Summary of Contents for Cisco Small Business Pro SA 520W
ADMINISTRATION GUIDE Cisco Small Business Pro SA 500 Series Security Appliances...
DMZ for Public Web Sites and Services Configuring ProtectLink Web & Email Security Site-to-Site Networking and Remote Access Wireless Networking Chapter 2: Status Device Status Device Status Port Statistics Wireless Statistics for the SA 520W Cisco SA 500 Series Security Appliances Administration Guide...
Configuring Auto-Rollover, Load Balancing, and Failure Detection Configuring the Protocol Bindings for Load Balancing Configuring a DMZ Configuring the DMZ Settings DMZ Reserved IPs DMZ DHCP Leased Clients VLAN Configuration Default VLAN Settings Enabling or Disabling VLAN Support
IPv6 Multi LAN IPv6 Static Routing Routing (RIPng) 6to4 Tunneling IPv6 Tunnels Status ISATAP Tunnels MLD Tunnels Router Advertisement Daemon (RADVD) Configuring Router Advertisement Adding RADVD Prefixes 802.1p Enabling 802.1p 802.1p Mapping
Using Other Tools to Control Access to the Internet Configuring Content Filtering to Allow or Block Web Components Configuring Approved URLs to Allow Access to Websites Configuring Blocked URLs to Prevent Access to Websites
Creating the SSL VPN Policies Specifying the Network Resources for SSL VPN Configuring SSL VPN Port Forwarding SSL VPN Tunnel Client Configuration Viewing the SSL VPN Client Portal VeriSign™ Identity Protection configuration Configuring VeriSign Identity Protection
Local Logging Config IPv6 Logging Remote Logging Logs Facility Managing Certificates for Authentication Configuring RADIUS Server Records Chapter 10: Network Management RMON (Remote Management) SNMP Configuring SNMP Configuring SNMP System Info UPnP Bonjour
Appendix B: Standard Services Appendix C: Technical Specifications and Environmental Requirements Appendix D: Factory Default Settings General Settings Router Settings Wireless Settings Storage Security Settings Appendix E: Where to Go From Here
LAN. • SPEED LED—(Green or Orange) Indicates the traffic rate for the associated port. Off = 10 Mbps, Green = 100 Mbps, Orange = 1000 Mbps.
USB Port—Connects the security appliance to a USB device. You can use a USB device to store configuration files for backup and restore operations. NOTE The back panel of the SA 520W includes three threaded connectors for the antennas.
To place the security appliance on a desktop, install the four rubber feet (included) on the bottom of the security appliance. Place the device on a flat surface.
Getting Started Installation Wall Mounting STEP 1 Insert two 17 mm screws, with anchors, into the wall 15 cm apart (about 5.9 inches). Leave 3-4 mm (about 1/8 inch) of the head exposed.
Each security appliance requires 1 rack unit (RU) of space, which is 1.75 inches (44.45 mm) high. CAUTION Do not overload the power outlet or circuit when installing multiple devices in a rack.
STEP 3 For DSL, a cable modem, or other WAN connectivity devices, connect an Ethernet network cable from the device to the WAN port on the back panel. Cisco strongly recommends using Cat5E or better cable. STEP 4 For network devices, connect an Ethernet network cable from the network device to one of the dedicated LAN ports on the back panel.
PC or laptop. You can access the router by using any web browser (such as Microsoft Internet Explorer or Mozilla Firefox). Connecting to the Configuration Utility STEP 1 Connect your computer to an available LAN port on the back panel of the security appliance.
Safari: Click Continue to proceed, or click Show Certificate. On the Certificate page, click Install the Certificate. Follow the instructions in the Wizard to complete the installation. STEP 4 Enter the default user name and password: • Username: cisco • Password: cisco
STEP 5 Using the Getting Started Pages, page You can use the Cisco Configuration Assistant to launch the Configuration Utility if you are using the security appliance with a CCA-supported device, such as the UC 500. For more information about CCA, see: www.cisco.com/go/configassist.
Started button in the menu bar. • To prevent the Getting Started (Basic) page from appearing automatically after you log in, check the Don’t show this on start-up box at Figure 1 Getting Started (Basic) Page
Getting Started Getting Started with the Configuration Utility Figure 2 Getting Started (Advanced) Page
2. Navigation Tree: Top-level links are indicated by arrows. Click a top-level link to open a list of options. Then click a link in the list to open a page where you can review or modify the configuration.
Help page, click the Help link in the top right corner of the screen. A new window appears with information about the page that you are currently viewing. Figure 4 Help Link Figure 5 Sample Help Screen
The access point is enabled by default. The security profile has Open security and identifies itself to all wireless devices that are in range. These settings make it easy for you to begin using your wireless network.
IP address of 192.168.75.1. You can log on by entering cisco for the username and cisco for the password. You are strongly encouraged to change the default username and password.
STEP 3 In the Upgrade Firmware section of the Getting Started (Basic) page, click the Install the updated firmware link. The Firmware & Configuration (Network) page appears. STEP 4 In the Firmware Upgrade area, click Browse. Find the file that you downloaded.
