to securely access the corporate network resources. Centrally managed IPsec policies are “pushed” to remote VPN clients by the VPN server, minimizing configuration by end users.

PAGE 356

8 VPN Configuring IPsec Remote Access Field Setting Transform Integrity = SHA Encryption = ESP_AES_256 This section describes how to configure the IPsec Remote Access feature.

PAGE 357

8 VPN Configuring IPsec Remote Access NOTE You must log in and possess a valid service contract in order to access the Cisco VPN Client software. A 3-year Cisco Small Business Support Service Contract (CON-SBS-SVC2) is required to download the client software from Cisco.com. If you don’t have one, contact your partner or reseller, or Cisco Support for more information. For more information about how to download, install, and configure the Cisco VPN Client software, see this web page: http://www.cisco.

PAGE 358

8 VPN Configuring IPsec Remote Access • WAN Interface: Choose the WAN port that traffic passes through over the VPN tunnel. • IKE Authentication Method: Choose the authentication method. - Pre-shared Key: Uses a simple, password-based key to authenticate. If you choose this option, enter the desired value that remote VPN clients must provide to establish the VPN connections in the Password field. The pre-shared key must be entered exactly the same here and on the remote clients.

PAGE 359

8 VPN Configuring IPsec Remote Access • Client Internet Access: Check this box to automatically create advanced NAT rules to allow remote VPN clients to access the Internet over the VPN tunnels. If you uncheck this box, you can manually create advanced NAT rules. See Allowing IPsec Remote VPN Clients to Access the Internet, page 360. • WAN Failover: Click On to enable WAN Failover, or click Off to disable it.

PAGE 360

8 VPN Configuring IPsec Remote Access NOTE: The backup servers that you specified on the IPsec VPN server will be sent to remote VPN clients when initiating the VPN connections. The remote VPN clients will cache them. • Split Tunnel: Click On to enable the split tunneling feature, or click Off to disable it. Split tunneling allows only traffic that is specified by the VPN client routes to corporate resources through the VPN tunnel. If you enable split tunneling, you need to define the split subnets.

PAGE 361

8 VPN Configuring IPsec Remote Access Field Setting Mode Client Pool Range for Client LAN Start IP: 192.168.3.2 Client Internet Access Disable WAN Failover On End IP: 192.168.3.254 NOTE: An address object with the range 192.168.3.2 to 192.168.3.254 called “EZVPN_VPNGroup1” will be automatically created. STEP 2 STEP 3 If only a single WAN interface is configured, go to the Firewall > NAT > Advanced NAT page to create an advanced NAT rule as follows.

PAGE 362

8 VPN Configuring IPsec Remote Access Field Setting Name VPNClient_to_WAN1 Enable On From Any To WAN1 Original Source Address EZVPN_VPNGroup1 Original Destination Address Any Original Services Any Translated Source Address WAN1_IP Translated Destination Address Any Translated Services Any Field Setting Name VPNClient_to_WAN2 Enable On From Any To WAN2 Original Source Address EZVPN_VPNGroup1 Original Destination Address Any Original Services Any Translated Source Addre

PAGE 363

8 VPN Configuring Teleworker VPN Client Field Setting Translated Destination Address Any Translated Services Any Configuring Teleworker VPN Client The Teleworker VPN Client feature minimizes the configuration requirements at remote locations by allowing the security appliance to work as a Cisco VPN hardware client to receive the security policies upon the VPN tunnel from a remote IPsec VPN server.

PAGE 364

8 VPN Configuring Teleworker VPN Client NOTE When the security appliance is acting as a Cisco VPN hardware client, the following IKE policy and transform set are used by default. The IKE policy and transform set used on the security appliance are unconfigurable.

PAGE 365

8 VPN Configuring Teleworker VPN Client Benefits of the Teleworker VPN Client Feature • Allows dynamic configuration of end-user policy, requiring less manual configuration by end users and field technicians, thus reducing errors and further service calls. • Allows the provider to change equipment and network configurations as needed, with little or no reconfiguration of the end-user equipment. • Provides for centralized security policy management.

PAGE 366

8 VPN Configuring Teleworker VPN Client • Network Extension Mode, page 367 Client Mode Client mode specifies that NAT or PAT be done so that the PCs and other hosts at the remote end of the VPN tunnel form a private network that do not use any IP addresses in the IP address space of the destination server. In Client mode, the outside interface of the Cisco VPN hardware client can be assigned an IP address by the remote server. Figure 7 illustrates the client mode of operation.

PAGE 367

8 VPN Configuring Teleworker VPN Client Network Extension Mode Network Extension Mode (NEM) specifies that the PCs and other hosts at the client end of the VPN tunnel should be given IP addresses that are fully routable and reachable by the destination network over the tunneled network so that they form one logical network. PAT is not used, which allows the client PCs and hosts to have direct access to the PCs and hosts at the destination network.

PAGE 368

8 VPN Configuring Teleworker VPN Client General Teleworker VPN Client Settings This section describes how to enable the Teleworker VPN Client feature, configure the Auto Initiation Retry settings, and manually connect or disconnect the VPN connections. STEP 1 Click VPN > Teleworker VPN Client.

PAGE 369

8 VPN Configuring Teleworker VPN Client STEP 3 Click Save to apply your settings. STEP 4 To manually initiate the VPN connection, click the Connect icon in the Configure column. By default, the group policy that the Activate Connection on Startup setting is enabled will automatically initiate the VPN connection when the security appliance starts up. Only one VPN connection can be active at a time. STEP 5 To manually terminate the VPN connection, click the Disconnect icon.

PAGE 370

8 VPN Configuring Teleworker VPN Client • IKE Authentication Method: The VPN client must be properly authenticated before it can access the remote network. Choose one of the following authentication methods: - Pre-shared Key: Choose this option if the IPsec VPN server uses a simple, password-based key to authenticate and then enter the following information: Group Name: Enter the name of the IPsec Remote Access group policy that is defined on the IPsec VPN server.

