GemTek Technology ISA570 Cisco ISA570 Integrated Security Appliance with WiFi User Manual shiner admin guide

Gemtek Technology Co., Ltd. Cisco ISA570 Integrated Security Appliance with WiFi shiner admin guide

User Manual

Download: GemTek Technology ISA570 Cisco ISA570 Integrated Security Appliance with WiFi User Manual shiner admin guide
Mirror Download [FCC.gov]GemTek Technology ISA570 Cisco ISA570 Integrated Security Appliance with WiFi User Manual shiner admin guide
Document ID1477211
Application IDyJdOu6hUckSCx6TMa1q7FQ==
Document DescriptionUser Manual
Short Term ConfidentialNo
Permanent ConfidentialNo
SupercedeNo
Document TypeUser Manual
Display FormatAdobe Acrobat PDF - pdf
Filesize446.86kB (5585777 bits)
Date Submitted2011-06-03 00:00:00
Date Available2011-11-30 00:00:00
Creation Date2011-05-23 09:31:31
Producing SoftwareAcrobat Distiller 9.4.2 (Windows)
Document Lastmod2011-05-27 14:42:13
Document Titleshiner_admin_guide.book
Document CreatorFrameMaker 8.0
Document Author: chaoqima

ADMINISTRATION
GUIDE
Cisco Small Business
ISA500 Series Integrated Security Appliance
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found
at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply
a partnership relationship between Cisco and any other company. (1005R)
© 2011 Cisco Systems, Inc. All rights reserved.
OL-23370-01
Federal Communication Commission Interference Statement
(For ISA570 and ISA570W)
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant
to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful
interference when the equipment is operated in a commercial environment. This equipment generates,
uses, and can radiate radio frequency energy and, if not installed and used in accordance with the
instruction manual, may cause harmful interference to radio communications. Operation of this
equipment in a residential area is likely to cause harmful interference in which case the user will be
required to correct the interference at his own expense.
(For ISA550 and ISA550W)
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant
to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful
interference in a residential installation. This equipment generates, uses and can radiate radio frequency
energy and, if not installed and used in accordance with the instructions, may cause harmful interference
to radio communications. However, there is no guarantee that interference will not occur in a particular
installation. If this equipment does cause harmful interference to radio or television reception, which
can be determined by turning the equipment off and on, the user is encouraged to try to correct the
interference by one of the following measures:
•
Reorient or relocate the receiving antenna.
•
Increase the separation between the equipment and receiver.
•
Connect the equipment into an outlet on a circuit different from that to which the receiver is
connected.
•
Consult the dealer or an experienced radio/TV technician for help.
FCC Caution: Any changes or modifications not expressly approved by the party responsible for
compliance could void the user's authority to operate this equipment.
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two
conditions: (1) This device may not cause harmful interference, and (2) this device must accept any
interference received, including interference that may cause undesired operation.
IMPORTANT NOTE:
FCC Radiation Exposure Statement: (For ISA550W and ISA570W)
This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment.
This equipment should be installed and operated with minimum distance 20cm between the radiator &
your body.
This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.
The availability of some specific channels and/or operational frequency bands are country dependent
and are firmware programmed at the factory to match the intended destination. The firmware setting is
not accessible by the end user.
Industry Canada statement:
This device complies with RSS-210 of the Industry Canada Rules. Operation is subject to the following
two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any
interference received, including interference that may cause undesired operation.
OL-23370-01
Ce dispositif est conforme à la norme CNR-210 d'Industrie Canada applicable aux appareils radio
exempts de licence. Son fonctionnement est sujet aux deux conditions suivantes: (1) le dispositif ne doit
pas produire de brouillage préjudiciable, et (2) ce dispositif doit accepter tout brouillage reçu, y compris
un brouillage susceptible de provoquer un fonctionnement indésirable.
IMPORTANT NOTE:
Canada Radiation Exposure Statement: (For ISA550W and ISA570W)
This equipment complies with Canada radiation exposure limits set forth for an uncontrolled
environment. This equipment should be installed and operated with minimum distance 20cm between
the radiator and your body.
NOTE IMPORTANTE: (Pour l'utilisation de dispositifs mobiles)
Déclaration d'exposition aux radiations:
Cet équipement est conforme aux limites d'exposition aux rayonnements IC établies pour un
environnement non contrôlé. Cet équipement doit être installé et utilisé avec un minimum de 20 cm de
distance entre la source de rayonnement et votre corps.
This device has been designed to operate with an antenna having a maximum gain of 1.8 dBi. Antenna
having a higher gain is strictly prohibited per regulations of Industry Canada. The required antenna
impedance is 50 ohms.
Under Industry Canada regulations, this radio transmitter may only operate using an antenna of a type
and maximum (or lesser) gain approved for the transmitter by Industry Canada. To reduce potential radio
interference to other users, the antenna type and its gain should be so chosen that the equivalent
isotropically radiated power (e.i.r.p.) is not more than that necessary for successful communication.
(Le manuel d'utilisation de dispositifs émetteurs équipés d'antennes amovibles doit contenir les
informations suivantes dans un endroit bien en vue:)
Ce dispositif a été conçu pour fonctionner avec une antenne ayant un gain maximal de 1.8 dBi. Une
antenne à gain plus élevé est strictement interdite par les règlements d'Industrie Canada. L'impédance
d'antenne requise est de 50 ohms.
Conformément à la réglementation d'Industrie Canada, le présent émetteur radio peutfonctionner avec
une antenne d'un type et d'un gain maximal (ou inférieur) approuvé pourl'émetteur par Industrie Canada.
Dans le but de réduire les risques de brouillage radioélectriqueà l'intention des autres utilisateurs, il faut
choisir le type d'antenne et son gain de sorte que lapuissance isotrope rayonnée équivalente (p.i.r.e.) ne
dépasse pas l'intensité nécessaire àl'établissement d'une communication satisfaisante.
UL/CB
Rack Mount Instructions - The following or similar rack-mount instructions are included with the
installation instructions:
A) Elevated Operating Ambient - If installed in a closed or multi-unit rack assembly, the operating
ambient temperature of the rack environment may be greater than room ambient. Therefore,
consideration should be given to installing the equipment in an environment compatible with the
maximum ambient temperature (Tma) 40 degree C specified by the manufacturer.
B) Reduced Air Flow - Installation of the equipment in a rack should be such that the amount of air flow
required for safe operation of the equipment is not compromised.
C) Mechanical Loading - Mounting of the equipment in the rack should be such that a hazardous
condition is not achieved due to uneven mechanical loading.
OL-23370-01
D) Circuit Overloading - Consideration should be given to the connection of the equipment to the supply
circuit and the effect that overloading of the circuits might have on overcurrent protection and supply
wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this
concern.
OL-23370-01
6
OL-23370-01
Contents
Chapter 1: Getting Started
12
Introduction
12
Feature Overview
13
Device Overview
14
Front Panel
14
Back Panel
17
Installation
18
Before You Begin
19
Installation Options
19
Placement Tips
19
Wall Mounting
20
Rack Mounting
21
Hardware Installation
22
Getting Started with the Configuration Utility
23
Launching the Configuration Utility
23
Navigating Through the Configuration Utility
24
Using the Help System
25
Using the Management Buttons
25
About the Default Settings
25
Performing Common Configuration Tasks
27
Changing the User Name and Password of the Default Administrator Account
at Your First Login
27
Saving Your Configuration
28
Upgrading the Firmware if needed
29
Resetting the Device
30
Chapter 2: Wizards
32
Using the Startup Wizard
32
Using the Wireless Wizard to Configure the Wireless Settings for ISA550W and
ISA570W
40
Using the Wireless Wizard to Configure the Wireless Settings
41
Configuring the SSID for Intranet WLAN Access
43
Configuring the SSID for Guest WLAN Access
44
Configuring the SSID for Guest WLAN Access (Captive Portal)
45
Cisco ISA500 Series Integrated Security Appliance Administration Guide
Contents
Using the DMZ Wizard to Configure the DMZ Settings
46
Using the DMZ Wizard to Configure the DMZ Settings
47
Configuring the DMZ
48
Configuring the DMZ Services
49
Using the Dual WAN Wizard to Configure the WAN Redundancy Settings
51
Using the Site-to-Site Wizard to Establish the Site-to-Site VPN Tunnels
53
Using the Site-to-Site Wizard to Establish the Site-to-Site VPN tunnel
53
Configuring the IKE Policies
55
Configuring the Transform Policies
57
Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN
Tunnels for Remote Access
58
Using Cisco IPSec VPN to Establish the IPSec VPN Tunnels
58
Configuring the Cisco IPSec VPN User Groups
63
Using SSL VPN to Establish the SSL VPN Tunnels
63
Configuring the SSL VPN Group Policies
66
Configuring the SSL VPN User Groups
69
Chapter 3: Status
70
System Status
70
Interface Status
74
ARP Table
74
DHCP Pool Assignment
75
Interface
75
Interface Statistics
77
Wireless Status for ISA550W and ISA570W
79
Wireless Status
80
Client Status
81
Active Users
81
VPN Status
81
IPSec VPN Status
82
SSL VPN Status
83
Reports
85
Reports of Event Logs
86
Reports of WAN Bandwidth
87
Reports of Security Services
87
Cisco ISA500 Series Integrated Security Appliance Administration Guide
Contents
Web Security Blocked Report
88
Anti-Virus Report
88
Email Security Report
89
Network Reputation Report
90
IPS Policy Protocol Inspection Report
90
IM and P2P Blocking Report
91
Process Status
92
Resource Utilization
92
Chapter 4: Networking
94
Configuring IP Routing Mode
95
Port Management
95
Viewing the Status of Physical Interfaces
95
Configuring the Physical Interfaces
96
Configuring 802.1X Access Control on Physical Ports
98
Configuring the Port Mirroring
Configuring the WAN
100
101
Configuring the Primary WAN
101
Configuring the Secondary WAN
104
Configuring the Network Addressing Mode
106
Configuring the PPPoE Profiles
111
Configuring the WAN Redundancy
112
Loading Balancing for WAN Redundancy
113
Load Balancing with Policy-based Routing Configuration Example
115
Failover for WAN Redundancy
116
Routing Table for WAN Redundancy
117
Configuring the Link Failover Detection
117
Configuring the VLAN
118
Configuring the VLANs
119
Configuring DHCP Reserved IPs
122
Configuring the DMZ
123
Configuring the Zones
127
Security Levels for Zones
128
Predefined Zones
128
Cisco ISA500 Series Integrated Security Appliance Administration Guide
Contents
Configuring the Zones
Configuring the Routing
129
130
Configuring the Routing Mode
131
Viewing the Routing Table
131
Configuring the Static Routing
132
Configuring the Dynamic Routing
133
Configuring Policy-based Routing Settings
134
Priority of Routing Rules
136
Dynamic DNS
136
IGMP
138
VRRP
139
Configuring the Quality of Service
140
General QoS Settings
141
Configuring the WAN QoS
141
Managing the WAN Bandwidth for Upstream Traffic
142
Configuring the WAN Queue Settings
142
Configuring the Traffic Selectors for WAN Interfaces
144
Configuring the WAN QoS Policy Profiles
145
Mapping the WAN QoS Policy Profiles to WAN Interfaces
146
Configuring the LAN QoS
147
Configuring the LAN Queue Settings
147
Configuring the LAN QoS Classification Methods
148
Mapping CoS to LAN Queue
149
Mapping DSCP to LAN Queue
149
Configuring Default CoS
149
Configuring the Wireless QoS
150
Default Wireless QoS Settings
150
Configuring the Wireless QoS Classification Methods
151
Mapping CoS to Wireless Queue
151
Mapping DSCP to Wireless Queue
151
Address Management
152
Configuring the Addresses
152
Configuring the Group Addresses
153
Service Management
Configuring the Services
Cisco ISA500 Series Integrated Security Appliance Administration Guide
154
154
Contents
Configuring the Group Services
Chapter 5: Wireless Configuration for ISA550W and ISA570W
155
157
Configuring the Radio Settings
157
Basic Radio Settings
158
Advanced Radio Settings
160
Configuring the Access Points
162
Configuring the Security Mode
162
Controlling the Wireless Access Based on MAC Addresses
169
Mapping the SSID to VLAN
170
Configuring the SSID Schedule
171
Configuring Wi-Fi Protected Setup
172
Configuring Wireless Rogue AP Detection
173
Configuring Wireless Captive Portal
174
Chapter 6: Firewall
177
Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic
178
Default Firewall Settings
178
Priorities of Firewall Access Rules
180
Preliminary Tasks for Configuring the Firewall Access Rules
180
General Settings for Configuring the Firewall Access Rules
181
Configuring a Firewall Access Rule
183
Configuring a Firewall Access Rule to Allow the Multicast Traffic
185
Configuring the Firewall Schedule
186
Firewall Access Rule Configuration Examples
187
Configuring the NAT Rules to Securely Access a Remote Network
192
Configuring Dynamic PAT Rules
193
Configuring Static NAT Rules
194
Configuring Port Forwarding Rules
195
Configuring Port Triggering Rules
196
Configuring Advanced NAT Rules
197
Viewing NAT Translation Status
199
Cisco ISA500 Series Integrated Security Appliance Administration Guide
Contents
Priorities of NAT Rules
200
Configuring the Session Settings
200
Configuring the Content Filtering to Control Access to Internet
201
Configuring the Content Filtering Policy Profiles
201
Configuring the Website Access Control List
203
Mapping the Content Filtering Policy Profiles to Zones
204
Configuring Advanced Settings
204
Configuring the MAC Filtering to Permit or Block Traffic
205
Configuring the IP/MAC Binding to Prevent Spoofing
206
Configuring the Attack Protection
207
Configuring the Application Level Gateway
209
Chapter 7: Security Services
Managing the Security Services
210
210
About the Security Services
211
Security License
212
Priority of Security Services
212
Managing the Security Services
212
Viewing the Security Service Reports
214
Intrusion Prevention Service
214
General IPS Settings
215
Configuring the IPS Policy and Protocol Inspection
216
Blocking the Instant Messaging and Peer-to-Peer Applications
218
Anti-Virus
220
Configuring the Anti-Virus
220
Configuring the Email Notification
223
Configuring the HTTP Notification
224
Email Reputation Filter
224
Web URL Filter
226
Configuring the Web URL Filter Policy Profiles
226
Configuring the Whitelist and Blacklist of Websites
227
Mapping the Web URL Filter Policy Profiles to Zones
228
Cisco ISA500 Series Integrated Security Appliance Administration Guide
Contents
Configuring Advanced Web URL Filter Settings
229
Web Reputation Filter
230
Network Reputation
231
Chapter 8: VPN
232
About VPN
232
Configuring the Cisco IPSec VPN Server
233
Cisco VPN Client Compatibility
234
Configuring the Group Policies for Cisco IPSec VPN Server
235
Configuring the Cisco IPSec VPN Client
238
Restrictions for Cisco IPSec VPN Client
239
Benefits of the Cisco IPSec VPN Client Feature
239
Modes of Operation
240
Client Mode
240
Network Extension Mode
241
General Settings
242
Configuring the Group Policies for Cisco IPSec VPN Client
243
Configuring the Site-to-Site VPN
246
Configuration Tasks to Establish a Site-to-Site VPN
246
General Site-to-Site VPN Settings
247
Configuring the IPSec VPN Policies
248
Configuring the IPSec IKE Policies
254
Configuring the IPSec Transform Policies
256
Configuring the SSL VPN
257
Elements of the SSL VPN
258
Configuration Tasks to Establish a SSL VPN Tunnel
259
Installing the Cisco AnyConnect VPN Client on User’s PC
260
Importing the Certificates for User Authentication
260
Configuring the SSL VPN Users
260
Configuring the SSL VPN Gateway
261
Configuring the SSL VPN Group Policies
263
Configuring the SSL VPN Portal
266
Configuring the L2TP Server
Cisco ISA500 Series Integrated Security Appliance Administration Guide
266
Contents
Configuring the VPN Passthrough
268
Viewing the VPN Status
268
Monitoring the IPSec VPN Status
269
Monitoring the SSL VPN Status
270
Chapter 9: User Management
About the Users and Groups
273
273
Available Services for User Groups
273
Default User and Group
274
Preempt the Administrators
274
Configuring the Users and Groups
275
Configuring Local Users
275
Configuring Local User Groups
276
Configuring the User Authentication Settings
277
Authentication Methods for User Login
278
Using Local Database for Authentication
279
Using RADIUS Server for Authentication
279
Using Local Database and RADIUS Server for Authentication
282
Using LDAP for Authentication
283
Using Local Database and LDAP for Authentication
286
Configuring the User Session Settings
286
Viewing Active User Sessions
Chapter 10: Device Management
287
288
Remote Management
289
Administration
290
Changing the User Name and Password for the Default Administrator Account
290
Configuring the User Session Settings
291
SNMP
292
Configuration Management
294
Saving your Current Configurations
294
Restoring your Settings from a Saved Configuration File
295
Cisco ISA500 Series Integrated Security Appliance Administration Guide
Contents
Reverting to the Factory Default Settings
Firmware Management
296
297
Viewing the Firmware Information
297
Checking for New Firmwares
298
Upgrading the Firmware
299
Using the Secondary Firmware
300
Firmware Auto Fall Back Mechanism
301
Using the Rescue Mode to Recover the System
302
Rebooting the Security Appliance
302
Log Management
302
Configuring the Log Settings
303
Configuring the Log Facilities
305
Viewing the Logs
306
Managing the Security License
307
Checking the License Status
308
Renewing the Security License
309
Managing the Certificates for Authentication
310
Viewing the Certificate Status
310
Managing the Certificates
311
Exporting the Certificates to Local PC
312
Exporting the Certificates to a USB Device
313
Importing the Certificates from Your Local PC
313
Importing the Certificates from a Mounted USB Device
314
Importing the Signed Certificate for CSR from Your Local PC
314
Generating New Certificate Signing Requests
315
Configuring the Email Alert Settings
316
Configuring the RADIUS Servers
319
Configuring the Time Zone
320
Device Discovery
321
UPnP
321
Bonjour
322
CDP
323
LLDP
324
Cisco ISA500 Series Integrated Security Appliance Administration Guide
Contents
Diagnosing the Device
324
Ping
325
Tracert
325
DNS Lookup
326
Packet Capture
326
System Diagnostics
327
Measuring and Limiting Traffic with the Traffic Meter
328
Configuring the ViewMaster
330
Configuring the CCO Account
331
Configuring the Device Properties
332
Configuring the Debug Settings
332
Appendix A: Troubleshooting
333
Internet Connection
333
Date and Time
336
Pinging to Test LAN Connectivity
337
Testing the LAN Path from Your PC to Your Security Appliance
337
Testing the LAN Path from Your PC to a Remote Device
338
Restoring Factory Default Settings
339
Appendix B: Technical Specifications and Environmental Requirements
340
Appendix C: Factory Default Settings
343
Device Management
343
User Management
346
Networking
347
Wireless
352
VPN
353
Security Services
356
Firewall
357
Reports
359
Default Service Objects
360
Default Address Objects
363
Cisco ISA500 Series Integrated Security Appliance Administration Guide
10
Contents
Appendix D: Where to Go From Here
Cisco ISA500 Series Integrated Security Appliance Administration Guide
365
11
1
Getting Started
This chapter provides the product overview and installation instruction to help you
to install the security appliance, and describes the default settings and some
basic configuration tasks to help you to begin configuring your security appliance.
It includes the following sections:
•
Introduction, page 12
•
Feature Overview, page 13
•
Device Overview, page 14
•
Installation, page 18
•
Getting Started with the Configuration Utility, page 23
•
About the Default Settings, page 25
•
Performing Common Configuration Tasks, page 27
Introduction
The Cisco ISA500 Series Integrated Security Appliances are a set of Unified
Threat Management (UTM) security appliances that provide business class
security gateway solutions with zone-based firewall, site-to-site and remote
access VPN (including Cisco IPSec VPN and SSL VPN) support, and Internet
threat protection with multiple UTM security services. The ISA550W and
ISA570W include 802.11b/g/n access point capabilities.
The following table lists the available model numbers to help you become familiar
with your security appliance.
Cisco ISA500 Series Integrated Security Appliance Administration Guide
12
1
Getting Started
Feature Overview
Models
Description
Configuration
ISA550
Cisco ISA550 Integrated
Security Appliance
1 WAN port, 2 LAN ports, 4
configurable ports, and 1 USB 2.0 port
ISA550W
Cisco ISA550 Integrated
Security Appliance with
WiFi
1 WAN port, 2 LAN ports, 4
configurable ports, 1 USB 2.0 port,
and 802.11b/g/n
ISA570
Cisco ISA570 Integrated
Security Appliance
1 WAN port, 4 LAN ports, 5
configurable ports, and 1 USB 2.0 port
ISA570W
Cisco ISA570 Integrated
Security Appliance with
WiFi
1 WAN port, 4 LAN ports, 5
configurable ports, 1 USB 2.0 port,
and 802.11b/g/n
Feature Overview
The features of the Cisco ISA500 Series Integrated Security Appliance are
compared in the following table.
Feature
ISA550
ISA550W
ISA570
ISA570W
Firewall Throughput
(1000B)
150 Mbps
150 Mbps
300 Mbps
300 Mbps
Firewall Throughput
(IMIX)
70 Mbps
70 Mbps
150 Mbps
150 Mbps
IPSec VPN (large
packet)
75 Mbps
75 Mbps
150 Mbps
150 Mbps
Anti-Virus
Throughput
60 Mbps
60 Mbps
130 Mbps
130 Mbps
Intrusion Prevention
Service Throughput
80 Mbps
80 Mbps
150 Mbps
150 Mbps
UTM Throughput
45 Mbps
45 Mbps
120 Mbps
120 Mbps
Cisco ISA500 Series Integrated Security Appliance Administration Guide
13
1
Getting Started
Device Overview
Feature
ISA550
ISA550W
ISA570
ISA570W
Maximum
Concurrent Sessions
15,000
15,000
40,000
40,000
Sessions per
Seconds (cps)
2,500
2,500
3,000
3,000
Wireless (802.11b/g/
n)
No
Yes
No
Yes
IPSec Tunnels
50
50
100
100
SSL VPN Tunnels
25
25
50
50
Device Overview
Before you begin to use the security appliance, become familiar with the lights on
the front panel and the ports on the rear panel. It includes the following sections:
•
Front Panel, page 14
•
Back Panel, page 17
Front Panel
ISA550 Front Panel
ISA550
282351
Cisco Small Business
SPEED
LINK /ACT
POWER/SYS
VPN
WAN
USB
LAN
CONFIGURABLE
ISA550W Front Panel
ISA550W
SPEED
LINK /ACT
POWER/SYS
VPN
USB
WLAN
WAN
LAN
Cisco ISA500 Series Integrated Security Appliance Administration Guide
CONFIGURABLE
281983
Cisco Small Business
14
1
Getting Started
Device Overview
ISA570 Front Panel
ISA570
282350
Cisco Small Business
SPEED
LINK /ACT
POWER/SYS
VPN
WAN
USB
LAN
CONFIGURABLE
10
ISA570W Front Panel
ISA570W
SPEED
LINK /ACT
POWER/SYS
VPN
USB
WLAN
WAN
LAN
CONFIGURABLE
10
281980
Cisco Small Business
Front Panel Lights
The following table describes the lights on the front panel of the security
appliance. These lights are used for monitoring system activity.
Lights
Description
POWER/SYS
Indicates the power status and system status.
VPN
•
Green lights when the system is powered on and
operates normally.
•
Green flashes when the system is booting.
•
Amber flashes when the system booting has a
problem, a device error occurs, or the system has a
problem.
Indicates the Site-to-Site VPN connection status.
•
Green lights when the Site-to-Site VPN tunnel is
established.
•
Green flashes when attempting to establish the Site-toSite VPN tunnel.
•
Amber flashes when the system is experiencing
problems setting up the Site-to-Site VPN connection.
Cisco ISA500 Series Integrated Security Appliance Administration Guide
15
1
Getting Started
Device Overview
Lights
Description
USB
Indicates the USB device status.
WLAN
(ISA550W and
ISA570W
only)
SPEED
LINK/ACT
•
Green lights when a USB device is detected and
operates normally.
•
Green flashes when the USB device is transmitting and
receiving data.
Indicates the WLAN status.
•
Green lights when the WLAN is enabled and
associated.
•
Green flashes when the WLAN is transmitting and
receiving data.
Indicates the traffic rate of the associated port.
•
Off when the traffic rate is 10 or 100 Mbps.
•
Green lights when the traffic rate is 1000 Mbps.
Indicates a connection is being made through the port.
•
Green lights when the link is up.
•
Green flashes when the port is transmitting and
receiving data.
NOTE The front panel of the ISA550 and ISA570 does not include the WLAN light.
Cisco ISA500 Series Integrated Security Appliance Administration Guide
16
1
Getting Started
Device Overview
Back Panel
The back panel is where you connect the network devices. The ports on the panel
vary depending on the model.
ISA550 and ISA550W Back Panel
ANT01
12VDC
A NT01
A NT02
LAN
CONFIGURABLE
USB
Port Configurable
Ports
WA N
LAN
Ports
RESET
WAN
Port
POWER
281984
Power
Switch
Reset
Button
ANT02
Power
Connector
ISA570 and ISA570W Back Panel
Power
Switch
Reset
Button
ANT02
ANT01
10
12VDC
A NT02
CONFIGURABLE
USB
Port
Configurable
Ports
Cisco ISA500 Series Integrated Security Appliance Administration Guide
LAN
LAN
Ports
WA N
WAN
Port
RESET
POWER
281981
A NT01
Power
Connector
17
1
Getting Started
Installation
Back Panel Descriptions
Feature
Description
ANT01/ANT02
Threaded connectors for the antennas (for ISA550W and
ISA570W only).
USB Port
Connects the unit to a USB device. You can use a USB
device to backup and restore the configurations, or to
upgrade the firmware images.
Configurable
Ports
Can be set to operate as WAN, LAN, or DMZ ports. The
ISA550 and ISA550W have 4 configurable ports. The
ISA570 and ISA570W have 5 configurable ports.
LAN Ports
Connects PCs and other network appliances to the unit.
The ISA550 and ISA550W have 2 dedicated LAN ports.
The ISA570 and ISA570W have 4 dedicated LAN ports.
WAN Port
Connects the unit to a DSL or a cable modem, or another
WAN connectivity device.
RESET Button
To reboot the unit, push and release the RESET button. To
restore the factory default settings, push and hold the
RESET button for 3 seconds.
Power Switch
Turns the unit on or off.
Power
Connector
Connects the unit to power using the supplied power cord
and adapter.
NOTE The back panel of ISA550 and ISA570 does not include two threaded connectors
for the antennas.
Installation
This section describes how to install the security appliance. It includes the
following topics:
•
Before You Begin, page 19
Cisco ISA500 Series Integrated Security Appliance Administration Guide
18
1
Getting Started
Installation
•
Installation Options, page 19
•
Hardware Installation, page 22
Before You Begin
Before you begin the installation, make sure that you have the following
equipments and services:
•
An active Internet account.
•
Mounting kits and tools for installing the hardware. The kits packed with the
security appliance are used for desktop placement and rack mounting. The
kits include 4 rubber feet, 2 brackets, 2 silicon rubber spacers, 8 M3
screws, 4 M5 screws, and 4 washers.
NOTE The Wall-mounting kit is not included.
•
RJ-45 Ethernet cables (Category 5 or higher) for connecting computers,
WAN and LAN interfaces, or other devices.
•
A computer with Microsoft Internet Explorer 8.0, or Mozilla Firefox 3.6.x (or
later) for using the web-based Configuration Utility.
Installation Options
You can place your security appliance on a desktop, mount it on a wall, or mount it
in a rack. It includes the following topics:
•
Placement Tips, page 19
•
Wall Mounting, page 20
•
Rack Mounting, page 21
Placement Tips
•
Ambient Temperature: To prevent the security appliance from overheating,
do not operate it in an area that exceeds an ambient temperature of 104°F
(40°C).
•
Air Flow: Be sure that there is adequate air flow around the device.
Cisco ISA500 Series Integrated Security Appliance Administration Guide
19
1
Getting Started
Installation
•
Mechanical Loading: Be sure that the security appliance is level and stable
to avoid any hazardous conditions.
To place the security appliance on a desktop, install the supplied four rubber feet
on the bottom of the security appliance. Place the security appliance on a flat
surface.
Wall Mounting
There is no wall-mounting kit included with your security appliance. We
recommend that you use the following screws to install your security appliance to
the wall or the ceiling:
196243
1 8mm/0.32 in
2 25mm/0.98 in
3 6.5mm/0.26in
4 18.6mm/0.73in
WARNING Insecure mounting might damage the device or cause injury. Cisco is not
responsible for damages incurred by improper wall-mounting.
To mount the security appliance to the wall:
STEP 1
Determine where you want to mount the security appliance. Verify that the surface
is smooth, flat, dry, and sturdy.
STEP 2
Insert two 18.6 mm (0.73 inch) screws, with anchors, into the wall 234 mm apart
(9.21 inches). Leave 3 to 4 mm (about 1/8 inch) of the head exposed.
STEP 3
Place the security appliance wall-mount slots over the screws. Slide the security
appliance down until the screws fit snugly into the wall-mount slots.
Cisco ISA500 Series Integrated Security Appliance Administration Guide
20
1
Getting Started
Installation
Rack Mounting
You can mount the security appliance in any standard size, 19-inch (about 48 cm)
wide rack. The security appliance requires 1 rack unit (RU) of space, which is 1.75
inches (44.45 mm) high.
CAUTION Do not overload the power outlet or circuit when installing multiple devices in a
rack.
STEP 1
Place one of the supplied silicon rubber spacers on the side of the security
appliance so that the four holes align to the screw holes. Place the rack mount
bracket next to the silicon rubber spacer and install the M3 screws.
NOTE If the M3 screws are not long enough to reattach the bracket with the silicon
rubber spacer, attach the bracket directly to the case without the silicon
rubber spacer.
Install the security appliance into a standard rack as shown below. Place the
washers on the brackets so that the holes align to the screw holes and then install
the M5 screws.
Step 1
Cisco ISA500 Series Integrated Security Appliance Administration Guide
Step 2
281985
STEP 2
21
1
Getting Started
Installation
Hardware Installation
Follow these steps to connect the security appliance:
STEP 1
Connect the security appliance to power using the supplied power cord and
adapter. Make sure that the power switch is turned off.
STEP 2
If you are installing the ISA550W and ISA570W, screw each antenna onto a
threaded connector on the back panel. Orient each antenna to point upward.
STEP 3
For a DSL or cable modem, or other WAN connectivity devices, connect an
Ethernet network cable from the device to the WAN port on the back panel. Cisco
strongly recommends using Cat5E or better cable.
STEP 4
For network devices, connect an Ethernet network cable from the network device
to one of the dedicated LAN ports on the back panel.
STEP 5
For a UC 500 or a UC 300, connect an Ethernet network cable from the WAN port
of the UC 500 or a UC 300 to an available LAN port of the security appliance.
STEP 6
For a UC500 or a UC300, connect an Ethernet network cable from the WAN port of
the UC500 or UC300 to an available LAN port on the back panel of the security
appliance.
STEP 7
Power on the connected devices.
STEP 8
Power on the security appliance. The lights on the front panel for all connected
ports light up to show active connections.
A sample configuration is illustrated below.
Public
Web Server
Power
12VDC
A NT01
A NT02
CONFIGURABLE
LAN
WA N
RESET
POWER
281982
10
Internet
Access
Device
Network
Devices
Congratulations! The installation of the security appliance is complete.
Cisco ISA500 Series Integrated Security Appliance Administration Guide
22
Getting Started
Getting Started with the Configuration Utility
Getting Started with the Configuration Utility
The Configuration Utility is a web based device manager that is used to provision
the security appliance. To use this utility, you must be able to connect to the
security appliance from your administration PC or laptop. You can access the
security appliance by using web browser such as Microsoft Internet Explorer 8.0,
or Mozilla Firefox 3.6.x (or later). It includes the following sections:
•
Launching the Configuration Utility, page 23
•
Navigating Through the Configuration Utility, page 24
•
Using the Help System, page 25
•
Using the Management Buttons, page 25
Launching the Configuration Utility
STEP 1
Connect your computer to an available LAN port on the back panel of the security
appliance.
STEP 2
Start a web browser. In the Address bar, enter the default IP address of the
security appliance: 192.168.1.1.
NOTE The above address is the factory default LAN address. If you change this
setting in the DEFAULT VLAN configuration, you will need to enter the new IP
address to connect to the Configuration Utility.
STEP 3
STEP 4
Enter the default user name and password in the login screen:
•
Username: cisco
•
Password: cisco
Click Login.
For the first login, you are forced to immediately change the default user name and
password of the default administrator account to prevent unauthorized access.
For more information, see Changing the User Name and Password of the
Default Administrator Account at Your First Login, page 27.
Cisco ISA500 Series Integrated Security Appliance Administration Guide
23
1
Getting Started
Getting Started with the Configuration Utility
After you change them, the Startup Wizard launches. For more information about
how to use the Startup Wizard to configure your security appliance, see Using the
Startup Wizard, page 32.
Navigating Through the Configuration Utility
Use the left hand navigation pane and content pane to perform the tasks in the
Configuration Utility.
Number
Components
Description
Left Hand
Navigation
Pane
The left hand navigation pane provides easy
navigation through the configurable features. The
main branches expand to provide the features.
Click on the main branch title to expand its
contents. Click on the right arrow of a feature to
open its subfeatures, or click on the down arrow of
a feature to contract its subfeatures. Click on the
title of a feature or subfeature to open it.
Content Pane
The content of the feature or subfeature appears in
this area.
Cisco ISA500 Series Integrated Security Appliance Administration Guide
24
1
Getting Started
About the Default Settings
Using the Help System
The Configuration Utility includes a detailed Help file for all configuration tasks. To
view the Help page, click the Help link in the top right corner of the screen.
Using the Management Buttons
Device Management buttons and icons provide an easy method of configuring
device information. In this guide, we use the texts by replacing the buttons or icons
to indicate what the buttons or icons are used for.
Icons
Actions
Icons
Actions
Move
Expand
Move Down
Collapse
Move Up
Edit or other specific actions
with relative description
Delete or Delete Selection
About the Default Settings
The security appliance is predefined with the settings that allow you to start using
the device with minimal changes needed. Depending the requirements of your
Internet Service Provider (ISP) and the needs of your business, you might need to
modify some of these settings. You can use the Configuration Utility to customize
all settings, as needed.
Settings of particular interest are described below. For a full list of all factory
default settings, see Appendix C, "Factory Default Settings."
Cisco ISA500 Series Integrated Security Appliance Administration Guide
25
1
Getting Started
About the Default Settings
•
IP Routing Mode: By default, only the IPv4 mode is enabled. To support the
IPv4 and IPv6 addressing, you need to enable the IPv4/IPv6 mode. To
change the IP routing mode, see Configuring IP Routing Mode, page 95.
•
WAN Configuration: By default, the security appliance is configured to
obtain an IP address from your ISP by using Dynamic Host Configuration
Protocol (DHCP). Depending on the requirement of your ISP, you will need to
configure the network address mode for the primary WAN and the
secondary WAN if applicable. You can change other WAN settings as well.
See Configuring the WAN, page 101.
•
LAN Configuration: By default, the LAN of the security appliance is
configured in the 192.168.1.0 subnet and the LAN IP address is 192.168.1.1.
The security appliance acts as a DHCP server to the hosts on the WLAN or
LAN network. It can automatically assign IP addresses and DNS server
addresses to the PCs and other devices on the LAN. For most deployment
scenarios, the default DHCP and TCP/IP settings should be satisfactory.
However, you can change the subnet address or the default IP address. You
can assign static IP addresses to connected devices rather than allowing the
security appliance to act as a DHCP server. See Configuring the VLAN,
page 118.
•
VLAN Configuration: The security appliance predefines a native VLAN
(DEFAULT) and a guest VLAN (GUEST). You can customize new VLANs for
your specific business needs. See Configuring the VLAN, page 118.
•
Configurable Ports: By default, all configurable ports are set to act as LAN
ports. Alternatively, you can configure the configurable port for use as a DMZ
port or a secondary WAN port. See Configuring the WAN, page 101 or
Configuring the DMZ, page 123.
•
Wireless Network (for ISA550W and ISA570W only): The ISA550W or
ISA570W is configured with four SSIDs. All SSIDs are disabled by default.
For security purposes, we strongly recommend that you configure the SSIDs
with the appropriate security settings. See Wireless Configuration for
ISA550W and ISA570W, page 157.
•
Administrative Access: You can access the Configuration Utility by using a
web browser and entering the default LAN IP address of 192.168.1.1. You
can log into by entering the username and password of the default
administrator account. You are forced to change the default username and
password after the first login. See Changing the User Name and Password
of the Default Administrator Account at Your First Login, page 27. You
also may want to change the user login settings for authentication. See
Configuring the User Authentication Settings, page 277.
Cisco ISA500 Series Integrated Security Appliance Administration Guide
26
Getting Started
Performing Common Configuration Tasks
•
Security Services: By default, the UTM security services such as Intrusion
Prevention Service (IPS), Web URL Filter, Web Reputation Filter, Anti-Virus,
and Email Reputation Filter are disabled. For more information about how to
configure the security services, see Security Services, page 210.
•
Firewall: By default, the firewall prevents inbound traffic and allows all
outbound traffic. If you want to allow some inbound traffic or prevent some
outbound traffic, you must customize firewall access rules. The security
appliance supports up to 100 custom access rules. See Configuring the
Firewall Access Rules to Control Inbound and Outbound Traffic,
page 178.
•
VPN: By default, the VPN feature is disabled. The security appliance can
function as a Cisco IPSec VPN server or a Cisco VPN hardware client, or as
a SSL VPN gateway so that remote users can securely access the corporate
network resources over the VPN tunnels. You can also establish a secure
IPSec VPN tunnel between two sites that are physically separated by using
the Site-to-Site VPN feature. For more information about how to configure the
VPN features, see VPN, page 232.
Performing Common Configuration Tasks
We strongly recommend that you complete the following common tasks before
you begin configuring your security appliance. It includes the following sections:
•
Changing the User Name and Password of the Default Administrator
Account at Your First Login, page 27
•
Saving Your Configuration, page 28
•
Upgrading the Firmware if needed, page 29
•
Resetting the Device, page 30
Changing the User Name and Password of the Default
Administrator Account at Your First Login
The default administrator account is an administrative account that has fully
privilege to set the configurations and read the system status. It does not belong to
any user group. To prevent unauthorized access, you are forced to immediately
change the default user name and password at its first login.
Cisco ISA500 Series Integrated Security Appliance Administration Guide
27
1
Getting Started
Performing Common Configuration Tasks
STEP 1
After the first login, a prompt window opens.
STEP 2
Enter the following information:
•
User Name: Enter a new user name that contains the letters, numbers, or
underline for the default administrator account.
•
New Password: Enter a new password for the default administrator account.
Passwords are case-sensitive.
NOTE Restrictions for password: The password should contain at least
three types of these character classes: lower case letters, upper case
letters, numbers, and special characters. Do not repeat any character
more than three times consecutively. Do not set the password as the
user name or the reversed user name. The password cannot be set as
“cisco”, “ocsic”, or any variant obtained by changing the capitalization
of letters.
•
STEP 3
Confirm Password: Enter the new password again for confirmation.
Click Save to apply your settings.
Saving Your Configuration
At any point during the configuration process, you can save your configurations.
Later, if you make changes that you want to abandon, you can easily revert to the
saved configurations.
STEP 1
Click Device Management -> Firmware and Configuration -> Configuration.
The Configuration window opens.
STEP 2
To save the current settings on your local PC, perform the following steps:
a. In Backup/Restore Settings area, click Backup after the Save A Copy of
Current Settings option.
b. The Encryption window opens. You can optionally encrypt the configurations
for security purposes, check the Encrypt box and enter the password in the
Key field, and then click OK.
Cisco ISA500 Series Integrated Security Appliance Administration Guide
28
Getting Started
Performing Common Configuration Tasks
c. Locate where to save the configuration file, and then click Save.
STEP 3
To save the current settings on a USB device, perform the following steps:
a. Insert a USB device into the USB interface on the back panel of your security
appliance. The USB device is automatically mounted once you insert it.
b. In the USB -> Mount/Unmount area, check the mounting status of the USB
device. Make sure that the USB Driver Status shows as “UP” when you use the
USB device to manage the configurations.
c. In the USB -> Backup/Restore Settings area, click Backup after the Save A
Copy of Current Settings option.
d. The Encryption window opens. You can optionally encrypt the configurations
for security purposes, check the Encrypt box and then enter the password in
the Key field, and then click OK. Your current settings are saved as a
configuration file on the root folder of the USB device.
Upgrading the Firmware if needed
Before you do any other tasks, ensure that you are using the latest firmware
version. You can upgrade from a firmware file stored on your computer or a
mounted USB device.
CAUTION During a firmware upgrade, do NOT try to go online, turn off the device, shut down
the PC, remove the cable, or interrupt the process in anyway until the operation is
complete. This process should take several minutes or so including the reboot
process. Interrupting the upgrade process at specific points when the flash is
being written to can corrupt the flash memory and render the security appliance
unusable.
STEP 1
Click Device Management -> Firmware and Configuration -> Firmware.
The Firmware window opens.
Cisco ISA500 Series Integrated Security Appliance Administration Guide
29
Getting Started
Performing Common Configuration Tasks
STEP 2
To manually upgrade the firmware from your local PC, perform the following steps:
a. In the Network -> Firmware Upgrade area, click Browse to locate and select
the firmware image from your local PC.
b. To upgrade the firmware and keep using the current settings, click Upgrade.
c. To upgrade the firmware and revert to the factory default settings, click
Upgrade & Factory Reset. When the operation is complete, the security
appliance automatically reboots with the factory default settings.
STEP 3
To upgrade the firmware through a USB device, perform the following steps:
a. Insert the USB device with the firmware images into the USB interface on the
back panel of your security appliance. The USB device is automatically
mounted after you inserted it.
b. In the USB -> Mount/Unmount area, check the mounting status of the USB
device. Make sure that the USB Driver Status shows as “UP” when you use the
USB device to manage the firmware.
c. In the USB -> Backup/Restore Settings area, all firmware images located on
the USB device appears in the list.
•
To upgrade the firmware and keep using the current settings, select the
latest firmware image from the list and then click Upgrade.
•
To upgrade the firmware and revert to the factory default settings, select the
latest firmware image from the list and then click Upgrade & Factory Reset.
When the operation is complete, the security appliance automatically
reboots with the factory default settings.
Resetting the Device
To revert your security appliance to the factory default settings, you can press and
hold the RESET button on the back panel for minimum of 3 seconds, or perform the
following procedures.
CAUTION The Revert To Factory Default Settings operation will wipe out the current
configurations used on your security appliance (including the imported
certificates). We recommmend that you save the current settings before reverting
to the factory default settings.
Cisco ISA500 Series Integrated Security Appliance Administration Guide
30
Getting Started
Performing Common Configuration Tasks
STEP 1
Click Device Management -> Firmware and Configuration -> Configuration.
The Configuration window opens.
STEP 2
In the Backup/Restore Settings -> Revert To Factory Default Settings area,
click Default.
The security appliance will reboot with the factory default settings.
Cisco ISA500 Series Integrated Security Appliance Administration Guide
31
2
Wizards
This chapter describes how to use the wizards to configure your security
appliance.
•
Using the Startup Wizard, page 32
•
Using the Wireless Wizard to Configure the Wireless Settings for
ISA550W and ISA570W, page 40
•
Using the DMZ Wizard to Configure the DMZ Settings, page 46
•
Using the Dual WAN Wizard to Configure the WAN Redundancy
Settings, page 51
•
Using the Site-to-Site Wizard to Establish the Site-to-Site VPN Tunnels,
page 53
•
Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or
SSL VPN Tunnels for Remote Access, page 58
To access the Wizards pages, click Wizards in the left hand navigation pane.
Using the Startup Wizard
The Startup Wizard helps you configure the remote management, port, WAN, LAN,
DMZ, and WLAN (for ISA550W and ISA570W only) settings. The first time you log
into your security appliance, the Startup Wizard automatically launches.
STEP 1
Click Wizard -> Startup Wizard.
The Getting Started window opens. A prompt warning message is displayed as
below.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
32
2
Wizards
Using the Startup Wizard
CAUTION When the Startup Wizard is complete, the previous settings relevant to the
changed WAN, DDNS, LAN, DMZ, and WLAN are cleaned up, and relevant services
are reinitialized.
For the first login, you can ignore this warning message and follow the on-screen
prompts to complete the initial configuration. If you have already configured the
security appliance, make sure that you have read the warning message before you
use the Startup Wizard to configure your security appliance. Click OK to close the
warning message window.
STEP 2
Click Begin.
The Remote Management window opens. The security appliance allows remote
management securely by using HTTPS and HTTP. For example, https://
xxx.xxx.xxx.xxx:8080.
Enter the following information:
•
Remote Management: Click On to enable remote management by using
HTTPS, or click Off to disable it. We recommend that you use HTTPS for
secure purposes.
•
HTTPS Listen Port Number: If you enable remote management by using
HTTPS, enter the port number to be listened on. By default, the listened port
for HTTPS is 8080.
•
HTTP Enable: Click On box to enable remote management by using HTTP,
or click Off to disable it.
•
HTTP Listen Port Number: If you enable remote management by using
HTTP, enter the port number to be listened on. By default, the listened port
for HTTP is 80.
•
Access Type: Choose the level of permission for remote management:
Allow access from any IP address: Any IP address from a remote WAN
network can access the Configuration Utility.
Restrict a specific IP address: Only the specified remote host can
access the Configuration Utility. Enter the IP address of the remote host
in the IP Address field.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
33
2
Wizards
Using the Startup Wizard
•
STEP 3
Restrict access to a range of IP addresses: Only the hosts in the
specified remote network can access the Configuration Utility. Enter the
starting IP address in the From field and the ending IP address in the To
field.
Remote SNMP: Click On to enable SNMP for the remote connection, or click
Off to disable SNMP. Enabling SNMP allows remote users to use the SNMP
protocol to access the Configuration Utility.
After you are finished, click Next.
The Port Configuration window opens. From this page you can specify the port
configuration. The Startup Wizard predefines four port configuration solutions. You
can also modify the port types for the configurable ports when you create a
secondary WAN or configure the DMZs.
If you are using the ISA570 or ISA570W, choose one of the following options:
•
1 WAN, 9 LAN Switch: This is the default setting. The security appliance is
set to one WAN port (WAN1) and nine LAN ports.
•
1 WAN, 1 DMZ, and 8 LAN Switch: The security appliance is set to one
WAN port (WAN1), one DMZ port, and eight LAN ports. The configurable port
GE10 is set to a DMZ port.
•
1 WAN, 1 WAN Backup, and 8 LAN Switch: The security appliance is set to
two WAN ports (WAN1 is the primary WAN and WAN2 is the secondary
WAN) and eight LAN ports. The configurable port GE10 is set to a secondary
WAN port.
•
1 WAN, 1 WAN Backup, 1 DMZ, and 7 LAN Switch: The security appliance
is set to two WAN ports (WAN1 is the primary WAN and WAN2 is the
secondary WAN), one DMZ port, and seven LAN ports. The configurable
port GE10 is set to a secondary WAN port and the configurable port GE9 is
set to a DMZ port.
If you are using the ISA550 or ISA550W, choose one of the following options:
•
1 WAN, 6 LAN Switch: This is the default setting. The security appliance is
set to one WAN port (WAN1) and six LAN ports.
•
1 WAN, 1 DMZ, and 5 LAN Switch: The security appliance is set to one
WAN port (WAN1), one DMZ port, and five LAN ports. The configurable port
GE7 is set to a DMZ port.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
34
2
Wizards
Using the Startup Wizard
•
1 WAN, 1 WAN Backup, and 5 LAN Switch: The security appliance is set to
two WAN ports (WAN1 is the primary WAN and WAN2 is the secondary
WAN) and five LAN ports. The configurable port GE7 is set to a secondary
WAN port.
•
1 WAN, 1 WAN Backup, 1 DMZ, and 4 LAN Switch: The security appliance
is set to two WAN ports (WAN1 is the primary WAN and WAN2 is the
secondary WAN), one DMZ port, and four LAN ports. The configurable port
GE7 is set to a secondary WAN port and the configurable port GE6 is set to
a DMZ port.
NOTE If you have two ISP links, we recommend that you set a backup WAN
so that you can provide backup connectivity or load balancing. If you
need to host public services, we recommend that you set a DMZ port.
NOTE The configurable ports can be set as the WAN, LAN, and DMZ ports.
Up to two WAN ports and four DMZ ports can be configured on the
security appliance. To configure multiple DMZ ports, go to the
Networking -> DMZ page. For more information, see Configuring the
DMZ, page 123.
STEP 4
After you are finished, click Next.
The Primary WAN Connection window opens. From this page you can configure
the primary WAN port.
Choose the network addressing mode from the IP Address Assignment dropdown list and complete the corresponding fields for the primary WAN port
depending on the requirements of your ISP. The security appliance supports
DHCPC, Static IP, PPPoE, PPTP, and L2TP. For complete details, see Configuring
the Network Addressing Mode, page 106.
NOTE If only one single WAN port is configured on your security appliance, skip the
next two steps and proceed to the step 7.
STEP 5
After you are finished, click Next.
The Secondary WAN Connection window opens. From this page you can
configure the secondary WAN port.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
35
2
Wizards
Using the Startup Wizard
Choose the network addressing mode from the IP Address Assignment dropdown list and complete the corresponding fields for the secondary WAN port
depending on the requirements of your ISP. For complete details, see Configuring
the Network Addressing Mode, page 106.
STEP 6
After you are finished, click Next.
The WAN Redundancy window opens. From this page you can determine how the
two ISP links are used.
•
Use the Loab Balancing mode if you want to use both ISP links
simultaneously. The two links will carry data for the protocols that are bound
to them. Enter the following information:
Equal Load Balancing (Round Robin): Re-orders the WAN interfaces for
Round Robin selection. The order is as follows: WAN1 and WAN2. The
Round Robin will then repeat back to WAN1 and continue the order.
Weighted Load Balancing: Distributes the bandwidth to two WAN ports
by the weighted percange or by the weighted link bandwidth. If you
choose this mode, then choose one of the following options and finish the
setting:
Weighted By percentage: Allows you to set the percentage for each
WAN, such as 80% percentage bandwidth for WAN1 and lest 20%
percentage bandwidth for WAN2.
Weighted By Link Bandwidth: Allows you to set the rate limiting for each
WAN, such as 10 Mbps for WAN1 and 5 Mbps for WAN2.
•
STEP 7
Use the Failover mode if you want to use one ISP link as a backup. If a failure
is detected on the primary link, then the security appliance directs all
Internet traffic to the backup link. When the primary link regains connectivity,
all Internet traffic is directed to the primary link, and the backup link becomes
idle. Enter the following information:
Auto Failover to: Choose either WAN1 or WAN2 as the primary link. By
default, WAN1 is set as the primary link and WAN2 is set as the backup
link. You can also set WAN2 as the primary link.
Preempt Delay Timer: Enter the time in seconds that the system will
preempt the primary link from the backup link when the primary link is up
again. The default is 5 seconds.
After you are finished, click Next.
The LAN Configuration window opens. From this page you can configure the
default LAN settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
36
2
Wizards
Using the Startup Wizard
•
IP: Enter the IP address of the default LAN.
•
Netmask: Enter the IP address of the netmask.
•
DHCP Server: Choose one of the following DHCP modes:
Disable: Choose this option if the computers on the VLAN are configured
with static IP addresses or are configured to use another DHCP server.
DHCP Server: Allows the security appliance to act as a DHCP server and
assigns IP addresses to all devices that are connected to the DEFAULT
VLAN. Any new DHCP client joining the DEFAULT VLAN is assigned an IP
address of the DHCP pool.
DHCP Relay: Allows the security appliance to use a DHCP Relay. If you
choose DHCP Relay, enter the IP address of the remote DHCP server in
the Relay IP field.
If you choose DHCP Server as the DHCP mode, enter the following information:
•
Start IP: Enter the starting IP address of the DHCP pool.
•
End IP: Enter the ending IP address of the DHCP pool.
NOTE The starting and ending IP addresses should be in the same range as
the LAN’s subnet address.
STEP 8
•
Lease Time: Enter the maximum connection time that a dynamic IP address
is “leased” to a network user. When the time elapses, the user is
automatically renewed the dynamic IP address.
•
DNS 1: Enter the IP address of the primary DNS server.
•
DNS 2: Optionally, enter the IP address of the secondary DNS server.
•
WINS 1: Enter the IP address for the primary WINS server.
•
WINS 2: Optionally, enter the IP address of the secondary WINS server.
•
Domain Name: Optionally, enter the domain name for the default LAN.
•
Default Gateway: Enter the IP address of default gateway.
After you are finished, click Next.
If you have no DMZ port, skip the next two steps and proceed to the step 10.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
37
2
Wizards
Using the Startup Wizard
If you have a DMZ port, the DMZ Configuration window opens. To host public
services, you need to configure a DMZ network in this page and specify the
relevant DMZ services from the next DMZ Service page.
•
IP: Enter the subnet IP address of the DMZ.
•
Netmask: Enter the subnet mask of the DMZ.
•
DHCP Service: Choose one of the following options:
Disable: Choose this option if the computers on the DMZ are configured
with static IP addresses or are configured to use another DHCP server.
DHCP Server: Allows the security appliance to act as a DHCP server and
assigns IP addresses to all devices that are connected to the DMZ. Any
new DHCP client joining the DMZ is assigned an IP address of the DHCP
pool.
DHCP Relay: Allows the security appliance to use a DHCP Relay. If you
choose DHCP Relay, enter the IP address of the remote DHCP server in
the Relay IP field.
If you choose DHCP Server as the DHCP mode, enter the following information:
•
Start IP: Enter the starting IP address of the DHCP pool.
•
End IP: Enter the ending IP address of the DHCP pool.
NOTE The starting and ending IP addresses should be in the same range as
the DMZ’s subnet address.
•
Lease Time: Enter the maximum connection time that a dynamic IP address
is “leased” to a network user. When the time elapses, the user is
automatically renewed the dynamic IP address.
•
DNS 1: Enter the IP address of the primary DNS server.
•
DNS 2: Optionally, enter the IP address of the secondary DNS server.
•
WINS 1: Enter the IP address for the primary WINS server.
•
WINS 2: Optionally, enter the IP address of the secondary WINS server.
•
Domain Name: Optionally, enter the domain name for the DMZ.
•
Default Gateway: Enter the IP address of default gateway.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
38
2
Wizards
Using the Startup Wizard
STEP 9
After you are finished, click Next.
The DMZ Service window opens. From this page you can configure the DMZ
services. For complete details, see Configuring the DMZ Services, page 49.
NOTE After you configure the DMZ services, the firewall access rules will
automatically generated by the security appliance to allow the access to the
services on your DMZ.
STEP 10 After you are finished, click Next.
The Wireless Radio Setting window opens. From this page you can configure the
wireless radio settings.
NOTE The wireless configurations such as wireless radio settings and Intranet
WLAN access (see next step) are only available for the ISA550W and
ISA570W. If your security appliance is not a wireless device, proceed to the
step 12.
•
Wireless Network Mode: Choose the 802.11 modulation technique. The
ISA550W and ISA550W supports the following radio modes:
802.11b only: Choose this mode if all devices in the wireless network
use 802.11b. Only 802.11b clients can connect to the access point.
802.11g only: Choose this mode if all devices in the wireless network
use 802.11g. Only 802.11g clients can connect to the access point.
802.11b/g mixed: Choose this mode if some devices in the wireless
network use 802.11b and others use 802.11g. Both 802.11b and 802.11g
clients can connect to the access point.
802.11n only: Choose this mode if all devices in the wireless network
can support 802.11n. Only 802.11n clients operating in the 2.4 GHz
frequency can connect to the access point.
802.11g/n mixed: Choose this mode to allow 802.11g and 802.11n
clients operating in the 2.4 GHz frequency to connect to the access point.
802.11b/g/n mixed: Choose this mode to allow 802.11b, 802.11g, and
802.11n clients operating in the 2.4 GHz frequency to connect to the
access point.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
39
Wizards
Using the Wireless Wizard to Configure the Wireless Settings for ISA550W and ISA570W
•
Wireless Channel: Choose a channel or choose Auto to let the system
determine the best channel to use based on the environmental noise levels
for the available channels.
STEP 11 After you are finished, click Next.
The Wireless Connectivity Type - Intranet WLAN Access window opens. From this
page you can configure the wireless connectivity settings for the SSID1.
NOTE The ISA550W and ISA570W support four SSIDs. To configure the wireless
connectivity settings for other SSIDs, go to the Wireless -> Basic Settings
page or use the Wireless wizard. For more information, see Configuring the
Access Points, page 151 or Using the Wireless Wizard to Configure the
Wireless Settings for ISA550W and ISA570W, page 40.
•
SSID Name: The SSID name.
•
Security Mode: Choose the encryption algorithm for data encryption for this
SSID. Depending on the selected security mode, configure the
corresponding settings. See Configuring the Security Mode, page 162.
•
VLAN Name: Choose the VLAN to which this SSID is mapped. All traffic from
the wireless clients that are connected to this SSID will be directed to the
selected VLAN.
STEP 12 After you are finished, click Next.
The Summary window opens. The Summary page displays the summary
information for all configurations you made.
STEP 13 Click Submit to save the settings.
Using the Wireless Wizard to Configure the Wireless Settings
for ISA550W and ISA570W
Use the Wireless Wizard to configure the wireless radio and Intranet connectivity
settings for the ISA550W and ISA570W. It includes the following sections:
•
Using the Wireless Wizard to Configure the Wireless Settings, page 41
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
40
Wizards
Using the Wireless Wizard to Configure the Wireless Settings for ISA550W and ISA570W
•
Configuring the SSID for Intranet WLAN Access, page 43
•
Configuring the SSID for Guest WLAN Access, page 44
•
Configuring the SSID for Guest WLAN Access (Captive Portal), page 45
Using the Wireless Wizard to Configure the Wireless Settings
STEP 1
Click Wizards -> Wireless Wizard.
The Getting Started window opens.
STEP 2
Click Begin.
The Wireless Radio Setting window opens. Enter the following information:
•
•
STEP 3
Wireless Network Mode: Specify the Physical Layer (PHY) standard that
the wireless radio uses.
802.11b only: Choose this mode if all devices in the wireless network
use 802.11b. Only 802.11b clients can connect to the access point.
802.11g only: Choose this mode if all devices in the wireless network
use 802.11g. Only 802.11g clients can connect to the access point.
802.11b/g mixed: Choose this mode if some devices in the wireless
network use 802.11b and others use 802.11g. Both 802.11b and 802.11g
clients can connect to the access point.
802.11n only: Choose this mode if all devices in the wireless network
can support 802.11n. Only 802.11n clients operating in the 2.4 GHz
frequency can connect to the access point.
802.11g/n mixed: Choose this mode to allow 802.11g and 802.11n
clients operating in the 2.4 GHz frequency to connect to the access point.
802.11b/g/n mixed: Choose this mode to allow 802.11b, 802.11g, and
802.11n clients operating in the 2.4 GHz frequency to connect to the
access point.
Wireless Channel: Choose a channel or choose Auto to let the system
determine the best channel to use based on the environmental noise levels
for the available channels.
After you are finished, click Next.
The Choose SSIDs window opens. From this page you can enable the SSIDs and
choose the wireless connectivity type for each active SSID.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
41
Wizards
Using the Wireless Wizard to Configure the Wireless Settings for ISA550W and ISA570W
•
Enable: Check this box to enable the SSID.
•
Mode: Choose the wireless connectivity type for each enabled SSID.
Intranet WLAN Access: Allows wireless users to access the corporate
network via the wireless network. The WLAN is mapped to the DEFAULT
VLAN.
Guest WLAN Access: Only allows guest users to access the corporate
network via the wireless network. The WLAN is mapped to the GUEST
VLAN.
Guest WLAN Access (Captive Portal): Only allows guest users who
authenticated successfully to access the corporate network via the
wireless network. The wireless users will be directed to a specific web
authentication login page to authenticate, and then be directed to a
specified web portal after login successfully before they can access the
Internet.
NOTE Only one SSID can be set for Guest WLAN access and Captive Portal
WLAN access.
STEP 4
Specify the wireless connectivity settings for all enabled SSIDs.
Depending on the wireless connectivity type that you selected for the SSID, you
need to complete the relevant settings for each enabled SSID.
For complete details to configure the Intranet WLAN access, see Configuring the
SSID for Intranet WLAN Access, page 43.
For complete details to configure the Guest WLAN access, see Configuring the
SSID for Guest WLAN Access, page 44.
For complete details to configure the Captive Portal WLAN access, see
Configuring the SSID for Guest WLAN Access (Captive Portal), page 45.
STEP 5
After you are finished, click Next.
The Summary window opens. The Summary page displays the summary
information for all configurations you made for the SSIDs.
STEP 6
Click Submit to save your settings and exit the Wireless Wizard.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
42
Wizards
Using the Wireless Wizard to Configure the Wireless Settings for ISA550W and ISA570W
Configuring the SSID for Intranet WLAN Access
This section describes how to configure the connectivity settings for Intranet
WLAN access.
STEP 1
After you enable the SSIDs and specify the wireless connectivity type for each
SSID, click Next.
If SSID1 is enabled and is set to Intranet WLAN Access, the SSID1 window opens.
STEP 2
STEP 3
Enter the following information:
•
SSID: Enter the SSID name.
•
Broadcast SSID: Check the box to broadcast the SSID in its beacon frames.
