ADMINISTRATION GUIDE Cisco Small Business RV180/RV180W Multifunction VPN Firewall
November 2011

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

© 2011 Cisco Systems, Inc. All rights reserved.
DRAFT - CISCO CONFIDENTIAL

Contents

Chapter 1: Introduction
  Product Overview
  LAN Ethernet Interfaces
  Wireless Access Point (Cisco RV180W)
  Firewall and VPN Client Access
  Wireless Distribution System (Cisco RV180W)
  Virtual Networks
  Wireless Security (Cisco RV180W)
  Quality of Service (Cisco RV180W)
  Configuration and Administration
  Getting to Know the Cisco RV180
  Front Panel
  Back Panel
  Getting to Know the Cisco RV180W
  Front Panel
  Back Panel
  Mountin

  Configuring Automatic Configuration (DHCP)
  Configuring Static IP
  Configuring PPPoE
  Configuring PPTP
  Configuring L2TP
  Configuring MTU Settings
  Configuring the MAC Address
  Configuring PPPoE Profiles
  Configuring the LAN (Local Network) Settings
  Configuring IPv4 LAN (Local Network) Settings
  Configuring the Host Name
  Configuring the IP Address
  Configuring DHCP
  Configuring the DNS Proxy
  Configuring Virtual LA

  Configuring IPv6 WAN Settings
  Configuring IPv6 LAN Properties
  Configuring IPv6 Routing
  Configuring Static Routing
  Adding a Static Route
  Configuring Tunneling
  Adding an ISATAP Tunnel
  Configuring Router Advertisement
  Configuring Router Advertisement Prefixes
Chapter 3: Configuring the Wireless Network (Cisco RV180W)
  A Note About Wireless Security
  Wireless Security Tips
  General Network Security Guidelines
  Underst

  Creating an Access Rule
  Configuring Attack Prevention
  Configuring Content Filtering
  Configuring URL Blocking
  Configuring Port Triggering
  Adding a Port Triggering Rule
  Configuring Port Forwarding
  Adding a Port Forwarding Configuration
  Configuring a DMZ Host
  Configuring Advanced Firewall Settings
  Configuring One-to-One Network Address Translation (NAT)
  Adding a One-to-One NAT Rule
  Configuring MAC Address Filtering

  Monitoring VPN Tunnel Status
  Configuring VPN Users
  Configuring VPN Passthrough
  Configuring Security
  Using SSL Certificates for Authentication
  Uploading a Trusted Certificate
  Generating New Certificate Requests
  Viewing a Self Certificate Request
  Exporting a Self Certificate Request
  Uploading a Self Certificate
  Exporting the Router’s Current Certificate
  Using the Cisco RV180/RV180W With a RADIUS Server
  Add

  Configuring Additional SNMP Information
  Configuring the WAN Traffic Meter
  Using Network Diagnostic Tools
  Capturing and Tracing Packets
  Configuring Logging
  Configuring Logging Policies
  Configuring Firewall Logs
  Configuring Remote Logging
  Configuring the Discovery Settings
  Configuring Bonjour
  Configuring UPnP
  Configuring Time Settings
  Backing Up and Restoring the System
  Importing CSV Files

Appendix A: Using Cisco QuickVPN for Windows 7, 2000, XP, or Vista
  Overview
  Before You Begin
  Installing the Cisco QuickVPN Software
  Installing from the CD-ROM
  Downloading and Installing from the Internet
  Using the Cisco QuickVPN Software
Appendix B: Where to Go From Here
Chapter 1: Introduction

This chapter describes the features of the Cisco RV180/RV180W, guides you through the installation process, and gets you started using the Device Manager, a browser-based utility for configuring the Cisco RV180/RV180W.
Product Overview

LAN Ethernet Interfaces
Both the Cisco RV180 and Cisco RV180W models provide four full-duplex 10/100 Ethernet LAN interfaces that can connect up to four devices.

Wireless Access Point (Cisco RV180W)
The Cisco RV180W model provides a wireless access point that supports the 802.11n standard with MIMO technology, which multiplies the effective data rate. This technology provides better throughput and coverage than 802.11g networks.
Wireless Security (Cisco RV180W)
The Cisco RV180W implements WPA2-PSK, WPA2-ENT, and WEP encryption, along with other security features including the disabling of SSID broadcasts, MAC-based filtering, and allowing or denying “time of day” access per SSID.

Quality of Service (Cisco RV180W)
The Cisco RV180W supports Wi-Fi Multimedia (WMM) and Wi-Fi Multimedia Power Save (WMM-PS) for wireless Quality of Service (QoS). It supports 802.
Getting to Know the Cisco RV180

Front Panel
POWER—The Power LED lights up green to indicate the device is powered on. Flashes green when the power is coming on or software is being upgraded.
WAN LED—The WAN (Internet) LED lights up green when the device is connected to your cable or DSL modem. The LED flashes green when the device is sending or receiving data over the WAN port.
Back Panel
RESET Button—The Reset button has two functions:
• If the Cisco RV180 is having problems connecting to the Internet, press the RESET button for less than five seconds with a paper clip or a pencil tip. This is similar to pressing the reset button on your PC to reboot it.
Getting to Know the Cisco RV180W

Front Panel
POWER—The Power LED lights up green to indicate the device is powered on. Flashes green when the power is coming on or software is being upgraded.
WAN LED—The WAN (Internet) LED lights up green when the device is connected to your cable or DSL modem. The LED flashes green when the device is sending or receiving data over the WAN port.
Back Panel
RESET Button—The Reset button has two functions:
• If the Cisco RV180W is having problems connecting to the Internet, press the RESET button for less than five seconds with a paper clip or a pencil tip. This is similar to pressing the reset button on your PC to reboot it.
Power Port—The power port is where you connect the AC power cable.

Mounting the Cisco RV180/RV180W
You can place your Cisco RV180/RV180W on a desktop or mount it on a wall.

Installation Guidelines
• Ambient Temperature—To prevent the device from overheating, do not operate it in an area that exceeds an ambient temperature of 104°F (40°C).
• Air Flow—Be sure that there is adequate air flow around the device.
STEP 3 Place the wall-mount slots over the screws and slide the device down until the screws fit snugly into the wall-mount slots.

Connecting the Equipment
Before you begin the installation, make sure that you have the following equipment and services:

Required
• Functional Internet Connection (Broadband DSL or cable modem).
• Ethernet cable for WAN (Internet) connection.
To connect your firewall to the Internet:
STEP 1 Power off all equipment, including the cable or DSL modem, the PC you will use to connect to the RV180/RV180W, and the RV180/RV180W.
STEP 2 Use an Ethernet cable to connect the WAN port of the Cisco RV180/RV180W to your cable or DSL modem.
STEP 3 Connect one end of a different Ethernet cable to one of the LAN (Ethernet) ports on the back of the RV180/RV180W. (In this example, the LAN 2 port is used.) Connect the other end of the cable to an Ethernet port on the PC.
STEP 4 Power on the cable or DSL modem and wait until the connection is active.
STEP 5 Connect the power adapter to the Cisco RV180/RV180W power port (12VDC).
CAUTION Use only the power adapter that is supplied with the device. Using a different power adapter could damage the device.
STEP 6 Plug the other end of the adapter into an electrical outlet. You may need to use a specific plug (supplied) for your country.
STEP 7 On the Cisco RV180/RV180W, push in the ON/OFF power button. The power light on the front panel is green when the power adapter is connected properly and the unit is turned on.

Setting Up the Cisco RV180/RV180W Using the Setup Wizard
With the RV180/RV180W powered on and connected to a PC, use the Setup Wizard to configure the Cisco RV180/RV180W.
A message appears about the site’s security certificate. The RV110W uses a self-signed security certificate and this message appears because the firewall is not known to your computer.
STEP 3 Click Continue to this website (or the option shown on your particular web browser) to go to the web site. The firewall’s default IP address is 192.168.1.1.
Using the Getting Started Page

Configure WAN (Internet) Settings: Click this link to open the Internet Setup page. See Configuring the IPv4 WAN (Internet), page 25.
Configure LAN (Local Network) Settings: Click this link to open the LAN Configuration page. See Configuring IPv4 LAN (Local Network) Settings, page 32.
Configure Wireless Settings (RV180W only): Click this link to open the Basic Settings page.
Add VPN Clients: See Configuring VPN Users, page 115.
Wireless Status (RV180W only): Click this link to open the Wireless Statistics page. See Viewing the Wireless Statistics (Cisco RV180W), page 154.
VPN Status: Click this link to open the IPsec Connection Status page. See IPsec Connection Status, page 155.

Other Resources
Support: Click this link to open Cisco’s support page.
Forums: Click this link to visit Cisco’s online support forums.
Navigating through the Pages
Click a menu item on the left panel to expand it. Click the menu names displayed underneath to perform an action or view a sub-menu.
Saving Your Changes
When you finish making changes on a configuration page, click Save to save the changes, or click Cancel to undo your changes.
Viewing the Help Files
To view more information about a configuration page, click the Help link near the top right corner of the page.

Connecting Devices to Your Wireless Network
To connect a device such as a PC or printer to your wireless network, you must configure the wireless connection on the device using the security information you configured for the Cisco RV180/RV180W:
• Network name or Service Set Identifier (SSID).
Configuration Next Steps
Although the Setup Wizard automatically configures the RV180/RV180W, we recommend that you change some default settings to provide better security and performance. In addition, you may need to manually configure some settings. A suggested outline of steps follows:
• Change the administrator name and password—See “Configuring User Accounts” on page 131.
Chapter 2: Configuring Networking

The networking page allows you to configure networking settings.
Configuring the WAN (Internet) Settings

Configuring the IPv4 WAN (Internet)
STEP 1 Choose Networking > WAN (Internet) > IPv4 WAN (Internet).
STEP 2 Choose the type of Internet connection you have. The type of connection you have determines the rest of the information you need to enter.
Configuring Static IP
If your ISP assigned you a permanent IP address, perform the following steps to configure your WAN settings:
STEP 1 Choose Networking > WAN (Internet) > IPv4 WAN (Internet).
STEP 2 From the Internet Connection Type drop-down menu, choose Static IP.
STEP 3 Enter this information:
IP Address: Enter the IP address of the WAN port.
Subnet mask: Enter subnet mask of the WAN port.
STEP 4 Enter MTU information. (See Configuring MTU Settings, page 29.)
STEP 5 Enter MAC Address information. (See Configuring the MAC Address, page 29.)
STEP 6 Click Save.

Configuring PPTP
If you have a Point-to-Point Tunneling Protocol (PPTP) connection to the Internet:
STEP 1 Choose Networking > WAN (Internet) > IPv4 WAN (Internet).
STEP 2 From the Internet Connection Type drop-down menu, choose PPTP.
STEP 5 Enter MAC Address information. (See Configuring the MAC Address, page 29.)
STEP 6 Click Save.

Configuring L2TP
If you have a Layer 2 Tunneling Protocol (L2TP) connection to the Internet:
STEP 1 Choose Networking > WAN.
STEP 2 From the Internet Connection Type drop-down menu, choose L2TP.
STEP 3 Enter this information:
User Name: Enter your username assigned to you by the ISP.
STEP 5 Enter MAC Address information. (See Configuring the MAC Address, page 29.)
STEP 6 Click Save.

Configuring MTU Settings
The Maximum Transmission Unit (MTU) is the size of the largest packet that can be sent over the network. The default MTU value for Ethernet networks is usually 1500 bytes and for PPPoE connections, it is 1492 bytes.
To configure the MAC address settings:
STEP 1 Choose Networking > WAN (Internet) > IPv4 WAN (Internet).
STEP 2 From the MAC Address Source drop-down menu, choose one of these options:
• Use Default Address—(Recommended) choose this option to use the default MAC address.
• Use This Computer's Address—Choose this option to assign the MAC address of your computer.
Authentication Type: Choose the authentication type from the drop-down menu:
• Auto-negotiate—The server sends a configuration request specifying the security algorithm set on it. Then, the Cisco RV180/RV180W sends back authentication credentials with the security type sent earlier by the server.
Connection Type
Idle Time
Configuring the LAN (Local Network) Settings
If you have an IPv4 network, use these sections to configure your LAN settings. If you have an IPv6 network, see Configuring IPv6 LAN Properties, page 50.
To configure the IP address of the Cisco RV180/RV180W:
STEP 1 Choose Networking > LAN (Local Network) > IPv4 LAN (Local Network).
STEP 2 Enter this information:
IP Address: Enter the LAN IP address of the RV180/RV180W. Make sure the address is not in use by another device on the same network. The default IP address is 192.168.1.1.
With DHCP enabled, the firewall's IP address serves as the gateway address to your LAN. The PCs in the LAN are assigned IP addresses from a pool of addresses. Each address is tested before it is assigned to avoid duplicate addresses on the LAN. For most applications, the default DHCP settings are satisfactory.
Configuring the DNS Proxy
You can also enable a DNS proxy. When enabled, the firewall then acts as a proxy for all DNS requests and communicates with the ISP's DNS servers. When disabled, all DHCP clients receive the DNS IP addresses of the ISP.

To configure the DNS proxy server for the Cisco RV180/RV180W:
STEP 1 Choose Networking > LAN (Local Network) > IPv4 LAN (Local Network).
STEP 3 Enter a numerical VLAN ID that will be assigned to endpoints in the VLAN membership. The VLAN ID can range from 2 to 4093. VLAN ID 1 is reserved for the default VLAN, which is used for untagged frames received on the interface, and VLAN ID 4092 is reserved and cannot be used.
STEP 4 Enter a description for the VLAN.
address on the PC connected to the LAN port, or manually assign an IP address to your PC that is in the same subnet as the VLAN. Open a new browser window and re-connect to the Cisco RV180/RV180W.
STEP 1 Choose Networking > LAN (Local Network) > Static DHCP.
STEP 2 Click Add.
STEP 3 Enter the IP address of the device.
STEP 4 Enter the MAC address of the device. The format for the MAC Address is XX:XX:XX:XX:XX:XX where X is a number from 0 to 9 (inclusive) or an alphabetical letter between A and F (inclusive).
NOTE: The IP Address assigned should be outside the pool of the DHCP addresses configured.
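The two rules in this procedure, the MAC address format and the requirement that a reserved IP address sit outside the DHCP pool, can be checked before the entries are typed into the Static DHCP page. The Python below is an added example, not part of the Cisco guide; the subnet, pool range and sample entries are constructed assumptions (only the default LAN address 192.168.1.1 comes from the guide).

```python
import ipaddress
import re

# MAC format from the guide: XX:XX:XX:XX:XX:XX, X in 0-9 or A-F.
MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")

# Assumed LAN parameters for the sample run (constructed, not from the guide,
# except the router's default LAN address).
ASSUMED_LAN = "192.168.1.0/24"
ASSUMED_POOL = ("192.168.1.100", "192.168.1.149")
ROUTER_IP = "192.168.1.1"

# Constructed sample reservations: (IP address, MAC address).
SAMPLE_ENTRIES = [
    ("192.168.1.10", "00:1A:2B:3C:4D:5E"),   # valid
    ("192.168.1.120", "00:1A:2B:3C:4D:5F"),  # inside the DHCP pool
    ("192.168.1.11", "00-1A-2B-3C-4D-60"),   # wrong separator
    ("192.168.1.1", "00:1A:2B:3C:4D:61"),    # router's own address
    ("192.168.1.10", "00:1a:2b:3c:4d:5e"),   # duplicate of entry 0
    ("10.0.0.5", "01:00:5E:00:00:01"),       # multicast MAC, wrong subnet
]


def audit_static_dhcp(entries, lan_cidr, pool_start, pool_end, router_ip):
    """Return a list of (index, problem) for static DHCP reservations."""
    lan = ipaddress.ip_network(lan_cidr)
    lo = ipaddress.ip_address(pool_start)
    hi = ipaddress.ip_address(pool_end)
    router = ipaddress.ip_address(router_ip)
    problems = []
    seen_ips, seen_macs = {}, {}

    for i, (ip_s, mac_s) in enumerate(entries):
        mac = mac_s.strip().upper()
        if not MAC_RE.match(mac):
            problems.append((i, "MAC not in XX:XX:XX:XX:XX:XX hex format"))
        elif int(mac[:2], 16) & 1:
            # Group bit set: multicast/broadcast, never a single client.
            problems.append((i, "MAC is a multicast/broadcast address"))
        elif mac in seen_macs:
            problems.append((i, f"MAC duplicates entry {seen_macs[mac]}"))
        else:
            seen_macs[mac] = i

        try:
            ip = ipaddress.ip_address(ip_s.strip())
        except ValueError:
            problems.append((i, "IP address is not valid"))
            continue
        if ip not in lan:
            problems.append((i, "IP is outside the LAN subnet"))
        elif ip in (lan.network_address, lan.broadcast_address):
            problems.append((i, "IP is the network or broadcast address"))
        elif ip == router:
            problems.append((i, "IP collides with the router's LAN address"))
        elif lo <= ip <= hi:
            problems.append((i, "IP is inside the DHCP pool"))
        elif ip in seen_ips:
            problems.append((i, f"IP duplicates entry {seen_ips[ip]}"))
        else:
            seen_ips[ip] = i
    return problems


def run_sample():
    """Audit the constructed sample entries against the assumed LAN."""
    return audit_static_dhcp(SAMPLE_ENTRIES, ASSUMED_LAN,
                             ASSUMED_POOL[0], ASSUMED_POOL[1], ROUTER_IP)


if __name__ == "__main__":
    for index, problem in run_sample():
        print(f"entry {index}: {problem}")
```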
Adding a DHCP Client to Configuration File Map
This table displays the list of currently configured DHCP Client MAC address to configuration filename mappings. It has the following fields:
• MAC Address
• Configuration Filename
Click Add to add a new DHCP Client MAC address to configuration filename mapping. Click Edit to edit the MAC address or boot filename for a particular entry.
Bridge Priority: Enter a bridge priority from 0 to 61440 in increments of 4096. Valid values are 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 40960, 45056, 49152, 53248, 57344, and 61440. The lower the system priority, the more likely the Cisco RV180W is to become the root in the Spanning Tree. The default is 327688.
Hello Time: Enter a number from 1 to 10. The default is 2.
STEP 1 Choose Networking > LAN > Jumbo Frames.
STEP 2 Check the Enable box.
STEP 3 Click Save.

Configuring Routing

Choosing the Routing Mode
The Cisco RV180/RV180W provides two different routing modes. Network Address Translation (NAT), or gateway routing, is a technique that allows several endpoints on a LAN to share an Internet connection.
Viewing Routing Information
To view routing information for your network:
STEP 1 Choose Networking > Routing > Routing Table.
STEP 2 Next to the type of network you have, click Display.

Information about your network routing is displayed, including the following:

IPv4 Routing Table
• Destination—Destination host/network IP address for which this route is added.
• Gateway—The gateway used for this route.
IPv6 Routing Table
• Destination—Destination host/network IP address for which this route is added.
• Next Hop—IP address of an adjacent or intermediate host or router through which traffic must flow before reaching its ultimate destination.
• Flags—For debugging purpose only; possible flags include:
  - UP—Route is up.
  - Host—Target is a host.
  - Gateway—Use gateway.
  - R—Reinstate route for dynamic routing.
Adding a Static Route
To create a static route:
STEP 1 Select Networking > Routing > Static Routes.
STEP 2 In the Static Route Table, click Add.
STEP 3 In the Route Name field, enter the name of the route.
STEP 4 If a route is to be immediately active, check the Active check box. When a route is added in an inactive state, it will be listed in the routing table, but will not be used by the firewall. The route can be enabled later.
Configuring Dynamic Routing
RIP (Routing Information Protocol, RFC 2453) is an Interior Gateway Protocol (IGP) that is commonly used in internal networks. It allows the Cisco RV180/RV180W to exchange its routing information automatically with other routers, and allows it to dynamically adjust its routing tables and adapt to changes in the network.
NOTE RIP is disabled by default on the Cisco RV180/RV180W.
2M, check the Enable box. (You must also choose the direction as explained in Step 2.)
STEP 5 If you enabled RIP v2 authentication, enter the following first and second key parameters:
• MD5 Key ID—Input the unique MD5 key ID used to create the Authentication Data for this RIP v2 message.
• MD5 Auth Key—Input the auth key for this MD5 key, the auth key that is encrypted and sent along with the RIP-V2 message.
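How the MD5 Key ID and MD5 Auth Key are used in a RIP v2 message can be seen by building and checking one by hand. The Python below is an added example, not from the Cisco guide or the router's firmware; it follows the keyed-MD5 layout of RFC 2082, and the key, key ID, sequence numbers and route are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

AUTH_FAMILY = 0xFFFF   # address-family value that marks an authentication entry
AUTH_TYPE_MD5 = 3      # keyed message digest (RFC 2082)
TRAILER_TYPE = 1       # marks the trailer that carries the digest
DIGEST_LEN = 16        # MD5 output size, also the padded key size

# Constructed sample values (assumptions for illustration only).
SAMPLE_KEY_ID = 1
SAMPLE_KEY = b"constructed-key"
SAMPLE_ROUTES = [(
    ipaddress.ip_address("10.1.0.0").packed,       # destination
    ipaddress.ip_address("255.255.0.0").packed,    # subnet mask
    ipaddress.ip_address("0.0.0.0").packed,        # next hop
    1,                                             # metric
)]


def _pad_key(key):
    """Zero-pad the shared auth key to 16 bytes."""
    if not 0 < len(key) <= DIGEST_LEN:
        raise ValueError("auth key must be 1 to 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def build_rip_md5(routes, key_id, key, seq):
    """Build a RIP v2 response with an RFC 2082 keyed-MD5 trailer."""
    entries = b"".join(
        struct.pack("!HH4s4s4sI", 2, 0, ip, mask, nh, metric)
        for ip, mask, nh, metric in routes
    )
    pkt_len = 4 + 20 + len(entries)        # header + auth entry + routes
    header = struct.pack("!BBH", 2, 2, 0)  # command=response, version=2
    auth = struct.pack("!HHHBBI8x", AUTH_FAMILY, AUTH_TYPE_MD5,
                       pkt_len, key_id, DIGEST_LEN, seq)
    body = header + auth + entries + struct.pack("!HH", AUTH_FAMILY, TRAILER_TYPE)
    # The key is hashed together with the packet; only the digest is appended,
    # so the key itself never appears in the message.
    return body + hashlib.md5(body + _pad_key(key)).digest()


def verify_rip_md5(packet, keys, last_seq=None):
    """Return (ok, reason). keys maps key ID -> shared auth key."""
    if len(packet) < 4 + 20 + 4 + DIGEST_LEN:
        return False, "too short"
    fam, atype, pkt_len, key_id, dlen, seq = struct.unpack("!HHHBBI", packet[4:16])
    if fam != AUTH_FAMILY or atype != AUTH_TYPE_MD5:
        return False, "no MD5 authentication entry"
    if dlen != DIGEST_LEN or pkt_len + 4 + DIGEST_LEN != len(packet):
        return False, "bad length fields"
    if packet[pkt_len:pkt_len + 4] != struct.pack("!HH", AUTH_FAMILY, TRAILER_TYPE):
        return False, "missing trailer"
    if key_id not in keys:
        return False, "unknown key ID"
    if last_seq is not None and seq < last_seq:
        return False, "sequence number went backwards (replay)"
    expected = hashlib.md5(packet[:pkt_len + 4] + _pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, packet[pkt_len + 4:]):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    pkt = build_rip_md5(SAMPLE_ROUTES, SAMPLE_KEY_ID, SAMPLE_KEY, seq=100)
    print(len(pkt), verify_rip_md5(pkt, {SAMPLE_KEY_ID: SAMPLE_KEY}))
```

Both routers must hold the same key under the same key ID; a receiver that tracks the last accepted sequence number per neighbor also rejects replayed updates.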
STEP 6 (Optional) Select one of the following port speeds: 10 Mbps, 100 Mbps, or 1000 Mbps. The default setting is 100 Mbps for all ports. This setting is available only when the Auto Negotiation check box is unchecked. You can change the port speed if a network is designed to run at a particular speed, such as 10 Mbps mode. In this case, the endpoint also uses 10 Mbps mode either by autonegotiation or manual setting.
STEP 4 If you selected TZO.com:
a. Specify the complete Host Name and Domain Name for the DDNS service.
b. Enter the user e-mail address for the TZO account.
c. Enter the user key for the TZO account.
d. In the Update Period field, enter the number of hours before the Cisco RV180/RV180W updates the host information on TZO.com.
STEP 5 Click Save.

Configuring IPv6
If you have an IPv6 network, see the following sections.
Configuring DHCPv6
When the ISP allows you to obtain the WAN IP settings via DHCP, you need to provide details for the DHCPv6 client configuration.
STEP 1 Choose IPv6 > IPv6 WAN (Internet).
STEP 2 In the WAN (Internet) Address (IPv6) field, choose DHCPv6.
STEP 3 Choose if the DHCPv6 client on the gateway is stateless or stateful. If a stateful client is selected, the gateway connects to the ISP's DHCPv6 server for a leased address.
Configuring IPv6 LAN Properties
In IPv6 mode, the LAN DHCP server is enabled by default (similar to IPv4 mode). The DHCPv6 server assigns IPv6 addresses from configured address pools with the IPv6 Prefix Length assigned to the LAN.

To configure IPv6 LAN properties:
STEP 1 Choose Networking > IPv6 > IPv6 LAN (Local Area Network).
STEP 2 Under LAN TCP/IP Setup, in the IPv6 Address field, enter the IP address of the Cisco RV180/RV180W.
• Use DNS Proxy—Check this box to enable DNS proxy on this LAN, or uncheck this box to disable this proxy. When this feature is enabled, the firewall acts as a proxy for all DNS requests and communicates with the ISP’s DNS servers (as configured in the WAN settings page).
• Use DNS from ISP—This option allows the ISP to define the DNS servers (primary/secondary) for the LAN DHCP client.
STEP 9
resources to exchange routing information with a peer router. You can also use static routes to reach peer routers that do not support dynamic routing protocols. Static routes can be used together with dynamic routes. Be careful not to introduce routing loops in your network.

Adding a Static Route
To create a static route:
STEP 1 Select Networking > IPv6 > Routing.
STEP 2 In the list of static routes, click Add.
Configuring Tunneling
The Cisco RV180/RV180W provides several IPv6 tunneling methods. 6to4 tunneling allows IPv6 packets to be transmitted over an IPv4 network. 6to4 tunneling is typically used when a site or end user wants to connect to the IPv6 Internet using the existing IPv4 network.
NOTE You must use static routes when tunneling. See Configuring Static Routing, page 51.
STEP 1 Choose Networking > IPv6 > Tunneling.
STEP 2 In the ISATAP Tunnel Table, click Add.
STEP 3 Enter the tunnel name.
STEP 4 Choose the local endpoint address, or the endpoint address for the tunnel that starts with the Cisco RV180/RV180W. The endpoint can be the LAN interface (if the LAN is configured as an IPv4 network), or another LAN IPv4 address.
STEP 5 If you chose Other IP in Step 4, enter the IPv4 address of the endpoint.
To configure the RADVD:
STEP 1 Choose Networking > IPv6 > Router Advertisement.
STEP 2 Under Router Advertisement Status, choose Enable.
STEP 3 Under Advertise Mode, choose one of the following:
• Unsolicited Multicast—Select this option to send router advertisements (RAs) to all interfaces belonging to the multicast group.
STEP 1 Choose Networking > IPv6 > Advertisement Prefixes.
STEP 2 Click Add.
STEP 3 Choose the IPv6 Prefix Type:
• 6to4—6to4 is a system that allows IPv6 packets to be transmitted over an IPv4 network. It is used when an end user wants to connect to the IPv6 Internet using their existing IPv4 connection.
• Global/Local/ISATAP—By using ISATAP, you can integrate IPv6 traffic into an IPv4 network environment.
Chapter 3: Configuring the Wireless Network (Cisco RV180W)

This chapter describes how to configure your wireless network and includes the following sections:
• A Note About Wireless Security, page 58
• Understanding the Cisco RV180W’s Wireless Networks, page 61
• Configuring Basic Wireless Settings, page 61
• Configuring Advanced Wireless Settings, page 68
• Configuring Wi-Fi Protected Setup, page 70
• Configuring a Wireless Distribution System (WDS), page 71
NOTE This chapte
Wireless Security Tips
Since you cannot physically prevent someone from connecting to your wireless network, you need to take some additional steps to keep your network secure:
• Change the default wireless network name or SSID
  Wireless devices have a default wireless network name or Service Set Identifier (SSID) set by the factory.
• Enable encryption
  Encryption protects data transmitted over a wireless network. Wi-Fi Protected Access (WPA/WPA2) and Wired Equivalency Privacy (WEP) offer different levels of security for wireless communication. Currently, devices that are Wi-Fi certified are required to support WPA2, but are not required to support WEP.
Understanding the Cisco RV180W’s Wireless Networks
The Cisco Small Business RV 120W Wireless-N VPN Firewall provides four separate virtual wireless networks. These networks can be configured and enabled with individual settings.
STEP 5 The Control Side Band field defines the sideband which is used for the secondary or extension channel when the AP is operating in 40 MHz channel width. Choose lower or upper. This field is only available when channel spacing is set to auto.
to this network are assigned addresses on this VLAN. The default VLAN is 1 and if all the devices are on the same network, this can be left unchanged.
d. (Optional) Check the Wireless Isolation within SSID box to separate this network from the other three networks on the Cisco RV180/RV180W.
• Wi-Fi Protected Access (WPA) Personal—WPA is part of the wireless security standard (802.11i) standardized by the Wi-Fi Alliance and was intended as an intermediate measure to take the place of WEP while the 802.11i standard was being prepared. It supports TKIP/AES encryption.
d. Select one of the four keys to use as the shared key that devices must have in order to use the wireless network. If you did not generate a key in Step 7c, enter a key directly into the WEP Key field. The length of the key should be 5 ASCII characters (or 10 hexadecimal characters) for 64-bit WEP and 13 ASCII characters (or 26 hexadecimal characters) for 128-bit WEP.
STEP 4 Choose Enable.
STEP 5 Under Connection Control, choose one of the following:
• Block following MAC addresses from connecting to wireless network—Blocks MAC addresses specified below from connecting to the wireless network.
• Allow only following MAC addresses to connect to wireless network—Allows only the MAC addresses specified below to connect to the wireless network.
STEP 6 In the DSCP to Queue table, for each ingress DSCP, you can choose the output queue for the traffic. The Differentiated Services Code Point (DSCP) field identifies the data packet and the output queue identifies the output queue in which the packet is transmitted:
• Voice (4) or Video (3)—High priority queue, minimum delay.
Configuring Advanced Wireless Settings
To configure advanced wireless settings on the Cisco RV180/RV180W:
STEP 1 Choose Wireless > Advanced Settings.
STEP 2 In the Beacon Interval field, enter the time in milliseconds between beacon transmissions. The default interval is 100 milliseconds.
environment. This function boosts the Cisco RV180W’s ability to catch all wireless transmissions but severely decreases performance.
STEP 8 The Short Retry Limit and Long Retry Limit fields determine the number of times the Cisco RV180/RV180W will reattempt a frame transmission that fails. The limit applies to both long and short frames of a size less than or equal to the RTS threshold.
To change the interval at which APs are displayed in the table, enter the seconds in the Poll Interval field. You can click Start or Stop to start or stop the collection of data that will be displayed in the table.

Adding and Editing Authorized APs

To add or edit authorized APs:
STEP 1 Choose Wireless > Rogue AP > Authorized APs.
STEP 2 Click Add or check the box of an authorized AP and click Edit.
NOTE: You can enable WPS on only one of the four networks, or virtual access points.
STEP 3 Under WPS Status, choose Enable to allow WPS configuration. By default, WPS is disabled.
STEP 4 Click Save.

To set up a WPS-enabled device in the network:
STEP 1 Choose Wireless > WPS.
STEP 1 Choose Wireless > WDS.
STEP 2 Check the Enable box to enable WDS in the Cisco RV180W.
STEP 3 Enter a WPA Key (password) for authentication.
STEP 4 Click Save.

You can manually add WDS peers that can connect to the Cisco RV180W:
STEP 1 In the WDS Peer Table, click Add.
STEP 2 Enter the MAC (hardware) address of the WDS peer and click Save.
Chapter 4: Configuring the Firewall

This chapter contains information about configuring the firewall properties of the Cisco RV180/RV180W and includes the following sections:
• Cisco RV180/RV180W Firewall Features
• Configuring Access Rules
• Configuring Attack Prevention
• Configuring Content Filtering
• Configuring URL Blocking
• Configuring Port Triggering
• Configuring Port Forwarding
• Configuring a DMZ Ho
• Schedules as to when the router should apply rules.
• Keywords (in a domain name or on a URL of a web page) that the router should allow or block.
• MAC addresses of devices whose inbound access to your network the router should block.
• Port triggers that signal the router to allow or block access to specified services as defined by port number.
Configuring Access Rules

Configure access rules to control traffic to and from your network. To configure access rules, choose Firewall > Access Rules. All configured firewall rules on the Cisco RV180/RV180W are displayed in the Access Rule Table.

Configuring the Default Outbound Policy

You can configure the default outbound policy for the traffic that is directed from your secure network (LAN) to the Internet.
Creating an Access Rule

Access rules specify the type of traffic that is allowed into and out of your network. To create access rules:
STEP 1 Choose Firewall > Access Rules.
STEP 2 Click Add Rule.
• HTTPS (Secure Hypertext Transfer Protocol)
• ICMP (Internet Control Message Protocol) type 3 through 11 or 13
• ICQ (chat)
• IMAP (Internet Message Access Protocol) 2 or 3
• IRC (Internet Relay Chat)
• NEWS
• NFS (Network File System)
• NNTP (Network News Transfer Protocol)
• PING
• POP3 (Post Office Protocol)
• PPTP (Point-to-Point Tunneling Protocol)
• RCMD (command)
• REAL-AUDIO
• REXEC (Remote exe
• RIP (Routing Information Protocol)
• IKE
• SHTTPD (Simple HTTPD web server)
• IPSEC-UDP-ENCAP (UDP Encapsulation of IPsec packets)
• IDENT protocol
• VDOLIVE (live web video delivery)
• SSH (secure shell)
• SIP-TCP or SIP-UDP
STEP 6 In the Source IP field, configure the IP address to which the firewall rule applies:
• Any—The rule applies to traffic originating from any IP address in the local network.
STEP 8 If you are configuring an outbound firewall access rule:
a. In the Destination IP field, configure the IP address to which the firewall rule applies:
• Any—The rule applies to traffic going to any IP address.
• Single Address—The rule applies to traffic going to a single IP address. Enter the address in the Start field.
- Respond to Ping on WAN (Internet)—To configure the Cisco RV180/RV180W to allow a response to an Internet Control Message Protocol (ICMP) Echo (ping) request on the WAN interface, check this box. This setting is used as a diagnostic tool for connectivity problems. Not enabled by default.
- Stealth Mode—If Stealth Mode is enabled, the router will not respond to port scans from the WAN.
You also need to turn on content filtering to set up trusted domains.

Enabling Content Filtering

To enable content filtering:
STEP 1 Choose Firewall > Content Filtering.
STEP 2 Check the Enable box.
STEP 3 Click Save.

Blocking Web Components

Certain commonly-used web components can be blocked for increased security. Some of these components can be used by malicious websites to infect computers that access them.
NOTE: Many websites require that cookies be accepted in order for the site to be accessed properly. Blocking cookies can cause many websites to not function properly.
STEP 3 Click Save.

Adding Trusted Domains

You can add a list of trusted domains. These domains are bypassed during keyword filtering. For example, if “yahoo” is added to the blocked keywords list and www.yahoo.com is added to the trusted domain list, then www.
STEP 4 Select the group to which to apply the keyword blocking. If you need to configure a new group, click Configure LAN Groups. (See Configuring LAN (Local Network) Groups, page 96.)
STEP 5 Enter the keyword to block.
STEP 6 Click Save.

Configuring Port Triggering

Port triggering allows devices on the LAN to request one or more ports to be forwarded to them.
STEP 1 Choose Firewall > Port Triggering.
STEP 2 Click Add.
STEP 3 Specify an easily-identifiable name for this rule.
STEP 4 Check the Enable box to enable the rule.
STEP 5 Select whether the port uses TCP, UDP, or both protocols.
STEP 6 In the Outgoing (Trigger) Port Range section, specify the port number or range of port numbers that will trigger this rule when a connection request from outgoing traffic is made.
• Source IP—The source IP address for traffic from which traffic is forwarded (Any, Single Address or Address Range).
• Destination IP—The IP address of the server to which traffic is forwarded.
• Forward From Port—From which port traffic will be forwarded.
• Forward To Port—To which port traffic will be forwarded.
• HTTP (Hypertext Transfer Protocol)
• HTTPS (Secure Hypertext Transfer Protocol)
• ICMP (Internet Control Message Protocol) type 3 through 11 or 13
• ICQ (chat)
• IMAP (Internet Message Access Protocol) 2 or 3
• IRC (Internet Relay Chat)
• NEWS
• NFS (Network File System)
• NNTP (Network News Transfer Protocol)
• PING
• POP3 (Post Office Protocol)
• PPTP (Point-to-Point Tunneling Protocol)
• RCMD (co
• TFTP (Trivial File Transfer Protocol)
• RIP (Routing Information Protocol)
• IKE
• SHTTPD (Simple HTTPD web server)
• IPSEC-UDP-ENCAP (UDP Encapsulation of IPsec packets)
• IDENT protocol
• VDOLIVE (live web video delivery)
• SSH (secure shell)
• SIP-TCP or SIP-UDP
STEP 5 Select the Source IP:
• Any—Specifies that the rule being created is for traffic from the given endpoint.
STEP 9 Click Save.

Configuring a DMZ Host

The Cisco RV180/RV180W supports DMZ options. A DMZ is a sub-network that is open to the public but behind the firewall. DMZ allows you to redirect packets going to your WAN port IP address to a particular IP address in your LAN. It is recommended that hosts that must be exposed to the WAN (such as web or e-mail servers) be placed in the DMZ network.
Configuring One-to-One Network Address Translation (NAT)

One-to-one NAT is a way to make systems behind a firewall that are configured with private IP addresses appear to have public IP addresses. To configure one-to-one NAT, choose Firewall > Advanced Settings > One-to-One NAT. The One-to-One-NAT Rules Table lists the available One-To-One NAT rules that have been configured.
Configuring MAC Address Filtering

MAC address filtering allows you to block traffic coming from certain known machines or devices. The router uses the MAC address of a computer or device on the network to identify it and block or permit the access. Traffic coming in from a specified MAC address will be filtered depending upon the policy.
Configuring IP/MAC Address Binding

IP/MAC Binding allows you to bind IP addresses to MAC addresses. Some machines are configured with static addresses. To prevent users from changing static IP addresses, IP/MAC Binding should be enabled. If the Cisco RV180/RV180W sees packets with a matching IP address but an inconsistent MAC address, it drops those packets.
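The binding check described above can be modeled offline to see which frames it catches and which it does not. The following Python sketch is an added example, not Cisco code; the addresses are constructed, and the "review" and "unbound" verdicts are assumptions of the example, because the guide only states the drop case.

```python
# Added illustration (not Cisco firmware code): a model of the IP/MAC binding
# check as the guide states it, run over constructed frames.
import ipaddress


def normalize_mac(mac):
    """Return a MAC as twelve lowercase hex digits, whatever separator was used."""
    digits = "".join(c for c in mac.lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class BindingTable:
    """Static IP-to-MAC bindings, as an administrator would enter them."""

    def __init__(self, bindings):
        self.mac_for_ip = {}
        self.ip_for_mac = {}
        for ip, mac in bindings:
            ip = ipaddress.ip_address(ip)
            mac = normalize_mac(mac)
            if ip in self.mac_for_ip or mac in self.ip_for_mac:
                raise ValueError(f"duplicate binding for {ip} / {mac}")
            self.mac_for_ip[ip] = mac
            self.ip_for_mac[mac] = ip

    def verdict(self, src_ip, src_mac):
        """Classify one frame by its source IP and source MAC."""
        ip = ipaddress.ip_address(src_ip)
        mac = normalize_mac(src_mac)
        bound_mac = self.mac_for_ip.get(ip)
        if bound_mac is None:
            # The guide does not say what happens to an IP with no binding.
            # Assumption of this example: it is not dropped, but a bound MAC
            # showing up on some other address is worth a look.
            return "review" if mac in self.ip_for_mac else "unbound"
        # The stated rule: matching IP, inconsistent MAC -> drop.
        return "pass" if bound_mac == mac else "drop"


def classify(table, frames):
    """Return (ip, mac, verdict) for every frame, in order."""
    return [(ip, mac, table.verdict(ip, mac)) for ip, mac in frames]


# Constructed sample data (locally administered MACs, private addresses).
BINDINGS = [
    ("192.168.1.20", "02:00:00:00:00:20"),
    ("192.168.1.21", "02:00:00:00:00:21"),
]
FRAMES = [
    ("192.168.1.20", "02:00:00:00:00:20"),  # bound pair
    ("192.168.1.20", "02-00-00-00-00-99"),  # bound IP claimed by another MAC
    ("192.168.1.21", "0200.0000.0021"),     # bound pair, dotted notation
    ("192.168.1.50", "02:00:00:00:00:21"),  # bound MAC on an unbound IP
    ("192.168.1.77", "02:00:00:00:00:77"),  # neither IP nor MAC is bound
]

if __name__ == "__main__":
    for ip, mac, verdict in classify(BindingTable(BINDINGS), FRAMES):
        print(f"{ip:15} {mac:18} {verdict}")
```

The fourth frame shows the limit of a check keyed on the IP address: a bound host that moves to an address with no binding is not a "matching IP, inconsistent MAC" case.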
STEP 4 Enter the service type, or layer 4 protocol that the service uses (TCP, UDP, ICMP, ICMPv6, or other). If you chose ICMP or ICMPv6 as the service type, enter the ICMP type. This is a numeric value from 0 through 40 for ICMP and from 0 through 255 for ICMPv6.
STEP 5 If you chose TCP or UDP, in the Start Port field, enter the first TCP or UDP port of the range that the service uses.
Configuring Sessions

You can limit the maximum number of unidentified sessions and half-open sessions on the Cisco RV180/RV180W. You can also introduce timeouts for TCP and UDP sessions to ensure Internet traffic is not deviating from expectations in your private network. To configure session settings:
STEP 1 Choose Firewall > Advanced Settings > Session Settings.
Configuring Internet Group Management Protocol (IGMP)

Internet Group Management Protocol (IGMP) is an exchange protocol for routers. Hosts that want to receive multicast messages need to inform their neighboring routers of their status. In some networks, each node in a network becomes a member of a multicast group and receives multicast packets.
STEP 3 Choose the Upstream Interface (WAN or LAN). Select the interface (LAN or WAN) on which the IGMP proxy acts as a normal multicast client.
STEP 4 Click Save.

Configuring LAN (Local Network) Groups

You can create LAN groups, which are groups of endpoints that are identified by their IP address.
STEP 3 Click Save.

Firewall Configuration Examples

Example 1: Allow inbound HTTP traffic to the DMZ

In this example, you host a public web server on your local DMZ network. You want to allow inbound HTTP requests from any outside IP address to the IP address of your web server at any time of day.
Parameter                        Value
Action                           Always Allow
Service                          CU-SEEME:UDP
Source IP                        Address Range
Start                            132.177.88.2
Finish                           134.177.88.254
Send to Local Server (DNAT IP)   192.168.1.11
Rule Status                      Enabled

Example 3: Multi-NAT Configuration

In this example, you want to configure multi-NAT to support multiple public IP addresses on one WAN port interface.
Parameter                        Value
Source IP                        Single Address
Start                            10.1.0.52
Send to Local Server (DNAT IP)   192.168.1.
Parameter         Value
Source IP         Address Range
Start             starting IP address
Finish            ending IP address
Destination IP    Any
Rule Status       Enabled

Create an inbound access rule with the following parameters:

Parameter         Value
Connection Type   Inbound
Action            Block by Schedule
Schedule          Weekend
Service           All Traffic
Source IP         Any
Rule Status       Enabled
Chapter 5: Configuring Virtual Private Networks (VPNs) and Security

This chapter describes VPN configuration, beginning with the “Configuring VPNs” section on page 103. It also describes how to configure router security, beginning with the “Configuring Security” section on page 117.
STEP 1 Enable remote management. See Configuring Remote Management, page 130.
STEP 2 Create QuickVPN users. See Configuring VPN Users, page 115. After a user account is created, the credentials can be used by the QuickVPN client.

For more information on installing and using Cisco QuickVPN, see Appendix A, “Using Cisco QuickVPN for Windows 7, 2000, XP, or Vista.
STEP 7 If you chose gateway in Step 2, enter the IP address and subnet mask of the remote LAN. The remote gateway to which the Cisco RV180/RV180W will connect is located on that LAN.
NOTE: The IP address range used on the remote LAN must be different from the IP address range used on the local LAN.
STEP 8 Click Save.
To configure IKE Policies:
STEP 1 Choose VPN > IPsec > Advanced VPN Setup. In the IKE Policy Table, click Add.
STEP 2 Under Policy Name, enter a unique name for the policy for identification and management purposes.
STEP 3 Under Direction/Type, choose one of the following connection methods:
• Initiator—The router will initiate the connection to the remote end.
• DER ASN1 DN
STEP 8 If you chose FQDN, User-FQDN, or DER ASN1 DN as the identifier type, enter the IP address or domain name in the Identifier field.

IKE SA Parameters

The Security Association (SA) parameters define the strength and mode for negotiating the SA.
NOTE: The double quote character (“) is not supported in the pre-shared key.
STEP 4 Choose the Diffie-Hellman (DH) Group algorithm, which is used when exchanging keys. The DH Group sets the strength of the algorithm in bits.
NOTE: Ensure that the DH Group is configured identically on both sides of the IKE policy.
• IPsec Host—The router is authenticated by a remote gateway with a username and password combination. In this mode, the router acts as a VPN Client of the remote gateway.
STEP 2 If you selected IPsec Host, enter the username and password for the host.

Configuring VPN Policies

To configure a VPN policy:
STEP 1 Choose VPN > IPsec > Advanced VPN Setup.
STEP 2 In the VPN Policy Table, click Add.
Local Traffic Selection and Remote Traffic Selection

STEP 1 For both of these sections, configure the following settings:
• Local/Remote IP—Select the type of identifier that you want to provide for the endpoint:
  - Any—Specifies that the policy is for traffic from the given end point (local or remote). Note that selecting Any for both local and remote end points is not valid.
STEP 5 In the Domain Name 2 field, specify a domain name, which will be queried only using the DNS server configured in the Domain Name Server 2 field.
NOTE: Make sure that you avoid using overlapping subnets for remote or local traffic selectors. Using these subnets would require adding static routes on the router and the hosts to be used.
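Both this note and the earlier note that the remote LAN range must differ from the local LAN range can be checked before any policy is entered. The Python sketch below is an added example, not part of the guide; the policy names, the addresses and the dash notation for a range are assumptions of the example, and treating overlap between the remote selectors of two policies as a conflict is this example's reading of the note.

```python
# Added illustration (not from the guide): pre-deployment overlap check for
# VPN traffic selectors. Policy names and addresses are constructed.
import ipaddress
from itertools import combinations


def selector_networks(selector):
    """Expand one selector into a list of ip_network objects.

    Accepted forms (notation assumed for this example):
      subnet          '192.168.2.0/24' or '192.168.2.0/255.255.255.0'
      single address  '10.1.0.52'
      address range   '192.168.2.100-192.168.2.120'
    """
    selector = selector.strip()
    if "-" in selector:
        first, last = (ipaddress.ip_address(p.strip())
                       for p in selector.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"bad address range: {selector!r}")
        # A range is covered exactly by a handful of CIDR blocks.
        return list(ipaddress.summarize_address_range(first, last))
    # strict=False accepts a host address with a mask, as typed into a form.
    return [ipaddress.ip_network(selector, strict=False)]


def selectors_overlap(a, b):
    """True if any address belongs to both selectors."""
    return any(
        x.version == y.version and x.overlaps(y)
        for x in selector_networks(a)
        for y in selector_networks(b)
    )


def find_conflicts(policies):
    """Return (policy, policy, reason) tuples for every overlap found."""
    conflicts = []
    # Remote LAN must not share addresses with the local LAN of the same policy.
    for p in policies:
        if selectors_overlap(p["local"], p["remote"]):
            conflicts.append((p["name"], p["name"], "remote LAN overlaps local LAN"))
    # Two tunnels claiming the same remote addresses make routing ambiguous.
    for p, q in combinations(policies, 2):
        if selectors_overlap(p["remote"], q["remote"]):
            conflicts.append((p["name"], q["name"], "remote selectors overlap"))
    return conflicts


# Constructed policies for the demonstration.
POLICIES = [
    {"name": "branch-a", "local": "192.168.1.0/255.255.255.0",
     "remote": "192.168.2.0/255.255.255.0"},
    {"name": "branch-b", "local": "192.168.1.0/255.255.255.0",
     "remote": "192.168.1.128/255.255.255.128"},
    {"name": "branch-c", "local": "192.168.1.0/24",
     "remote": "192.168.2.100-192.168.2.120"},
]

if __name__ == "__main__":
    for left, right, reason in find_conflicts(POLICIES):
        print(f"{left} / {right}: {reason}")
```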
• Key-In—Enter the integrity key (for ESP with Integrity-mode) for the inbound policy. The length of the key depends on the algorithm chosen:
  - MD5—16 characters
  - SHA-1—20 characters
  - SHA2-256—32 characters
  - SHA2-384—48 characters
  - SHA2-512—64 characters
• Key-Out—Enter the integrity key (for ESP with Integrity-mode) for the outbound policy.
Auto Policy Parameters

If you chose auto as the policy type in Step 4, configure the following:
STEP 1 SA Lifetime—Enter the duration of the Security Association and choose the unit from the drop-down list:
• Seconds—Choose this option to measure the SA Lifetime in seconds. After the specified number of seconds passes, the Security Association is renegotiated. The default value is 3600 seconds.
Configuring VPN Clients

VPN clients must be configured with the same VPN policy parameters used in the VPN tunnel the client wishes to use: encryption, authentication, life time, and PFS key-group. Upon establishing these authentication parameters, the VPN Client user database must also be populated with an account to give a user access to the tunnel.
Packets: Number of IP packets transmitted over this SA.
Kbytes: Kilobytes of data transmitted over this SA.
State: Status of the SA for IKE policies: Not Connected or IPsec SA Established.
Action: Choose Connect to establish a connection, or Drop to terminate an established connection.

Configuring VPN Users

To view a list of VPN users, choose VPN > IPsec > VPN Users.
STEP 4 Enter the username.
STEP 5 Enter the password. If you want the user to be able to change the password, check the Enabled box.
STEP 6 Under Protocol, choose the type of user:
• QuickVPN—The user is authenticated by the VPN server. See Creating Cisco QuickVPN Client Users, page 103.
• PPTP—The user is authenticated by a PPTP server.
Configuring Security

The Cisco RV180/RV180W provides several security methods, including certificate authentication, RADIUS server support, and 802.1x port-based authentication.

Using SSL Certificates for Authentication

The Cisco RV180/RV180W uses digital certificates for IPsec VPN authentication and SSL validation (for HTTPS and SSL VPN authentication).
Uploading a Trusted Certificate

If you have a certificate from a trusted authority to upload, the file must be located on the computer connected to the Cisco RV180/RV180W. Perform the following steps:
STEP 1 Choose Security > SSL Certificate.
STEP 2 In the Trusted Certificates (CA Certificate) Table, click Upload.
STEP 3 Click Browse and locate the file on your computer.
STEP 4 Click Upload.
STEP 9 (Optional) Enter the e-mail address of the company contact that is used when generating the self certificate request.
STEP 10 Click Save. A new certificate request is created and appears in the Self Certificate Requests Table.
STEP 11 Click Export for Admin to save the certificate file. This file is submitted to the CA for signing, unless your organization is self-certifying.
STEP 3 Click Browse and locate the file on your computer.
STEP 4 Click Upload. The new certificate appears in the table.

Exporting the Router’s Current Certificate

To export the router’s current certificate:
STEP 1 Choose Security > SSL Certificate.
STEP 2 Under Export Certificate, click Export for Client to export the certificate.
STEP 3 In the Authentication Port field, enter the port number on which the RADIUS server sends traffic.
STEP 4 In the Secret field, enter the shared key that allows the Cisco RV180/RV180W to authenticate with the RADIUS server. This key must match the key configured on the RADIUS server. The single quote, double quote, and space characters are not allowed in this field.
Configuring 802.1x Port-Based Authentication

A port-based network access control uses the physical access characteristics of IEEE 802 LAN infrastructures in order to provide a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics. It also prevents access to that port in cases where the authentication fails.
Chapter 6: Configuring Quality of Service (QoS)

The Cisco RV180/RV180W lets you configure the following Quality of Service (QoS) features:
• Configuring WAN QoS Profiles
• Configuring Profile Binding
• Configuring CoS Settings
• Mapping CoS Settings to DSCP Values

Configuring WAN QoS Profiles

WAN QoS profiles let you manage the bandwidth of the traffic flowing from the secure network (LAN) to the insecure network (WAN).
For more information, see Configuring Bandwidth Allocation Settings, page 124.
STEP 3 When prompted to reset the previous priority or rate limit configuration, click OK.
STEP 4 Click Save.

Configuring Bandwidth Allocation Settings

To configure the WAN QoS bandwidth allocation settings:
STEP 1 Choose QoS > WAN QoS Profiles.
STEP 3 Enter this information:
Name: Enter the name of the profile.
Priority: If the WAN QoS mode is set to Priority, choose the priority level from the drop-down menu.
Minimum Bandwidth Rate: If the WAN QoS mode is set to Rate Limit, enter the minimum bandwidth rate (1 to total WAN bandwidth in Kbps).
If the service you are looking for is not in the drop-down menu, you can configure a custom service in the Firewall page (see Creating Custom Services, page 92).
STEP 4 From the Traffic Selector Match Type drop-down menu, choose the traffic selector to use to bind traffic to the profile.
STEP 3 For each CoS priority level in the CoS to Traffic Forwarding Queue Mapping Table, choose a priority value from the Traffic Forwarding Queue drop-down menu. These values mark traffic types with higher or lower traffic priority depending on the type of traffic.
STEP 4 Click Save.

To restore the default CoS settings, click Restore Default and, when prompted, click OK. Then, click Save.
Chapter 7: Administering Your Cisco RV180/RV180W

This chapter describes the administration features of the Cisco RV180/RV180W, including creating users, configuring network management, diagnostics and logging, date and time, and other settings.
Configuring Language

To configure the language for the Cisco RV180/RV180W graphical user interface:
STEP 1 Choose Administration > Language Selection.
STEP 2 Choose the language you want to use from the drop-down list.
STEP 3 Click Save.

Configuring Password Rules

The Cisco RV180/RV180W can enforce rules for passwords selected by administrators and users.
To enable web access on the LAN port:
STEP 1 Choose Administration > Management Interface > Web Access.
STEP 2 In the LAN section, under HTTPS Web Access on LAN Interface, check Enable.

Configuring Remote Management

You can enable remote access so that administrators can log in remotely to the system and access the web interface.
management of the Cisco RV180/RV180W by SNMP, under Remote SNMP, check Enable.

Configuring User Accounts

The Cisco RV180/RV180W supports two user accounts for administering and viewing settings: an administrative user (default user name: “admin”) and a “guest” user (default user name: “guest”). The guest account has read-only access.
Setting the Session Timeout Value

The timeout value is the number of minutes of inactivity that are allowed before the Device Manager session is ended. This can be configured for the Admin and Guest accounts:
STEP 1 Choose Administration > Session Timeout.
STEP 2 In the Administrator Inactivity Timeout field, enter the number, in minutes, before an administrator login session times out due to inactivity.
STEP 1 In the SNMPv3 User Table, check the box for the user to edit and click Edit.
STEP 2 Under Security Level, choose the amount of SNMPv3 Privileges:
• NoAuthNoPriv—Doesn't require any Authentication and Privacy.
• AuthNoPriv—Submit only Authentication algorithm and password.
• AuthPriv—Submit Authentication/privacy algorithm and password.
Configuring Access Control Rules

The SNMP v1/v2c Access Control Table is a table of access rules that enables read-only or read-write access for select IP addresses in a defined SNMP agent's community. To configure access control rules:
STEP 1 In the SNMP v1/v2c Access Control Table, click Add.
STEP 2 Enter the IP Address of the specific SNMP manager or trap agent on which to create an access rule.
Configuring the WAN Traffic Meter

The WAN traffic meter displays statistics for traffic coming from the WAN (Internet) to the Cisco RV180/RV180W, and traffic going from the Cisco RV180/RV180W to the WAN. To configure the WAN Traffic Meter:
STEP 1 Choose Administration > WAN Traffic Meter.
STEP 2 Under WAN Traffic Meter, to enable the display of WAN traffic statistics, check Enable.
To configure what the Cisco RV180/RV180W does when the traffic limit is reached:
STEP 1 Choose Administration > WAN Traffic Meter.
STEP 2 Under When Limit Is Reached, select one of the following:
• Block All Traffic—All traffic to and from the Cisco RV180/RV180W is blocked.
• Block All Traffic Except E-Mail—Only email is allowed to and from the Cisco RV180/RV180W.
Using Traceroute

Traceroute displays all the routers present between the destination IP address and this router. Up to 30 “hops” (intermediate routers) between this router and the destination will be displayed. To use traceroute:
STEP 1 Choose Diagnostics > Network Tools.
STEP 2 Under Ping or Trace an IP Address, enter an IP address or domain name and click Traceroute.
NOTE: The packet trace is limited to 1MB of data per capture session. When the capture file size exceeds 1MB, it will be deleted automatically and a new capture file will be created.

Configuring Logging

NOTE: Enabling logging options may generate a significant volume of log messages and is recommended for debugging purposes only.
STEP 1 Choose Administration > Logging > Firewall Logs.
STEP 2 Under the type of routing logs, check the box to choose one or both of the following for each type:
• Accepted Packets—Check this box to log packets that were successfully transferred through the segment. This option is useful when the Default Outbound Policy is “Block” (see Configuring the Default Outbound Policy, page 76).
Configuring Remote Logging

To configure remote logging:
STEP 1 Choose Administration > Logging > Remote Logging Configuration.
STEP 2 In the Remote Log Identifier field, enter a prefix to add to every logged message for easier identification of the source of the message. The log identifier will be added to both e-mail and Syslog messages.
STEP 3 Click Save.
STEP 4 (Optional) To receive e-mail logs according to a schedule, configure the appropriate schedule settings:
• Unit—Select the period of time that you need to send the log: Hourly, Daily, or Weekly. To disable sending of logs, select Never.
it on VLAN 1, and devices joining the network can connect to the Cisco RV180/RV180W. If you have other VLANs created on your network, you can enable Bonjour on those VLANs too. (See Configuring Virtual LAN (VLAN) Membership, page 35 for more information.)
STEP 4 Click Save.
• IP Address—The IP address of the UPnP device that is accessing this router.
STEP 5 Click Save.

Configuring Time Settings

You can configure your time zone, whether or not to adjust for Daylight Savings Time, and with which Network Time Protocol (NTP) server to synchronize the date and time. The router then gets its date and time information from the NTP server.
When the router is working as configured, you can back up the configuration for restoring later. During backup, your settings are saved as a file on your PC. You can restore the router's settings from this file.

CAUTION: During a restore operation, do not try to go online, turn off the router, shut down the PC, or do anything else to the router until the operation is complete.
Importing CSV Files
You can import VPN client setting files that contain the usernames and passwords of clients in a Comma Separated Value (CSV) text file. You can use Excel to create a CSV file containing the VPN client settings. The file should contain one row for the headings and one or more rows for the VPN clients.
Rebooting the Cisco RV180/RV180W
To reboot the router, choose Administration > Reboot Router. Click Reboot.

Restoring the Factory Defaults
CAUTION During a restore operation, do not try to go online, turn off the router, shut down the PC, or do anything else to the router until the operation is complete. This should take about a minute.
• WDS Repeater—The Cisco RV180W connects using wireless to another wireless network and repeats the wireless signal to clients behind the Cisco RV180W.
STEP 3 Click Save.
8 Viewing the Cisco RV180/RV180W Status
This chapter describes how to view real-time statistics and other information about the Cisco RV120W.
Viewing the Dashboard
The view of the back panel shows you which ports are used (colored in green) and allows you to click the port to obtain information about the connection.
• To view a port’s connection information, click the port.
• To refresh the port information, click Refresh.
• To close the port information sheet, click Close.
The Dashboard page displays the following:

Device Information
Host Name: The name of the device.
To view the logs, click details. For more information see Viewing Logs, page 157.
To manage logs, click manage logging. For more information see Configuring Logging, page 138.

LAN (Local Network) Interface
MAC Address: The MAC address of the router.
IPv4 Address: The local IP address of the router. To change the IP address, see Configuring the IPv4 WAN (Internet), page 25.
VPN
Site-to-Site Tunnels: Displays the connected IPSec VPN tunnels.
PPTP Users: The number of Point-to-Point Tunneling Protocol (PPTP) users.
QuickVPN Users: The number of QuickVPN users.

Viewing the System Summary
The System Summary page displays a summary of the router’s settings. To view a summary of system settings:
STEP 1 Choose Status > System Summary.
STEP 2 Click Refresh to obtain the latest information.
LAN (Local Network) Information
MAC Address: The MAC address of the device.
IPv4 Address: The IP address and subnet mask of the device.
IPv6 Address: The IP address and subnet mask of the device (shown only if IPv6 is enabled).
DHCP Server: The status of the router’s DHCP server (enabled or disabled). If it is enabled, DHCP client machines connected to the LAN port receive their IP address dynamically.
Gateway: The gateway IP address of the WAN port.
Primary DNS Server: The IP address of the primary DNS server.
Secondary DNS Server: The IP address of the secondary DNS server.
NAT (IPv4 Only Mode)

WAN (Internet) Information (IPv6)
Connection Time: The time duration for which the connection is up.
Viewing the Wireless Statistics (Cisco RV180W)
The Wireless Statistics page shows a cumulative total of relevant wireless statistics for the radio on the device. To view wireless statistics:
STEP 1 Choose Status > Wireless Statistics.
STEP 2 Click Stop.
STEP 3 In the Poll Interval field, enter the number of seconds the router waits before updating the information on this page.
IPsec Connection Status
The IPsec Connection Status page displays the status of IPsec connections. To view the status of IPsec connections:
STEP 1 Choose Status > IPsec Connection Status.
STEP 2 Click Stop.
STEP 3 In the Poll Interval field, enter the number of seconds the router waits before updating the information on this page.
STEP 4 Click Start to restart automatic refresh at the specified poll interval.
Viewing VPN Client Connection Status
The VPN Client Connection Status page displays the status of VPN connections. To view VPN user connection status:
STEP 1 Choose Status > VPN Client Connection Status.
STEP 2 Click Stop.
STEP 3 In the Poll Interval field, enter the number of seconds the router waits before updating the information on this page.
STEP 4 Click Start to restart automatic refresh at the specified poll interval.
Viewing Logs
The View Logs page allows you to view the Cisco RV120W logs. To view the logs:
STEP 1 Choose Status > View Logs.
STEP 2 Click Refresh Logs to display the latest log entries.
STEP 3 To specify the types of logs to display, choose an option from the Logging Policy drop-down menu.
To delete all entries in the log window, click Clear Logs.
To email all log messages from the router, click Send Logs.
The Available LAN (Local Network) Hosts page displays the following fields:
Name: The name of the connected host.
IP Address: The IP address of the host.
MAC Address: The MAC address of the host.
Type: The type of connection (for example, static or dynamic).
Interface Type: The interface type (Wired or Wireless).

Viewing Port Triggering Status
To view the status of port triggering:
STEP 1 Choose Status > Port Triggering Status.
Viewing Port Statistics
The Port Statistics page displays port statistics. To view port statistics:
STEP 1 Choose Status > Port Statistics.
STEP 2 In the Poll Interval field, enter the auto-refresh time interval in seconds. The default value is 10.
STEP 3 To start the display of port statistics, click Start.
This page displays the latest port statistics based on the value you enter in the Poll Interval field.
Viewing Open Ports
The View Open Ports page displays a listing of all open ports. To view open ports, choose Status > View Open Ports. This page displays this information about open ports:
Proto: The protocol (TCP, UDP, and raw) used by the port.
Recv-Q: The number of bytes not copied by the program connected to this port.
Send-Q: The number of bytes not acknowledged by the program connected to this port.
A Using Cisco QuickVPN for Windows 7, 2000, XP, or Vista

Overview
This appendix explains how to install and use the Cisco QuickVPN software that can be downloaded from www.cisco.com. QuickVPN works with computers running Windows 7, 2000, XP, or Vista. (Computers using other operating systems will have to use third-party VPN software.
Installing the Cisco QuickVPN Software

Installing from the CD-ROM
STEP 1 Insert the Cisco RV180/RV180W CD-ROM into your CD-ROM drive. After the Setup Wizard begins, click the Install QuickVPN link. The License Agreement window appears.
STEP 2 Click Yes to accept the agreement. The InstallShield Wizard copies the appropriate files to the computer.
Using the Cisco QuickVPN Software
STEP 1 Double-click the Cisco QuickVPN software icon on your desktop or in the system tray.
STEP 2 The QuickVPN Login window will appear. In the Profile Name field, enter a name for your profile. In the User Name and Password fields, enter the User Name and Password that were created in Configuring VPN Users, page 115.
STEP 5 To terminate the VPN tunnel, click Disconnect. To change your password, click Change Password. For information, click Help.
STEP 6 If you clicked Change Password and have permission to change your own password, you will see the Connect Virtual Private Connection window. Enter your password in the Old Password field. Enter your new password in the New Password field.
B Where to Go From Here
Cisco provides a wide range of resources to help you obtain the full benefits of the Cisco RV120W.

Product Resources
Support
Cisco Small Business Support Community: www.cisco.com/go/smallbizsupport
Cisco Small Business Support and Resources: www.cisco.com/go/smallbizhelp
Phone Support Contacts: www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
Cisco Small Business Firmware Downloads: www.cisco.