PAGE 371

8 VPN Configuring Teleworker VPN Client the connection will form one logical network. PAT will be automatically disabled, allowing the PCs and hosts at both ends of the connection to have direct access to one another. STEP 4 • VLAN: If you choose NEM, specify the VLAN that permits access from and to the private network of the IPsec VPN server. • User Name: Enter the username used by the Teleworker VPN client to establish a VPN connection.

PAGE 372

8 VPN Configuring SSL VPN • If you want to immediately activate the connection after the settings are saved, click the Activate Connection button. When you create multiple Teleworker VPN Client group policies at a time, only one connection can be active after you save your settings. The security appliance will use the group policy that was last created or edited to initiate the VPN connection.

PAGE 373

8 VPN Configuring SSL VPN Figure 9 SSL Remote User Access DNS Server 10.10.10.163 Cisco AnyConnect VPN Client ISA500 Internal network Inside 10.10.10.0 Outside Internet WINS Server 10.10.10.133 Cisco AnyConnect VPN Client 283059 Cisco AnyConnect VPN Client This section describes how to configure the SSL VPN feature.

PAGE 374

8 VPN Configuring SSL VPN SSL VPN group policy can enable the SSL VPN service for a user group. All members of the user group at remote sites can establish the SSL VPN tunnels based on the selected SSL VPN group policy. See Configuring SSL VPN Users, page 376. • SSL VPN Group Policies: Create your SSL VPN group policies. The SSL VPN group policy is used to establish the SSL VPN tunnel to access your network resources. See Configuring SSL VPN Group Policies, page 379.

PAGE 375

8 VPN Configuring SSL VPN Installing Cisco AnyConnect Secure Mobility Client You can set up a PC to run the Cisco AnyConnect Secure Mobility Client software by installing the client software for the appropriate operating system directly on the user’s PC. The user starts the Cisco AnyConnect Secure Mobility Client software and provides the authentication credentials to establish the VPN connection. The security appliance supports the Cisco AnyConnect Secure Mobility Client Release 3.0 (use for SSL only).

PAGE 376

8 VPN Configuring SSL VPN Importing Certificates for User Authentication The SSL VPN gateway holds a CA certificate that is presented to the SSL VPN clients when the SSL VPN clients first connect to the gateway. The purpose of this certificate is to authenticate the server. You can use the default certificate or an imported certificate for authentication. For information on importing the certificates, see Managing Certificates for Authentication, page 418.

PAGE 377

8 VPN Configuring SSL VPN • Gateway Port: Enter the port number used for the SSL VPN gateway. By default, SSL operates on port 443. However, the SSL VPN gateway should be flexible to operate on a user defined port. The firewall should permit the port to ensure delivery of packets destined for the SSL VPN gateway. The SSL VPN clients need to enter the entire address pair “Gateway IP address: Gateway port number” for connecting purposes.

PAGE 378

8 VPN Configuring SSL VPN STEP 4 • Client Domain: Enter the domain name that should be pushed to SSL VPN clients. • Login Banner: After the users logged in, a configurable login banner is displayed. Enter the message text to display along with the banner. In the Optional Gateway area, enter the following information: • Idle Timeout: Enter the timeout value in seconds that the SSL VPN session can remain idle. The default value is 2100 seconds.

PAGE 379

8 VPN Configuring SSL VPN Configuring SSL VPN Group Policies All members of the SSL VPN user group can establish the SSL VPN tunnels based on the specified SSL VPN group policy to access your network resources. NOTE Up to 32 SSL VPN group policies can be configured on the security appliance. STEP 1 Click VPN > SSL Remote User Access > SSL VPN Group Policies. The SSL VPN Group Policies window opens. The default and custom SSL VPN group policies are listed in the table.

PAGE 380

8 VPN Configuring SSL VPN STEP 5 • Address: If you choose Bypass-Local or Auto, enter the IP address or domain name of the MSIE proxy server. • Port: Enter the port number of the MSIE proxy server. • IE Proxy Exception: You can specify the exception hosts for IE proxy settings. This option allows the browser not to send traffic for the given hostname or IP address through the proxy. To add an entry, enter the IP address or domain name of an exception host and click Add.

PAGE 381

8 VPN Configuring SSL VPN - Exclude Local LAN: If you choose Exclude Traffic, check the box to permit remote users to access their local LANs without passing through VPN tunnel, or uncheck the box to deny remote users to access their local LANs without passing through VPN tunnel. NOTE: To exclude local LANs, make sure that the Exclude Local LAN feature is enabled on both the SSL VPN server and the AnyConnect clients.

PAGE 382

8 VPN Configuring SSL VPN Accessing SSL VPN Portal The SSL VPN portal provides a message to remind users to install the Cisco AnyConnect Secure Mobility Client software to connect to the SSL VPN server. You can find the software installers from the CD that is packed with the device or download the software installers from Cisco.com. See Installing Cisco AnyConnect Secure Mobility Client, page 375. You can access the SSL VPN portal via a web browser from the WAN side by using the HTTPS protocol.

PAGE 383

8 VPN Configuring SSL VPN STEP 3 Field Setting Enable On From Any To WAN1 Original Source Address SSLVPN_ADDRESS_POOL Original Destination Address Any Original Services Any Translated Source Address WAN1_IP Translated Destination Address Any Translated Services Any If two WAN interfaces are configured and the WAN redundancy is set as the Load Balancing mode, go to the Firewall > NAT > Advanced NAT page to create two advanced NAT rule as follows.

PAGE 384

8 VPN Configuring SSL VPN Field Setting Translated Source Address WAN1_IP Translated Destination Address Any Translated Services Any Field Setting Name SSLVPN_to_WAN2 Enable On From Any To WAN2 Original Source Address SSLVPN_ADDRESS_POOL Original Destination Address Any Original Services Any Translated Source Address WAN2_IP Translated Destination Address Any Translated Services Any Cisco ISA500 Series Integrated Security Appliances Administration Guide 384

PAGE 385

8 VPN Configuring L2TP Server Configuring L2TP Server Layer 2 Tunneling Protocol (L2TP) is a VPN tunneling protocol that allows remote clients to use the public IP network to securely communicate with private corporate network servers. L2TP uses PPP over UDP (port 1701) to tunnel the data. L2TP protocol is based on the client and server model. The security appliance can terminate the L2TP-over-IPsec connections from incoming Microsoft Windows clients. STEP 1 Click VPN > L2TP Server.