All wireless devices within range are able to see the SSID when they scan
for available networks. Uncheck the box to prevent auto-detection of the
SSID. In this case, users must know the SSID to set up a wireless connection
to this SSID.
•
PC Visibility: Check the box so that the wireless clients on the same SSID
will be able to see eachother.
In the Security Settings area, specify the wireless security settings.
•
Security Mode: Choose the security mode and configure the
correspoinding information. For security purposes, Cisco strongly
recommends WPA2 for wireless security. For example, if you choose WPA2Personal, enter the following information:
Encryption: WPA2-Personal always uses AES for data encryption.
Shared Secret: The Pre-shared Key (PSK ) is the shared secret key for
WPA. Enter a string of at least 8 characters to a maximum of 63
characters.
Key Renewal Timeout: Enter a value to set the interval at which the key
is refreshed for clients associated to this SSID. A value of 0 indicates that
the key is not refreshed. The default is 3600 seconds.
NOTE For complete details for other security modes, see Configuring the
Security Mode, page 162.
STEP 4
In the Advanced Settings area, enter the following information:
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
43
Wizards
Using the Wireless Wizard to Configure the Wireless Settings for ISA550W and ISA570W
•
VLAN Mapping: Choose the VLAN to which the SSID is mapped. All traffic
from the wireless clients that are connected to this SSID will be directed to
the selected VLAN. For Intranet VLAN access, you should choose a VLAN
that is mapped to a trust zone.
•
User Limit: Specify the maximum number of users that can simultaneously
connect to this SSID.
Configuring the SSID for Guest WLAN Access
This section describes how to configure the connectivity settings for Guest WLAN
access.
STEP 1
After you are finished the SSID1 configuration, click Next.
If SSID2 is enabled and is set to Guest WLAN Access, the SSID2 window opens.
STEP 2
STEP 3
Enter the following information:
•
SSID: Enter the SSID name.
•
Broadcast SSID: Check the box to broadcast the SSID in its beacon frames.
All wireless devices within range are able to see the SSID when they scan
for available networks. Uncheck the box to prevent auto-detection of the
SSID. In this case, users must know the SSID to set up a wireless connection
to this SSID.
•
PC Visibility: Check the box so that the wireless clients on the same SSID
are able to see eachother.
In the Security Settings area, specify the wireless security settings.
•
STEP 4
Security Mode: Choose the security mode and configure the
correspoinding information. For the complete details for how to configure the
security modes, see Configuring the Security Mode, page 162.
In the Advanced Settings area, enter the following information:
•
VLAN Mapping: Choose the VLAN to which the SSID is mapped. All traffic
from the wireless clients that are connected to this SSID will be directed to
the selected VLAN. For Guest VLAN access, you should choose a VLAN that
is mapped to a guest zone.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
44
Wizards
Using the Wireless Wizard to Configure the Wireless Settings for ISA550W and ISA570W
•
User Limit: Specify the maximum number of users that can simultaneously
connect to this SSID.
Configuring the SSID for Guest WLAN Access (Captive Portal)
This section describes how to configure the connectivity settings for Captive
Portal WLAN access.
STEP 1
After you are finished the SSID2 configuration, click Next.
If SSID3 is enabled and is set to Guest WLAN Access (Captive Portal), the SSID3
window opens.
STEP 2
STEP 3
Enter the following information:
•
SSID: Enter the SSID name.
•
Broadcast SSID: Check the box to broadcast the SSID in its beacon frames.
All wireless devices within range are able to see the SSID when they scan
for available networks. Uncheck the box to prevent auto-detection of the
SSID. In this case, users must know the SSID to set up a wireless connection
to this SSID.
•
PC Visibility: Check the box so that the wireless clients on the same SSID
are able to see eachother.
In the Security Settings area, specify the wireless security settings.
•
STEP 4
In the Captive Portal WLAN Access -> Autentication area, enter the following
information:
•
STEP 5
Security Mode: Choose the security mode and configure the
correspoinding information. For the complete details for how to configure the
security modes, see Configuring the Security Mode, page 162.
Autentication Method: The authentication method that is used to
authenticate the wireless users. This setting is derived from the user login
settings. Go to the Users -> Settings page to set the authentication method.
For more information, see Configuring the User Authentication Settings,
page 277.
In the Captive Portal WLAN Access -> Captive Portal Authentication Type area,
specify the web authentication type and configure the relevant settings:
•
Web Authentication Type: Choose one of the following methods:
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
45
Wizards
Using the DMZ Wizard to Configure the DMZ Settings
Internal: Allows you to use the default web authentication login page to
authenticate the wireless users. If you choose this option, enter the URL
of the portal in the Redirect URL After Login field and specify the
monitored HTTP port list. If you do not specify the portal, the wireless
user can access the original web site directly.
External Web Server: Allows you to use a customized web
authentication login page on an external web server to authenticate the
wireless users. If you choose this option, enter the IP address of the
external web server in the Authentication Web Server field and the key
in the Authentiation Web Key field. The authentication web key is used
to protect the user name and password that the external web server
sends to your security appliance for authentication.
For example, if you select Internal for authentication and the web portal
is set to www.ABcompanyC.com, when a wireless user tries to access
the website www.google.com, the default web authentication login page
opens. The user needs to enter the user name and password, and then
click Submit. After login, the user is directed to the
www.ABcompanyC.com and can then access the www.google.com.
STEP 6
In the Advanced Settings area, enter the following information:
•
VLAN Mapping: Choose the VLAN to which the SSID is mapped. All traffic
from the wireless clients that are connected to this SSID will be directed to
the selected VLAN.
•
User Limit: Specify the maximum number of users that can simultaneously
connect to this SSID.
Using the DMZ Wizard to Configure the DMZ Settings
Use the DMZ Wizard to configure the DMZ and DMZ services if you need to host
public services. It includes the following sections:
•
Using the DMZ Wizard to Configure the DMZ Settings, page 47
•
Configuring the DMZ, page 48
•
Configuring the DMZ Services, page 49
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
46
Wizards
Using the DMZ Wizard to Configure the DMZ Settings
Using the DMZ Wizard to Configure the DMZ Settings
STEP 1
Click Wizards -> DMZ Wizard.
The Getting Started window opens.
STEP 2
Click Begin.
The DDNS Setup window opens. From this page you can optionlly configure the
DDNS for the remote management of the DMZ network. Enter the following
information:
STEP 3
•
Service: Choose either DynDNS or No-IP service.
•
Active on Startup: Click On to activate the DDNS setting when the security
appliance starts up.
•
User Name: Enter the user name of the account that you registered in the
DDNS provider.
•
Password: Enter the password of the account that you registered in the
DDNS provider.
•
Host & Domain Name: Specify the complete host name and domain name
for the DDNS service.
After you are finised, click Next.
The DMZ Configure window opens. From this page you can the DMZ network. For
complete details, see Configuring the DMZ, page 48.
STEP 4
After you are finished, click Next.
The DMZ Service window opens. From this page you can configure the DMZ
services. For complete details, see Configuring the DMZ Services, page 49.
NOTE After you configure the DMZ services, the firewall access rules will
automatically generated by the security appliance to allow the access to the
services on your DMZ.
STEP 5
After you are finished, click Next.
The Summary window opens. The Summary window displays the summary
information for all configurations you made.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
47
Wizards
Using the DMZ Wizard to Configure the DMZ Settings
STEP 6
Click Submit to save your settings and exit the DMZ Wizard.
Configuring the DMZ
In the DMZ Configure window, follow these procedures to create a DMZ network.
STEP 1
Click Add to create a DMZ network.
Other Options: To edit an entry, click Edit. To delete an entry, click Delete.
The DMZ - Add/Edit window opens.
STEP 2
STEP 3
STEP 4
In the Basic Setting tab, enter the following information:
•
Name: Enter a descriptive name for the DMZ.
•
IP: Enter the subnet IP address of the DMZ.
•
Netmask: Enter the subnet mask of the DMZ.
•
Spanning Tree: Check the box to enable the Spanning Tree feature to
determine if there are loops in the network topology.
•
Port: Choose a configurable port from the Port list and click ->Access to
add it to the Member list. The selected configurable port will be set to a DMZ
port with Access mode.
•
Zone: Choose the default or custom DMZ zone to which the DMZ is mapped.
In the DHCP Pool Settings tab, choose the DHCP mode from the DHCP Server
drop-down list.
•
Disable: Choose this option if the computers on the DMZ are configured with
static IP addresses or are configured to use another DHCP server.
•
DHCP Server: Allows the security appliance to act as a DHCP server and
assigns IP addresses to all devices that are connected to the DMZ. Any new
DHCP client joining the DMZ is assigned an IP address of the DHCP pool.
•
DHCP Relay: Allows the security appliance to use a DHCP Relay. If you
choose DHCP Relay, enter the IP address of the remote DHCP server in the
Relay IP field.
If you choose DHCP Server as the DHCP mode, enter the following information:
•
Start IP: Enter the starting IP address of the DHCP pool.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
48
Wizards
Using the DMZ Wizard to Configure the DMZ Settings
•
End IP: Enter the ending IP address of the DHCP pool.
NOTE The starting and ending IP addresses should be in the same range as
the DMZ’s subnet address.
•
Lease Time: Enter the maximum connection time that a dynamic IP address
is “leased” to a network user. When the time elapses, the user is
automatically assigned a new dynamic IP address.
•
DNS 1: Enter the IP address of the primary DNS server.
•
DNS 2: Optionally, enter the IP address of a secondary DNS server.
•
WINS 1: Enter the IP address for the primary WINS server.
•
WINS 2: Optionally, enter the IP address of a secondary WINS server.
•
Domain Name: Optionally, enter the domain name for the DMZ.
•
Default Gateway: Enter the IP address of default gateway.
STEP 5
Click OK to save your settings.
STEP 6
Connect your local server to the specified DMZ port, and then configure the DMZ
service.
Configuring the DMZ Services
In the DMZ Service window, follow these procedures to configure the DMZ
services.
NOTE After you configure the DMZ services, the firewall access rules will automatically
generated by the security appliance to allow the access to the services on your
DMZ.
STEP 1
Click Add to create a DMZ service.
Other Options: To edit an entry, click Edit. To delete an entry, click Delete. To
delete multiple entries, check the boxes of multiple entries and click Delete
Selection.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
49
Wizards
Using the DMZ Wizard to Configure the DMZ Settings
The DMZ Service - Add/Edit window opens.
STEP 2
STEP 3
Enter the following information:
•
Original Service: Choose a service as the incoming service.
•
Translated Service: Choose a service as the translated service that you will
host. If the service you want is not in the list, choose Create a Service to
create a new service object. To maintain the service objects, go to the
Networking -> Service Management page. See Service Management,
page 154.
•
Translated IP: Choose the IP address of your local server that will need to
be translated. You can get the IP address after you connect your local server
to the specified DMZ port. If the IP address you want is not in the list, choose
Create an IP Address to create a new IP address object. To maintain the IP
address objects, go to the Networking -> Address Object Management
page. See Address Management, page 152.
•
WAN: Choose either WAN1 or WAN2, or both as the incoming WAN interface.
•
WAN IP: Specify the public IP address of the server. You can use the WAN’s
IP address or a public IP address that is provided by your ISP. When you
choose Both as the incoming WAN interface, this option is grayed out.
•
Enable DMZ Service: Click On to enable the DMZ service, or click Off to
create only the DMZ service.
•
Description: Enter the name for the DMZ service.
Click OK to save your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
50
Wizards
Using the Dual WAN Wizard to Configure the WAN Redundancy Settings
Using the Dual WAN Wizard to Configure the WAN
Redundancy Settings
If you have two ISP links, a backup WAN is required so that you can provide
backup connectivity or load balancing. Use the Dual WAN Wizard to configure the
WAN redundancy settings.
NOTE When the security appliance is working in the Load Balancing or Failover mode, if
one WAN link is down such as the cable is plug out, the WAN redundancy and
Policy-based Routing settings are ignored, and all traffic is handled by the active
WAN port. The WAN link means
STEP 1
Click Wizards -> Dual WAN Wizard.
The Getting Started window opens.
STEP 2
Click Begin.
The Port Configuration window opens. Specify a configurable port (from GE 6 to
GE10) as the secondary WAN interface. The dedicated physical port GE1 is set as
the primary WAN interface.
STEP 3
After you are finished, click Next.
The Primary WAN Connection window opens. Depending on the requirements of
your ISP, choose the network addressing mode from the IP Address Assignment
drop-down list for the primary WAN port and complete the corresponding fields.
The security appliance supports DHCPC, Static IP, PPPoE, PPTP, and L2TP. For
complete details, see Configuring the Network Addressing Mode, page 106.
STEP 4
After you are finished, click Next.
The Secondary WAN Connection window opens. Depending on the requirements
of your ISP, choose the network addressing mode from the IP Address
Assignment drop-down list for the secondary WAN port and complete the
corresponding fields. For complete details, see Configuring the Network
Addressing Mode, page 106.
STEP 5
After you are finished, click Next.
The WAN Redundancy Configuration window opens. From this page you can
determine how the two ISP links are used.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
51
Wizards
Using the Dual WAN Wizard to Configure the WAN Redundancy Settings
Choose the WAN redundancy mode and configure the relevant settings:
•
•
STEP 6
Weighted Load Balancing: Distributes the bandwidth to two WAN ports by
the weighted percentage or by weighted link bandwidth. If you choose this
mode, choose one of the following options:
Weighted By percentage: If you choose this option, specify the
percentage for each WAN, such as 80% percentage bandwidth for WAN1
and least 20% percentage bandwidth for WAN2.
Weighted By Link Bandwidth: If you choose this option, specify the rate
limiting for each WAN, such as 10 Mbps for WAN1 and 5 Mbps for WAN2.
Failover: Automatically directs all Internet traffic to the secondary link if the
primary link is down. When the primary link regains connectivity, all Internet
traffic is directed to the primary link and the secondary link becomes idle.
Auto Failover to: Choose either WAN1 or WAN2 as the primary link. By
default, WAN1 is set as the primary link and WAN2 is set as the backup
link. You can also set WAN2 as the primary link.
Preempt Delay Timer: Enter the time in seconds that the system will
preempt the primary link from the backup link after the primary link is up
again. The default is 5 seconds.
After you are finished, click Next.
The Network Detection window opens. From this page you can configure how to
detect the link failure.
Enter the following information:
STEP 7
•
Retry Count: Enter the number of retries. The security appliance repeatedly
tries to connect to the ISP after the link failure is detected.
•
Retry Timeout: Enter the interval value between two detection packets
(Ping or DNS detection).
•
Ping Detection-Ping using WAN Default Gateway: If you choose this
option, ping the IP address of the default WAN gateway. If the default WAN
gateway can be detected, the network connection is active.
•
DNS Detection-DNS Lookup using WAN DNS Servers: If you choose this
option, the security appliance sends out the DNS query for www.cisco.com
to the default WAN DNS server. If the DNS server can be detected, the
network connection is active.
After you are finished, click Next.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
52
Wizards
Using the Site-to-Site Wizard to Establish the Site-to-Site VPN Tunnels
The Summary window opens. The Summary window displays the summary
information for all configurations you made.
STEP 8
Click Submit to save your settings and exit the Dual WAN Wizard.
Using the Site-to-Site Wizard to Establish the Site-to-Site VPN
Tunnels
Use the Site-to-Site Wizard to configure the site-to site VPN to provide a secure
connection between two routers that are physically separated over the IPSec VPN
tunnel. It includes the following sections:
•
Using the Site-to-Site Wizard to Establish the Site-to-Site VPN tunnel,
page 53
•
Configuring the IKE Policies, page 55
•
Configuring the Transform Policies, page 57
NOTE Before you begin, you need to know the subnet address of your local and remote
networks, and import the digital certificates for authentication between the two
peers if needed.
Using the Site-to-Site Wizard to Establish the Site-to-Site VPN tunnel
STEP 1
Click Wizards -> Site-to-Site Wizard.
The Getting Started window opens.
STEP 2
Click Begin.
The VPN Peer Settings window opens. From this page you can specify the IPSec
VPN policy profile for establishing the IPSec VPN tunnel with a remote router.
Enter the following information:
•
Profile Name: Enter the name for the IPSec VPN policy profile.
•
The Interface for this VPN: Choose the WAN interface that the traffic
passes through over the IPSec VPN tunnel.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
53
Wizards
Using the Site-to-Site Wizard to Establish the Site-to-Site VPN Tunnels
•
•
STEP 3
IP Address/FQDN of Remote Peer Site: Choose one of the following
options:
Static IP: If the remote peer uses a static IP address, choose this option.
Enter the IP address of the remote device in the Address field.
Dynamic IP: If the remote peer uses a dynamic IP address, choose this
option.
FQDN (Fully Qualified Domain Name): To use the domain name of the
remote network, such as vpn.company.com, choose this option. Enter the
domain name of the remote device in the Address field.
Authentication: Specify the authentication method.
Pre-Shared Key: If you choose this option, enter the desired value that
the peer device must provide to establish a connection in the Key field,
and enter the same value in the Retype Key field for confirmation. The
pre-shared key must be entered exactly the same here and on the remote
peer.
Certificate: If you choose this option, choose the local certificate and the
peer certificate for authentication. On the remote site, the selected local
certificate should be set as the peer certificate, and the selected peer
certificate should be set as the local certificate. If the certificate you want
is not in the list, go to the Device Management -> Certificate
Management page to import the certificates. See Managing the
Certificates for Authentication, page 310.
After you are finished, click Next.
The IKE Policy window opens. You must specify the IKE policy for the IPSec VPN
policy profile. You can choose the default or a custom IKE policy. For complete
detals, see Configuring the IKE Policies, page 55.
STEP 4
After you are finished, click Next.
The Transform Policy window opens. You must specify the transform policy for the
IPSec VPN policy profile. You can choose the default or a custom transform policy.
For complete detals, see Configuring the Transform Policies, page 57.
STEP 5
After you are finished, click Next.
The Local and Remote VPN Networks window opens. Enter the following
information:
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
54
Wizards
Using the Site-to-Site Wizard to Establish the Site-to-Site VPN Tunnels
•
Local Network: Choose the IP address of the local network. If you want to
enable zone access control settings for the IPSec VPN tunnels, choose Any
for the local network.
•
Remote Network: Choose the IP address of the remote network. You must
know the IP address of the remote network before connecting the IPSec
VPN tunnel.
If the IP address object you want is not in the list, choose Create an IP
Address to add a new address object. To maintain the IP address objects,
go to the Networking -> Address Object Management page. See Address
Management, page 152.
NOTE The security appliance can support multiple subnets for IPSec VPN
tunnel, you may need to select a group address object including
multiple VLANs for local and remote network.
STEP 6
After you are finished, click Next.
The Summary window opens. The Summary window displays the summary
information for all configurations you made.
STEP 7
Click Submit to save your settings and exit the Site-to-Site Wizard.
Configuring the IKE Policies
In the IKE Policy window, follow these procedures to create a new IKE policy.
STEP 1
To add an IKE policy, click Add.
Other options: To edit an entry, click Edit. To delete an entry, click Delete.
After you click Add, the IKE Policy - Add/Edit window opens.
STEP 2
Enter the following information:
•
Name: Enter an unique name for the IKE policy.
•
Encryption: Choose the algorithm used to negotiate the security
association. There are four algorithms supported by the security appliance:
ESP_3DES, ESP_AES-128, ESP_AES-192, and ESP_AES-256.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
55
Wizards
Using the Site-to-Site Wizard to Establish the Site-to-Site VPN Tunnels
•
HASH: Specify the authentication algorithm for the VPN header. There are
two HASH algorithms supported by the security appliance: SHA1 and MD5.
NOTE Ensure that the authentication algorithm is configured identically on
both sides.
•
•
•
STEP 3
Authentication: Specify the authentication method that the security
appliance uses to establish the identity of each IPSec peer.
PRE-SHARE: Uses a simple password based key to authenticate. The
alpha-numeric key is shared with IKE peer. Pre-shared keys do not scale
well with a growing network but are easier to set up in a small network.
RSA-SIG: Uses a digital certificate to authenticate. RSA-SIG is a digital
certificate with keys generated by the RSA signatures algorithm. In this
case, a certificate must be configured in order for the RSA-Signature to
work.
D-H Group: Choose the Diffie-Hellman group identifier. The identifier is used
by two IPsec peers to derive a shared secret without transmitting it to each
other. The D-H Group sets the strength of the algorithm in bits. The default is
D-H Group 5. The lower the Diffie-Hellman group number, the less CPU time
it requires to execute. The higher the Diffie-Hellman group number, the
greater the security.
Group 2 (1024-bit)
Group 5 (1536-bit)
Group 14 (2048-bit)
Lifetime: Enter the number of seconds for the IKE Security Association to
remain valid. The default is 24 hours. As a general rule, a shorter lifetime
provides more secure ISAKMP negotiations. However, with shorter lifetimes,
the security appliance sets up future IPsec SAs more quickly.
Click OK to save your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
56
Wizards
Using the Site-to-Site Wizard to Establish the Site-to-Site VPN Tunnels
Configuring the Transform Policies
In the Transform Policy window, follow these procedures to create a new
transform policy.
STEP 1
To add an entry, click Add.
Other options: To edit an entry, click Edit. To delete an entry, click Delete.
After you click Add, the Transform Policy - Add/Edit window opens.
STEP 2
Enter the following information:
•
Name: Enter an unique name for the transform policy.
•
Integrity: Choose the hash algorithm used to ensure data integrity. The hash
algorithm ensures that a packet comes from where it says it comes from, and
that it has not been modified in transit. The default is ESP_SHA1_HMAC.
•
STEP 3
ESP_SHA1_HMAC: Authentication with SHA_1 (160-bit).
ESP_MD5_HMAC: Authentication with MD5 (128-bit). MD5 has a smaller
digest and is considered to be slightly faster than SHA_1. A successful
(but extremely difficult) attack against MD5 has occurred; however, the
HMAC variant IKE uses prevents this attack.
Encryption: Choose the symmetric encryption algorithm that protects data
transmitted between two IPSec peers. The default is ESP-3DES. The
Advanced Encryption Standard supports key lengths of 128, 192, 256 bits.
ESP_3DES: Encryption with 3DES (168-bit).
ESP_AES_128: Encryption with AES (128-bit).
ESP_AES_192: Encryption with AES (192-bit).
ESP_AES_256: Encryption with AES (256-bit).
Click OK to save your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
57
Wizards
Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote
Access
Using the Remote Access Wizard to Establish the IPSec VPN
Tunnels or SSL VPN Tunnels for Remote Access
The Remote Access Wizard helps you configure your security appliance as a
Cisco IPSec VPN server or as a SSL VPN gateway so that remote users can
securely access the corporate network resources over the VPN tunnels. It
includes the following sections:
•
Using Cisco IPSec VPN to Establish the IPSec VPN Tunnels, page 58
•
Configuring the Cisco IPSec VPN User Groups, page 63
•
Using SSL VPN to Establish the SSL VPN Tunnels, page 63
•
Configuring the SSL VPN Group Policies, page 66
•
Configuring the SSL VPN User Groups, page 69
Using Cisco IPSec VPN to Establish the IPSec VPN Tunnels
The security appliance can function as a Cisco IPSec VPN server to allow the
remote users to establish the IPSec tunnels and securely access the corporate
network resources.
The Cisco IPSec VPN server pushes the security policies to remote clients so that
remote clients have up-to-date policies in place before establishing the
connections. This flexibility allows mobile and remote users to access critical data
and applications on the corporate Intranet. The remote client can be a Cisco
device that supports the Cisco VPN hardware client or a PC running the Cisco
VPN Client software (v4.x or v5.x).
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
58
Wizards
Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote
Access
Figure 1 IPSec Remote Access with a Cisco VPN Client Software or a Cisco
Device as a Cisco VPN Hardware Client
DNS Server
10.10.10.163
Personal Computer
running Cisco VPN Client software
ISA500
as a Cisco IPSec VPN Server
Internal
network
Inside
10.10.10.0
Outside
WINS Server
10.10.10.133
STEP 1
Internet
Personal Computer
running Cisco VPN Client software
Cisco Device
as a Cisco VPN hardware client
Click Wizards -> Remote Access.
The Getting Started window opens.
STEP 2
To establish the IPSec VPN tunnel for remote access, choose Cisco IPSec VPN as
the VPN tunnel type.
STEP 3
Click Begin.
The Group Setting window opens. From this page you can specify the Cisco
IPSec VPN server group policy:
•
Group Name: Enter the name for the group policy.
•
IKE Authentication Method: Specify the authentication method.
Preshare Key: If you choose this option, enter the desired value that the
peer device must provide to establish a connection. The pre-shared key
must be entered exactly the same here and on the remote clients.
Certificate: If you choose this option, choose a local certificate and a
remote certificate for authentication. On the remote clients, the selected
local certificate should be set as the remote certificate, and the selected
remote certificate should be set as the local certificate. If the certificate
is not in the list, go to the Device Management -> Certificate
Management page to import the certificates. See Managing the
Certificates for Authentication, page 310.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
59
Wizards
Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote
Access
STEP 4
After you are finished, click Next.
The WAN Setting window opens. From this page you can choose the WAN
interface that the traffic passes through over the IPSec VPN tunnel. If you have two
links, you can enable WAN Failover to redirect the traffic to the secondary link
when the primary link is down.
•
WAN Failover: Click On to enable WAN Failover, or click Off to disable it.
NOTE To enable the WAN Failover for Cisco IPSec VPN tunnels, make sure
that the secondary WAN interface was configured and the WAN
redundancy was set to the Loab Balancing or Failover mode.
NOTE The security appliance will automatically update the local WAN
gateway for the VPN tunnel based on the configurations of the backup
WAN link. For this purpose, Dynamic DNS has to be configured
because the IP address will change due to failover, or let the remote
gateway use a dynamic IP address.
•
STEP 5
WAN Interface: Choose the WAN interface that the traffic passes through
over the IPSec VPN tunnel.
After you are finished, click Next.
The Network Setting window opens. From this page you can configure the mode
of operation. The operation mode determines whether the inside host relative to
the Cisco VPN hardware client is accessible from the corporate network over the
tunnel. Specifying a operation mode is mandatory before making a connection
because the Cisco VPN hardware client does not have a default mode. For more
information, see Modes of Operation, page 240.
•
Client: Choose this mode for the group policy that is used for both the PC
running the Cisco VPN Client software and the Cisco device that supports
the Cisco VPN hardware client. In client mode, the server can assign the IP
address to the outside interface of remote clients. To define the pool range
for the clients, enter the starting and ending IP addresses in the Start IP and
End IP fields.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
60
Wizards
Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote
Access
•
STEP 6
NEM: Choose this mode for the group policy that is only used for the Cisco
device that supports the Cisco VPN hardware client. The Cisco VPN
hardware client will obtain a private IP address from a DHCP server over the
IPSec VPN tunnel.
After you are finished, click Next.
The Access Control Setting window opens. From this page you can control the
access from the PC running the Cisco VPN Client software or the private network
of the Cisco VPN hardware client to the zones over the IPSec VPN tunnels. Click
Permit to permit the access, or click Deny. By default, the access for all zones is
permitted.
NOTE The VPN access rules that generated by the Zone Access Control settings
will be automatically added to the firewall access rule table with the priority
higher than the default access rules, but lower than the custom access rules.
STEP 7
After you are finished, click Next.
The DNS/WINS Setting window opens. From this page you can specify the DNS
and domain settings:
STEP 8
•
Primary DNS Server: Enter the IP address of the primary DNS server.
•
Secondary DNS Server: Enter the IP address of the secondary DNS server.
•
Primary WINS Server: Enter the IP address of the primary WINS server.
•
Secondary WINS Server: Enter the IP address of the secondary WINS
server.
•
Default Domain: Enter the default domain name.
After you are finished, click Next.
The Backup Server Setting window opens. From this page you can specify up to
three backup servers. When the primary server is down, the client can connect to
the backup servers.
•
Backup Server 1/2/3: Enter the IP addresses of backup servers. The
backup server 1 has the highest priority and the backup server 3 has the
lowest priority.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
61
Wizards
Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote
Access
NOTE The backup servers specified on the Cisco IPSec VPN server will be
sent to remote clients when initiating the VPN connection. The remote
clients will cache them.
•
STEP 9
Peer Timeout: Enter the time in minutes that the client retries to connect the
backup server.
After you are finished, click Next.
The Split Tunnel Setting window opens. From this page you can specify the split
tunneling settings:
•
Split Tunnel: Click On to enable the split tunneling feature, or click Off to
disable it. Split tunneling allows only the traffic that is specified by the VPN
client routes to corporate resources through the VPN tunnel. If you enable the
split tunneling feature, you need to define the split subnets. To add a subnet,
enter the IP address in the IP filed and and netmask address in the Netmask
filed, and then click Add. To delete a subnet, choose a subnet from the list
and then click Delete.
STEP 10 After you are finished, click Next.
The Cisco IPSec VPN-Group Policy Summary window opens. The Group Policy
Summary page displays the summary information for all configurations that you
made for the Cisco IPSec VPN group policy.
STEP 11 Click Next to configure the Cisco IPSec VPN user group settings.
The Cisco IPSec VPN - User Group Setting window opens. From this page you
can configure the user groups and enable the Cisco IPSec VPN service for them.
The users in the specified user group can use the Cisco IPSec VPN group policies
to establish the IPSec VPN tunnels. For complete details, see Configuring the
Cisco IPSec VPN User Groups, page 63.
STEP 12 After you are finished, click Next.
The Cisco IPSec VPN Summary window opens. The Summary page displays the
summary information for all Cisco IPSec VPN group policies and user groups you
made.
STEP 13 Click Submit to save your settings and exit the Remote Access Wizard.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
62
Wizards
Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote
Access
Configuring the Cisco IPSec VPN User Groups
In the Cisco IPSec VPN - User Group Setting window, follow these procedures to
create a Cisco IPSec VPN user group.
STEP 1
Click Add to add a Cisco IPSec VPN user group.
Other options: To edit an entry, click Edit. To delete an entry, click Delete. To
delete multiple entries, check the boxes of multiple entries and click Delete
Selection.
After you click Add, the New Group - Add/Edit window opens.
STEP 2
STEP 3
STEP 4
In the Group Settings tab, enter the following information:
•
Name: Enter an unique name that contains the letters, numbers, or underline
for the Cisco IPSec VPN user group.
•
Services: Specify the service policy for the group. The Cisco IPSec VPN
service must be enabled for this user group so that all members of the group
to securely access your network resources over the IPSec VPN tunnels.
In the Membership tab, specify the members of the user group.
•
To add a member, select an existing user from the User list and then click the
right arrow ->. The members of the groups appear in the Membership list.
•
To delete a member from the group, select the member from the
Membership list and then click the left arrow <-.
•
To create a new user, enter the user name in the User Name field and the
password in the Password field, enter the password again in the Password
Confirm field, and click Create.
Click OK to save your settings.
Using SSL VPN to Establish the SSL VPN Tunnels
Use the Remote Access Wizard to set your security appliance as a SSL VPN
gateway to establish the SSL VPN tunnels and allow remote users to securely
access the corporate network resources.
STEP 1
Click Wizards -> Remote Access.
The Getting Started window opens.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
63
Wizards
Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote
Access
STEP 2
To establish the SSL VPN tunnels for remote access, choose SSL VPN as the VPN
tunnel type.
STEP 3
Click Begin.
The SSL VPN Configuration window opens.
STEP 4
In the Gateway (Basic) area, enter the following information:
•
Gateway Interface: Choose the WAN interface that the traffic over the SSL
VPN tunnel passes through.
•
Gateway Port: Enter the port number used on the SSL VPN gateway. HTTPS
or SSL typically operates on port 443. However, the SSL VPN gateway can
also operate on a user defined port. The firewall should permit the port to
ensure delivery of packets destined for the SSL VPN gateway. The SSL VPN
clients need to enter the entire address pair “Gateway IP Address: Port
Number” for connectting purposes.
•
Certificate File: Choose a certificate to authenticate the users who want to
access your network resource through the SSL VPN tunnel.
•
Client Address Pool: The SSL VPN gateway has a configurable address
pool with maximum size of 255 which is used to allocate IP addresses to the
remote clients. Enter the IP address pool for all remote clients. The client is
assigned an IP address by the SSL VPN gateway.
NOTE Configure an IP address range that does not directly overlap with any
of addresses on your local network.
•
Client Netmask: Enter the IP address of the netmask used for SSL VPN
clients.
The Client Address Pool is used with the Client Netmask. If they are set as
follows, then the SSL VPN client will obtain a VPN address whose range is
from 10.0.0.1 to 10.0.0.254.
Client Address Pool = 10.0.0.0
Client Netmask = 255.255.255.0
•
Client Domain: Enter the domain name used for the SSL VPN clients.
•
Login Banner: After the user successfully logs into the SSL VPN server, a
configurable login banner is displayed. Enter the message text to display
along with the banner.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
64
Wizards
Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote
Access
STEP 5
STEP 6
In the Gateway (Advanced) area, enter the following information:
•
Idle Timeout: Enter the timeout value in seconds that the SSL VPN session
can remain idle.
•
Session Timeout: Enter the timeout value in seconds that the SSL VPN
session can remain connected.
•
Client DPD Timeout: Dead Peer Detection (DPD) allows detection of dead
peers. Enter the DPD timeout for client in this field.
•
Gateway DPD Timeout: Enter the DPD timeout for SSL VPN gateway in this
field.
•
Keep Alive: If you want the SSL VPN server to keep sending a message at
an interval, enter the interval value in this field.
•
Lease Duration: Enter the amount of time after which the SSL VPN client
must send an IP address lease renewal request to the server.
•
Max MTU: Enter the maximum transmission unit for the session.
•
Rekey Method: Specify the session rekey method (SSL or New Tunnel).
Rekey allows the SSL keys to be renegotiated after the session is
established.
•
Rekey Interval: Enter the frequency of the rekey in this field.
After you are finished, click Next.
The SSL VPN Group Policy window opens. From this page you can configure the
SSL VPN goup policies. For complete details, see Configuring the SSL VPN
Group Policies, page 66.
NOTE The security appliance supports up to 32 SSL VPN goup policies.
STEP 7
After you are finished, click Next.
The SSL VPN-User Group Setting window opens. From this page you can
configure the SSL VPN user groups and enable the SSL VPN service for them. The
users in the specified user group can use the selected SSL VPN group policy to
establish the SSL VPN tunnels. For complete details, see Configuring the SSL
VPN User Groups, page 69.
STEP 8
After you are finished, click Next.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
65
Wizards
Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote
Access
The SSL VPN Summary window opens. The Summary page displays the
summary information for all SSL VPN group policies and user groups you made.
STEP 9
Click Submit to save your settings and exit the Remote Access Wizard.
Configuring the SSL VPN Group Policies
In the SSL VPN Group Policy window, follow these procedures to create a SSL
VPN goup policy.
STEP 1
To add a new SSL VPN group policy, click Add.
Other options: To edit an entry, click Edit. To delete an entry, click Delete. To
delete multiple entries, check the boxes of multiple entries and click Delete
Selection.
After you click Add, the Group Policy - Add/Edit window opens.
STEP 2
STEP 3
In the Basic Settings tab, enter the following information:
•
Policy Name: Enter the name for the SSLP VPN group policy.
•
Primary DNS: Enter the IP address of the primary DNS server.
•
Secondary DNS: Enter the IP address of the secondary DNS server.
•
Primary WINS: Enter the IP address of the primary WINS server.
•
Secondary WINS: Enter the IP address of the secondary WINS server.
In the IE Proxy Settings tab, enter the following information:
The SSL VPN gateway can specify several Microsoft Internet Explorer (MSIE)
proxies for client PCs. If these settings are enabled, IE on the client PC is
automatically configured with these settings.
•
IE Proxy Policy: Choose one of the following options:
None: Allows the browser to use no proxy settings.
Auto: Allows the browser to automatically detect proxy settings.
Bypass-local: Allows the browser to bypass proxy settings that are
configured on the remote user.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
66
Wizards
Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote
Access
STEP 4
•
Address: If you choose Bypass-Local, enter the IP address or domain name
of the MSIE proxy server. It is configured as an IPv4 address or fully qualified
domain name, followed by a colon and port number, for example
xxx.xxx.xxx.xxx:80.
•
Port: Enter the port number of the MSIE proxy server.
•
IE Proxy Exception: If you choose Bypass-Local, enter the IP address or
domain name of an exception host. This option allows the browser not to
send traffic for the given hostname or IP address through the proxy.
In the Split Tunneling Settings area, enter the following information:
Split tunnel mode permits specific traffic to be carried outside of the SSL VPN
tunnel. Traffic is either included (resolved in tunnel) or excluded (resolved through
the Internet Service Provider or WAN connection). Tunnel resolution configuration
is mutually exclusive. An IP address cannot be both included and excluded at the
same time.
•
Enable Split Tunneling: By default, the SSL VPN gateway operates in full
tunnel mode which means that all of traffic from the host is directed through
the tunnel. Check the box to enable the Split Tunnel mode so that the tunnel
is used only for the traffic that is specified by the client routes.
•
Split Include: If you enable split tunneling, choose one of the following
options:
Include Traffic: Allows you to add the client routes on the SSL VPN client
so that only traffic to the destination networks redirected through the SSL
VPN tunnels.
To add a client route, enter the destination subnet to which a route is
added on the SSL VPN client in the Address field and the the subnet
mask for the destination network in the Netmask field, and then click
Add.
Exclude Traffic: Allows you to exclude the destination networks on the
SSL VPN client. The traffic to the destination networks is redirected using
the SSL VPN clients native network interface (resolved through the
Internet Service Provider or WAN connection).
To add a destination subnet, enter the destination subnet to which a route
is excluded on the SSL VPN client in the Address field and the the subnet
mask for the excluded destination in the Netmask field, and then click
Add.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
67
Wizards
Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote
Access
•
Exclude LAN: If you choose Exclude Traffic, click True to deny the SSL
VPN clients to access the local LANs over the VPN tunnel, or click False
to allow the SSL VPN clients to access the local LANs over the VPN
tunnel.
Split DNS: Split DNS provides the ability to direct DNS packets in clear text
over the Internet to domains served through an external DNS (serving your
ISP) or through a SSL VPN tunnel to domains served by the corporate DNS.
For example, a query for a packet destined for corporate.com would go
through the tunnel to the DNS that serves the private network, while a query
for a packet destined for myfavoritesearch.com would be handled by the
ISP's DNS. By default, this feature is configured on the SSL VPN gateway and
is enabled on the client. To use Split DNS, you must also have Split Tunnel
mode configured.
To add a domain to the Cisco AnyConnect VPN Client for tunneling packets
to destinations in the private network, end the domian name in the field and
then click Add. To delete a domain, select it from the list and click Delete.
STEP 5
In the Zone-based Firewall Settings area, you can control the access over the
SSL VPN tunnels.
•
Click Permit to permit the access from the SSL VPN clients to the zones.
•
Click Deny to deny the access from the SSL VPN clients to the zones.
NOTE The VPN access rules that automatically generated by the zone-
based firewall settings will be added to the firewall access rule table
with the priority higher than the default firewall ACL rules, but lower
than the custom firewall ACL rules.
STEP 6
Click OK to save your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
68
Wizards
Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote
Access
Configuring the SSL VPN User Groups
In the SSL VPN-User Group Setting window, follow these procedures to create a
SSL VPN user group.
STEP 1
Click Add to add a SSL VPN user group.
Other options: To edit an entry, click Edit. To delete an entry, click Delete. To
delete multiple entries, check the boxes of multiple entries and click Delete
Selection.
After you click Add, the New Group - Add/Edit window opens.
STEP 2
STEP 3
STEP 4
In the Group Settings tab, enter the following information:
•
Name: Enter an unique name that contains the letters, numbers, or underline
for the SSL VPN user group.
•
Services: Specify the service policy for the group. The SSL VPN service
must be enabled for this user group. Choose a SSL VPN group policy so that
all members of the group at the remote site can establish the SSL VPN
tunnels based on the selected SSL VPN group policy to access your
network resources.
In the Membership tab, specify the members of the user group.
•
To add a member, select an exsiting user from the User list and then click the
right arrow ->. The members of the groups appear in the Membership list.
•
To delete a member from the group, select the member from the
Membership list, and then click the left arrow <-.
•
To create a new member, enter the user name in the User Name field and the
password in the Password field, enter the password again in the Password
Confirm field, and click Create.
Click OK to save your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
69
3
Status
This chapter describes how to monitor the system status and performance for
your security appliance.
•
System Status, page 70
•
Interface Status, page 74
•
Wireless Status for ISA550W and ISA570W, page 79
•
Active Users, page 81
•
VPN Status, page 81
•
Reports, page 85
•
Process Status, page 92
•
Resource Utilization, page 92
To access the Status pages, click Status in the left hand navigation pane.
System Status
The Dashboard page displays the current system status. To open this page, click
Status -> Dashboard.
Router Information
System Name
The device name of your security appliance.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
70
3
Status
System Status
Firmware
(Primary/
Secondary)
The firmware version that the security appliance is
currently using (primary) and the firmware version that was
previously running (secondary). By default, the security
appliance boots up with the primary firmware.
To switch to the secondary firmware, see Using the
Secondary Firmware, page 300.
Bootloader
Version
The bootloader version.
Serial Number
The security appliance serial number.
PID
The product identifier (PID) of the security appliance, also
known as product name, model name, and product number.
UDI
The Unique Device Identifier (UDI) of the security appliance.
UID is Cisco’s product identification standard for hardware
products.
Resource Utilization
To see complete details for resource utilization, click Details.
CPU Utilization
The CPU usage.
Memory
Utilization
The allocated memory space after the security appliance
boots.
System Up Time
How long the security appliance has been running.
Licenses
Display the security license status. To manage the security license, click Manage.
Syslog Summary
Display the summary of the system event logs. Syslog entries are defined by
different severity levels. To see complete logs, click details.
Emergency
Total number of Emergency logs. Click the number link for
details.
Alert
Total number of Alert logs. Click the number link for details.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
71
3
Status
System Status
Critical
Total number of Critical logs. Click the number link for
details.
Error
Total number of Error logs. Click the number link for details.
Warning
Total number of Warning logs. Click the number link for
details.
Notification
Total number of Notification logs. Click the number link for
details.
Information
Total number of Information logs.
Site-to-Site VPN
Display the total number of Site-to-Site VPN sessions. To see complete details,
click details.
Remote Access VPN
SSL Users
Total number of active SSL VPN sessions. Click the SSL
Users link for details.
IPSec Users
Total number of active IPSec VPN sessions that initiated by
your security appliance. Click the IPSec Users link for
details. This option is available when your security
appliance is set as the Cisco IPSec VPN Server or Cisco
IPSec VPN Client.
Routing Mode
Display the routing mode between WAN and LAN. By default, the NAT mode is
enabled. Click details to enable or disable the Routing mode.
Physical Ports
To see complete details for all physical ports, click details.
Single Dedicated Port
How many WAN interfaces are set, for example, Single Dedicated Port.
Name
The name of the physical interface.
Port Type
The port type of the physical interface.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
72
3
Status
System Status
Mode
The link status of the physical interface.
WAN Mode
Display the WAN configuration mode of the security appliance (Single WAN port,
Failover, or Load Balancing). To see complete details for WAN redundancy, click
details.
WAN Interfaces
To see complete details for all WAN interfaces, click details.
WAN1 to WANx
The name of the WAN interface.
IP Address
The IP addresses assigned to the WAN interface.
LAN Interface
To see complete details for all VLANs, click details.
Index
The VLAN ID.
Name
The VLAN name.
DHCP Mode
The DHCP mode of the VLAN.
IP Address
The subnet IP address of the VLAN.
DMZ Interface
To see complete details for DMZ, click details.
Port
The configurable interface that is set as the DMZ interface.
Name
The name of the DMZ interface.
IP Address
The subnet IP address of the DMZ interface.
Wireless Interface
To see complete details for all SSIDs, click details.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
73
3
Status
Interface Status
SSID Number
The SSID ID.
SSID Name
The SSID name.
VLAN
The VLANs to which the SSID is mapped.
Client List
The number of client stations that are connected to the
SSID.
Interface Status
The Interface Status pages display the ARP entries, IP address assignment of
DHCP pool, and the status and statistic information for all Ethernet ports, WANs,
VLANs, and DMZs. It includes the following sections:
•
ARP Table, page 74
•
DHCP Pool Assignment, page 75
•
Interface, page 75
•
Interface Statistics, page 77
ARP Table
The Address Resolution Protocol (ARP) is a computer networking protocol that
determines a network host’s Link Layer or hardware address when only the
Internet Layer (IP) or Network Layer address is known.
The ARP table displays the IP addresses and corresponding MAC addresses of
the devices under your local network. To open this page, click Status -> Interface
Status -> Show ARP Table.
IP Address
Indicates the station IP address, which is associated with
the MAC address.
MAC Address
Indicates the station MAC address, which is associated
with the IP address.
Flag
Indicates the ARP entry status.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
74
3
Status
Interface Status
Device
Indicates the interface for which the ARP parameters are
defined.
DHCP Pool Assignment
The DHCP Pool Assignment page displays the IP address assignment by the
DHCP server on your security appliance. Click Refresh to refresh the data. To
open this page, click Status -> Interface Status -> DHCP Pool Assignment.
IP Address
The IP address assigned to the host or the remote device.
MAC Address
The MAC address of the host or the remote device.
Lease Start
Time
The lease starting time of the IP address.
Lease End Time
The lease ending time of the IP address.
Interface
The Interface page displays the status for all Ethernet ports, WANs, VLANs, and
DMZs. To open this page, click Status -> Interface Status -> Interface.
Ethernet Table
The Ethernet table displays the following information for all physical ports:
Port
The number of the physical port.
Name
The name of the physical port.
Enable
Shows if the physical port is enabled or disabled.
Port Type
The physical port type, such as WAN, LAN, or DMZ.
Mode
The physical port access mode. A WAN or DMZ port is
always set to Access mode and a LAN port can be set to
Access or Trunk mode.
VLAN
The VLANs to which the physical port is mapped.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
75
3
Status
Interface Status
PVID
The Port VLAN ID (PVID) to be used to forward or filter the
untagged packets coming into the port. The PVID of a Trunk
port is fixed to the DEFAULT VLAN (1).
Speed/Duplex
The duplex mode (speed and duplex setting) of the
physical port.
Link Status
Shows if the physical port is connected or not.
WAN Table
The WAN table displays the following information of all WAN interfaces:
Name
The name of the WAN interface.
WAN Type
The network addressing mode used to connect to the
Internet for the WAN interface.
Connection Time
How long the WAN interface is connected, in seconds.
Connection
Status
Shows if the WAN interface obtains an IP address
successfully or not. If yes, the connection status shows as
“Connected”.
MAC Address
The MAC address of the WAN interface.
IP Address
The IP address of the WAN interface that is accessible from
the Internet.
Netmask
The IP address of subnet mask for the WAN interface.
Gateway
The IP address of default gateway for the WAN interface.
DNS Server
The IP address of the DNS server for the WAN interface.
Physical Port
The physical interface that is associated with the WAN
interface.
Link Status
Shows if the cable is inserted to the WAN interface or not. If
the link status shows as “Not Link”, the cable may be loose
or malfunctioning.
Zone
The zone to which the WAN interface is assigned.
VLAN Table
The VLAN table displays the following VLAN information:
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
76
3
Status
Interface Status
Name
The VLAN name.
VID
The VLAN ID.
Address
The subnet IP address and netmask of the VLAN.
Physical Port
The physical ports that are assigned to the VLAN.
Zone
The zone to which the VLAN is mapped.
DMZ Table
The DMZ table displays the following DMZ information:
Name
The DMZ name.
VID
The VLAN ID.
Address
The subnet IP address and netmask of the DMZ.
Physical Port
The physical port that is assigned to the DMZ.
Zone
The zone to which the DMZ is mapped.
Interface Statistics
The Interface Statistics page displays the traffic data for active physical ports,
WANs, VLANs, and DMZs. This page is automatically updated every 10 seconds.
To open this page, click Status -> Interface Status -> Interface Statistics.
Ethernet Table
The Ethernet table displays the traffic data for all active physical ports:
Port
The name of the physical port.
Link Status
Shows if the port is connected or not.
Tx Pxts
The number of IP packets going out of the port.
Rx Pxts
The number of IP packets received by the port.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
77
3
Status
Interface Status
Collisions
The number of signal collisions that have occurred on this
port. A collision occurs when the port tries to send data at
the same time as a port on the other router or computer that
is connected to this port.
Tx B/s
The number of bytes going out of the port per second.
Rx B/s
The number of bytes received by the port per second.
Up Time
How long the port has been active. The uptime is reset to
zero when the security appliance or the port is restarted.
WAN Table
The WAN table displays the traffic statistic information for all WAN ports:
Name
The name of the WAN port.
Tx Pkts
The number of IP packets going out of the WAN port.
Rx Pkts
The number of IP packets received by the WAN port.
Collisions
The number of signal collisions that have occurred on this
WAN port.
Tx B/s
The number of bytes going out of the WAN port per
second.
Rx B/s
The number of bytes received by the WAN port per
second.
Up Time
How long the WAN port has been active. The uptime is
reset to zero when the security appliance or the WAN port
is restarted.
VLAN Table
The VLAN table displays the flow statistic information for all VLANs:
Name
The VLAN name.
Tx Pkts
The number of IP packets going out of the VLAN.
Rx Pkts
The number of IP packets received by the VLAN.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
78
3
Status
Wireless Status for ISA550W and ISA570W
Collisions
The number of signal collisions that have occurred on this
VLAN.
Tx B/s
The number of bytes going out of the VLAN per second.
Rx B/s
The number of bytes received by the VLAN per second.
Up Time
How long the LAN port has been active.
DMZ Table
The DMZ table displays the flow statistic information for all DMZs:
Name
The name of the DMZ.
Tx Pkts
The number of IP packets going out of the DMZ.
Rx Pkts
The number of IP packets received by the DMZ.
Collisions
The number of signal collisions that occurred on the DMZ.
Tx B/s
The number of bytes going out of the DMZ per second.
Rx B/s
The number of bytes received by the DMZ per second.
Up Time
How long the DMZ port has been active.
Poll Interval
Enter a value in seconds for the poll interval. This causes the page to re-read the
statistic information from the security appliance and refreshes the page
automatically.
To modify the poll interval, click Stop and then click Start to restart the automatic
refresh by using the specified poll interval.
Wireless Status for ISA550W and ISA570W
Use the Wireless pages to view the wireless status and the number of client
stations that are connected to the SSIDs. It includes the following sections:
•
Wireless Status, page 80
•
Client Status, page 81
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
79
3
Status
Wireless Status for ISA550W and ISA570W
Wireless Status
The Wireless Status page displays the cumulative total of relevant wireless
statistics for all active SSIDs. The counters is reset when the security appliance
reboots. To open this page, click Status -> Wireless -> Wireless Status.
Wireless Table
The security appliance may have multiple SSIDs enabled and configured
concurrently. This table displays the following information of all active SSIDs.
SSID Number
The SSID ID.
SSID Name
The SSID name.
MAC
The MAC address of the SSID.
VLAN
The VLAN to which the SSID is mapped.
Client List
The number of client stations that are connected to the
SSID.
Wireless Statistics Table
This table displays the traffic data for a given SSID.
Name
The SSID name.
Tx Pkts
The number of transmitted packets on the SSID.
Rx Pkts
The number of received packets on the SSID.
Collisions
The number of packet collisions reported to the SSID.
Tx B/s
The number of transmitted bytes of information on the
SSID.
Rx B/s
The number of received bytes of information on the SSID.
Up Time
How long the SSID has been active.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
80
3
Status
Active Users
Client Status
The Client Status page displays the MAC address and IP address of all client
stations that are already connected to each SSID. Click Refresh to refresh the
data. To open this page, click Status -> Wireless -> Client Status.
Active Users
The Active Users page displays all active users who are currently logged into the
security appliance. Click the Logout button to terminate an active user session. To
open this page, click Status -> Active Users.
You can check the following user session information.
User Name
The name of the logged user.
Address
Information
The host IP address from which the user accessed the
security appliance.
Login Method
How the user logs into the security appliance, such as web
login, SSL VPN, or Cisco IPSec VPN.
Session Time
How long the user logged into the security appliance.
VPN Status
The VPN Status pages display the status and statistic information of IPSec and
SSL VPN sessions. You can manually connect or disconnect the VPN tunnels. It
includes the following sections:
•
IPSec VPN Status, page 82
•
SSL VPN Status, page 83
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
81
3
Status
VPN Status
IPSec VPN Status
The VPN Table page displays the status and statistic information for IPsec VPN
sessions. To open this page, click Status -> VPN Status -> VPN Table.
Status for all IPSec VPN Sessions
The Active Sessions tab displays the following IPsec VPN session information:
Name
The name of the IPSec VPN policy that is used for the VPN
session.
VPN Type
The connection type of the IPSec VPN session, such as
Site-to-Site, Cisco IPSec VPN Server, or Cisco IPSec VPN
Client.
WAN Interface
The WAN interface used for the IPSec VPN session.
Remote
Gateway
The IP address of the remote gateway for a Site-to-Site
VPN session or the IP address of the remote VPN client for
a Cisco IPSec VPN session.
Local Network
The subnet IP address and netmask of your local network.
Remote Network
The subnet IP address and netmask of the remote network.
Connect
Click this button to manually establish a VPN connection.
Disconnect
Click this button to manually terminate an active VPN
connection.
Statistics for all active IPSec VPN Sessions
The IPSec VPN Statistic tab displays the statistic information for all active IPsec
VPN sessions:
Name
The name of the IPSec VPN policy used for the VPN
session.
VPN Type
The connection type of the IPSec VPN session.
WAN Interface
The WAN interface used for the IPSec VPN session.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
82
3
Status
VPN Status
Remote
Gateway
The IP address of the remote gateway for a Site-to-Site
VPN session or the IP address of the remote VPN client for
a Cisco IPSec VPN session.
Tx Bytes
The volume of traffic in Kilobytes transmitted from the VPN
tunnel.
Rx Bytes
The volume of traffic in Kilobytes received from the VPN
tunnel.
Tx Pkts
The number of IP packets transmitted from the VPN tunnel.
Rx Pkts
The number of IP packets received from the VPN tunnel.
SSL VPN Status
The SSL VPN Monitoring page displays the status and traffic statistic information
of all SSL VPN sessions. To open this page, click Status -> VPN Status ->
SSLVPN Monitoring.
Status of all Active SSL VPN Sessions
The Sessions tab displays the following information of all active SSL VPN
sessions:
Session ID
The SSL VPN session ID.
User Name
The name of the connected SSL VPN user.
Client IP (Actual)
The actual IP address used by the SSL VPN client.
Client IP (VPN)
The virtual IP address assigned by the SSL VPN gateway.
Time Connected
The amount of time since the user first established the
connection.
Disconnect
Click this button to terminate an active SSL VPN session
and hence the associated SSL VPN tunnel.
Disconnect All
Click this button to terminate all active SSL VPN sessions
and hence the associated SSL VPN tunnels.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
83
3
Status
VPN Status
Statistics for all SSL VPN Sessions or for a single SSL VPN session
The Statistic tab displays the global statistic information for all active SSL VPN
sessions or for each SSL VPN session.
In the Global Status area, the global statistic information is displayed. To clear the
global statistic information, click Clear Global.
Active Users
The number of all connected SSL VPN users.
In CSTP frames
The number of CSTP frames received from all clients.
In CSTP bytes
The total number of bytes in the CSTP frames received
from all clients.
In CSTP data
The number of CSTP data frames received from all clients.
In CSTP control
The number of CSTP control frames received from all
clients.
Out CSTP
frames
The number of CSTP frames sent to all clients.
Out CSTP bytes
The total number of bytes in the CSTP frames sent to all
clients.
Out CSTP data
The number of CSTP data frames sent to all clients.
Out CSTP
control
The number of CSTP control frames sent to all clients.
The following statistic information for each SSL VPN session is displayed in the
table. To clear the statistic information of a single SSL VPN session, click Clear.
Session ID
The SSL VPN session ID.
In CSTP frames
The number of CSTP frames received from the client.
In CSTP bytes
The total number of bytes in the CSTP frames received
from the client.
In CSTP data
The number of CSTP data frames received from the client.
In CSTP control
The number of CSTP control frames received from the
client.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
84
3
Status
Reports
Out CSTP
frames
The number of CSTP frames sent to the client.
Out CSTP bytes
The total number of bytes in the CSTP frames sent to the
client.
Out CSTP data
The number of CSTP data frames sent to the client.
Out CSTP
control
The number of CSTP control frames sent to the client.
NOTE CSTP is a Cisco proprietary protocol for SSL VPN tunneling. “In” means “from the
client” and “Out” means “to the client”. The client is the PC running the Cisco
AnyConnect VPN Client software that connects to the security appliance running
the SSL VPN server. A CSTP frame is a packet that carrying CSTP protocol
information. There are two major frame types, control frames and data frames.
Control frames implement control functions within the protocol. Data frames carry
the client data, such as the tunneled payload.
Reports
The security appliance provides the report ability to help the operator or
administrator analyze the system performance and security. It includes the
following sections:
•
Reports of Event Logs, page 86
•
Reports of WAN Bandwidth, page 87
•
Reports of Security Services, page 87
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
85
3
Status
Reports
Reports of Event Logs
The security appliance can perform a rolling analysis of the event logs. The Report
page displays the top 25 most frequently accessed websites, the top 25 users of
bandwidth usage, and the top 25 services that consume the most bandwidth.
CAUTION Enabling the IP Bandwidth, Service Bandwidth, and TopN Web reports consumes
additional system resources and may impact the system performance. Go to the
Status -> Dashboard page to view the CPU and memory utilization. To conserve
the system resources, disable the reports when they are no longer needed.
STEP 1
To open the Report page, click Status -> Report -> Report.
STEP 2
Click On to enable a report, or click Off to disable a report.
STEP 3
Click Save to save your settings.
STEP 4
If you enable a report, choose this report from the Type drop-down list, the
corresponding statistic information is displayed.
•
IP Bandwidth: This report lists the top 25 users of bandwidth usage. It
displays the number of megabytes transmitted per IP address since the
system is up.
•
Service Bandwidth: This report lists the top 25 Internet services that
consume the most bandwidth. It displays the number of megabytes
received from the service since the system is up.
This report is helpful to determine whether the services being used are
appropriate for your organization. If the services such as video or push
broadcasts are consuming a large portion of the available bandwidth, you
can block them.
•
Web Vistor: This report lists the top 25 most frequently accessed websites.
It displays the number of hits to a website since the system is up.
This report ensures that the majority of web access is to appropriate
websites. If inappropriate sites appear in this report, you can block the
websites. For more information on blocking inappropriate websites, see
Configuring the Content Filtering to Control Access to Internet,
page 201, or Web URL Filter, page 226.
Click on the domain name or site name of a website to open that site in a new
prompt window to see what this website is about.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
86
3
Status
Reports
STEP 5
Click Refresh Data to update the data on the screen or click Reset Data to reset
the values to zero.
Reports of WAN Bandwidth
The WAN Bandwidth report displays the run-time WAN network bandwidth usage
by hour in the past 24 hours.
STEP 1
Click Status -> Report -> WAN Bandwidth.
STEP 2
Check the Enable WAN Bandwidth box to enable this report.
STEP 3
Click Save to save your settings.
STEP 4
After you enable this report, in the Primary WAN tab, you can see the run-time
network bandwidth usage for the primary WAN interface by hour in the past 24
hours.
STEP 5
If a secondary WAN interface is configured, in the Secondary WAN tab, you can
see the run-time network bandwidth usage for the secondary WAN interface by
hour in the past 24 hours.
STEP 6
Click Reset to reset the network bandwidth usages for both the primary WAN and
secondary WAN interfaces.
Reports of Security Services
The Security Services page displays the statistical information for all enabled
security services. To open the pages, click Status -> Report -> Security
Services. It includes the following sections:
•
Web Security Blocked Report, page 88
•
Anti-Virus Report, page 88
•
Email Security Report, page 89
•
Network Reputation Report, page 90
•
IPS Policy Protocol Inspection Report, page 90
•
IM and P2P Blocking Report, page 91
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
87
3
Status
Reports
NOTE The reports for the security services are provided only if the corresponding
security services are enabled.
Web Security Blocked Report
This report displays the number of web access requests logged and the number
of websites blocked by the Web URL Filter service, Web Reputation Filter service,
or both.
In the Web Security Blocked Report tab, check the Enable Web Security
Blocked Report box to enable this report, and then click Save to save your
settings.
After you enable this report, the corresponding statistic information is displayed.
Device System
Date
The current date for counting the data.
Total since the
service was
actived
The total number of web access requests processed and
the total number of websites blocked since the Web URL
Filter service, Web Reputation Filter service, or both were
enabled.
Total for last 7
days
The total number of web access requests processed and
the total number of websites blocked in last seven days.
Total for today
The total number of web access requests processed and
the total number of websites blocked in one day.
Graph
Shows the total number of web access requests
processed and the total number of websites blocked by
day for last seven days.
Anti-Virus Report
This report displays the number of files checked and the number of viruses
detected by the Anti-Virus service.
In the Anti-Virus tab, check the Enable Anti-Virus Report box to enable this
report, and then click Save to save your settings.
After you enable this report, the corresponding statistic information is displayed.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
88
3
Status
Reports
Device System
Date
The current date for counting the data.
Total since the
service was
actived
The total number of files checked and the total number of
viruses detected since the Anti-Virus service was enabled.
Total for last 7
days
The total number of files checked and the total number of
viruses detected in last seven days.
Total for today
The total number of files checked and the total number of
viruses detected in one day.
