Administration Guide
Page 6
... Messaging 130 131 132 133 134 Chapter 6: Using Cisco ProtectLink Security Services 135 Chapter 7: Configuring VPN About VPN Configuring a Site-to-Site VPN Tunnel Configuring an IPsec VPN Tunnel for Remote Access with a VPN Client Configuring the User Database for the IPsec Remote Access VPN Advanced Configuration of IPsec VPN 136 136 137 139 142 144 Cisco SA500 Series Security Appliances Administration Guide 6
Administration Guide
Page 7
... Access Access Options for SSL VPN Security Tips for SSL VPN Elements of the SSL VPN Scenario Step 1: Customizing the Portal Layout Scenario Step 2: Adding the SSL VPN Users Creating the SSL VPN Policies Specifying the Network Resources for SSL VPN Configuring SSL VPN Port Forwarding SSL VPN Tunnel Client Configuration Viewing the SSL VPN Client Portal VeriSign™ Identity... 156 157 159 160 163 163 165 168 169 169 170 171 171 172 173 173 175 176 176 178 180 180 182 184 185 Cisco SA500 Series Security Appliances Administration Guide 7
Administration Guide
Page 8
... VLANs Chapter 10: Status Device Status Device Status Resource Utilization Interface Statistics Port Statistics Wireless Statistics for the SA520W VPN Status IPsec VPN Status SSL VPN Status Quick VPN Status Active Users View Logs Cisco SA500 Series Security Appliances Administration Guide Contents 185 187 188 189 190 193 194 197 197 199 199 200 200 201 202 202...
Administration Guide
Page 9
...VPN Logs ProtectLink Logs CDP Neighbor LAN Devices Reports Appendix A: Troubleshooting Internet Connection Date and Time Pinging to Test LAN Connectivity Restoring Factory Default Configuration Settings Appendix B: Standard Services Appendix C: Technical Specifications and Environmental Requirements Appendix D: Factory Default Settings General Settings Router Settings Wireless Settings Storage Security... Settings Appendix E: Where to Go From Here 213 215 215 215 216 216 217 217 220 221 223 224 227 229 229 231 234 237 238 240 Cisco SA500 Series Security Appliances Administration...
Administration Guide
Page 10
...; About the Default Settings • Basic Tasks • Common Configuration Scenarios Feature Overview The features of SA500 Series Security Appliance Models Feature Firewall Performance UTM VPN Performance Connections SA520 200 Mbps 200 Mbps 65 Mbps 15,000 Cisco SA500 Series Security Appliances Administration Guide SA520W 200 Mbps 200 Mbps 65 Mbps 15,000 SA540 300 Mbps 300 Mbps 85...
Administration Guide
Page 19
...links. • For help with advanced configuration tasks, such as firewall/NAT configuration, optional WAN configuration, DMZ configuration, and VPN setup, click the Getting Started > Advanced link in the navigation pane, and click the links to perform the tasks that you...page from appearing automatically after you want to complete. • To return to get started. Getting Started (Basic) Page Cisco SA500 Series Security Appliances Administration Guide 19 Getting Started Getting Started with the Configuration Utility 1 Using the Getting Started Pages The Getting Started pages ...
Administration Guide
Page 31
For more information, see Chapter 6, "Using Cisco ProtectLink Security Services." Configuration tasks for Remote Access with a Web Browser Cisco SA500 Series Security Appliances Administration Guide 31 The Protect Link window opens. Scenario 9: Site-to-Site... Networking and Remote Access You can configure the following types of the Getting Started (Advanced) page, click Enable ProtectLink Gateway and/or Endpoint. You can configure a Virtual Private Network (VPN...
Administration Guide
Page 32
....0 Internet Outside 209.165.200.236 SA 500 Inside 10.20.20.0 Site B Printer Personal computers Personal computers Printer 235142 Configuration tasks for Site-to-Site VPN For site-to-site VPN, you can configure an IPsec tunnel with a VPN Client, page 139. Cisco SA500 Series Security Appliances Administration Guide 32 When the VPN Wizard appears, choose the Site-to...
Administration Guide
Page 33
... Started (Advanced) page to add your VPN users. DNS Server 10.10.10.163 Security Appliance Internal Inside network 10.10.10.0 Outside Personal Computer Using VPN Software Client Internet Personal Computer Using VPN Software Client 235236 WINS Server 10.10...maintaining the VPN client software for this scenario: In the IPsec VPN Remote Access section of the Getting Started (Advanced) page, click the VPN Wizard link. Getting Started Common Configuration Scenarios 1 IPsec VPN Remote Access with a VPN Client, page 139. Cisco SA500 Series Security Appliances Administration ...
