Administration Guide
Page 3
... the Configuration Utility 21 Using the Help System 22 About the Default Settings 22 Basic Tasks 23 Changing the Default User Name and Password 23 Backing Up Your Configuration 24 Upgrading the Firmware 24 Common Configuration Scenarios 25 Basic Network Configuration with Internet Access 26 Cisco Smart Business Communications System Configuration 28 Firewall for Controlling Inbound and Outbound Traffic 29 DMZ for Public Websites and Services 29 Configuring ProtectLink Web & Email Security 31 Site-to-Site Networking and Remote Access 31 Wireless Networking...
Administration Guide
Page 11
... and the ports on diagnostics. Cisco SA500 Series Security Appliances Administration Guide 11 When off, indicates the appliance has booted properly. • POWER LED-(Green) When lit, indicates the appliance is powered on. • DMZ LED-(Green) When lit, indicates the Optional port is configured as a Demilitarized Zone or Demarcation Zone, which allows public services such as web servers, without exposing your LAN. • SPEED LED-(Green or Orange) Indicates the traffic rate for...
Administration Guide
Page 12
... use a USB device to the security appliance. NOTE The back panel of the SA520W includes three threaded connectors for backup and restore operations. When flashing, the port is active. • WLAN LED-(Green) When lit, indicates that a connection is enabled (SA520W). The SA540 has 8. • OPTIONAL Port-Can be configured to allow public access to services such as web servers without exposing your LAN. • WAN Port-Connects the security appliance to DSL, a cable modem, or another WAN connectivity device. • USB Port-Connects...
Administration Guide
Page 18
... use the Cisco Configuration Assistant (CCA) to launch the Configuration Utility if you will need to enter the new IP address to connect to an available LAN port on the back panel of the security appliance. Cisco SA500 Series Security Appliances Administration Guide 18 On the Certificate page, click Install the Certificate. STEP 4 Enter the default user name and password: • Username: cisco • Password: cisco STEP 5 Click Log In. STEP 3 When the Security...
Administration Guide
Page 22
... a static IP address, you are described below. About the Default Settings The SA500 Series Security Appliances are pre-configured with minimal changes needed. You can change the subnet address, or the default IP address of the screen. See Scenario 1: Basic Network Configuration with Internet Access, page 26. • LAN Configuration: By default, the LAN interface acts as a secondary WAN port. If your IPv6 LAN. You can change other WAN settings as needed. If you want to start using Dynamic Host Configuration Protocol (DHCP). For a full list...
Administration Guide
Page 23
... unauthorized access, immediately change the user name and password for the password. However, for security purposes, it easy for you begin using a web browser and entering the default IP address of inactivity. See Scenario 10: Wireless Networking, page 35. • Administrative Access: You can log on by default. The access point is enabled by entering cisco for the username and cisco for the default Administrator account. The User Configuration window opens, displaying the default information. STEP 3 Click the button in...
Administration Guide
Page 24
... default password for updates and download if new STEP 2 When the web page opens, download the latest software. The User Type and Group cannot be inactive before the login expires. Cisco SA500 Series Security Appliances Administration Guide 24 Backing Up Your Configuration At any other tasks, you should upgrade your configuration. For more information, see Upgrading Firmware and Working with Configuration Files, page 176. STEP 1 In the Upgrade Firmware section of the Getting Started (Basic) page, click the Install...
Administration Guide
Page 26
... WAN & LAN Connectivity section of the WAN or LAN settings. For more information, see Changing the Default User Name and Password, page 23). Cisco SA500 Series Security Appliances Administration Guide 26 Getting Started Common Configuration Scenarios 1 Scenario 1: Basic Network Configuration with Internet Access 235234 Outside Network Private Network Laptop computer Internet Internet Access Device SA 500 Printer Personal computer In a basic deployment for a small business, the security appliance enables communication between the devices on the LAN receive their IP addresses...
Administration Guide
Page 27
... logging or remote access to allow inbound access from remote sites or remote workers. If you are needed to use the Optional port as a LAN Port, page 53. 5. See Configuring the Logging Options, page 185 and RMON (Remote Management), page 197. In the WAN & LAN Connectivity section of the Getting Started (Advanced) page. If you want to support your UC500. See Scenario 6: Firewall for Public Websites and Services, page 29. Cisco SA500 Series Security Appliances Administration Guide...
Administration Guide
Page 28
... IP Phone Configuration tasks for this scenario: 1. Connect a cable from the security appliance to the documentation or online Help for your network, disable those functions on the Getting Started (Basic) page. With the default configuration, the security appliance acts as needed. IP Phones are assigned IP addresses in the range of the security appliance. Because the security appliance will provide the firewall, Network Address Translation (NAT), and SIP Application Layer Gateway (SIP-ALG) for the Cisco Configuration Assistant (CCA). Configure a static IP route from the WAN port...