Graph
Shows the total number of files checked and the total
number of viruses detected by day for last seven days.
Email Security Report
This report displays the number of emails checked and the number of spams or
supposed spams detected by the Email Reputation Filter service.
In the Email Security Report tab, check the Enable Email Security Report box to
enable this report, and then click Save to save your settings.
After you enable this report, the corresponding statistic information is displayed.
Device System
Date
The current date for counting the data.
Total since the
service was
actived
The total number of emails checked and the total number of
spams or supposed spams detected since the Email
Reputation Filter service was enabled.
Total for last 7
days
The total number of emails checked and the total number of
spams or supposed spams detected in last seven days.
Total for today
The total number of emails checked and the total number of
spams or supposed spams detected in one day.
Graph
Shows the total number of emails checked and the total
number of spams or supposed spams detected by day for
last seven days.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
89
3
Status
Reports
Network Reputation Report
This report displays the total number of packets checked and the number of
packets blocked by the Network Reputation service.
In the Network Reputation Report tab, check the Enable Network Reputation
Report box to enable this report, and then click Save to save your settings.
After you enable this report, the corresponding statistic information is displayed.
Device System
Date
The current date for counting the data.
Total since the
service was
actived
The total number of packets checked and the total number
of packets blocked since the Network Reputation service
was enabled.
Total for last 7
days
The total number of packets checked and the total number
of packets blocked in last seven days.
Total for today
The total number of packets checked and the total number
of packets blocked in one day.
Graph
Shows the total number of packets checked and the total
number of packets blocked by day for last seven days.
IPS Policy Protocol Inspection Report
This report displays the total number of packets for suspicious behaviors and
attacks (such as Denial-of-Service attacks, malware, and backdoor exploits)
detected and the number of packets dropped by the IPS service.
In the IPS Policy Protocol Inspection tab, check the Enable IPS Policy Protocol
Inspection Report box to enable this report, and then click Save to save your
settings.
After you enable this report, the corresponding statistic information is displayed.
Device System
Date
The current date for counting the data.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
90
3
Status
Reports
Total since the
service was
actived
The total number of packets for suspicious behaviors and
attacks detected and the total number of packets dropped
since both the IPS service and the IPS Policy and Protocol
Inspection were enabled.
Total for last 7
days
The total number of packets for suspicious behaviors and
attacks detected and the total number of packets dropped
in last seven days.
Total for today
The total number of packets for suspicious behaviors and
attacks detected and the total number of packets dropped
in one day.
Graph
Shows the total number of packets for suspicious behaviors
and attacks detected and the total number of packets
dropped by day for last seven days.
IM and P2P Blocking Report
This report displays the number of packets for the predefined Instant Message
(IM) and Peer-to-Peer (P2P) applications detected, and the number of packets
blocked by the IPS service.
In the IM and P2P Blocking tab, check the Enable IM and P2P Blocking Report
box to enable this report, and then click Save to save your settings.
After you enable this report, the corresponding statistic information is displayed.
Device System
Date
The current date for counting the data.
Total since the
service was
actived
The total number of packets for the predefined IM and P2P
applications detected and the total number of packets
blocked since both the IPS service and the IM & P2P
Blocking were enabled.
Total for last 7
days
The total number of packets for the predefined IM and P2P
applications detected and the number of packets blocked
in the last seven days.
Total for today
The total number of packets for the predefined IM and P2P
applications detected and the number of packets blocked
in one day.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
91
3
Status
Process Status
Graph
Shows the total number of packets for the predefined IM
and P2P applications detected and the total number of
packets blocked by day for last seven days.
Process Status
The Process Status page displays the status for all sockets and the processes to
which each socket belongs. To open this page, click Status -> Process Status.
Name
The process name that is running on your security
appliance.
Description
A brief description for the running process.
Protocol
The protocol that is used by the socket.
Port
The port number of the local end of the socket.
Local Address
The IP address of the local end of the socket.
Foreign Address
The IP address of the remote end of the socket.
Resource Utilization
The Resource Utilization page displays the overall CPU and memory utilizations.
To open this page, click Status -> Resource Utilization.
CPU Utilization
CPU Usage by User
The percentage of CPU resource used by user space
processes since the security appliance boots up.
CPU Usage by kernal
The percentage of CPU resource used by kernel
space processes since the security appliance boots
up.
CPU Idle
The percentage of CPU idle since the security
appliance boots up.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
92
3
Status
Resource Utilization
CPU Waiting for I/O
The percentage of CPU waiting for I/O since the
security appliance boots up.
Memory Utilization
Total Memory
The total amount of memory space available on the
security appliance.
Used Memory
The amount of memory space used by the processes
at current time.
Free Memory
The amount of memory space not used by the
processes at current time.
Cached Memory
The amount of memory space used as cache at
current time.
Buffer Memory
The amount of memory space used as buffers at
current time.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
93
4
Networking
This chapter describes how to configure your Internet connection, VLAN, DMZ,
zones, routing, Quality of Service, and related features. It includes the following
sections:
•
Configuring IP Routing Mode, page 95
•
Port Management, page 95
•
Configuring the WAN, page 101
•
Configuring the WAN Redundancy, page 112
•
Configuring the VLAN, page 118
•
Configuring the DMZ, page 123
•
Configuring the Zones, page 127
•
Configuring the Routing, page 130
•
Dynamic DNS, page 136
•
IGMP, page 138
•
VRRP, page 139
•
Configuring the Quality of Service, page 140
•
Address Management, page 152
•
Service Management, page 154
To access the Networking pages, click Networking in the left hand navigation
pane.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
94
4
Networking
Configuring IP Routing Mode
Configuring IP Routing Mode
Internet Protocol Version 6 (IPv6) is a new IP protocol designed to replace IPv4, the
Internet protocol that is predominantly deployed and extensively used throughout
the world. IPv6 quadruples the number of network address bits from 32 bits (in
IPv4) to 128 bits, resulting in an exponentially larger address space. You can
configure the security appliance to support IPv6 addressing on the WAN, LAN, and
DMZ.
By default, only IPv4 addressing is supported. If you need to configure IPv6
addressing, enable the IPv4/IPv6 mode.
STEP 1
Click Networking -> IPv4/IPv6 Routing Mode.
The IPv4/IPv6 Routing Mode window opens.
STEP 2
Click IPv4/IPv6 mode to enable both IPv4 and IPv6 addressing, or click IPv4 only
mode to enable only IPv4 addressing.
STEP 3
Click Save to save your settings.
Port Management
This section describes how to configure the physical ports, enable or disable the
port mirroring, and configure 802.1X access control settings on the physical ports.
It includes the following topics:
•
Viewing the Status of Physical Interfaces, page 95
•
Configuring the Physical Interfaces, page 96
•
Configuring 802.1X Access Control on Physical Ports, page 98
•
Configuring the Port Mirroring, page 100
Viewing the Status of Physical Interfaces
STEP 1
Click Networking -> Port -> Physical Interface.
The Physical Interface window opens.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
95
4
Networking
Port Management
In the Physical Interfaces area, all physical ports available on your security
appliance are listed in the table. The following information is displayed:
•
Name: The name of the physical port.
•
Enable: Shows if the physical port is enabled or disabled.
•
Port Type: The physical port type, such as WAN, LAN, or DMZ. The type of
the dedicated WAN and LAN ports cannot be changed, but the type of the
configurable ports can be set to LAN, WAN, or DMZ.
•
Mode: The physical port access mode. A WAN or DMZ port is always set to
Access mode. A LAN port can be set to Access or Trunk mode.
•
VLAN: The VLANs to which the physical port is mapped.
•
PVID: The Port VLAN ID (PVID) to be used to forward or filter the untagged
packets coming into port. The PVID of a trunk port is fixed to the DEFAULT
VLAN (1).
•
Speed/Duplex: The duplex mode (speed and duplex setting) of the physical
port.
•
Link Status: Shows if the physical port is connected or not.
If you are using the ISA550W or ISA570W, in the Wireless Interfaces area, all
active SSIDs available on your security appliance are listed in the table. The
following information is displayed:
•
SSID Name: The SSID name.
•
VLAN: The VLAN to which the SSID is mapped.
•
Client List: The number of client stations that are connected to the SSID.
To configure the wireless radio and connectivity settings, go to the Wireless
pages. See Wireless Configuration for ISA550W and ISA570W.
Configuring the Physical Interfaces
You can enable or disable a physical interface, assign the physical interfaces to
VLANs, and configure the duplex mode.
STEP 1
Click Networking -> Port -> Physical Interface.
The Physical Interface window opens.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
96
4
Networking
Port Management
STEP 2
To edit the setting of a physical port, click Edit.
After you click Edit, the Ethernet Configuration - Add/Edit window opens.
STEP 3
Enter the following information:
•
Name: The name of the physical port.
•
Port Type: The physical port type, such as WAN , LAN, or DMZ.
•
Mode: Choose either Access or Trunk mode for a LAN port, and choose
Access mode for a WAN or DMZ port. By default, all ports are set to Access
mode.
Access: All data going into and out of the Access port is untagged.
Access mode is recommended if the port is connected to a single enduser device which is VLAN unaware.
Trunk: All data going into and out of the Trunk port is tagged. Untagged
data coming into the port is not forwarded, except for the DEFAULT VLAN,
which is untagged. Trunk mode is recommended if the port is connected
to a VLAN-aware switch or router.
•
Port: Click On to enable the port, or click Off to disable it. By default, all ports
are enabled.
•
VLAN: You can assign the physical port to VLANs.
To assign the port to a VLAN, choose an existing VLAN from the Availbale
VLAN list and click the right arrows >> to add it to the VLAN list.
To release the port from a VLAN, choose a VLAN from the VLAN list and
click the left arrows <<.
NOTE A LAN port can be assigned to multiple VLANs, but an Access LAN
port can only be assigned to one VLAN. A DMZ port must be assigned
to a DMZ network.
NOTE To create new VLANs, click Create VLAN. For more information about
how to configure the VLANs, see Configuring the VLAN, page 118.
•
Flow Control: Click On to control the flow on the port, or click Off to disable
it.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
97
4
Networking
Port Management
•
Speed: Choose one of these options: AUTO, 10 Mbps, 100 Mbps, and 1000
Mbps. The default is AUTO for all ports. The AUTO option lets the system and
network determine the optimal port speed.
•
Duplex: Choose either Half Duplex or Full Duplex based on the port support.
The default is Full Duplex for all ports.
Full: Indicates that the port supports transmissions between the device
and the client in both directions simultaneously.
Half: Indicates that the port supports transmissions between the device
and the client in only one direction at a time.
STEP 4
Click OK to save your settings.
STEP 5
Repeat the above steps to edit the settings for other physical ports.
STEP 6
Click Save to apply your settings.
Configuring 802.1X Access Control on Physical Ports
Port-Based Access Control configures IEEE 802.1X port-based authentication to
prevent unauthorized devices (802.1X-capable clients) from gaining access to the
network.
The IEEE 802.1X standard defines a client-server-based access control and
authentication protocol that restricts unauthorized devices from connecting to a
LAN through publicly accessible ports. The authentication server authenticates
each client (supplicant in Windows 2000, XP, Vista, Windows 7, and Mac OS)
connected to a port before making available any service offered by the security
appliance or the LAN.
Until the client is authenticated, 802.1X access control allows only Extensible
Authentication Protocol over LAN (EAPOL) traffic through the port to which the
client is connected. After authentication is successful, normal traffic can pass
through the port.
This feature simplifies the security management by allowing you to control access
from a master database in a single server (although you can use up to three
RADIUS servers to provide backups in case access to the primary server fails). It
also means that user can enter the same authorized RADIUS username and
password pair for authentication, regardless of which switch is the access point
into the LAN.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
98
4
Networking
Port Management
STEP 1
Click Networking -> Port -> Port-Based Access Control.
The Port-Based Access Control window opens.
STEP 2
Specify the RADIUS servers for authentication.
The security appliance predefines three RADIUS groups. You can choose a
predefined RADIUS group from the RADIUS Index drop-down list to authenticate
the users on 802.1X-capable clients. The RADIUS server settings of the selected
group are displayed. You can also edit the RADIUS server settings here but the
settings that you specify will replace the default settings of the selected group.
For more information, see Configuring the RADIUS Servers, page 319.
STEP 3
To configure the access control settings for a physical port, click Edit in the Action
column.
The Port-Base Access Control window opens.
STEP 4
STEP 5
Enter the following information:
•
Access Control: Check the box to enable 802.1X access control. This
feature is not available for Trunk ports.
•
Authenticated VLAN: If you enable 802.1X access control, choose the
authenticated VLAN to which this port is assigned. The users who
authenticated successfully can access the authenticated VLAN through the
port. If the authentication fails, block the access on the port.
•
Guest Authenticated: If you enable 802.1X access control, check the box to
enable Guest Authentication.
•
Authenticated VLAN: If you enable Guest Authentication, choose the guest
VLAN to be associated with the port. If the authentication fails, the port is
assigned to the selected guest VLAN instead of shutting down. For 802.1Xincapable clients, the port is also assigned to the selected guest VLAN when
Guest Authentication is enabled.
You can perform other actions as follows:
•
Access Control: Check the box in this column to enable 802.1X access
control, or uncheck the box to disable it.
•
Guest Authentication: After you enable 802.1X access control, check the
box in this column to enable Guest Authentication, or uncheck the box to
disable it.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
99
4
Networking
Port Management
STEP 6
•
Forced Authentication: Disables 802.1X access control and causes the port
to transition to the authorized state without any authentication exchange
required. The port transmits and receives normal traffic without 802.1Xbased authentication of the client.
•
Forced Unauthentication: Causes the port to remain in the unauthorized
state, ignoring all attempts by the client to authenticate. The security
appliance cannot provide authentication services to the client through the
port.
•
Auto: Enables 802.1X access control and causes the port to begin in the
unauthorized state, allowing only EAPOL frames to be sent and received
through the port. The authentication process begins when the link state of
the port transitions from down to up, or when an EAPOL-start frame is
received. The security appliance requests the identity of the client and
begins relaying authentication messages between the client and the
authentication server. Each client attempting to access the network is
uniquely identified by the security appliance by using the client's MAC
address.
Click Save to apply your settings.
Configuring the Port Mirroring
Port Mirroring allows the traffic on one port to be visible on other ports. This
feature is useful for debugging or traffic monitoring.
NOTE The dedicated WAN port (GE1 ) can not be set as a destination or monitored port.
STEP 1
Click Networking -> Port -> Port Mirroring.
The Port Mirroring window opens.
STEP 2
Click On to enable port mirroring, or click Off to disable it.
STEP 3
If you enable port mirroring, enter the following information:
•
TX Destination: Choose the port that monitors the tranmitted traffic for other
ports.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
100
4
Networking
Configuring the WAN
STEP 4
•
TX Monitored Ports: Check the boxes of the ports that are monitored. The
port that you set as a TX Destination port cannot be selected as a monitored
port.
•
RX Destination: Choose the port that monitors the received traffic for other
ports.
•
RX Monitored Ports: Check the boxes of the ports that are monitored. The
port that you set as a RX Destination port cannot be selected as a monitored
port.
Click Save to apply your settings.
Configuring the WAN
By default, the security appliance is configured to receive a public IP address from
your ISP automatically through DHCP. Depending on the requirements of your ISP,
you may need to modify the WAN settings to ensure Internet connectivity.
This section describes how to configure the WAN connections by using the
account information provided by your ISP. It includes the following sections:
•
Configuring the Primary WAN, page 101
•
Configuring the Secondary WAN, page 104
•
Configuring the Network Addressing Mode, page 106
•
Configuring the PPPoE Profiles, page 111
Configuring the Primary WAN
STEP 1
Click Networking -> WAN.
The WAN window opens.
STEP 2
To edit the settings of the primary WAN, click Edit.
After you click Edit, the WAN - Add/Edit window opens.
STEP 3
In the IPv4 tab, enter the following information:
•
Physical Port: The physical port associated with the primary WAN.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
101
4
Networking
Configuring the WAN
•
WAN Name: The name of the primary WAN (WAN1).
•
IP Address Assignment: Choose the network addressing mode for the
primary WAN depending on the requirements of your ISP. The security
appliance supports DHCPC, Static IP, PPPoE, PPTP, and L2TP. For complete
details to configure the network addressing mode, see Configuring the
Network Addressing Mode, page 106.
•
DNS Server Source: DNS servers map Internet domain names (example:
www.cisco.com) to IP addresses. You can get DNS server addresses
automatically from your ISP or use ISP-specified addresses.
•
STEP 4
Get Dynamically from ISP: Choose this option if you have not been
assigned a static DNS IP address.
Use These DNS Servers: Choose this option if your ISP assigned a static
DNS IP address. Also enter the addresses for the DNS1 and DNS2 fields.
MAC Address Source: Specify the MAC address for the primary WAN.
Typically, you can use the unique 48-bit local Ethernet address of the
security appliance as your MAC address source.
Use Default MAC Address: Choose this option to use the default MAC
address.
Use the Following MAC Address: If your ISP requires MAC
authentication and another MAC address has been previously registered
with your ISP, choose this option and enter the MAC address that your ISP
requires for this connection.
•
MAC Address: Enter the MAC Address in the format xx:xx:xx:xx:xx:xx where
x is a number from 0 to 9 (inclusive) or an alphabetical letter between A and
F (inclusive), for example, 01:23:45:67:89:ab.
•
Zone: The primary WAN must be mapped to an untrusted zone. The WAN
zone is the default unstrusted zone. Click Create Zone to create other
untrusted zones. See Configuring the Zones, page 127.
In the IPv6 tab, specify the IPv6 addressing if you enable the IPv4/IPv6 mode.
•
IP Address Assignment: Choose Static IP if your ISP assigned a fixed
(static or permanent) IP address. If you were not assigned a static IP address,
choose SLAAC. By default, your security appliance is configured to be a
DHCPv6 client of the ISP, with stateless address auto-configuration
(SLAAC).
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
102
4
Networking
Configuring the WAN
SLAAC: SLAAC provides a convenient method to assign IP addresses to
IPv6 nodes. This method does not require any human intervention from
an IPv6 user. If you choose SLAAC, the security appliance can generate
its own addresses using a combination of locally available information
and information advertised by routers.
Static IP: If your ISP assigned a static IPv6 address, configure the IPv6
WAN connection in the following fields:
IPv6 Address: Enter the static IP address that was provided by your ISP.
IPv6 Prefix Length: The IPv6 network (subnet) is identified by the initial
bits of the address called the prefix. All hosts in the network have the
identical initial bits for their IPv6 address. Enter the number of common
initial bits in the network’s addresses. The default prefix length is 64.
Default IPv6 Gateway: Enter the IPv6 address of the gateway for your
ISP. This is usually provided by the ISP or your network administrator.
Primary DNS Server: Enter a valid IP address of the primary DNS Server.
Secondary DNS Server (Optional): Optionally, enter a valid IP address
of the secondary DNS Server.
STEP 5
Click OK to save your settings.
STEP 6
Click Save to apply your settings.
NOTE Next steps:
•
To configure another ISP link, click Add. See Configuring the Secondary
WAN, page 104.
•
To create multiple PPPoE profiles, go to the Networking -> PPPoE Profile
page. See Configuring the PPPoE Profiles, page 111.
•
To determine how the two ISP links are used, you first need to add a
secondary WAN port, and then configure the WAN redundancy settings.
See Configuring the WAN Redundancy, page 112.
•
If you are having problems with your WAN connection, see the Internet
Connection, page 333 in Troubleshooting, page 333.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
103
4
Networking
Configuring the WAN
Configuring the Secondary WAN
A secondary WAN is required to set up two ISP links for your network. You can use
one link as the primary link and another link for backup purposes, or you can
configure the load balancing to use both links simultaneously.
STEP 1
Click Networking -> WAN.
The WAN window opens.
STEP 2
To add the secondary WAN, click Add.
After you click Add, the WAN - Add/Edit window opens.
STEP 3
In the IPv4 tab, enter the following information:
•
Physical Port: Choose a configurable port for the secondary WAN. The
selected configurable port is set to a WAN port. Up to two WAN interfaces
can be configured for the security appliance, which means that only one
configurable port can be set as a WAN port.
•
WAN Name: The name of the secondary WAN (WAN2).
•
IP Address Assignment: Choose the network addressing mode for the
secondary WAN depending on the requirements of your ISP. For complete
details, see Configuring the Network Addressing Mode, page 106.
•
DNS Server Source: DNS servers map Internet domain names (example:
www.cisco.com) to IP addresses. You can get DNS server addresses
automatically from your ISP or use ISP-specified addresses.
•
Get Dynamically from ISP: Choose this option if you have not been
assigned a static DNS IP address.
Use These DNS Servers: Choose this option if your ISP assigned a static
DNS IP address. Also enter the addresses for the DNS1 and DNS2 fields.
MAC Address Source: Specify the MAC address for the secondary WAN.
Typically, you can use the unique 48-bit local Ethernet address of the
security appliance as your MAC address source.
Use Default MAC Address: Choose this option to use the default MAC
address
Use the Following MAC Address: If your ISP requires MAC
authentication and another MAC address has been previously registered
with your ISP, choose this option and enter the MAC address that your ISP
requires for this connection.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
104
4
Networking
Configuring the WAN
STEP 4
•
MAC Address: Enter the MAC address in the format xx:xx:xx:xx:xx:xx where
x is a number from 0 to 9 (inclusive) or an alphabetical letter between A and
F (inclusive), for example, 01:23:45:67:89:ab.
•
Zone: Maps the secondary WAN to an untrusted zone. The WAN zone is the
default unstrusted zone. Click Create Zone to create other untrusted zones.
See Configuring the Zones, page 127.
In the IPv6 tab, specify the IPv6 addressing settings for the secondary WAN
connection if you enable the IPv4/IPv6 mode.
•
IP Address Assignment: Choose Static IP if your ISP assigned a fixed
(static or permanent) IP address. If you were not assigned a static IP address,
choose SLAAC.
SLAAC: If you choose SLAAC, the security appliance can generate its
own addresses using a combination of locally available information and
information advertised by routers.
Static IP: If your ISP assigned a static IPv6 address, configure the IPv6
WAN connection in the following fields:
IPv6 Address: Enter the static IP address that was provided by your ISP.
IPv6 Prefix Length: The IPv6 network (subnet) is identified by the initial
bits of the address called the prefix. All hosts in the network have the
identical initial bits for their IPv6 address. Enter the number of common
initial bits in the network’s addresses. The default prefix length is 64.
Default IPv6 Gateway: Enter the IPv6 address of the gateway for your
ISP. This is usually provided by the ISP or your network administrator.
Primary DNS Server: Enter a valid IP address of the primary DNS Server.
Secondary DNS Server (Optional): Optionally, enter a valid IP address
of the secondary DNS Server.
STEP 5
Click OK to save your settings.
STEP 6
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
105
4
Networking
Configuring the WAN
Configuring the Network Addressing Mode
The security appliance supports five types of network addressing modes.
Specify the network addressing mode for the primary WAN and the secondary
WAN depending on your ISP requirements.
Network
Addressing
Mode
Configurations
DHCPC
DHCP is the default settting. If you use DHCP, the WAN port will
be the DHCP client and get the IP address from your ISP or the
peer router. Choose DHCP for most of Internet service providers
that use the cable modem.
Choose this option if your ISP automatically assigns you a
dynamic IP address, and enter the following information:
•
MTU: The Maximum Transmission Unit is the size, in
bytes, of the largest packet that can be passed on.
Choose Auto to use the default MTU size, or choose
Manual if you want to specify another size.
•
MTU Value: If you choose Manual, enter the custom MTU
size in bytes.
NOTE Unless a change is required by your ISP, it is recommended
that the MTU values be left as is.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
106
4
Networking
Configuring the WAN
Network
Addressing
Mode
Configurations
Static IP
Choose this option if your ISP assigns you a specific IP address
or a group of addresses. Use the corresponding information
from your ISP to complete the following fields:
•
IP Address: Enter the IP address of the WAN port that
can be accessable from the Internet.
•
Netmask: Enter the IP address of the subnet mask.
•
Gateway: Enter the IP address of default gateway.
•
DNS0: Enter the IP address of the primary DNS server.
•
DNS1: Enter the IP address of the secondary DNS server.
•
MTU: The Maximum Transmission Unit is the size, in
bytes, of the largest packet that can be passed on.
Choose Auto to use the default MTU size, or choose
Manual if you want to specify another size.
•
MTU Value: If you choose Manual, enter the custom MTU
size in bytes.
NOTE Unless a change is required by your ISP, it is recommended
that the MTU values be left as is.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
107
4
Networking
Configuring the WAN
Network
Addressing
Mode
Configurations
PPPoE
PPPoE uses Point to Point Protocol over Ethernet (PPPoE) to
connect to the Internet. The PPPoE protocol is typically found
when using a DSL modem. Choose this option if your ISP
provides you with client software, user name, and password.
Use the necessary PPPoE information from your ISP to
complete the PPPoE configurations. You can predefine multiple
PPPoE profiles before you set the network addressing mode as
PPPoE.
•
Profile Name: Choose an existing PPPoE profile. The
User Name, Password, Authentication Type, and
Connectivity Type settings of the selected PPPoE profile
are displayed. You can edit the settings of the selected
PPPoE profile, or create a new PPPoE profile by choosing
Create a PPPoE Profile. See Configuring the PPPoE
Profiles, page 111.
•
User Name/Password: Enter the user name and
password that are required to log into the ISP.
•
Authentication Type: Choose the authentication type
specified by your ISP.
•
Connect Idle Time: Choose this option to let the security
appliance disconnect from the Internet after a specified
period of inactivity (Idle Time). This choice is
recommended if your ISP fees are based on the time that
you spend online.
•
Keep Live: Choose this option to keep the connection
always on, regardless of the level of activity. This choice
is recommended if you pay a flat fee for your Internet
service.
•
MTU: Choose Auto to use the default MTU size, or
choose Manual if you want to specify another size.
•
MTU Value: If you choose Manual, enter the custom MTU
size in bytes.
NOTE Unless a change is required by your ISP, it is recommended
that the MTU values be left as is.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
108
4
Networking
Configuring the WAN
Network
Addressing
Mode
Configurations
PPTP
The PPTP protocol is typically used for VPN connection. Use
the necessary information from your ISP to complete the PPTP
configurations:
•
IP Address: Enter the IP address of the WAN port that
can be accessable from the Internet.
•
Netmask: Enter the IP address of the subnet mask.
•
Gateway: Enter the IP address of default gateway.
•
User Name/Password: Enter the user name and
password that are required to log into the PPTP server.
•
PPTP Server IP Address: Enter the IP address of the
PPTP server.
•
MPPE Encryption: Microsoft Point-to-Point Encryption
(MPPE) encrypts data in PPP-based dial-up connections
or PPTP VPN connections. Check the box to enable the
MPPE encryption to provide data security for the PPTP
connection that is between the VPN client and VPN
server.
•
Connect Idle Time: Choose this option to let the security
appliance disconnect from the Internet after a specified
period of inactivity (Idle Time). This choice is
recommended if your ISP fees are based on the time that
you spend online.
•
Keep Live: Choose this option to keep the connection
always on, regardless of the level of activity. This choice
is recommended if you pay a flat fee for your Internet
service.
•
MTU: Choose Auto to use the default MTU size, or
choose Manual if you want to specify another size.
•
MTU Value: If you choose Manual, enter the custom MTU
size in bytes.
NOTE Unless a change is required by your ISP, it is recommended
that the MTU values be left as is.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
109
4
Networking
Configuring the WAN
Network
Addressing
Mode
Configurations
L2TP
Choose this option if you want to use IPSec to connect a L2TP
(Layer 2 Tunneling Protocol) server and encrypt all data
transmitted from the client to the server. However, it does not
encrypt network traffic to other destinations. Use the necessary
information from your ISP to complete the L2TP configurations:
•
IP Address: Enter the IP address of the WAN port that
can be accessable from the Internet.
•
Netmask: Enter the IP address of the subnet mask.
•
Gateway: Enter the IP address of default gateway.
•
User Name/Password: Enter the user name and
password that are required to log into the L2TP server.
•
L2TP Server IP Address: Enter the IP address of the
L2TP server.
•
Secret (Optional): L2TP incorporates a simple, optional,
CHAP-like tunnel authentication system during control
connection establishment. Enter the secret for tunnel
authentication if necessary.
•
Connect Idle Time: Choose this option to let the security
appliance disconnect from the Internet after a specified
period of inactivity (Idle Time). This choice is
recommended if your ISP fees are based on the time that
you spend online.
•
Keep Live: Choose this option to keep the connection
always on, regardless of the level of activity. This choice
is recommended if you pay a flat fee for your Internet
service.
•
MTU: Choose Auto to use the default MTU size, or
choose Manual if you want to specify another size.
•
MTU Value: If you choose Manual, enter the custom MTU
size in bytes.
NOTE Unless a change is required by your ISP, it is recommended
that the MTU values be left as is.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
110
4
Networking
Configuring the WAN
NOTE Confirm that you have the proper network information from your ISP or a peer
router to configure the security appliance to access the Internet.
Configuring the PPPoE Profiles
If you have multiple PPPoE accounts, use the PPPoE Profile page to configure
multiple PPPoE profiles for later use.
STEP 1
Click Networking -> PPPoE Profile.
The PPPoE Profile window opens. All existing PPPoE profiles are listed in the table.
STEP 2
To add a new PPPoE profile, click Add.
Other options: To edit an entry, click Edit. To delete an entry, click Delete.
After you click Add or Edit, the PPPoE Profile - Add/Edit window opens.
STEP 3
Enter the following information:
•
Name: Enter the name for the PPPoE profile.
•
User Name: Enter the user name that is required to log into the ISP.
•
Password: Enter the password that is required to log into the ISP.
•
Authentication Type: Choose the method to authenticate the PPP sessions,
as specified by your ISP.
Auto: The PPP protocol auto-negotiates the authentication method.
PAP: Password authentication protocol (PAP) is used by PPP protocol to
validate the users before allowing them access to server resources.
Almost all network operating system remote servers support PAP.
CHAP: Challenge Handshake Authentication Protocol (CHAP) is an
authentication scheme used by Point to Point Protocol (PPP) servers to
validate the identity of remote clients. CHAP periodically verifies the
identity of the client by using a three-way handshake. The verification is
based on a shared secret (such as the client user's password).
MS-CHAP: MS-CHAP is the Microsoft version of the CHAP. The protocol
exists in two versions, MS-CHAPv1 (defined in RFC 2433) and MSCHAPv2 (defined in RFC 2759).
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
111
4
Networking
Configuring the WAN Redundancy
MS-CHAPv2: MS-CHAPv2 provides mutual authentication between
peers by piggybacking a peer challenge on the Response packet and an
authenticator response on the Success packet.
•
Keep Live: Keeps the connection always on, regardless of the level of
activity. This option is recommended if you pay a flat fee for your Internet
service.
•
Max Idle Time: Lets the security appliance disconnect from the Internet
after a specified period of inactivity (Idle Time). If you choose this option,
enter the value in minutes in the Maximum Idle Time field. This option is
recommended if your ISP fees are based on the time that you spend online.
•
MTU: The Maximum Transmission Unit (MTU) is the size, in bytes, of the
largest packet that can be passed on. Choose Auto to use the default MTU
size, or choose Manual if you want to specify another size.
•
MTU Size: If you choose Manual, enter the custom MTU size in bytes.
NOTE For PPPoE connections, the default MTU size is 1492 bytes. Unless a
change is required by your ISP, it is recommended that the MTU
values be left as is.
STEP 4
Click OK to save your settings.
STEP 5
Click Save to apply your settings.
Configuring the WAN Redundancy
If you have two ISP links, one for WAN1 and another for WAN2, you can configure
the WAN redundancy to determine how the two ISP links are used.
NOTE Before you configure the WAN redundancy, you must configure the secondary
WAN connection. See Configuring the Secondary WAN, page 104.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
112
4
Networking
Configuring the WAN Redundancy
NOTE When the security appliance is working in Dual WAN mode, if one WAN link is down,
the WAN redundancy and Policy-based Routing settings are ignored and all traffic
is handled by the active WAN port.
This section describes how to configure the WAN redundancy and the link failover
detection settings. It includes the following topics:
•
Loading Balancing for WAN Redundancy, page 113
•
Load Balancing with Policy-based Routing Configuration Example,
page 115
•
Failover for WAN Redundancy, page 116
•
Routing Table for WAN Redundancy, page 117
•
Configuring the Link Failover Detection, page 117
Loading Balancing for WAN Redundancy
The Load Balancing can segregate traffic between links that are not of the same
speed. For example, you can bind the high-volume services through the port that
is connected to a high speed link, and bind the low-volume services to the port
that is connected to the slower link.
The Load Balancing is implemented for outgoing traffic and not for incoming traffic.
To maintain better control of WAN port traffic, consider making the WAN port
Internet address public and keeping the other one private.
Figure?2 shows an example of Dual WAN configured with the Load Balancing.
Figure 2
Example of Dual WAN Ports with Load Balancing
Dual WAN Ports (Load Balancing)
WAN1 IP
ISA500
yourcompany1.dyndns.org
Internet
yourcompany2.dyndns.org
197402
WAN2 IP
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
113
4
Networking
Configuring the WAN Redundancy
NOTE To configure the Loading Balancing, make sure that you configure both WAN ports
to Keep Live. If the WAN port is configured to time out after a specified period of
inactivity, then the Loading Balancing is not applicable.
STEP 1
Click Networking -> WAN Redundancy -> WAN Redundancy Operation
Configuration.
The WAN Redundancy Operation Configuration opens.
STEP 2
STEP 3
Use the Load Balancing mode if you want to use both ISP links simultaneously. The
two links will carry data for the protocols that are bound to them. Enter the
following information:
•
Equal Load Balancing (Round Robin): Re-orders the WAN interfaces for
Round Robin selection. The order is as follows: WAN1 and WAN2. The Round
Robin will then repeat back to WAN1 and continue the order. This is the
default setting.
•
Weighted Load Balancing: Distributes the bandwidth to two WAN ports by
the weighted percange or by the weighted link bandwidth. If you choose this
mode, choose one of the following options and finish the setting:
Weighted By Percentage: Allows you to set the percentage for each
WAN, such as 80% percentage bandwidth for WAN1 and lest 20%
percentage bandwidth for WAN2.
Weighted By Link Bandwidth: Allows you to set the rate limiting for each
WAN, such as 10 Mbps for WAN1 and 5 Mbps for WAN2.
If you choose Load Balancing as the WAN redundancy operation mode, you can
optionally enable the Policy-based Routing (PBR) settings to determine how the
traffic is balanced between the two ISP links. The PBR settings specify the internal
IP and/or service going through a specified WAN port to provide more flexbile and
granular traffic handling capabilities.
•
Policy Based Routing Enable: Click On to enable the PBR settings, or click
Off to disable it. To configure the PBR settings, click Configure PBR.
NOTE If you enable PBR, the PBR settings will be applied first and then the
load balancing settings next.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
114
4
Networking
Configuring the WAN Redundancy
STEP 4
Click Save to apply your settings.
STEP 5
To check the connection of both links at regular intervals after you enable the Load
Balancing mode, you first need to enable the Link Failover Detection feature. To
configure the Link Failover Detection settings, go to the Networking -> Link
Failover Detection Settings page. See Configuring the Link Failover Detection,
page 117.
Load Balancing with Policy-based Routing Configuration
Example
Use Cases: The customer has two lines, one is a cable link and another is a DSL
link. The majority of trafffic goes through the cable link since it has larger
bandwidth, and the rest traffic goes through the DSL link. As lots of secure
websites (such as bank, or online shopping) are sensitive to flip flop the source IP
address, let the traffic for https, ftp, video, and game go through the cable link.
Configuration Tasks:
•
Configure a configurable port as the secondary WAN port (WAN2). See
Configuring the Secondary WAN, page 104.
•
Connect the cable modem to the primary WAN port (WAN1), and connect
the DSL modem to the secondary WAN port (WAN2).
•
Enable the Weighted Load Balancing mode, and set the weighted value of
WAN1 to 80% and the weighted value of WAN2 to 20%. See Loading
Balancing for WAN Redundancy, page 113.
•
Enable the Policy-based Routing (PBR) feature, and configure PBR rules so
that the traffic for https, ftp, video, and game is directed to the WAN1 port.
See Configuring Policy-based Routing Settings, page 134.
•
Enable the IP Bandwidth, Service Bandwidth, and WAN Bandwidth reports
so that you can check the WAN bandwidth usage by IP address, service,
and time. See Reports, page 85.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
115
4
Networking
Configuring the WAN Redundancy
Failover for WAN Redundancy
Use the Failover mode when you want to use one ISP link as a backup. If a failure is
detected on the primary link, then the security appliance directs all Internet traffic
to the backup link. When the primary link regains connectivity, all Internet traffic is
directed to the primary link and the backup link becomes idle. By default, the
primary WAN is set as the primary link and the secondary WAN is set to the
backup link.
NOTE When the security appliance is working in the Failover mode, the Policy-based
Routing settings will be ignored.
Figure?3 shows an example of Dual WAN configured with Failover.
Figure 3
Example Dual WAN Ports with Failover
Dual WAN Ports (Before Rollover)
WAN1 IP (N/A)
ISA500 WAN1 port inactive
WAN1 IP
ISA500
yourcompany.dyndns.org
Internet
Dual WAN Ports (After Rollover)
Internet
yourcompany.dyndns.org
WAN2 IP
197401
WAN2 port inactive
WAN2 IP (N/A)
STEP 1
Click Networking -> WAN Redundancy -> WAN Redundancy Operation
Configuration.
The WAN Redundancy Operation Configuration opens.
STEP 2
STEP 3
Choose Failover if you want to use one ISP link as a backup and enter the
following information:
•
Auto Failover to: Choose either WAN1 or WAN2 as the primary link. By
default, WAN1 is set as the primary link and WAN2 is set as the backup link.
You can also set WAN2 as the primary link.
•
Preempt Delay Timer: Enter the time in seconds that the system will
preempt the primary link from the backup link when the primary link is up
again. The default is 5 seconds.
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
116
4
Networking
Configuring the WAN Redundancy
STEP 4
To check the connection of both links at regular intervals after you enable the
Failover mode, you first need to enable the Link Failover Detection feature. To
configure the Link Failover Detection settings, go to the Networking -> Link
Failover Detection Settings page. See Configuring the Link Failover Detection,
page 117.
Routing Table for WAN Redundancy
The Routing Table feature allows the traffic to meet the static routing policies you
defined on your security appliance to pass through different WAN interfaces.
You need to add default routing policies that forward the traffic to the primary
WAN. The traffic for other static routings are forwarded to the secondary WAN. For
more inforamtion to configure the static routing policies, see Configuring the
Static Routing, page 132.
NOTE The Link Failover Detection settings will be ignored if you enable the Routing Table
feature.
Configuring the Link Failover Detection
The Link Failover Detection feature detects the link failure. If a failure occurs, traffic
for the unavailable link is diverted to the active link.
NOTE The Link Failover Detection settings are only available when the WAN redundancy
is set to Load Balancing or Failover.
STEP 1
Click Networking -> WAN Redundancy -> Link Failover Detection Settings.
The Link Failover Detection Settings window opens.
STEP 2
Enter the following information:
•
Failover Detection: Click On to enable the Link Failover Detection feature, or
click Off to disable it.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
117
4
Networking
Configuring the VLAN
•
Retry Count: Enter the number of retries. The security appliance repeatedly
tries to connect to the ISP after the link failure is detected. The default is 5.
•
Retry Timeout: If the connection to the ISP is down, the security appliance
tries to connect to the ISP after a specified timeout. Enter the timeout in
seconds to re-connect to the ISP. The default is 5 seconds.
•
Ping Detection: Choose this option to detect the WAN failure by pinging the
IP address that you specify in the following fields:
•
STEP 3
Ping using WAN Default Gateway: Ping the IP address of the WAN
default gateway. If the default WAN gateway can be detected, the
network connection is active.
Ping using these Hosts: Ping the specified remote hosts. Enter the IP
addresses in the Primary WAN Remote Host and Secondary WAN
Remote Host fields. In Failover mode, if the primary WAN remote host
can be detected, the network connection is active. In Load Balancing
mode, if the primary WAN and secondary WAN remote hosts can be
detected, the WAN connection is active.
DNS Detection: Choose this option to detect the WAN failure by looking up
the DNS servers that you specify in the following fields:
DNS Lookup using WAN DNS Servers: The security appliance sends
the DNS query for www.cisco.com to the default WAN DNS server. If the
DNS server can be detected, the network connection is active.
DNS Lookup using these DNS Servers: The security appliance sends
the DNS query for www.cisco.com to the specified DNS servers. Enter
the IP addresses in the Primary WAN DNS Server and Secondary WAN
DNS Server fields. If the primary or secondary DNS server can be
detected, the network connection is active.
Click Save to apply your settings.
Configuring the VLAN
The Virtual LANs (VLANs) allow you to segregate the network into LANs that are
isolated from one another. Any PC that is connected to the specified LAN port is
on a separate VLAN and cannot access other VLANs. You can add up to 16
VLANs.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
118
4
Networking
Configuring the VLAN
This section describes how to configure the VLANs. It includes the following
topics:
•
Configuring the VLANs, page 119
•
Configuring DHCP Reserved IPs, page 122
Configuring the VLANs
The security appliance predefines a native VLAN (DEFAULT) and a guest VLAN
(GUEST). You can change the settings for the predefined VLANs, or add new
VLANs, for up to a total of 16 VLANs. Any PC that is connected to the specified
LAN port is on a separate VLAN and cannot access other VLANs.
STEP 1
Click Networking -> VLAN.
The VLAN window opens.
STEP 2
To add a new VLAN, click Add.
Other options: To edit an entry, click Edit. To delete an entry, click Delete. The
default VLANs can not be deleted.
After you click Add or Edit, the VLAN - Add/Edit window opens.
STEP 3
In the Basic Setting tab, enter the following information:
•
Name: Enter a descriptive name for the VLAN.
•
VID: Enter an unique identification number for the VLAN, which can be any
number from 3 to 4089. The VLAN ID 1 is reserved for the DEFAULT VLAN
and the VLAN ID 2 is reserved for the GUEST VLAN.
•
IP: Enter the subnet IP address for the VLAN.
•
Netmask: Enter the subnet mask for the VLAN.
•
Spanning Tree: Check the box to enable the Spanning Tree feature to
determine if there are loops in the network topology. The Spanning Tree
Protocol (STP) is a link layer network protocol that ensures a loop-free
topology for any bridged LAN. The STP is used to prevent bridge loops and
to ensure broadcast radiation.
•
Port: Assigns the LAN ports to the VLAN. The traffic through the selected
LAN ports is directed to the VLAN. All available ports including the dedicated
LAN ports and configurable ports appear in the Port list.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
119
4
Networking
Configuring the VLAN
Choose the ports from the Port list and click ->Access to add them to the
Member list and set the selected ports as Access mode. All packets going
into and out of the Access ports are untagged. Access mode is
recommended if the port is connected to a single end-user device which is
VLAN unaware.
Alternatively, you can choose the ports from the Port list and click ->Trunk
to add them to the Member list and set the selected ports as Trunk mode. All
packets going into and out of the Trunk port are tagged. Untagged data
coming into the port is not forwarded. Trunk mode is recommended if the
port is connected to a VLAN-aware switch or router.
NOTE This setting will change the port type and access mode of the
selected physical ports. For example, choose a port that was set as a
DMZ port and add it to the Member list. The DMZ port will be changed
to a LAN port. Changing the port type will wipe out all configurations
relative to the physical port.
•
STEP 4
STEP 5
Zone: Choose the zone to which the VLAN is mapped. By default, the
DEFAULT VLAN is mapped to the LAN zone and the GUEST VLAN is mapped
to the GUEST zone.
In the DHCP Pool Settings tab, choose the DHCP mode from the DHCP Server
drop-down list.
•
Disable: Choose this option if the computers on the VLAN are configured
with static IP addresses or are configured to use another DHCP server.
•
DHCP Server: Allows the security appliance to act as a DHCP server and
assigns IP addresses to all devices that are connected to the VLAN. Any new
DHCP client joining the VLAN is assigned an IP address of the DHCP pool.
•
DHCP Relay: Allows the security appliance to use a DHCP Relay. If you
choose DHCP Relay, enter the IP address of the remote DHCP server in the
Relay IP field.
If you choose DHCP Server as the DHCP mode, enter the following information:
•
Start IP: Enter the first IP address in the DHCP range.
•
End IP: Enter the last IP address in the DHCP range. Any new DHCP client
joining the VLAN is assigned an IP address between the Start IP address and
End IP address.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
120
4
Networking
Configuring the VLAN
NOTE The Start and End IP addresses must be in the same subnet with the
VLAN IP address.
•
Lease Time: Enter the maximum connection time that a dynamic IP address
is “leased” to a network user. When the time elapses, the user will be
automatically renewed the dynamic IP address.
•
DNS 1: Enter the IP address of the primary DNS server.
•
DNS 2: Optionally, enter the IP address of the secondary DNS server.
•
WINS 1: Enter the IP address for the primary WINS server.
•
WINS 2: Optionally, enter the IP address of the secondary WINS server.
•
Domain Name: Optionally, enter the domain name for the VLAN
•
Optional 66: Only supports the IP address or host name of a single TFTP
server. Enter the IP address of the single TFTP server for the VLAN.
•
Optional 67: Enter the boot file name or configuration file name on the
specified TFTP server.
•
Optional 150: Supports a list of TFTP servers (2 TFTP servers). Enter the IP
addresses of TFTP servers. Separate multiple entries with commas (,).
NOTE Enterprises with small branch offices that implement a Cisco IP
Telephony Voice over IP solution typically implement Cisco
CallManager at a central office to control Cisco IP Phones at small
branch offices. This implementation allows centralized call
processing, reduces the equipment required, and eliminates the
administration of additional Cisco CallManager and other servers at
branch offices. Cisco IP Phones download their configuration from a
TFTP server. When a Cisco IP Phone starts, if it does not have both the
IP address and TFTP server IP address pre-configured, it sends a
request with option 150 or 66 to the DHCP server to obtain this
information.
STEP 6
In the IPv6 Setting tab, specify the IPv6 addressing for the VLAN if you enable the
IIPv4/Pv6 mode.
•
IPv6 Address: Enter the IPv6 address based on your network requirements.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
121
4
Networking
Configuring the VLAN
•
IPv6 Prefix Length: Enter the number of characters in the IPv6 prefix.
The IPv6 network (subnet) is identified by the prefix, which consists of the
initial bits of the address. The default prefix length is 64 bits. All hosts in the
network have the identical initial bits for the IPv6 address. The number of
common initial bits in the addresses is set by the prefix length field.
STEP 7
Click OK to save your settings.
STEP 8
Click Save to apply your settings.
Configuring DHCP Reserved IPs
Even when the security appliance is configured to act as a DHCP server, you can
reserve certain IP addresses to always be assigned to specified devices.
Use the Static IP Reservations page to bind the MAC address of the device with
the desired IP address. Whenever the DHCP server receives a request from a
device, the hardware address is compared with the database. If the device is
found, then the reserved IP address is used. Otherwise, an IP address is assigned
automatically from the DHCP pool.
STEP 1
Click Networking -> Static IP Reservations.
The Static IP Reservations window opens.
STEP 2
To add a new reserved IP, click Add.
Other Options: To edit an entry, click Edit. To delete an entry, click Delete.
After you click Add or Edit, the Static IP Reservations - Add/Edit window opens.
STEP 3
Enter the following information:
•
Name: Enter the name for the static IP reservation rule.
•
MAC Address: Enter the MAC address of the host under a VLAN.
•
IP Address: Enter the IP address within the VLAN’s DHCP pool that is
assigned to the host.
STEP 4
Click OK to save your settings.
STEP 5
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
122
4
Networking
Configuring the DMZ
Configuring the DMZ
A DMZ (Demarcation Zone or Demilitarized Zone) is a subnetwork that is behind
the firewall but that is open to the public. By placing your public services on a
DMZ, you can add an additional layer of security to the LAN. The public can
connect to the services on the DMZ but cannot penetrate the LAN. You should
configure your DMZ to include any hosts that must be exposed to the WAN (such
as web or email servers).
The DMZ configuration is identical to the VLAN configuration. There are no
restrictions on the IP address or subnet assigned to the DMZ port, except it cannot
be identical to the IP address given to the predefined VLANs.
Figure 4
Example DMZ with One Public IP Address for WAN and DMZ
www.example.com
Internet
Source Address Translation
209.165.200.225
172.16.2.30
Public IP Address
209.165.200.225
LAN Interface
192.168.75.1
User
192.168.75.10
Web Server
Private IP Address: 172.16.2.30
Public IP Address: 209.165.200.225
User
192.168.75.11
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
235140
ISA500
DMZ Interface
172.16.2.1
123
4
Networking
Configuring the DMZ
In this scenario, the business has one public IP address, 209.165.200.225, which is
used for both the security appliance’s public IP address and the web server’s
public IP address. The administrator configures the configurable port to be used
as a DMZ port. A firewall access rule allows inbound HTTP traffic to the web
server at 172.16.2.30. Internet users enter the domain name that is associated with
the IP address 209.165.200.225 and can then connect to the web server. The
same IP address is used for the WAN interface.
Figure 5
Example DMZ with Two Public IP Addresses
www.example.com
Internet
Public IP Addresses
209.165.200.225 (router)
209.165.200.226 (web server)
DMZ interface
172.16.2.1
Web Server
Private IP Address: 172.16.2.30
Public IP Address: 209.165.200.226
LAN Interface
192.168.75.1
User
192.168.75.10
User
192.168.75.11
235610
ISA500
Source Address Translation
209.165.200.226
172.16.2.30
In this scenario, the ISP has supplied two static IP addresses: 209.165.200.225
and 209.165.200.226. The address 209.165.200.225 is used for the security
appliance’s public IP address. The administrator configures the configurable port
to be used as a DMZ port and created a firewall access rule to allow inbound
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
124
4
Networking
Configuring the DMZ
HTTP traffic to the web server at 172.16.2.30. The firewall rule specifies an
external IP address of 209.165.200.226. Internet users enter the domain name that
is associated with the IP address 209.165.200.226 and can then connect to the
web server.
STEP 1
Click Networking -> DMZ.
The DMZ window opens.
STEP 2
To add a DMZ, click Add.
Other options: To edit an entry, click Edit. To delete an entry, click Delete.
After you click Add or Edit, the DMZ - Add/Edit window opens.
STEP 3
In the Basic Setting tab, enter the following information:
•
Name: Enter the name for the DMZ.
•
IP Address: Enter the subnet IP address for the DMZ.
•
Netmask: Enter the subnet mask for the DMZ.
•
Spanning Tree: Check the box to enable the Spanning Tree feature to
determine if there are loops in the network topology.
•
Port: Specify a configurable port as a DMZ port. The traffic through the DMZ
port is directed to the DMZ. All available configurable ports appears in the
Port list, choose a port and click ->Access to add it to the Member list. The
selected configurable port will be set to a DMZ port with Access mode. All
data going into and out of the Access port is untagged.
NOTE This setting will change the port type and access mode of the
selected configurable port. Changing the port type will wipe out all
configurations relative to the physical port.
NOTE Up to five DMZ interfaces can be configured for ISA570 and
ISA570W. Up to four DMZ interfaces can be configured for ISA550
and ISA550W.
•
Zone: Choose the default or custom DMZ zone to which the DMZ is mapped.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
125
4
Networking
Configuring the DMZ
STEP 4
STEP 5
In the DHCP Pool Settings tab, choose the DHCP mode from the DHCP Server
drop-down list.
•
Disable: Choose this option if the computers on the DMZ are configured with
static IP addresses or are configured to use another DHCP server.
•
DHCP Server: Allows the security appliance to act as a DHCP server and
assigns IP addresses to all devices that are connected to the DMZ. Any new
DHCP client joining the DMZ is assigned an IP address of the DHCP pool.
•
DHCP Relay: Allows the security appliance to use a DHCP Relay. If you
choose DHCP Relay, enter the IP address of the remote DHCP server in the
Relay IP field.
If you choose DHCP Server as the DHCP mode, enter the following information:
•
Start IP: Enter the first IP address in the DHCP range.
•
End IP: Enter the last IP address in the DHCP range. Any new DHCP client
joining the DMZ is assigned an IP address between the Start IP address and
the End IP address.
NOTE The Start and End IP addresses must be in the same subnet with the
DMZ’s subnet IP address .
STEP 6
•
Lease Time: Enter the maximum connection time that a dynamic IP address
is “leased” to a network user. When the time elapses, the user will be
automatically renewed the dynamic IP address.
•
DNS 1: Enter the IP address of the primary DNS server.
•
DNS 2: Enter the IP address of the secondary DNS server.
•
WINS 1: Enter the IP address for the primary WINS server.
•
WINS 2: Enter the IP address of the secondary WINS server.
•
Domain Name: Enter the domain name for the DMZ.
•
Default Gateway: Enter the IP address of default gateway.
In the IPv6 Setting tab, specify the IPv6 addressing for the DMZ if you enable the
IPv4/IPv6 mode.
•
IPv6 Address: Enter the IPv6 address based on your network requirements.
•
IPv6 Prefix Length: Enter the number of characters in the IPv6 prefix.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
126
4
Networking
Configuring the Zones
The IPv6 network (subnet) is identified by the prefix, which consists of the
initial bits of the address. The default prefix length is 64 bits. All hosts in the
network have the identical initial bits for the IPv16 address. The number of
common initial bits in the addresses is set by the prefix length field.
STEP 7
Click OK to save your settings.
STEP 8
Click Save to apply your settings.
NOTE Next steps:
•
After you configure the DMZ, connect the local server that you want to
public to Internet to the specified DMZ port, and then configure a port
forwarding rule or an advanced NAT rule to specify the public IP address of
the server (see Configuring Port Forwarding Rules, page 195 or
Configuring Advanced NAT Rules, page 197), and create a firewall access
rule to allow the inbound access to the server (see Configuring a Firewall
Access Rule, page 183).
•
If you want to reserve certain IP addresses for specified devices, go to the
Networking -> Static IP Reservations page. See Configuring DHCP
Reserved IPs, page 122. You must enable DCHP Server mode or DHCP
Relay mode for this purpose.
Configuring the Zones
A zone is a group of interfaces to which a security policy can be applied. The
interfaces in a zone share common functions or features. The interfaces are IPbased interfaces (VLANs, WAN1, WAN2, and so forth). Each interface can only join
one zone, but each zone with specific security level can have multiple interfaces.
This section describes the security level definition for zones, the predefined
zones, and how to create new zones. It includes the following topics:
•
Security Levels for Zones, page 128
•
Predefined Zones, page 128
•
Configuring the Zones, page 129
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
127
4
Networking
Configuring the Zones
NOTE We recommend that you configure the zones before configuring the WAN, VLAN,
DMZ, and the security features such as zone-based firewall and UTM security
services.
Security Levels for Zones
The security appliance supports five security levels for zones as described below.
The greater value, the higher the permission level. The VPN and SSLVPN zones
have the same security level.
•
Trusted (100): Offers the highest level of trust. The LAN zone is always
trusted.
•
VPN (75): Used exclusively by the predefined VPN and SSLVPN zones. All
traffic to and from a VPN zone is encrypted.
•
Public (50): Offers a higher level of trust than a Guest zone, but a lower
level of trust than a VPN zone. The DMZ zone is a public zone.
•
Guest (25): Offers a higher level of trust than an untrusted zone, but a lower
level of trust than a public zone. Guest zones can only be used for guest
access.
•
Untrusted (0): Offers the lowest level of trust. It is used by both the WAN
and the virtual multicast zones. You can map one or multiple WAN interfaces
to an untrusted zone.
Predefined Zones
The security appliance predefines the following zones with different security
levels:
•
WAN: The WAN zone is an untrusted zone. By default, the WAN1 interface
is mapped to the WAN zone. If the secondary WAN (WAN2) is applicable, it
can be mapped to the WAN zone or other untrusted zones.
•
LAN: The LAN zone is a trusted zone. You can map one or multiple VLANs to
a trusted zone. By default, the DEFAULT VLAN is mapped to the LAN zone.
•
DMZ: The DMZ zone is a public zone used for accessible servers.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
128
4
Networking
Configuring the Zones
•
SSLVPN: The SSLVPN zone is a virtual zone used for simplifying secure and
remote SSL VPN connections. This zone does not have an assigned
physical interface.
•
VPN: The VPN zone is a virtual zone used for simplifying secure IPSec VPN
connections. This zone does not have an assigned physical interface.
•
GUEST: The GUEST zone can only be used for guest access. By default,
the GUEST VLAN is mapped to this zone.
•
VOICE: The VOICE zone is a security zone designed for voice traffic. Traffic
coming and outgoing from this zone will be optimized for voice operations.
If you have voice devices, such as a Cisco IP Phone, it is desirable to place
the devices into the VOICE zone.
Configuring the Zones
You can custom new zones for your specific business needs.
STEP 1
Click Networking -> Zone.
The Zone window opens. All predefined and custom zones are listed in the table.
STEP 2
Click Reset Zone Configuration to restore your zone configurations to the factory
default settings. All custom zones will be removed and the relevant settings to
these custom zones will be cleaned up after you perform this operation.
STEP 3
To add a new zone, click Add.
Other options: To edit an entry, click Edit. To delete an entry, click Delete. To
delete multiple entires, check the boxes of multiple entries and then click Delete
Selection.
NOTE All predefined zones (except for the VOICE zone) cannot be deleted. Only the
associated interfaces and VLANs for the predefined zones can be edited.
The VPN and SSLVPN zones cannot be edited.
After you click Add or Edit, the Zone - Add/Edit window opens.
STEP 4
Enter the following information:
•
Name: Enter the name for the zone.
•
Security Level: Specify the security level for the zone.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
129
4
Networking
Configuring the Routing
•
For VLANs, all security levels are selectable.
For DMZs, choose Public (50).
For WAN interfaces, choose Untrusted (0).
Map VLANs to This Zone: Choose the existing VLANs or WAN interfaces
from the Available VLANs list, and click the right arrow -> to add them to the
Mapped to Zone list. You can create new VLANs by clicking Create VLAN.
STEP 5
Click OK to save your settings.
STEP 6
Click Save to apply your settings.
NOTE Next Steps:
•
After you create a new zone, a certain of firewall access rules are
automatically generated to permit or block the traffic from the new zone to
any other zone or from any other zone to the new zone. The permit or block
action is determined by the security level of the new zone. By default, the
firewall prevents all inbound traffic and allows all outbound traffic. To
customize firewall access rules for the new zone, go to the Firewall -> ACL
Rules -> Rule page. For more information, see Configuring the Firewall
Access Rules to Control Inbound and Outbound Traffic, page 178.
•
Map the security services to zones. If you enabled the security services
such as IPS and Anti-Virus on your security appliance, you need to map the
security services to the zones. By default, the IPS and Anti-Virus services
are mapped to the WAN zone. To specify the mapping relationships
between the security services and zones, go to the Security Services
pages. See Security Services, page 210.
Configuring the Routing
Use the Routing pages to change the routing mode between WAN and LAN, view
the routing table, configure the static routing, dynamic routing, and Policy-based
Routing settings. It includes the following sections:
•
Configuring the Routing Mode, page 131
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
130
4
Networking
Configuring the Routing
•
Viewing the Routing Table, page 131
•
Configuring the Static Routing, page 132
•
Configuring the Dynamic Routing, page 133
•
Configuring Policy-based Routing Settings, page 134
•
Priority of Routing Rules, page 136
Configuring the Routing Mode
Depending on the requirements of your ISP, you can configure your security
appliance to operate in NAT mode or Routing mode. By default, NAT mode is
enabled.
STEP 1
Click Networking -> Routing -> Routing.
The Routing window opens.
STEP 2
If your ISP assigns an IP address for each of the computers that you use, click On
to enable the Routing mode. When you enable the Routing mode, the NAT settings
are disabled.
STEP 3
If you are sharing IP addresses across several devices such as your LAN and using
other dedicated devices for the DMZ, click Off to disable the Routing mode.
STEP 4
Click Save to apply your settings.
Viewing the Routing Table
STEP 1
Click Networking -> Routing -> Routing Table.
The Routing Table window opens. The Routing table displays the following routing
information:
•
Destination Address: The IP address of the host or the network that the
route leads to.
•
Netmask: The subnet mask of the destination network.
•
Gateway: The IP address of the gateway through which the destination host
or network can be reached.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
131
4
Networking
Configuring the Routing
STEP 2
•
Symbol: The routing status flags.
•
Metric: The cost of a route. Routing metrics are assigned to routes by routing
protocols to provide measurable values that can be used to judge how
useful (or how low cost) a route will be.
•
Interface: The physical network interface through which this route is
accessible.
Click Refresh to refresh the routing table.
Configuring the Static Routing
To configure static routes, specify the IP address and related information for the
destination. You must also assign a priority, which determines the selected route
when there are multiple routes travelling to the same destination.
STEP 1
Click Networking -> Routing -> Static Routing.
The Static Routing window opens.
STEP 2
To add a static route, click Add.
Other options: To edit an entry, click Edit. To delete an entry, click Delete. To
delete multiple entries, check the boxes of multiple entries and click Delete
Selection.
After you click Add or Edit, the Static Routing - Add/Edit window opens.
STEP 3
Enter the following information:
•
Destination Address: Choose an existing IP address object of the host or of
the network that the route leads to. If the address object is not in the list,
choose Create an IP Address/Network to create a new address object. To
main the address objects, go to the Networking -> Address Object
Management page. See Address Management, page 152.
•
Setting as Default Route: Check this box to set this static route as the
default route.
•
Next Hop: Choose an interface or an IP address as the next hop for this static
route.