1. Review the WAN configuration and make any changes that are needed to set up your Internet connection. In the WAN & LAN Connectivity section of the Getting Started (Basic) page, click the WAN settings link. For more information, see Configuring the WAN Connection, page
LAN Settings link. For more information, see Configuring the LAN, page 3. If you are going to use your security appliance with your Cisco Smart Business Communications System (SBCS), install and configure your UC 500. Scenario 8: Cisco Smart Business Communications System Configuration, page 4.
Getting Started Common Configuration Scenarios Scenario 8: Cisco Smart Business Communications System Configuration You can use the security appliance to protect your Cisco Smart Business Communications System network. [Figure: network diagram; labels include Laptop computer, Outside Network, Private Network, Printer, Internet, SA 500, Internet Access Device...]
Translation (NAT), and SIP Application Layer Gateway (SIP-ALG) for your network, disable those functions on the UC 500. For instructions, refer to the documentation or online Help for the Cisco Configuration Assistant (CCA). Scenario 6: Firewall for Controlling Inbound and Outbound Traffic By default, all outbound traffic is allowed and all inbound traffic is denied.
Configuration tasks for this scenario: To start configuring a DMZ, use the links in the DMZ Port section of the Getting Started (Advanced) page. For more information, see Configuring a DMZ, page
Cisco ProtectLink Security services. By using these services, your network is protected from email threats in the Internet “cloud” and web threats in the Cisco security appliance, providing access only to email and websites that are appropriate for your business.
Started (Advanced) page to review and modify the policies that were created by the Wizard. For more information, see Configuring an IPSec VPN Tunnel for Remote Access with a VPN Client, page 153.
Getting Started (Advanced) page to review and modify the policies that were created by the Wizard. For more information, see Configuring an IPSec VPN Tunnel for Remote Access with a VPN Client, page 153.
VPN users. Optionally, you can use other links to configure the policies, client settings, routes, and resources for your SSL VPN. For more information, see Configuring SSL VPN for Browser-Based Remote Access, page 167.
2. Although you can begin using your wireless network right away, you should configure the security settings to protect your network and the data that you transmit. To configure your wireless network, see Chapter 4, “Wireless Configuration for the SA 520W.”
• System Name: The name of the device. • Primary Firmware Version: The version of the firmware that the router is currently using. By default, the router will boot from this version.
NAT: The status of NAT mode for the current operation: enabled or disabled. If NAT is disabled, then the security appliance is in routing mode. • Wan State: The status of the WAN connection: UP or DOWN.
Connection State: Indicates if the optional port is connected or not. • WAN Mode: Indicates whether the WAN mode is set to single port, load balancing or auto rollover mode. • Gateway: The Gateway IP address of the Optional port.
This table indicates cumulative statistics for the radio. • Radio: This is a numerical identification of the radio. • Packets: The number of transmitted/received (tx/rx) wireless packets reported to the radio, over all configured access points.
Poll Interval: Enter a value in seconds for the poll interval. To modify the poll interval, click the Stop button and then click Start to restart the automatic refresh using the specified poll interval.
Stop button and then click Start to restart the automatic refresh using the specified poll interval. • Start: Click to enable the automatic page refresh feature. • Stop: Click to disable the automatic page refresh feature.
Poll Interval: Enter a value in seconds for the poll interval. To modify the poll interval, click the Stop button and then click Start to restart the automatic refresh using the specified poll interval. • Start: Click to enable the automatic page refresh feature.
Stop button and use Start to restart automatic refresh. • Start: Click to enable automatic page refresh feature. • Stop: Click Stop to disable the automatic page refresh feature.
ProtectLink: Displays logs for ProtectLink Gateway and Endpoint services. VPN: Displays IKE and SSL VPN related logs. Firewall: Displays logs related to firewall rules, attacks, and content filtering. Network: Displays routing, DHCP, WAN, LAN and QoS logs.
This shows the status of the recent IPSec VPN activity. • Click Refresh Logs to see the entries added after the page was opened. • Click Clear Logs to delete all entries in the log window.
IP address: The IP Address of the host from which the user accessed the Router. • Login Time: The timestamp of when the user first logged into the Router. • Disconnect: Terminate an active user's session and hence the associated SSLVPN-Tunnel (if any).
CDP Neighbor The Cisco Discovery Protocol (CDP) provides information about other devices that are connected to this device and that support the CDP protocol. The page displays information specific to the device and identifies the network interface of this device on which the neighbor was discovered.
Configuring the LAN • Configuring the Optional WAN • Configuring a DMZ • VLAN Configuration • Routing • Port Management • Bandwidth Profiles • Dynamic DNS • Configuring IPv6 Addressing • 802.1p
User Name: The user name that is required to log in • Password: The password that is required to log in • Secret: Enter the secret phrase to log into the server (if applicable).
• DNS Server Source: DNS servers map Internet domain names (example: www.cisco.com) to IP addresses. You can get DNS server addresses automatically from your ISP or use ISP-specified addresses. Get Dynamically from ISP: Choose this option if you have not been assigned a static DNS IP address.
Port Mode and choose WAN for the port mode. After saving your settings on that page, click Optional Port > WAN to configure the WAN connection. For more information, see Configuring the Optional WAN, page
Click Renew to renew the connection. • Click Release to release the connection. NOTE If you are having problems with your WAN connection, see the Internet Connection, page 217 Appendix A, “Troubleshooting.”