PAGE 386

8 VPN Configuring L2TP Server • IPsec: Click On to enable the data encryption over the IPsec VPN tunnel, or click Off to disable it. • Pre-shared Key: The data encryption over the VPN tunnel uses a pre-shared key for authentication. If you enable IPsec, enter the desired value, which the L2TP client must provide to establish a connection. The pre-shared key must be entered exactly the same here and on the L2TP clients. STEP 4 Click Save to apply your settings.

PAGE 387

8 VPN Configuring VPN Passthrough Configuring VPN Passthrough Use the VPN Passthrough page to configure VPN Passthrough to allow VPN traffic that originates from VPN clients to pass through your security appliance. Use this feature if there are devices behind your security appliance that need the IPSec tunnels to be set up independently, such as connecting to another router on the WAN. STEP 1 Click VPN > VPN Passthrough. The VPN Passthrough window opens.

PAGE 388

9 User Management This chapter describes how to manage users, user groups, and configure user authentication settings. It includes the following sections: • Viewing Active User Sessions, page 388 • Configuring Users and User Groups, page 389 • Configuring User Authentication Settings, page 393 • Configuring RADIUS Servers, page 401 To access the Users pages, click Users in the left hand navigation pane.

PAGE 389

User Management Configuring Users and User Groups 9 Configuring Users and User Groups This section describes how to maintain the users and user groups in local database.

PAGE 390

User Management Configuring Users and User Groups 9 policy to access your network resources. The Cisco AnyConnect Secure Mobility Client software must be installed on user’s PC. • IPsec Remote Access: Allows the members of the user group at remote sites to establish the VPN tunnels to securely access your network resources. • Captive Portal: Allows the wireless users who have authenticated successfully to be directed to a specified web page (portal) before they can access the Internet.

PAGE 391

User Management Configuring Users and User Groups STEP 3 9 Enter the following information: • User: Enter the username for the user. • New Password: Enter the password for the user. Passwords are case sensitive. NOTE: A password requires a minimum of 8 characters, including at least three of these character classes: uppercase letters, lowercase letters, digits, and special characters. Do not repeat any password more than three times in a row. Do not set the password as the username or “cisco.

PAGE 392

9 User Management Configuring Users and User Groups STEP 3 In the Group Settings tab, enter the following information: • Name: Enter the name for the user group. • Services: Specify the service policy for the user group. You can enable multiple services for a user group. - Web Login: Choose one of the following web login policies for the user group. Disable: All members of the user group cannot log into the Configuration Utility through the web browser.

PAGE 393

User Management Configuring User Authentication Settings STEP 5 9 Click OK to save your settings. Configuring User Authentication Settings User authentication is a means of identifying the user and verifying that the user is allowed to access some restricted services. For example, a user can be identified as a SSL VPN user in order to access your network resources over SSL VPN tunnels. The security appliance authenticates all users when they attempt to access your network resources in different zones.

PAGE 394

User Management Configuring User Authentication Settings 9 Using Local Database for User Authentication Use the local database to authenticate users when the number of users accessing the network is less than 100 users. The local database verifies the user’s credentials. Only the valid local users are allowed to access the network. For information on configuring local users in the local database, see Configuring Local Users, page 390. STEP 1 Click Users > User Authentication.

PAGE 395

9 User Management Configuring User Authentication Settings - Retries: Enter the number of times that the security appliance will try to contact the RADIUS server. The range is 0-10 attempts. The default value is 2. The security appliance first sends a request message to the primary RADIUS server. If there is no response from the primary RADIUS server, the security appliance waits the number of seconds that you set in the RADIUS Server Timeout field, and then sends another request message.

PAGE 396

9 User Management Configuring User Authentication Settings User1 in Group1 Group1 Group2 Default Group User1 in Group2 Group1 Group2 Default Group User1 does not exist Group1 Group2 Default Group In the above table, if the User1 in the RADIUS server belongs to the Group1 but the User1 in the local database belongs to the Group2, then the User1 will belong to the Group1 after the user passes the RADIUS authentication.

PAGE 397

User Management Configuring User Authentication Settings • 9 Default User Group to Which All RADIUS Users Belong: Choose a local user group as the default group to which the RADIUS users belong. If the group does not exist in the local database when getting user group information from the RADIUS server, the RADIUS user will be automatically set to the specified local user group.

PAGE 398

User Management Configuring User Authentication Settings 9 Using LDAP for User Authentication The security appliance can use the LDAP directory for user authentication, with support of three schemes including Microsoft Active Directory, RFC2798 InterOrgPerson, and RFC2307 Network Information Service. STEP 1 Click Users > User Authentication. STEP 2 Choose LDAP as the authentication method. STEP 3 Click Configure to configure the LDAP settings.

PAGE 399

User Management Configuring User Authentication Settings STEP 5 • Login Password: If you choose Give Login Name or Location in Tree or Give Bind Distinguished Name as the login method, enter the password of the account that can log into the LDAP server. • Protocol Version: Choose the LDAP version from the drop-down list. The security appliance supports LDAP Version 2 and LDAP Version 3. Most LDAP directories, including Active Directory, use LDAP Version 3.

PAGE 400

User Management Configuring User Authentication Settings 9 • User Tree for Login to Server: If you choose Give Login Name or Location in Tree as the login method in the Settings tab, specify the user tree that is used to log into the LDAP server. • Trees Containing Users: Specify the user trees in the LDAP directory. To add an entry, click Add. To edit an entry, click the Edit (pencil) icon. To delete an entry, click Remove.

PAGE 401

9 User Management Configuring RADIUS Servers STEP 3 Click Configure to configure the LDAP settings for user authentication. For complete details, see Using LDAP for User Authentication, page 398. STEP 4 Click Save to apply your settings. Configuring RADIUS Servers Use the RADIUS Servers page to configure the RADIUS servers that are used to authenticate users who try to access the network resources. A RADIUS group includes a primary RADIUS server and a backup RADIUS server.