Interface: Choose either WAN1 or WAN2 as the next hop.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
132
4
Networking
Configuring the Routing
•
IP Address: Choose an IP address of the gateway through which the
destination host or network can be reached.
Metric: If needed, enter a number to manage the route priority. If multiple
routes to the same destination exist, the route with the lowest metric is
selected.
STEP 4
Click OK to save your settings.
STEP 5
Click Save to apply your settings.
Configuring the Dynamic Routing
Dynamic Routing or RIP, is an Interior Gateway Protocol (IGP) that is commonly
used in internal networks. It allows a router to exchange its routing information
automatically with other routers, and allows it to dynamically adjust its routing
tables and adapt to changes in the network.
STEP 1
Click Networking -> Routing -> Dynamic-RIP.
The Dynamic-RIP window opens.
STEP 2
STEP 3
Enter the following information:
•
RIP Enable: Click On to enable RIP, or click Off to disable it. By default, RIP
is disabled.
•
RIP Version: If you enable RIP, specify the RIP version. The security
appliance supports RIPv1 and RIPv2.
RIPv1 is a class-based routing version that does not include subnet
information. This is the most commonly supported version.
RIPv2 includes all the functionality of RIPv1 plus it supports subnet
information.
Default: The data is sent in RIPv1 format and received in RIPv1 and RIPv2
format. This is the default setting.
Specify the RIP setting for each available interface:
•
RIP Enable: Check this box to enable the RIP settings on the interface or
VLAN.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
133
4
Networking
Configuring the Routing
STEP 4
•
Port Passive: Determines how the security appliance receives RIP packets.
Check this box to enable this feature on the interface or VLAN.
•
Authentication: If you are using RIPv2, click Edit to specify the
authentication method for the interface or VLAN.
None: Choose this option to invalidate the authentication.
Simple Password Authentication: Choose this option to validate the
simple password authentication. Enter the password in the field.
MD5 Authentication: Choose this option to validate the MD5
authentication. Enter the unique key ID in the MD5 Key ID field and the
Key in the MD5 Auth Key field.
Click Save to apply your settings.
Configuring Policy-based Routing Settings
Policy-based Routing (PBR) allows users to specify the internal IP and/or service
going through a specified WAN port to provide more flexbile and granular traffic
handling capabilities.
This feature can be used to segregate traffic between links that are not of the
same speed. High volume traffic can be routed through the port connected to a
high speed link and low volume traffic can be routed through the port connected
to the slow link.
For example, although HTTP traffics is typically routed through WAN1, by using
PBR you can bind the HTTP protocol to WAN1 and bind the FTP protocol to WAN2.
In this case, the security appliance automatically channels FTP data through
WAN2.
NOTE Make sure that you configure a secondary WAN connection and that the WAN
redundancy is set to the Load Balancing or Routing Table mode before you
configure the policy-based routing settings. See Configuring the Secondary
WAN, page 104 and Configuring the WAN Redundancy, page 112.
NOTE The security appliance supports up to 100 PBR rules.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
134
4
Networking
Configuring the Routing
STEP 1
Click Networking -> Routing -> Policy Based Routing.
The Policy-based Routing window opens.
STEP 2
Click On to enable PBR, or click Off to disable it.
STEP 3
To add a new PBR rule, click Add.
Other options: To edit an entry, click Edit. To delete an entry, click Delete.
The Policy-based Routing - Add/Edit window opens.
STEP 4
Enter the following information;
•
From VLAN: Choose the VLAN for the outbound traffic.
•
Service: For service binding only, choose an existing service or choose
Create New Service to create a new service. For IP binding only, choose All
Traffic.
•
Source IP: For service binding only, choose Any. For IP binding only, choose
an internal IP address that passes through the specific WAN port.
•
Dest IP: For service binding only, choose Any. For IP binding only, choose an
IP address as the destination IP address of the outbound traffic. If the
address object is not in the list, choose Create New Address to create a
new address object. To main the address objects, go to the Networking ->
Address Object Management page. See Address Management,
page 152.
•
DCSP: Choose the DCSP remarking value to assign the traffic priority.
•
Route to: Choose the WAN interface that the outbound traffic passes
through.
•
Failover: Click On to enable WAN Failover, or click Off to disable it. When the
selected WAN interface for routing is down, enabling Failover will forward
the traffic to the backup WAN.
NOTE If one WAN connection is down (a connection failure is detected by
ping the host or DNS server) and the PBR Failover is “Off”, the traffic
will be dropped.
STEP 5
Click OK to save your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
135
4
Networking
Dynamic DNS
STEP 6
Click Save to apply your settings.
Priority of Routing Rules
If multiple routing features operate simultaneously, the security appliance first
matches up with the Policy-based Routing rules, and then matches up with the
Static Routing and default Routing rules.
For example, if WAN redundancy is set to the Weighted Loading Balancing mode,
and the PBR and Static Routing rules are configured, the routing priority works as
follows:
1. If all traffic cannot match up with the PBR or Static Routing rules, all traffic
follows the Weighted Loading Balance settings.
2. If traffic A matches up with the PBR or Static Routing rules, traffic A will be firstly
handled by the PBR or Static Routing rules, while other traffic follows the
Weighted Loading Balance settings.
Dynamic DNS
Dynamic DNS (DDNS) is an Internet service that allows routers with varying public
IP addresses to be located using Internet domain names. If your ISP has not
provided you with a static IP and your WAN connection is configured to use DHCP
to obtain an IP address dynamically, then DDNS provides the domain name to map
the dynamic IP address for your website. To use DDNS, you must set up an
account with a DDNS provider such as DynDNS.com.
STEP 1
Click Networking -> DDNS.
The DDNS window opens.
STEP 2
To add a new DDNS service, click Add.
Other options: To edit an entry, click Edit. To delete an entry, click Delete.
After you click Add or Edit, the Edit window opens.
STEP 3
Enter the following information:
•
Service: Choose either DynDNS or No-IP service.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
136
4
Networking
Dynamic DNS
DynDNS.org: Dynamic Network Services provides world-class DNS
hosting and management services, domain registration, email services,
network monitoring by hostname or IP address, and web redirection.
No-IP.com: No-IP is a dynamic DNS provider (DDNS), both free and paid,
backed by our industry proven network of highly available name servers.
•
Active on Startup: Check this box to activate the DDNS service when the
security appliance starts up.
•
WAN Interface: Choose the WAN interface for the DDNS service. The traffic
for DDNS services will pass through the specified WAN interface.
NOTE If the WAN redundancy is set to the Failover mode, this option is
grayed out. When WAN failover occurs, DDNS will switch the traffic to
the active WAN interface.
STEP 4
•
User Name: Enter the user name of the account you registered in the DDNS
provider.
•
Password: Enter the password of the account you registered in the DDNS
provider.
•
Host and Domain Name: Specify the complete host name and domain
name for the DDNS service.
•
Use wildcards: Check this box to allow all subdomains of your DDNS host
name to share the same public IP address as the host name.
•
Update every 30 mins: Check this box to update the host information every
30 minutes.
•
Status: Displays the status of DDNS service.
Non-active: Indicates that the DDNS service is not active (daemon does
not start).
Active(initial): Indicates that the DDNS daemon starts but the DDNS
updating process is NOT complete yet.
Active(updated WANx): Indicates that the DDNS updating process is
complete and the address of WANx is updated to the user-specified
domain name.
Click OK to save your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
137
4
Networking
IGMP
STEP 5
Click Save to apply your settings.
IGMP
The Internet Group Management Protocol (IGMP) is a communication protocol
used by hosts and adjacent routers on IP networks to establish multicast group
memberships. IGMP can be used for online streaming video and gaming, and
allows more efficient use of resources when supporting these types of
applications.
The IGMP Proxy mechanism enables hosts that are not directly connected to a
downstream router to join a multicast group sourced from an upstream network.
IGMP snooping constrains IPv4 multicast traffic at Layer 2 by configuring Layer 2
LAN ports dynamically to forward IPv4 multicast traffic only to those ports that
want to receive it. The IGMP snooping is based on the IGMP version 3 that is
backward compatible with the previous versions.
NOTE By default, the multicast traffic from Any zone to Any zone is blocked by the default
firewall access rules. When you enable IGMP Proxy and want to receive the
multicast packets from WAN to LAN, you need to uncheck the Block Multicast
Packets box in the Firewall -> Attack Protection page, and create a firewall
access rule to permit the multicast traffic from WAN to LAN. For more information,
see Configuring a Firewall Access Rule to Allow the Multicast Traffic, page 185.
STEP 1
Click Networking -> IGMP.
The IGMP window opens.
STEP 2
Enter the following information:
•
IGMP Proxy: Click On to enable IGMP Proxy so that your security appliance
can act as a proxy for all IGMP requests and communicate with the IGMP
servers of the ISP, or click Off to disable it.
•
IGMP Version: Choose either IGMPv1&v2 or IGMPv3.
IGMPv1: Hosts can join multicast groups. There are no leave messages.
Routers use a time-out based mechanism to discover the groups that are
of no interest to the members.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
138
4
Networking
VRRP
•
STEP 3
IGMPv2: Leave messages are added to the protocol. This allows group
membership termination to be quickly reported to the routing protocol,
which is important for high-bandwidth multicast groups and/or subnets
with highly volatile group membership.
IGMPv3: Major revision of the protocol. It allows hosts to specify the lists
of hosts from which they want to receive traffic. Traffic from other hosts
is blocked inside the network. It also allows hosts to block packets inside
the network that come from sources sending unwanted traffic.
IGMP Snooping: You can use IGMP snooping in subnets that receive IGMP
queries from either IGMP or the IGMP snooping querier. Click On to enable
IGMP Snooping, or click Off to disable it.
Click Save to apply your settings.
VRRP
The Virtual Router Redundancy Protocol (VRRP) is a redundancy protocol for LAN
access device. VRRP configures a groups of routers (include a master router and
several backup routers) as a virtual router.
STEP 1
Click Networking -> VRRP.
The VRRP window opens.
STEP 2
Check the box of Enable Virutal Router Redundancy Protocol (VRRP) to enable
VRRP, or uncheck the box to disable it.
STEP 3
If you enable VRRP, enter the following information:
•
Interface: The default interface of the master virtual router (your security
appliance).
•
Source IP: The source IP address of the master virtual router.
NOTE If a VRRP router owns the IP address of the virtual router and the IP
address of the physical interface, this router will function as a master
virtual router .
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
139
4
Networking
Configuring the Quality of Service
•
VRID: The master virtual router ID. A virtual router has an unique ID that will
be represented as the unique virtual MAC address. Enter a value from 1 to
255.
•
Priority: The priority of the master virtual router. Priority determines the role
that each VRRP router plays and what happens if the master virtual router
fails. Enter a value from 1 to 254.
•
Advertisement Interval: Specify the interval in seconds between
successive advertisements by the master virtual router in a VRRP group. By
default, the advertisements are sent every second (1). The advertisements
being sent by the master virtual router communicate the state and priority of
the current master virtual router.
NOTE All routers in a VRRP group must use the same advertisement interval
value. If the interval values are not same, the routers in the VRRP group
will not communicate with eachother and any misconfigured router
will change its state to master.
•
•
STEP 4
Verify: Click On to enable the authentication, or click Off to disable it. If you
enable the authentication, specify the authentication method.
Pass: Uses the simple text password as the authentication method. Enter
the password in the field.
AH: Uses the IP authentication as the authentication method.
Virtual IP Address: Enter the virtual IP address used for all backup virtual
routers in the same group.
Click Save to apply your settings.
Configuring the Quality of Service
The Quality of Service (QoS) feature is applied throughout the network to ensure
that network traffic is prioritized according to required criteria and that the desired
traffic receives preferential treatment.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
140
4
Networking
Configuring the Quality of Service
QoS guarantees are important if the network capacity is insufficient, especially for
real-time streaming multimedia applications such as voice over IP, online games,
and IPTV, since these applications are delay sensitive and often require a fixed bit
rate.
This section describes how to configure the WAN, LAN, and WLAN QoS. It
includes the following topics:
•
General QoS Settings, page 141
•
Configuring the WAN QoS, page 141
•
Configuring the LAN QoS, page 147
•
Configuring the Wireless QoS, page 150
General QoS Settings
STEP 1
Click Networking -> QoS -> General Settings.
The General Settings window opens.
STEP 2
STEP 3
Enter the following information:
•
WAN QoS: Check this box to enbale the WAN QoS feature. By default, WAN
QoS is disabled.
•
LAN QoS: The LAN QoS specifies priority values that can be used to
differentiate the traffic and give preference to higher-priority traffic, such as
telephone calls. Check this box to enbale the LAN QoS feature. By default,
LAN QoS is disabled.
•
Wireless QoS: The Wireless QoS controls priority differentiation for data
packets in wireless egress direction. Check this box to enbale the Wireless
QoS feature. By default, Wireless QoS is disabled.
Click Save to apply your settings.
Configuring the WAN QoS
This section describes how to configure the WAN QoS settings. It includes the
following topics:
•
Managing the WAN Bandwidth for Upstream Traffic, page 142
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
141
4
Networking
Configuring the Quality of Service
•
Configuring the WAN Queue Settings, page 142
•
Configuring the Traffic Selectors for WAN Interfaces, page 144
•
Configuring the WAN QoS Policy Profiles, page 145
•
Mapping the WAN QoS Policy Profiles to WAN Interfaces, page 146
Managing the WAN Bandwidth for Upstream Traffic
Use the Bandwidth Settings page to determine how much traffic the WAN
interfaces can send and receive.
STEP 1
Click Networking -> QoS -> WAN QoS -> Bandwidth Settings.
The Bandwidth Settings window opens.
STEP 2
Enter the amount of maximum bandwidth for upstream traffic to allow on WAN1
and WAN2 ports. The range is 0 to 1000000 Kbps.
STEP 3
Click Save to apply your settings.
NOTE Next Steps:
•
To specify the WAN queue settings, go to the WAN QoS -> Queue Settings
page. See Configuring the WAN Queue Settings, page 142.
•
To specify the traffic classes for WAN interfaces, go to the WAN QoS ->
Traffic Selector (Classification) page. See Configuring the Traffic
Selectors for WAN Interfaces, page 144.
•
To create the WAN QoS policy profiles, go to the WAN QoS -> QoS Policy
Profile page. See Configuring the WAN QoS Policy Profiles, page 145.
•
To assign the WAN QoS policy profiles to WAN interfaces, go to the WAN
QoS -> Policy Profile to Interface Mapping page. See Mapping the WAN
QoS Policy Profiles to WAN Interfaces, page 146.
Configuring the WAN Queue Settings
The security appliance supports six queues for WAN ports, Q1 to Q6. There are
three ways of determining how traffic in queues is handled: Strict Priority (SP),
Weighted Round Robin (WRR), and Low Latency Queueing (LLQ).
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
142
4
Networking
Configuring the Quality of Service
STEP 1
SP
Egress traffic from the highest-priority queue (Q1) is transmitted
first. Traffic from the lower queues is processed only after the
highest queue has been transmitted, thus providing the highest
level of priority of traffic to the highest numbered queue.
WRR
Distributes the bandwidth between the classes using the
weighted round robin scheme. The weights decide how fast each
queue can send packets. In WRR mode the number of packets
sent from the queue is proportional to the weight of the queue.
The higher the weight, the more frames are sent.
LLQ
Integrates the SP and WRR queues to provide strict priority
queuing (PQ) to Class-Based Weighted Fair Queuing (CBWFQ).
LLQ allows delay-sensitive data (such as voice) to be given
preferential treatment over other traffic by letting the data to be
dequeued and sent first.
Click Networking -> QoS -> WAN QoS -> Queue Settings.
The Queue Settings window opens.
STEP 2
Specify the way of determining how traffic in queues is handled for each WAN
port.
•
SP: Set the order in which queues are serviced, traffic scheduling for the
selected queue and all higher queues is based strictly on the queue priority,
starting with Q1 (the highest priority queue) and going to the next lower
queue when each queue is complete.
•
WRR: Enter the WRR weight, in percentage, assigned to the queues that you
want to use. Traffic scheduling for the selected queue is based on WRR.
•
LLQ: Applies SP mode to Q1 and WRR mode to Q2 to Q6. Q1 has the highest
priority and is always processed to completion before the lower priority
queues. If you choose LLQ, enter the amount of bandwidth assigned to Q1,
and enter the WRR weights for other queues that you want to use.
•
Random Early Detection: Check the box to enable the Random Early
Detection (RED) mechanism. RED is a congestion avoidance mechanism that
takes advantage of TCP's congestion control mechanism. By randomly
dropping packets prior to periods of high congestion, RED tells the packet
source to decrease its transmission rate. Assuming the packet source is
using TCP, it will decrease its transmission rate until all the packets reach
their destination, indicating that the congestion is cleared.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
143
4
Networking
Configuring the Quality of Service
STEP 3
If needed, you can enter a brief description for each queue in the Queue
Description field.
STEP 4
Click Save to apply your settings.
Configuring the Traffic Selectors for WAN Interfaces
Traffic Selector (or Traffic Classification) is used to classify the traffic through WAN
interfaces to a given traffic class so that traffic in need of management can be
identified.
NOTE The security appliance allows you to create up to 256 traffic selectors.
STEP 1
Click Networking -> QoS -> WAN QoS -> Traffic Selector (Classification).
The Traffic Selector window opens. All existing traffic selectors are listed in the
table.
STEP 2
To add a new traffic selector, click Add.
Other options: To edit an entry, click Edit. To delete an entry, click Delete.
After you click Add or Edit, the QoS Class - Add/Edit window opens.
STEP 3
Enter the following information:
•
Class Name: Enter a descriptive name for the traffic class.
•
Source Address: Choose Any or choose an existing address or group
address (network) that the traffic comes from.
•
Destination Address: Choose Any or choose an existing address or group
address (network) that the traffic goes to.
If the address objects you want are not in the list, choose Create a Group
Address to create a new group address object or choose Create a Single
Address to create a new address object. To maintain the address or group
address objects, go to the Networking -> Address Object Management
page. See Address Management, page 152.
•
Source Service: Choose Any or choose an existing service from the dropdown list.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
144
4
Networking
Configuring the Quality of Service
•
Destination Service: Choose Any or choose an existing service from the
drop-down list.
If the service objects you want are not in the list, choose Create a Single
Service to create a new service object. To maintain the service objects, go
to the Networking -> Service Management page. See Service
Management, page 154.
•
DSCP: DSCP is a field in an IP packet that enables different levels of service
to be assigned to network traffic. Choose the DSCP remarking values for the
traffic class to assign its priority.
•
CoS: QoS-based IEEE 802.1p class of service (CoS) specifies a priority
value of between 0 and 7 that can be used to differentiate traffic and give
preference to higher-priority traffic.Choose the CoS remarking value for the
traffic class.
•
VLAN: Choose the VLAN for identifying the host to which the traffic selector
will apply.
NOTE The traffic that matches up with the above settings will be classified
to a class for management purposes.
STEP 4
Click Save to apply your settings.
Configuring the WAN QoS Policy Profiles
You can create class-based policy profiles for managing traffic through the WAN
ports.
STEP 1
Click Networking -> QoS -> WAN QoS -> QoS Policy Profile.
The QoS Policy Profile window opens. All existing WAN QoS policy profiles are
listed in the table.
STEP 2
To add a new WAN QoS policy profile, click Add.
Other options: To edit an entry, click Edit. To delete an entry, click Delete.
After you click Add or Edit, the QoS Policy Profile - Add/Edit window opens.
STEP 3
Enter the following information:
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
145
4
Networking
Configuring the Quality of Service
STEP 4
•
Policy Name: Enter the name for the WAN QoS policy profile.
•
Policy In/Out: Click Inbound to enable this policy profile for inbound traffic,
or click Outbound to enable this policy profile for outbound traffic.
Specify the QoS settings for the traffic classes that you want to associate with the
policy profile. Up to 64 traffic classes can be associate with one WAN QoS policy
profile.
Click Add to add a rule. After you click Add, the QoS Class - Add/Edit window
opens. Enter the following information:
•
Class: Choose an existing traffic selector (traffic class) to associate with the
policy profile.
•
Queue: For an outbound traffic policy profile, choose the queue for sending
the packets that belongs to the selected traffic class. This option will be
disabled for the inbound traffic policy profile.
•
DSCP Marking: Choose the DSCP remarking value to assign the priority for
the traffic.
•
CoS Marking: For an inbound traffic policy profile, choose the CoS
remarking value to assign the priority for the inbound traffic. This option will
be disabled for the outbound traffic policy profile.
•
Policing: Enter the amount of bandwidth limitation for the selected traffic
class. For example, if this policy profile is applied to inbound traffic, the
policing setting only appies to the incoming traffic that belongs to the
selected class.
STEP 5
Click OK to save your settings.
STEP 6
Click Save to apply your settings.
Mapping the WAN QoS Policy Profiles to WAN Interfaces
You can associate the WAN QoS policy profiles with the WAN interfaces.
STEP 1
Click Networking -> QoS -> WAN QoS -> Policy Profile to Interfaces Mapping.
The Policy Profile to Interfaces Mapping window opens.
STEP 2
To edit the policy profile settings associated with a WAN interface, click Edit.
After you click Edit, the Policy Profile to Interfaces Mapping - Edit window opens.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
146
4
Networking
Configuring the Quality of Service
STEP 3
Enter the following information:
•
Interface: The name of the WAN interface with which the policy profiles are
associated.
•
Inbound Policy Name: Choose an inbound policy profile for managing the
inbound traffic through the selected WAN interface.
•
Outbound Policy Name: Choose an outbound policy profile for managing
the outbound traffic through the selected WAN interface.
STEP 4
Click OK to save your settings.
STEP 5
Click Save to apply your settings.
Configuring the LAN QoS
The LAN QoS specifies priority values that can be used to differentiate traffic and
give preference to higher-priority traffic, such as telephone calls. It includes the
following topics:
•
Configuring the LAN Queue Settings, page 147
•
Configuring the LAN QoS Classification Methods, page 148
•
Mapping CoS to LAN Queue, page 149
•
Mapping DSCP to LAN Queue, page 149
•
Configuring Default CoS, page 149
Configuring the LAN Queue Settings
Use the Queue Settings page to configure whether traffic scheduling on Ethernet
interfaces is based on either SP or WRR, or the combination of the two. The
security appliance supports four queues for LAN traffic, Q1 to Q4.
STEP 1
Click Networking -> QoS -> LAN QoS -> Queue Settings.
The Queue Settings window opens.
STEP 2
If needed, enter the description for each queue in the Queue Description column.
STEP 3
Specify how to determine the traffic in queues.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
147
4
Networking
Configuring the Quality of Service
STEP 4
•
SP: Indicates that traffic scheduling for the selected queue is based strictly
on the queue priority.
•
WRR: Indicates that traffic scheduling for the selected queue is based
strictly on the WRR weights. If WRR is selected, the predefined weights 8, 4,
2 and 1 are assigned to queues 1, 2, 3 and 4 respectively.
•
SP+WRR: Integrates the SP and WRR queues. It applies SP to two groups.
The first group contains the PQ and the second group contains other queues.
If SP+WRR is selected, the PQ is assigned to the Q1 and the predefined
weights 4, 2 and 1 are assigned to Q2, Q3, and Q4 respectively. There is no
limit for PQ, indicating that WRR queues may be starved if PQ is always
sending traffic greater than the maximum bandwidth of the LAN ports.
Click Save to apply your settings.
NOTE Next Steps:
•
To specify the LAN QoS classification method, go to the LAN QoS ->
Classification Method page. See Configuring the LAN QoS Classification
Methods, page 148.
•
To map the CoS to LAN queues, go to the LAN QoS -> Mapping CoS to
Queue page. See Mapping CoS to LAN Queue, page 149.
•
To map the DSCP to LAN queues, go to the LAN QoS -> Mapping DSCP to
Queue page. See Mapping DSCP to LAN Queue, page 149.
•
To configure the default CoS value and trust mode for traffic through each
LAN interface, go to the LAN QoS -> Default CoS page. See Configuring
Default CoS, page 149.
Configuring the LAN QoS Classification Methods
Traffic Classification is used to classify the traffic through the LAN interfaces to a
given traffic class so that the traffic in need of management can be identified.
STEP 1
Click Networking -> QoS -> LAN QoS -> Classification Method.
The Classification Method window opens.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
148
Networking
Configuring the Quality of Service
STEP 2
Depending on your networking design, choose either DSCP or CoS remarking
method for traffic through each LAN interface.
STEP 3
Click Save to apply your settings.
Mapping CoS to LAN Queue
STEP 1
Click Networking -> QoS -> LAN QoS -> Mapping CoS to Queue.
The Mapping CoS to Queue window opens.
STEP 2
Choose the traffic forwarding queue to which the CoS priority tag value is
mapped. Four traffic priority queues are supported, where Q4 is the lowest and
Q1 is the highest.
STEP 3
Click Save to apply your settings.
Mapping DSCP to LAN Queue
STEP 1
Click Networking -> QoS -> LAN QoS -> Mapping DSCP to Queue.
The Mapping DSCP to Queue window opens.
STEP 2
Choose the traffic forwarding queue to which the DSCP priority tag value is
mapped. Four traffic priority queues are supported, where Q4 is the lowest and
Q1 is the highest.
STEP 3
Click Save to apply your settings.
Configuring Default CoS
Use the Default CoS page to configure the default CoS values for incoming
packets through each LAN interface. The possible field values are 0 to 7. The
default CoS value is 0.
STEP 1
Click Networking -> QoS -> LAN QoS -> Default CoS.
The Default CoS window opens.
STEP 2
Enter the following information:
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
149
4
Networking
Configuring the Quality of Service
STEP 3
•
Default CoS: Choose the default CoS priority tag value for the LAN
interfaces, where 0 is the lowest and 7 is the highest.
•
Trust: Choose Yes to keep the CoS tag value for packets through the LAN
interfaces, or choose No to change the CoS tag value for packets through the
LAN interface.
Click Save to apply your settings.
Configuring the Wireless QoS
The Wireless QoS controls priority differentiation for data packets in wireless
egress direction. It includes the following topics:
•
Default Wireless QoS Settings, page 150
•
Configuring the Wireless QoS Classification Methods, page 151
•
Mapping CoS to Wireless Queue, page 151
•
Mapping DSCP to Wireless Queue, page 151
Default Wireless QoS Settings
The Wireless QoS uses the default queuing method for wireless traffic. Wireless
traffic is always trusted. The wireless QoS treats all untagged packets as tagged
packets with the default CoS value 0 so that the security appliance can refer to the
CoS to Queue mapping settings to obtain the corresponding wireless egress
queue.
If you enable WMM for the SSIDs, the following table displays the default mapping
settings between DSCP and WMM. The default mapping settings between CoS or
DSCP and WMM cannot be changed, but the default mapping settings between
CoS or DSCP and wireless queues are editable.
802.1p
DSCP
Wireless Queue
WMM value
000xxx
Q3 (Best Effort Priority)
001xxx
Q4 (Background Priority)
010xxx
Q4 (Background Priority)
011xxx
Q3 (Best Effort Priority)
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
150
4
Networking
Configuring the Quality of Service
802.1p
DSCP
Wireless Queue
WMM value
100xxx
Q2 (Video Priority)
101xxx
Q2 (Video Priority)
110xxx
Q1 (Voice Priority)
111xxx
Q1 (Voice Priority)
Configuring the Wireless QoS Classification Methods
Traffic Classification is used to classify the traffic through the SSIDs to a given
traffic class so that traffic in need of management can be identified. Use the
Classification Method page to specify the classification method that is used by
each SSID individually.
STEP 1
Click Networking -> QoS -> Wireless QoS -> Classification Method.
The Wireless Classification Method window opens.
STEP 2
Depending on your networking design, choose either DSCP or CoS remarking
method for traffic through each active SSID.
STEP 3
Click Save to apply your settings.
Mapping CoS to Wireless Queue
STEP 1
Click Networking -> QoS -> Wireless QoS -> Mapping CoS to Queue.
The Mapping CoS to Queue window opens.
STEP 2
Choose the traffic forwarding queue to which the CoS priority tag value is
mapped.
STEP 3
Click Save to apply your settings.
Mapping DSCP to Wireless Queue
STEP 1
Click Networking -> QoS -> Wireless QoS -> Mapping DSCP to Queue.
The Mapping DSCP to Queue window opens.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
151
4
Networking
Address Management
STEP 2
Choose the traffic forwarding queue to which the DSCP priority tag value is
mapped.
STEP 3
Click Save to apply your settings.
Address Management
Use the Address Object Management page to manage the address and group
address objects. The security appliance is configured with a long list of common
address objects so that you can use to configure the firewall access rules, port
forwarding rules, or other features. For more information, see Default Address
Objects, page 363.
This section includes the following topics:
•
Configuring the Addresses, page 152
•
Configuring the Group Addresses, page 153
Configuring the Addresses
STEP 1
Click Networking -> Address Object Management.
The Address Object Management window opens. All existing address objects are
listed in the Address table.
STEP 2
In the Address Table area, click Add to add a new address.
Other options: To edit an entry, check the box and click Edit. To delete an entry,
check the box and click Delete. To delete multiple entries, check the boxes of
multiple entries and click Delete Selection. The default address object cannot be
edited.
After you click Add or Edit, the Address Table - Add/Edit window opens.
STEP 3
Enter the following informaiton:
•
Name: Enter the name for the address object.
•
Type: Specify the address type and then enter the corresponding
information.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
152
4
Networking
Address Management
Host: Defines a single host by its IP address. The netmask for a Host
address object will automatically be set to 32-bit (255.255.255.255) to
identify it as a single host. If you choose Host, enter the IP address of the
host in the IP Address field.
Range: Defines a range of contiguous IP addresses. No netmask is
associated with the Range address object, but internal logic generally
treats each member of the specified range as a 32-bit masked host
object. If you choose Range, enter the starting IP address in the IP
Address field and the ending IP address in the End IP Address field.
Network: Network address object like the Range object comprises
multiple hosts, but rather than being bound by specified upper and lower
range delimiters, the boundaries are defined by a valid netmask. Network
address objects must be defined by the network’s address and a
corresponding netmask. As a general rule, the first address in a network
(the network address) and the last address in a network (the broadcast
address) are unusable. If you choose Network, enter the subnet IP
address in the IP Address field and the broadcast address in the
Netmask field.
MAC: Identifies a host by its hardware address or MAC (Media Access
Control) address. MAC addresses are uniquely assigned to wired or
wireless networking devices by their hardware manufacturers. MAC
addresses are 48-bit values that are expressed in 6 byte hex-notation. If
you choose MAC, enter the MAC address in the MAC field.
STEP 4
Click OK to save your settings.
STEP 5
Click Save to apply your settings.
Configuring the Group Addresses
A group address combines with multiple addresses. The security appliance can
support up to 64 group addresses. A group address can include up to 64 address
members.
STEP 1
Click Networking -> Address Object Management.
The Address Object Management window opens. All existing group address
objects are listed in the Group Address table.
STEP 2
In the Group Address Table area, click Add Group to add a new group address.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
153
4
Networking
Service Management
Other options: To edit an entry, check the box and click Edit. To delete an entry,
check the box and click Delete. To delete multiple entries, check the boxes of
multiple entries and click Delete Group.
After you click Add or Edit, the Address Table - Add/Edit window opens.
STEP 3
Enter the name for the group address in the Group Name field.
STEP 4
To add the address objects to the group, select the address objects from the left
list and click the right arrow ->.
STEP 5
To remove the address objects from the group, select the address objects from
the right list and click the left arrow <-.
STEP 6
Click OK to save your settings.
STEP 7
Click Save to apply your settings.
Service Management
Use the Services page to maintain the service or group service objects. The
security appliance is configured with a long list of standard services so you can
use to configure the firewall access rules, port forwarding rules, or other features.
For more information, see Default Service Objects, page 360.
This section includes the following topics:
•
Configuring the Services, page 154
•
Configuring the Group Services, page 155
Configuring the Services
If you need to configure a feature for a custom service that is not in the standard
list, you must first define the service object.
STEP 1
Click Network -> Services.
The Services window opens. All existing service objects are listed in the Service
table.
STEP 2
In the Service Table area, click Add to add a new service.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
154
4
Networking
Service Management
Other options: To edit an entry, click Edit. To delete an entry, click Delete. To
delete multiple entries, check the boxs of multiple entries and click Delete
Service.
After you click Add or Edit, the Service Table - Add/Edit window opens.
STEP 3
Enter the following information:
•
Name: Enter the name for the service.
•
Protocol: Specify the protocol and port range for the service:
IP: Uses only the predefined IP types. If you choose this option, enter the
protocol number in the IP Type field.
ICMP: Internet Control Message Protocol (ICMP) is a TCP/IP protocol
used to send error and control messages. If you choose this option, enter
the ICMP type in the ICMP Type field.
TCP: Transmission Control Protocol (TCP) is a transport protocol in TCP/
IP. TCP ensures that a message is sent accurately and in its entirety. If you
choose this option, enter the starting port number in the Port Range
Start field and the ending port number in the Port Range End field.
UDP: User Datagram Protocol (UDP) is a protocol within the TCP/IP
protocol suite that is used in place of TCP when a reliable delivery is not
required. If you choose this option, enter the starting port number in the
Port Range Start field and the ending port number in the Port Range
End field.
Both (TCP/UDP): If you choose this option, enter the starting port
number in the Port Range Start field and the ending port number in the
Port Range End field.
STEP 4
Click OK to save your settings.
STEP 5
Click Save to apply your settings.
Configuring the Group Services
Services that apply to common applications are grouped as a group service
object. The group service object is treated as a single service. A group service
can include up to 64 service members. The security appliance can support up to
64 group services.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
155
4
Networking
Service Management
STEP 1
Click Network -> Services.
The Services window opens. All existing group service objects are listed in the
Group Service table.
STEP 2
In the Group Service Table area, click Add Group to add a new group service.
Other options: To edit an entry, click Edit. To delete an entry, click Delete. To
delete multiple entries, check the boxs of multiple entries and click Delete Group.
After you click Add or Edit, the Service Table - Add/Edit window opens.
STEP 3
Enter the name for the group service in the Name field.
STEP 4
To add the services to the group, select the services from the Services list and
click the right arrow -> to add them into the Member list.
STEP 5
To remove the services from the group, select the services from the Member list
and click the left arrow <-.
STEP 6
Click OK to save your settings.
STEP 7
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
156
5
Wireless Configuration for ISA550W and
ISA570W
This chapter describes how to configure the the radio settings and SSIDs for the
ISA550W and ISA570W. It includes the following sections:
•
Configuring the Radio Settings, page 157
•
Configuring the Access Points, page 162
•
Configuring Wi-Fi Protected Setup, page 172
•
Configuring Wireless Rogue AP Detection, page 173
•
Configuring Wireless Captive Portal, page 174
To access the Wireless pages, click Wireless in the left hand navigation pane.
Configuring the Radio Settings
The ISA550W and ISA570W can function as an Internet or network gateway for
the wireless clients. The ISA550W and ISA570W supports wireless protocols
called IEEE 802.11b, 802.11g, and 802.11n.
This section describes how to configure the wireless radio settings. It includes the
following topics:
•
Basic Radio Settings, page 158
•
Advanced Radio Settings, page 160
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
157
Wireless Configuration for ISA550W and ISA570W
Configuring the Radio Settings
Basic Radio Settings
You can change the wireless network mode to suit the devices in your network,
specify the wireless channel and bandwidth for operation to resolve issues with
interference from other access points in the area, or enable the U-APSD and SSID
Isolation if needed.
STEP 1
Click Wireless -> Basic Settings.
The Basic Settings window opens.
STEP 2
Enter the following information:
•
Wireless Radio: Click On to turn the wireless radio on and hence enable the
wireless network, or click Off to turn the wireless radio off. By default, the
security appliance turns on the wireless radio with predefined standard
settings.
•
Wireless Network Mode: Choose the 802.11 modulation technique. The
ISA550W and ISA550W supports the following radio modes:
•
802.11b only: Choose this mode if all devices in the wireless network
use 802.11b. Only 802.11b clients can connect to the access point.
802.11g only: Choose this mode if all devices in the wireless network
use 802.11g. Only 802.11g clients can connect to the access point.
802.11b/g mixed: Choose this mode if some devices in the wireless
network use 802.11b and others use 802.11g. Both 802.11b and 802.11g
clients can connect to the access point.
802.11n only: Choose this mode if all devices in the wireless network
can support 802.11n. Only 802.11n clients operating in the 2.4 GHz
frequency can connect to the access point.
802.11g/n mixed: Choose this mode to allow 802.11g and 802.11n
clients operating in the 2.4 GHz frequency to connect to the access point.
802.11b/g/n mixed: Choose this mode to allow 802.11b, 802.11g, and
802.11n clients operating in the 2.4 GHz frequency to connect to the
access point.
Wireless Channel: Choose a channel or choose Auto to let the system
determine the optical channel to use based on the environmental noise
levels for the available channels.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
158
Wireless Configuration for ISA550W and ISA570W
Configuring the Radio Settings
STEP 3
•
Bandwidth Channel: Choose 20 MHz or choose Auto to let the system
determine the optical bandwidth channel to use. This setting is specific to
802.11n traffic.
•
Extension Channel: If you choose Auto as the bandwidth channel, choose
either Lower or Upper.
•
U-APSD: Click Enable to enable the Unscheduled Automatic Power Save
Delivery (U-APSD) feature to conserve the power, or click Disable to disable
it.
•
SSID Isolation: Click Enable to enable the SSID Isolation feature so that
SSIDs will not be able to see each other when SSIDs belong to the same
VLAN, or click Disable to disable it. When you enable the SSID Isolation
(among SSIDs), traffic on one SSID will not be forwarded to any other SSIDs.
In the SSID Table area, the SSID table lists four predefined SSIDs on your security
appliance. If needed, you can perform the following tasks:
•
Enable: Check the box to enable the SSID, uncheck the box to disable the
SSID. By default, all four SSID are enabled.
•
SSID Name: Enter an unique identifier for the SSID.
•
SSID Broadcast: Check this box to broadcast the SSID in its beacon frames.
All wireless devices within range are able to see the SSID when they scan
for available networks. Uncheck this box to prevent auto-detection of the
SSID. In this case, users must know the SSID to set up a wireless connection
to this SSID. By default, SSID Broadcast is enabled for each SSID.
NOTE Disabling the SSID Broadcast is sufficient to prevent clients from
accidentally connecting to your network, but it will not prevent even
the simplest of attempts by a hacker to connect or monitor
unencrypted traffic. Suppressing the SSID broadcast offers a very
minimal level of protection on an otherwise exposed network (such as
a guest network) where the priority is making it easy for clients to get
a connection and where no sensitive information is available.
•
WMM: Check this box to enable the Wi-Fi Multimedia (WMM) QoS feature for
the SSID. WMM refers to QoS over Wi-Fi. QoS enables Wi-Fi SSIDs to
prioritize traffic and optimizes the way shared network resources are
allocated among different applications.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
159
Wireless Configuration for ISA550W and ISA570W
Configuring the Radio Settings
If you enable WMM, the wireless QoS settings control the downstream
traffic from the SSID to the client station and the upstream traffic from the
client station to the SSID. Fore more information about Wireless QoS, see
Configuring the Wireless QoS, page 150.
•
STEP 4
Station Isolation: Check this box so that the wireless clients on the same
SSID will not be able to see eachother.
Click Save to apply your settings.
Advanced Radio Settings
Use the Advanced Settings page to specify the advanced radio settings, such as
Guard Interval, CTS Protection Mode, and so forth.
STEP 1
Click Wireless -> Advanced Settings.
The Wireless Advanced Settings window opens.
STEP 2
Enter the following information:
•
Guard Interval: Choose either Long (800 ns) or Short (400 ns) that the
security appliance will retry a frame transmission that fails.
NOTE The short frame is only available when the specified wireless network
mode includes 802.11n.
•
•
CTS Protection Mode: CTS (Clear-To-Send) Protection Mode function
boosts the ability of the access point to catch all Wireless-G transmissions
but will severely decrease performance.
Click AUTO if you want to perform a CTS handshake before transmitting
a packet. This mode can minimize collisions among hidden stations.
Click Disabled if you want to permanently disable this feature.
Power Output: You can adjust the output power of the access point to get
the appropriate coverage for your wireless network. Choose the level you
need for your environment. If you are not sure of which setting to select, then
keep the default setting, 100%.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
160
Wireless Configuration for ISA550W and ISA570W
Configuring the Radio Settings
STEP 3
•
Beacon Interval: Beacon frames are transmitted by the access point at
regular intervals to announce the existence of the wireless network. Set the
interval by entering a value in milliseconds. Enter a value from 20 to 999. The
default is 100 milliseconds, which means that beacon frames are sent every
100 milliseconds.
•
DTIM Interval: The Delivery Traffic Information Map (DTIM) message is an
element that is included in some beacon frames. It indicates that the client
stations that are currently sleeping in low-power mode and have buffered
data on the access point awaiting pickup. Set the interval by entering a value
in beacon frames. Enter a value from 1 to 255. The default is 1 beacon frame,
which means that the DTIM message is included in every second beacon
frame.
•
RTS Threshold: The RTS threshold determines the packet size that requires
a Request To Send (RTS)/Clear To Send (CTS) handshake before sending. A
low threshold setting can be useful in areas where many client devices are
associating with the wireless device, or in areas where the clients are far
apart and can detect only the access point but not other clients. Although a
low threshold value consumes more bandwidth and reduces the throughput
of the packet, frequent RTS packets can help the network to recover from
interference or collisions. Set the threshold by entering the packet size in
bytes. Enter a value from 1 to 2347. The default value is 2347, which
effectively disables RTS.
•
Fragmentation Threshold: The fragmentation threshold is the frame length
that requires packets to be broken up (fragmented) into two or more frames.
Setting a lower value can reduce collisions because collisions occur more
often in the transmission of long frames, which occupy the channel for a
longer time. Use a low setting in areas where communication is poor or
where there is a great deal of radio interference. Set the threshold by
entering the frame length in bytes. Enter a value from 256 to 2346. The
default value is 2346, which effectively disables fragmentation.
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
161
Wireless Configuration for ISA550W and ISA570W
Configuring the Access Points
Configuring the Access Points
The ISA550W and ISA570W support four SSIDs. By default, each SSID has Open
security and is identifying itself to all wireless devices that are in range. For
security purposes, we strongly recommend that you configure each SSID with the
highest level of security that is supported by the wireless devices that you want to
allow into your network.
Multiple SSIDs can segment the wireless LAN into multiple broadcast domains.
This configuration helps you to maintain better control over broadcast and
multicast traffic, which affects network performance.
This section includes the following topics:
•
Configuring the Security Mode, page 162
•
Controlling the Wireless Access Based on MAC Addresses, page 169
•
Mapping the SSID to VLAN, page 170
•
Configuring the SSID Schedule, page 171
Configuring the Security Mode
This section describes how to configure the security mode for the SSID.
NOTE Cisco strongly recommends WPA2 for wireless security. Other security modes are
vulnerable to attacks.
NOTE If the security mode is set as WEP or as WPA with TKIP encryption algorithm for the
SSID that supports 802.11n, the transmit rate for its associated client stations will
not exceed 54 Mbps.
STEP 1
Click Wireless -> Basic Settings.
The Basic Settings window opens.
STEP 2
In the SSID table area, click Edit to edit the settings for the SSID.
After you click Edit, the SSID Configurations - Edit window opens.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
162
Wireless Configuration for ISA550W and ISA570W
Configuring the Access Points
STEP 3
In the Edit Security Mode tab, choose the security mode and configure the
correponding settings:
•
SSID Name: The name of the SSID on which the security mode settings are
applied.
•
Security Mode: Choose the encryption algorithm for the data encryption to
be configured in the SSID.
Security
Mode
Description
Open
Any wireless device that is in range can connect to the SSID.
WEP
Wired Equivalent Privacy (WEP) is a data encryption
protocol for 802.11 wireless networks. All wireless stations
and SSIDs on the network are configured with a static 64-bit
or 128-bit Shared Key for data encryption. The higher the bit
for data encryption, the more secure for your network.
WEP encryption is an older encryption method that is not
considered to be secure and can easily be broken. Select
this option only if you need to allow access to devices that
do not support WPA or WPA2.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
163
Wireless Configuration for ISA550W and ISA570W
Configuring the Access Points
Security
Mode
Description
WPA
Wi-Fi Protected Access (WPA) provides better security than
WEP because it uses dynamic key encryption. This
standard was implemented as an intermediate measure to
replace WEP, pending final completion of the 802.11i
standard for WPA2.
The following WPA security modes are supported on your
security appliance. Choose one of them if you need to allow
access to devices that do not support WPA2.
WPA2
•
WPA-Personal: WPA-Personal supports TKIP
(Temporal Key Integrity Protocol) or AES (Advanced
Encryption System) encryption mechanisms for data
encryption (default is TKIP). TKIP uses dynamic keys
and incorporates Message Integrity Code (MIC) to
provide protection against hackers. AES uses
symmetric 128-bit block data encryption.
•
WPA-Enterprise: WPA-Enterprise uses an external
RADIUS server for client authentication. WPAEnterprise supports TKIP and AES encryption
mechanisms (default is TKIP). This security mode is
only available when a RADIUS server is connected to
the SSID.
WPA2 provides the best security for wireless transmissions.
This method implements the security standards specified in
the final version of 802.11i.
The following WPA2 security modes are supported on your
security appliance:
•
WPA2-Personal: WPA2-Personal always uses AES
encryption mechanism for data encryption.
•
WPA2-Enterprise: WPA2-Enterprise uses an
external RADIUS server for client authentication.
WPA2-Enterprise always uses AES encryption
mechanism for data encryption. This security mode is
only available when a RADIUS server is connected to
the SSID.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
164
Wireless Configuration for ISA550W and ISA570W
Configuring the Access Points
Security
Mode
Description
WPA +
WPA2
This mode allows both WPA and WPA2 clients to connect
simultaneously. The SSID automatically chooses the
encryption algorithm used by each client device. This
option is a good choice to enable a higher level of security
while allowing access by devices that might not support
WPA2.
The following WPA+WPA2 security modes are supported
on your security appliance:
RADIUS
•
WPA/WPA2-Personal Mixed: This security mode
supports the transition from WPA?Personal to
WPA2?Personal. You can have client devices that use
either WPA?Personal or WPA2?Personal.
•
WPA/WPA2-Enterprise Mixed: This security mode
supports the transition from WPA?Enterprise to
WPA2?Enterprise. You can have client devices that
use either WPA?Enterprise or WPA2?Enterprise.
This security mode uses the RADIUS servers for client
authentication and uses dynamic WEP key generation for
data encryption.
This security mode is only available when a RADIUS server
is connected to the SSID.
STEP 4
If you choose Open as the security mode, no other options are configurable. This
mode means that any data transferred to and from the SSID is not encrypted. This
security mode can be useful during initial network configuration or for problem
solving, but it is not recommended for regular use on the Internal network because
it is not secure.
STEP 5
If you choose WEP as the security mode, enter the following information:
•
Authentication Type: Choose either Open System or Shared key, or
choose Auto to let the security appliance accept both Open System and
Shared Key schemes.
•
Default Transmit Key: Choose a key index as the default transmit key. Key
indexes 1 through 4 are available.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
165
Wireless Configuration for ISA550W and ISA570W
Configuring the Access Points
STEP 6
STEP 7
STEP 8
•
Encryption: Choose the encryption type: 64 bits (10 hex digits), 64 bits (5
ASCII), 128 bits (26 hex digits), or 128 bits (13 ASCII). The default is 64 bits
(10 hex digits). The larger size keys provide stronger encryption, thus making
the key more difficult to crack.
•
Passphrase: If you want to generate WEP keys by using a Passphrase, enter
any alphanumeric phrase (longer than 8 characters for optimal security) and
then click Generate to generate four unique WEP keys. Select one key to use
as the key that devices must have to use the wireless network.
•
Key 1-4: If a WEP Passphrase is not specified, a key can be entered directly
into one of the Key boxes. The length of the key should be 5 ASCII characters
(or 10 hex characters) for 64-bit WEP and 13 ASCII characters (or 26 hex
characters) for 128-bit WEP.
If you choose WPA-Personal as the security mode, enter the following
information:
•
Encryption: Choose either TKIP or AES as the encryption algorithm for data
encryption. The default is TKIP.
•
Shared Secret: The Pre-shared Key (PSK ) is the shared secret key for WPA.
Enter a string of at least 8 characters to a maximum of 63 characters.
•
Key Renewal Timeout: Enter a value to set the interval at which the key is
refreshed for clients associated to this SSID. The valid range is 0 to 86400
seconds. A value of 0 indicates that the key is not refreshed. The default is
3600 seconds.
If you choose WPA2-Personal as the security mode, enter the following
information:
•
Encryption: WPA2-Personal always uses AES for data encryption.
•
Shared Secret: The Pre-shared Key (PSK ) is the shared secret key for WPA.
Enter a string of at least 8 characters to a maximum of 63 characters.
•
Key Renewal Timeout: Enter a value to set the interval at which the key is
refreshed for clients associated to this SSID. The valid range is 0 to 86400
seconds. A value of 0 indicates that the key is not refreshed. The default is
3600 seconds.
If you choose WPA/WPA2-Personal Mixed as the security mode, enter the
following information:
•
Encryption: WPA/WPA2-Personal Mixed automtically choose TKIP or AES
for data encryption.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
166
Wireless Configuration for ISA550W and ISA570W
Configuring the Access Points
STEP 9
•
Shared Secret: The Pre-shared Key (PSK ) is the shared secret key for WPA.
Enter a string of at least 8 characters to a maximum of 63 characters.
•
Key Renewal Timeout: Enter a value to set the interval at which the key is
refreshed for clients associated to this SSID. The valid range is 0 to 86400
seconds. A value of 0 indicates that the key is not refreshed. The default is
3600 seconds.
If you choose WPA-Enterprise as the security mode, enter the following
information:
•
Encryption: Choose either TKIP or AES as the encryption algorithm for data
encryption. The default is TKIP.
•
Key Renewal Timeout: Enter a value to set the interval at which the key is
refreshed for clients associated to this AP. The valid range is 0 to 86400
seconds. A value of 0 indicates that the key is not refreshed. The default is
3600 seconds.
•
RADIUS Server ID: The security appliance predefines three RADIUS
groups, choose an existing RADIUS group for client authentication. The
following RADIUS server settings of the selected group are displayed.
Primary RADIUS Server IP Address: The IP address for the primary
RADIUS server.
Primary RADIUS Server Port: The port number for the primary RADIUS
server.
Primary RADIUS Server Shared Secret: The shared secret key for the
primary RADIUS server.
Secondary RADIUS Server IP Address: The IP address for the
secondary RADIUS server.
Secondary RADIUS Server Port: The port number for the secondary
RADIUS server.
Secondary RADIUS Server Shared Secret: The shared secret key for
the secondary RADIUS server.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
167
Wireless Configuration for ISA550W and ISA570W
Configuring the Access Points
NOTE You can also change the settings in the above fields.The RADIUS
server settings you specify will replace the default settings of the
selected group. Go to the Device Management -> RADIUS Settings
page to maintain the RADIUS server settings. See Configuring the
RADIUS Servers, page 319.
STEP 10 If you choose WPA2-Enterprise as the security mode, enter the following
information:
•
Encryption: WPA2-Enterprise always uses AES encryption algorithm for
data encryption.
•
Key Renewal Timeout: Enter a value to set the interval at which the key is
refreshed for clients associated to this AP. The valid range is 0 to 86400
seconds. A value of 0 indicates that the key is not refreshed. The default is
3600 seconds.
•
RADIUS Server ID: Choose an existing RADIUS group for client
authentication. The RADIUS server settings of the selected group are
displayed. You can also change the RADIUS server settings.The RADIUS
server settings you specify will replace the default settings of the selected
group. Go to the Device Management -> RADIUS Settings page to
maintain the RADIUS server settings. See Configuring the RADIUS
Servers, page 319.
STEP 11 If you choose WPA/WPA2-Enterprise Mixed as the security mode, enter the
following information:
•
Encryption: WPA/WPA2-Enterprise Mixed automatically choose TKIP or
AES encryption algorithm for data encryption.
•
Key Renewal Timeout: Enter a value to set the interval at which the key is
refreshed for clients associated to this AP. The valid range is 0 to 86400
seconds. A value of 0 indicates that the key is not refreshed. The default is
3600 seconds.
•
RADIUS Server ID: Choose an existing RADIUS group for client
authentication. The RADIUS server settings of the selected group are
displayed. You can also change the RADIUS server settings.The RADIUS
server settings you specify will replace the default settings of the selected
group. Go to the Device Management -> RADIUS Settings page to
maintain the RADIUS server settings. See Configuring the RADIUS
Servers, page 319.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
168
Wireless Configuration for ISA550W and ISA570W
Configuring the Access Points
STEP 12 If you choose RADIUS as the security mode, choose an existing RADIUS group for
client authentication from the RADIUS Server-ID drop-down list. The RADIUS
server settings of the selected group are displayed. You can also change the
RADIUS server settings.The RADIUS server settings you specify will replace the
default settings of the selected group. Go to the Device Management -> RADIUS
Settings page to maintain the RADIUS server settings. See Configuring the
RADIUS Servers, page 319.
STEP 13 Click OK to save your settings.
STEP 14 Click Save to apply your settings.
Controlling the Wireless Access Based on MAC Addresses
The MAC Filtering feature can permit or block the access to the SSID by the MAC
addresses of wireless clients. The default is “Open” access, which means that the
MAC filtering is disabled.
The MAC Filtering provides additional security, but it also adds to the complexity
and maintenance. Be sure to enter each MAC address correctly to ensure that the
policy is applied as intended.
Before performing this procedure, decide whether you want to enter a list of MAC
addresses that will be blocked or allowed access. Generally it is easier and more
secure to use this feature to allow access to the specified MAC addresses,
thereby denying access to unknown MAC addresses.
STEP 1
Click Wireless -> Basic Settings.
The Wireless Basic Settings window opens.
STEP 2
In the SSID table area, click Edit to edit the settings of the SSID.
After you click Edit, the Edit window opens.
STEP 3
In the Edit MAC Filtering tab, enter the following information:
•
SSID Name: The name of the SSID on which the MAC Filtering settings are
applied.
•
Connection Control: Check the Enable box to enable the MAC Filtering
feature for the SSID. If you enabled this feature, choose one of the following
options as the MAC filtering policy:
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
169
Wireless Configuration for ISA550W and ISA570W
Configuring the Access Points
Allow Only the Following MAC Addresses to Connect to the Wireless
Network: All devices in the MAC Address table are allowed to connect
to this SSID. All other devices are denied access.
Prevent the Following MAC Addresses from Connecting to the
Wireless Network: All devices in the MAC Address table are prevented
from connecting to this SSID. All other devices are allowed access.
STEP 4
Specify the list of MAC addresses. You can add up to 16 MAC addresses you
want to deny or permit.
STEP 5
Click OK to save your settings.
STEP 6
Click Save to apply your settings.
Mapping the SSID to VLAN
STEP 1
Click Wireless -> Basic Settings.
The Wireless Basic Settings window opens.
STEP 2
In the SSID table area, click Edit to edit the settings of the SSID.
After you click Edit, the Edit window opens.
STEP 3
In the Edit VLAN tab, enter the following information:
•
SSID Name: The name of the SSID on what the VLAN mapping setting is
applied.
•
VLAN ID: Choose the VLAN from the drop-down list. The SSID is mapped to
the selected VLAN. All traffic from the wireless clients that are connected to
this SSID will be directed to the selected VLAN.
STEP 4
Click OK to save your settings.
STEP 5
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
170
Wireless Configuration for ISA550W and ISA570W
Configuring the Access Points
Configuring the SSID Schedule
You can specify the schedule to keep the SSID active within a certained time per
day.
STEP 1
Click Wireless -> Basic Settings.
The Wireless Basic Settings window opens.
STEP 2
In the SSID table area, click Edit to edit the settings of the SSID.
After you click Edit, the Edit window opens.
STEP 3
In the Scheduling tab, you can specify the time per day to keep the SSID active.
Enter the following information:
•
SSID Name: The name of the SSID on which the schedule setting is applied.
•
Active Time: Click On to enable the schedule feature for the SSID, or click
Off to disable it. Disabling the schedule feature will keep the SSID active in
24 hours per day. If you enable this feature, configure the time range per day
to keep this SSID active.
Start Time: Enter the values in the hour and minute fields, and choose
AM or PM from the drop-down list.
Stop Time: Enter the values in the hour and minute fields, and choose
AM or PM from the drop-down list.
STEP 4
Click OK to save your settings.
STEP 5
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
171
Wireless Configuration for ISA550W and ISA570W
Configuring Wi-Fi Protected Setup
Configuring Wi-Fi Protected Setup
The Wi-Fi Protected Setup (WPS) protocol can simplify the process of configuring
the security on wireless networks. The WPS protocol allows the home users who
know little of wireless security and may be intimidated by the available security
options to configure the Wi-Fi Protected Access, which is supported by all Wi-Fi
certified devices.
STEP 1
Click Wireless -> Wi-Fi Protected Setup.
The Wi-Fi Protected Setup window opens.
STEP 2
Click On to enable WPS, or click Off to disable it. Three WPS methods are
available to the wireless clients.
STEP 3
If the wireless client has a WPS button, follow these steps to estabilsh the wireless
connection:
a. Press the WPS button on the wireless client.
b. Click the WPS button on this page.
c. Verify that the wireless client is connected to the SSID.
STEP 4
If the wireless client has a WPS PIN number, follow these steps to establish the
wireless connection:
a. Get the PIN number on the wireless client.
b. Enter the PIN number on this page, and then click Enter.
c. Verify that the wireless client is connected to the SSID.
STEP 5
If the wireless client asks for the PIN number of the security appliance, follow
these steps to establish the wireless connection:
a. Click Generate to generate a PIN number.
b. Enter the registered PIN number on the wireless client.
c. Verify that the wireless client is connected to the SSID.
STEP 6
Check the following WPS status:
•
WPS Config Status: If you enable WPS, it shows as “Configured”.
•
Network Name (SSID): Choose the SSID on which the WPS setting is
applied.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
172
Wireless Configuration for ISA550W and ISA570W
Configuring Wireless Rogue AP Detection
STEP 7
•
Security: The security mode used for the selected SSID.
•
Encryption: The encryption method used for the selected SSID.
Click Save to apply your settings.
Configuring Wireless Rogue AP Detection
A Rogue access point (Rogue AP) is any Wi-Fi access point connected to your
network without authorization. It is not under the management of your network
administrators and does not necessarily conform to your network security
policies.
A Rogue AP allows anyone with a Wi-Fi-equipped device to connect to your
corporate network, leaving your IT assets wide open for the casual snooper or
criminal hacker.
Rogue APs can be a problem even if your company does not have its own wireless
LAN. Often employees seeking to enhance their productivity will innocently install
an access point for their personal use on your network without understanding the
security risks.
The security appliance is configurable by the network administrator to provide
proactive rogue AP detection in the 2.4 GHz band. Rogue AP Detection (RAD) is
able to discover, detect, and report an unauthorized AP. You can specify an
authorized AP by its MAC address.
STEP 1
Click Wireless -> Rogue AP Detection.
The Rogue AP Detection window opens.
STEP 2
Click On to enable the Rogue AP Detection feature, or click Off to disable it.
STEP 3
After you enable Rogue AP Detection, Rogue APs detected by your security
appliance appear in the Detected Rogue AP list. Click Refresh to update the
Detected Rogue AP list.
STEP 4
To set an AP as an authorized AP, click Grant Access. The granted AP is moved to
the Known AP list.
STEP 5
The security appliance will not detect the authorized APs. You can specify the
authorized APs in the known AP list.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
173
Wireless Configuration for ISA550W and ISA570W
Configuring Wireless Captive Portal
STEP 6
•
To add an authorized AP in the known AP list, click Add.
•
To delete an authorized AP from the known AP list, click Delete.
•
To change the MAC address of an authorized AP, click Edit.
•
To export the known AP list to a file, click Export List.
•
To import the known AP list from a file, click Import List.
If you want to replace the current known AP list, choose Replace. Click
Browse to locate the file, and then click OK.
If you want to merge with the current known AP list, choose Merge. click
Browse to locate the file, and then click OK.
Click Save to apply your settings.
Configuring Wireless Captive Portal
The Captive Portal feature allows the wireless users who authenticated
successfully to be directed to a specified web page (portal) before they can
access the Internet. The wireless users will be directed to a specified web
authentication login page to authenticate, and then be directed to the specified
web portal after login.
STEP 1
Click Wireless -> Captive Portal.
The Captive Portal window opens.
STEP 2
Enter the following information:
•
Enable Captive Portal: Click On to enable the captive portal feature, or click
Off to disable it.
•
Apply On: Choose the SSID on which the captive portal settings are applied.
NOTE The captive portal WLAN access can be only applied on one SSID.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
174
Wireless Configuration for ISA550W and ISA570W
Configuring Wireless Captive Portal
•
Web Authentication Type: Choose one of the following methods for web
authentication. The security appliance can authenticate the wireless users
by using the local database and external AAA server (such as RADIUS, AD,
LDAP, and so forth). The authentication method is derived from the user login
settings that you specified in the Users -> Settings page.
Internal: Uses the default web authentication login page to authenticate
the wireless users. If you choose this option, you can modify the following
information on the default web authentication login page:
Cisco Logo: If you want to hide the Cisco logo that appears in the top
right corner of the default page, choose Hide. Otherwise, choose Show.
Headline: If you want to create your own headline on the login page,
enter the desired text in this field.
Message: If you want to create your own message on the login page,
enter the desired text in this field.
•
Internal, No auth with accept button: Allows users to access the
wireless network without entering a user name and password. If you
choose this option, a web passthrough window is prompted. Click the
Accept button to access the network without the user name and
password.