Idle Time in minutes. This choice is recommended if your ISP fees are based on the time that you spend online. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
DHCP request from a DHCP client. • By default, your LAN is configured for IPv4 addressing. If you need to enable IPv6 addressing, see Configuring IPv6 Addressing, page 90 Configuring the IPv6 LAN, page
DHCP Relay: Choose this option to allow the security appliance to use a DHCP Relay. If you choose this mode, also enter the IP address of the Relay Gateway. • Domain Name (optional): Enter a name for the domain.
STEP 5 Click Apply to save your settings, or click Reset to revert to the saved settings. NOTE Next steps: • If you are using the Getting Started (Basic) page, click Getting Started in the menu bar, and then continue with the list of configuration tasks.
MAC address of the LAN interface • IP address and subnet mask of the interface • DHCP server mode STEP 2 Click Apply to save your settings, or click Reset to revert to the saved settings.
STEP 3 Enter the IP address and the MAC address of the device that you want to add. Each reserved IP address should be outside the configured DHCP pool addresses. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
Port, click Set Optional Port to WAN. The Optional Port Mode page appears. b. Choose WAN. c. Click Apply to save your settings, or click Reset to revert to the saved settings.
• My IP Address: Enter the IP address assigned to you by the ISP. • Server IP Address: Enter the IP address of the PPTP, PPPoE, or other server.
• DNS Server Source: DNS servers map Internet domain names (example: www.cisco.com) to IP addresses. You can get DNS server addresses automatically from your ISP or use ISP-specified addresses. Get Dynamically from ISP: Choose this option if you have not been assigned a static DNS IP address.
ISP links, click Optional Port > WAN Mode. For more information, see Configuring Auto-Rollover, Load Balancing, and Failure Detection, page • If you are having problems with your WAN connection, see the Internet Connection, page 217 Appendix A, “Troubleshooting.”
To maintain better control of WAN port traffic, consider making the WAN port Internet addresses public and keeping the other one private. Figure 7 shows an example of Dual WAN Ports configured with Load Balancing.
Load Balancing: Choose this option if you have two ISP links that you want to use simultaneously. After you complete this procedure by clicking the Apply button, you need to configure the protocol bindings. See Configuring the Protocol Bindings for Load Balancing, page
• Failover after: Specify the number of retries after which failover is initiated. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
Configure Protocol Bindings (Optional - if WAN Mode set to Load Balancing). The Protocol Bindings page appears. Any existing protocol bindings appear in the List of Available Protocol Bindings table. STEP 2 Click Add.
DMZ but cannot penetrate the LAN. You should configure your DMZ to include any hosts that must be exposed to the WAN (such as web or email servers).
[Figure: DMZ example. Internet; source address translation between public IP address 209.165.200.225 and 172.16.2.30; SA 500 with DMZ interface 172.16.2.1 and LAN interface 192.168.75.1; web server with private IP address 172.16.2.30 and public IP address 209.165.200.225; LAN users at 192.168.75.10 and 192.168.75.11]
172.16.2.30. The firewall rule specifies an external IP address of 209.165.200.226. Internet users can enter the domain name that is associated with the IP address 209.165.200.226, and they are connected to the web server.
DHCP Server: Choose this option to allow the security appliance to act as a DHCP server and to assign IP addresses to all devices that are connected to the DMZ network. Also complete the fields that are highlighted with white backgrounds.
DMZ. Also use the firewall rule to specify a public IP address for a server on your DMZ, if applicable. To get started, click Firewall on the menu bar. For more information, see Configuring a Firewall Rule for Inbound Traffic, page 125.
Other options: Click Edit to edit an entry. To delete an entry, check the box, and then click Delete. To select all entries in the table, check the box at the left side of the heading row.
LAN port is on a separate VLAN and cannot access other VLANs, unless you enable inter VLAN routing. Refer to the following topics: • Default VLAN Settings • Enabling or Disabling VLAN Support • Creating VLAN IDs • Assigning VLANs to LAN Ports
IP Address: 10.1.1.1 IP Address Distribution: DHCP Server Start IP Address: 10.1.1.50 End IP Address: 10.1.1.254 Subnet Mask: 255.255.255.0
After you click Add or Edit, the VLAN Configuration page appears. STEP 3 Enter the following information: • Name: Enter a descriptive name, for reference. • ID: Enter a unique identification number, which can be any number from 2 to 4091.
Access mode is recommended if the port is connected to a single end-user device which is VLAN unaware. If you choose this option, also enter a VLAN ID for the port, in the PVID field.
> Available VLANs page appear in the List of available Multiple VLAN Subnets table. The Multiple VLAN Subnet Configuration page appears. STEP 2 In the Multiple VLAN Subnet section of the page, enter the following settings:
STEP 5 In the LAN Proxies section, check the Enable DNS Proxy box to allow the VLAN to act as a proxy for all DNS requests and to communicate with the DNS servers of...
IP address range while the WAN port on the router is configured with a single public IP address. Along with connection sharing, NAT also hides internal IP addresses from the computers on the Internet.
Active: Check this box to activate the route, or clear the box to deactivate a route that is not in use but that you do not want to delete. An inactive route is not broadcast if Routing Information Protocol (RIP) is enabled.