PAGE 402

User Management Configuring RADIUS Servers STEP 6 9 Click Save to apply your settings.

PAGE 403

10 Device Management This chapter describes how to maintain the configuration and firmware, reboot or reset the security appliance, manage the security license and digital certificates, and configure other features to help maintain the security appliance.

PAGE 404

10 Device Management Viewing System Status Viewing System Status This section describes how to view information for all running processes and the system’s CPU and memory utilization. Refer to the following topics: • Viewing Process Status, page 404 • Viewing Resource Utilization, page 404 Viewing Process Status Use the Processes page to view information for all running processes. This page is automatically updated every 10 seconds. Click Refresh to manually refresh the data.

PAGE 405

10 Device Management Administration Field Description CPU Usage by Kernel CPU resource currently used by kernel space processes, in percentage. CPU Idle CPU idle resource at current time, in percentage. CPU Waiting for I/O CPU resource currently waiting for I/O, in percentage. Memory Utilization Total Memory Total amount of memory space available on the security appliance. Memory Used Total amount of memory space currently used by the processes.

PAGE 406

10 Device Management Administration Configuring Administrator Settings Use the Administrator Settings page to modify the username and password for the default administrator account and configure the user session settings. The user session settings are applicable for all authentication methods. NOTE At your first login, you must change the default administrator password for security purposes.

PAGE 407

10 Device Management Administration • Web Server SSL Certificate: Choose a certificate to authenticate users who try to access the Configuration Utility through a web browser by using HTTPS. By default, the web authentication server uses the default certificate for authentication. You can choose an imported certificate for authentication. The web authentication server will restart to load the selected certificate. • Management: Check the box to enable access the configuration utility via HTTP or HTTPS.

PAGE 408

10 Device Management Administration • HTTPS Listen Port Number: If you enable remote management by using HTTPS, enter the port number. By default, the listen port number for HTTPS is 8080. • HTTP: Click On to enable remote management by using HTTP, or click Off to disable it. • HTTP Listen Port Number: If you enable remote management by using HTTP, enter the port number. By default, the listen port number for HTTP is 80.

PAGE 409

10 Device Management Administration • DNS resolution of the Security Services application server name fails because the server is offline. STEP 1 Click Device Management > Administration > Email Alert. STEP 2 In the Email Server area, specify the SMTP email server that is used to send the alert emails. STEP 3 • SMTP Server: Enter the IP address or Internet name of the SMTP server. • Port: Enter the port for SMTP communication. The valid range of port numbers is 1~65535.

PAGE 410

10 Device Management Administration STEP 4 In the Event Alerts area, specify the email alert settings for each event. When the relative events are detected, the alert emails are sent to the specified email address. The following table provides information about how to enable the email alert feature for each event.

PAGE 411

10 Device Management Administration Event Description License Expiration Alert Sends an alert email a specified number of days before the security license expires. • days: Enter the number of days before the license expires to send the alert email. The default value is 15 days. • Send to Email Address: Enter the email address to receive the alert emails.

PAGE 412

10 Device Management Administration Event Description Site-to-Site VPN Up/Down Alert Sends an alert email when a VPN tunnel is established, a VPN tunnel is down, or the VPN tunnel negotiation fails. • Send to Email Address: Enter the email address to receive the alert emails.

PAGE 413

10 Device Management Administration Event Description Traffic Meter Alert Sends an alert email when the traffic limit is reached, or before the traffic counter is reset. • Send to Email Address: Enter the email address to receive the alert emails.

PAGE 414

10 Device Management Administration Event Description IPS Alert Sends an alert email every 30 minutes to the specified email address if an attack is detected by the IPS service or if an application is blocked by the Application Control service. • Send to Email Address: Enter the email address to receive the alert emails. To enable the IPS Alert feature, you must complete the following tasks: Web URL Filtering Alert • Enable IPS and configure the IPS settings.

PAGE 415

10 Device Management Administration Configuring SNMP Simple Network Management Protocol (SNMP) is a network protocol used over User Datagram Protocol (UDP) that lets you monitor and manage the security appliance from a SNMP manager. SNMP provides a remote means to monitor and control the network devices, and to manage the configuration, statistics collection, performance, and security. STEP 1 Click Device Management > Administration > SNMP. STEP 2 Click On to enable SNMP, or click Off to disable SNMP.

PAGE 416

Device Management Backing Up and Restoring a Configuration STEP 6 10 • SNMP Read-Write Community: Enter the read-write community used to access the SNMP entity. • Trap Community: Enter the community that the remote trap receiver host receives the traps or notifications sent by the SNMP entity. • SNMP Trusted Host: Enter the IP address or domain name of the host trusted by the SNMP entity. The trusted host can access the SNMP entity. Entering 0.0.0.

PAGE 417

Device Management Backing Up and Restoring a Configuration STEP 3 10 To back up the current settings on a USB device, perform the following steps: a. Insert a USB device into the USB port on the back panel. Make sure that the USB Device Status shows “Device Attached.” Click Refresh to refresh the status immediately. b. In the Configuration Backup area, select the Save Configuration to USB radio button and click Backup. The Encryption window opens. c.

PAGE 418

Device Management Managing Certificates for Authentication 10 d. If the selected configuration file is encrypted, the Encryption window opens. Enter the password in the Key field and click OK. The security appliance reboots with the saved settings of the selected configuration file. Managing Certificates for Authentication Use the Certificate Management page to manage the certificates for authentication. You can perform the following tasks: • View the certificate status and details.

PAGE 419

Device Management Managing Certificates for Authentication 10 Viewing Certificate Status and Details STEP 1 Click Device Management > Certificate Management. The Certificate Management window opens. All existing certificates are listed in the table. The following certificate information is displayed: STEP 2 • Certificate: The name of the certificate. • Type: The type of the certificate.

