Administration Guide
Page 3
... About the Default Settings 22 Basic Tasks 23 Changing the Default User Name and Password 23 Backing Up Your Configuration 24 Upgrading the Firmware 24 Common Configuration Scenarios 25 Basic Network Configuration with Internet Access 26 Cisco Smart Business Communications System Configuration 28 Firewall for Controlling Inbound and Outbound Traffic 29 DMZ for Public Websites and Services 29 Configuring ProtectLink Web & Email Security 31 Site-to-Site Networking and Remote Access 31 Wireless Networking 35 Chapter 2: Networking 36 Configuring the WAN Connection 37...
Administration Guide
Page 7
... Policies Configuring SSL VPN for Browser-Based Remote Access Access Options for SSL VPN Security Tips for SSL VPN Elements of the SSL VPN Scenario Step 1: Customizing the Portal Layout Scenario Step 2: Adding the SSL VPN Users Creating the SSL VPN Policies Specifying the Network Resources for SSL VPN Configuring SSL VPN Port Forwarding SSL VPN Tunnel Client Configuration Viewing the SSL VPN Client Portal VeriSign™ Identity Protection configuration Configuring VeriSign Identity Protection Managing User Credentials for VeriSign Service Chapter 8: Administration Users Domains Groups Adding...
Administration Guide
Page 22
... using the device with Internet Access, page 26. • LAN Configuration: By default, the LAN interface acts as a DHCP server for all connected devices. However, you might need to start using Dynamic Host Configuration Protocol (DHCP). If you want to use the Configuration Utility to modify some of all factory default settings, see Scenario 1: Basic Network Configuration with minimal changes needed . About the Default Settings The SA500 Series Security Appliances are pre-configured with Cisco SA500 Series Security Appliances Administration Guide 22 For a full list...
Administration Guide
Page 24
... a saved configuration. You can back up your settings. The User Type and Group cannot be inactive before the login expires. The default password for updates and download if new STEP 2 When the web page opens, download the latest software. For more information, see Upgrading Firmware and Working with Configuration Files, page 176. Getting Started Basic Tasks 1 • User Name: Enter a unique identifier for this account. • Check to Edit Password: Check this new security appliance is cisco. •...
Administration Guide
Page 43
... LAN Configuration page to change these and other devices on the WLAN or LAN network. If you need to be the DHCP server or if you can automatically assign IP addresses and DNS server addresses to your LAN is the equivalent of the router is 192.168.75.1. • By default, the security appliance acts as a Dynamic Host Configuration Protocol (DHCP) server to resolve hostnames. It can use a Windows Internet Naming Service (WINS) server. With DHCP enabled...
Administration Guide
Page 46
... information, see Pinging to a total of 16 VLANs. This page displays the following types of information: • MAC address of the LAN interface • IP address and subnet mask of the connected devices, click LAN > DHCP Leased Clients. Networking Configuring the LAN 2 • To view a list of the interface • DHCP server mode STEP 2 Click Apply to your site, you need a guest network for a data VLAN and a voice VLAN, which allow you can add new VLANs, for up to Test LAN Connectivity, page...
Administration Guide
Page 50
... out of VLANs. The Multiple VLAN Subnets window opens. All data going into port. The Multiple VLAN Subnet Configuration window opens. STEP 3 In the DHCP section of VLAN-aware and VLAN-unaware devices. If you want to associate with this VLAN. STEP 5 Click Apply to a VLAN-aware switch or router. Networking Configuring the LAN 2 General mode is recommended if the port is connected to an unmanaged switch with a mix of the page, choose the DHCP mode: Cisco SA500 Series Security Appliances Administration Guide 50 Trunk mode is...
Administration Guide
Page 57
... primary link, then the security appliance directs all Internet traffic is directed to the backup link. Networking Configuring the Optional WAN 2 • If you are bound to them. Figure 1 Example Dual WAN Ports with your WAN connection, see the Internet Connection, page 217 in Appendix A, "Troubleshooting." Load balancing is connected to use one private. You can designate either the Dedicated WAN port or the Optional WAN port as a backup. To maintain better control of Dual WAN Ports configured with...
Administration Guide
Page 59
... number of retries after which failover is configured in the fields below . - Networking Configuring the Optional WAN 2 When the security appliance is initiated. STEP 4 Click Apply to save your settings. Dedicated WAN: Enter a valid IP address to your ISP: Dedicated WAN or Optional WAN. Optional WAN: Enter a valid IP address to ping from the Dedicated WAN. - Also select the WAN port that you specify in Load Balancing mode, it checks the connection of the DNS servers...
Administration Guide
Page 64
....2.1 is shown on the internal network. DHCP Server: Choose this mode, also enter the IP address of configuration tasks. STEP 1 First configure the Optional port for the domain. If you choose this option to allow the security appliance to act as a DMZ: a. Cisco SA500 Series Security Appliances Administration Guide 64 c. If you are configured to use another DHCP server. - The DMZ Configuration window opens. Networking Configuring a DMZ 2 Configuring the DMZ Settings Follow this option to allow the security appliance to use a DHCP Relay. Also complete the fields...