Both: The router both broadcasts its routing table and also processes RIP information received from other routers. Out Only: The router broadcasts its routing table periodically but does not accept RIP information from other routers.
Not Valid After: End date of the First Key for MD5 based authentication between routers. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
This feature may be useful for debugging or for traffic monitoring by an external application. You can choose one LAN port to monitor the traffic on all other LAN ports.
The traffic selector identifies the stream of traffic, which will then be subject to the specified bandwidth control.
Minimum Bandwidth Rate and the Maximum Bandwidth Rate. • Choose the interface to which this bandwidth profile is applicable. STEP 5 Click Apply to save your settings, or click Reset to revert to the saved settings.
Then enter the IP Address, MAC Address, Port Name, or VLAN, based on the chosen match type. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
DynDNS and keep the subscription active after the 30 day trial. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
To configure the WAN connection, click IPv6 > IPv6 WAN Config. For more information, see Configuring the IPv6 WAN Connection, page • To configure the LAN, click IPv6 > IPv6 LAN Config. For more information, Configuring the IPv6 LAN, page
Stateful Address Auto Configuration: If you choose this option, the security appliance connects to the DHCPv6 server at the ISP to obtain a leased address. STEP 5 Click Apply to save your settings, or click Reset to revert to the saved settings.
DHCP server that dynamically assigns IP addresses to all connected devices, click Enable DHCPv6 Server, and then complete all fields that are highlighted with white backgrounds.
Router Advertisement Daemon (RADVD). For more information, see Router Advertisement Daemon (RADVD), page 101. • If you want to configure the LAN address pools, click IPv6 > IPv6 Address Pools. For more information, see IPv6 LAN Address Pools, page
All hosts in the network have the identical initial bits for the IPv6 address. The number of common initial bits in the addresses is set by the prefix length field.
IPv6 address. The number of common initial bits in the addresses is set by the prefix length field. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
15. If multiple routes to the same destination exist, the security appliance chooses the route with the lowest metric. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
WAN IPv4 network, and vice versa. You should enable this feature if you have an end site or end user that needs to connect to the IPv6 Internet using the existing IPv4 network.
Other options: Click the Edit button to edit an entry. To delete an entry, check the box and then click Delete. To select all entries in the table, check the box at the left side of the heading row.
Enter a higher value if a link is expected to be lossy. The default value is 2. The minimum value of Robustness Variable is 2 and maximum value is 8.
• Advertise Mode: Choose one of the following modes: Unsolicited Multicast: Choose this option to send router advertisements to all interfaces belonging to the multicast group. Also enter the Advertise Internal.
The Advertisement Prefixes page appears. Any existing prefixes appear in the List of Prefixes to Advertise table. STEP 2 To add a prefix to the table, click Add.
Prefix Lifetime: Enter the maximum number of seconds that the requesting router is allowed to use the prefix. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
STEP 2 For each 802.1p priority value (Priority 0, Priority 1, and so on), use the drop-down list to choose the corresponding queue: Lowest, Low, Medium or High. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings.
STEP 2 For each 802.1p priority value (Priority 0, Priority 1, and so on), enter a priority value. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings.
A wireless profile specifies the security settings. Optionally, you can configure advanced wireless settings, QoS settings, and MAC filtering. After you configure a wireless profile, you can assign it to any access point. NOTE Cisco strongly recommends WPA2 for wireless security. Other security modes are vulnerable to attack.
To protect your information as it is transmitted over the airwaves, you should enable the highest level of encryption supported by your network equipment.
WEP Key boxes. The length of the key should be 5 ASCII characters (or 10 hex characters) for 64-bit WEP and 13 ASCII characters (or 26 hex characters) for 128-bit WEP.
The Profiles page appears. The existing profiles appear in the List of Profiles table. STEP 2 Find the profile that you want to edit, and click the button in the Adv Config column.
IP data is sent to this queue. • Background: Lowest priority queue, high throughput. Bulk data that requires maximum throughput and is not time-sensitive is typically sent to this queue (FTP data, for example).
IMPORTANT: Any time that you add or delete addresses from the MAC Address table, click the Apply button to save your settings. The policy applies only to the addresses that are in the table when you click Apply.
Deny: All of the devices in the MAC Address table are prevented from using this access point. All other devices are allowed access. STEP 6 Click Apply to save your settings, or click Reset to revert to the saved settings.
SSID: Specify the Service Set Identifier, or network name, that clients use to connect to the access point. It is a good practice to replace the default SSID with a unique identifier.
Country: Choose a country from the drop-down list of countries. This list is populated according to the region selected. This impacts the available Wi-Fi™ channels as determined by wireless authorities in the corresponding country/region.
Default Transmit Power: Enter a value in dBm as the default transmitted power level for all APs that use this radio. The default is 20 dBm. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings.
Preamble mode: 802.11b requires that a preamble be appended to every frame before it is transmitted through the air. The preamble can be either the traditional long preamble, which requires 192 μs for transmission, or it can be...
Retries are used for both long and short frames, of size less than or equal to the RTS threshold. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings.
Direction of the traffic • Days of the week and times of day • Keywords in a domain name or on a URL of a web page • MAC addresses of devices • Port triggers Cisco SA 500 Series Security Appliances Administration Guide...