External Web Server: Uses a customized web authentication login page
on an external web server to authenticate the wireless users. If you
choose this option, enter the IP address of the external web server in the
Authentication Web Server field and the key in the Authentiation Web
Key field. The authentication web key is used to protect the user name
and password that the external web server sends to your security
appliance for authentication.
External, No auth with accept button: Allows users to access the
wireless network without entering a user name and password. If you
choose this option, a web passthrough window is prompted. Click the
Accept button to access the network without the user name and
password.
Redirected URL After Login: If you want the wireless users to be directed
to a particular URL (such as the URL for your company) after login, enter the
desired URL (such as www.AcompanyBC.com) in this field. If you do not
specify the portal (keep it blank), the wireless user can access the original
web site directly.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
175
Wireless Configuration for ISA550W and ISA570W
Configuring Wireless Captive Portal
For example, if you select Internal for authentication and the web portal is
set to www.ABcompanyC.com. When a wireless user tries to access the
website www.google.com, the default web authentication login page opens.
The user needs to enter the user name and password information, and then
click Submit. After passed the authentication, first the user is directed to the
web portal (www.ABcompanyC.com), and then access the website
(www.google.com).
STEP 3
•
Session Timeout: Enter the timeout value in minutes that the wireless
session can remain connected. The session is terminated and the client
needs to re-authenticate over the session timeout. A value of zero (0)
indicates that the wireless client can log in and use the service as long as he
or she wants to.
•
Logo File: You can import your company logo to change the default Cisco
logo that appears in the top right corner of the default page. Click Browse to
locate and select the logo file from your local PC, and then click Upgrade. To
delete the upgraded logo file and revert the default Cisco logo, click Delete.
In the Monitored HTTP Port List area, you can specify the HTTP ports to be
monitored. The security appliance redirects the wireless access through the
monitored ports to the specified web portal.
a. To add a monitored http port, click Add. After you click Add, the Port
Configuration - Add/Edit window opens.
b. Enter the port number from 1 to 65535 in the Port field.
c. Click OK to save your settings.
STEP 4
In the Open Domain List area, you can specify an IP address or a domain name of
a website to be opened by the security appliance. The wireless users can access
the website directly.
a. To add an open domain, click Add. After you click Add, the Domain
Configuration - Add/Edit window opens.
b. Enter the IP address or domain name in the Domain field.
c. Click OK to save your settings.
STEP 5
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
176
6
Firewall
This chapter describes how to control network access through the security
appliance by using the zone-based firewall access rules or other methods such as
MAC Filtering and Content Filtering. It includes the following sections:
•
Configuring the Firewall Access Rules to Control Inbound and Outbound
Traffic, page 178
•
Configuring the Firewall Schedule, page 186
•
Firewall Access Rule Configuration Examples, page 187
•
Configuring the NAT Rules to Securely Access a Remote Network,
page 192
•
Configuring the Session Settings, page 200
•
Configuring the Content Filtering to Control Access to Internet,
page 201
•
Configuring the MAC Filtering to Permit or Block Traffic, page 205
•
Configuring the IP/MAC Binding to Prevent Spoofing, page 206
•
Configuring the Attack Protection, page 207
•
Configuring the Application Level Gateway, page 209
To access the Firewall pages, click Firewall in the left hand navigation pane.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
177
6
Firewall
Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic
Configuring the Firewall Access Rules to Control Inbound and
Outbound Traffic
The zone-based firewall access rules can permit or deny inbound or outbound
traffic based on the zone, service, source and destination address. It includes the
following sections:
•
Default Firewall Settings, page 178
•
Priorities of Firewall Access Rules, page 180
•
Preliminary Tasks for Configuring the Firewall Access Rules, page 180
•
General Settings for Configuring the Firewall Access Rules, page 181
•
Configuring a Firewall Access Rule, page 183
•
Configuring a Firewall Access Rule to Allow the Multicast Traffic,
page 185
NOTE For detailed firewall configuration examples, see Firewall Access Rule
Configuration Examples, page 187.
Default Firewall Settings
By default, your firewall prevents all traffic from a lower security level to a higher
security level (commonly known as Inbound) and allows all traffic from a higher
security level to a lower security level (commonly known as Outbound). If you want
to allow some inbound access or prevent some outbound access, you must
configure the firewall access rules.
The following table lists the default access control settings for the traffic between
different security levels. For more information about the security level definition for
zones, see Security Levels for Zones, page 128.
From\To
Trusted(100)
VPN(75)
Public(50)
GUEST(25)
Untrust(0)
Trusted(100)
Deny
Permit
Permit
Permit
Permit
VPN(75)
Deny
Deny
Permit
Permit
Permit
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
178
6
Firewall
Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic
From\To
Trusted(100)
VPN(75)
Public(50)
GUEST(25)
Untrust(0)
Public(50)
Deny
Deny
Deny
Permit
Permit
GUEST(25)
Deny
Deny
Deny
Deny
Permit
Untrust(0)
Deny
Deny
Deny
Deny
Deny
The default access behaviors for all predefined zones and new zones follow the
above settings depending on their security levels. For example, if you create a
new trusted zone called “Data”, a certain of firewall access rules are automatically
generated to permit or block the traffic from the Data zone to other zones or from
other zones to the Data zone. The permit or block action is determined by the
security levels of the From and To zones. For example, the traffic from the Data
zone to the predefined WAN zone is permitted, but the traffic from the Data zone to
the predefined LAN zone is blocked.
Use the Default Policy page to view the default firewall access settings for all
predefined zones.
STEP 1
Click Firewall -> ACL Rules -> Default Policy.
The Default Policy window opens. The default access settings for all predefined
zones are listed in the table.
STEP 2
To expand the default access settings for a specific zone, click the Expand button.
To hide the default access settings for a specific zone, click the Collapse button.
The following behaviors are predefined on the security appliance.
From \To
LAN
VIOCE
VPN
SSLVPN
DMZ
GUEST
WAN
LAN
NA
Deny
Permit
Permit
Permit
Permit
Permit
VOICE
Deny
NA
Permit
Permit
Permit
Permit
Permit
VPN
Deny
Deny
NA
Deny
Permit
Permit
Permit
SSLVPN
Deny
Deny
Deny
NA
Permit
Permit
Permit
DMZ
Deny
Deny
Deny
Deny
NA
Permit
Permit
GUEST
Deny
Deny
Deny
Deny
Deny
NA
Permit
WAN
Deny
Deny
Deny
Deny
Deny
Deny
NA
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
179
Firewall
Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic
NOTE The firewall access rules only support for inter-zones.
Priorities of Firewall Access Rules
The security appliance includes three types of firewall access rules:
•
Default access rules: The firewall access rules that are predefined on your
security appliance for all predefined zones and new zones. The default
access rules cannot be deleted and edited.
•
Custom access rules: The firewall access rules that are customized by
users. The security appliance supports up to 100 custom access rules.
•
VPN access rules: The firewall access rules that are automatically
generated by the VPN access control settings. The VPN access rules
cannot be edited in the Firewall -> ACL Rules -> Rule page. To edit the
VPN access control settings, go to the VPN pages. For more information
about the VPN access control settings, see VPN, page 232.
All firewall access rules are displayed in the Rule table and sorted by the priority.
The custom access rules have the highest priority. The VPN access rules have
higher priorities than the default access rules, but lower than the custom access
rules.
Preliminary Tasks for Configuring the Firewall Access Rules
Depending on the firewall settings that you want to use, you might need to
complete the following tasks before you configure the firewall access rules:
•
To create the firewall access rule that applies only to a specific zone except
the predefined zones, first create the zone. See Configuring the Zones,
page 127.
•
To create the firewall access rule that applies to a specific service or
service group, first create the service or service group object. See Service
Management, page 154.
•
To create the firewall access rule that applies only to a specific address or
group address, first create the address or group address object. See
Address Management, page 152.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
180
Firewall
Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic
•
To create the firewall access rule that applies only at a specific day and
time, first create the firewall schedule. See Configuring the Firewall
Schedule, page 186.
General Settings for Configuring the Firewall Access Rules
STEP 1
Click Firewall -> ACL Rules-> Rule.
The ACL Rules window opens. The Rule table includes the default access rules,
the custom access rules that are customized by users, and the VPN access rules
that are automatically generated by your VPN configurations. The firewall access
rules are sorted by the priority. The custom access rule with the highest priority
locates at the top of the table.
STEP 2
You can reorder the custom access rules by priority. You can move a rule up, move
a rule down, or move it to a specified location in the table.
•
MoveUp: Moves the rule up one position.
•
MoveDown: Moves the rule down one position.
•
Move: Moves the rule to a specific location. Enter the target index number to
move the selected rule to.
For example: A target index of 2 moves the rule to position 2 and moves the
other rules down to position 3 in the list.
NOTE You cannot reorder the default access rules and VPN access rules.
The custom access rules cannot be moved lower than the default
access rules and VPN access rules.
STEP 3
To view the access rules belonging to the same group, choose the source and
destination zone from the From Zone and To Zone drop-down lists and click
Apply. Only the rules for the specified zones appear.
For example: If you choose WAN from the From Zone drop-down list and choose
LAN from the To Zone drop-down list, only the access rules from WAN zone to
LAN zone appear.
STEP 4
You can perform other tasks for access rules:
•
Enable: Check this box to enable an access rule, or uncheck this box to
disable it. By default, all default access rules are enabled.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
181
Firewall
Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic
•
Add: To add a new entry, click Add.
•
Edit: To edit an entry, click Edit.
•
Delete: To delete an entry, click Delete.
•
Delete Selection: To delete multiple selected entries, check the boxes in the
first column of the table heading and click Delete Selection.
•
Log: Check this box to log the events when a firewall access rule is hit.
To log the firewall events, check the Log boxes for the firewall access rules,
and then go to the Device Management -> Loggings pages to configure the
log settings and log facilities:
To save the firewall logs in the lcoal syslog daemon, you need to enable
the Log feature, set the log buffer size and the severity for local log, and
then check the Local Log box for the Firewall log facility.
To save the firewall logs to the remote syslog server if you have a remote
syslog server support, you need to enable the Log feature, specify the
Remote Log settings, and then check the Remote Log box for the
Firewall log facility.
For more information about how to configure the log settings and log
facilities, and how to view the logs, see Log Management, page 302.
•
Action: To permit traffic access, choose Permit. To deny traffic access,
choose Deny. To increase the Hit Count number by one when the packet hits
the access rule, choose Accounting.
•
Detail: To view the detail of an access rule, click Detail.
•
Reset Count: To set the values in the Hit Count culumn for all access rules to
zero, click Reset Count.
NOTE The default access rules can not be disabled, deleted, edited, and
moved.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
182
Firewall
Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic
Configuring a Firewall Access Rule
STEP 1
Click Firewall -> ACL Rules -> Rule.
The ACL Rules window opens.
STEP 2
To add a new access rule, click Add.
After you click Add, the Rule - Add/Edit window opens.
STEP 3
Enter the following information:
•
Enable: Click On to enable the access rule, or click Off to create only the
access rule.
•
From Zone: Choose the source zone for the traffic that is covered by this
access rule. For example, choose DMZ if the traffic is coming from a server
on your DMZ.
•
To Zone: Choose the destination zone for the traffic that is covered by this
access rule. For example, choose WAN if the traffic is going to the Internet.
NOTE Only the existing zones are selectable. To create new zones, go to the
Networking -> Zone page. For more information about zone
configurations, see Configuring the Zones, page 127.
•
Services: Choose an existing service or group service that is covered by
this rule. If the service or group service you want is not in the list, choose
Create New Service to create new service objects, or choose Create New
Group to create new group service objects. To maintain the service and
group service objects, go to the Networking -> Service Management
page. See Service Management, page 154.
•
Source Address: Choose an existing address or group address as the
source address or network that is covered by this access rule.
•
Destination Address: Choose an existing address or group address as the
destination address or network that is covered by this access rule.
If the address or group address you want is not in the list, choose Create
New Address to create new address objects, or choose Create New Group
to create new group address objects. To maintain the address and address
group objects, go to the Networking -> Address Object Management
page. See Address Management, page 152.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
183
Firewall
Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic
•
Schedule: By default, the access rule is always on. If you want to keep the
access rule active at the specified date and time, choose the schedule for
the access rule. If the schedule you want is not in the list, choose Create
New Schedule to create new firewall schedules. To maintain the firewall
schedules, go to the Firewall -> Schedule page. See Configuring the
Firewall Schedule, page 186.
•
Log: Click On to log the event when a firewall access rule is hit. To log the
firewall events, you first need to enable the Log feature and configure the log
settings and log facilities. For more information about how to configure the
log settings and log facilities, and how to view the logs, see Log
Management, page 302.
•
Match Action: Choose the action when the traffic match up with the access
rule.
Deny: Deny the access.
Permit: Permit the access.
Accounting: Increase the Hit Count number by one when the packet hits
the access rule.
STEP 4
Click OK to save your settings.
STEP 5
Click Save to apply your settings.
NOTE In addition to configuring the firewall access rules, you can use the following
methods to control the traffic:
•
Preventing common types of attacks. See Configuring the Attack
Protection, page 207.
•
Allowing or blocking traffic from specified MAC addresses. See
Configuring the MAC Filtering to Permit or Block Traffic, page 205
•
Associating IP addresses with MAC addresses to prevent spoofing. See
Configuring the IP/MAC Binding to Prevent Spoofing, page 206
•
Allowing or blocking the websites that contain a specific URL or URL
keyword. See Configuring the Content Filtering to Control Access to
Internet, page 201.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
184
Firewall
Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic
Configuring a Firewall Access Rule to Allow the Multicast
Traffic
By default, the multicast traffic from any zone to any zone is blocked by the default
firewall access rules. To enable the multicast, you first need to uncheck the Block
Multicast Packets box in the Firewall -> Attack Protection page and then
manually create the firewall rules to allow multicast forwarding from a specific
zone to other zones. The security appliance predefines a multicast address for this
purpose.
For example, IGMP Proxy can be active from WAN to LAN. When you enable IGMP
Proxy and want to receive the multicast packets from WAN to LAN, you need to
uncheck the Block Multicast Packets box in the Firewall -> Attack Protection
page, and create a firewall access rule to permit the multicast traffic from WAN to
LAN.
This section provides a configuration example about how to create a WAN-to-LAN
access rule to permit the multicast traffic by using the predefined multicast
address.
STEP 1
Click Firewall -> ACL Rules -> Rule.
The ACL Rules window opens.
STEP 2
To add a new access rule, click Add.
After you click Add, the Rule - Add/Edit window opens.
STEP 3
Enter the following information:
•
Enable: Click On to enable the fireall access rule.
•
From Zone: Choose WAN as the source zone of the traffic.
•
To Zone: Choose LAN as the destination zone of the traffic.
•
Services: Choose ANY for this rule.
•
Source Address: Choose ANY as the source address for this rule.
•
Destination Address: Choose the existing address called “Multicast” as the
destination address for this rule. The Multicast address object is predefined
on your security appliance for creating multicast firewall access rules.
•
Schedule: Choose Always On for this rule.
•
Log: Click Off for this rule. We recommend that you disable the Log feature
for a multicast firewall access rule.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
185
6
Firewall
Configuring the Firewall Schedule
•
Match Action: Choose Permit to allow the access, or choose Deny to deny
the access.
STEP 4
Click OK to save your settings.
STEP 5
Click Save to apply your settings.
Configuring the Firewall Schedule
The schedule specifies when the access rule is active. For example, if you want a
firewall access rule only to work on the weekend, you can create a schedule
called “Weekend” that is only active on Saturday and Sunday.
STEP 1
Click Firewall -> Schedules.
The Schedules window opens.
STEP 2
To create a new schedule, click Add.
Other options: To edit an entry, click Edit. To delete an entry, click Delete. To
delete multiple entries, check the boxes of multiple entries and click Delete
Selection.
After you click Add or Edit, the Schedule - Add/Edit window opens.
STEP 3
Enter the following information:
•
Schedule Name: Enter the name for the schedule.
•
Schedule Days: Schedule the access rules on all days or on specific days.
•
All Days: Choose this option if you want to keep the access rule always
on.
Specific Days: Check the boxes of days you want to keep the access
rule active in specific days.
Scheduled Time of Day: Schedule the access rules on all days or at a
specific time of day.
All Days: Choose this option if you want to keep the access rule always
on.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
186
6
Firewall
Firewall Access Rule Configuration Examples
Specific Times: Choose this option if you want to keep the access rule
active at specific times. Specify the Start Time and End Time by
entering the hour and minute.
STEP 4
Click OK to save your settings.
STEP 5
Click Save to apply your settings.
Firewall Access Rule Configuration Examples
This section provides some configuration examples on adding firewall access and
NAT rules.
Allowing Inbound traffic to an Internal FTP server using the WAN IP Address
User Case: You host a FTP server on your LAN. You want to open the FTP server
to Internet by using the IP address of the WAN1 interface. The inbound traffic is
addressed to your WAN1 IP address but is directed to the FTP server.
Solution: You can create a port forwarding rule or an Advanced NAT rule to open
the internal FTP server to Internet, and create a firewall access rule to allow the
access.
STEP 1
Set the IP address 172.39.202.101 to the WAN1 interface.
STEP 2
Create a host address object with the IP 192.168.1.100 called “InternalFTP”.
STEP 3
Go to the Firewall -> NAT -> Port Forwarding page to create a port forwarding
rule as follows.
Original Service
FTP-CONTROL
Translated Service
FTP-CONTROL
Translated IP
InternalFTP
WAN
WAN1
WAN IP
WAN1_IP
Enable Port Forwarding
On
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
187
6
Firewall
Firewall Access Rule Configuration Examples
STEP 4
STEP 5
Or go to the Firewall -> NAT -> Advanced NAT page to create an Advanced NAT
rule as follows.
From
WAN1
To
DEFAULT
Original source address
ANY
Original destination
address
WAN1_IP
Original services
FTP-CONTROL
Translated source
address
ANY
Translated destination
address
InternalFTP
Translated services
FTP-CONTROL
Then go to the Firewall -> ACL Rules -> Rule page to create a firewall access rule
as follows to allow the access:
From Zone
WAN
To Zone
LAN
Services
FTP-CONTROL
Source Address
ANY
Destination Address
InternalFTP
Match Action
Permit
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
188
6
Firewall
Firewall Access Rule Configuration Examples
Allowing Inbound Traffic to the RDP Server using a Specified Public IP address
User Case: You host a RDP server on the DMZ. Your ISP has provided a static IP
address that you want to expose to the public as your RDP server address. You
want to allow Internet user to access the internal RDP server by using the
specified public IP address.
Solution: You can create a port forwarding rule or an Advanced NAT rule and a
firewall access rule as follows to allow inbound traffic to the RDP server.
Problem:
DMZ Wizard?
STEP 1
Set the IP address of 172.39.202.101 to the WAN interface.
STEP 2
Create a host address object with the IP 192.168.12.101 called “RDPServer” and a
host address object with the IP 172.39.202.102 called “PublicIP”.
STEP 3
Create a TCP service object with the port range from 3389 to 3389 called “RDP”.
STEP 4
Go to the Firewall -> NAT -> Port Forwarding page to create a port forwarding
rule as follows.
STEP 5
Original Service
RDP
Translated Service
RDP
Translated IP
RDPServer
WAN
WAN1
WAN IP
PublicIP
Enable Port Forwarding
On
Or go to the Firewall -> NAT -> Advanced NAT page to create an Advanced NAT
rule as follows.
From
WAN1
To
DMZ
Original source address
ANY
Original destination
address
PublicIP
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
189
6
Firewall
Firewall Access Rule Configuration Examples
STEP 6
Original services
RDP
Translated source
address
ANY
Translated destination
address
RDPServer
Translated services
RDP
Then go to the Firewall -> ACL Rules -> Rule page to create a firewall access rule
as follows to allow the access:
From Zone
WAN
To Zone
DMZ
Services
RDP
Source Address
ANY
Destination Address
RDPServer
Match Action
Permit
Allowing Inbound Traffic from Specified Range of Outside Hosts
User Case: You want to allow incoming video conferencing to be initiated from a
restricted range of outside IP addresses (132.177.88.2 to 132.177.88.254).
Solution: Create a range address object with the range 132.177.88.2 to
132.177.88.254 called “OutsideNetwork” and a host address object with the IP
address 192.168.1.110 called “InternalIP”, and then create an access rule as
follows. In the example, connections for CU-SeeMe (an Internet video-conferencing
client) are allowed only from a specified range of external IP addresses.
Parameter
Value
From Zone
WAN
To Zone
LAN
Services
CU-SEEME
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
190
6
Firewall
Firewall Access Rule Configuration Examples
Parameter
Value
Source Address
OutsideNetwork
Destination Address
InternalIP
Match Action
Permit
Blocking Outbound Traffic By Schedule and IP Address Range
User Case: Block all weekend Internet usage if the request originates from a
specified range of IP addresses.
Solution: Create a range address object with the range 10.1.1.1 to 10.1.1.100
called “TempNetwork” and a schedule called “Weekend” to define the time period
when the access rule is in effect, and then configure an access rule as follows.
Parameter
Value
From Zone
LAN
To Zone
WAN
Services
HTTP
Source Address
TempNetwork
Destination Address
Any
Schedule
Weekend
Match Action
Deny
Blocking Outbound Traffic to an Offsite Mail Server
User Case: If you want to block access to the SMTP service to prevent a user
from sending email through an offsite mail server.
Solution: Create a host address object with the IP address 10.64.173.20 called
“OffsiteMail”, and then configure an access rule as follows.
Parameter
Value
From Zone
LAN
To Zone
WAN
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
191
Firewall
Configuring the NAT Rules to Securely Access a Remote Network
Parameter
Value
Services
SMTP
Source Address
Any
Destination Address
OffsiteMail
Match Action
Deny
Configuring the NAT Rules to Securely Access a Remote
Network
Network address translation (NAT) enables private IP networks to connect to the
Internet. NAT replaces a private IP address with a public IP address, translating the
private addresses in the internal private network into legal, routable addresses
that can be used on the public Internet. In this way, NAT conserves public
addresses because it can be configured to advertise only one public address for
the entire network to the outside world.
NAT can also provide the following benefits:
•
Security: Keeping internal IP addresses hidden discourages direct attacks.
•
IP routing solutions: Overlapping IP addresses are not a problem when
you use NAT.
•
Flexibility: You can change internal IP addressing schemes without
affecting the public addresses available externally; for example, for a server
accessible to the Internet, you can maintain a fixed IP address for Internet
use, but internally, you can change the server address.
This section includes the following topics:
•
Configuring Dynamic PAT Rules, page 193
•
Configuring Static NAT Rules, page 194
•
Configuring Port Forwarding Rules, page 195
•
Configuring Port Triggering Rules, page 196
•
Configuring Advanced NAT Rules, page 197
•
Viewing NAT Translation Status, page 199
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
192
Firewall
Configuring the NAT Rules to Securely Access a Remote Network
•
Priorities of NAT Rules, page 200
Configuring Dynamic PAT Rules
Dynamic PAT can only be used to establish connections from private network to
public network. Dynamic PAT translates multiple private addresses to one or more
public IP address.
NOTE For the duration of the translation, a remote host can initiate a connection to the
translated host if a firewall access rule allows it. Because the port address (both
real and mapped) is unpredictable, a connection to the host is unlikely.
Nevertheless, in this case you can rely on the security of the firewall access rules.
STEP 1
Click Firewall -> NAT -> Dynamic PAT.
The Dynamic PAT window opens.
STEP 2
STEP 3
STEP 4
Specify the PAT IP address for each WAN interface.
•
Auto: Use the IP address of the WAN port as the translated IP address.
•
Manual: Choose a single public IP address or a network address as the
translated IP address. If the address object you want is not in the list, choose
Create an IP Address to create a new address object. To maintain the
address objects, go to the Networking -> Address Object Management
page. See Address Management, page 152.
Translate multiple private IP addresses of a VLAN to one or more mapped IP
addresses.
•
Enable WAN1: Check this box to translate all IP addresses of the selected
VLAN into the public IP address specified on the WAN1 port.
•
Enable WAN2: Check this box to translate all IP addresses of the selected
VLAN into the public IP address specified on the WAN2 port.
•
VLAN IP: The subnet IP address and netmask of the selected VLAN.
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
193
Firewall
Configuring the NAT Rules to Securely Access a Remote Network
Configuring Static NAT Rules
Static NAT creates a fixed translation of a real address to a mapped address.
Because the mapped address is the same for each consecutive connection, static
NAT allows bidirectional connection initiation, both to and from the host (if a
firewall access rule allows it). With dynamic PAT, on the other hand, each host uses
a different address or port for each subsequent translation, so bidirectional
initiation is not supported.
NOTE The security appliance supports up to 128 Static NAT mapping rules.
NOTE You must create a firewall access rule to allow the access so that the Static NAT
rule can function properly.
STEP 1
Click Firewall -> NAT -> Static NAT.
The Static NAT window opens.
STEP 2
To add a static NAT rule, click Add.
Other options: To edit an entry, click Edit. To delete an entry, click Delete. To
delete multiple entries, check the boxes of multiple entries and click Delete
Selection.
After you click Add or Edit, the Static NAT - Add/Edit window opens.
STEP 3
Enter the following information:
•
WAN: Choose either WAN1 or WAN2 as the WAN interface for the static NAT
rule.
•
Public IP: Choose an IP address object as the public IP address.
•
Private IP: Choose an IP address object as the private IP address.
If the IP address you want is not in the list, choose Create an IP Address to
create a new IP address object. To maintain the IP address objects, go to the
Networking -> Address Object Management page. See Address
Management, page 152.
STEP 4
Click OK to save your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
194
Firewall
Configuring the NAT Rules to Securely Access a Remote Network
STEP 5
Click Save to apply your settings.
Configuring Port Forwarding Rules
Port forwarding forwards a TCP/IP packet traversing a Network Address
Translator (NAT) gateway to a pre-determined network port on a host within a
NAT-masqueraded, typically private network based on the port number on which
it was received at the gateway from the originating host.
Use the Port Forwarding page to assign a port number to a service that is
associated with the application you want to run, such as web servers, ftp servers,
email servers, or other specialized Internet applications.
NOTE You must create a firewall access rule to allow the access so that the port
forwarding rule can function properly.
NOTE To open an internal FTP server to Internet, make sure that the internal FTP server is
listening on TCP port 21 or the FTP server and client must use the active mode
when the internal FTP server is listening on some other TCP port. Otherwise the
FTP client cannot access the FTP server.
STEP 1
Click Firewall -> NAT -> Port Forwarding.
The Port Forwarding window opens.
STEP 2
To add a port forwarding rule, click Add.
Other Options: To edit an entry, click Edit. To delete an entry, click Delete. To
select multiple entries, check the boxes of multiple entries and click Delete
Selection.
After you click Add or Edit, the Port Forwrding - Add/Edit window opens.
STEP 3
Enter the following information:
•
Original Service: Choose an existing service as the incoming service.
•
Translated Service: Choose an existing service as the translated service
that you will host.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
195
Firewall
Configuring the NAT Rules to Securely Access a Remote Network
If the service you want is not in the list, choose Create a Service to create a
new service object. To maintain the service objects, go to the Networking > Service Management page. See Service Management, page 154.
•
Translated IP: Choose the IP address of your local server that needs to be
translated. If the IP address you want is not in the list, choose Create an IP
Address to create a new IP address object. To maintain the IP address
objects, go to the Networking -> Address Object Management page. See
Address Management, page 152.
•
WAN: Choose either WAN1 or WAN2, or both as the incoming WAN interface.
•
WAN IP: Specify the public IP address of the server. You can use the WAN’s
IP address or a public IP address that is provided by your ISP. When you
choose Both as the incoming WAN interface, this option is grayed out.
•
Enable Port Forwarding: Click On to enable the port forwarding rule, or click
Off to create only the port forwarding rule .
•
Description: Enter the name for the port forwarding rule.
STEP 4
Click OK to save your settings.
STEP 5
Click Save to apply your settings.
Configuring Port Triggering Rules
Port triggering opens an incoming port for a specified type of traffic on a defined
outgoing port. When a LAN device makes a connection on one of the defined
outgoing ports, the security appliance opens the specified incoming port to
support the exchange of data. The open ports will be closed again after 600
seconds when the data exchange is complete.
Port triggering is more flexible and secure than port forwarding, because the
incoming ports are not open all the time. They are open only when a program is
actively using the trigger port.
Some applications may require port triggering. Such applications require that,
when external devices connect to them, they receive data on a specific port or
range of ports in order to function properly. The security appliance must send all
incoming data for that application only on the required port or range of ports. You
can specify a port triggering rule by defining the type of traffic (TCP or UDP) and
the range of incoming and outgoing ports to open when enabled.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
196
Firewall
Configuring the NAT Rules to Securely Access a Remote Network
NOTE Port triggering is not appropriate for servers on the LAN, since the LAN device must
make an outgoing connection before an incoming port is opened. In this case, you
can create port forwarding rules for this purpose.
STEP 1
Click Firewall -> NAT -> Port Trigger.
The Port Trigger window opens. All existing port triggering rules are listed in the
table.
STEP 2
To enable a port triggering rule, check the box in the Enable column.
STEP 3
To add a new port triggering rule, click Add.
Other options: To edit an entry, click Edit. To delete an entry, click Delete. To
select multiple entries, check the boxes of multiple entries and click Delete
Selection.
After you click Add or Edit, the Port Triggering - Add/Edit window opens.
STEP 4
Enter the following information:
•
Description: Enter the name for the port triggering rule.
•
Trigger Service: Choose an outgoing TCP or UDP service.
•
Opened Service: Choose an incoming TCP or UDP service.
If the service you want is not in the list, choose Create a Service to create a
new service object. To maintain the service objects, go to the Networking > Service Management page. See Service Management, page 154.
STEP 5
Click OK to save your settings.
STEP 6
Click Save to apply your settings.
Configuring Advanced NAT Rules
Advanced NAT allows you to identify real addresses and real ports for address
translation by specifying the source and destination addresses.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
197
Firewall
Configuring the NAT Rules to Securely Access a Remote Network
NOTE You must create firewall access rules to allow the access so that the advanced NAT
rule can function properly.
STEP 1
Click Firewall -> NAT -> Advanced NAT.
The Advanced NAT window opens. All existing advanced NAT rules are listed in
the table.
STEP 2
To add a new advanced NAT rule, click Add.
Other options: To edit an entry, click Edit. To delete an entry, click Delete. To
delete multiple entries, check the boxes of multiple entries and click Delete
Selection.
After you click Add, the Add/Edit Rule window opens.
STEP 3
Enter the following information:
•
Name: Enter the name for the advanced NAT rule.
•
Enable: Click On to enable the advanced NAT rule, or click Off to create only
the advanced NAT rule.
•
From: Choose the WAN interface or the VLAN that the traffic originates from.
•
To: Choose the VLAN or the WAN interface that the traffic goes to.
•
Original Source Address: Choose the original source address for the
packet.
•
Original Destination Address: Choose the original destination address for
the packet.
•
Original Service: Choose the original TCP or UDP service.
•
Translated Source Address: Choose the translated source address for the
packet.
•
Translated Destination Address: Choose the translated destination
address for the packet.
•
Translated Service: Choose the translated TCP or UDP service.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
198
Firewall
Configuring the NAT Rules to Securely Access a Remote Network
If the IP address you want is not in the list, choose Create a New Address to
create a new IP address object. To maintain the IP address objects, go to the
Networking -> Address Object Management page. See Address
Management, page 152.
If the service you want is not in the list, choose Create a New Service to
create a new service object. To maintain the service objects, go to the
Networking -> Service Management page. See Service Management,
page 154.
STEP 4
Click OK to save your settings.
STEP 5
Click Save to apply your settings.
Viewing NAT Translation Status
Use the NAT Status page to view the status of all NAT rules.
STEP 1
Click Firewall -> NAT -> NAT Status.
The NAT Status window opens. All existing NAT rules are listed in the table. You
can check the following information:
•
Original Source Address: The original source IP address in the packet.
•
Original Destination Address: The original destination IP address in the
packet.
•
Source Port: The interface that the traffic comes from.
•
Destination Port: The interface that the traffic goes to.
•
Translated Source Address: The IP address that the specified original
source address is translated to.
•
Translated Destination Address: The destination IP address that the
specified original destination address is translated to.
•
Translated Source Port: The source interface that the specified source port
is translated to.
•
Translated Destination Port: The destination interface that the specified
destination port is translated to.
•
TxPkt: The number of transmitted packets.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
199
6
Firewall
Configuring the Session Settings
•
RxPkt: The number of received packets.
•
Tx Traffic (bytes): The volume in bytes of transmitted traffic.
•
Rx Traffic (bytes): The volume in bytes of received traffic.
Priorities of NAT Rules
If multiple NAT features operate simultaneously on the security appliance:
•
For pre-routing, the security appliance first matches up with the advanced
NAT rules, and then matches up with the static NAT, port forwarding, and
port triggering rules.
•
For post-routing, the security appliance first matches up with the advanced
NAT rules, and then matches up with the static NAT and dynamic PAT rules.
Configuring the Session Settings
Use the Session Settings page to configure the maximum number of connection
sessions. When the connnection table is full, the new sessions that access the
security appliance are dropped.
STEP 1
Click Firewall -> Session Settings.
The Session Settings window opens.
STEP 2
Enter the following information:
•
Current All Connections: Displays the number of all current connected
sessions. Click Disconnect All to clear up all connected sessions.
•
Maximum Connection: Limits the number for TCP and UDP connections.
The default is 60000.
•
TCP Timeout: Enter the timeout value in seconds for TCP session. Inactive
TCP sessions are removed from the session table after this duration. The
default is 1200 seconds.
•
UDP Timeout: Enter the timeout value in seconds for UDP session. Inactive
UDP sessions are removed from the session table after this duration. The
default is 180 seconds.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
200
Firewall
Configuring the Content Filtering to Control Access to Internet
STEP 3
Click Save to apply your settings.
Configuring the Content Filtering to Control Access to Internet
The Content Filtering feature provides protection against websites. It blocks or
allows web access based on analysis of its content (URL or URL keywords), rather
than its source or other criteria. It is most widely used on the Internet to filter the
web access.
The Content Filtering policy profile assigned to each zone determines whether to
block or forward the HTTP request from the hosts in the zone. The blocked
request will be logged.
This section includes the following topics:
•
Configuring the Content Filtering Policy Profiles, page 201
•
Configuring the Website Access Control List, page 203
•
Mapping the Content Filtering Policy Profiles to Zones, page 204
•
Configuring Advanced Settings, page 204
CAUTION Enabling the Web URL Filter service will disable the firewall content filtering
settings.
Configuring the Content Filtering Policy Profiles
A Content Filtering policy profile is used to specify the websites to be blocked or
permitted.
NOTE The security appliance supports up to 16 content filtering policy profiles.
STEP 1
Click Firewall -> Content Filtering -> Content Filtering Policy.
The Content Filtering Policy window opens.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
201
Firewall
Configuring the Content Filtering to Control Access to Internet
STEP 2
To add a content filtering policy profile, click Add.
Other Options: To edit an entry, click Edit. To delete an entry, click Delete.
After you click Add or Edit, the Add/Edit window opens.
STEP 3
Enter the following information:
•
Policy Profile: Enter a descriptive name for the content filtering policy
profile.
•
Description: Enter a brief message to describe the content filtering policy
profile.
STEP 4
In the Website Access Control List area, specify the whitelist and blacklist of
websites that you want to permit or block. For complete details, see Configuring
the Website Access Control List, page 203.
STEP 5
In the For URLs not Specified Above area, specify the action how to deal with the
websites that are not specified in the whitelist or blacklist.
•
Permit Them: If you choose this option, all websites not specified in the list
are permitted.
•
Deny Them: If you choose this option, all websites not specified in the list
are blocked.
STEP 6
Click OK to save your settings.
STEP 7
Click Save to apply your settings.
NOTE Next Steps:
•
To map the content filtering policy profile to zones, go to the Policy Profile
& Zone Mapping page. See Mapping the Content Filtering Policy Profiles
to Zones, page 204.
•
To configure advanced content filtering settings, go to the Advanced
Settings page. See Configuring Advanced Settings, page 204.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
202
Firewall
Configuring the Content Filtering to Control Access to Internet
Configuring the Website Access Control List
The whitelist and blacklist defines the websites that you want to permit or block.
Up to 32 websites can be defined for each content filtering policy profile.
STEP 1
To add a website access rule in the list, click Add.
Other Options: To edit an entry, click Edit. To delete an entry, click Delete. To
delete all entries, click Delete All.
After you click Add or Edit, the Add/Edit window opens.
STEP 2
Enter the following information:
•
Enable Content Filter URL: Click On to enable the access control rule, or
click Off to create only the access control rule.
•
URL: Enter the domain name or URL keyword of a website that you want to
permit or block.
•
Match Type: Specify how to match up with this rule:
Domain: If you choose this option, permit or block the HTTP access of a
website that fully matches up with the domain you entered in the URL
field.
For example, if you enter yahoo.com in the URL field, then it can match up
with the website such as http://*.yahoo.com/*, but cannot match up with
the website such as http://*.yahoo.com.uk/*.
Keyword: If you choose this option, permit or block the HTTP access of
a website that contains the keyword you entered in the URL field.
For example, if you enter yahoo in the URL field, then it can match up with
the websites such as www.yahoo.com, tw.yahoo.com,
www.yahoo.com.uk, and www.yahoo.co.jp.
•
STEP 3
Action: Choose Permit to permit the access, or choose Block to block the
access.
Click OK to save your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
203
Firewall
Configuring the Content Filtering to Control Access to Internet
Mapping the Content Filtering Policy Profiles to Zones
Use the Policy Profile & Zone Mapping page to map the content filtering policy
profile to each zone.
STEP 1
Click Firewall -> Content Filtering -> Policy Profile & Zone Mapping.
The Policy Profile & Zone Mapping window opens.
STEP 2
Click On to enable the content filtering feature, or click Off to disable it.
STEP 3
In the Policy Profile & Zone Mapping List area, choose the policy profile used for
each zone. By default, the Default_Profile that permits all web access is selected
for all predefined and new zones.
STEP 4
Click Save to apply your settings. .
Configuring Advanced Settings
STEP 1
Click Firewall -> Content Filtering -> Advanced Settings.
The Advanced Settings window opens.
STEP 2
Enter the following information:
•
Specify HTTP port for the filtering (default: 80): Enter the port number that
is used for content filtering. The default is 80.
For example, if you permit the HTTP access to the website http://
www.ABcompanyC.com and set the HTTP port to 80. The access to http://
www.ABcompanyC.com:8080 will be blocked.
•
Web Components: You can block web components like Proxy, Java,
ActiveX, and Cookies. By default, all of them are permitted.
Proxy: Check the box to block proxy servers, which can be used to
circumvent certain firewall rules and thus present a potential security
gap.
Java: Check the box to block applets from being downloaded from
internet sites.
ActiveX: Check the box to prevent ActiveX controls from being
downloaded via Internet Explorer.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
204
Firewall
Configuring the MAC Filtering to Permit or Block Traffic
•
STEP 3
Cookies: Check the box to block cookies, which typically contain
sessions.
When a web page is blocked: Choose one of the following actions when a
web page is blocked:
Use the default blocked page: Use the default blocked page if a web
page is blocked. The default blocked page will display a message such
as “Access of this website is blocked due to security policy
configurations on the security appliance”. You can edit the message in
the Block Message field.
Redirect to this URL: Enter the URL to be redirected if a web page is
blocked.
Click Save to apply your settings.
Configuring the MAC Filtering to Permit or Block Traffic
The MAC filtering feature can permit and deny network access from specific
devices through the use of MAC address list. The firewall MAC filtering settings
apply for all traffic except the traffic for Intra-VLAN and Intra-SSID.
STEP 1
Click Firewall -> MAC Filtering -> MAC Filtering.
The MAC Filtering window opens.
STEP 2
Click On to enable the MAC Filtering feature, or click Off to disable it.
STEP 3
If you enable MAC Filtering, specify the MAC filtering policy:
STEP 4
•
Block and Accept the rest: If you choose this option, the MAC addresses in
the table are blocked and all other MAC addresses not included in the table
are permitted.
•
Accept and Block the rest: If you choose this option, only the MAC
addresses in the table are permitted and all other MAC addresses not
included in the table are blocked.
Specify the list of MAC addresses. To add a MAC address to the table, click Add.
To edit an entry, click Edit. To delete an entry, click Delete. To delete all selected
entries, check the boxes of multiple entries and click Delete Selection.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
205
Firewall
Configuring the IP/MAC Binding to Prevent Spoofing
For example, if you click Add, the MAC Filtering - Add/Edit window opens. Select
the MAC address object from the MAC Address drop-down list, and then click
OK.
If the MAC address object you want is not in the list, choose Create New Address
to create a new MAC Address object. To maintain the MAC Address objects, go to
the Networking -> Address Object Management page. See Address
Management, page 152.
STEP 5
Click Save to apply your settings.
Configuring the IP/MAC Binding to Prevent Spoofing
The IP/MAC binding feature allows the traffic only when the host has an IP address
that matches up with a specified MAC address. By requiring the gateway to
validate the source traffic’s IP address with the unique MAC address of device,
please ensure that traffic from the specified IP address is not spoofed. If a violation
(the traffic’s source IP address doesn’t match up with the expected MAC address
having the same IP address) occurs, the packets will be dropped and can be
logged for diagnosis.
STEP 1
Click Firewall -> MAC Filtering -> IP/MAC Binding.
The IP/MAC Binding window opens.
STEP 2
To add an IP/MAC binding rule, click Add.
Other options: To edit an entry, click Edit. To delete an entry, click Delete. To
delete all selected entries, check the boxes of multiple entries and click Delete
Selection.
After you click Add or Edit, the IP/MAC Binding - Add/Edit window opens.
STEP 3
Enter the following information:
•
Name: Enter a descriptive name for the IP/MAC binding rule.
•
MAC Address: Choose an existing MAC address object. If the MAC address
object you want is not in the list, choose Create a MAC to add a new MAC
address object. To maintain the MAC address objects, go to the Networking
-> Address Object Management page. See Address Management,
page 152.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
206
6
Firewall
Configuring the Attack Protection
•
IP Address: Choose an existing IP address object that you want to bind with
the selected MAC address. If the IP address object you want is not in the list,
choose Create an IP Address to add a new IP address object. To maintain
the IP address objects, go to the Networking -> Address Object
Management page. See Address Management, page 152.
•
Log Dropped Packets: Choose Enable to log all packets that are dropped.
Otherwise, choose Disable.
STEP 4
Click OK to save your settings.
STEP 5
Click Save to save your settings.
Configuring the Attack Protection
Use the Attack Protection page to specify how to protect your network against
common types of attacks including discovery, flooding, and echo storms.
STEP 1
Click Firewall -> Attack Protection.
The Attack Protection window opens.
STEP 2
STEP 3
In the WAN Security Checks area, enter the following information:
•
Block Ping to WAN interface: Check the box to prevent attackers from
discovering your network through ICMP Echo (ping) requests. We
recommend that you disable this feature only if you need to allow the
security appliance to respond to pings for diagnostic purposes.
•
Enable Stealth Mode: Check the box to prevent the security appliance from
responding to incoming connection requests from the WAN. In Stealth Mode,
your security appliance does not respond to blocked inbound connection
requests, and your network is less susceptible to discovery and attacks.
•
Block TCP Flood: Check this box to drop all invalid TCP packets. This feature
protects your network from a SYN flood attack, in which an attacker sends a
succession of SYN (synchronize) requests to a target system. It blocks all
TCP SYN flood attackes (200 packets per seconds) from the WAN
interfaces.
In the LAN Security Checks section, enter the following information:
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
207
6
Firewall
Configuring the Attack Protection
•
STEP 4
STEP 5
STEP 6
Block UDP Flood: Check the box to prevent the security appliance from
accepting more than 200 simultaneous, active UDP connections per second
from a single computer on the LAN.
In the Firewall Settings area, enter the following information:
•
Block ICMP Notification: Check the box to silently block without sending an
ICMP notification to the sender. Some protocols, such as MTU Path
Discovery, require ICMP notifications.
•
Block Fragmented Packets: Check the box to block fragmented packets
from Any zone to Any zone.
•
Block Multicast Packets: Check the box to block multicast packets. By
default, the firewall blocks all multicast packets. This feature has higher
priority than the firewall access rules, which means that the firewall access
rules that permit the multicast traffic will be overrided if you enable this
feature.
In the DoS Attacks area, enter the following information:
•
SYN Flood Detect Rate (max/sec): Enter the maximum number of SYN
packets per second that will cause the security appliance to determine that
a SYN Flood Intrusion is occurring. Enter a value from 0 to 10000 SYN
packets per second. A value of zero indicates that the SYN Flook Detect
feature is disabled.
•
Echo Storm (ping pkts./sec): Enter the number of pings per second that will
cause the security appliance to determine that an echo storm intrusion event
is occurring. Enter a value from 0 to 10000 ping packets per second. A value
of zero indicates that the Echo Storm feature is disabled.
•
ICMP Flood (ICMP pkts./sec): Enter the number of ICMP packets per
second, including PING packets, that will cause the security appliance to
determine that an ICMP flood intrusion event is occurring. Enter a value from
0 to 10000 ICMP packets per second. A value of zero indicates that the IGMP
Flood feature is disabled.
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
208
6
Firewall
Configuring the Application Level Gateway
Configuring the Application Level Gateway
The security appliance can function as an Application Level Gateway (ALG) to
allow certain NAT un-friendly applications (such as SIP or H.323) to operate
properly through the security appliance.
If Voice-over-IP (VoIP) is used in your organization, you should enable the H.323
ALG or SIP ALG to open the ports necessary to enable the VoIP through your voice
device. The ALGs are created to work in a NAT environment to maintain the
security for privately addressed conferencing equipment protected by your voice
device.
You can use both H.323 and SIP ALGs at the same time, if necessary. To determine
which ALG to use, consult the documentation for your VoIP devices or
applications.
STEP 1
Click Firewall -> Application Level Gateway.
The Application Level Gateway window opens.
STEP 2
Enter the following information:
•
SIP Protocol Support: SIP ALG can rewrite the information within the SIP
messages (SIP headers and SDP body) to make signaling and audio traffic
between the client behind NAT and the SIP endpoint possible. Check this
box to allow the SIP sessions to pass through the security appliance, or
uncheck this box to block the SIP sessions.
NOTE Enable SIP ALG when voice devices such as UC 500, UC 300, or SIP
phones are connected to the network behind the security appliance.
•
STEP 3
H323 Support: H.323 is a standard teleconferencing protocol suite that
provides audio, data, and video conferencing. It allows for real-time point-topoint and multipoint communication between client computers over a
packet-based network that does not provide a guaranteed quality of
service. Check this box to allow the H.323 sessions to pass through the
security appliance, or uncheck this box to block the H.323 sessions.
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
209
7
Security Services
This chapter describe how to configure the UTM security services to provide the
Internet threat protection.
•
Managing the Security Services, page 210
•
Intrusion Prevention Service, page 214
•
Anti-Virus, page 220
•
Email Reputation Filter, page 224
•
Web URL Filter, page 226
•
Web Reputation Filter, page 230
•
Network Reputation, page 231
To access the Security Services pages, click Security Services in the left hand
navigation pane.
Managing the Security Services
This section includes the following topics:
•
About the Security Services, page 211
•
Security License, page 212
•
Priority of Security Services, page 212
•
Managing the Security Services, page 212
•
Viewing the Security Service Reports, page 214
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
210
7
Security Services
Managing the Security Services
About the Security Services
The security services activated by the security license are listed in the following
table.
Security Services
Description
Intrusion
Prevention System
The Intrusion Prevention System (IPS) service can protect
the zones for a given set of categories. IPS monitors
network traffic for malicious or unwanted behaviors on
the security appliance and can react, in real-time, to block
or prevent those activities. For more information, see
Intrusion Prevention Service, page 214.
Anti-Virus
The Anti-Virus service prevents network threats over a
multitude of protocols including HTTP, FTP, POP3, SMTP,
CIFS, NETBIOS, and IMAP. For more information, see AntiVirus, page 220.
Email Reputation
Filter
The Email Reputation Filter service detects the email
sender’s reputation score. If the reputation score is below
a threshold, then the email is blocked or tagged as SPAM
or SUSPECT SPAM. For more information, see Email
Reputation Filter, page 224.
Web URL Filter
The Web URL Filter service provides protection against
URL categories. For more information, see Web URL
Filter, page 226.
Web Reputation
Filter
The Web Reputation Filter service detects threats based
on a web page’s reputation score. Web pages with
reputation scores below a specific threshold are
considered threats and blocked. For more information,
see Web Reputation Filter, page 230.
Network
Reputation
The Network Reputation service checks the source and
destination address of each packet against the address
blacklist to determine whether to proceed or drop the
packet. For more information, see Network Reputation,
page 231.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
211
Security Services
Managing the Security Services
Security License
The security services are licensable. The security license is valid for one year or
three years depending on the bundle type. By default, the security appliance
comes with a one year bundle license for all security services. To renew the
security license before it expires, go to the Device Management -> License
Management page. See Managing the Security License, page 307.
Priority of Security Services
Multiple security services can work simultaneously to protect your network. If you
enable both the Web URL Filter and Web Reputation Filter services, the whitelist
and blacklist of websites that you defined in the Web URL Filter settings cannot
override the Web Reputation Filter settings.
For example, a website is permitted by the Web URL Filter setting, but it has
reputation score lower than the web reputation threshold, the connection to this
website will be blocked even if it is in the whitelist, unless you change the web
reputation threshold.
Managing the Security Services
Use the Dashboard page to view the status of the security license, enable or
disable the security services, and check new updates for all signature-based
security services.
CAUTION Enabling the security services consumes additional system resources and may
impact the system performance. Go to the Status -> Dashboard page to view the
CPU and memory utilization. To conserve the system resources, disable the
security services when they are no longer needed.
STEP 1
Click Security Services -> Dashboard.
The Dashboard window opens.
STEP 2
In the License Status area, check the expiration date for the security license. If the
security license expires, go to the Device Management -> License Management
page to renew the license.
STEP 3
In the Settings Summary area, you can perform the following tasks:
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
212
7
Security Services
Managing the Security Services
•
To enable a security service, check the box in the Enable column. By default,
only the Network Reputation service is enabled.
NOTE If you enable the IM & P2P Blocking service, it will enable both the IPS
service and the IM & P2P Blocking settings. If you enable the IPS
(Signature) service, it will enable both the IPS service and the IPS
Policy and Protocol Inspection settings. Disabling the IM & P2P
Blocking or IPS (Signature) service will not disable the IPS service.
When both of them are disabled, the IPS service will be disabled.
•
To configure the settings for a security service, click the Configure botton.
•
For the signature-based security services, such as Anti-Virus and IPS, click
Check for Updates Now to check for new signatures from the Cisco server.
The date and time of the last check are displayed in the Last Check column.
When the signature file is upated successfully, the date and time of the last
successful update are displayed in the Last Update column.
If a new signature file is available, the new signature file will be downloaded
to your local flash partition. The registered CCO account is required to log
into the Cisco server to download the signature file. To configure your CCO
account, go to the Device Management -> CCO Account page. See
Configuring the CCO Account, page 331.
NOTE Email Reputation Filter, Web URL Filter, and Web Reputation Filter are
reputation-based services, clicking the Check for Updates Now
button will not check for any new udpate.
STEP 4
In the External Web Proxy Settings area, enter the following information:
•
Web Proxy: Click On to support such as Scansafe and third party outbound
web proxies, or click Off to disable it.
NOTE When the external web proxy is enabled, the Firewall, QoS, Web URL
Filter, and Web Reputation Filter settings will not work or be skipped
for HTTP traffic.
•
Redirected Web Proxy IP: Enter the IP address of the external web proxy
used to redirect the HTTP traffic.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
213
7
Security Services
Intrusion Prevention Service
•
STEP 5
Redirected HTTP Port List: Specify the number of the ports used to
redirect the HTTP traffic. To add an entry, click Add. To edit an entry, click
Edit. To delete an entry, click Delete.
Click Save to apply your settings.
Viewing the Security Service Reports
After you enable and configure the security services, you can enable the
corresponding reports for these services to analyze the security performance.
For example, if the Web URL Filter and Web Reputation Filter services are enabled
on your security appliance, you can enable the Web Security Blocked Report to
view the total number of web access requests processed and the total number of
websites blocked since these services were enabled, in last seven days, or in one
day. A graph is provided to show the total number of web access requests
processed and the total number of websites blocked by day for the last seven
days.
For more information about the security service reports, go to the Status ->
Report -> Security Services page. See Reports of Security Services, page 87.
Intrusion Prevention Service
The Intrusion Prevention Service (IPS) feature can protect the zones for a given set
of categories. IPS monitors network traffic for malicious or unwanted behavior on
the device and can react, in real-time, to block or prevent those activities.
When an attack is detected, offending packets are dropped or alerts are logged
depending on the administrative settings, but all other traffic is unaffected. Unlike
traditional firewalls, IPS makes access control decisions based on application
content, rather than IP address or ports.
CAUTION Enabling IPS consumes additional system resources and may impact the system
performance. Go to the Status -> Dashboard page to view the CPU and memory
utilizations. To conserve the system resources, disable the IPS service when it is no
longer needed.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
214
7
Security Services
Intrusion Prevention Service
This section includes the following topics:
•
General IPS Settings, page 215
•
Configuring the IPS Policy and Protocol Inspection, page 216
•
Blocking the Instant Messaging and Peer-to-Peer Applications,
page 218
General IPS Settings
Use the IPS Setup page to enable or disable the IPS service, choose the security
zones you want to protect, update the IPS signatures, and view the IPS signature
status and logs.
STEP 1
Click Security Services -> IPS -> IPS Setup.
The IPS Setup window opens.
STEP 2
Click On to enable IPS, or Click Off to disable IPS.
STEP 3
Specify the zones to block the intrusion for incoming traffic from the selected
zones:
STEP 4
•
WAN zone: Choose this option to block the intrusion for incoming traffic from
the WAN zone. This is the default setting.
•
WAN + VPN zone: Choose this option to block the intrusion for incoming
traffic from both WAN and VPN zones.
•
All zones: Choose this option to block the intrusion for the incoming traffic
from all zones.
In the IPS Status area, you can perform the following tasks:
•
IPS Signatures: Displays the status of IPS signature file, including the
expiration date of the security license, the name of the signature file, and the
date and time of your last signature update.
•
View IPS Logs: IPS logs a message if an attack is detected. Click this button
to view all IPS log messages.
•
Email Alert Setting: IPS sends an alert message to the specified email
account if an attack hits the email alert threshold. Click this link to see the
email alert settings for IPS Alert events.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
215
7
Security Services
Intrusion Prevention Service
To send alert emails for IPS Alert events, you first need to enable the IPS
Alert feature and configure the email account settings, see Configuring the
Email Alert Settings, page 316. And then configure the IPS Policy and
Protocol Inspection settings and/or the IM and P2P Blocking settings, see
Configuring the IPS Policy and Protocol Inspection, page 216 and
Blocking the Instant Messaging and Peer-to-Peer Applications,
page 218.
STEP 5
The IPS service uses the signatures to identify the attacks in progress. You can
manually or automatically update the IPS signatures.
•
•
STEP 6
Automatic Signature Updates: Click On to automatically update the IPS
signatures periodically if a new signature file is available, or click Off to
disable it.
User Name: The user name of your registered CCO account used to
download the IPS signature file. To configure the CCO account, click Edit
Account Setting.
Update: Click this button to immediately update the IPS signatures if a
new signature file is available. The new signature file will be downloaded
from the Cisco server and saved on the flash partition of your device.
Manual Signature Updates: To manually update the IPS signatures, you first
need to download the latest signature file from the Cisco server to your local
PC. The user name and password of your registered CCO account are
required to log into the Cisco server. Then click Browse to locate and select
the signature file from your local PC, and click Upload.
Click Save to apply your settings.
Configuring the IPS Policy and Protocol Inspection
The IPS Policy protects the network against threats such as Denial-of-Service
attacks, malware, and backdoor exploits. The Protocol Inspection detects
suspicious behavior and attacks on various types of protocols.
STEP 1
Click Security Services -> IPS -> IPS Policy & Protocol Inspection.
The IPS Policy and Protocol Inspection window opens. The IPS categories and
protocols supported on the security appliance are listed in the IPS table.
STEP 2
Enter the following information:
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
216
7
Security Services
Intrusion Prevention Service
•
IPS (Signature) Enable: If you enable IPS, click On to enable the IPS Policy
and Protocol Inspection settings.
•
View IPS Category Items: Allows you to view the signatures under a
specific IPS category or protocol. For example, if you choose DoS, only the
signatures under the DoS category are displayed. To display all signatures,
choose All.
•
Search by IPS Signature ID: Allows you to view a specific signature by
searching the signature ID. Enter the signature ID in this field, and then click
Search. To display all categories and protocols, click Reset.
•
Expand/Collapse: To expand the signatures under a category, click the +
button next to the category heading. To hide the signatures, click the - button.
NOTE To get the definition of the signatures, go to http://tools.cisco.com/
security/center/search.x?search=Signature to check the Small
Business IPS signature definitions by using the Signature ID or other
information.
STEP 3
Specify the inspection setting for all signatures under a category or for a signature
only.
•
Disabled: Click this option to disable checking the attacks.
•
Detect Only: Click this option to check the attacks and to log the event when
an attack is detected. This option is mostly used for troubleshooting
purposes.
•
Detect and Prevent: Click this option to check the attacks and to log the
event and drop the packet when an attack is detected.
To log the IPS events, you first need to choose Detect Only or Detect and
Prevent for the IPS categories or IPS signatures, and then go to the Device
Management -> Loggings pages to configure the log settings and log
facilities:
To save the IPS logs in the lcoal syslog daemon, you need to enable the
Log feature, set the log buffer size and the severity for local log, and then
check the Local Log box for the IPS (signature based) and IPS
(reputation based) log facilities.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
217
7
Security Services
Intrusion Prevention Service
To save the IPS logs to the remote syslog server if you have a remote
syslog server support, you need to enable the Log feature, specify the
Remote Log settings, and check the Remote Log boxes for the IPS
(signature based) and IPS (reputation based) log facilities.
For more information about how to configure the log settings and log
facilities, and how to view the logs, see Log Management, page 302.
•
Email Alert Threshold: Enter the value of the email alert threshold. When the
hit count is over the email alert threshold, an alert email is sent to the
specified email acount.
To send the IPS alert emails to the specified email accont, you first need to
enable the IPS Alert feature and configure the email account settings, see
Configuring the Email Alert Settings, page 316.
STEP 4
Click Save to apply your settings.
Blocking the Instant Messaging and Peer-to-Peer
Applications
Use the IM & P2P blocking page to block Instant Message (IM) and Peer-to-Peer
(P2P) traffic on the security appliance.
STEP 1
Click Security Services -> IPS -> IM & P2P Blocking.
The IM & P2P Blocking window opens. The supported IM applications are listed in
the IM Blocking table. The supported P2P applications are listed in the P2P
Blocking table.
STEP 2
Enter the following information:
•
IM & P2P Blocking Enable: If you enable IPS, click On to enable the IM and
P2P Blocking settings.
•
View IM Blocking Item: Allows you to view the signatures under a specific
IM application.
For example, if you choose MSN, only the signatures under the MSN
application are displayed. To display all signatures, choose All.
•
View P2P Blocking Item: Allows you to view the signatures under a specific
P2P application.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
218
7
Security Services
Intrusion Prevention Service
For example, if you choose BitTorrent, only the signatures under the
BitTorrent application are displayed. To display all signatures, choose All.
STEP 3
•
Search by Signature ID: Allows you to view a specific signature by
searching the signature ID. Enter the signature ID in this field, and then click
Search. To display all categories, click Reset.
•
Expand/Collapse: To expand the signatures under an IM or P2P application,
click the + button. To hide the signatures, click the - button.
Specify the setting for all signatures under an IM or P2P application or for a single
signature:
•
Disabled: Choose this option to disable checking attacks.
•
Detect Only: Click this option to check the attacks and to log a message
when an attack is detected. This option is mostly used for troubleshooting
purposes.
•
Detect and Prevent: Click this option to check the attacks, and to log a
message and drop the packet when an attack is detected.
To log the IPS events, you first need to choose Detect Only or Detect and
Prevent for the IM or P2P applications, and then go to the Device
Management -> Loggings pages to configure the log settings and log
facilities:
To save the IPS logs in the lcoal syslog daemon, you need to enable the
Log feature, set the log buffer size and the severity for local log, and then
check the Local Log box for the IM/P2P Blocking log facility.
To save the IPS logs to the remote syslog server if you have a remote
syslog server support, you need to enable the Log feature, specify the
Remote Log settings, and check the Remote Log box for the IM/P2P
Blocking log facility.
For more information about how to configure the log settings and log
facilities, and how to view the logs, see Log Management, page 302.
•
Email Alert Threshold: Enter the value of the email alert threshold. When the
hit count is over the email alert threshold, an alert email is sent to the
specified email acount.
To send the IPS alert emails to the specified email accont, you first need to
enable the IPS Alert feature and configure the email account settings, see
Configuring the Email Alert Settings, page 316.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
219
7
Security Services
Anti-Virus
STEP 4
Click Save to apply your settings.
Anti-Virus
The security appliance can scan for viruses over a multitude of protocols including
HTTP, FTP, POP3, SMTP, CIFS, NETBIOS, and IMAP. Because files containing
malicious code and viruses can also be compressed and therefore inaccessible to
conventional anti-virus solutions, the security appliance integrates advanced
decompression technology that automatically decompresses and scans the files
on a per packet basis.