PAGE 420

10 Device Management Managing Certificates for Authentication Certificate Type Details CA Certificate or Local Certificate • Name: Name used to identify this certificate. • Issuer: Name of the CA that issued the certificate. • Subject: Name which other organizations will see as the holder (owner) of this certificate. • Serial number: Serial number maintained by the CA and used for identification purposes. • Valid from: Date from which the certificate is valid.

PAGE 421

Device Management Managing Certificates for Authentication • 10 If you are downloading a local certificate, the Download Certificate window opens. Enter a password in the Enter Export Password field to protect the certificate file and click Download. The certificate file will be saved in .p12 format. Exporting Certificates to a USB Device To export a local certificate or a CSR to a USB device, you must first insert the USB device into the USB port on the back panel.

PAGE 422

Device Management Managing Certificates for Authentication • 10 Import a CA certificate from a PEM (.pem or .crt) encoded file: If you choose this option, click Browse to locate and select a CA certificate file from your local PC and click Import. Importing Certificates from a USB Device To import local or CA certificates from a USB device, you must first insert the USB device into the USB port on the back panel. STEP 1 Click Device Management > Certificate Management.

PAGE 423

Device Management Managing Certificates for Authentication STEP 4 10 • Common Name: Enter the common name for the certificate. • E-mail Address: Enter your email address. • Subject Distinguished Name: After you enter the above information, the Distinguished Name (DN) is created in this field. • Subject Key Type: Displays the signature algorithm (RSA) used to sign the certificate. RSA is a public key cryptographic algorithm used for encrypting data.

PAGE 424

Device Management Configuring Cisco Services and Support Settings 10 Configuring Cisco Services and Support Settings This section describes how to configure your Cisco.com account on the security appliance, enable or disable Cisco OnPlus, configure the remote support settings, and send the contents for system diagnosis. Refer to the following topics: • Configuring Cisco.

PAGE 425

Device Management Configuring Cisco Services and Support Settings 10 Configuring Cisco OnPlus Use the Cisco OnPlus page to enable or disable Cisco OnPlus Advanced Security Service on the security appliance. Enabling Cisco OnPlus Advanced Security Service allows your security appliance to send security reporting and notification data through the OnPlus Service. If an OnPlus appliance is not present in your network, this setting will have no effect.

PAGE 426

Device Management Configuring Cisco Services and Support Settings 10 Configuring Remote Support Settings Use the Remote Support page to enable the SSHv2 server for debugging purposes. This feature allows the engineers to use a unique console root password to log in to the security appliance for debugging operations. STEP 1 Click Device Management > Cisco Services & Support > Remote Support.

PAGE 427

10 Device Management Configuring System Time STEP 4 • Password Protection: Click On to enable the password protection, or click Off to disable it. • Password: If you enable the password protection, enter the password in this field. In the Email area, specify the email address to receive the compressed file. • You can send the compressed file to the email address specified on the Email Alert page by selecting the first radio button.

PAGE 428

10 Device Management Configuring Device Properties STEP 5 • Custom NTP Servers: Click this option to use a custom NTP server. Enter the IP addresses or domain names of up to two custom NTP servers in the Server 1 Name/IP Address and Server 2 Name/IP Address fields. The server 1 is the primary NTP server and the server 2 is the secondary NTP server. • Current Time: Displays the current date and time synchronized with the configured NTP server. Click Save to apply your settings.

PAGE 429

10 Device Management Diagnostic Utilities NOTE These features require an active WAN connection. Ping Use the Ping page to test the connectivity between the security appliance and a connected device on the network. STEP 1 Click Device Management > Diagnostic Utilities > Ping. The Ping window opens. STEP 2 STEP 3 Enter the following information: • IP Address or URL: Enter the IP address or URL to ping. • Packet Size: Enter the packet size in the range 32 to 65500 bytes to ping.

PAGE 430

10 Device Management Device Discovery Protocols DNS Lookup Use the DNS Lookup page to retrieve the IP address of any server on the Internet. STEP 1 Click Device Management > Diagnostic Utilities > DNS Lookup. STEP 2 Enter the IP address or domain name that you want to look up in the IP Address or Domain Name field. STEP 3 Click Run to query the server on the Internet. If the host or domain name exists, you will see a response with the IP address. STEP 4 Click Clear to clean up the querying results.

PAGE 431

10 Device Management Device Discovery Protocols • LLDP Discovery, page 433 UPnP Discovery UPnP (Universal Plug and Play) allows for automatic discovery of devices that can communicate with your security appliance. The UPnP Portmaps table displays the port mapping entries of the UPnP-enabled devices that accessed your security appliance. STEP 1 Click Device Management > Discovery Protocols > UPnP.

PAGE 432

10 Device Management Device Discovery Protocols Bonjour Discovery Bonjour is a service advertisement and discovery protocol. Bonjour only advertises the default services configured on the security appliance when Bonjour is enabled. STEP 1 Click Device Management > Discovery Protocols > Bonjour. STEP 2 Click On to enable Bonjour, or click Off to disable it. If you enable Bonjour, all default services such as CSCO-SB, HTTP, and HTTPS are enabled. You cannot disable a particular service.

PAGE 433

10 Device Management Device Discovery Protocols - Per Port: Configure CDP on selective ports. CDP per port is recommended. • CDP Timer: Enter the value of the time interval between two successive CDP packets sent by the security appliance. The default value is 60 seconds. • CDP Hold Timer: The hold timer is the amount of time the information sent in the CDP packet should be cached by the security appliance that receives the CDP packet, after which the information is expired.

PAGE 434

10 Device Management Firmware Management STEP 5 Click Save to apply your settings. Firmware Management You can perform the following tasks to maintain the firmware: • View the firmware status. See Viewing Firmware Information, page 435. • Switch to the secondary firmware through the Configuration Utility. See Using the Secondary Firmware, page 435. • Upgrade your firmware to the latest version from Cisco.com. See Upgrading your Firmware from Cisco.com, page 436.

PAGE 435

10 Device Management Firmware Management Viewing Firmware Information STEP 1 Click Device Management > Firmware. The Firmware window opens. STEP 2 In the Firmware Version area, the following firmware information is displayed: • Primary Firmware Version: The version of the primary firmware that you are using. • Secondary Firmware Version: The version of the secondary firmware that you used previously.