Services.”) If you need to configure a firewall rule for a service that is not on the standard list, first you must identify the service by entering a name, specifying the type, and assigning the port range. Cisco SA 500 Series Security Appliances Administration Guide...
Page 120
Weekend that is active all day on Saturday and Sunday. For more information about the time settings for your security appliance, see Configuring the Time Settings, page 199.
Page 121
STEP 2 To add IP Aliases, click Add. STEP 3 Choose the WAN interface from the Interface drop-down menu. This is the interface where you will add the IP address to.
This procedure explains how to configure a firewall rule for the following traffic flows: • From the LAN to the WAN • From the LAN to the DMZ • From the DMZ to the WAN For examples, see Firewall Rule Configuration Examples, page 129.
Page 123
• To Zone: For an outbound rule, choose INSECURE (WAN) if the traffic is going to the Internet, or choose DMZ if the traffic is going to a server on your DMZ.
Page 124
QoS Priority: You can use this rule to prioritize traffic. Each priority level corresponds to a Term of Service (ToS) value. Normal-Service: ToS=0 (lowest QoS) Minimize-Cost: ToS=1 Maximize-Reliability: ToS=2 Maximize-Throughput: ToS=4 Minimize-Delay: ToS=8 (highest QoS)
NOTE In addition to configuring firewall rules, you can use the following methods to control inbound traffic: • You can prevent common types of attacks. For more information, see Configuring Attack Checks, page 133.
Page 126
LAN, or choose DMZ if the traffic is going to a server on your DMZ. If the From Zone is the WAN, the To Zone can be the public DMZ or secure LAN.
Page 127
Destination NAT Settings area: • Internal IP Address: Enter the IP address of the server that is hosting the service. • Enable Port Forwarding: Check the box to forward traffic to a particular port.
STEP 2 To view the list of rules belonging to the same group, choose the source and destination from the From Zone and To Zone drop-down menus and click Display Rules. Only the rules for the specified security zones appear.
HTTP requests from any outside IP address. The inbound traffic is addressed to your WAN IP address but is directed to a web server. Solution: Create an inbound rule as follows: Parameter Value From Zone Insecure (WAN1) To Zone Service HTTP Action ALLOW always
Page 130
IP addresses (132.177.88.2 - 132.177.88.254). Solution: Create an inbound rule as shown below. In the example, connections for CU-SeeMe (an Internet video-conferencing client) are allowed only from a specified range of external IP addresses.
Page 131
IP address range of 10.1.1.1 to 10.1.1.100. Parameter Value From Zone Secure (LAN) To Zone INSECURE (Dedicated WAN/Optional WAN) Service HTTP Action BLOCK by schedule Schedule Weekend Source Hosts Address Range From 10.1.1.1
• Configuring Attack Checks • Configuring MAC Filtering to Allow or Block Traffic • Configuring IP/MAC Binding to Prevent Spoofing • Configuring a Port Triggering Rule to Direct Traffic to Specified Ports
• Block Ping to WAN interface: Check this box to prevent attackers from discovering your network through ICMP Echo (ping) requests. Cisco recommends that you uncheck this box only if you need to allow the security appliance to respond to pings for diagnostic purposes.
STEP 1 navigation tree. The Source MAC Filter page appears. Before you can add any addresses to the table, you must check the box to enable MAC filtering, and then click Apply.
LAN IP addresses or IP address ranges. In addition, the ports are not left open when they are not in use, thereby providing a level of security that static port forwarding does not offer.
STEP 5 In the Incoming (Response) Port Range area, enter the Start Port and End Port to specify the incoming port range for this rule. STEP 6 Click Apply to save your settings, or click Reset to revert to the saved settings.
ACK packet. Under normal circumstances, a session is allowed to remain in the half-open state for 10 seconds. The maximum value can range between 0 and 3,000. The default is 1,024 sessions.
Configuring Content Filtering to Allow or Block Web Components • Configuring Approved URLs to Allow Access to Websites • Configuring Blocked URLs to Prevent Access to Websites • Configuring IP/MAC Binding to Prevent Spoofing
Cookies: For added security, check this box to block cookies, which typically contain session information. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
STEP 5 Click Apply to save your settings, or click Reset to revert to the saved settings.
URL, then your users are prevented from accessing websites such as www.yahoo.com, tw.yahoo.com, www.yahoo.com.uk, and www.yahoo.co.jp. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
Status on the menu bar, and then clicking View Log > View All Logs in the navigation tree. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
If this feature is disabled, the router will not allow incoming calls to the UAC (User Agent Client) behind the router. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings.
You configure IPS from the IPS Setup page. From this page you can enable IPS for the security zone you want to protect (LAN or DMZ), update the IPS signatures, and view the IPS status.
Page 145
• Manual Signature Updates: To manually update the latest signature file, click the Cisco.com link to obtain the file and download it to your computer. Browse to the location of the signature file on the local PC and then click Upload.
Disabled: Choose this option to disable inspection checking for this protocol. • Detect Only: Choose this option to check for attacks on this protocol and to log a message upon detection. This option is mostly used for troubleshooting purposes.
For IPS messages to be logged, you must configure IPS as the facility. For more information, see Logs Facility, page 204. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings.