NOTE The Anti-Virus feature supports virus scanning for one layer compressed files in the
zip, gzip, tar, bzip2, and rar2.0 formats.
CAUTION Enabling Anti-Virus consumes additional system resources and may impact the
system performance. Go to the Status -> Dashboard page to view the CPU and
memory utilizations. To conserve the system resources, disable the service when
it is no longer needed.
This section includes the following topics:
•
Configuring the Anti-Virus, page 220
•
Configuring the Email Notification, page 223
•
Configuring the HTTP Notification, page 224
Configuring the Anti-Virus
STEP 1
Click Security Services -> Anti-Virus -> General Settings.
The General Settings window opens.
STEP 2
Enter the following information:
•
Enable Anti-Virus: Click On to enable Anti-Virus, or click Off to disable it.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
220
7
Security Services
Anti-Virus
•
STEP 3
Select which zone to scan for virus: Specify the zones to scan the viruses
for the incoming traffic from the selected zones:
WAN zone: Choose this option to scan the viruses only for the traffic from
WAN zone to all other zones.
WAN + VPN zone: Choose this option to scan the viruses for the traffic
from both WAN and VPN zones to all other zones.
All zones: Choose this option to scan the viruses for the incoming traffic
from all zones. This is the default setting.
Specify the following settings for the protocols that you want to scan for viruses:
•
Enable: Check the box in this column to scan for the viruses for the protocol.
•
Log: Check the box in this column to log the event when viruses are
detected.
To log the Anti-Virus events, you first need to check the Log box for the
protocols, and then go to the Device Management -> Loggings pages to
configure the log settings and log facilities:
To save the Anti-Virus logs in the lcoal syslog daemon, you need to enable
the Log feature, set the log buffer size and the severity for local log, and
then check the Local Log box for the Anti-Virus log facility.
To save the Anti-Virus logs to the remote syslog server if you have a
remote syslog server support, you need to enable the Log feature,
specify the Remote Log settings, and check the Remote Log box for the
Anti-Virus log facility.
For more information about how to configure the log settings and log
facilities, and how to view the logs, see Log Management, page 302.
•
Action: Specify the preventive action for each protocol when viruses are
detected.
None: No action is required when viruses are detected.
Alert: Sends an alert email to the specified email account when viruses
are detected for the SMTP or POP3 protocol, or sends an alert message
to the user when using the HTTP protocol to download the files
containing viruses.
Drop Connection: Drops the connection when viruses are detected.
Destruct File: Destructs the file when viruses are detected.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
221
7
Security Services
Anti-Virus
The available preventive actions for each protocol are listed in the following
table.
Protocols
Preventive Actions
HTTP
None, Alert, Alert+Drop Connection
SMTP
None, Alert, Alert+Destruct File
FTP
None, Drop Connection
POP3
None, Alert, Alert+Destruct File
IMAP
None, Drop Connection
NETBIOS
None, Drop Connection
CIFS
None, Drop Connection
STEP 4
Because the compressed files in .bz2 and .rar formats can be reassembled and
uncompressed after collecting the whole packets, you need to specify the
maximum size for scanning the viruses for them. Enter the value in Kilobytes in the
Max Scan File Compression File Size field. When the size of the detected
compressed file is larger than this setting, the compressed file will not be
detected.
STEP 5
Click Save to apply your settings.
NOTE Next Steps:
•
If you select Alert or Alert+Descruct File for SMTP or POP3 protocol, go to
the Email Notification page to configure the email notification settings. See
Configuring the Email Notification, page 223.
•
If you select Alert or Alert+Drop Connection for HTTP protocol, go to the
HTTP Notification page to configure the HTTP notification settings. See
Configuring the HTTP Notification, page 224.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
222
7
Security Services
Anti-Virus
Configuring the Email Notification
Use the Email Notification page to configure the tag and content message that are
displayed in the alert email. The subject of the alert email will be tagged such as
[Virus] Email Subject.
If you select Alert for SMTP or POP3 protocol, when viruses are detected in the
email, the original email and an alert email are sent to the email receiver.
If you select Alert + Descruct File for SMTP or POP3 protocol, when viruses are
detected in the email, the original email is destructed and an alert email is sent to
the email receiver.
STEP 1
Click Security Services -> Anti-Virus -> Email Notification.
The Email Notification window opens.
STEP 2
Enter the following information:
•
Email Alert Status: Shows if the Alert or Alert+Destruct File action is
selected or not for SMTP or POP3 protocol.
•
From Email Address: The email address of the SMTP email account to send
the alert email.
•
SMTP Server: The IP address or Internet name of the SMTP server.
•
SMTP Authentication: Shows if the SMTP authentication is enabled or
disabled.
NOTE The above email account settings are read only. They are used to
send the alert emails to the original email receiver. Click the Email
Alert Setting link to configure the email account settings. For more
information, see Configuring the Email Alert Settings, page 316.
STEP 3
•
Mail Tag: Enter the tag that shows in the alert email ’s subject. The tag will
insert to the alert email subject in the [Tag] Email Subject format.
•
Mail Content: Enter the content that appears in the alert email.
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
223
7
Security Services
Email Reputation Filter
Configuring the HTTP Notification
Use the HTTP Notification page to configure the alert message if viruses are
detected when using the HTTP protocol to download the files containing viruses.
If you select Alert , an alert message is sent to the user when viruses are detected.
If you select Alert+Drop Connection, the connection is dropped and an alert
message is sent to the user when viruses are detected.
STEP 1
Click Security Services -> Anti-Virus -> HTTP Notification.
The HTTP Notification window opens.
STEP 2
Enter the alert message in the HTTP Content field.
STEP 3
Click Save to apply your settings.
Email Reputation Filter
The Email Reputation Filter feature detects the email sender’s reputation score.
The reputation scores range from -10 (bad) to +10 (good). An email is classified as
SPAM if the sender’s reputation is below the SPAM threshold, or is classified as
SUSPECT SPAM if the sender’s reputation is between the SPAM threshold and
SUSPECT SPAM threshold. An email is not classified as SPAM if the sender’s
reputation is above the SUSPECT SPAM threshold.
CAUTION Enabling Email Reputation Filter consumes additional system resources and may
impact the system performance. Go to the Status -> Dashboard page to view the
CPU and memory utilizations. To conserve the system resources, disable the
service when it is no longer needed.
STEP 1
Click Security Services -> Anti-Spam.
The Email Reputation Filter window opens.
STEP 2
Enter the following information:
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
224
7
Security Services
Email Reputation Filter
•
Enable Anti-Spam Filter: Click On to enable Email Reputation Filter, or check
Off to disable it.
•
SMTP Server Address: Enter the address of the SMTP server.
•
Choose Reputation Threshold: Specify the block sensitivity as either
Conservative, Moderate or Aggressive, or as a numerical threshold (Custom).
When the Custom radio button is selected, the drop-down lists next to it are
enabled allowing the threshold values to be entered. The allowable values
for the threshold are integers from -10 to -1 and the value -0.5.
The Email Reputation Filter detects spam emails based on the reputation
score of the sender’s IP address. The sender’s address is the address that
initiated the connection to the SMTP server, not an address within the email
header.
STEP 3
STEP 4
STEP 5
Specify the actions for SPAM and SUSPECT SPAM emails:
•
Action for SPAM Is: Choose Block to block the email, or choose TAG to get
the email tagged with [SPAM].
•
Action for SUSPECT SPAM Is: Choose Block to block the email, or choose
TAG to get the email tagged with [SUSPECT SPAM].
Choose one of the following actions if the Email Reputation Filter service is
unavailable:
•
Do not accept any emails until reputation services are restored (emails
will be delayed): If you choose this option, all emails will be delayed until the
Email Reputation Filter service is restrored.
•
Deliver all emails without checking for spam: If you choose this option, you
can deliver all emails without checking for spam. This is the default setting if
Email Reputation Filter service is unavailable.
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
225
7
Security Services
Web URL Filter
Web URL Filter
The Web URL Filter feature provides protection against URL categories. The Web
URL Filter policy profile assigned to each zone determines whether to block or
forward the HTTP request from the hosts in the zone. The blocked request will be
logged.
CAUTION Enabling Web URL Filter consumes additional system resources and may impact
the system performance. Go to the Status -> Dashboard page to view the CPU and
memory utilizations. To conserve the system resources, disable the service when
it is no longer needed.
This section includes the following topics:
•
Configuring the Web URL Filter Policy Profiles, page 226
•
Mapping the Web URL Filter Policy Profiles to Zones, page 228
•
Configuring Advanced Web URL Filter Settings, page 229
Configuring the Web URL Filter Policy Profiles
A Web URL Filter policy profile is used to specify the URL categories to be
blocked.
STEP 1
Click Security Services -> Web URL Filter -> Policy Profile.
The Web URL Filter Policy Profile window opens. The default and custom Web
URL Filter policy profiles are listed in the table.
STEP 2
To add a new Web URL Filter policy profile, click Add.
Other Options: To edit an entry, click Edit. To delete an entry, click Delete. The
default profile cannot be deleted.
After you click Add or Edit, the Add/Edit window opens.
STEP 3
Enter the following information:
•
Policy: Enter an unique name for the policy profile.
•
Description: Enter a brief message to describe the policy profile.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
226
7
Security Services
Web URL Filter
•
STEP 4
Select URL Categories to Block: Specify the URL categories to be blocked.
To block an URL catetory, check the box. Click Select All to block all
categories, or click Clear All to permit all categories.
If needed, specify the whitelist and blacklist of websites to permit or block
specific websites. For complete details, see Configuring the Whitelist and
Blacklist of Websites, page 227.
If an URL category is blocked (or permited), all websites that belongs to this
category will be blocked (or permited). The whitelist and blacklist of websites
allows you to permit or block the websites against the URL category settings. The
whitelist and blacklist have higher priority than the URL category settings.
For example, if the Sports category is blocked , but you want to permit the
www.espn.com, you can add it to the whitelist.
STEP 5
Click Save to apply your settings.
NOTE Next Steps:
•
To map the Web URL Filter policy profile to zones, go to the Zone Mapping
page. See Mapping the Web URL Filter Policy Profiles to Zones,
page 228.
•
To configure advanced Web URL Filter settings, go to the Advanced
Settings page. See Configuring Advanced Web URL Filter Settings,
page 229.
Configuring the Whitelist and Blacklist of Websites
Blocking an URL category will block all websites that belong to this category. You
can specify the whitelist and blacklist of websites to permit or block specific
websites against the URL category settings.
STEP 1
In the Define Policy Specify URLs or URL keywords you want to permit or deny
area, click Edit.
The Add/Edit window opens. The URLs and URL keywords specified in the
whitelist and blacklist are displayed in the website access control list.
STEP 2
To add an access control rule for a website, click Add.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
227
7
Security Services
Web URL Filter
Other Options: To edit an entry, click Edit. To delete an entry, click Delete. To
delete all entries, click Delete All.
After you click Add or Edit, the Add/Edit window opens.
STEP 3
Enter the following information:
•
Enable Content Filter URL: Click On to enable the access control rule, or
click Off to create only the access control rule.
•
URL: Enter the domain name or URL keyword of a website that you want to
permit or block.
•
Match Type: Specify the method for applying this rule:
Domain: Permit or deny the HTTP access of a website that fully matches
up with the domain name you entered in the URL field.
For example, if you enter yahoo.com in the URL field, then it can match up
with the website such as http://*.yahoo.com/*, but cannot match up with
the website such as http://*.yahoo.com.uk/*.
Keyword: Permit or deny the HTTP access of a website that contains the
keyword you entered in the URL field.
For example, if you enter yahoo in the URL field, then it can match up with
the websites such as www.yahoo.com, tw.yahoo.com,
www.yahoo.com.uk, and www.yahoo.co.jp.
•
STEP 4
Action: Choose Permit to permit the access, or choose Block to block the
access.
Click OK to save your settings.
Mapping the Web URL Filter Policy Profiles to Zones
Use the Zone Mapping page to map the Web URL Filter policy profile to zones. By
default, the Default Profile is assigned to all predefined zones and new zones.
STEP 1
Click Security Services -> Web URL Filter -> Zone Mapping.
The Zone Mapping window opens.
STEP 2
Click On to enable the Web URL Filter feature, or click Off to disable it.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
228
7
Security Services
Web URL Filter
NOTE Enabling the Web URL Filter service will disable the firewall content filtering
settings.
STEP 3
In the Specify the policy used for each zone area, choose the Web URL Filter
policy profile used for each zone.
STEP 4
Click Save to apply your settings.
Configuring Advanced Web URL Filter Settings
STEP 1
Click Security Services -> Web URL Filter -> Advanced Settings.
The Advanced Settings window opens.
STEP 2
Enter the following information:
•
Specify HTTP port for Web URL Filter (default: 80): Enter the port number
that is used for the Web URL Filter settings. The default is 80.
For example, if you permit the HTTP access to the website http://
www.ABcompanyC.com and set the HTTP port to 80. The access to http://
www.ABcompanyC.com:8080 will be blocked.
•
•
Select which Web Components to block: You can block or permit the web
components like Proxy, Java, ActiveX, and Cookies. By default, all of them
are permitted.
Proxy: Check the box to block proxy servers, which can be used to
circumvent certain firewall rules and thus present a potential security
gap.
Java: Check the box to block applets from being downloaded from
internet sites.
ActiveX: Check the box to prevent ActiveX controls from being
downloaded via Internet Explorer.
Cookies: Check the box to block cookies, which typically contain
session information.
If Web URL Filter services are unavailable: Specify one of the following
actions if Web URL Filter services are unavailable:
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
229
7
Security Services
Web Reputation Filter
•
STEP 3
Block all web traffic until web URL filter services are restored: If you
choose this option, all web traffic will be blocked until the Web URL Filter
services are restored, and displays the default blocked page. The default
blocked page will display a message to remind the user. You can edit the
message in the Block Message field.
Allow all web traffic until web URL filter services are restored: If you
choose this option, all web traffic will be permitted until the Web URL
Filter services are restored.
When a web page is blocked: Specify one of the following actions if a web
page is blocked:
Use the default blocked page: Use the default blocked page if a web
page is blocked. The default blocked page will display a message such
as “Access of this website is blocked due to security policy
configurations on the security appliance”. You can edit the message in
the Block Message field.
Redirect to this URL: Enter the URL to be redirected if a web page is
blocked.
Click Save to apply your settings.
Web Reputation Filter
The Web Reputation Filter service detects the web threats based on the
reputation score of a web page. Reputation scores range from -10 (bad) to +10
(good). Web pages with reputation scores below a specific threshold are
considered threats and blocked.
CAUTION Enabling Web Reputation Filter consumes additional system resources and may
impact the system performance. Go to the Status -> Dashboard page to view the
CPU and memory utilizations. To conserve the system resources, disable the
service when it is no longer needed.
STEP 1
Click Security Services -> Web Reputation Filter.
The Web Reputation Filter window opens.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
230
7
Security Services
Network Reputation
STEP 2
STEP 3
STEP 4
Enter the folllowing information:
•
Enable Web Threat Filter: Click On to enable the Web Reputation Filter
feature, or click Off to disable it.
•
Choose Reputation Threshold: If you enable the Web Reputation Filter
feature, specify the block sensitivity as either Conservative, Moderate, or
Aggressive, or as a numerical threshold (Custom). The threshold values for
Conservative, Moderate, or Aggressive option are predefined and
uneditable. If you want to customize a threshold value, click Custom and
choose the threshold value from the drop-down list. The available values for
the threshold are integers from -10 to -1 and the value -0.5.
Specify one of the following actions if the Web Reputation Filter services are
unavailable:
•
Block all web traffic until the web reputation filter services are restored:
If you choose this option, all web traffic will be blocked until the Web
Reputation Filter services are restored, and the default blocked page will
used. The default blocked page displays a message to remind the user. You
can edit the message in the Block Message field.
•
Allow all web traffic until the web reputation filter services are restored:
If you choose this option, all web traffic will be allowed until the Web
Reputation Filter services are restored.
Click Save to apply your settings.
Network Reputation
Network Reputation checks the source and destination address of each packet
against the address blacklist to determine whether to proceed or to drop the
packet. The blacklist data is automatically updated in its entirety a few times per
day.
NOTE No configuration is needed for the Network Reputation feature. You only need to
enable or disable this feature from the Security Services -> Dashboard page.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
231
8
VPN
This chapter describes how to configure Virtual Private Networks (VPN) that
allowing other sites and remote workers to access your network resources. It
includes the following sections:
•
About VPN, page 232
•
Configuring the Cisco IPSec VPN Server, page 233
•
Configuring the Cisco IPSec VPN Client, page 238
•
Configuring the Site-to-Site VPN, page 246
•
Configuring the SSL VPN, page 257
•
Configuring the L2TP Server, page 266
•
Configuring the VPN Passthrough, page 268
•
Viewing the VPN Status, page 268
To access the VPN pages, click VPN in the left hand navigation pane.
About VPN
A VPN provides a secure communication channel (“tunnel”) between two gateway
routers or between a remote PC and a gateway router. The security appliance
provides the following VPN solutions:
•
Cisco IPSec VPN Server: The Cisco IPSec VPN Server feature allows the
security appliance to act as a head-end device in remote access VPNs. The
server pushes the security policies to remote clients, so that remote clients
have up-to-date policies in place before establishing the connections. The
server can also terminate the VPN tunnels initiated by the clients. This
flexibility allows mobile and remote users to access critical data and
applications on corporate Intranet. See Configuring the Cisco IPSec VPN
Server, page 233.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
232
VPN
Configuring the Cisco IPSec VPN Server
•
Cisco IPSec VPN Client: The Cisco IPSec VPN Client feature minimizes the
configuration requirements at remote locations by allowing the security
appliance to work as a Cisco VPN hardware client to receive the security
policies upon the VPN tunnel from a remote Cisco IPSec VPN Server. See
Configuring the Cisco IPSec VPN Client, page 238.
•
Site-to-Site VPN: The Site-to-Site VPN tunnel connects two routers to
secure traffic between two sites that are physically separated. See
Configuring the Site-to-Site VPN, page 246.
•
SSL VPN: The SSL VPN feature allows remote users to access the
corporate network by using the Cisco AnyConnect VPN Client. Remote
access is provided through a SSL VPN gateway. See Configuring the SSL
VPN, page 257.
•
L2TP: L2TP allows remote clients to use a public IP network to secure
communicate with private corporate network servers. This protocol is
based on the client and server model. See Configuring the L2TP Server,
page 266.
NOTE The security appliance can function as a Cisco IPSec VPN server or as a Cisco
IPSec VPN client, but not both simutaneously. It does not have a default role.
Configuring the Cisco IPSec VPN Server
The Cisco IPSec VPN Server feature allows remote users to establish the IPSec
VPN tunnels to securely access the corporate network resources. It includes the
following sections:
•
Cisco VPN Client Compatibility, page 234
•
Configuring the Group Policies for Cisco IPSec VPN Server, page 235
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
233
8
VPN
Configuring the Cisco IPSec VPN Server
Cisco VPN Client Compatibility
The remote client can be a Cisco device that supports the Cisco IPSec VPN Client
feature (a Cisco VPN hardware client) or a PC running the Cisco VPN Client
software (v4.x or 5.x, a Cisco VPN software client).
Figure 6 IPSec Remote Access with a Cisco VPN Client Software or a Cisco
Device as a Cisco VPN Hardware Client
DNS Server
10.10.10.163
Personal Computer
running Cisco VPN Client software
ISA500
as a Cisco IPSec VPN Server
Internal
network
Inside
10.10.10.0
Outside
Internet
WINS Server
10.10.10.133
Personal Computer
running Cisco VPN Client software
Cisco Device
as a Cisco VPN hardware client
The Cisco VPN Client is an IPSec client software for Windows, Mac, or Linux users.
The Cisco VPN Client is compatible with the following platforms:
•
Windows 7 32-bit (x86) and 64-bit ( x64)
•
Windows Vista 32-bit (x86) and 64-bit ( x64)
•
Windows XP 32-bit (x86) and 64-bit ( x64)
•
Mac OS X 10.5 and 10.6
You can find the software installers for Cisco VPN Client on the CD, or download
the software installers from Cisco.com (A registered CCO account is required to
log into the website). For more information about how to download, install, and
configure the Cisco VPN Client software, see http://www.cisco.com/en/US/
products/sw/secursw/ps2308/index.html.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
234
VPN
Configuring the Cisco IPSec VPN Server
Configuring the Group Policies for Cisco IPSec VPN Server
This section describes how to enable the Cisco IPSec VPN Server feature and
specify the group policies that can be used by the remote clients to establish the
IPSec VPN tunnels.
NOTE The security appliance supports up to 16 group policies for Cisco IPSec VPN
Server.
STEP 1
Click VPN -> Remote User Access -> Cisco IPSec VPN Server.
The Cisco IPSec VPN Server window opens. All existing group policies are listed
in the table.
STEP 2
Click On to enable the Cisco IPSec VPN Server feature and set the security
appliance as a head-end device in remote access VPN, or click Off to disable it.
STEP 3
Specify the group policies that can be used by the remote clients to establish the
IPSec VPN tunnels. To add a group policy, click Add.
Other Options: To edit an entry, click Edit. To delete an entry, click Delete.
After you click Add or Edit, the Cisco IPSec VPN Server - Add/Edit window opens.
STEP 4
In the Basic Settings tab, enter the following information:
•
Group Name: Enter the name for the group policy.
•
WAN Interface: Choose the WAN interface that the traffic passes through
over the IPSec VPN tunnel.
•
Authentication Method: Choose the authentication method.
Preshare: If you choose this option, enter the desired value that the peer
device must provide to establish a connection in the Password field. The
pre-shared key must be entered exactly the same here and on the remote
clients.
Certificate: If you choose this option, choose the local certificate and the
peer certificate for authentication. On the remote clients, the selected
local certificate should be set as the peer certificate, and the selected
peer certificate should be set as the local certificate. If the certificates are
not in the list, go to the Device Management -> Certificate
Management page to import the certificates. See Managing the
Certificates for Authentication, page 310.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
235
8
VPN
Configuring the Cisco IPSec VPN Server
•
•
Mode: The operation mode determines whether the inside hosts relative to
the Cisco VPN hardware client are accessible from the corporate network
over the IPSec VPN tunnel. Specifying a operation mode is mandatory
before making a connection because the Cisco VPN hardware client does
not have a default mode. For more information, see Modes of Operation,
page 240.
Client: Choose this mode for the group policy that is used for both the PC
running the Cisco VPN Client software and the Cisco device that works
as the Cisco VPN hardware client. In client mode, the server can assign
the IP address to the outside interface of remote clients. To define the
pool range for the clients, enter the starting and ending IP addresses in
the Start IP and End IP fields.
NEM: Choose this mode for the group policy that is only used for the
Cisco device that works as the Cisco VPN hardware client. The Cisco
VPN hardware client can obtain a private IP address from a DHCP server
over the IPSec VPN tunnel.
WAN Failover: Click On to enable WAN Failover, or click Off to disable it. If
you enable WAN Failover, the traffic is automatically redirected to the
secondary link when the primary link is down.
NOTE To enable the WAN Failover for Cisco IPSec VPN tunnels, make sure
that the secondary WAN interface was configured and the WAN
redundancy was set to the Loab Balancing or Failover mode.
NOTE The security appliance will automatically update the local WAN
gateway for the VPN tunnel based on the configurations of the backup
WAN link. For this purpose, Dynamic DNS has to be configured
because the IP address will change due to failover, or let the remote
gateway use a dynamic IP address.
STEP 5
In the Zone Access Control tab, you can control the access from the PC running
the Cisco VPN Client software or the private network of the Cisco VPN hardware
client to the zones over IPSec VPN tunnels. Click Permit to permit the access, or
click Deny to deny the access. By default, the access for all zones is permitted.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
236
8
VPN
Configuring the Cisco IPSec VPN Server
NOTE The VPN access rules that are automatically generated by the Zone Access
Control settings will be added to the firewall access rule table with the
priority higher than the default access rules, but lower than the custom
access rules.
STEP 6
In the Mode Config Settings tab, enter the following information:
•
Primary DNS Server: Enter the IP address of the primary DNS server.
•
Secondary DNS Server: Enter the IP address of the secondary DNS server.
•
Primary WINS Server: Enter the IP address of the primary WINS server.
•
Secondary WINS Server: Enter the IP address of the secondary WINS
server.
•
Default Domain: Enter the default domain name.
•
Backup Server 1/2/3: Enter the IP addresses of backup servers. When the
primary server is down, the client can connect to the backup server. The
backup server 1 has the highest priority and the backup server 3 has the
lowest priority.
NOTE The backup servers that you specified on the Cisco IPSec VPN
Server will be sent to the remote clients when initiating the VPN
connection. The remote clients will cache them.
•
Split Tunnel: Click On to enable the split tunneling feature, or click Off to
disable it. Split tunneling allows only the traffic that is specified by the VPN
client routes to corporate resources through the VPN tunnel. If you enable the
split tunneling feature, you need to define the split subnets. To add a subnet,
enter the IP address in the IP filed and and netmask address in the Netmask
filed, and then click Add. To delete a subnet, choose a subnet from the list
and then click Delete.
•
Split DNS: Split DNS directs DNS packets in clear text through the VPN
tunnel to domains served by the corporate DNS. To add a domain, enter the
IP address or domain name in the Domain Name filed and then click Add. To
delete a domain, select it from the list and then click Delete.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
237
8
VPN
Configuring the Cisco IPSec VPN Client
NOTE To use Split DNS, you must also enable the split tunneling feature and
specify the domains. The Split DNS feature supports up to 10
domains.
STEP 7
Click OK to save your settings.
STEP 8
Click Save to apply your settings.
STEP 9
To check the status and statistic information for IPSec VPN tunnels, go to the
Session Status -> VPN Table page. See Monitoring the IPSec VPN Status,
page 269.
Configuring the Cisco IPSec VPN Client
The Cisco IPSec VPN Client feature minimizes the configuration requirements at
remote locations by allowing the security appliance to work as a Cisco VPN
hardware client to receive the security policies upon the VPN tunnel from a remote
Cisco IPSec VPN Server. This solution is ideal for remote offices with little IT
support or for large customer premises equipment (CPE) deployments where it is
impractical to configure multiple remote devices individually.
Figure 7
IPSec Remote Access with a Cisco IPSec VPN Server
DNS Server
10.10.10.163
Cisco Device
as a Cisco IPSec VPN Server
Internal
network
Inside
10.10.10.0
Outside
WINS Server
10.10.10.133
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
Personal Computer
ISA500
as a Cisco IPSec VPN Client
Internet
Personal Computer
Personal Computer
238
VPN
Configuring the Cisco IPSec VPN Client
This section describes how to configure the Cisco IPSec VPN Client feature. It
includes the following topics:
•
Restrictions for Cisco IPSec VPN Client, page 239
•
Benefits of the Cisco IPSec VPN Client Feature, page 239
•
Modes of Operation, page 240
•
General Settings, page 242
•
Configuring the Group Policies for Cisco IPSec VPN Client, page 243
Restrictions for Cisco IPSec VPN Client
The Cisco IPSec VPN Client feature requires that the destination peer is a Cisco
ISA500 Series Integrated Security Appliance that works as the Cisco IPSec VPN
Server, or a Cisco IOS router (such as C871, C1801, C1812, C1841, and C2821) or a
Cisco ASA5500 platform that supports the Cisco IPSec VPN Server feature.
The Cisco IPSec VPN Client feature supports configuration of only one destination
peer. If your application requires multiple VPN tunnels, you must manually
configure the IPSec VPN and Network Address Translation/Peer Address
Translation (NAT/PAT) parameters on both client and server.
NOTE If you set the security appliance as a Cisco VPN hardware client, the VPN tunnels
established by Site-to-Site VPN or Cisco IPSec VPN Server are automatically
disconnected. The Cisco IPSec VPN Client feature allows you to create multiple
group polices to connect different servers but only one group policy can be used
to establish the IPSec tunnel with a specified server.
Benefits of the Cisco IPSec VPN Client Feature
•
Allows dynamic configuration of end-user policy, requiring less manual
configuration by end users and field technicians, thus reducing errors and
further service calls.
•
Allows the provider to change equipment and network configurations as
needed, with little or no reconfiguration of the end-user equipment.
•
Provides for centralized security policy management.
•
Enables large-scale deployments with rapid user provisioning.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
239
VPN
Configuring the Cisco IPSec VPN Client
•
Eliminates the need for end users to purchase and configure external VPN
devices.
•
Eliminates the need for end users to install and configure Cisco VPN Client
software on their PCs.
•
Offloads the creation and maintenance of the VPN connections from the PC
to the router.
•
Reduces interoperability problems between the different PC-based
software VPN clients, external hardware-based VPN solutions, and other
VPN applications.
•
Sets up a single IPsec tunnel regardless of the number of multiple subnets
that are supported and the size of the split-include list.
Modes of Operation
The Cisco VPN hardware client supports two operation modes: Client Mode or
Network Extension Mode (NEM). The operation mode determines whether the
inside hosts relative to the Cisco VPN hardware client are accessible from the
corporate network over the tunnel. Specifying a operation mode is mandatory
before making a connection because the Cisco VPN hardware client does not
have a default mode.
All modes of operation also optionally support split tunneling, which allows secure
access to corporate resources through the VPN tunnel while also allowing Internet
access through a connection to an Internet service provider (ISP) or other
service—thereby eliminating the corporate network from the path for web access.
This section includes the following topics:
•
Client Mode, page 240
•
Network Extension Mode, page 241
Client Mode
Client mode specifies that NAT or PAT be done so that the PCs and other hosts at
the remote end of the VPN tunnel form a private network that does not use any IP
addresses in the IP address space of the desination server. In Client mode, the
outside interface of the Cisco VPN hardware client can be assigned an IP address
by the remote server.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
240
8
VPN
Configuring the Cisco IPSec VPN Client
Figure 7 illustrates the client mode of operation. In this example, the security
appliance provides access to two PCs, which have IP addresses in the 10.0.0.0
private network space. These PCs connect to the Ethernet interface on the
security appliance, and the server assigns an IP address 192.168.101.2 to the
security appliance. The security appliance performs NAT or PAT translation over
the VPN tunnel so that the PCs can access the destination network. When
accessing the remote network 192.168.100.x, the hosts 10.0.0.3 and 10.0.04 will
be translated to 192.168.101.2, but hosts in the remote network 192.168.100.x can
not access the hosts 10.0.0.3 and 10.0.04.
Figure 8
Cisco IPSec VPN Client Connection
192.168.100.x
10.0.0.3
WAN
202.0.0.1
Inside
10.0.0.0
ISA500
as a Cisco IPSec VPN Client
(192.168.101.2)
WAN
203.0.0.1
VPN tunnel
Internet
Cisco Device
as a Cisco IPSec VPN Server
10.0.0.4
Network Extension Mode
Network Extension Mode (NEM) specifies that the PCs and other hosts at the client
end of the VPN tunnel should be given IP addresses that are fully routable and
reachable by the destination network over the tunneled network so that they form
one logical network. PAT is not used, which allows the client PCs and hosts to have
direct access to the PCs and hosts at the destination network. In NEM mode, the
Cisco VPN hardware client obtains a private IP address from a DHCP server over
the VPN tunnel.
Figure 9 illustrates the network extension mode of operation. In this example, the
security appliance acts as a Cisco VPN hardware client, connecting to a remote
Cisco IPSec VPN Server. The hosts attached to the security appliance have IP
addresses in the 10.0.0.0 private network space. The server does not assign an IP
address to the security appliance, and the security appliance does not perform
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
241
8
VPN
Configuring the Cisco IPSec VPN Client
NAT or PAT translation over the VPN tunnel. When accessing the remote network
192.168.100.x, the hosts 10.0.0.3 and 10.0.04 will not be translated, and hosts in
the remote network 192.168.100.x can access the hosts 10.0.0.3 and 10.0.04
directly.
The client hosts are given IP addresses that are fully routable by the destination
network over the tunnel. These IP addresses could be either in the same subnet
space as the destination network or in separate subnets, assuming that the
destination routers are configured to properly route those IP addresses over the
tunnel.
Figure 9
Cisco IPSec VPN Network Extension Connection
192.168.100.x
10.0.0.3
WAN
202.0.0.1
WAN
203.0.0.1
VPN tunnel
Internet
ISA500
as a Cisco IPSec VPN Client
Cisco Device
as a Cisco IPSec VPN Server
10.0.0.4
General Settings
You can enable the Cisco IPSec VPN Client feature, configure the Auto Initiation
Retry settings, or manually connect or disconnect the IPSec VPN tunnels.
STEP 1
Click VPN -> Remote User Access -> Cisco IPSec VPN Client.
The Cisco IPSec VPN Client window opens.
STEP 2
Enter the following information:
•
Cisco IPSec VPN Client Enable: Click On to enable the Cisco IPSec VPN
Client feature and set the security appliance as a Cisco VPN hardware client,
or click Off to disable it.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
242
VPN
Configuring the Cisco IPSec VPN Client
•
STEP 3
Auto Initiation Retry: Click On to enable the Auto Initiation Retry feature, or
click Off to disable it. This feature is used to re-initiate the VPN connection to
the primary server if it does not response during the timeout. When the
primary server can not be connected over the timeout, the client will try to
initiate the VPN connection to the backup servers. If you enable this feature,
enter the following information:
Retry Interval: Specify how often, in seconds, the security appliance
initiates the VPN conection to the primary server. The default is 120
seconds.
Retry Limit: Enter the number of times the security appliance will retry a
connection initiation. The default is 0.
•
Connect: To manually initiate the IPSec VPN connection, check the box of
the group policy you want and then click Connect.
•
Disconnect: To manuall terminate an estalished the IPsec VPN connection,
click Disconnect.
Click Save to apply your settings.
Configuring the Group Policies for Cisco IPSec VPN Client
As a Cisco VPN hardware client, the security appliance will initiate the VPN
connection with a remote Cisco IPSec VPN Server. You can specify up to 16 group
policies used for Cisco IPSec VPN Client to establish the IPSec VPN tunnel.
STEP 1
Click VPN -> Remote User Access -> Cisco IPSec VPN Client.
The Cisco IPSec VPN Client window opens. All existing group policies are listed in
the table.
STEP 2
To add a group policy, click Add.
Other Options: To edit an entry, click Edit. To delete an entry, click Delete. To
delete multiple entries, check the boxes of multiple entries and click Delete
Selection.
After click Add or Edit, the Cisco IPSec VPN Client - Add/Edit window opens.
STEP 3
In the Basic Settings tab, enter the following inforamtion:
•
Description: Enter the name for the group policy.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
243
VPN
Configuring the Cisco IPSec VPN Client
•
Server (Remote Address): Enter the IP address of the remote Cisco IPSec
VPN server.
•
Connection on Startup: Click On to establish the connection with the
remote server when your security appliance starts up, or click Off to disable
it. Only one connection can be active on startup.
•
Authentication Method: The client must be properly authenticated before it
can access the remote network. Choose one of the following authentication
methods:
Preshare: If you choose this option, specify the pre-shared key and the
group policy in the following fields.
Password: Enter the desired value, which the peer device must provide
to establish a connection. The pre-shared key must be entered exactly
the same here and on the remote server.
Group Name: Enter the name of the group policy that is defined on the
remote server. Your security appliance will use this group policy to
establish the VPN tunnel with the remote server. The server pushes the
security settings over the IPSec VPN tunnel to the clients.
STEP 4
Certificate: If you choose this option, choose a local certificate and a
peer certificate for authentication. On the remote server, the selected
local certificate should be set as the peer certificate, and the selected
peer certificate should be set as the local certificate. If the certificates are
not in the list, go to the Device Management -> Certificate
Management page to import the certificates. See Managing the
Certificates for Authentication, page 310.
•
Mode: Specify the operation mode before making a connection because the
client does not have a default mode. For more information about the
operation mode, see Modes of Operation, page 240.
•
VLAN: If you choose the NEM mode, specify the VLAN that permits the
access from and to the private network of the remote server.
•
User Name: Enter the user name used by the client to establish a VPN
connection.
•
User Password: Enter the password used by the client to establish a VPN
connection.
In the Zone Access Control tab you can control the access from the zones in your
network to the remote network if you choose the Client mode. Click Permit to
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
244
8
VPN
Configuring the Cisco IPSec VPN Client
permit the access, or click click Deny to deny the access. By default, the access
from all zones to the remote network is permitted.
NOTE The VPN access control rules that are automatically generated by the Zone
Access Control settings will be added to the firewall access rule table with
the priority higher than the default firewall access rules, but lower than the
custom firewall access rules.
STEP 5
In the Advanced Settings tab, enter the following information.
•
Backup Server 1/2/3: You can specify up to three backup servers. When
the primary server is disconnected, your security appliance can initiate the
VPN connection to the backup servers. The backup server 1 has the highest
priority and the backup server 3 has the lowest priority.
NOTE The Cisco VPN hardware client can get the backup servers from the
remote Cisco IPSec VPN server during the tunnel negotiation. The
backup servers specified on the remote Cisco IPSec VPN server have
higher priority than the back servers specified on the Cisco VPN
hardware client. When the primary server is disconnected, firstly try
to connect to the backup servers specified on the Cisco IPSec VPN
server, and then try to connect to the backup servers specified on the
Cisco VPN hardware client.
•
Peer Timeout: Enter the time in minutes that the client retries to connect the
backup server.
STEP 6
Click OK to save your settings.
STEP 7
Click Save to apply your settings.
STEP 8
To check the status and statistic information for IPSec VPN tunnels, go to the
Session Status -> VPN Table page. See Monitoring the IPSec VPN Status,
page 269.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
245
8
VPN
Configuring the Site-to-Site VPN
Configuring the Site-to-Site VPN
The Site-to-Site VPN tunnel connects two routers to secure traffic between two
sites that are physically separated.
Figure 10
Site-to-Site VPN
Internet
Outside
209.165.200.226
ISA500
Site B
ISA500
Inside
10.10.10.0
Inside
10.20.20.0
Printer
Printer
Personal
computers
Personal
computers
235142
Site A
Outside
209.165.200.236
This section describes how to configure a Site-to-Site VPN tunnel. It includes the
following topics:
•
Configuration Tasks to Establish a Site-to-Site VPN, page 246
•
General Site-to-Site VPN Settings, page 247
•
Configuring the IPSec VPN Policies, page 248
•
Configuring the IPSec IKE Policies, page 254
•
Configuring the IPSec Transform Policies, page 256
Configuration Tasks to Establish a Site-to-Site VPN
To establish a Site-to-Site VPN tunnel, complete the following configuration tasks:
•
Add the subnet IP address objects of the local network and remote
network. See Address Management, page 152.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
246
8
VPN
Configuring the Site-to-Site VPN
•
(Optional) Import the certificate for authentication between two peers. Skip
this step if you want to use the pre-shared key for authentication. See
Managing the Certificates for Authentication, page 310.
•
Enable the Site-to-Site VPN feature on your security appliance. See
General Site-to-Site VPN Settings, page 247.
•
Configure the IPSec IKE policies. See Configuring the IPSec IKE Policies,
page 254.
•
Configure the IPSec Transform policies. See Configuring the IPSec
Transform Policies, page 256.
•
Configure the IPSec VPN policies. See Configuring the IPSec VPN
Policies, page 248.
•
Check the box of an enabled IPSec VPN policy, and then click Connect to
initiate the IPSec VPN connection.
•
Check the status and statistic information for IPSec VPN tunnels. See
Monitoring the IPSec VPN Status, page 269.
General Site-to-Site VPN Settings
STEP 1
Click VPN -> Site-to-Site -> IPSec Policies.
The IPSec Policies window opens. All existing IPSec VPN policies are listed in the
table. You can check the following information of an IPSec VPN policy:
•
Name: The name of the IPSec VPN policy.
•
Enable: Shows that the IPSec VPN policy is enabled or disabled.
•
Status: Shows if the IPSec VPN tunnel is connected or disconnected.
•
WAN Interface: The WAN interface that the traffic over the IPSec VPN tunnel
passes through.
•
Peers: The IP address of the remote peer.
•
Zone Access: The zone to which the remote peer can access.
•
Local: The local network of the local peer.
•
Remote: The remote network of the remote peer.
•
Policy: The IKE policy used for the IPSec VPN policy.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
247
8
VPN
Configuring the Site-to-Site VPN
•
Tranform: The tranform policy used for the IPSec VPN policy.
STEP 2
Click On to enable the Site-to-Site VPN feature, or click Off to disable it.
STEP 3
Check the box of an IPSec VPN policy in the Enable column to enable the IPSec
VPN policy, or uncheck the box to disable the policy.
STEP 4
After you enable the Site-to-Site VPN feature, check the box of an enabled IPSec
VPN policy and click Connect to establish the IPSec VPN tunnel.
STEP 5
To terminate a connected VPN tunnel between two peers, check the box and click
Disconnect.
STEP 6
To refresh the status of Site-to-Site VPN, click Refresh.
Configuring the IPSec VPN Policies
The Site-to-Site VPN policy is used to establish the IPSec VPN tunnel between
two peers. The ISA550 and ISA550W supports up to 50 IPSec VPN tunnels. The
ISA570 and ISA570W supports up to 100 IPSec VPN tunnels.
NOTE Before you create an IPSec VPN policy, make sure that the IKE and transform
policies are configured. Then you can apply the IKE and transform policy on the
IPSec VPN policy.
STEP 1
Click VPN -> Site-to-Site -> IPSec Policies.
The IPSec Policies window opens. All existing IPSec VPN policies are listed in the
table.
STEP 2
To add a new IPSec VPN policy, click Add.
Other options: To edit an entry, click Edit. To delete an entry, click Delete. To
delete multiple entries, check the boxes of the entries and then click Delete
Selection.
After you click Add or Edit, the IPSec Policies - Add/Edit window opens.
STEP 3
In the Basic Settings tab, enter the following information:
•
Description: Enter the name for the IPSec VPN policy.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
248
8
VPN
Configuring the Site-to-Site VPN
•
IPSec Policy Enable: Click On to enable the IPSec VPN policy, or click Off
to create only the IPSec VPN policy. For an enabled IPSec VPN policy, the
VPN tunnel can be connected by manually clicking Connect or be triggered
by traffic.
•
Remote Type: Choose one of the following types for the remote peer:
Static IP: Choose this option if the remote peer uses a static IP address.
Enter the IP address of the remote peer in the Address field.
Dynamic IP: Choose this option if the remote peer uses a dynamic IP
address.
FQDN (Fully Qualified Domain Name): Choose this option to use the
domain name of the remote network, such as vpn.company.com. Enter
the domain name of the remote peer in the Address field.
For the example as illustrated in Figure 10, the remote site, Site B, has a
public IP address of 209.165.200.236. You should choose Static IP for the
type, and enter 209.165.200.236 in the Address field.
•
Authentication Method: Choose the authentication method for the IPSec
VPN policy.
Preshare Key: If you choose this option, enter the desired value that the
peer device must provide to establish a connection. The same preshared key has to be entered on the remote peer device.
Certificate: If you choose this option, choose a local certificate and a
remote certificate for authentication. On the remote clients, the selected
local certificate should be set as the remote certificate, and the selected
remote certificate should be set as the local certificate. If the certificate
is not in the list, go to the Device Management -> Certificate
Management page to import the certificates. See Managing the
Certificates for Authentication, page 310.
•
WAN Interface: Choose the WAN interface that the traffic passes through
over the IPSec VPN tunnel.
•
Local Network: Choose the IP address of the local network. If you want to
configure the zone access control settings for Site-to-Site VPN, choose Any
for the local network.
•
Remote Network: Choose the IP address of the remote network. You must
know the IP address of the remote network before connecting the IPSec
VPN tunnel.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
249
8
VPN
Configuring the Site-to-Site VPN
For the example as illustrated in Figure 10, Site A has a LAN IP address of
10.10.10.0 and Site B has a LAN IP address of 10.20.20.0. When you
configure the Site-to-Site VPN on Site A, the local network is 10.10.10.0 and
the remote network is 10.20.20.0.
If the IP address object is not in the list, choose Create an IP Address to add
a new address object. To maintain the address objects, go to the
Networking -> Address Object Management page. See Address
Management, page 152.
NOTE The security appliance can support multiple subnets for IPSec VPN
tunnel, you may need to select a group address object including
multiple VLANs for local and remote network.
STEP 4
In the Advanced Settings tab, enter the following information:
•
PFS Enable: Click On to enable Perfect Forward Secrecy (PFS) to improve
security, or click Off to disable it. If you enable PFS, a Diffie-Hellman
exchange is performed for every phase-2 negotiation. PFS is desired on the
keying channel of the VPN connection.
•
DPD Enable: Click On to enable Dead Peer Detection (DPD), or click Off to
disable it. DPD is a method of detecting a dead Internet Key Exchange (IKE)
peer. The method uses IPsec traffic patterns to minimize the number of
messages required to confirm the availability of a peer. DPD is used to
reclaim the lost resources in case a peer is found dead and it is also used to
perform IKE peer failover.
If you enable DPD, enter the following information:
Delay Time: Enter the value of delay time in seconds between DPD
sending two keepalive messages for this IPSec VPN connection. The
default is 30 seconds.
Detection Timeout: Enter the value of detection timeout in seconds. If no
response and no traffic over the timeout, declare the peer dead. The
default is 120 seconds.
DPD Action: Choose one of the following actions over the timeout:
Hold: Traffic from local network to remote network can trigger the
security appliance to re-initiate the IPSec VPN tunnel over the timeout.
We recommend that you use Hold when the remote peer uses a static IP
address.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
250
8
VPN
Configuring the Site-to-Site VPN
Clean: Terminates the IPSec tunnel over the timeout. You must manually
re-initiate the IPSec VPN tunnel . We recommend that you use Clean
when the remote peer uses dynamic IP address.
Restart: Re-initiates the IPSec VPN tunnel for three times over the
timeout.
•
Windows Network (NetBios) Broadcasting: Click On to allow access
remote network resources by using its NetBIOS name, for example,
browsing Windows Neighborhood. NetBIOS broadcasting can resolve a
NetBIOS name to a network address. This option allows NetBIOS
broadcasts to travel over the VPN tunnel.
•
Access Control: You can control the incoming traffic from a remote VPN
network to the zones. Click Permit to permit the access, or click Deny to
deny the access. By default, the incoming traffic from the remote network to
all zones is permitted.
NOTE The VPN access rules that are automatically generated by the zone
access control settings will be added in the firewall access rule table
with the priority higher than the default firewall access rules, but
lower than the custom firewall access rules.
•
Apply NAT Policies: Click On to apply the NAT settings for both the local
network and remote network communicating over the VPN tunnel. This
option is particularly useful in cases where both sides of a tunnel use either
the same or overlapping subnets.
Translated Local Network: To translate the local network, select the
translated address object of the local network.
Translated Remote Network: To translate the remote network, select
translated address object of the remote network.
If the IP address object is not in the list, choose Create an IP Address to add
a new address object. To maintain the IP address objects, go to the
Networking -> Address Object Management page. See Address
Management, page 152.
Figure 11 shows a networking example that simulates two merging
companies with the same IP addressing scheme. Two routers are connected
with a VPN tunnel, and the networks behind each router are the same. For
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
251
8
VPN
Configuring the Site-to-Site VPN
one site to access the hosts at the other site, Network Address Translation
(NAT) is used on the routers to change both the source and destination
addresses to different subnets.
Figure 11 Networking example that simulates two merging companies with
the same IP addressing scheme
In this example, when the host 172.16.1.2 at Site A accesses the same IPaddressed host at Site B, it connects to a 172.19.1.2 address rather than to
the actual 172.16.1.2 address. When the host at Site B to accesses Site A, it
connects to a 172.18.1.2 address. NAT on Router A translates any 172.16.x.x
address to look like the matching 172.18.x.x host entry. NAT on Router B
changes 172.16.x.x to look like 172.19.x.x.
NOTE This configuration only allows the two networks to communicate. It
does not allow for Internet connectivity. You need additional paths to
the Internet for connectivity to locations other than the two sites; in
other words, you need to add another router or firewall on each side,
with multiple routes configured on the hosts.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
252
8
VPN
Configuring the Site-to-Site VPN
STEP 5
•
IKE Policy: Choose the IKE policy used for the IPSec VPN tunnel. If the IKE
policy is not in the list, go to the IKE Policies page to create new IKE policies.
See Configuring the IPSec IKE Policies, page 254.
•
Transform: Choose the transform policy used for the IPSec VPN tunnel. If the
transform policy is not in the list, go to the Transform Policies page to create
new transform policies. See Configuring the IPSec Transform Policies,
page 256.
•
Security Time: Enter the lifetime of the IPSec Security Association (SA). The
lifetime of the IPSec SA represents the interval after which the IPSec SA
becomes invalid. The IPSec SA is renegotiated after this interval. The default
is 1 hour.
In the VPN Failover tab, enter the following information:
•
WAN Failover Enable: Click On to enable WAN Failover for the IPSec VPN
connection, or click Off to disable it. If you enable WAN Failover, the backup
WAN interface ensures that VPN traffic rolls over to the backup link
whenever the primary link fails. The security appliance will automatically
update the local WAN gateway for the VPN tunnel based on the
configurations of the backup WAN link. For this purpose, Dynamic DNS has
to be configured because the IP address will change due to failover, or let the
remote gateway use dynamic IP address.
NOTE To enable the WAN Failover for Site-to-Site VPN, make sure that the
secondary WAN interface was configured and the WAN redundancy
was set as the Failover or Load Balancing mode.
•
Redundant Gateway: Click On to enable Redundant Gateway, or click Off to
disable it. If you enable Redundant Gateway, when the connection of remote
gateway is down, the backup connection automatically becomes active. A
backup policy comes into effect only if the primary policy fails.
Select Backup Policy: Choose a policy to act as a backup of this policy.
Failback Time to Switch: Enter the number of seconds that must pass to
confirm that the primary tunnel has recovered from a failure. If the primary
tunnel is up for the specified number of seconds, the security appliance
will switch to the primary tunnel by disabling the backup tunnel.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
253
8
VPN
Configuring the Site-to-Site VPN
NOTE The DPD should be enabled if you want to use the Redundant
Gateway feature for the IPSec VPN connection.
STEP 6
Click OK to save your settings.
STEP 7
Click Save to apply your settings.
NOTE Next Steps:
•
To maintain the IKE policies, click Site-to-Site -> IKE Policies. See
Configuring the IPSec IKE Policies, page 254.
•
To maintain the Tranform policies, click Site-to-Site -> Transform Policies.
See Configuring the IPSec Transform Policies, page 256.
Configuring the IPSec IKE Policies
The Internet Key Exchange (IKE) protocol is a negotiation protocol that includes an
encryption method to protect data and ensure privacy. It is also an authentication
method to verify the identity of devices that are trying to connect to your network.
You can create IKE policies to define the security parameters (such as
authentication of the peer, encryption algorithms, and so forth) to be used for a
VPN tunnel.
NOTE The security appliance supports up to 16 IKE policies.
STEP 1
Click VPN -> Site-to-Site -> IKE Policies.
The IKE Policies window opens. The default and custom IKE policies are listed in
the table.
STEP 2
To add a new IKE policy, click Add.
Other options: To edit an entry, click Edit. To delete an entry, click Delete. The
default IKE policy (DefaultIke) can not be edited or deleted.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
254
8
VPN
Configuring the Site-to-Site VPN
After you click Add or Edit, the IKE Policy - Add/Edit window opens.
STEP 3
Enter the following information:
•
Name: Enter an unique name for the IKE policy.
•
Encryption: Choose the algorithm used to negotiate the security
association. There are four algorithms supported by the security appliance:
ESP_3DES, ESP_AES-128, ESP_AES-192, and ESP_AES-256.
•
HASH: Specify the authentication algorithm for the VPN header. There are
two HASH algorithms supported by the security appliance: SHA1 and MD5.
NOTE Ensure that the authentication algorithm is configured identically on
both sides.
•
•
•
Authentication: Specify the authentication method that the security
appliance uses to establish the identity of each IPsec peer.
PRE-SHARE: Uses a simple password based key to authenticate. The
alpha-numeric key is shared with IKE peer. Pre-shared keys do not scale
well with a growing network but are easier to set up in a small network.
RSA-SIG: Uses a digital certificate to authenticate. RSA-SIG is a digital
certificate with keys generated by the RSA signatures algorithm. In this
case, a certificate must be configured in order for the RSA-Signature to
work.
D-H Group: Choose the Diffie-Hellman group identifier, which the two IPsec
peers use to derive a shared secret without transmitting it to eachother. The
D-H Group sets the strength of the algorithm in bits. The lower the DiffieHellman group number, the less CPU time it requires to execute. The higher
the Diffie-Hellman group number, the greater the security.
Group 2 (1024-bit)
Group 5 (1536-bit)
Group 14 (2048-bit)
Lifetime: Enter the number of seconds for the IKE Security Association to
remain valid. The default is 24 hours. As a general rule, a shorter lifetime
provides more secure ISAKMP negotiations (up to a point). However, with
shorter lifetimes, the security appliance sets up future IPsec SAs more
quickly.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
255
8
VPN
Configuring the Site-to-Site VPN
STEP 4
Click OK to save your settings.
STEP 5
Click Save to apply your settings.
Configuring the IPSec Transform Policies
A transform policy specifies the algorithms of integrity and encrytion the peers
will use to protect data communications. Two peers must use the same algorithm
to communicate.
NOTE The security appliance supports up to 16 transform policies.
STEP 1
Click VPN -> Site-to-Site -> Transform Policies.
The Transform Policies window opens. The default and custom transform policies
are listed in the table.
STEP 2
To add an IPSec transform policy, click Add.
Other options: To edit an entry, Edit. To delete an entry, click Delete. The default
transform policy (DefaultTrans) can not be edited or deleted.
After you click Add or Edit, the Transform Policy - Add/Edit window opens.
STEP 3
Enter the following information:
•
Name: Enter an unique name for the transform policy.
•
Integrity: Choose the hash algorithm used to ensure the data integrity. It
ensures that a packet comes from where it says it comes from, and that it has
not been modified in transit. The default is ESP_SHA1_HMAC.
ESP_SHA1_HMAC: Authentication with SHA_1 (160-bit).
ESP_MD5_HMAC: Authentication with MD5 (128-bit). MD5 has a smaller
digest and is considered to be slightly faster than SHA_1. A successful
(but extremely difficult) attack against MD5 has occurred; however, the
HMAC variant IKE uses prevents this attack.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
256
8
VPN
Configuring the SSL VPN
•
Encryption: Choose the symmetric encryption algorithm that protects data
transmitted between two IPsec peers. The default is 168-bit Triple DES
(ESP_3DES). The Advanced Encryption Standard supports key lengths of
128, 192, 256 bits.
ESP_3DES: Encryption with 3DES (168-bit).
ESP_AES_128: Encryption with AES (128-bit).
ESP_AES_192: Encryption with AES (192-bit).
ESP_AES_256: Encryption with AES (256-bit).
STEP 4
Click OK to save your settings.
STEP 5
Click Save to apply your settings.
Configuring the SSL VPN
SSL VPN is a flexible and secure way to extend network resources to virtually any
remote user. The security appliance supports the SSL VPN, and interoperates with
the Cisco AnyConnect VPN Client software.
Figure 12 shows an example of SSL VPN. Users can remotely access the network
by using the Cisco AnyConnect VPN Client software. When the VPN tunnel is
established, each user will have an IP address on the internal network, such as
10.10.10.x.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
257
8
VPN
Configuring the SSL VPN
Figure 12
SSL VPN for Remote Access
DNS Server
10.10.10.163
Cisco AnyConnect VPN Client
ISA500
Internal
network
Inside
10.10.10.0
Outside
Internet
Cisco AnyConnect VPN Client
WINS Server
10.10.10.133
Cisco AnyConnect VPN Client
Use the SSL Remote Access pages to configure the SSL VPN gateway, SSL VPN
group policies, and SSL VPN portal. The security appliance supports multiple
concurrent SSL VPN sessions to allow remote users to access the LAN. It includes
the following sections:
•
Elements of the SSL VPN, page 258
•
Configuration Tasks to Establish a SSL VPN Tunnel, page 259
•
Installing the Cisco AnyConnect VPN Client on User’s PC, page 260
•
Importing the Certificates for User Authentication, page 260
•
Configuring the SSL VPN Users, page 260
•
Configuring the SSL VPN Gateway, page 261
•
Configuring the SSL VPN Group Policies, page 263
•
Configuring the SSL VPN Portal, page 266
Elements of the SSL VPN
Several elements work together to support SSL VPN.
•
SSL VPN Users: Create your SSL VPN users. The user groups to which the
SSL VPN users belong must be assigned a specific SSL VPN group policy
to enable the SSL VPN service for the users. See Configuring the SSL VPN
Users, page 260.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
258
8
VPN
Configuring the SSL VPN
•
SSL VPN Group Policies: The default SSL VPN policy
(“SSLVPNDefaultPolicy”) is sufficient for most purposes. As needed, you
can custom new policies to meet specific business needs. See Configuring
the SSL VPN Group Policies, page 263.
•
Cisco AnyConnect VPN Client: The Cisco AnyConnect VPN Client is the
next-generation VPN client, providing remote users with secure VPN
connections to the security appliance.
Configuration Tasks to Establish a SSL VPN Tunnel
You need to complete below configuration tasks to establish a SSL VPN tunnel.
•
Download and install the Cisco AnyConnect VPN Client software on remote
user’s PC. See Installing the Cisco AnyConnect VPN Client on User’s PC,
page 260.
•
Import the SSL VPN certificate to your security appliance used for user
authentication. See Importing the Certificates for User Authentication,
page 260.
•
Enable and configure the SSL VPN gateway on your security appliance.
See Configuring the SSL VPN Gateway, page 261.
•
Define the SSL VPN group policies. See Configuring the SSL VPN Group
Policies, page 263.
•
Add SSL VPN users and user groups, and then specify the SSL VPN group
policy for each SSL VPN user group. See Configuring the SSL VPN Users,
page 260.
•
Launch the Cisco AnyConnect VPN Client on the user’s PC, enter the
gateway IP Address:gateway interface to connect the remote gateway, and
then enter the user name and password to establish a SSL VPN tunnel.
•
Check the status and statistic information of all SSL VPN sessions. See
Monitoring the SSL VPN Status, page 270.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
259
8
VPN
Configuring the SSL VPN
Installing the Cisco AnyConnect VPN Client on User’s PC
You can set up a user’s PC to run the Cisco AnyConnect VPN Client in standalone
mode by installing the client software for the appropriate operating system
directly on the user’s PC. In standalone mode, the user starts the Cisco
AnyConnect VPN Client, and needs to provide the authentication credentials.
The security appliance supports the Cisco AnyConnect VPN Client v2.x and v3.0
(SSL VPN function only). The Cisco AnyConnect VPN Client is compatible with the
following platforms:
•
Windows 7 32-bit (x86) and 64-bit (x64)
•
Windows Vista 32-bit (x86) and 64-bit (x64), including Service Packs 1 and
2 (SP1/SP2)
•
Windows XP SP2+ 32-bit (x86) and 64-bit (x64)
•
Mac OS X 10.5 and 10.6.x
•
Linux Intel (2.6.x kernel)
You can find the software installer on the CD. If you have a CCO account, you can
access the SSL VPN portal to download the software installer from Cisco.com
website. For more information about the SSL VPN portal, see Configuring the SSL
VPN Portal, page 266.
Importing the Certificates for User Authentication
The SSL VPN gateway holds a CA certificate that is presented to the client when
the client first connects to the gateway. The purpose of this certificate is to
authenticate the server. For complete details about importing the certificates, see
Managing the Certificates for Authentication, page 310.
Configuring the SSL VPN Users
The ISA550 and ISA550W supports 25 SSL VPN users. The ISA570 and ISA570W
supports 50 SSL VPN users.
To configure the SSL VPN users and user groups, go to the Users -> Users &
Groups page. You can add all SSL VPN users to one group (such as “ SSL VPN
User Group”). However, if you have multiple SSL VPN group policies for different
SSL VPN users, you must create multiple user groups and specify different SSL
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
260
8
VPN
Configuring the SSL VPN
VPN group policies for them. Specifying a SSL VPN group policy for a user group
can enable the SSL VPN service for all included SSL VPN users. For complete
details about the users and user groups, see Configuring the Users and Groups,
page 275
According to the user login settings specified on your security appliance, the SSL
VPN users can be authenticated by the local database or external AAA server
(such as Active Directory, LDAP, or RADIUS). For complete details about the user
login settings, see Configuring the Users and Groups, page 275 and
Configuring the User Authentication Settings, page 277.
Configuring the SSL VPN Gateway
Use the SSL VPN Configuration page to enable SSL VPN and configure the SSL
VPN gateway settings.
STEP 1
Click VPN -> SSL Remote Aceess -> SSL VPN Configuration.
The SSL VPN Configuration window opens.
STEP 2
Click On to enable SSL VPN, or click Off to disable SSL VPN. If you enable SSL
VPN, the security appliance is set as the SSL VPN server.
STEP 3
In the Gateway (Mandatory) area, enter the following information:
•
Gateway Interface: Choose the WAN interface that the traffic passes
through over the SSL VPN tunnel.
•
Gateway Port: Enter the port number used for the SSL VPN gateway. By
default, HTTPS or SSL typically operates on port 443. However, the SSL
VPN gateway should be flexible to operate on a user defined port. The SSL
VPN clients need to enter the entire address pair “Gateway IP Address: Port
Number” for connectting purposes.
•
Certificate File: Choose a certificate to authenticate the users who want to
access your network resource through the SSL VPN tunnel. To import the
digital certificates for authentication, go to the Device Management ->
Certificate Management page. See Managing the Certificates, page 311.