PAGE 436

10 Device Management Firmware Management Upgrading your Firmware from Cisco.com The security appliance automatically checks for firmware updates from Cisco.com every 24 hours. You can upgrade your firmware to the latest version if a newer firmware is available on Cisco.com. A valid Cisco.com account is required to download the firmware image from Cisco.com. NOTE This feature requires an active WAN connection. STEP 1 Click Device Management > Firmware. The Firmware window opens.

PAGE 437

10 Device Management Firmware Management Upgrading Firmware from a PC or a USB Device This section describes how to manually upgrade the firmware from a firmware image on your local PC or on a USB device. You must first download the latest firmware image from Cisco.com and save it to your local PC or to a USB device. STEP 1 Click Device Management > Firmware. The Firmware window opens. STEP 2 To manually upgrade the firmware from your local PC, perform the following steps: a.

PAGE 438

10 Device Management Firmware Management Firmware Auto Fall Back Mechanism The security appliance includes two firmware images in the same NAND flash to provide an Auto Fall Back mechanism so that the security appliance can automatically switch to the secondary firmware when the primary firmware experiences a CRC error or cannot boot up successfully for five times. • CRC Error: An error that the firmware cannot pass the CRC (Cyclic Redundancy Check) validation.

PAGE 439

10 Device Management Managing Security License STEP 2 Remove all cables from the WAN and LAN ports. STEP 3 Connect your PC to the LAN port. STEP 4 Configure your PC with a static IP address of 192.168.75.100 and a subnet mask of 255.255.255.0. STEP 5 On your PC, start your TFTP client, such as tftpd32. Specify the host IP address as 192.168.75.1 and transfer the ISA500 firmware file from your PC to the security appliance. The security appliance will upgrade the firmware after you upload the image.

PAGE 440

10 Device Management Managing Security License Checking Security License Status You can view information for the security license, including the expiration date, the device credentials used to renew the license, and the email alert settings for license expiration events. STEP 1 Click Device Management > License Management. The License Management window opens. The following information is displayed. • Feature: The name of the security license.

PAGE 441

10 Device Management Managing Security License and configure the email server settings. See Configuring Email Alert Settings, page 408. Installing or Renewing Security License This section describes how to install the security license or renew the security license before it expires. A valid security license is required to activate security services and to support SSLVPN with mobile devices such as smart phones and tablets. NOTE You can also validate the security license by using the Setup Wizard.

PAGE 442

10 Device Management Log Management STEP 5 Check the box of Click here if you accept with SEULA to accept the SEULA (Software End User License Agreement) requirements. You can click the SEULA link to see the detailed SEULA requirements on Cisco.com. STEP 6 Click Validate License to validate the security license on your security appliance. After the license is installed or renewed, the expiration date of the security license is updated immediately.

PAGE 443

10 Device Management Log Management STEP 3 • Log Facility: Choose the facility to filter the logs. All logs that belong to the selected facility and match the specified severity settings are displayed. • Keyword: Enter the keyword to search the logs. All logs that contain the specified keyword are displayed. • Source IP Address: Enter the source IP address to filter the firewall logs. All firewall logs that match this source IP address are displayed.

PAGE 444

10 Device Management Log Management Configuring Log Settings Use the Log Settings page to enable the Log feature and configure the log settings. You can set the log buffer size, log all unicast traffic or broadcast traffic destined to your device for troubleshooting purposes, specify which syslogs to be mailed to a specified email address on schedule, and set the severity level of the events that are logged. If you have a remote syslog server support, you can save logs to the remote syslog server.

PAGE 445

10 Device Management Log Management • To Email Address: The email address used to receive the logs. • SMTP Server: The IP address or Internet name of the SMTP server. • SMTP Authentication: Shows if the SMTP authentication is enabled or disabled. NOTE: The above email server settings are read only. You must enable the Syslog Email feature and configure the email server settings to send the syslog messages to a specified email address.

PAGE 446

10 Device Management Log Management STEP 6 - Daily: Send the logs at a specific time of every day. If you choose this option, specify the time to send the logs in the Time field. - Weekly: Send the logs on a weekly basis. If you choose this option, specify the day of the week in the Day field and the time in the Time field. • Day: If the logs are sent on a weekly basis, choose the day of the week • Time: Choose the time of day when the logs should be sent.

PAGE 447

10 Device Management Log Management Configuring Log Facilities Use the Log Facilities page to specify which system messages are logged based on the facility and determine where to save the syslogs and whether to send the syslogs to a specified email address on schedule. NOTE Before you configure the log facilities, make sure that you enable the Log feature, set the log buffer size, and specify the Email Alert, Remote Log, and Local Log settings. See Configuring Log Settings, page 444.

PAGE 448

Device Management Rebooting and Resetting the Device 10 Rebooting and Resetting the Device Use the Reboot/Reset page to reboot the security appliance or restore the security appliance to the factory default settings (if necessary) from the Configuration Utility.

PAGE 449

10 Device Management Configuring Schedules Rebooting the Security Appliance To reboot the security appliance, you can press and release the RESET button on the back panel for less than 3 seconds, or perform the Reboot operation from the Configuration Utility. STEP 1 Click Device Management > Reboot/Reset. The Reboot/Reset window opens. STEP 2 In the Reboot Device area, click Reboot. A warning message appears saying “Preparing to reboot.

PAGE 450

10 Device Management Configuring Schedules • • Schedule Days: Schedules the firewall rule or the application control policy on all days or on specific days. - All Days: Choose this option if you want to keep the firewall rule or the application control policy always on. - Specific Days: Choose this option and then check the days that you want to keep the firewall rule or the application control policy active.

PAGE 451

Device Management Configuring Schedules Cisco ISA500 Series Integrated Security Appliances Administration Guide 10 451

PAGE 452

Device Management Configuring Schedules Cisco ISA500 Series Integrated Security Appliances Administration Guide 10 452

PAGE 453

A Troubleshooting This chapter describes how to fix some common issues that you may encounter when using the security appliance. It includes the following sections: • Internet Connection, page 453 • Date and Time, page 456 • Pinging to Test LAN Connectivity, page 457 Internet Connection Symptom: You cannot access the Configuration Utility from a PC on your LAN. Recommended Actions: STEP 1 Check the Ethernet connection between the PC and the security appliance.

