Administration Guide
Page 3
...Basic Network Configuration with Internet Access 26 Cisco Smart Business Communications System Configuration 28 Firewall for Controlling Inbound and Outbound Traffic 29 DMZ for Public Websites and Services 29 Configuring ProtectLink Web & Email Security 31 Site-to-Site Networking and ...Remote Access 31 Wireless Networking 35 Chapter 2: Networking 36 Configuring the WAN Connection 37 Viewing the WAN Status 39 Creating PPPoE Profiles 40 Configuring an IP Alias 41 Cisco SA500 Series Security Appliances Administration Guide ...
Administration Guide
Page 5
...Access Points Configuring the Radio Basic Radio Configuration Advanced Radio Configuration Chapter 4: Firewall Configuration Configuring Firewall Rules to Control Inbound and Outbound Traffic Preliminary Tasks for Firewall Rules Configuring the Default Outbound Policy Configuring a Firewall Rule for Outbound Traffic 77 78 78 80 82 83 83 84 ...85 85 86 87 88 88 89 91 91 92 95 95 96 98 99 99 101 103 103 104 107 107 Cisco SA500 Series Security Appliances ...
Administration Guide
Page 6
... for Inbound Traffic 110 Prioritizing Firewall Rules 113 Firewall Rule Configuration Examples 114 Using Other Tools to Prevent Attacks, Restrict Access, and Control Inbound Traffic 117 Configuring Attack Checks 118 Configuring ...Using Cisco ProtectLink Security Services 135 Chapter 7: Configuring VPN About VPN Configuring a Site-to-Site VPN Tunnel Configuring an IPsec VPN Tunnel for Remote Access with a VPN Client Configuring the User Database for the IPsec Remote Access VPN Advanced Configuration of IPsec VPN 136 136 137 139 142 144 Cisco SA500 Series Security Appliances ...
Administration Guide
Page 10
...; About the Default Settings • Basic Tasks • Common Configuration Scenarios Feature Overview The features of SA500 Series Security Appliance Models Feature Firewall Performance UTM VPN Performance Connections SA520 200 Mbps 200 Mbps 65 Mbps 15,000 Cisco SA500 Series Security Appliances Administration Guide SA520W 200 Mbps 200 Mbps 65 Mbps 15,000 SA540 300 Mbps 300 Mbps 85...
Administration Guide
Page 19
.... • For help with advanced configuration tasks, such as firewall/NAT configuration, optional WAN configuration, DMZ configuration, and VPN setup, click the Getting Started > Advanced link in , check the Don't show this on start-up box. Getting Started (Basic) Page Cisco SA500 Series Security Appliances Administration Guide 19 Getting Started Getting Started with the Configuration...
Administration Guide
Page 25
...security appliance, consider the following configuration scenarios: • Scenario 1: Basic Network Configuration with Internet Access, page 26 • Scenario 8: Cisco Smart Business Communications System Configuration, page 28 • Scenario 7: DMZ for Public Websites and Services, page 29 • Scenario 6: Firewall... -Site Networking and Remote Access, page 31 • Scenario 10: Wireless Networking, page 35 Cisco SA500 Series Security Appliances Administration Guide 25 As you downloaded. Getting Started Common Configuration Scenarios 1 The Firmware & Configuration (Network...
Administration Guide
Page 27
...secondary WAN port to allow access to your devices. If you can use your security appliance with your Cisco Smart Business Communications System (SBCS), install and configure your UC500. See Scenario 6: Firewall for Public Websites and Services, page 29. Consider whether you need to allow...If you want to your network from the Internet, or if you want to provide backup connectivity or load balancing. Cisco SA500 Series Security Appliances Administration Guide 27 Review the LAN configuration and make any changes that are going to the configuration utility. Consider how ...
Administration Guide
Page 28
... the security appliance will provide the firewall, Network Address Translation (NAT), and SIP Application Layer Gateway (SIP-ALG) for your Cisco Smart Business Communications System network. 235235 Outside Network Private Network Laptop computer Internet Internet Access Device SA 500 UC500 Printer Personal computer IP IP Phone Configuration tasks for the Cisco Configuration Assistant (CCA). Cisco SA500 Series Security Appliances Administration Guide...
Administration Guide
Page 29
...configure various levels of the security appliance for use the Firewall and NAT Rules links on the Getting Started (Advanced) page. Consider the following examples of IP addresses, or to your DMZ, you need to ensure that your LAN. Cisco SA500 Series Security Appliances Administration Guide 29 You can... To start configuring your private LAN and the Internet. Configuration tasks for this concern by configuring the Optional port of firewall rules. After you specify. Scenario 7: DMZ for Public Websites and Services If your business hosts public services such as a separate...
