Administration Guide
Page 2
and other company. (1110R) © 2011 Cisco Systems, Inc. All rights reserved. The use of their respective owners. Cisco and the Cisco logo are the property of the word partner does not imply a partnership relationship between Cisco and any other countries. To view a list of Cisco and/or its affiliates in the U.S. OL-19114-05 Third-party trademarks mentioned are trademarks or registered trademarks of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Administration Guide
Page 18
On the Certificate page, click Install the Certificate. For more information, see: www.cisco.com/go/configassist. Cisco SA500 Series Security Appliances Administration Guide 18 STEP 3 When the Security Alert appears, accept or install the certificate: • Internet Explorer: Click Yes to ... in the LAN configuration, you are using the security appliance with the Configuration Utility 1 Connecting to the Configuration Utility STEP 1 Connect your computer to the Configuration Utility. NOTE You can use the Cisco Configuration Assistant (CCA) to launch the Configuration...
Administration Guide
Page 30
For more information, see Configuring a DMZ, page 61. Cisco SA500 Series Security Appliances Administration Guide 30 Getting Started Common Configuration Scenarios www.example.com 1 Internet Public IP Address 209.165.200.225 SA 500 LAN Interface 192.168.75.1 DMZ Interface 172.16.2.1 Source Address Translation 209.165.200.225 172.16.2.30 Web Server Private IP Address...
Administration Guide
Page 38
... connection. Choose Custom if you have not been assigned a static DNS IP address. - Choose Default to use ISP-specified addresses. - Cisco SA500 Series Security Appliances Administration Guide 38 You can be passed on a VLAN tagged WAN interface. • VLAN ID: Specify the VLAN ID. Get Dynamically ... specify another size. STEP 6 If required by your ISP. • DNS Server Source: DNS servers map Internet domain names (example: www.cisco.com) to enable a connection on . Networking Configuring the WAN Connection 2 • My IP Address: Enter the IP address assigned to you by...
Administration Guide
Page 55
...IP Address: Choose this option, also enter the Idle Time in minutes. You can be passed on. Choose Custom if you . Cisco SA500 Series Security Appliances Administration Guide 55 Choose this option if you choose this option if your Internet service. - If you pay a flat fee for... • Server IP Address: Enter the IP address of activity. Idle Time: The security appliance disconnects from your ISP. • DNS Server Source: DNS servers map Internet domain names (example: www.cisco.com) to use ISP-specified addresses. - Choose Default to IP addresses. Get Dynamically from ...
Administration Guide
Page 62
...scenario, the business has one public IP address, 209.165.200.225, which is used for WAN and DMZ www.example.com Internet Public IP Address 209.165.200.225 SA 500 LAN Interface 192.168.75.1 DMZ Interface 172.16.2.1 Source Address Translation 209.165.200.225 172.16.2.30 Web Server... Private IP Address: 172.16.2.30 Public IP Address: 209.165.200.225 User 192.168.75.10 User 192.168.75.11 235140 Cisco SA500 Series Security Appliances Administration Guide...
Administration Guide
Page 63
... server. Cisco SA500 Series Security Appliances Administration Guide 63 The firewall rule specifies an external IP address of 209.165.200.226. The address 209.165.200.225 is associated with Two Public IP Addresses www.example.com 2 Internet Public IP Addresses 209.165.200.225 (router) 209.165.200.226 (web server) SA 500 LAN Interface...
Administration Guide
Page 76
...: Choose None or choose DynDNS.com. • Host and Domain Name: Specify the complete Host Name and Domain Name for the DDNS service. • User Name: Enter the DynDNS account User Name. • Password: Enter the password for your website. STEP 1 Click Networking > Dynamic DNS. Cisco SA500 Series Security Appliances Administration Guide 76 If your...
Administration Guide
Page 126
... this option to allow access only to any URL that contains the keyword that you entered www.yahoo.com, then your users can access websites such as www.yahoo.com, tw.yahoo.com, www.yahoo.com.uk, and www.yahoo.co.jp. For example, if you entered in the URL box. STEP ...entered yahoo, then your users can access www.yahoo.com, but they will be blocked from www.yahoo.com.uk or www.yahoo.co.jp. - STEP 5 Click Apply to save your settings. b. Other options: Click the Edit button to access. Cisco SA500 Series Security Appliances Administration Guide 126 The Approved URLs window opens. You...
Administration Guide
Page 127
... Type: Specify the method for the URL, then your users are prevented from accessing. Cisco SA500 Series Security Appliances Administration Guide 127 For example, if you click Add or Edit, the Blocked URLs Configuration window opens. After you enter www.yahoo.com for applying this rule: - Other options: Click the Edit button to Allow or...