PAGE 454

A Troubleshooting Internet Connection If you do not want to reset to factory-default settings and lose your configuration, reboot the security appliance and use a packet sniffer (such as Ethereal™) to capture packets sent during the reboot. Look at the ARP packets to locate the LAN interface address. STEP 5 Launch your web browser and ensure that Java, JavaScript, or ActiveX is enabled. If you are using Internet Explorer, click Refresh to ensure that the Java applet is loaded.

PAGE 455

A Troubleshooting Internet Connection Symptom: The security appliance cannot obtain an IP address from the ISP. Recommended Actions: STEP 1 Turn off power to the cable or DSL modem. STEP 2 Power off the security appliance. STEP 3 Then reapply power to the cable or DSL modem. STEP 4 When the modem lights indicate that it has resynchronized with the ISP, reapply power to the security appliance. If the security appliance still cannot obtain an ISP address, see the next symptom.

PAGE 456

A Troubleshooting Date and Time Symptom: The security appliance can obtain an IP address, but PC is unable to load Internet pages. Recommended Actions: STEP 1 Ask your ISP for the addresses of its designated DNS servers. Configure your PC to recognize those addresses. For details, see your operating system documentation. STEP 2 On your PC, configure the security appliance to be its TCP/IP gateway. Date and Time Symptom: Date shown is January 1, 2000.

PAGE 457

A Troubleshooting Pinging to Test LAN Connectivity Pinging to Test LAN Connectivity The security appliance and most TCP/IP terminal devices contain a ping utility that sends an ICMP echo-request packet to the designated device. The device responds with an echo reply. Troubleshooting a TCP/IP network is made very easy by using the ping utility in your PC or workstation.

PAGE 458

A Troubleshooting Pinging to Test LAN Connectivity - Verify that the IP addresses for the security appliance and PC are correct and on the same subnet. Testing the LAN Path from Your PC to a Remote Device STEP 1 On your PC, click the Windows Start button, and then click Run. STEP 2 Type ping -n 10 where -n 10 specifies a maximum of 10 tries and is the IP address of a remote device such as your ISP’s DNS server. Example: ping -n 10 10.1.1.1.

PAGE 459

B Technical Specifications and Environmental Requirements The following table lists the technical specifications and environmental requirements for the security appliance.

PAGE 460

B Technical Specifications and Environmental Requirements Feature ISA550 ISA550W ISA570 ISA570W Operating Humidity 10 to 90 percent relative humidity, non-condensing 10 to 90 percent relative humidity, non-condensing 10 to 90 percent relative humidity, non-condensing 10 to 90 percent relative humidity, non-condensing Storage Humidity 5 to 95 percent relative humidity, non-condensing 5 to 95 percent relative humidity, non-condensing 5 to 95 percent relative humidity, non-condensing 5 to 95 pe

PAGE 461

C Factory Default Settings This chapter describes the factory default settings for the primary features, and provides the lists of predefined service and address objects.

PAGE 462

C Factory Default Settings Device Management Feature Setting Remote management using HTTP Disable HTTP listen port number 80 Remote SNMP Disable User Session Settings Inactivity timeout 15 minutes (0 to 1000 minutes) Limit login session for web logins Disable Login session limit 10 minutes (0 to 1000 minutes) SNMP Disable SNMP Versions SNMP Version 1 and 2, SNMP Version 3 Maximum number of certificates 128 Remote Support Disable Cisco OnPlus Enable Send Diagnostics Disable Date a

PAGE 463

C Factory Default Settings User Management Feature Setting CPU threshold setting 90% (10% to 100%) New Firmware Alert Disable License Expiration Alert Disable Alert before the license expires 15 days Syslog Email Disable Site-to-Site VPN Up/Down Alert Disable WAN Up/Down Alert Disable WAN Up/Down alert interval 5 minutes (3 to 1440 minutes) Traffic Meter Alert Disable Anti-Virus Alert Disable Anti-Virus alert interval 30 minutes (1 to 1440 minutes) IPS Alert Disable Web URL Filte

PAGE 464

C Factory Default Settings Networking Feature Setting Default administrator password cisco Maximum number of local users 100 User Authentication Methods Local Database (default) RADIUS RADIUS+Local Database LDAP LDAP+Local Database Networking Feature Setting IPv4 or IPv6 Routing IPv4 only WAN Interfaces Maximum number of WAN interfaces 2 WAN1-Physical Port GE1 WAN1-IP Address Assignment DHCP Client WAN1-MTU Auto WAN1-MTU Value 1500 WAN1-DNS Server Source Get Dynamically from ISP W

PAGE 465

C Factory Default Settings Networking Feature Setting Port-based Access Control Disable WAN Redundancy Operation Modes Equal Load Balancing (default) Load Balancing Failover Routing Table VLANs Maximum number of VLANs 16 DEFAULT VLAN VID=1 IP Address=192.168.75.1 Subnet=255.255.255.0 Spanning Tree=Disable DHCP Mode=DHCP Server DHCP Pool=192.168.75.100 to 200 Lease Time=1 day Default Gateway=192.168.75.

PAGE 466

C Factory Default Settings Networking Feature GUEST VLAN Setting VID=2 IP Address=192.168.25.1 Subnet=255.255.255.0 Spanning Tree=Disable DHCP Mode=DHCP Server DHCP Pool=192.168.25.100 to 200 Lease Time=1 day Default Gateway=192.168.25.1 Mapped Zone=GUEST VOICE VLAN VID=100 IP Address=10.1.1.2 Subnet=255.255.255.