Using Cisco ProtectLink Security Services The SA 500 Series supports Cisco ProtectLink Security Services. These services provide layers of protection against different security threats on your network. • Cisco ProtectLink Web provides all users with Web threat protection to prevent access to dangerous websites and URL filtering to control employee access to non-business related websites.
Remote Access with a Web Browser: A remote worker uses a web browser to initiate a VPN tunnel to access the available services on the corporate network. See Configuring SSL VPN for Browser-Based Remote Access, page 167.
—OR—From the Getting Started (Advanced) page, under Site-to-Site VPN, click VPN Wizard. The VPN Wizard page appears. STEP 2 In the About VPN Wizard area, choose Site-to-Site to create a site-to-site VPN tunnel from the security appliance to another VPN gateway.
Page 151
STEP 5 In the Secure Connection Remote Accessibility area, enter the following information about the LAN at the remote site: • Remote LAN IP Address: Enter the IP address of the remote LAN.
Page 152
For more information, see Configuring the IKE Policies for IPSec VPN, page 157. • To configure IPSec passthrough, click IPSec > Passthrough. For more information, see Configuring IPSec Passthrough, page 166.
[Figure: network diagram; labels: Inside, Outside, Internet, network 10.10.10.0, WINS Server 10.10.10.133, Personal Computer Using VPN Software Client] NOTE For information about the VPNC recommendations, visit the following website: www.vpnc.org/vpn-standards.html
Page 154
Then enter that address or name in the Local WAN’s IP Address or Internet Name field. STEP 5 Click Apply to save your settings, or click Reset to revert to the saved settings.
If you are using IPSec VPN for remote access by remote workers, use this page to manage the users (both XAUTH and Cisco QuickVPN). The VPN gateway authenticates the users in this list when XAUTH is used in an IKE policy.
Page 156
Quick VPN. This option should be selected when the clients use QuickVPN Client. • Allow user to change password?: If you chose Cisco QuickVPN for the Remote Peer Type, you can check this box to allow the user to change the password.
Optionally, review and modify the default settings and policies. See Advanced Configuration of IPSec VPN, page 157. • For Cisco QuickVPN, you also must enable Remote Management. See RMON (Remote Management), page 210. Advanced Configuration of IPSec VPN The following topics are helpful for users who want to review and modify the settings that are created by the VPN Wizard.
Page 158
In Aggressive Mode there are fewer key exchanges between the initiator and the receiver. Both sides exchange information even before there is a secure channel. This feature creates a faster connection but with less security than Main Mode.
Page 159
Authentication Algorithm: Specify the authentication algorithm for the VPN header. There are five algorithms supported by this router: MD5, SHA-1, SHA2-256, SHA2-384 and SHA2-512. NOTE Ensure that the authentication algorithm is configured identically on both sides.
Page 160
In this mode, the security appliance acts as a VPN Client of the remote gateway. If you choose this option, also enter a Username and Password.
NOTE Before you create an Auto Policy, first create an IKE policy. Then you can apply the IKE policy on this page. For more information, see Configuring the IKE Policies for IPSec VPN, page 157.
Page 162
Remote End Point: Choose to identify the remote end point by the IP address or the Internet Name/FQDN of the remote gateway or the client PC. Also enter the IP address or the Internet Name/FQDN in the field below the drop-down list.
Page 163
8 characters. For example: 0a1234. • Encryption Algorithm: Choose the algorithm that is used to encrypt the data. • Key-In: Enter the encryption key of the inbound policy. • Key-Out: Encryption key of the outbound policy.
Page 164
Kilobytes: If you specify the SA Lifetime in kilobytes, the SA is renegotiated after the specified number of kilobytes of data is transferred over the original SA. The minimum value is 300 seconds or 1920000 KB.
Page 165
2. The DPD should be enabled. 3. The Direction should be either initiator or both. 4. The XAuth configuration should be None or IPSec Host. 5. The policy should be Gateway only, not client.
Page 166
STEP 2 Check the box for each type of traffic that you want to allow to pass through the VPN tunnel. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings.
NT/Active Directory and FTP file shares • E-mail proxies, including POP3S, IMAP4S, and SMTPS • MS Outlook Web Access • MAPI • Applications (that is, port forwarding for access to other TCP-based applications)
To do this, you could restrict the user from accessing general content on the Internet. Then, you could configure links to specific targets on the internal network that you want users of Clientless SSL VPN to be able to access.
Port Forwarding: You can configure port forwarding to allow access to a limited set of resources. For example, you may want the SSL VPN users to access the email service only. See Configuring SSL VPN Port Forwarding, page 176.
URL. The browser displays a login page with several features that you can configure: 1. Portal Site Title 2. Banner Title 3. Banner Message Figure 12 Configurable Areas of the SSL VPN Portal Layout
Page 171
• ActiveX web cache cleaner: Check this box to load an ActiveX cache control whenever users log in to this SSL VPN portal.
The User page appears. The default Administrator and Guest users appear in the List of Users table, along with any new users that you add. STEP 2 To add a user, click Add.
You can create user, group, and global policies. Policies are applied based on the following levels of precedence: • User-level policies take precedence over Group-level policies. • Group-level policies take precedence over Global policies.