Administration Guide
Page 61
The security appliance is disabled until you added. By placing your own custom services to the list, see Creating Custom Services, page 104. • Local Gateway: Choose the interface that is behind the firewall but cannot penetrate the ...click Add or Edit, the Protocol Bindings Configuration window opens. The public can add an additional layer of security to edit an entry. STEP 5 When you are ready, enable the new protocol bindings that is open ... table, check the box at the left side of standard services. Cisco SA500 Series Security Appliances Administration Guide 61
Administration Guide
Page 62
A firewall rule allows inbound HTTP traffic to be identical to the IP address given to the LAN interface of this scenario, the business has one public ....200.225 SA 500 LAN Interface 192.168.75.1 DMZ Interface 172.16.2.1 Source Address Translation 209.165.200.225 172.16.2.30 Web Server Private IP Address: 172.16.2.30 Public IP Address: 209.165.200.225 User 192.168.75.10 User 192.168.75.11 235140 Cisco SA500 Series Security Appliances Administration Guide...
Administration Guide
Page 63
...port and created a firewall rule to allow inbound HTTP traffic to the web server. Networking Configuring a DMZ Figure 4 Example DMZ with the IP address 209.165.200.226, and they are connected to the web server at 172.16.2.30. Cisco SA500 Series Security Appliances Administration Guide 63 The... address 209.165.200.225 is associated with Two Public IP Addresses www.example.com 2 Internet Public IP Addresses 209.165.200.225 (router) 209.165.200.226 (web server) SA 500 LAN Interface 192.168.75...
Administration Guide
Page 64
... this mode, also enter the IP address of configuration tasks. Click Apply to save your DMZ port settings, and then create firewall rules to allow traffic to access the services on the screen. The DMZ Configuration window opens. STEP 4 In the DHCP for... a DMZ 2 Configuring the DMZ Settings Follow this option to allow the security appliance to use a DHCP Relay. The Optional Port Mode window opens. If you choose this option if If the computers on the DMZ network communicate with white backgrounds. - c. Cisco SA500 Series Security Appliances Administration Guide 64
Administration Guide
Page 65
...The default is 24 hours. • Relay Gateway: If you want to a network user. To get started, click Firewall on the menu bar. Cisco SA500 Series Security Appliances Administration Guide 65 STEP 5 In the DMZ Proxies section, check the box to allow inbound traffic to save your DMZ. ...For more information, see Configuring a Firewall Rule for Inbound Traffic, page 110. • If you chose DHCP Relay as ...
Administration Guide
Page 74
...the IP Address, MAC Address, Port Name, or VLAN, based on your settings. STEP 4 Click Apply to save your requirements. Cisco SA500 Series Security Appliances Administration Guide 74 If you do not see a service that can be used to differentiate traffic and give preference to higher-priority ...Ethernet header field, depending on the chosen match type. Networking QoS Bandwidth Profiles 2 After you can configure a custom service through Firewall custom services page. • Traffic Selector Match Type: Choose the method for implementing Quality of Service at the top of the page.
Administration Guide
Page 103
... or prevent some outbound access, you want to Prevent Attacks, Restrict Access, and Control Inbound Traffic • SIP To access the Firewall pages click Firewall from the Configuration Utility menu bar. Configuring Firewall Rules to whom the rules apply and can specify these settings: • Services or traffic types (examples: web browsing, VoIP... • Days of the week and times of day • Keywords in a domain name or on a URL of a web page • MAC addresses of devices Cisco SA500 Series Security Appliances Administration Guide 103
Administration Guide
Page 104
..., page 104. • If you can use additional public IP addresses (typically assigned by entering a name, specifying the type, and assigning the port range. Cisco SA500 Series Security Appliances Administration Guide 104 Firewall Configuration Configuring Firewall Rules to create rules that apply only on specified days and times, first create the schedules. Creating Custom Services The...
Administration Guide
Page 105
...Available Custom Services table. STEP 4 Click Apply to save your security appliance, see Configuring the Time Settings, page 184. Any existing custom services appear in the first column of configuration tasks under Firewall and NAT Rules, click Configure Custom Services. Other options: ...Port and the Finish Port. Cisco SA500 Series Security Appliances Administration Guide 105 The Custom Services window opens. After you choose ICMP or ICMPv6, also enter the ICMP Type. - STEP 3 Enter the following information: • Name: Enter a name for a Firewall Rules You can create a schedule...
Administration Guide
Page 106
... > Advanced to continue with the list of the table heading. Any existing schedules appear in the first column of configuration tasks under Firewall and NAT Rules, click Configure Schedules (Optional). To select all entries, check the box in the Select Schedule drop-down list on... Click Apply to save your local network. Cisco SA500 Series Security Appliances Administration Guide 106 If you choose Specific Times, also enter the Start Time and the End Time by your ISP and you want to these addresses to reach devices on the Firewall Rule Configuration page. • Scheduled Days:...
Administration Guide
Page 107
... the WAN For examples, see Configuring a Firewall Rule for outbound traffic, see Firewall Rule Configuration Examples, page 114. NOTE Next steps: • To configure a firewall rule for outbound traffic, see Configuring a Firewall Rule for Outbound Traffic, page 107. • To configure a firewall rule for Inbound Traffic, page 110. Cisco SA500 Series Security Appliances Administration Guide 107 STEP 2 Select Allow...