PAGE 467

C Factory Default Settings Networking Feature Maximum number of Policy-Based Routing rules WAN QoS Setting 100 Disable Maximum number of traffic selectors 256 Maximum number of WAN QoS policy profiles 32 Maximum number of traffic selectors associated with one WAN QoS policy profile 64 LAN QOS Disable WLAN QoS Disable Service Management Maximum number of service groups 64 Maximum number of services 150 Maximum number of services in one service group 64 Address Management Maximum number of

PAGE 468

C Factory Default Settings Wireless Wireless Feature Setting Wireless Radio Disable Basic Radio Settings Wireless mode 802.

PAGE 469

C Factory Default Settings VPN Feature Setting Wi-Fi Protected Setup (WPS) Disable Rogue AP Detection Disable Captive Portal Disable Session timeout 60 minutes (0 to 480 minutes) Idle timeout 5 minutes (0 to 480 minutes) VPN Feature Setting Site-to-Site VPN Disable Maximum number of Site-to-Site VPN tunnels 100 for ISA570 and ISA570W 50 for ISA550 and ISA550W IKE Policies Maximum number of IKE policies 16 DefaultIke, Hash SHA1 DefaultIke, Authentication Pre-shared Key DefaultIke,

PAGE 470

C Factory Default Settings VPN Feature Setting IPsec Remote Access Disable Maximum number of group policies Teleworker VPN Client 16 Disable Maximum number of group policies 16 Auto initiation retry Disable Retry interval 120 seconds (120 to 1800 seconds) Retry limit 0 (0 to 16) SSL VPN disable Maximum number of group policies 32 Gateway interface WAN1 Gateway port number 443 Certificate file Default Client address pool 192.168.200.0 Client netmask 255.255.255.

PAGE 471

C Factory Default Settings Security Services Feature Setting Rekey method SSL Rekey interval 3600 seconds (0 to 43200 seconds) L2TP Server Disable IPsec Passthrough Enable PPTP Passthrough Enable L2TP Passthrough Enable Security Services Feature Setting Anti-Virus Disable Application Control Disable Spam Filter Disable Intrusion Prevention (IPS) Disable Web Reputation Filtering Disable Web URL Filtering Disable Network Reputation Enable Features Setting Default Firewall Ru

PAGE 472

C Factory Default Settings Firewall Features Setting Maximum number of custom firewall rules 100 Dynamic PAT Enable Maximum number of Static NAT rules 64 Maximum number of Port Forwarding rules 64 Maximum number of Port Triggering rules 15 Maximum number of Advanced NAT rules 32 NAT Content Filtering Disable MAC Address Filtering Disable Maximum number of MAC Address Filtering rules 100 IP - MAC Binding Maximum number of IP - MAC Binding rules 100 Attack Protection Block Ping WAN In

PAGE 473

C Factory Default Settings Reports Features Setting SYN Flood Detect Rate 128 max/sec (0 to 65535) Echo Storm 15 packets/sec (0 to 65535) ICMP Flood 100 packets/sec (0 to 65535) Session Limits Maximum number of connections 60000 (1000 to 60000) TCP timeout 1200 seconds (5 to 3600 seconds) UDP timeout 180 seconds (5 to 3600 seconds) Application Level Gateway (ALG) SIP ALG Enable H.

PAGE 474

C Factory Default Settings Default Service Objects Feature Setting Email Security Report Disable IPS Report Disable Network Reputation Report Enable Web Security Report Disable Default Service Objects The following table displays all predefined service objects on the security appliance.

PAGE 475

C Factory Default Settings Default Service Objects Service Name Protocol Port Start Port End Description FTP-DATA TCP 20 20 File Transfer Protocol, data transfer FTP-CONTROL TCP 21 21 File Transfer Protocol, control command HTTP TCP 80 80 HyperText Transfer Protocol HTTPS TCP 443 443 HTTP over SSL/TLS ICMP Destination Unreachable ICMP 3 0 ICMP Ping Reply ICMP 0 0 ICMP Ping Request ICMP 8 0 ICMP Redirect Message ICMP 5 0 ICMP Router Advertisement ICMP 9 0 ICMP R

PAGE 476

C Factory Default Settings Default Service Objects Service Name Protocol Port Start Port End Description IKE UDP 500 500 IPsec Key Exchange IMAP TCP 143 143 Internet Message Access Protocol IMAP2 TCP 143 143 Internet Message Access Protocol Version 2 IMAP3 TCP 220 220 Internet Message Access Protocol Version 3 IPSEC-UDP-ENCA P UDP 4500 4500 IPsec over UDP IRC TCP 6660 6660 Internet Relay Chat, de facto port: 6660 to 6669 ISAKMP UDP 500 500 L2TP UDP 1701 1701 NEWS

PAGE 477

C Factory Default Settings Default Service Objects Service Name Protocol Port Start Port End Description RTELNET TCP 107 107 Remote TELNET service RTSP TCP/UDP 554 554 Real Time Streaming Protocol SFTP TCP 115 115 Simple File Transfer Protocol SHTTPD TCP 8080 8080 Simple HTTPD SHTTPDS TCP 443 443 Simple HTTPD over SSL SIP TCP/UDP 5060 5060 Session Initiation Protocol SMTP TCP 25 25 Simple Mail Transfer Protocol SNMP TCP/UDP 161 161 Simple Network Management Prot

PAGE 478

C Factory Default Settings Default Address Objects Default Address Objects The following table displays all predefined address objects on the security appliance. The IP address, IP address and netmask, or IP range for these objects will be automatically modified depending on your configuration or network connection. Address Name Type IP, IP/Netmask, or IP Range WAN1_IP Host 0.0.0.0 WAN1_GW Host 0.0.0.0 WAN1_DNS1 Host 0.0.0.0 WAN1_DNS2 Host 0.0.0.0 WAN1_USER_DNS1 Host 0.0.0.

PAGE 479

D Where to Go From Here Cisco provides a wide range of resources to help you and your customers obtain the full benefits of the Cisco ISA500 Series Integrated Security Appliances. Product Resources Support Cisco Small Business Support Community www.cisco.com/go/smallbizsupport Cisco Small Business Support and Resources www.cisco.com/go/smallbizhelp Phone Support Contacts www.cisco.com/go/sbsc Firmware Downloads www.cisco.