Administration Guide
Page 78
...The IPv6 WAN Configuration window opens. Networking Configuring IPv6 Addressing 2 IP Routing Mode To get started with stateless autoconfiguration. For more information, see Configuring the IPv6 LAN, page 80. STEP 2 Click IPv4/IPv6 mode to enable IPv6 addressing, or click IPv4 only mode to continue. NOTE Next steps: • To configure the WAN connection, click IPv6 > IPv6 WAN Config. STEP 2 In the Internet(IPv6) Address area, choose Static IPv6 if your settings. Cisco SA500 Series Security Appliances Administration Guide 78 The Routing Mode window opens. STEP 3 Click...
Administration Guide
Page 96
... to enable QoS for this setting to specify the default Class of Profiles table. Cisco SA500 Series Security Appliances Administration Guide 96 STEP 3 Enter the following settings. • QoS Enable: Check this access point. Wireless Configuration for all traffic on MAC Addresses This page allows you want to prioritize the traffic. Used typically to the selected access point. The QoS Configuration window opens. Controlling Wireless Access Based on the access point. • IP DSCP/TOS to Service Mapping: For each MAC address correctly to save your settings. The default is...
Administration Guide
Page 155
... SSL certificates: • Configure a group policy that consists of all users who need Clientless SSL VPN access and enable it is used in the remote host to allow remote users to access the LAN over an encrypted link through a customizable user portal interface. For more information, see RMON (Remote Management), page 197. A SSL VPN client (Active-X or Java based) is installed on the Cisco SA500 Series Security Appliances Administration Guide 155 A web-based (ActiveX or Java) client is installed in place of the SSL VPN, page 156. • Port Forwarding: Port Forwarding service...
Administration Guide
Page 156
... users. • Users: Create your VPN users. Instructions are not going to different resources. If you can use the default domain and group or configure your portal. In addition, you can review the default settings and modify, as the User Type. IMPORTANT: If you must create the portal layouts first. You can modify title, banner heading, banner message, security settings, and access type (VPN tunnel, port forwarding, or both). See Configuring SSL VPN Port Forwarding, page 163. Cisco SA500 Series Security Appliances Administration Guide...
Administration Guide
Page 163
... all ports for multiple remote SSL VPN users. Configuring SSL VPN Port Forwarding Port Forwarding is different from split and full tunnel modes, which allow access only to a limited set of the supported SSL VPN services to identify this resource. STEP 3 Enter the following table lists some common applications and corresponding TCP port numbers: TCP Application FTP Data (usually not needed) FTP Control Protocol SMTP (send mail) Port Number 20 21 25 Cisco SA500 Series Security Appliances Administration Guide 163 Port forwarding is used to easily create and configure SSL VPN...
Administration Guide
Page 173
... create a logical grouping of SSL VPN users that a device can be up to 30 characters. STEP 2 To add a group, click Add in the group. NOTE The group timeout setting is disconnected. STEP 4 Click Apply to edit an entry. To select all users in the List of minutes that share the authentication domain, LAN and service access rules, and idle timeout settings. The user settings have precedence over the settings group settings. Cisco SA500 Series Security Appliances Administration Guide 173 STEP 1 Click Administration > Users > Groups. See Groups...
Administration Guide
Page 198
... password. - Cisco SA500 Series Security Appliances Administration Guide 198 The Remote Management (RMON) window opens. Network Management RMON (Remote Management) 9 STEP 1 Click Network Management > Remote Management. All IP Addresses: If this option is selected, set the following information: • Enable Remote Management?: By default, Remote management is selected, make sure that you change the admin and guest passwords before continuing. • Access Type: Choose the level of the PC given remote management permissions • Port Number: Displays the port number used...
Administration Guide
Page 217
.... Cisco SA500 Series Security Appliances Administration Guide 217 If the PC cannot reach a DHCP server, some versions of your PC. STEP 4 If your IP address has changed and you don't know what it again. STEP 6 Ensure that you are using Internet Explorer, click Refresh to ensure that Java, JavaScript, or ActiveX is , reset the security appliance to the factory default settings (including firewall IP address 192.168.75.1). These autogenerated addresses are using...
Administration Guide
Page 221
..., test the network configuration: • Verify that the Ethernet card driver software and TCP/IP software are installed and configured on the PC. • Verify that sends an ICMP echo-request packet to the designated device. Troubleshooting Pinging to Test LAN Connectivity A Pinging to Test LAN Connectivity Most TCP/IP terminal devices and firewalls contain a ping utility that the IP address for any hub ports that are connected to your security appliance STEP 1 On your PC, click the Windows Start...
Administration Guide
Page 229
... Savings enable Time Date and Time - Protocol NTP Date and Time - Time Zone Pacific Time (US & Canada) DDNS disable HTTP Remote Access enable HTTPS Remote Access enable SNMP - Trusted Peer IP address SNMP Agent disable Cisco SA500 Series Security Appliances Administration Guide 229 D Factory Default Settings General Settings Feature Setting Host Name Model number Device Name Model number Administrator Username cisco Administrator Password cisco Allow ICMP echo replies (good for validating connectivity) disable Date and Time - Automatic Time enable Update...