•
Client Address Pool: The SSL VPN gateway has a configurable address
pool with maximum size of 255 that is used to allocate IP addresses to the
remote clients. Enter the IP address pool for all remote clients. The client is
assigned an IP address by the SSL VPN gateway.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
261
8
VPN
Configuring the SSL VPN
NOTE Configure an IP address range that does not directly overlap with any
of addresses on your local network.
•
STEP 4
Client Netmask: Enter the IP address of the netmask used for SSL VPN
clients. The Client Address Pool is used with the Client Netmask. If they are
set as follows, then the SSL VPN client will get a VPN address whose range
is from 10.0.0.1 to 10.0.0.254.
Client Address Pool = 10.0.0.0
Client Netmask = 255.255.255.0
•
Client Domain: Enter the domain name used for the SSL VPN clients.
•
Login Banner: When the users successfully log into the SSL VPN gateway,
a configurable login banner is displayed. Enter the message text to display
along with the banner.
In the Gateway (Optional) area, enter the following information:
•
Idle Timeout: Enter the timeout value in seconds that the SSL VPN session
can remain idle.
•
Session Timeout: Enter the timeout value in seconds that a SSL VPN
session can remain connected.
•
Client DPD Timeout: Dead Peer Detection (DPD) allows detection of dead
peers. Enter the DPD timeout for client in this field.
•
Gateway DPD Timeout: Enter the DPD timeout for SSL VPN gateway in this
field.
•
Keep Alive: If you want the SSL VPN server to keep sending a message at
an interval, enter the value of interval in this field.
•
Lease Duration: Enter the amount of time after which the SSL VPN client
must send an IP address lease renewal request to the server.
•
Max MTU: Enter the maximum transmission unit for the session.
•
Rekey Method: Specify the session rekey method (SSL or New Tunnel).
Rekey allows the SSL keys to be renegotiated after the session has been
established.
•
Rekey Interval: Enter the frequency of the rekey in this field.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
262
8
VPN
Configuring the SSL VPN
•
STEP 5
SSL VPN Portal Message: Enter the message that you want to display on
the SSL VPN portal. The SSL VPN portal provides a link to download the
Cisco AnyConnect VPN Client software installer from Cisco.com website.
The CCO account is required to log into the website for downloading. For
more information about the SSL VPN portal, see Configuring the SSL VPN
Portal, page 266.
Click Save to apply your settings.
Configuring the SSL VPN Group Policies
SSL VPN users of the group can establish the SSL VPN tunnels based on the
selected SSL VPN group policy to access your network resources. A SSL VPN
group policy applies to a specific network resource, IP address, or IP address
range on the LAN, or to other SSL VPN services that are supported by the security
appliance.
NOTE The security appliance supports up to 32 SSL VPN goup policies.
STEP 1
Click VPN -> SSL Remote Acess -> SSL VPN Group Policies.
The SSL VPN Group Policies window opens. The default and custom SSL VPN
group policies are listed in the table.
STEP 2
To add a new SSL VPN group policy, click Add.
Other options: To edit an entry, click Edit. To delete an entry, click Delete. To
delete multiple entries, check the boxes and then click Delete Selection. The
default SSL VPN group policy can not be deleted.
After you click Add or Edit, the Group Policy - Add/Edit window opens.
STEP 3
In the Basic Settings tab, enter the following information:
•
Policy Name: Enter the name for the SSL VPN group policy.
•
Primary DNS: Enter the IP address of the primary DNS server.
•
Secondary DNS: Enter the IP address of the secondary DNS server.
•
Primary WINS: Enter the IP address of the primary WINS server.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
263
8
VPN
Configuring the SSL VPN
•
STEP 4
Secondary WINS: Enter the IP address of the secondary WINS server.
In the IE Proxy Settings tab, enter the following information:
The SSL VPN gateway can specify several Microsoft Internet Explorer (MSIE)
proxies for client PCs. If these settings are enabled, IE on the client PC is
automatically configured with these settings:
•
STEP 5
IE Proxy Policy: Choose one of the following IE proxy policies:
None: Allows the browser to use no proxy settings.
Auto: Allows the browser to automatically detect the proxy settings.
Bypass-Local: Allows the browser to bypass the proxy settings that are
configured on the remote user.
•
Address: If you choose Bypass-Local, enter the IP address or domain name
of the MSIE proxy server. It is configured as an IPv4 address or fully qualified
domain name, followed by a colon and port number, for example
xxx.xxx.xxx.xxx:80.
•
Port: Enter the port number of the MSIE proxy server.
•
IE Proxy Exception: If you choose Bypass-Local, enter the IP address or
domain name of an exception host. This option allows the browser not to
send traffic for the given hostname or IP address through the proxy.
In the Split Tunneling Settings area, enter the following information:
Split tunneling permits specific traffic to be carried outside of the SSL VPN tunnel.
Traffic is either included (resolved in tunnel) or excluded (resolved through the
Internet Service Provider or WAN connection). Tunnel resolution configuration is
mutually exclusive. An IP address cannot be both included and excluded at the
same time.
•
Enable Split Tunneling: By default, all of traffic from the SSL VPN clients is
directed through the SSL VPN tunnel. Check this box to enable split tunneling
so that the tunnel is used only for the traffic that is specified by the client
routes.
•
Split Include: Choose one of the following options:
Include Traffic: Allows you to add the client routes on the SSL VPN client
so that only traffic to the destination networks redirected through the SSL
VPN tunnels. To add a client route, enter the destination subnet to which
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
264
8
VPN
Configuring the SSL VPN
a route is added on the SSL VPN client in the Address field and the the
subnet mask for the destination network in the Netmask field, and then
click Add.
•
Exclude Traffic: Allows you to exclude the destination networks on the
SSL VPN client. The traffic to the destination networks is redirected using
the SSL VPN clients native network interface (resolved through the
Internet Service Provider or WAN connection). To add a destination
subnet, enter the destination subnet to which a route is excluded on the
SSL VPN client in the Address field and the the subnet mask for the
excluded destination in the Netmask field, and then click Add.
Exclude LAN: If you choose Exclude Traffic, click True to deny the SSL
VPN clients to access the local LANs over the VPN tunnel, or click False
to allow the SSL VPN clients to access the local LANs over the VPN
tunnel.
Split DNS: Split DNS provides the ability to direct DNS packets in clear text
over the Internet to domains served through an external DNS (serving your
ISP) or through SSL VPN tunnel to domains served by the corporate DNS.
For example, a query for a packet destined for corporate.com would go
through the tunnel to the DNS that serves the private network, while a query
for a packet destined for myfavoritesearch.com would be handled by the
ISP's DNS. By default, this feature is configured on the SSL VPN gateway and
is enabled on the client. To use Split DNS, you must also have Split Tunneling
configured.
To add a domain to the Cisco AnyConnect VPN Client for tunneling packets
to destinations in the private network, end the domian name in the field and
then click Add. To delete a domain, select it from the list and click Delete.
STEP 6
In the Zone-based Firewall Settings area, you can control the access from the
SSL VPN clients to the zones over the SSL VPN tunnels. Click Permit to permit the
access, or click Deny to deny the access. By default, the access for all zones is
permitted.
NOTE The VPN access rules that are automatically generated by the zone-based
firewall settings will be added to the firewall access rule table with the
priority higher than the default firewall ACL rules, but lower than the custom
firewall ACL rules.
STEP 7
Click OK to save your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
265
VPN
Configuring the L2TP Server
STEP 8
Click Save to apply your settings.
Configuring the SSL VPN Portal
User can access the SSL VPN portal via web browser from WAN or LAN side to
download the Cisco AnyConnect VPN Client software installer from Cisco.com
website. The CCO account is required to log into the website for downloading the
software installer.
For example, if the IP address of the SSL VPN gateway is 173.39.202.103, enter
https://173.39.202.103/sslvpn in the address bar to open the SSL VPN portal from
WAN side. Or if the IP address of the default LAN is 192.168.1.1, enter the https://
192.168.1.1/sslvpn in the address bar to open the SSL VPN portal from LAN side.
STEP 1
Click VPN -> SSL Remote Acess -> SSL VPN Portal.
The SSL VPN Portal window opens.
STEP 2
Enter the message that you want to display on the SSL VPN portal.
STEP 3
The SSL VPN portal provides a link to download the Cisco AnyConnect VPN Client
software installer from Cisco.com website. Click Download to open the website
and enter your CCO account to login. Depending on your operating system or
platform, choose the correct installer package.
Configuring the L2TP Server
Layer 2 Tunneling Protocol (L2TP) is a VPN tunneling protocol that allows remote
clients to use the public IP network to securely communicate with private
corporate network servers.
L2TP protocol is based on the client and server model. The security appliance can
terminate the L2TP-over-IPsec connections from incoming Microsoft Windows
2000 and Windows XP clients.
STEP 1
Click VPN -> L2TP Server.
The L2TP Server window opens.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
266
8
VPN
Configuring the L2TP Server
STEP 2
Click On to enable L2TP server, or click Off to disable it.
STEP 3
If you enable L2TP, enter the following information:
•
Listen WAN Interface: Choose the WAN interface on which the L2TP server
listens to accept the incoming L2TP VPN connection.
•
User Name: Enter the user name that all L2TP clients use to access the L2TP
server.
•
Password: Enter the password that all L2TP clients use to access the L2TP
server.
NOTE All L2TP clients use the same user name and password to log into the
L2TP server.
STEP 4
•
MTU: Enter the MTU size in bytes that can be sent over the network (the
range from 128 to 1400 bytes). The default is 1400 bytes.
•
Authentication Method: You can choose either CHAP or PAP, or both to
authenticate to the L2TP clients. Click On to enable CHAP or PAP, or click Off
to disable it.
•
Local Service IP: Enter the IP address of the established PPP link.
•
Address Pool: The L2TP server assigns IP addresses to L2TP clients. Enter
the starting IP address in the Start IP field and the ending IP address in the
End IP field.
•
DNS1 IP: Enter the IP address of the primary DNS server.
•
DNS2 IP: Optionally, enter the IP address of the secondary DNS server.
•
Enable over IPSec: Click On to enable the data encryption over the IPSec
VPN tunnel, or click Off to disable it.
•
Preshare Key: The data encryption over the IPSec VPN tunnel uses a preshared key for authentication. If you enable Enable over IPSec, enter the
desired value, which the L2TP clients must provide to establish a connection.
The pre-shared key must be entered exactly the same here and on the L2TP
clients.
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
267
8
VPN
Configuring the VPN Passthrough
Configuring the VPN Passthrough
You need to configure VPN passthrough if there are devices behind the security
appliance that need to set up the VPN tunnels independently, for example, to
connect to another router on the WAN.
STEP 1
Click VPN -> Passthrough.
The Passthrough window opens.
STEP 2
STEP 3
Enter the following information:
•
L2TP: Click On to allow L2TP clients at LAN site to connect to a L2TP server
on Internet, or click Off to disable it.
•
PPTP: Click On to allow the hosts at LAN site to establish a tunnel with a
PPTP server on Internet, click Off to disable it.
•
IPSec: Click On to allow the IPSec traffic to pass through the security
appliance over the IPSec VPN tunnel, or click Off to disable it. The VPN
tunnel can be established by a Site-to-Site VPN session or a Cisco IPSec
VPN session.
Click Save to apply your settings.
Viewing the VPN Status
Use the Session Status pages to view the status and statistic information for IPSec
VPN and SSL VPN sessions, and manually connect or disconnect the VPN tunnels.
It includes the following sections:
•
Monitoring the IPSec VPN Status, page 269
•
Monitoring the SSL VPN Status, page 270
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
268
8
VPN
Viewing the VPN Status
Monitoring the IPSec VPN Status
The VPN Table page displays the status and statistic information for all IPSec VPN
sessions.
STEP 1
Click VPN -> Session Status -> VPN Table.
The VPN Table window opens.
STEP 2
In the Active Sessions tab, all IPSec VPN sessions are listed in the table.
•
Name: The name of the VPN policy that is used for the IPSec VPN session.
•
VPN Type: The connection type of the IPSec VPN session, such as Site-toSite, Cisco IPSec VPN server, or Cisco IPSec VPN client.
•
WAN Interface: The WAN interface that is used for the IPSec VPN session.
•
Remote Gateway: The IP address of the remote gateway for a Site-to-Site
VPN session or the IP address of the remote client for a Cisco IPSec VPN
session.
•
Local Network: The subnet IP address and netmask of your local network.
•
Remote Network: The subnet IP address and netmask of the remote
network.
•
Connect: To manually establish a VPN connection, click Connect.
•
Disconnect: To terminate an active VPN connection, click Disconnect.
NOTE When a VPN policy is in place and enabled, a connection is triggered
by any traffic that matches up with the policy and the VPN tunnel is set
up automatically. However, you can use the Connect or Disconnect
button to manually connect or disconnect the VPN tunnel.
STEP 3
In the IPSec VPN Statistic tab, you can view the statistic information for all active
IPSec VPN sessions:
•
Name: The name of the VPN policy that is used for the IPSec VPN session.
•
VPN Type: The connection type of the IPSec VPN session, such as Site-toSite, Cisco IPSec VPN server, or Cisco IPSec VPN client.
•
WAN Interface: The WAN interface that is used for the IPSec VPN session.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
269
8
VPN
Viewing the VPN Status
•
Remote Gateway: The IP address of the remote gateway for a Site-to-Site
VPN session or the IP address of the remote client for a Cisco IPSec VPN
session.
•
Tx Bytes: The total volume of traffic in Kilobytes transmitted from the VPN
tunnel.
•
Rx Bytes: The total volume of traffic in Kilobytes received from the VPN
tunnel.
•
Tx Pkts: The number of IP packets transmitted from the VPN tunnel.
•
Rx Pkts: The number of IP packets received from the VPN tunnel.
Monitoring the SSL VPN Status
The SSL VPN Monitoring page displays the status and traffic statistic information
of all active SSL VPN sessions.
STEP 1
Click VPN -> Session Status -> SSL VPN Monitoring.
The SSL VPN Monitoring window opens.
STEP 2
STEP 3
In the Active Sessions tab, all active SSL VPN sessions are listed in the table.
•
Session ID: The SSL VPN session ID.
•
User Name: The name of the logged SSL VPN user.
•
Client IP (Actual): The actual IP address used by the SSL VPN client.
•
Client IP (VPN): The virtual IP address of the SSL VPN client assigned by the
SSL VPN gateway.
•
Time Connected: The amount of time since the user first established the
connection.
•
Disconnect: Click Disconnect to terminate an active SSL VPN session and
hence the associated SSL VPN tunnel.
•
Disconnect All: Click Disconnect All to terminate all active SSL VPN
sessions and hence all associated SSL VPN tunnels.
In the SSL VPN Statistics tab, you can see the statistic information for all active
SSL VPN sessions or for a single SSL VPN session.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
270
8
VPN
Viewing the VPN Status
CSTP is a Cisco proprietary protocol for SSL VPN tunneling. “In” means “from the
client” and “Out” means “to the client”. The client is the PC running the Cisco
AnyConnect VPN Client software that connects to the security appliance running
the SSL VPN server.
A CSTP frame is a packet carrying CSTP protocol information. There are two
major frame types, control frames and data frames. Control frames implement
control functions within the protocol. Data frames carry the client data, such as the
tunneled payload.
The following table displays the global statistic information. To clear the global
statistic information, click Clear Global.
Active Users
The number of all connected SSL VPN users.
In CSTP frames
The number of CSTP frames received from all clients.
In CSTP bytes
The total number of bytes in the CSTP frames received
from all clients.
In CSTP data
The number of CSTP data frames received from all clients.
In CSTP control
The number of CSTP control frames received from all
clients.
Out CSTP
frames
The number of CSTP frames sent to all clients.
Out CSTP bytes
The total number of bytes in the CSTP frames sent to all
clients.
Out CSTP data
The number of CSTP data frames sent to all clients.
Out CSTP
control
The number of CSTP control frames sent to all clients.
The Statistic table lists the statistic information for each SSL VPN session. The
following information is displayed for a single SSL VPN session. To clear the
statistic information of the SSL VPN session, click Clear.
Session ID
The SSL VPN session ID.
In CSTP frames
The number of CSTP frames received from the client.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
271
8
VPN
Viewing the VPN Status
In CSTP bytes
The total number of bytes in the CSTP frames received
from the client.
In CSTP data
The number of CSTP data frames received from the client.
In CSTP control
The number of CSTP control frames received from the
client.
Out CSTP
frames
The number of CSTP frames sent to the client.
Out CSTP bytes
The total number of bytes in the CSTP frames sent to the
client.
Out CSTP data
The number of CSTP data frames sent to the client.
Out CSTP
control
The number of CSTP control frames sent to the client.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
272
9
User Management
This chapter describes how to manage the users and user groups, and configure
the user login settings when they try to access your network resources.
•
About the Users and Groups, page 273
•
Configuring the Users and Groups, page 275
•
Configuring the User Authentication Settings, page 277
•
Viewing Active User Sessions, page 287
To access the Users pages, click Users in the left hand navigation pane.
About the Users and Groups
The security appliance maintains the user and user group information in the local
database. The local database supports up to 100 users and 16 user groups. A
user group can include up to 100 users. Any user must be a member of a user
group. It includes the following sections:
•
Available Services for User Groups, page 273
•
Default User and Group, page 274
•
Preempt the Administrators, page 274
Available Services for User Groups
A user can only belong to one user group. The users in the same group shares the
same service policy. A user group has only one service policy. The services
available for a user group include:
•
Web Login: Allows the members of the group to log into the Configuration
Utility through the web brower to view the configurations only or to set all
configurations.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
273
9
User Management
About the Users and Groups
NOTE You cannot disable the web login service or change its web login
service level for the default user group (admin).
•
SSL VPN: Allows the members of the group at the remote site to establish
the SSL VPN tunnels based on the selected SSL VPN group policy to
access your network resources. The Cisco AnyConnect VPN Client must be
installed on the user’s PC.
•
Cisco IPSec VPN: Allows the members of the group at the remote site to
securely access your network resources over the IPSec VPN tunnels.
•
Captive Portal: Allows the wireless users who authenticated successfully
to be directed to a specified web page (portal) before they can access the
Internet. This service only applies to the ISA550W and ISA570W.
NOTE The security appliance can perform the authentications in parallel when
multiple services need to authenticate at the same time.
Default User and Group
The default administrator account (user name: cisco, password: cisco) is an
administrative account that has fully privilege to set the configurations and read
the system status. It does not belong to any user group. To prevent unauthorized
access, you are forced to immediately change the default user name and
password at its first login. See Changing the User Name and Password of the
Default Administrator Account at Your First Login, page 27. The default
administrator account cannot be deleted.
The default user group (admin) is a user group that has the administrative web
login access ability and enables the SSL VPN, Cisco IPSec VPN, and captive
portal (for ISA550W and ISA570W only) services. You cannot delete the default
user group, but can modify its service policy settings.
Preempt the Administrators
If an administrator account was already logged in, when the administrator account
attempts to log in again, a prompted warning message is displayed. Click Yes to
kick off the previous login, or click No to retun to the login screen.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
274
9
User Management
Configuring the Users and Groups
Configuring the Users and Groups
This section describes how to maintain the users and user groups in local
database. It includes the following topics:
•
Configuring Local Users, page 275
•
Configuring Local User Groups, page 276
Configuring Local Users
The local database supports up to 100 users. You can add new accounts for
specific services, such as the SSL VPN and Cisco IPSec VPN services.
STEP 1
Click Users -> Users & Groups.
The Users & Groups window opens. All existing local users are listed in the Local
Users table.
STEP 2
In the Local Users area, click Add to add a user.
Other options: To edit an entry, click Edit. To delete an entry, click Delete. To
delete multiple entries, check the boxes of multiple entries and click Delete
Selection.
After you click Add/Edit, the Local User - Add/Edit window opens.
STEP 3
Enter the following information:
•
User: Enter an unique identifier that contains the letters, numbers, or
underline for the user.
•
New Password: Enter the password for the user. Passwords are casesensitive.
NOTE Restrictions for password: The password should contain at least
three types of these character classes: lower case letters, upper case
letters, numbers, and special characters. Do not repeat any character
more than three times consecutively. Do not set the password as the
user name or the reversed user name. The password cannot be set as
“cisco”, “ocsic”, or any variant obtained by changing the capitalization
of letters.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
275
9
User Management
Configuring the Users and Groups
•
New Password Confirm: Enter the password again for confirmation.
•
Group: Choose the user group to which the user belongs.
NOTE For SSL VPN or Cisco IPSec VPN users, you need to enable the
corresponding services for the user groups to which they belongs.
STEP 4
Click OK to save your settings.
Configuring Local User Groups
Groups are used to create a logical grouping of users that share the service
policies. The local database supports up to 16 groups.
STEP 1
Click Users -> Users & Groups.
The Users & Groups window opens. All existing user groups are listed in the
Groups table.
STEP 2
In the Groups area, click Add to add a user group.
Other options: To edit an entry, click Edit. To delete an entry, click Delete. To
delete multiple entries, check the boxes of multiple entries and click Delete
Selection.
After you click Add or Edit, the Group - Add/Edit window opens.
STEP 3
In the Group Settings tab, enter the following information:
•
Name: Enter an unique name that contains the letters, numbers, or underline
for the user group.
•
Services: Specify the service policy for the user group. You can enable
multiple services for the user group.
Web Login: Specify the web login policy for the group.
Disable: All members of the group cannot log into the Configuration
Utility through the web browser.
Read Only: All members of the group can only read the system status
after they login. They can not edit any configuration.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
276
User Management
Configuring the User Authentication Settings
Administrator: All members of the group have full privilege to set the
configurations and read the system status.
STEP 4
STEP 5
SSLVPN: Choose a SSL VPN group policy so that all members of the
group at the remote site can establish the SSL VPN tunnels based on the
selected SSL VPN group policy to access your network resources, or
choose Disable to disable it. For more information about the SSL VPN
group policy, see Configuring the SSL VPN Group Policies, page 263.
Cisco IPSec VPN: Click Enable to enable the Cisco IPSec VPN service
so that all members of the group can access the your network resources
over the IPSec VPN tunnels, or click Disable to disable it.
Captive Portal: Click Enable to enable the Captive Portal service, or click
Disable to disable it. If you enable Captive Portal, the wireless members
of the user group who authenticated successfully will be directed to a
specified web page (portal) before they can access the Internet. This
service only applies to the ISA550W and ISA570W.
In the Membership tab, specify the members of the group.
•
To add a member, select the member from the User list and click the right
arrow ->. The members of the groups appear in the Membership list.
•
To delete a member from the user group, select the member from the
Membership list and click the left arrow <-.
Click OK to save your settings.
Configuring the User Authentication Settings
The security appliance provides a mechanism for user level authentication. It
authenticates all users when they attempt to access your network resources in
different zones. Users on the VLANs performs only local tasks, and are not
required to be authenticated by the security appliance.
User level authentication can be performed by using the local database that is
stored on the security appliance, an AAA server ( a variety of AAA server types
are supported, such as RADIUS, Lightweight Directory Access Protocol (LDAP),
Active Directory (AD)), or both.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
277
User Management
Configuring the User Authentication Settings
The local database on the security appliance can support up to 100 users and 16
groups. If you have more than 100 users, you need to use the AAA server for
authentication.
This section includes the following topics:
•
Authentication Methods for User Login, page 278
•
Using Local Database for Authentication, page 279
•
Using RADIUS Server for Authentication, page 279
•
Using Local Database and RADIUS Server for Authentication, page 282
•
Using LDAP for Authentication, page 283
•
Using Local Database and LDAP for Authentication, page 286
•
Configuring the User Session Settings, page 286
Authentication Methods for User Login
The security appliance supports the following authentication methods for user
login.
•
Local Database: Allows you to use the local database for authentication if
the number of users is relatively small. Only the local users in local database
are allowed to access the network resources. See Using Local Database
for Authentication, page 279.
•
RADIUS: Allows you to use the RADIUS server for authentication if you
have more than 100 users. See Using RADIUS Server for Authentication,
page 279.
•
RADIUS + Local Database: Allows you to use both the RADIUS server and
local database for authentication. See Using Local Database and RADIUS
Server for Authentication, page 282.
•
LDAP: Allows you to use the LDAP for authentication if you use an AAA
server such as LDAP and AD to maintain the user and user group
information. See Using LDAP for Authentication, page 283.
•
LDAP + Local Database: Allows you to use both the LDAP and local
database for authentication. See Using Local Database and LDAP for
Authentication, page 286.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
278
User Management
Configuring the User Authentication Settings
Using Local Database for Authentication
Use the local database to authenticate the users when the number of users
accessing the network is less than 100 users. When you use the local database for
authentication, the local database verifies the user name and password
information of the users who try to access the network. Only the valid local users
are allowed to access the network.
STEP 1
Click Users -> Settings.
The User Settings window opens.
STEP 2
In the User Login Settings area, choose Local Database as the authentication
method from the Authentication Method drop-down list.
STEP 3
Click Save to apply your settings.
Using RADIUS Server for Authentication
Use the RADIUS server to authenticate the users when more than 100 users need
to access the network. The security appliance uses the Framed-Filter-ID attribute
to store the user and group information in the RADIUS server, and checks a user’s
credentials by using the Password Authentication Protocol (PAP) authentication
scheme.
If you use RADIUS for user authentication, users must log into the security
appliance using HTTPS in order to encrypt the password. The security appliance
verifies the user name and password information of the users through the RADIUS
server. The RADIUS server returns the authentication result to the security
appliance. For a valid RADIUS user, the security appliance checks its user group
service policy from the local database and permits the access. For a invalid
RADIUS user, the security appliance denies the access.
NOTE The user group service policies can only be configured locally. All user groups on
an AAA server need to be duplicated locally.
STEP 1
Click Users -> Settings.
The User Settings window opens.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
279
User Management
Configuring the User Authentication Settings
STEP 2
In the User Login Settings area, choose RADIUS as the authentication method
from the Authentication Method drop-down list.
STEP 3
Click Configure to configure the RADIUS settings.
The RADIUS Settings window opens.
STEP 4
In the Settings tab, choose the RADIUS group for authentication and configure the
global timeout and retry settings.
•
•
STEP 5
Global RADIUS Settings: Specify the global timeout and retry settings for
the selected RADIUS servers:
RADIUS Server Timeout: Enter the number of seconds that the
connection can exist before re-authentication is required. The default
value is 10 seconds.
Retries: Enter the number of retries for the device to re-authenticate with
the RADIUS server. If the RADIUS server does not respond within the
specified number of retries, the connection is dropped. The default value
is 3.
RADIUS Servers: Choose the RADIUS group index from the drop-down list.
The RADIUS server settings of the selected group are disaplayed. You can
edit these settings here but the settings you specify will replace the default
settings of the selected group. To maintain the RADIUS settings, go to the
Device Management -> RADIUS Settings page. See Configuring the
RADIUS Servers, page 319.
In the RADIUS Users tab, enter the following informaiton:
•
Allow Only Users Listed Locally: Click On to permit only the RADIUS users
also be present in the local database for login, or click Off to disable it.
•
Mechanism for Setting User Group Membership for RADIUS Users:
Select one of the following mechanisms to configure the user group
memberships for RADIUS users:
Use RADIUS Filter-ID: Find the group information by using the FramedFilter-ID attribute from the RADIUS server.
For example, the RADIUS server has three user groups (Group1, Group2,
and Group3) and the local database has two user groups (Group1, and
Group2). The following table displays the user group membership
settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
280
9
User Management
Configuring the User Authentication Settings
Local
Database
Settings
RADIUS Server Settings
User1 in Group1
User1 in Group2
User1 in Group3
User1 in Group1
Group1
Group2
Default Group
User1 in Group2
Group1
Group2
Default Group
User1 does not
exist
Group1
Group2
Default Group
In the above table, if the User1 in the RADIUS server belongs to the
Group1 and the User1 in the local database belongs to the Group2, then
the User1 belongs to the Group1 after passed the RADIUS authentication.
If the User1 in the RADIUS server belongs to the Group3, but the local
database has not the Group3, then the User1 is set to the specified
default group.
Local Configuration Only: Find the user group membership information
from the local database only.
For example, the RADIUS server has three user groups (Group1, Group2,
and Group3) and the local database has two user groups (Group1, and
Group2). The following table displays the user group membership
settings.
Local
Database
Settings
RADIUS Server Settings
User1 in Group1
User1 in Group2
User1 in Group3
User1 in Group1
Group1
Group1
Group1
User1 in Group2
Group2
Group2
Group2
User1 does not
exist
Default Group
Default Group
Default Group
In the above table, if the User1 in the RADIUS server belongs to the
Group1 and the User1 in the local database belongs to the Group2, then
the User1 belongs to the Group2 after passed the RADIUS
authentication. If the User1 doex not exist in the local database, it is set to
the specified default group.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
281
User Management
Configuring the User Authentication Settings
•
Defualt User Group to Which all RADIUS Users Belong: If the group of a
RADIUS user does not exist in the local database, you can set the RADIUS
user to a specific local user group. Choose a local user group as the default
local group to which the RADIUS user belongs.
STEP 6
In the Test tab, enter the user and password credentials in the User and
Password fields to test the configured RADIUS settings. Click the Test button to
verify whether the RADIUS user is valid
STEP 7
Click OK to save your settings.
STEP 8
Click Save to apply your settings.
Using Local Database and RADIUS Server for Authentication
You can use both the local database and RADIUS server to authenticate the users
who try to access the network.
When you use both the local database and RADIUS server for authentication, the
security appliance first verifies the user name and password information of the
users through the RADIUS server. The RADIUS server returns the authentication
result to the security appliance. For a valid RADIUS user, the security appliance
checks its user group service policy from the local database and allows the user
to access the network. For an invalid RADIUS user, then the security appliance
uses the local database to verify the user. For a valid local user, the security
appliance checks its user group service policy from the local database and allows
the user to access the network. For an invalid local user, the security appliance
denies the user to access the network.
STEP 1
Click Users -> Settings.
The User Settings window opens.
STEP 2
In the User Login Settings area, choose RADIUS + Local Database as the
authentication method from the Authentication Method drop-down list .
STEP 3
Click Configure to configure the RADIUS settings for user authentication.
The RADIUS Settings window opens. To configure the RADIUS server settings for
user authentication, see Using RADIUS Server for Authentication, page 279.
STEP 4
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
282
User Management
Configuring the User Authentication Settings
Using LDAP for Authentication
The security appliance can use the LDAP directory for user authentication, with
support for three schemes including Microsoft Active Directory, RFC2798
InterOrgPerson, and RFC2307 Network Information Service.
STEP 1
Click Users -> Settings.
The User Settings window opens.
STEP 2
In the User Login Settings area, choose LDAP as the authentication method from
the Authentication Method drop-down list.
STEP 3
Click Configure to configure the LDAP settings.
The LADP Settings window opens.
STEP 4
In the Settings tab, enter the following information:
•
IP Address: Enter the IP address of the LDAP server that you use for
authentication.
•
Port Number: Enter the number of the listening port used on the LDAP
server. Enter a value from 1 to 65535. The default is 389.
•
Server Timeout: Enter the amount of time in seconds that the security
appliance will wait for a response from the LDAP server before timing out.
•
Login Method: Choose one of the following login methods:
•
Annonymous Login: Choose this option if the LDAP server allows for the
user tree to be accessed anonymously.
Give Login Name or Location in Tree: Choose this option to build the
distinguished name of the user that is used to bind to the LDAP server
from the Primary Domain and User Tree for Login to Server fields in the
Directory tab.
Give Bind Distinguished Name: Choose this option if the destination
name is known. You must provide the destination name explicitly to be
used to bind to the LDAP server.
Login User Name: If you choose Give Login Name or Location in Tree or
Give Bind Distinguished Name as the login method, enter the user name of
the account that can log into the LDAP directory.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
283
User Management
Configuring the User Authentication Settings
STEP 5
•
Login Password: If you choose Give Login Name or Location in Tree or
Give Bind Distinguished Name as the login method, enter the password of
the account that can log into the LDAP server.
•
Protocol Version: Choose either LDAP Version 2 or LDAP Version 3. Most
LDAP directories, including Active Directory, use LDAP Version 3.
In the Schema tab, enter the following information:
•
•
•
STEP 6
LDAP Schema: Choose one of the following schemes:
Microsoft Active Directory
RFC2798 InetOrgPerson
RFC2307 Network Information Service
User Objects: The selected predefined scheme will automatically populate
below fields with their correct values. The fields that are grayed out cannot
be edited, but you can manually specify some editable fields if you have
specific or proprietary LDAP scheme configurations.
Object Class: The object class of the individual user account.
Login Name Attribute: The user name that is used for login
authentication.
Qualified Login Name Attribute: The attribute that sets an alternative
login name for the user in name@domain format.
User Group Membership Attribute: The membership attribute that
contains information about the group to which the user object belongs.
This option is only available for Microsoft Active Directory.
Framed IP Address Attribute: The attribute to retrieve a static IP
address that is assigned to a user in the directory.
User Group Objects: The selected predefined scheme will automatically
populate below fields with their correct values.
Object Class: The name associated with the group of attributes.
Member Attribute: The attribute associated with a member.
In the Directory tab, enter the user direction information in the following fields:
•
Primary Domain: Enter the user domain used by your LDAP implementation.
The domain components all use “dc=”, the domain is formatted as
“dc=ExampleCorporation,dc=com”.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
284
User Management
Configuring the User Authentication Settings
•
User Tree for Login to Server: If you choose Give Login Name or Location
in Tree as the login method in the Setting tab, specify the user tree that is
used to log into the LDAP server.
•
Trees Containing Users: Specify the trees that contain the users commonly
reside in the LDAP directory. To add an entry, click Add. To edit an entry, click
Edit. To delete an entry, click Remove. To modify the location of an entry in
the tree, click Move Up or Move Down buttons.
•
Trees Containing User Groups: Specify the trees that contain the user
groups commonly reside in the LDAP directory. These are only applicable
when there is no user group membership attribute in the scheme's user
object, and are not used with AD. To add an entry, click Add. To edit an entry,
click Edit. To delete an entry, click Remove. To modify the location of an entry
in the tree, click Move Up or Move Down buttons.
NOTE All the above trees are given in the format of disginguished names
(“cn=users, dc=ExampleCorporation,dc=com”).
STEP 7
In the LDAP Users tab, enter the following information:
•
Allow Only Users Listed Locally: Click On to allow only the LDAP users also
be present in the local database to login, or click Off to disable it.
•
Default LDAP User Group: Choose a local user group as the default group
to which the LDAP users belong. If the group of a LDAP user does not exist
in the local database, the LDAP user is set to the specified default local
group.
STEP 8
In the Test tab, enter the user and password credentials in the User and
Password fields to test the configured LDAP settings. Click Test to verify whether
the LDAP user is valid.
STEP 9
Click OK to save your settings.
STEP 10 Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
285
User Management
Configuring the User Authentication Settings
Using Local Database and LDAP for Authentication
You can use both the local database and LDAP to authenticate the users who try to
access to the network.
STEP 1
Click Users -> Settings.
The User Settings window opens.
STEP 2
In the User Login Settings area, choose LDAP + Local Database as the
authentication method from the Authentication Method drop-down list.
STEP 3
Click Configure to configure the LDAP settings for user authentication.
The LDAP Settings window opens. For more information to configure the LDAP
settings, see Using LDAP for Authentication, page 283.
STEP 4
Click Save to apply your settings.
Configuring the User Session Settings
The user session settings are used for the web login service, and are applicable
for all authentication methods.
STEP 1
Click Users -> Settings.
The User Settings window opens.
STEP 2
STEP 3
In the User Session Settings area, enter the following information:
•
Inactivity Timeout: Enter the time in minutes that the user can be logged out
after a predefined inactivity time. The default value is 5 minutes.
•
Login Session Limit for Web Logins: Click On to limit the time that the user
is logged into your security appliance through the web browser, or click Off
to disable it. If you enable this feature, enter the time in minutes in the Login
Session Limit field. The default value is 10 minutes.
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
286
9
User Management
Viewing Active User Sessions
Viewing Active User Sessions
Use the Active Sessions page to view the status for all active user sessions, and
manually terminate the active user sessions.
STEP 1
Click Users -> Active Sessions.
The Active Sessions window opens. All active user sessions are listed in the table.
You can view the following user session information:
STEP 2
•
User Name: The name of the logged user.
•
Address Information: The host IP address from which the user accessed
the security appliance.
•
Login Method: How the user logs into the security appliance, such as web
login, SSL VPN, or Cisco IPSec VPN.
•
Session Duration: How long the user logged into the security appliance.
To terminate an active user session, click Logout.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
287
10
Device Management
This chapter describes how to maintain the configurations and firmwares, manage
the security license and digital certificates, and configure other features to help
maintain the security appliance.
•
Remote Management, page 289
•
Administration, page 290
•
SNMP, page 292
•
Configuration Management, page 294
•
Firmware Management, page 297
•
Log Management, page 302
•
Managing the Security License, page 307
•
Managing the Certificates for Authentication, page 310
•
Configuring the Email Alert Settings, page 316
•
Configuring the RADIUS Servers, page 319
•
Configuring the Time Zone, page 320
•
Device Discovery, page 321
•
Diagnosing the Device, page 324
•
Measuring and Limiting Traffic with the Traffic Meter, page 328
•
Configuring the ViewMaster, page 330
•
Configuring the CCO Account, page 331
•
Configuring the Device Properties, page 332
•
Configuring the Debug Settings, page 332
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
288
10
Device Management
Remote Management
To access the Device Management pages, click Device Management in the left
hand navigation pane.
Remote Management
You can access the Configuration Utility from the LAN side by using the security
appliance’s LAN IP address and HTTP, or from the WAN side by using the security
appliance’s WAN IP address and HTTPS (HTTP over SSL) or HTTP.
Use the Remote Management page to configure the remote management settings
so that you can access the Configuration Utility from a remote WAN network. The
security appliance allows remote management securely by using HTTPS or HTTP,
i.e. https://xxx.xxx.xxx.xxx:8080.
IMPORTANT: When you enable the remote management, the security appliance
is accessible to anyone who knows its IP address. Since a malicious WAN user
can reconfigure the security appliance and misuse it in many ways, we highly
recommend that you change the user name and password of the default
administrator account (cisco) before continuing.
STEP 1
Click Device Management -> Remote Management.
The Remote Management window opens.
STEP 2
Enter the following information:
•
Remote Management: Click On to enable remote management by using
HTTPS, or click Off to disable it. We recommend that you use HTTPS for
securely remote management.
•
HTTPS Listen Port Number: If you enable remote management by using
HTTPS, enter the port number to be listened on. By default, the listened port
for HTTPs is 8080.
•
HTTP Enable: Click On box to enable remote management by using HTTP,
or click Off to disable it.
•
HTTP Listen Port Number: If you enable remote management by using
HTTP, enter the port number to be listened on. By default, the listened port
for HTTP is 80.
•
Access Type: Choose the level of permission for remote management:
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
289
10
Device Management
Administration
•
STEP 3
All IP Addresses: Any IP address from a remote WAN network can
access the Configuration Utility.
Single Address: Only the specified remote host can access the
Configuration Utility. Enter the IP address of the remote host in the IP
Address field.
Network Range: Only the hosts in the specified remote network can
access the Configuration Utility. Enter the starting IP address in the From
field and the ending IP address in the To field.
Remote SNMP: Click On to enable SNMP for the remote connection, or click
Off to disable SNMP. Enabling SNMP allows remote users to use SNMP to
manage the device from WAN side.
Click Save to apply your settings.
Administration
Use the Administration page to modify the user name and password of the default
adminstrator account, and configure the user session settings. It includes the
following topics:
•
Changing the User Name and Password for the Default Administrator
Account, page 290
•
Configuring the User Session Settings, page 291
Changing the User Name and Password for the Default
Administrator Account
To prevent unauthorized access, you are forced to immediately change the default
user name and password of the default administrator account at its first login. This
page provides another approach to modify its user name and password, but not
for the first login.
STEP 1
Click Device Management -> Administration.
The Administration window opens.
STEP 2
In the Administrator name & password area, enter the following information:
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
290
10
Device Management
Administration
•
User Name: Enter a new user name that contains the letters, numbers, or
underline for the default administrator account.
•
Current Password: Enter the current password for the default administrator
account. The default password is cicso.
•
New Password: Enter a new password for the default administrator account.
Passwords are case-sensitive.
NOTE Restrictions for password: The password should contain at least
three types of these character classes: lower case letters, upper case
letters, numbers, and special characters. Do not repeat any character
more than three times consecutively. Do not set the password as the
user name or the reversed user name. The password cannot be set as
“cisco”, “ocsic”, or any variant obtained by changing the capitalization
of letters.
•
STEP 3
Confirm New Password: Enter the new password again for confirmation.
Click Save to apply your settings.
Configuring the User Session Settings
The user session settings are used for the web login service, and are applicable
for all authentication methods.
STEP 1
Click Device Management -> Administration.
The Administration window opens.
STEP 2
In the Session Settings area, enter the following information:
•
Inactivity Timeout: Enter the time in minutes that the user can be inactive
before the session is disconnected. out after a predefined inactivity time.
The default value is 5 minutes.
•
Enable Login Session Limit for Web Logins: Click On to limit the time that
the user is logged into your security appliance through the web browser. If
you enable this feature, enter the time in minutes in the Login session limit
field. The default value is 10 minutes.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
291
10
Device Management
SNMP
•
STEP 3
Web Server SSL Certificate: Choose the certificate to authenticate the
users who try to access the Configuration Utility through the web browser
by using HTTPS. By default, the web authentication server uses the default
certificate for authentication. If you choose an imported certificate for
authentication, the web authentication server restarts to load the selected
certificate.
Click Save to apply your settings.
SNMP
Simple Network Management Protocol (SNMP) is a network protocol used over
User Datagram Protocol (UPD) that lets you monitor and manage the security
appliance from a SNMP manager. SNMP provides a remote means to monitor and
control the network devices, and to manage the configurations, statistics
collection, performance, and security.
STEP 1
Click Device Management -> SNMP.
The SNMP window opens.
STEP 2
Click On to enable SNMP, or click Off to disable SNMP. By default, SNMP is
disabled.
STEP 3
If you enable SNMP, specify the SNMP version. By default, SNMP V1&V2 is
selected.
•
SNMP V1&V2: SNMP version 1 (SNMPv1) is the initial implementation of the
SNMP protocol. SNMPv1 is widely used and is the network management
protocol in the Internet community. SNMP version 2 (SNMPv2), revises
version 1 and includes improvements in the areas of performance, security,
confidentiality, and manager-to-manager communications.
•
SNMP V3: SNMPv3 is defined by RFC 3411–RFC 3418. SNMPv3 primarily
adds security and remote configuration enhancements to SNMP. SNMPv3
provides important security features:
Confidentiality: Encryption of packets to prevent snooping by an
unauthorized source.
Integrity: Message integrity to ensure that a packet has not been
tampered with in transit.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
292
10
Device Management
SNMP
STEP 4
STEP 5
STEP 6
Authentication: Verifies that the message is from a valid source.
After you enable SNMP and select the SNMP version, enter the following
information:
•
System Contact: Enter the name of the contact person for your security
appliance.
•
Device: Enter the device name for easy identification of your security
appliance.
•
System Location: Enter the physical location of your security appliance.
•
Security User Name: Enter the name of the administrator account with the
ability to access and manage the SNMP MIB objects. This is only available
for SNMPV3.
•
Authentication Password: Enter the password of the administrator account
for authentication (the minimum length of password is 8 charactors). This is
only available for SNMPV3.
•
Encrypted Password: Enter the password for data encryption (the minimum
length of password is 8 charactors). This is only available for SNMPV3.
•
SNMP Engine ID: Displays the engine ID of the SNMP entity. The engine ID
is used as an unique identification between two SNMP entities. This is only
available for SNMPV3.
To enable the SNMP Trap, enter the following information:
•
SNMP Read-Only Community: Enter the read-only community used to
access the SNMP entity.
•
SNMP Read-Write Community: Enter the read-write community used to
access the SNMP entity.
•
Trap Community: Enter the community that the remote trap receiver host
receives the traps or notifications sent by the SNMP entity.
•
SNMP Trusted Host: Enter the IP address or host name of the host trusted
by the SNMP entity. The trusted host can access the SNMP entity. Entering
0.0.0.0 in this filed allows any host to access the SNMP entity.
•
Trap Receiver Host: Enter the IP address or the host name of the remote
host that is used to receive the SNMP traps.
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
293
10
Device Management
Configuration Management
Configuration Management
You can perform the following tasks to maintain the configurations:
•
Save the current settings used on your security appliance. See Saving your
Current Configurations, page 294.
•
Restore your settings from a saved configuration file. See Restoring your
Settings from a Saved Configuration File, page 295.
•
Revert to the factory default settings. See Reverting to the Factory
Default Settings, page 296.
Saving your Current Configurations
You can save your current settings as a configuration file on the local PC or on a
USB device if applicable.
NOTE When saving the configurations to a file, the security license and self-certificates
will not be saved in the file.
STEP 1
Click Device Management -> Firmware and Configuration -> Configuration.
The Configuration window opens.
STEP 2
To save the current settings on your local PC, perform the following steps:
a. In Backup/Restore Settings area, click Backup after the Save A Copy of
Current Settings option. The Encryption window opens.
b. You can optionally encrypt the configurations for security purposes. If you do
not encrypt the configurations, click OK.
c. If you want to encrypt the configurations, check the Encrypt box and enter the
password in the Key field, and then click OK.
d. Locate where to save the configuration file, and then click Save.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
294
10
Device Management
Configuration Management
STEP 3
To backup the current settings on a USB device, perform the following steps:
a. Insert the USB device into the USB interface on the back panel of your security
appliance. The USB device is automatically mounted once you insert it.
b. In the USB -> Mount/Unmount area, make sure that the USB Driver Status
shows as “UP” when you use the USB device to manage the configurations.
c. In the USB -> Backup/Restore Settings area, click Backup after the Save A
Copy of Current Settings option. The Encryption window opens.
d. You can optionally encrypt the configurations for security purposes. If you do
not encrypt the configurations, click OK.
e. If you want to encrypt the configurations, check the Encrypt box and enter the
password in the Key field, and then click OK.
f.
After you click OK, your current settings are saved as a configuration file on the
root folder of the USB device.
Restoring your Settings from a Saved Configuration File
You can restore the settings from a saved configuration file on your local PC or on
a USB device if applicable.
STEP 1
Click Device Management -> Firmware and Configuration -> Configuration.
The Configuration window opens.
STEP 2
To restore the settings from a saved configuration file on your local PC, perform
the following steps:
a. In Backup/Restore Settings -> Restore Saved Settings From File area, click
Browse to select a saved configuration file from your local PC, and then click
Restore.
b. If the selected configurantion file is encrpted, the Encryption window opens.
Enter the password in the Key field, and then click OK.
c. The security appliance automatically reboots with the saved settings of the
selected configuration file.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
295
10
Device Management
Configuration Management
STEP 3
To restore the settings from a saved configuration file on a USB device, perform
the following steps:
a. Insert the USB device into the USB interface on the back panel of your security
appliance. The USB device is automatically mounted once you insert it.
b. In the USB -> Mount/Unmount area, make sure that the USB Driver Status
shows as “UP” when you use the USB device to manage the configurations.
c. In the USB -> Select the upgrade file from your dard dick area, all saved
configuration files located on the USB device appears in the list. Select a
configuration file, and then click Restore.
d. If the configurantion file is encrpted, the Encryption window opens. Enter the
password in the Key field, and then click OK.
e. The security appliance automatically reboots with the saved settings of the
selected configuration file.
Reverting to the Factory Default Settings
To revert your security appliance to the factory default settings, you can press and
hold the RESET button on the back panel for minimal three seconds, or use the
Revert to Factory Default Settings feature.
CAUTION The Revert To Factory Default Settings operation will wipe out the current settings
used on your security appliance (including the imported certificates). We
recommmend that you save the current settings before reverting to the factory
default settings.
STEP 1
Click Device Management -> Firmware and Configuration -> Configuration.
The Configuration window opens.
STEP 2
In the Backup/Restore Settings -> Revert To Factory Default Settings area,
click Default.
STEP 3
The security appliance automatically reboots with the factory default settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
296
10
Device Management
Firmware Management
Firmware Management
You can perform the following tasks to maintain the firmwares.
•
View the firmware status. See Viewing the Firmware Information,
page 297.
•
Check periodically for new firmwares. See Checking for New Firmwares,
page 298.
•
Upgrade the firmware. See Upgrading the Firmware, page 299.
•
Switch to the secondary firmware through the Configuration Utility. See
Using the Secondary Firmware, page 300.
•
Auto fall back to the secondary firmware. See Firmware Auto Fall Back
Mechanism, page 301
•
Use the Rescue mode to recover the system. See Using the Rescue Mode
to Recover the System, page 302
•
Reboot the security appliance. See Rebooting the Security Appliance,
page 302.
CAUTION During a firmware upgrade, do NOT try to go online, turn off the device, shut down
the PC, remove the cable, or interrupt the process in anyway until the operation is
complete. This process should take several minutes or so including the reboot
process. Interrupting the upgrade process at specific points when the flash is
being written to can corrupt the flash memory and render the security appliance
unusable.
Viewing the Firmware Information
STEP 1
Click Device Management -> Firmware and Configuration -> Firmware.
The Firmware window opens.
STEP 2
The Network -> Status area, the following firmare information is displayed:
•
Primary Firmware Version: The version of the primary firmware that you are
using.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
297
10
Device Management
Firmware Management
STEP 3
•
Secondary Firmware Version: The version of the secondary firmware that
you used previously.
•
Link to Release Note: Click the link to find the release notes for all available
firmwares.
•
Time At Which Last Query was made: The time at which last query for the
new firmware was made.
•
Latest Image Available: The latest version of the available firmware on the
IDA server after your query. This option will not display anything if the
firmware currently used on your security appliance is the lastest one.
If a newer version than your current one is available, you can perform one of the
following actions:
•
To upgrade the firmware and keep using the current settings, click Upgrade.
When the operation is complete, the security appliance automatically
reboots with the previous settings that were in use.
•
To upgrade the firmware and revert to the factory default settings, click
Upgrade & Factory Reset. When the operation is complete, the security
appliance automatically reboots with the factory default settings.
Checking for New Firmwares
The security appliance uses a built-in IDA client to query and upgrade the
firmware. The IDA client connects to Cisco’s IDA sever through the Internet. This
feature requires an active WAN connection.
STEP 1
Click Device Management -> Firmware and Configuration -> Firmware.
The Firmware window opens.
STEP 2
In the Network -> Check For New Firmware & Download area, enter the
following information to check new firmware from the IDA server periodically.
•
Check Periodically: Check this box to automatically check for new
firmwares on a weekly basis.
•
User Name: Displays the user name of your registered CCO account to log
into the IDA server for downloading the new firmware. To configure the CCO
account, go to the Device Management -> CCO Account page. See
Configuring the CCO Account, page 331.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
298
10
Device Management
Firmware Management
STEP 3
Click Save to save your settings.
STEP 4
Click Check Now to immediately check whether new firmware is available on the
IDA server.
If a new firmware is available, the version of the new firmware is displayed in the
Latest Image Available area.
Upgrading the Firmware
You can manually upgrade the firmware from your local PC or a USB device.
STEP 1
Click Device Management -> Firmware and Configuration -> Firmware.
The Firmware window opens.
STEP 2
To manually upgrade the firmware from your local PC, perform the following steps:
a. In the Network -> Firmware Upgrade area, click Browse to locate and select
the firmware image from your local PC.
b. To upgrade the firmware and keep using the current settings, click Upgrade.
When the operation is complete, the security appliance automatically reboots
with the previous settings that were in use.
c. To upgrade the firmware and revert to the factory default settings, click
Upgrade & Factory Reset. When the operation is complete, the security
appliance automatically reboots with the factory default settings.
STEP 3
To upgrade the firmware through a USB device, perform the following steps:
a. Insert the USB device with the firmware files into the USB interface on the back
panel of your security appliance. The USB device is automatically mounted
after you inserted it.
b. In the USB -> Mount/Unmount area, check the mounting status of the USB
device. Make sure that the USB Driver Status shows as “UP” when you use the
USB device to manage the firmware.
c. In the USB -> Backup/Restore Settings area, all firmware images located on
the USB device appears in the list.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
299
10
Device Management
Firmware Management
•
To upgrade the firmware and keep using the current settings, select a
firmware image from the list and then click Upgrade. When the operation is
complete, the security appliance automatically reboots with the previous
settings you used.
•
To upgrade the firmware and revert to the factory default settings, select a
firmware image from the list and then click Upgrade & Factory Reset. When
the operation is complete, the security appliance automatically reboots with
the factory default settings.
NOTE Wait while the firmware is upgrading.
1. Do NOT close the browser window.
2. Do NOT go online.
3. Do NOT turn off or power-cycle the security appliance.
4. Do NOT shutdown the computer.
5. Do NOT remove the cable.
Using the Secondary Firmware
If the primary firmware is not stable, you can manually set the secondary firmware
that was in use as the primary firmware. The original primary firmware will then
become the secondary firmware. After you switch to the secondary firmware, the
security appliance reboots with the saved settings. At this time, we recommend
that you revert your security appliance to the factory default settings.
CAUTION Do not try to swap the firmware if the secondary firmware is not present. Doing so
can cause the security appliance to not boot up.
STEP 1
Click Device Management -> Firmware and Configuration -> Firmware.
The Firmware window opens.
STEP 2
In the Swap Image area, click Switch to switch the secondary firmware to the
primary firmware.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
300
10
Device Management
Firmware Management
After you switch to the secondary firmware, the security appliance automatically
reboots with the saved settings.
Firmware Auto Fall Back Mechanism
The security appliance includes two firmware images in the same NAND flash to
provide an Auto Fall Back mechanism so that the security appliance can
automatically switch to the secondary firmware when the primary firmware
occurs a CRC (Cyclic Redundancy Check) Error or cannot boot up successfully for
five times.
The Auto Fall Back mechanism operates as follows:
1. When the security appliance tries to boot up with the primary firmware, the
Bootloader checks the CRC of the primary firmware.
2. If the primary firmware occurs a CRC Error or a Boot Failure, the Bootloader will
switch to the secondary firmware and check the CRC for the secondary
firmware.
•
CRC Error: An error that the firmware cannot pass the CRC validation.
Downloading an incomplete firmware or incompletely writing the firmware
to the flash may cause the CRC error.
•
Boot Failure: A failure that the firmware cannot boot up successfully for five
times. Booting up successfully means that the system boots to the login
shell.
3. If the secondary firmware occurs a CRC Error or a Boot Failure, the Rescue
mode starts up. In the Rescue mode, the security appliance works as a TFTP
server. You can use a TFTP client to upload a firmware image to upgrade. The IP
address of the TFTP server is 192.168.1.1. For more information about the
Rescue mode, see Using the Rescue Mode to Recover the System,
page 302.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
301
10
Device Management
Log Management
Using the Rescue Mode to Recover the System
When the system booting problem or device error occurs, or the system has a
problem, the POWER/SYS LED lights amber color. Follow these procedures to
start up the Rescue mode directly and then recover the system.
STEP 1
Press and hold the RESET button on the back panel of your security appliance for
minimal three seconds and turn on the power switch simutaneously, the Rescue
mode starts up.
STEP 2
In the Rescue mode, the security appliance works as a TFTP server. You can use a
TFTP client to upload the firmware image to upgrade. The IP address of the TFTP
server is 192.168.1.1.
STEP 3
The security appliance will upgrade the firmware after you uploaded the image.
This process should take several minutes or so including the reboot process.
During firmware upgrade, do NOT try to go online, turn off the device, shut down
the PC, interrupt the process, or remove the cable in anyway until the operation is
complete.
When the POWER/SYS lights green color, the system operates normally.
Rebooting the Security Appliance
STEP 1
Click Device Management -> Firmware and Configuration -> Firmware.
The Firmware window opens.
STEP 2
In the Reboot area, click Reboot to reboot the security appliance.
Log Management
The security appliance maintains the event logs for tracking potential security
threats. Use the Loggings pages to view the event logs, configure the log settings
and log facilities. It includes the following sections:
•
Configuring the Log Settings, page 303
•
Configuring the Log Facilities, page 305
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
302
10
Device Management
Log Management
•
Viewing the Logs, page 306
Configuring the Log Settings
STEP 1
Click Device Management -> Loggings -> Log Settings.
The Log Settings window opens.
STEP 2
STEP 3
STEP 4
In the Log Settings area, enter the following information:
•
Log: Click On to enable the Log feature, or click Off to disable it.
•
Log Buffer Size: If you enable the Log feature, specify the size of the local
log buffer. The default value is 409600 bytes.
In the System Logs area, specify the types of system events to be logged.
•
All Unicast Traffic: Click On to log all unicast packets directed to the
security appliance. By default, all unicast packets are not logged.
•
All Broadcast/Multicast Traffic: Click On to log all broadcast or multicast
packets directed to the security appliance. By default, all broadcast or
multicast packets are not logged.
In the Email Alert area, specify the syslogs to be sent on schedule.
•
Email Alert: Shows if the Syslog Email is enabled or disabled.
•
From Email Address: The email address of the SMTP email account to send
the logs.
•
Send to Email Address: The email address of the SMTP email account to
receive the logs.
•
SMTP Server: The IP address or Internet name of the SMTP server.
•
SMTP Authentication: Shows if the SMTP authentication is enabled or
disabled.
NOTE The above email account settings for Syslog Email are read only. To
enable the Syslog Email feature and configure the email account
settings, click the link or go to the Device Management -> Email Alert
Settings page. See Configuring the Email Alert Settings, page 316.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
303
10
Device Management
Log Management
•
Mail Subtitle: Enter the subtitle that is displayed in the email. For example, if
you set the device name as the subtitle, the receiver of the alert email can
recognize quickly what device the logs or alerts are coming from.
•
Severity: Choose the severity level of the syslogs that you want to send.
Severity Levels
Description
Emergency (level
0, highest severity)
System unusable. Syslog definition is LOG_EMERG.
Alert (level 1)
Immediate action needed. Syslog definition is
LOG_ALERT.
Critical (level 2)
Critical conditions. Syslog definition is LOG_CRIT.
Error (level 3)
Error conditions. Syslog definition is LOG_ERR.
Warning (level 4)
Warning conditions. Syslog definition is
LOG_WARNING.
Notification (level
5)
Normal but significant conditions. Syslog definition
is LOG_NOTICE.
Information (level
6)
Informational messages only. Syslog definition is
LOG_INFO.
Debug (level 7,
lowest severity)
Debugging messages. Syslog definition is
LOG_DEBUG.
For example: If you select Critical, all log messages listed under the Critical,
Emergency, and Alert categories are sent.
•
Send Email Logs on Schedule: Specify the schedule to send the syslogs.
Unit: Choose the period of time that you want to send the syslogs.
Hourly: Sends the syslogs on an hourly basis.
Daily: Sends the syslogs at specific time of every day. If you choose this
option, specify the time to send the syslogs in the Time field.
Weekly: Sends the syslogs on a weekly basis. If you choose this option,
specify the day of the week in the Day field and the time in the Time field.
Day: If syslogs are sent on a weekly basis, choose the day of the week
Time: Choose the time of day when syslogs should be sent.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
304
10
Device Management
Log Management
STEP 5
In the Remote Logs area, specify the logs to be saved to a remote syslog server.
•
Remote Logs: Click On to save the syslogs to the specified remote syslog
server, or click Off to disable it.
•
Syslog Server: Enter the IP address of the remote syslog server that runs a
syslog daemon.
•
Severity: Choose the severity level of the logs that you want to save to the
remote syslog server.
For example: If you select Critical, the log messages listed under the Critical,
Emergency, and Alert categories are saved to the remote syslog server.
STEP 6
In the Local Log area, specify the logs to be saved to the local syslog daemon.
•
Severity: Choose the severity level of the logs that you want to save to the
local syslog daemon.
For example: If you select Critical, all log messages listed under the Critical,
Emergency, and Alert categories are saved to the local syslog daemon.
STEP 7
Click Save to apply your settings.
Configuring the Log Facilities
A variety of events can be captured and logged for review. These logs can be
saved to the local syslog daemon or to a specified remote syslog server, or be
emailed to a specified email address.
To save the logs that are generated by the log facilities, you first need to enable
the Log feature, set the log buffer size, and specify the Email Alert, Remote Log,
and Local Log settings.
STEP 1
Click Device Management -> Loggings -> Logs Facility.
The Log Facility window opens. The supported log facilities are listed in the table.
STEP 2
Specify the actions for the logs generated by the log facilities:
•
Email Alert: Check the box at the left side of the Email Alert heading to
enable the email alert setting for all log facilities, or check the box for a log
facility to enable the email alert settings for the selected log facility.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
305
10
Device Management
Log Management
If you enable this feature, the logs that belong to the selected facilities and
match up with the specified severity level for Email Alert can be sent to the
specified email address.
•
Remote Log: Check the box at the left side of the Remote Log heading to
enable the remote log settings for all log facilities, or check the box of a log
facility to enable the remote log settings for the selected log facility.
If you enable this feature, the logs that belong to the selected facilities and
match up with the specified severity level for Remote Log can be saved to
the specified remote syslog server.
•
Local Log: Check the box at the left side of the Local Log heading to enable
the local log settings for all log facilities, or check the box of a log facility to
enable the local log settings for the selected log facility.
If you enable this feature, the logs that belong to the selected facilities and
match up with the specified severity level for Local Log can be saved to the
local syslog daemon.
NOTE For more information about the Email Alert, Remote Log, and Local Log
settings, see Configuring the Log Settings, page 303.
NOTE The logs that belong to the unselected log facilities, or the logs that
belong to the selected log facilities but cannot match up with the
specified severity settings will be dropped.