Page 174
Policy For: Choose the type of policy: Global, Group, or User. If you choose Group, also choose the group from the Available Groups list. If you choose User, also choose the user from the Available Users list.
Page 175
STEP 6 Click Apply to save your settings, or click Reset to revert to the saved settings. NOTE Next steps: Enable Remote Management (RMON), if you have not done so previously. If RMON is disabled, SSL VPN access is blocked. See RMON (Remote Management), page 210.
The following table lists some common applications and corresponding TCP port numbers: TCP Application Port Number FTP Data (usually not needed) FTP Control Protocol SMTP (send mail)
Page 177
TCP Port Number: Enter the port number of the TCP application that enables port forwarding. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
“network adapter” with an IP address from the corporate subnet, DNS and WINS settings is automatically created. This feature allows access to services on the private network without any special network configuration on the remote SSL VPN client machine.
Page 179
Client Routes for Split Tunnel Mode, page 180. • DNS Suffix (Optional): Enter the DNS Suffix for this client. • Primary DNS Server (Optional): Enter the IP address of the primary DNS Server for this client.
Page 180
Destination Network using this page. NOTE You can configure client routes only if Split Tunnel support is enabled on the SSL VPN Client page. See Configuring the SSL VPN Client, page 179.
Port Forwarding information page appears. The user can click the Launcher icon to connect to the remote servers. • Change Password: The user can click this link to change his or her password.
VIP Production: Choose this option if you have purchased VeriSign service. The service will use VIP production servers to authenticate your users. c. Click Apply to save your settings, or click Reset to revert to the saved settings.
Only available users are shown in the user list. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
To enable the account, edit the User Login Policies. See Adding or Editing User Login Policies, page 188. • SSL VPN: An SSL VPN account, which allows access to the services specified in the SSL VPN configuration.
When you create a domain, a group is created automatically. It has the same name as the domain and is associated with the domain. To edit the group settings, see Groups, page 186.
Adding or Editing User Settings The users are part of a group which in turn is a part of an authenticating domain. NOTE Before you configure users, configure the groups. See Groups, page 186.
Page 187
Enter any value from 0 to 999. The timeout value for the individual user has precedence over the timeout for the group. If you want to ensure that the group’s timeout settings are used, set this value to 0.
To delete a browser, check the box, and then click Delete. • User Login Policy By IP Address: Click the third button in the Edit User Policies column. When the User Policy By Source IP Address page appears, enter the following information:
For the SA 540 model, a free upgrade to 50 seats is available. You must download a license key from Cisco to enable these seats. To obtain the license key, click the Upgrade to 50 Seats link on the License Management page.
Page 190
Status: Shows if the license is installed or not installed. Licenses cannot be transferred or revoked once they are installed. • Seats Available: Current number of licenses installed. • Expiration: Date on which the license expires shown in MM/DD/YYYY format. For example: 04/23/2010.
Page 191
Installation License Type License Code (PAK) from cisco.com: Automatically retrieves and installs the license on the device from the Cisco server. To use this option, enter your PAK ID and Cisco.com username and password. These credentials are required for the device to authenticate to the Cisco server.
Cisco.com. See http://www.cisco.com/en/US/products/ps9932/tsd_products_support_series_home.html. If a firmware upgrade is available, select one of the following: Upload: Check this option to upgrade the firmware.
Page 193
Check for New Firmware & Download: Check Periodically: Check this option to automatically check for firmware updates on a daily basis (every 24 hours). Enter your Cisco User Name and Password and click Apply to save your settings. If new firmware is available it is automatically downloaded to your device and you are prompted to install it.
5. Do NOT remove or unmount the USB device. STEP 1 Click Administration on the menu bar, and then click Firmware & Configuration > USB in the navigation tree. The Firmware & Configuration (USB) page appears.
Page 195
Status > Device Status. The Firmware Version (Primary) should be the same as the version that you attempted to install. If the upgrade was unsuccessful, see Appendix A, “Troubleshooting.” • Reboot: Click Reboot if it is necessary to reboot the router.
To test connectivity between the security appliance and a connected device on the network, enter the IP Address of the device and then click Ping. The results appear in the Command Output page. Click Back to return to the Diagnostics page.
The security appliance will keep a record of the volume of traffic going from this interface. You also can configure the security appliance to place a restriction on the volume of data being transferred.
Page 198
Send E-mail Report before restarting counter: Choose this option to send an email report before the traffic counter is restarted. The email is sent to the address configured in the Logging section, if logging is enabled. See Remote Logging, page 203.
Time, and with which Network Time Protocol (NTP) server to synchronize the date and time. The security appliance then gets its date and time information from the NTP server. Please follow the steps below to configure NTP and time settings:
Page 200
STEP 1 Click Administration on the menu bar, and then click Time Zone in the navigation tree. The Time Zone page appears.
MAC filtering. NOTE Enabling logging options can generate a significant volume of log messages and is recommended for debugging purposes only.
Accepted Packets: This logs packets that were successfully transferred through the segment. This option is useful when the Default Outbound Policy is “Block Always” (see the Firewall Rules page under the Firewall menu).
The log identifier is added to email and syslog messages. STEP 3 In the Enable E-Mail Logs area, enter the following information: • Enable E-Mail Logs: Check this box to enable email logs.