Administration Guide
Page 34
... (Advanced) page and click the Configure Users link to configure the policies, client settings, routes, and resources for your SSL VPN. Cisco SA500 Series Security Appliances Administration Guide 34 DNS Server 10.10.10.163 Security Appliance Internal Inside network 10.10.10.0 Outside Internet ClientlessVPN ClientlessVPN 235141 WINS Server 10.10.10.133 ClientlessVPN Configuration tasks...
Administration Guide
Page 136
Cisco SA500 Series Security Appliances Administration Guide 136 See Configuring a Site-to-Site VPN Tunnel, page 137. • Remote Access with IPsec VPN Client Software: A remote worker uses a secure VPN client software to access the corporate network. 7 Configuring VPN This chapter describes how to configure a Virtual Private Network (VPN) to allow other sites and remote workers to secure traffic between two sites...
Administration Guide
Page 137
...pane. Figure 5 Site-to-Site VPN Site A Outside 209.165.200.226 SA 500 Inside 10.10.10.0 Internet Outside 209.165.200.236 SA 500 Inside 10.20.20.0 Site B Printer Personal computers Personal computers Printer 235142 The VPN Wizard helps you can update any ... parameters to -Site VPN, click VPN Wizard. Cisco SA500 Series Security Appliances Administration Guide 137 STEP 3 In the Connection Name and Remote IP Type area, enter the following website: www.vpnc.org/vpn-standards.html STEP 1 Click VPN > IPsec > VPN Wizard, or from the security appliance to another VPN gateway. NOTE For ...
Administration Guide
Page 138
... an IP address, or choose Fully Qualified Domain Name (FQDN) if you would choose IP Address for this VPN tunnel: Dedicated WAN or Optional WAN. Cisco SA500 Series Security Appliances Administration Guide 138 For the example illustrated in the IP Address or Internet Name field. NOTE When the... security appliance at the remote site: • Remote LAN IP Address: Enter the IP address of the pre-shared key ...
Administration Guide
Page 139
... the Getting Started (Advanced) page, click Getting Started > Advanced to return to the list of 255.0.0.0. The Wizard creates a VPN policy and an IKE policy based on the Wizard page. Cisco SA500 Series Security Appliances Administration Guide 139 After creating the policies through the Wizard, you are not saved on your entries. NOTE The IP...
Administration Guide
Page 140
... new connection name?: Enter a name for the connection. STEP 2 In the About VPN Wizard area, choose Remote Access to allow Extended Authentication (XAUTH) from the Getting Started (Advanced) page, under Technical Documentation at: www.cisco.com/go/sa500resources. Cisco SA500 Series Security Appliances Administration Guide 140 If you complete the Wizard. STEP 3 In the Connection Name...
Administration Guide
Page 141
... Local WAN's IP Address or Internet Name field. Cisco SA500 Series Security Appliances Administration Guide 141 NOTE Next steps: • If you are using a different FQDN or IP address than the one WAN configured, choose Dedicated WAN. To add users to the user database, continue with a VPN Client 7 • What is the pre-shared Key...
Administration Guide
Page 142
... authentication server such as a RADIUS server, see the Application Note located under Technical Documentation at: www.cisco.com/go/sa500resources. Configuring VPN Configuring an IPsec VPN Tunnel for the XAUTH user. • Remote Peer Type: Choose one of the following information: ... or update the configured IKE policy, click IPsec > IKE Policies. Configuring the User Database for IPsec VPN, page 144. Standard IPsec (XAuth) Cisco SA500 Series Security Appliances Administration Guide 142 For more information, see Configuring the IKE Policies for remote access by remote workers,...
Administration Guide
Page 143
...- This option should be used when additional client security is a proprietary Cisco/Linksys client which the remote user will have access. STEP 5 Repeat as Greenbow. See Advanced Configuration of IPsec VPN, page 144. • For Cisco QuickVPN, you are using the Getting Started (Advanced... user credentials. NOTE Next steps: • If you also must enable Remote Management. Cisco SA500 Series Security Appliances Administration Guide 143 Cisco QuickVPN X-Auth is specific only to Quick VPN. See RMON (Remote Management), page 197. The subnet should be selected when the clients...
Administration Guide
Page 144
... to your network. After the Wizard creates the matching IKE and VPN policies, you can create IKE policies to define the security parameters such as needed. NOTE The VPN Wizard is also an authentication method to protect data and ensure privacy. Cisco SA500 Series Security Appliances Administration Guide 144 You can make changes, as authentication of devices...
Administration Guide
Page 145
...check the box in either Initiator or Responder mode. • Exchange Mode: Choose one of the following options: - Cisco SA500 Series Security Appliances Administration Guide 145 After you must use an IP address as the identifier type, then Main Mode is disabled and Aggressive ... following options: - The IKE Policies window opens. Responder: The security appliance waits passively and responds to edit an entry. Both: The security appliance works in the first column of IKE Policies table. Configuring VPN Advanced Configuration of IKE Policies table. The existing entries appear in...