Administration Guide
Page 131
... 213. • Automatic Signature Updates: IPS uses signature files to view the IPS log messages. Click Apply to save your Cisco.com User Name and Password to authenticate to protect. Cisco SA500 Series Security Appliances Administration Guide 131 This option is only active if the Automatically Update Signature box is disabled. Intrusion Prevention System Configuring IPS...
Administration Guide
Page 132
For more information, see Logs Facility and Severity, page 189. Cisco SA500 Series Security Appliances Administration Guide 132 Browse to the category heading. STEP 1 Click IPS > IPS Policy, or from the Getting Started (Advanced) page, under a category, click the + button...file on this category. Click Reset to revert to the previous settings. • Manual Signature Updates: To manually update the latest signature file, click the Cisco.com link to obtain the file and download it to save your computer. STEP 3 Click Apply to your settings. STEP 2 Choose the policy for each ...
Administration Guide
Page 135
...bar, and then click License Management. For more information, see the Cisco ProtectLink Security documentation at: www.cisco.com/go/protectlink. To buy, register, or activate the service, click ...Cisco ProtectLink Gateway provides the web security features of ProtectLink Web and combines it with email security to configure the ProtectLink services. 6 Using Cisco ProtectLink Security Services The SA500 Series supports Cisco ProtectLink Security Services. These services provide layers of protection against different security threats on a server. Cisco SA500 Series Security Appliances...
Administration Guide
Page 138
... that address or name in Figure 5, the remote site, Site B, has a public IP address of 209.165.200.236. Then enter that device. Cisco SA500 Series Security Appliances Administration Guide 138 Do not use for this VPN tunnel: Dedicated WAN or Optional WAN. STEP 4 In the Remote & Local WAN Addresses area, enter... address of the remote device, or choose Fully Qualified Domain Name (FQDN) if you want to enter a domain name, such as vpn.company.com. For the example illustrated in the Local WAN's IP Address or Internet Name field. You would choose IP Address for the type, and you ...
Administration Guide
Page 140
... Connection Name and Remote IP Type area, enter the following information: • What is available for download at: www.cisco.com/go/ciscovpnclient. If you complete the Wizard. Cisco SA500 Series Security Appliances Administration Guide 140 The Cisco VPN client software is the new connection name?: Enter a name for the connection. Configuring VPN Configuring an IPsec VPN...
Administration Guide
Page 141
... the pre-shared key. • Local WAN Interface: If you have only one specified in the Local WAN's IP Address or Internet Name field. Cisco SA500 Series Security Appliances Administration Guide 141 If you are not using the Getting Started (Advanced) page, click Getting Started > Advanced to return to enter a domain name, .... • Local Gateway Type: This field can be entered exactly the same here and on an external authentication server such as vpn.company.com. Then enter that you want to save your settings. Choose IP Address if you want to the list of the pre-shared key is...
Administration Guide
Page 142
...for IPsec VPN, page 144. • To configure IPsec passthrough, click IPsec > Passthrough. Alternatively, you are using the Cisco VPN Client, see Configuring the IKE Policies for remote access by remote workers, use this list when XAUTH is used in ...external authentication server such as a RADIUS server, see the Application Note located under Technical Documentation at: www.cisco.com/go/sa500resources. Standard IPsec (XAuth) Cisco SA500 Series Security Appliances Administration Guide 142 Configuring VPN Configuring an IPsec VPN Tunnel for the XAUTH user. • Remote Peer...
Administration Guide
Page 169
The VIP Configuration window opens. Cisco SA500 Series Security Appliances Administration Guide 169 VeriSign™ Identity Protection configuration Use this option if you have purchased VeriSign service. Click Apply to authenticate SSL VPN users, providing an enhanced level of security. The user must ensure that you acquired ...from VeriSign: • VIP Pilot/Developer Test Drive: Choose this option if pilot tokens were provided to you to : www.cisco.com/go to test and understand VIP ...
Administration Guide
Page 177
... (every 24 hours). The Firmware & Configuration (Network) window opens. See Release Notes located under Technical Documentation at: www.cisco.com/go/sa500resource. See Device Status, page 204. • Check for IPS signature downloads. Enter your settings. Click OK to save your... is available, select one of the following tasks, as needed: • Status Displays the firmware status. For example, the Cisco username and login used in Administration is automatically updated for New Firmware & Download: - Cisco SA500 Series Security Appliances Administration Guide 177
Administration Guide
Page 192
For example: CN=hostname.domain.com, ST=CA, C=USA • Hash Algorithm: Algorithm used by a comma. To view the request, click the View button next to identify a certificate. • Subject: Name ... of the generated certificate and can contain these fields: - C=Country For example: CN=router1, OU=my_dept, O=my_company, L=SFO, C=US Whatever name you just created. Cisco SA500 Series Security Appliances Administration Guide 192 The subject field populates the CN (Common Name) entry of the generated CSR. To include more than one subject field, enter each...