A variety of events can be captured and logged for review. These logs can be sent to a syslog server or emailed to a specified address. You can also specify which system messages are logged based on the facility that generated the message and its severity level.
Page 205
STEP 3 Check the box for each event that you want to display in the local log or to send to the syslog server. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
The Certificate Signing Request table lists the name of the certificates you request and the certificate status.
Page 207
CSR. To include more than one subject field, enter each subject separated by a comma. For example: CN=hostname.domain.com, ST=CA, C=USA • Hash Algorithm: Algorithm used by the certificate. Choose between MD5 and SHA-1
Secret: Enter the shared key that is configured on the Radius server. The Secret can contain all characters except for single quote, double quote and space. • Timeout: Enter the number of seconds that the connection can exist before re-authentication is required.
Page 209
Retries: Enter the number of retries for the device to re-authenticate with the Radius server. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings.
STEP 1 Click Network Management on the menu bar, and then click Remote Management in the navigation tree. The Remote Management (RMON) page appears.
STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings. Cisco Discovery Protocol (CDP) is a device discovery protocol that runs on all Cisco manufactured equipment. Each CDP-enabled device sends periodic messages to a multicast address and also listens to the periodic messages sent by others in order to learn about neighboring devices and determine the status of these devices.
Configuring SNMP STEP 1 Click Network Management on the menu bar, and then click SNMP > SNMP in the navigation tree. The SNMP page appears. STEP 2 To add an entry, click Add.
SysLocation: The physical location of the security appliance. • SysName: A name given for easy identification of the security appliance. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings.
This is the number of steps a packet is allowed to propagate before being discarded. Small values will limit the UPnP broadcast range. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings.
The default services will only be visible to the hosts belonging to the associated VLANs. By default, LAN/Default-VLAN is the broadcasting domain. STEP 3 Click Apply to add the VLAN, or click Reset to revert to the previous settings.
Page 216
The VLAN associated to the service appears in the List of VLANs table. To dissociate the VLAN from the service, check the box next to the appropriate VLAN and click Delete.
STEP 6 Ensure that you are using the correct login information. The factory default login name is cisco and the password is cisco. Ensure that CAPS LOCK is off when entering this information.
Page 218
STEP 4 When the modem LEDs indicate that it has resynchronized with the ISP, reapply power to the security appliance. If the security appliance still cannot obtain an ISP address, see the next symptom.
Page 219
STEP 1 Ask your ISP for the addresses of its designated Domain Name System (DNS) servers. Configure your PC to recognize those addresses. For details, see your operating system documentation. STEP 2 On your PC, configure the security appliance to be its TCP/IP gateway.
STEP 1 Click Administration on the menu bar, and then click Time Zone in the navigation tree. STEP 2 Check or uncheck Automatically adjust for Daylight Savings Time. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings.
Verify that the Ethernet card driver software and TCP/IP software are installed and configured on the PC. • Verify that the IP address for the security appliance and PC are correct and on the same subnet.
Page 222
MAC address of just a single PC connected to that modem. If this is the case, configure your firewall to clone or spoof the MAC address from the authorized PC. For more information, see Configuring the WAN Connection, page
After a restore to factory defaults, the following settings apply: • LAN IP address: 192.168.75.1 • Username: cisco • Password: cisco • DHCP server on LAN: enabled • WAN port configuration: Get configuration via DHCP
1 X USB connector for USB 2.0 • 3 X external antennas Operating Temperature 32 to 104ºF (0 to 40ºC) 32 to 104ºF (0 to 40ºC) 32 to 104ºF (0 to 40ºC)
Page 228
(H x W x D) Antenna adds approximately 6-3/4 inches (171 mm) to height and 1-2/8 inches (30 mm) to depth. Weight (with Power Supply) 4.91 lb 5.15 5.14 lb
Date and Time - Time Zone Pacific Time (US & Canada) DDNS disable HTTP Remote Access enable HTTPS Remote Access enable Secure Telnet over SSL enable (if applicable) SNMP - Trusted Peer IP address
Page 230
Changes Email Server Requires Authentication disable Cisco Discovery Protocol enabled on LAN / disabled on WAN port Bonjour enabled on LAN / disabled on WAN port UPnP disable Radius Server Port 1812
VLAN - Data, IP Address (Failover when no DHCP Server Available) See Product Tab VLAN - Data, Subnet Mask (Failover when no DHCP Server Available) 255.255.255.0 VLAN - Data, Name (optional) Data VLAN
Page 235
Radio disabled 802.1x supplicant disabled Clustering of Access Points - unique to AP54x disabled Broadcast / Multicast Rate Limiting disabled Broadcast / Multicast Rate Limit 50pps Multicast traffic rate per radio auto
Where to Go From Here Cisco provides a wide range of resources to help you and your customer obtain the full benefits of the SA 500 Series Security Appliances. Product Resources Support Cisco Small Business www.cisco.com/go/smallbizsupport Support Community Cisco Small Business www.cisco.com/go/smallbizhelp...
Page 241
Cisco Small Business Cisco Partner Central for Small Business (Partner Login Required) www.cisco.com/web/partners/sell/smb Cisco Small Business Home www.cisco.com/smb