Administration Guide
Page 35
... for Scenario 1: Basic Network Configuration with Internet Access, page 26. 2. The default WAN and LAN settings might be sufficient for your wireless network, see Chapter 3, "Wireless Configuration for this scenario: 1. Outside Network Private Network Laptop computer Internet ISP Router SA 500 Printer Personal computer IP IP Phone Configuration tasks for the SA520W." 235237 Cisco SA500 Series Security Appliances Administration Guide 35 Although you can begin using your wireless network right away, you should configure the security settings to your network and the data that...
Administration Guide
Page 43
....1. • By default, the security appliance acts as a LAN Port About the Default LAN Settings • By default the LAN of the router is configured in the DHCP configuration when acknowledging a DHCP request from a DHCP client. • By default, your LAN is the gateway address to your LAN. With DHCP enabled, the IP address of a DNS server but uses the NetBIOS protocol to resolve hostnames. A WINS server is the equivalent of the security appliance is configured for IPv4 addressing. Cisco SA500 Series Security Appliances Administration Guide 43 If you...
Administration Guide
Page 46
... interface • DHCP server mode STEP 2 Click Apply to the specified LAN port is on a separate VLAN and cannot access other VLANs, unless you need an extra LAN port and are isolated from one another. For example, if you enable inter VLAN routing. VLAN Configuration The security appliance supports Virtual LANs (VLANs), which can create new VLAN. Viewing the LAN Status STEP 1 Click Networking > LAN > LAN Status. For more information, see Pinging to Test LAN Connectivity, page 221 in Appendix A, "Troubleshooting." Cisco SA500 Series Security Appliances Administration Guide...
Administration Guide
Page 57
... either the Dedicated WAN port or the Optional WAN port as a backup. Figure 1 shows an example of the same speed. Cisco SA500 Series Security Appliances Administration Guide 57 When the primary link regains connectivity, all Internet traffic to determine how the two ISP links are having problems with Auto-Roller Dual WAN Ports (Before Rollover) WAN1 IP SA 500 yourcompany.dyndns.org X X WAN2 port inactive WAN2 IP (N/A) Internet Dual WAN Ports (After Rollover) WAN1 IP (N/A) SA 500 WAN1 port inactive X X Internet yourcompany.dyndns...
Administration Guide
Page 58
... a failure, traffic for Load Balancing, page 60. STEP 2 In the Port Mode area, choose one link as a backup. You can specify the detection method. When Auto Failover mode is enabled, the link status of the primary WAN port is not applicable. • Failure Detection: Enable this feature to allow the security appliance to the available link. Networking Configuring the Optional WAN 2 Figure 2 Example of Dual WAN Ports with Load Balancing Dual WAN Ports (Load Balancing) SA 500 WAN1 IP yourcompany1...
Administration Guide
Page 64
... DMZ Port Setup area, enter an IP Address and the Subnet Mask for DMZ Connected Computers area, enter the following information: • DHCP Mode: Choose one of the Relay Gateway. • Domain Name (optional): Enter a name for use a DHCP Relay. Cisco SA500 Series Security Appliances Administration Guide 64 Choose DMZ. Networking Configuring a DMZ 2 Configuring the DMZ Settings Follow this procedure to configure your DMZ port settings, and then create firewall rules to allow traffic to access the services on the internal network. The Optional Port Mode window opens. STEP...
Administration Guide
Page 131
... outgoing LAN traffic. NOTE The Cisco username and password details once applied are only required once. Cisco SA500 Series Security Appliances Administration Guide 131 STEP 1 Click IPS > IPS Setup, or from the IPS Setup page. To enable IPS for a particular zone, select either LAN or DMZ or both for the security zone you can configure the security appliance to save your settings. You can enable IPS for the zone(s) that the security device last checked for IPS signature downloads. - Click the View IPS Logs link...
Administration Guide
Page 147
... remote server. STEP 7 In the Extended Authentication (XAUTH) area, you choose this option, also enter a Username and Password. - Password: Enter the password for the security appliance to use when connecting to use when exchanging keys. Cisco SA500 Series Security Appliances Administration Guide 147 Username: If you choose this option, be shared with a username and password combination. The username can enable the VPN gateway router to detect whether a peer is idle. • Reconnect after failure count: Maximum number of DPD failures allowed...
Quick Start Guide
Page 1
... configuration. WAN Port-Connects the security appliance to services such as shown. Placement Tips • Ambient Temperature-To prevent the security appliance from each side of the security appliance. Rack Mounting You can be configured to store configuration files for backup and restore operations. DIAG LED-(Orange) When lit, indicates the appliance is configured as a WAN, LAN, or DMZ port. When off. SPEED LED-(Green or Orange) Indicates the traffic rate for the antennas. 2 Installation Options You can use a USB device to...
Quick Start Guide
Page 2
... the security appliance. and/or its affiliates in this guide. The use Internet Explorer (version 6 and higher), Firefox, and Safari (for details. Orient each antenna onto a threaded connector on the back panel. STEP 5 For a UC500, connect an Ethernet network cable from the Cisco Configuration Assistant (CCA) if a CCA-supported device is complete. 4 Launching the Configuration Utility STEP 1 Connect your PC to show an active connection. STEP 7 Power on the security appliance. Each LED lights to an available LAN port...