STEP 3
Click Save to apply your settings.
Viewing the Logs
Use the View Logs page to view the syslogs for the specified severity level, the
log facility, or the source and destination IP address.
STEP 1
Click Device Management -> Loggings -> View Logs.
The View Logs window opens.
STEP 2
Specify the logs to be viewed:
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
306
10
Device Management
Managing the Security License
•
Log Severity: Choose the log severity level to filter the logs.
For example: If you select Critical, all logs listed under the Critical,
Emergency, and Alert categories can be viewed.
•
Log Facility: Choose the log facility to filter the logs. All logs that belong to
the selected facility and match up with the specified severity settings can be
viewed.
•
Source IP: Enter the source IP address to filter the logs. All logs that match
up with this source IP address can be viewed.
•
Destination IP: Enter the destination IP address to filter the logs. All logs that
match up with this destination IP address can be viewed.
STEP 3
Click Query.
STEP 4
The query outputs are displayed in the Logs table. The logs can be sorted by
clicking the cellheading in the table. By default, the logs are sorted by the time.
For example, if you click Severity, the logs are sorted by the severity level in
ascending sequence. Double click Severity, the logs are sorted by the severity
level in descending sequence.
STEP 5
You can specify how many logs are displayed in the table per page. If one page
cannot show all logs, use the navigation buttons to switch among the pages.
STEP 6
Click the >> button and then click Clear All Local Logs to clean up all logs saved
in the local syslog daemon.
Managing the Security License
Use the License Management page to manage the security license. The security
license is valid for one year or three years depending on the bundle type. The
security services that provide protection against worms, attacks, and malware are
activated by the security license. It includes the following sections:
•
Checking the License Status, page 308
•
Renewing the Security License, page 309
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
307
10
Device Management
Managing the Security License
Checking the License Status
STEP 1
Click Device Management -> License Manaagement.
The License Management window opens. The following information of the
security license is displayed.
STEP 2
•
Feature: The security license name.
•
Status: The security license status. The security license cannot be
transferred or revoked once it is licensed.
•
Seats Available: The number of SSL VPN users supported by the security
license. The ISA550 and ISA550W supports 25 SSL VPN users. The ISA570
and ISA570W supports 50 SSL VPN users.
•
Expiration: The date on which the security license expires, in MM/DD/YYYY
format. For example: 12/31/2012.
To check the device credential information, click Device Credentials.
The Device Credentials window opens. The device credential information is
requested by Cisco sales or support for licensing purpose.
STEP 3
Click Email Alert Settings, the Email Alert Settings window opens.
You can see the following settings of the License Expiration Alert. We recommend
that you enable the License Expiration Alert feature so that the system can send an
alert email to remind the user to renew the security license before it expires.
•
Email Alert: Shows if the License Expiration Alert feature is enabled or
disabled.
•
From Email Address: The email address to send the compressed file.
•
Send to Email Address: The email address to receive the compressed file.
•
SMTP Server: The IP address of the SMTP server.
•
SMTP Authentication: Shows if the SMTP authentication is enabled or
disabled. If you enable SMTP authentication, the user name and password
are required to login the SMTP server.
•
Alert When it is: The number of days before the license expires to send the
alert message.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
308
10
Device Management
Managing the Security License
NOTE To send the alert email for license expiration events, you first need to
enable the License Expiration Alert feature and configure the email
account settings in the Email Alert Setting page. Click the link or go
to the Device Management -> Email Alert Settings page to do this.
See Configuring the Email Alert Settings, page 316.
Renewing the Security License
Perform the following steps to renew the security license before it expires.
STEP 1
Contact your Cisco reseller to purchase a new license.
STEP 2
Launch the the Configuration Utility and login, go to the Device Management ->
License Manaagement page.
STEP 3
Click Renew.
The Install License window opens.
STEP 4
The license can be a license code (PAK) or a license file downloaded from
cisco.com. Choose the license type from the License Type drop-down list:
•
•
License Code (PAK) from cisco.com: Automatically retrieves and installs
the license on the security appliance from the Cisco server. If you choose
this option, enter the following credential information. These credentials are
required to authenticate to the Cisco server.
License Code: Enter the license code (PAK).
Cisco.com Login: Enter the user name of your CCO account to log into
Cisco.com.
Cisco.com Password: Enter the password of your CCO account to log
into Cisco.com.
Email Address: Enter the registered email address to receive the PAK.
License File Download from cisco.com: Installs the security license that
was previously downloaded to your PC. If you choose this option, click
Browse to locate and select the license file from your PC.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
309
Device Management
Managing the Certificates for Authentication
10
NOTE Make sure that the security appliance is set to the current time, or the
license will not install properly.
STEP 5
After you finish entering the information in the required fields, click Validate
License.
After the license is renewed, the expiration date of the security license is updated
immediately.
Managing the Certificates for Authentication
Use the Certificate Management page to manage the certificates for
authentication. It includes the following sections:
•
Viewing the Certificate Status, page 310
•
Managing the Certificates, page 311
Viewing the Certificate Status
STEP 1
Click Device Management -> Certificate Management.
The Certificate Management window opens. All existing certificates are listed in
the table. The following certificate information is displayed:
•
Certificate: The certificate name.
•
Type: The certificate type. The security appliance supports three types of
certificates: Certificate Signing Request (CSR), Local Certificate, and CA
Certificate.
Certificate Signing Request (CSR): A certificate request generated by
your security appliance that needs to be sent to the Certificate Authority
(CA) for signing. CSR contains all the information required to create your
digital certificate.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
310
10
Device Management
Managing the Certificates for Authentication
STEP 2
Local Certificate: The local certificate is issued by a trusted CA, and is
involved in the applications like remote management and SSL VPN. To
use a local certificate, you must first request a certificate from the CA and
then import the certificate on your security appliance.
CA Certificate: The CA certificate is issed by intermediate CAs, such as
GoDaddy or VeriSign. The CA certificate is used to verify the validity of
certificates generated and signed by the CA.
Click the Detail button to view the detailed certificate information.
Certificate
Types
CA Certificate
or Local
Certificate
Certification
Signing
Request (CSR)
Details
•
Name: Name used to identify this certificate.
•
Issuer: Name of the CA that issued the
certificate.
•
Subject: Name which other organizations will
see as the holder (owner) of this certificate.
•
Serial Number: Serial number maintained by
the CA and used for identification purposes.
•
Valid From: Date from which the certificate is
valid.
•
Expires On: Date on which the certificate
expires. It is advisable to renew the certificate
before it expires.
•
Name: Name used to identify this CSR.
•
Subject: Name which other organizations will
see as the holder (owner) of this certificate.
Managing the Certificates
Perform the following tasks to manage different types of certificates:
•
To export a local certificate or a CSR to your PC, check the box and click
Download. See Exporting the Certificates to Local PC, page 312.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
311
Device Management
Managing the Certificates for Authentication
10
•
To export a local certificate or a CSR to a mounted USB device, check the
box and click Export to USB. See Exporting the Certificates to a USB
Device, page 313.
•
To import a CA certificate or a local certificate from your PC, click Import.
See Importing the Certificates from Your Local PC, page 313.
•
To import a CA certificate or a local certificate from a mounted USB device,
click Import from USB. See Importing the Certificates from a Mounted
USB Device, page 314.
•
To import a signed certificate for a CSR from your PC, click Upload. See
Importing the Signed Certificate for CSR from Your Local PC, page 314.
•
To generate a CSR, click New Signing Request. See Generating New
Certificate Signing Requests, page 315.
•
To delete a certificate or a CSR, check the box and click Delete.
•
To delete multiple entries, check the boxes of multiple entires and click
Delete Selection.
Exporting the Certificates to Local PC
You can export a local certificate or a CSR to your local PC. The CA certificate is
not allowed to export.
STEP 1
Click Device Management -> Certificate Management.
The Certificate Management window opens.
STEP 2
To export a local certificate or a CSR to your local PC, click Download.
•
If you are downloading a CSR, the Download Certificate Signing Request
window opens. Click Download, the certificate file will be saved in .PEM
format.
•
If you are downloading a local certificate, the Download Certificate window
opens. Enter the certificate management password in the Enter Export
Password field, and then click Download. The certificate file will be saved
in .p12 format.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
312
Device Management
Managing the Certificates for Authentication
10
Exporting the Certificates to a USB Device
To export a local certificate or a CSR to a USB device, you first need to insert the
USB device into the USB interface on the back panel of your security appliance.
The USB device is automatically mounted once you insert it. The CA certificate is
not allowed to export.
STEP 1
Click Device Management -> Certificate Management.
The Certificate window opens.
STEP 2
To export a local certificate or a CSR to the USB device, click Export to USB.
•
If you are downloading a CSR, the Export Certificate Signing Request to USB
window opens. Click Export. The CSR file will be saved on the mounted USB
device in .PEM format.
•
If you are downloading a local certificate, the Export Certificate to USB
window opens. Enter a password in the Enter Export Password field to
protect the certificate file and then click Export. The certificate file will be
saved on the mounted USB device in .p12 format.
Importing the Certificates from Your Local PC
You can import a local or CA certificate from your local PC.
STEP 1
Click Device Management -> Certificate Management.
The Certificate window opens.
STEP 2
To import a local or CA certificate from your local PC, click Import.
The Import Certificates window opens.
STEP 3
Enter the following information:
•
Import a local end-user certificate with private key from a PKCS#12
(.p12) encoded file: If you choose this option, enter the certificate name in
the Certificate Name field and the protection password in the Import
Password field, click Browse to locate and select a local certificate file from
your local PC, and then click Import.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
313
Device Management
Managing the Certificates for Authentication
•
10
Import a CA certificate from a PEM (.pem or .crt) encoded file: If you
choose this option, click Browse to locate and select a CA certificate file
from your local PC, and then click Import.
Importing the Certificates from a Mounted USB Device
To import local or CA certificates from a USB device, you first need to insert the
USB device into the USB interface on the back panel of your security appliance.
The USB device is automatically mounted once you insert it.
STEP 1
Click Device Management -> Certificate Management.
The Certificate window opens.
STEP 2
To import a local or CA certificate from the USB device, click Import from USB.
The Import Certificates window opens. All available local certificates and CA
certificates appear in the list.
STEP 3
Check the box of the certificate file, enter the certificate name in the Certificate
Name field and the protection password in the Import Password field, and then
click Import.
Importing the Signed Certificate for CSR from Your Local PC
You can upload a signed certificate for a CSR from your local PC.
STEP 1
Click Device Management -> Certificate Management.
The Certificate window opens.
STEP 2
To import a signed certificate for CSR from your local PC, click Upload.
The Upload Certificate window opens.
STEP 3
Click Browse to locate and select the signed certificate file for the CSR from your
local PC, and then click Upload.
NOTE The signed certificate file should be PEM(.pem or .crt) encoded.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
314
Device Management
Managing the Certificates for Authentication
10
Generating New Certificate Signing Requests
STEP 1
Click Device Management -> Certificate Management.
The Certificate Management window opens.
STEP 2
Click New Signing Request to generate a new certificate signing request.
The Generate Certificate Signing Request window opens.
STEP 3
STEP 4
Enter the following information:
•
Certificate Alias: Enter an alias name for the certificate.
•
Country Name: Choose the country from the drop-down list.
•
State or Province Name: Enter the state or province name of your location.
•
Locality Name: Enter the address of your location.
•
Organization Name: Enter your organization name.
•
Organization Unit Name: Enter your department name.
•
Common Name: Enter the common name for the certificate.
•
E-mail Address: Enter your email address.
•
Subject Distinguished Name: After you enter the above information, the
Distinguished Name (DN) is created in this field.
•
Subject Key Type: Displays the signature algorithm (RSA) used to sign the
certificate. RSA is a public key cryptographic algorithm used for encrypting
data.
•
Subject Key Size: Choose the length of the signature: 502 bits, 1024 bits, or
2048 bits.
Click Generate to create a certificate signing request file.
After you generate a certificate signing request file, you need to export the CSR
file to your local PC for submission to a Registration or CA. The CSR file will be
saved in .PEM format. You can change the file name that you download as needed.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
315
10
Device Management
Configuring the Email Alert Settings
Configuring the Email Alert Settings
Use the Email Alert Settings page to centrally configure how to send the alert
messages to the operator or administrator for specific events or behaviors that
may impact the performance, operation, and security of your security appliance,
or for debugging purposes.
STEP 1
Click Device Management -> Email Alert Settings.
The Email Alert Settings window opens.
STEP 2
Enter the following information:
•
SMTP Server: Enter the IP address or Internet name of the SMTP server.
•
SMTP Authentication: If the SMTP server requires authentication before
accepting the connections, click On to enable SMTP authentication. Users
need to provide the SMTP account information for authentication.
•
Account: Enter the user name of the SMTP email account.
•
Password: Enter the password of the SMTP email account.
•
From Email Address: Enter the email address to send the alert messages.
•
To Email Address: Enter the email address to receive the alert messages.
This email address is used to receive all alert emails for all categories. If you
want the alert emails for different categories to be sent to different email
accounts, uncheck the box of Use this address for all alert, and then
separately specify the email address to receive the alert messages for each
category in the To Email Address column.
•
Category: The security appliance sends the alert messages if events or
behaviors for the specific category are detected. To enable the email alert
settings for a category, check the Enable box and then configure the
corresponding settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
316
10
Device Management
Configuring the Email Alert Settings
Alert
Category
Description
Configurations
WAN UP/
DOWN
Alert
Sends an alert email if the
WAN interface link is UP or
DOWN.
To Email Address: Enter
the email address to
receive the alert messages.
Alert Interval: Specify how
often in minutes the
security appliance sends
the alert messages for
WAN down or up events.
IPSec
Alert
Sends an alert email if the
IPSec VPN tunnel
negotiation fails.
To Email Address: Enter
the email address to
receive the alert messages.
IPS Alert
Sends an alert email if an
attack is detected over the
specified email alert
threshold for IPS categories
or IM and P2P applications.
To Email Address: Enter
the email address to
receive the alert messages.
You first need to enable the
IPS service and specify the
email alert thresholds for
the IM and P2P Blocking
feature and/or the IPS
Policy and Protocol
Inspection feature. See
Intrusion Prevention
Service, page 214.
Firmware
Upgrade
Alert
Sends an alert email if a
new firmware is found after
automatically checking the
firmware.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
To Email Address: Enter
the email address to
receive the alert messages.
317
10
Device Management
Configuring the Email Alert Settings
Alert
Category
Description
Configurations
License
Expiration
Alert
Sends an alert email at x
days before the security
license expires. x is
configurable.
To Email Address: Enter
the email address to
receive the alert messages.
Sends an alert email if the
CPU utilization is higher
than the threshold.
To Email Address: Enter
the email address to
receive the alert messages.
CPU
Overload
Alert
Alert When it is: Enter the
number of days before the
license expires to send the
alert message.
CPU Threshold Setting:
Enter the threshold value of
CPU utilization.
Debug
Support
Sends the debug support
package (*.zip) that is
generated by the System
Diagnostics settings for
debugging purposes.
To Email Address: Enter
the email address to
receive the alert messages.
To specify the contents to
be compressed in a file in
the zip format, see System
Diagnostics, page 327.
Anti-Virus
Alert
Sends an alert email if virus
is detected.
You first need to enable the
Anti-Virus service and
specify the protocols to
scan for viruses. For more
information, see Anti-Virus,
page 220.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
To Email Address: Enter
the email address to
receive the alert messages.
Alert Interval: Specify how
often, in minutes, the
security appliance sends
the alert messages for virus
events.
318
10
Device Management
Configuring the RADIUS Servers
Alert
Category
Description
Configurations
Syslog
Email
Send the syslog messages
on schedule to the
specified email receiver.
To Email Address: Enter
the email address to
receive the alert messages.
To specify the syslogs to be
sent, see Configuring the
Log Settings, page 303.
STEP 3
Click Save to apply your settings.
Configuring the RADIUS Servers
Use the RADIUS Servers page to configure the RADIUS servers that are used to
authenticate the users who try to access your network resources. A RADIUS
group includes a primary RADIUS server and a backup RADIUS server. The
security appliance predefines three RADIUS groups.
STEP 1
Click Device Management -> RADIUS Servers.
The RADIUS Servers window opens. All predefined RADIUS groups are listed in
the table.
STEP 2
To edit the settings of the predefined RADIUS group, click Edit in the
Configuration column.
After you click Edit, the RADIUS Group - Edit window opens.
STEP 3
Enter the following information:
•
Primay RADIUS Server IP: Enter the IP address of the primary RADIUS
server.
•
Primay RADIUS Server Port: Enter the port number on the primary RADIUS
server that is used to send the RADIUS traffic. The default is 1812.
•
Primay RADIUS Server Pre-shared Key: Enter the pre-shared key that is
configured on the primary RADIUS server.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
319
10
Device Management
Configuring the Time Zone
•
Secondary RADIUS Server IP: Enter the IP address of the secondary
RADIUS server.
•
Secondary RADIUS Server Port: Enter the port number on the secondary
RADIUS server that is used to send the RADIUS traffic. The default is 1812.
•
Secondary RADIUS Server Pre-shared Key: Enter the pre-shared key that
is configured on the secondary RADIUS server.
STEP 4
Click OK to save your settings.
STEP 5
Repeat the above steps to edit the settings for other RADIUS groups if needed.
STEP 6
Click Save to apply your settings.
Configuring the Time Zone
Use the Time Zone / Clock Settings page to manually configure the time zone and
clock settings, or to dynamically synchronize the time zone and clock settings with
the Network Time Protocol (NTP) server.
STEP 1
Click Device Management -> TimeZone / Clock Settings.
The Time Zone and Clock Settings window opens.
STEP 2
Click Manual to manually set the date and time. Enter the values in the Date and
Time fields.
STEP 3
Click Dynamic to automatically synchronize the date and time with the NTP
server:
•
Date/Time: Choose the time zone relative to Greenwich Mean Time (GMT).
•
Automatically Adjust for Daylight Savings Time: Click On to automatically
adjust the time for Daylight Savings Time, or click Off to disable it.
•
Use Default NTP Servers: Click this option to use the default Network Time
Protocol (NTP) server.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
320
10
Device Management
Device Discovery
STEP 4
•
Use Custom NTP Servers: Click this option to use a custom NTP server.
Enter the IP addresses or domain names of up to two custom NTP servers in
the Server 1 Name/IP Address and Server 2 Name/IP Address fields. The
Server 1 is the primary NTP server and the Server 2 is the secondary NTP
server.
•
Current Time: The current date and time sychronized with the configured
NTP server.
Click Save to apply your settings.
Device Discovery
The security appliance supports the following tools to discover the devices:
•
UPnP, page 321
•
Bonjour, page 322
•
CDP, page 323
•
LLDP, page 324
UPnP
UPnP (Universal Plug and Play) allows for automatic discovery of devices that can
communicate with your security appliance. The UPnP Portmap table displays the
port mapping entries of the UPnP-enabled devices that accessed your security
appliance.
STEP 1
Click Device Management -> Discovery -> UPnP.
The UPnP window opens.
STEP 2
Enter the following information:
•
UPnP: Click On to enable UPnP, or click Off to disable UPnP. If UPnP is
disabled, the security appliance will not allow for automatic device
configuration.
•
LAN: Choose an existing VLAN to which the UPnP information is
broadcasted and listened on.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
321
10
Device Management
Device Discovery
•
Advertisement Period: Enter the value in seconds of how often the security
appliance broadcasts its UPnP information to all devices within range. The
default value is 1800 seconds.
•
Advertisement Time to Live: Enter the value expressed in hops for each
UPnP packet. This is the number of steps a packet is allowed to propagate
before being discarded. Small values will limit the UPnP broadcast range.
The default value is 4.
STEP 3
Click Save to apply your settings.
STEP 4
After you enable UPnP, the information in the UPnP Portmap table will be refreshed
immediately. Or click Refresh to manually refresh the UPnP records in the table.
Bonjour
Bonjour is a service advertisement and discovery protocol. Bonjour only
advertises the default services configured on the security appliance when
Bonjour is enabled.
STEP 1
Click Device Management -> Discovery -> Bonjour.
The Bonjour window opens.
STEP 2
In the Bonjour Configuration area, click On to enable Bonjour, or click Off to
disable it. If you enable Bonjour, all default services are enabled.
STEP 3
In the Enabled Default Service area, the default enabled services are displayed.
The default services include CSCO-SB, HTTP, and HTTPS.
STEP 4
In the VLAN Association area, you can associate the VLANs for the default
services. The default services will only be visible to the hosts that belong to the
associated VLANs.
STEP 5
•
Choose a VLAN from the Available VLANs drop-down list and then click
Apply. The VLANs associated to the default services are listed in the table.
•
To dissociate the VLANs from the default services, check the boxes next to
the appropriate VLANs and click Delete.
•
Click Reset to revert to the default settings.
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
322
10
Device Management
Device Discovery
CDP
Cisco Discovery Protocol (CDP) is a device discovery protocol that runs on all
Cisco manufactured equipment. Each CDP enabled device sends periodic
messages to a multicast address and also listens to the periodic messages sent
by others in order to learn about neighboring devices and determine the status of
these devices. Use the CDP page to configure the settings to control CDP.
NOTE Enabling CDP is not recommended on the dedicated WAN port and the
configurable ports because they are connected to insecure networks.
STEP 1
Click Device Management -> Discovery -> CDP.
The CDP window opens.
STEP 2
In the CDP Configuration area, enter the following information:
•
CDP: Choose one of the following options:
Enable All: Enables CDP on all ports supported by the security
appliance.
Disable All: Disables CDP on all ports supported by the security
appliance.
Per Port: Configures CDP on selective ports.
•
CDP Timer: Enter the value of the time interval between two successive
CDP packets sent by the security appliance.
•
CDP Hold Timer: The hold timer is the amount of time the information sent
in the CDP packet should be cached by the device which receives the CDP
packet, after which the information is expires.
STEP 3
In the Enable CDP area, click On to enable CDP on each interface, or click Off to
disable CDP. This is required if you choose Per Port from the CDP drop-down list.
STEP 4
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
323
10
Device Management
Diagnosing the Device
LLDP
The Link Layer Discovery Protocol (LLDP) enables network managers to
troubleshoot and enhance network management by discovering and maintaining
network topologies over multi-vendor environments. LLDP discovers network
neighbors by standardizing methods for network devices to advertise themselves
to other systems, and to store discovered information.
LLDP enables a device to advertise its identification, configuration, and
capabilities to neighboring devices that store the data in a Management
Information Base (MIB). The network management system models the topology of
the network by querying these MIB databases.
STEP 1
Click Device Management -> Discovery -> LLDP.
The LLDP window opens.
STEP 2
Click On to enable LLDP, or click Off to disable it. If you enable LLDP, the LLDP
neighbors are listed in the LLDP Neighbor table.
STEP 3
To view the detail of a LLDP neighbor, check the box and click Details.
STEP 4
To refresh the information in the LLDP Neighbor table, click Refresh.
STEP 5
Click Save to apply your settings.
Diagnosing the Device
Use the Diagnostics pages to access the configurations of the security appliance
and to monitor the overall network health. The following tools are supported to
diagnose your network.
•
Ping, page 325
•
Tracert, page 325
•
DNS Lookup, page 326
•
Packet Capture, page 326
•
System Diagnostics, page 327
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
324
10
Device Management
Diagnosing the Device
NOTE These features require an active WAN connection.
Ping
Use the Ping page to test the connectivity between the security appliance and a
connected device on the network.
STEP 1
Click Device Management -> Diagnostics -> Ping.
The Ping window opens.
STEP 2
STEP 3
Enter the following information:
•
IP or URL Address: Enter the IP address or URL to ping.
•
Packet Size: Enter the packet size in the range of 32 to 65500 bytes to ping.
The security appliance will send the packet with the specified size to the
destination.
•
Ping Time: Enter the times to ping. The security appliance will send the
packet for specific times to check the connectivity with the destination IP
address.
Click Start Ping to ping the IP address or the URL, or click Stop Ping to stop
pinging.
Tracert
Use the Tracert page to view the route between the security appliance and a
destination.
STEP 1
Click Device Management -> Diagnostics -> Tracert.
The Tracert window opens.
STEP 2
Enter the following inforamtion:
•
IP or URL Address: Enter the IP address or URL of the destination.
•
Max Hops: Choose the maximum hop number.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
325
10
Device Management
Diagnosing the Device
STEP 3
Click Start Traceroute to trace the route of the IP address or URL, or click Stop
Traceroute to stop tracing.
DNS Lookup
Use the DNS Lookup page to retrieve the IP address of any server on the Internet.
STEP 1
Click Device Management -> Diagnostics -> DNS Lookup.
The DNS Lookup window opens.
STEP 2
Enter the IP address or domain name that you want to look up in the IP Address or
Domain Name field.
STEP 3
Click Run Lookup to query the server on the Internet. If the host or domain name
exists, you will see a response with the IP address.
STEP 4
Click Cleanup Result to clean up the querying result.
Packet Capture
Use the Packet Capture page to capture all packets that pass through a selected
interface.
STEP 1
Click Device Management -> Diagnostics -> Packet Capture.
The Packet Capture window opens.
STEP 2
Choose the network that you want to capture the packets from the Select
Network drop-down list.
STEP 3
Click Start to start capturing the packets, click Stop to stop capturing, or click
Download to download the captured packets.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
326
10
Device Management
Diagnosing the Device
System Diagnostics
Use the Collect Diagnostics page to compress the contents like configuration files,
syslog files, and system status data into one file in the zip format, and send the
compressed file to the specified email account for system diagnosis. You can set a
password to protect the compressed file for security purposes.
STEP 1
Click Device Management -> Diagnostics -> Collect Diagnostics.
The Collect Diagnostics window opens.
STEP 2
STEP 3
STEP 4
In the Content area, choose the contents that you want to use for diagnosing the
system. The selected files are compressed into one file in the zip format.
•
Configuration File: Click On to compress the configuration files for system
diagnosis.
•
Syslog File: Click On to compress the syslog files for system diagnosis.
•
System Status: Click On to compress the system status data for system
diagnosis.
In the Password Protection area, you can set a password to secure the
compressed file.
•
Password Protection: Click On to enable password protection, or click Off
to disable it.
•
Password: If you enable the password protection, enter the password in this
field.
In the Email area, the email account settings for sending the compressed file are
displayed.
•
Email Alert: Shows if the Debug Support Alert feature is enabled or
disabled.
•
From Email Address: The email address to send the compressed file.
•
Send to Email Address: The email address to receive the compressed file.
•
SMTP Server: The IP address of the SMTP server.
•
SMTP Authentication: Shows if the SMTP authentication is enabled or
disabled. If you enable SMTP authentication, the user name and password
are required to log into the SMTP server.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
327
Device Management
Measuring and Limiting Traffic with the Traffic Meter
10
NOTE To send the compressed file for system diagnosis, you first need to
enable the Debug Support Alert feature and configure the email
account settings in the Email Alert Setting page. Click the link or go
to the Device Management -> Email Alert Settings page to do this.
See Configuring the Email Alert Settings, page 316.
STEP 5
Click Save to apply your settings.
STEP 6
Click Send Now to send the compressed file to the specified email address
immediately.
Measuring and Limiting Traffic with the Traffic Meter
Traffic Meter allows you to measure and limit the traffic routed by the security
appliance. You can enable the traffic meter settings for both primary WAN and
secondary WAN (if applicable).
STEP 1
Click Device Management -> Traffic Meter -> Primary WAN Settings.
The Primary WAN Settings window opens.
NOTE To configure the traffic meter settings for the secondary WAN if applicable,
click Device Management -> Traffic Meter -> Secondary WAN Settings.
STEP 2
In the Enable Traffic Meter area, enter the following information:
•
Enable Traffic Metering: Click On to enable the traffic metering on the
primary WAN port, or click Off to disable it. Enabling this feature on the
primary port will keep a record of the volume of traffic going from this
interface.
•
Traffic Limit Type: Specify the restriction on the volume of data being
transferred through the primary WAN port.
No Limit: The default option, where no limits on data transfer are
imposed.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
328
Device Management
Measuring and Limiting Traffic with the Traffic Meter
STEP 3
Download Only: Limits the amount of download traffic. Enter the
maximum allowed data in Megabytes that can be downloaded for a given
month in the Monthly Limit field. Once the limit is reached, no traffic is
allowed from the WAN side.
Both Directions: Calculates the traffic for both upload and download
directions. The traffic limit entered into the Monthly Limit field is shared
by both upload and download traffic. For example, for a 1 GB limit, if a 700
MB file is downloaded then the remaining 300 MB must be shared
between both upload and download traffic. The amount of traffic
downloaded will reduce the amount of traffic that can be uploaded and
vice-versa.
•
Monthly Limit: Enter the volume limit that is applicable for this month. This
limit will apply to the type of direction (Download Only or Both Direction)
selected above.
•
Increase this month limit by: Click On to temporarily increase the limit if the
monthly traffic limit has been reached, or click Off to disable it. If you enable
this feature, enter the amount of the increase in this field.
•
This Month Limit: The data transfer limit applicable for this month that is the
sum of the values in the Monthly Limit field and the Increase this month
limit by field.
In the Traffic Counter area, enter the following information:
•
•
STEP 4
10
Traffic Counter: Specify the action to be taken on the traffic counter.
Restart Now: Choose this option and then click Save to reset the counter
immediately.
Specific Time: Choose this option if you want the counter to restart at a
specified date and time, then enter the time in hours (HH) and minutes
(MM) and select the day of the month in the Reset Time field.
Send email report before restarting counter: Click On to send an email
report before the traffic counter is reset, or click Off to disable it. This feature
requires that you enable the Email Alert feature in the Log Settings page. See
Log Management, page 302.
In the When Limit is Reached area, specify the action when the traffic limit is
reached.
•
Traffic Block Status: Choose one of the following options:
Block All Traffic: Blocks all traffic through the WAN interface when the
traffic limit is reached.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
329
10
Device Management
Configuring the ViewMaster
•
STEP 5
STEP 6
Block All Traffic Except Email: Blocks all traffic except email through the
WAN interface when the traffic limit is reached.
Send email alert: Click On to send an alert email to the specific email
account when the traffic limit is reached, or click Off to disable it. This feature
requires that you enable the Email Alert feature in the Log Settings page. See
Log Management, page 302.
In the Internet Traffic Statistics area, the following information is displayed if you
enable the traffic metering:
Start Date/Time
The date on which the traffic meter was started or the last
time when the traffic counter was reset.
Outgoing Traffic
Volume
The volume of traffic in Megabytes that was uploaded
through this interface.
Incoming Traffic
Volume
The volume of traffic in Megabytes that was downloaded
through this interface.
Average per day
The average volume of traffic that passed through this
interface.
% of Standard
Limit
The amount of traffic in percent that passed through this
interface against the monthly limit.
% of this
Month’s Limit
The amount of traffic in percent that passed through this
interface against this month’s limit (if the month’s limit has
been increased).
Click Save to apply your settings.
Configuring the ViewMaster
ViewMaster is a network monitoring and management protocol. If you enable
ViewMaster, the devices accept the HTTP or HTTPS connections with the Local
Management Agent that is embodied in the security appliance.
STEP 1
Click Device Management -> ViewMaster.
The ViewMaster window opens.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
330
10
Device Management
Configuring the CCO Account
STEP 2
Click On to enable ViewMaster, or click Off to disable it. By default, ViewMaster is
enabled.
STEP 3
Click Save to apply your settings.
Configuring the CCO Account
Use the CCO Account page to configure your registered CCO account. The CCO
account is used to log into Cisco.com for specific services. For example, if you
want to download the IPS signatures or automatically update the IPS signatures,
you are required to provide the CCO account information.
To register a CCO account on the Cisco.com, go to https:// tools.cisco.com/RPF/
register/register.do.
STEP 1
Click Device Management -> CCO Account.
The CCO Account window opens.
STEP 2
STEP 3
Enter the following information:
•
User Name: Enter the name of your registered CCO account.
•
Current Password: Enter the current password of your registered CCO
account.
•
New Password: Enter a new password for the CCO account.
•
Confirm New Password: Enter the new password again for confirmation.
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
331
10
Device Management
Configuring the Device Properties
Configuring the Device Properties
Use the Device Properties page to configure the host name and domain name to
identify your security appliance on the network.
STEP 1
Click Device Management -> Device Properties.
The Device Properties window opens.
STEP 2
STEP 3
Enter the following information:
•
Host Name: Enter the host name of your security appliance, which is
displayed on the network to identify your device.
•
Domain Name: Enter an unique domain name to identify your network.
Click Save to apply your settings.
Configuring the Debug Settings
Use the Debug Setting page to enable the SSH version 2 server for debugging
purposes.
STEP 1
Click Device Management -> Debug Setting.
The Debug Setting window opens.
STEP 2
Click On to enable the SSH version 2 server for debugging, or click Off to disable
it.
This feature allows the engineers to use an unique console root password to log
into the security appliance for debugging operation. The root password expires in
24 hours, so you need to ask for a new password once it expires.
STEP 3
To set the root password for remote support, enter the password in the Remote
Support Password field.
STEP 4
Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
332
A
Troubleshooting
This chapter describes how to fix some common issues when you are using the
security appliance. It includes the following sections:
•
Internet Connection, page 333
•
Date and Time, page 336
•
Pinging to Test LAN Connectivity, page 337
•
Restoring Factory Default Settings, page 339
Internet Connection
Symptom:
You cannot access the Configuration Utility from a PC on your LAN.
Recommended Actions:
STEP 1 Check the Ethernet connection between the PC and the security appliance.
STEP 2 Ensure that the IP address of your PC is on the same subnet as the security
appliance. If you are using the recommended addressing scheme, your PC’s
address should be in the range 192.168.1.100 to 192.168.1.200.
STEP 3 Check the IP address of your PC. If the PC cannot reach a DHCP server, some
versions of Windows and MacOS generate and assign an IP address. These autogenerated addresses are in the range of 169.254.x.x. If your IP address is in this
range, check the connection from the PC to the security appliance and reboot your
PC.
STEP 4 If your IP address has changed and you don’t know what it is, reset the security
appliance to the factory default settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
333
A
Troubleshooting
Internet Connection
If you do not want to reset to factory default settings and lose your configuration,
reboot the security appliance and use a packet sniffer (such as Ethereal™) to
capture packets sent during the reboot. Look at the ARP packets to locate the LAN
interface address.
STEP 5 Launch your web browser and ensure that Java, JavaScript, or ActiveX is enabled.
If you are using Internet Explorer, click Refresh to ensure that the Java applet is
loaded. Close the browser and launch it again.
STEP 6 Ensure that you are using the correct login information. The factory default login
name is cisco and the password is cisco. Ensure that CAPS LOCK is off when
entering this information.
Symptom:
The security appliance does not save my configuration changes.
Recommended Actions:
STEP 1 When entering configuration settings, click OK or Save before moving to another
page or tab; otherwise your changes are lost.
STEP 2 Click Refresh or Reload in the browser, which will clear a cached copy of the old
configuration.
Symptom:
The security appliance cannot access the Internet.
Possible Cause: If you use dynamic IP addresses, your security appliance is not
requesting an IP address from the ISP.
Recommended Actions:
STEP 1 Launch your browser and determine if you can connect to an external site such as
www.cisco.com.
STEP 2 Launch the Configuration Utility.
STEP 3 Click Status -> Dashboard in the left hand navigation pane.
STEP 4 In the WAN Interface area, find the WAN1 Address. If 0.0.0.0 is shown, your
security appliance has not obtained an IP address from your ISP. See the next
symptom.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
334
A
Troubleshooting
Internet Connection
Symptom:
The security appliance cannot obtain an IP address from the ISP.
Recommended Actions:
STEP 1 Turn off power to the cable or DSL modem.
STEP 2 Turn off the security appliance.
STEP 3 Wait 5 minutes, and then reapply power to the cable or DSL modem.
STEP 4 When the modem LEDs indicate that it has resynchronized with the ISP, reapply
power to the security appliance. If the security appliance still cannot obtain an ISP
address, see the next symptom.
Symptom:
The security appliance still cannot obtain an IP address from the ISP.
Recommended Actions:
STEP 1 Click Networking -> WAN in the left hand navigation pane.
STEP 2 Click Edit.
The WAN - Add/Edit window opens.
STEP 3 Ask your ISP the following questions:
•
What type of network addressing mode is required for your Internet
connection? In the IPv4 tab, choose the correct ISP connection type in the
IP Address Assignment drop-down list, and then enter the account
information as specified by the ISP.
•
Is your ISP expecting you to login from a particular Ethernet MAC address?
If yes, in the IPv4 tab, choose Use the following MAC address from the
MAC Address Source drop-down list, and then enter the required MAC
address in the MAC Address field.
Symptom: The security appliance can obtain an IP address, but PC is unable to
load Internet pages.
Recommended Actions:
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
335
A
Troubleshooting
Date and Time
STEP 1 Ask your ISP for the addresses of its designated DNS servers. Configure your PC
to recognize those addresses. For details, see your operating system
documentation.
STEP 2 On your PC, configure the security appliance to be its TCP/IP gateway.
Date and Time
Symptom:
Date shown is January 1, 2000.
Possible Cause: The security appliance has not yet successfully reached a
network Time Server (NTS).
Recommended Actions:
STEP 1 If you have just configured the security appliance, wait at least 5 minutes, click
Device Management -> Time Zone / Clock Settings in the left hand navigation
pane.
STEP 2 Review the settings for the date and time.
STEP 3 Verify your Internet access settings.
Symptom:
The time is off by one hour.
Possible Cause: The security appliance does not automatically adjust for
Daylight Savings Time.
Recommended Actions:
STEP 1 Click Device Management -> Time Zone / Clock Settings in the left hand
navigation pane.
STEP 2 Click On to enable the Automatically adjust for Daylight Savings Time feature.
STEP 3 Click Save to apply your settings.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
336
A
Troubleshooting
Pinging to Test LAN Connectivity
Pinging to Test LAN Connectivity
Most TCP/IP terminal devices and security appliances contain a ping utility that
sends an ICMP echo-request packet to the designated device. The device
responds with an echo reply. Troubleshooting a TCP/IP network is made very easy
by using the ping utility in your PC or workstation.
This section includes the following topics:
•
Testing the LAN Path from Your PC to Your Security Appliance,
page 337
•
Testing the LAN Path from Your PC to a Remote Device, page 338
Testing the LAN Path from Your PC to Your Security
Appliance
STEP 1 On your PC, click the Windows Start button, and then click Run.
STEP 2 Type ping  where  is the IP address of the security
appliance. Example: ping 192.168.1.1.
STEP 3 Click OK.
STEP 4 Observe the display:
•
If the path is working, you see this message sequence:
Pinging  with 32 bytes of data
Reply from : bytes=32 time=NN ms TTL=xxx
•
If the path is not working, you see this message sequence:
Pinging  with 32 bytes of data
Request timed out
STEP 5 If the path is not working, test the physical connections between the PC and the
security appliance:
•
If the LAN port LED is off, verify that the corresponding link LEDs are lit for
your network interface card and for any hub ports that are connected to your
workstation and security appliance.
STEP 6 If the path is still not up, test the network configuration:
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
337
A
Troubleshooting
Pinging to Test LAN Connectivity
•
Verify that the Ethernet card driver software and TCP/IP software are
installed and configured on the PC.
•
Verify that the IP addresses for the security appliance and PC are correct
and on the same subnet.
Testing the LAN Path from Your PC to a Remote Device
STEP 1 On your PC, click the Windows Start button, and then click Run.
STEP 2 Type ping -n 10  where -n 10 specifies a maximum of 10 tries and
 is the IP address of a remote device such as your ISP’s DNS server.
Example: ping -n 10 10.1.1.1.
STEP 3 Click OK and then observe the display (see the previous procedure).
STEP 4 If the path is not working, do the following:
•
Check that the PC has the IP address of your security appliance is listed as
the default gateway. (If the IP configuration of your PC is assigned by DHCP,
this information is not visible in your PC’s Network Control Panel.)
•
Verify that the network (subnet) address of your PC is different from the
network address of the remote device.
•
Verify that the cable or DSL modem is connected and functioning.
•
Call your ISP and go through the questions listed in The security appliance
cannot obtain an IP address from the ISP.
•
Ask your ISP if it rejects the Ethernet MAC addresses of all but one of your
PCs. Many broadband ISPs restrict access by allowing traffic from the MAC
address of only your broadband modem. Some ISPs additionally restrict
access to the MAC address of just a single PC connected to that modem. If
this is the case, configure your security appliance to clone or spoof the MAC
address from the authorized PC. See Configuring the WAN, page 101.
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
338
A
Troubleshooting
Restoring Factory Default Settings
Restoring Factory Default Settings
To restore the factory default settings, take one of the following actions:
•
Launch the Configuration Utility and login. Click Device Management ->
Firmware and Configuration -> Configuration in the left hand navigation
pane. In the Backup/Restore Settings area, click Default.
•
Or press and hold the RESET button on the back panel of your security
appliance for about 3 seconds, until the LED lights and then blinks. Release
the button and wait for the security appliance to reboot. If the security
appliance does not restart automatically; manually restart it to make the
default settings effective.
After a restore to factory defaults, the following settings apply:
•
LAN IP address: 192.168.1.1
•
Username: cisco
•
Password: cisco
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
339
B
Technical Specifications and Environmental
Requirements
Feature
ISA550
ISA550W
ISA570
ISA570W
Standards-Safety
UL 60950-1
UL 60950-1
UL 60950-1
UL 60950-1
CAN/CSA-C22.2
No. 60950-1
CAN/CSA-C22.2
No. 60950-1
CAN/CSA-C22.2
No. 60950-1
CAN/CSA-C22.2
No. 60950-1
EN 60950-1
EN 60950-1
EN 60950-1
EN 60950-1
IEC 60950-1
IEC 60950-1
IEC 60950-1
IEC 60950-1
AS/NZS 60950-1
AS/NZS 60950-1
AS/NZS 60950-1
AS/NZS 60950-1
47CFR FCC Part
15B
47CFR FCC Part
15B
47CFR FCC Part
15B
47CFR FCC Part
15B
Industry Canada
ICES-003
Industry Canada
ICES-003
Industry Canada
ICES-003
Industry Canada
ICES-003
EN55022
EN 301 489-01
EN55022
EN 301 489-01
EN55024
EN 301 489-17
EN55024
EN 301 489-17
EN61000-3-2
EN55024
EN61000-3-2
EN55024
EN61000-3-3
EN61000-3-2
EN61000-3-3
EN61000-3-2
CISPR22
EN61000-3-3
CISPR22
EN61000-3-3
CISPR24
CISPR22
CISPR24
CISPR22
AS/NZS CISPR22
CISPR24
AS/NZS CISPR22
CISPR24
Standards-EMC
AS/NZS CISPR22
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
AS/NZS CISPR22
340
B
Technical Specifications and Environmental Requirements
Feature
ISA550
ISA550W
ISA570
ISA570W
Standards-Radio
47 CFR Part 15C
47 CFR Part 15C
47 CFR Part 15C
47 CFR Part 15C
Industry Canada
RSS-210
Industry Canada
RSS-210
Industry Canada
RSS-210
Industry Canada
RSS-210
EN 300.328
EN 300.328
EN 300.328
EN 300.328
FCC OET-65,
Supplement C
FCC OET-65,
Supplement C
FCC OET-65,
Supplement C
FCC OET-65,
Supplement C
RSS-102
RSS-102
RSS-102
RSS-102
EN50385
EN50385
EN50385
EN50385
2X RJ-45
connectors for
LAN port
2 X RJ-45
connectors for
LAN port
4 X RJ-45
connectors for
LAN port
4 X RJ-45
connectors for
LAN port
1 X RJ-45
connector for WAN
port
1 X RJ-45
connector for WAN
port
1 X RJ-45
connector for WAN
port
1 X RJ-45
connector for WAN
port
4 X RJ-45
connector for LAN,
WAN or DMZ port
4 X RJ-45
connector for LAN,
WAN or DMZ port
5 X RJ-45
connector for LAN,
WAN or DMZ port
5 X RJ-45
connector for LAN,
WAN or DMZ port
1 X USB connector
for USB 2.0
1 X USB connector
for USB 2.0
1 X USB connector
for USB 2.0
1 X USB connector
for USB 2.0
1 X Power switch
1 X Power switch
1 X Power switch
1 X Power switch
Standards-RF
Exposure
Physical
Interfaces
2 X external
antennas
2 X external
antennas
Operating
Temperature
32 to 104°F (0 to
40°C)
32 to 104°F (0 to
40°C)
32 to 104°F (0 to
40°C)
32 to 104°F (0 to
40°C)
Storage
Temperature
-4 to 158°F (-20 to
70°C)
-4 to 158°F (-20 to
70°C)
-4 to 158°F (-20 to
70°C)
-4 to 158°F (-20 to
70°C)
Operating
Humidity
10 to 90 percent
relative humidity,
non-condensing
10 to 90 percent
relative humidity,
non-condensing
10 to 90 percent
relative humidity,
non-condensing
10 to 90 percent
relative humidity,
non-condensing
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
341
B
Technical Specifications and Environmental Requirements
Feature
ISA550
ISA550W
ISA570
ISA570W
Storage Humidity
5 to 95 percent
relative humidity,
non-condensing
5 to 95 percent
relative humidity,
non-condensing
5 to 95 percent
relative humidity,
non-condensing
5 to 95 percent
relative humidity,
non-condensing
Normal Voltagess:
100 to 240 VAC
Normal Voltagess:
100 to 240 VAC
Normal Voltagess:
100 to 240 VAC
Normal Voltagess:
100 to 240 VAC
Voltage Variation
Range: 90 to 264
VAC
Voltage Variation
Range: 90 to 264
VAC
Voltage Variation
Range: 90 to 264
VAC
Voltage Variation
Range: 90 to 264
VAC
Normal Frequency:
50 to 60 Hz
Normal Frequency:
50 to 60 Hz
Normal Frequency:
50 to 60 Hz
Normal Frequency:
50 to 60 Hz
Frequency
Variation Range:
47 Hz to 63 Hz
Frequency
Variation Range:
47 Hz to 63 Hz
Frequency
Variation Range:
47 Hz to 63 Hz
Frequency
Variation Range:
47 Hz to 63 Hz
Output Voltage
Regulation
11.4 V to 12.6 V
11.4 V to 12.6 V
11.4 V to 12.6 V
11.4 V to 12.6 V
Output Current
MAX 2.5 A
MAX 2.5 A
MAX 1.667 A
MAX 1.667 A
Internal Power Supply
Voltage Range
Input Frequency
Range
Physical Specifications
Form Factor
1 RU, 19-inch rackmountable
1 RU, 19-inch rackmountable
1 RU, 19-inch rackmountable
1 RU, 19-inch rackmountable
Dimensions
(H x W x D)
1.73 x 12.1 x 7.30
inches (44 x 308 x
185.5 mm)
1.73 x 12.1 x 7.30
inches (44 x 308 x
185.5 mm)
1.73 x 12.1 x 7.30
inches (44 x 308 x
185.5 mm)
1.73 x 12.1 x 7.30
inches (44 x 308 x
185.5 mm)
Antennas add
approximately 1.24
inches (31.6 mm)
to depth.
Weight (with
Power Supply)
1.20 kg (3.22 lb)
1.26 kg (3.38 lb)
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
Antennas add
approximately 1.24
inches (31.6 mm)
to depth.
1.3 kg (3.48 lb)
1.36 kg (3.64 lb)
342
C
Factory Default Settings
This chapter provides the factory default settings for the primary features
available on your security appliance and the predefined service and address
objects. It includes the following setions:
•
Device Management, page 343
•
User Management, page 346
•
Networking, page 347
•
Wireless, page 352
•
VPN, page 353
•
Security Services, page 356
•
Firewall, page 357
•
Reports, page 359
•
Default Service Objects, page 360
•
Default Address Objects, page 363
Device Management
Features
Settings
Remote Management
enable
Remote Managaement by
using HTTPS
enable
Access Type
All IP Address
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
343
C
Factory Default Settings
Device Management
Features
Settings
Listened Port Numer for
HTTPS
8080
Remote Managaement by
using HTTP
enable
Listened Port Numer for
HTTP
80
Remote SNMP
enable
Firmware Check Periodically
disable
Ping Time
Maximum Hops for Tracert
System Diagnostics
disable
Password Protection
disable
Syslog Settings
disable
Logs Facility
Email Alert
Kernel, System
Remote Log
Kernel, System
Local Log
Kernel, System
Time Zone and Clock Settings
Dynamic
Date/Time
GMT+00:00) Edinburgh, London
Automatically Adjust for
Daylight Savings Time
disable
Use Default NTP Servers
enable
Maximum Certificate Number
128
SNMP
disable
SNMP Versions
SNMP V1 & V2, SNMP V3
Default SNMP Version
SNMP V1 & V2
UPnP
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
disable
344
C
Factory Default Settings
Device Management
Features
Settings
Bonjour
disable
CDP
disable
CDP Timer
60 (5 to 900)
CDP Hold Timer
180 (10 to 255)
LLDP
disable
Traffic Meter-Primary WAN
Settings
disable
Traffic Meter-Secondary WAN
Settings
disable
ViewMaster
enable
RADIUS Groups
RADIUS Server Port
1812
SMTP Authentication
disable
Email Alert Settings
disable
WAN UP/DOWN Alert
disable
IPSec Alert
disable
Firmware Upgrade Alert
disable
License Expiration Alert
disable
CPU Overload Alert
disable
Debug Support
disable
Anti-Virus Alert
disable
Syslog Email
disable
Debug Support
disable
Host Name
Router
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
345
C
Factory Default Settings
User Management
User Management
Feature
Settings
Default User Group
admin
Services for Default Group
Web Login: Administrator
SSLVPN: SSLVPNDefaultPolicy
EzVPN: enable
Captive Portal: enable
Default Administrator Account
User Name: cisco
Password: cisco
Available User Login
Authentication Methods
Local Database
RADIUS
RADIUS+Local Database
LDAP
LDAP+Local Database
Default User Login
Authentication Method
Local Database
RADIUS Settings for
Authentication
RADIUS Server Index
RADIUS Server Timeout
10 seconds
Retries
RADIUS Users Settings
Allow Only Users Listed
Locally
disable
Mechanism for setting user
group memberships for
RADIUS users
Use RADIUS Filter-ID
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
346
C
Factory Default Settings
Networking
Feature
Default User Group to which
all RADIUS Users Belong
Settings
None
LDAP Settings for Authentication
Port number
389
Login Method
Anonymous login
Protocol Version
LDAP version3
LDAP Schemas
Microsoft Active Directory
RFC2789 InetOrgPerson
RFC2307 Network Information Service
LDAP Users, Allow Only
Users Listed Locally
disable
LDAP Users, Default LDAP
User Group
None
User Session Settings
Inactivity timeout
5 minutes
Login Session Limit for Web
Logins
disable
Networking
Feature
Settings
IPv4/IPv6 Routing Mode
IPv4 only
Physical Interface Number for
ISA550 and ISA550W
Dedicated WAN Port
Dedicated LAN Ports
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
347
C
Factory Default Settings
Networking
Feature
Settings
Configurable Ports
Physical Interface Number for
ISA570 and ISA570W
10
Dedicated WAN Port
Dedicated LAN Ports
Configurable Ports
WAN Interfaces
WAN1-IP Address
Assignment
DHCPC
WAN1-MTU
Auto
WAN1-MTU Value
1500
WAN1-Zone Mapping
WAN
Port-Based Access Control
disable
Default Setting for WAN
Redundancy
Equal load balancing (Round robin)
Default Settings for Weighted
Loading Balancing
Weighted By PercentageWAN1
50%
Weighted By PercentageWAN2
50%
Weighted By Link
Bandwidth-WAN1
1 (1 to 1000)
Weighted By Link
Bandwidth-WAN2
1 (1 to 1000)
Default Settings for WAN Failover
Auto Failover To
WAN1
Preempt Delay Timer
5 (3 to 30)
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
348
C
Factory Default Settings
Networking
Feature
Settings
VLANs
Maximum number of VLANs
32
DEFAULT VLAN
VID=1
IP Address=192.168.1.1
Subnet=255.255.255.0
Mapped Zone=LAN
Spanning Tree=disable
DHCP Pool Settings=DHCP Server
DHCP Pool-Start IP =192.168.1.100
DHCP Pool-End IP:1=192.168.1.200
Lease Time=1 day
Default Gateway=192.168.1.1
GUEST VLAN
VID=2
IP Address=192.168.2.1
Subnet=255.255.255.0
Mapped Zone=GUEST
Spanning Tree=disable
DHCP Pool Settings=DHCP Server
DHCP Pool-Start IP =192.168.2.100
DHCP Pool-End IP:1=192.168.2.200
Lease Time=1 day
Default Gateway=192.168.2.1
Zones
Maximum number of Zones
32
Predefined Zones
WAN, LAN, DMZ, VPN, GUEST, SSLVPN,
VOICE
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
349
C
Factory Default Settings
Networking
Feature
Settings
Routing
Routing Mode
disable
Static Routing
disable
Dynamic Routing (RIP)
disable
RIP Version
Default
Policy-based Routing
disable
WAN QoS
disable
WAN Bandwidth Uptream
Settings
WAN1 Upstream limit=0 (0 to 1000000)
WAN QoS Queue Settings
WAN1 Queueing Method=SP
WAN2 Upstream limit=0 (0 to 1000000)
WAN2 Queueing Method=SP
Maximum number of Traffic
Selectors
256
Maximum number of Traffic
Selectors associated with
one WAN QoS Policy Profile
64
LAN QOS
disable
LAN Queueing Method
SP
Classification Method
DSCP for all ports
Mapping Cos to Queue
Mapping all CoS values to Queue4
Mapping DSCP to Queue
Mapping all DSCP values to Queue4
Default CoS
All Port Defaut CoS=0
All Port Trust mode=Trust
WLAN QoS
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
disable
350
C
Factory Default Settings
Networking
Feature
Mapping CoS to Queue
Settings
CoS 0=Queue3
CoS 1=Queue4
CoS 2=Queue4
CoS 3=Queue3
CoS 4=Queue2
CoS 5=Queue2
CoS 6=Queue1
CoS 7=Queue1
Mapping DSCP to Queue
DSCP 000xxx=Queue3
DSCP 001xxx=Queue4
DSCP 010xxx=Queue4
DSCP 011xxx=Queue3
DSCP 100xxx=Queue2
DSCP 101xxx=Queue2
DSCP 110xxx=Queue1
DSCP 111xxx=Queue1
Service Management
Maximum number of Group
Service Objects
64
Maximum number of
Service Objects
256
Address Management
Maximum number of Group
Address Objects
64
Maximum number of
Address Objects
512
VRRP
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
disable
351
C
Factory Default Settings
Wireless
Feature
Settings
IGMP Proxy
disable
IGMP Snooping
enable
IGMP Version (Default)
IGMP V3
Feature
Settings
Wireless
Basic Radio
enable
Wireless Network Mode
802.11b/g/n mixed
Wireless Channel
Auto
Bandwidth Channel
Lower
U-APSD
disable
SSID Isolation (between
SSIDs)
disable
Default SSIDs
enable
Default SSIDs
cisco-data, cisco-guest, cisco3,
cisco4
SSID Broadcast for All
SSIDs
enable
Station Isolation (between
clients)
disable
Security Mode for All SSIDs
Open
WMM for All SSIDs
disable
Connection Control (MAC
Address Filtering)
disable
Advanced Radio Settings
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
352
C
Factory Default Settings
VPN
Feature
Settings
Guart Interval
Long (800ns)
CTS Protection Mode
disabled
Beacon Interval
100 ms
DTIM Interval
2 ms
RTS Threshold
2347
Fragmentation Threshold
2346
Power Output
100%
Wi-Fi Protected Setup (WPS)
disable
Rogue AP Detection
disable
Captive Portal
disable
VPN
Feature
Settings
Site-to-Site VPN
disable
Site-to-Site VPN policies
Maxinum number of Site-toSite VPN policies
100 for ISA570 and ISA570W, and 50 for
ISA550 and ISA550W
PFS
enable
DPD
enable
DPD Delay Time
30 (10 to 300)
DPD Detection Timeout
120 (120 to 1800)
DPD Action
Hold
Authentication Method
Pre-shared Key
Remote Type
Static IP
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
353
C
Factory Default Settings
VPN
Feature
Settings
Net BIOS Broadcast
disable
WAN Failover
disable
Redundant Gateway
disable
Security time
1 hour
IKE policies
Maximum number of IKE
policies
16
Hash
SHA1
Authenication
Pre-shared Key
D-H Group
group_5
Encryption
AES256
Lifetime
24 hours
Transform policies
Maximum number of
Transform policies
16
Integrity
ESP_MD5_HMAC
Encryption
ESP_3DES
Cisco IPSec VPN Server
disable
Maximum number of group
policies
16
WAN Failover
disable
Authentication Method
Pre-shared Key
Network Mode
Client mode
Zone-based Access Control
Permit
Split Tunnel
disable
Cisco IPSec VPN Client
disable
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
354
C
Factory Default Settings
VPN
Feature
Settings
Maximum number of group
policies
16
Auto Initiation Retry
disable
Retry Interval
120 (120 to 1800)
Retry Limit
0 (0 to 16)
Connection on Startup
disable
Authentication Method
Pre-shared Key
Network Mode
Client mode
Zone-based Access Control
Permit
SSL VPN
disable
Gateway Interface
WAN1
Gateway Port
443
Certificate File
default
Idle Timeout
2100
Session Timeout
43200
Client DPD Timeout
300
Gateway DPD Timeout
300
Keep Alive
30
Lease Duration
43200
Max MTU
1406
Rekey Method
SSL
Rekey Interval
3600
Maximum number of SSL
VPN group policies
32
L2TP Server
Listen WAN Interface
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
enable
WAN1
355
C
Factory Default Settings
Security Services
Feature
Settings
User Name
cisco
Password
cisco
MTU
1400 (128 to 1400)
CHAP
enable
PAP
enable
Enable over IPSec
disable
IPSec Passthrough
enable
PPTP Passthrough
enable
L2TP Passthrough
enable
Security Services
Feature
Settings
Intrusion Prevention Service
disable
Automatically Update
Signatures
disable
Select which zone to block
intrusion
WAN zone
Anti-Virus
disable
Select which zone to scan
for viruses
WAN zone
Maximum Scan
Compression File Size
Web URL Filter
Policy to zone mapping for
all predefined zones and
new zones
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
disable
Default_Profile
356
C
Factory Default Settings
Firewall
Feature
Settings
Block or permit web
components (Proxy, Java,
ActiveX, and Cookies)
permit
HTTP Port for Filtering
80
Web Reputation Filter
disable
Reputation Threshold
Conservative
Custom Threshold
-5
Action when Web Repuation
Filter services are
unavailable
All all web traffic until Web Repuation
Filter services are restored
Email Reputation Filter
disable
Reputation Threshold
Conservative
Custom Spam Threshold
-5
Custom Suspect Spam
Threshold
-3
Action for SPAM
BLOCK
Action for SUPECT SPAM
TAG
Action when Email
Reputation Filter services
are unavailable
All all web traffic until Email Reputation
Filter services are restored
Network Reputation
disable
Features
Settings
Firewall
Default firewall rules
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
Prevent all inbound traffic and allow
all outbound traffic
357
C
Factory Default Settings
Firewall
Features
Maximum number of custom
firewall rules
Settings
100
NAT
Dynamic PAT
enable
Maximum number of Static
NAT rules
128
Maximum number of Port
Forwarding rules
15
Maximum number of Port
Triggering rules
15
Maximum number of
Advanced NAT rules
16
Session Settings
Maximum number of
Connections
60000 (1000 to 60000)
TCP Timeout
1200 (5 to 3600)
UDP Timeout
180 (5 to 3600)
Attack Protection
Block Ping WAN interface
enable
Enable Stealth Mode
disable
Block TCP Flood (Threshold:
200 per seconds)
disable
Block UDP Flood (Threshold:
200 per seconds)
disable
Block ICMP Notification
enable
Block Fragmented Packets
disable
Block Muticast Packets
disable
SYN Flood Detect Rate
[max/sec]
0 (0 to 65535)
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
358
C
Factory Default Settings
Reports
Features
Settings
Echo Storm [ping pkts./sec]
0 (0 to 65535)
ICMP Flood [ICMP pkts./sec]
0 (0 to 65535)
Application Level Gateway
enable
SIP ALG
enable
H.323 ALG
enable
Content Filtering
disable
HTTP port for content
filtering
80
Permit or block web
components (Proxy, Java,
ActiveX, Cookies)
permit
MAC Filtering
disable
Maximum number of MAC
Filtering rules
100
Maximum number of
IP&MAC Binding rules
100
Reports
Feature
Settings
IP Bandwidth Report
disable
Service Bandwidth Report
disable
TopN Web Report
disable
WAN Bandwidth Report
disable
Security Service Reports
Network Reputation Report
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
enable
359
C
Factory Default Settings
Default Service Objects
Feature
Settings
IM and P2P Blocking Report
disable
IPS Policy Protocol and
Inspection Report
disable
Web Security Blocked
Report
disable
Email Security Blocked
Report
disable
Anti-Virus Report
disable
Default Service Objects
Service Name
Protocol
Port
Start
Port End
Remarks
AIM-CONNECT
TCP
4443
4443
Direct connect
AIM-CHAT
TCP
5190
5190
File transfer and
chat
BGP
TCP
179
179
BOOTP_client
UDP
68
68
BOOTP_server
UDP
67
67
CU-SEEME
TCP/UDP
7648
7652
DNS
TCP/UDP
53
53
FINGER
TCP
79
79
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
Server control
port:7648
Client contact
port:7649
Data stream over
UDP port: 7648 to
7652, 24032, and
more.
360
C
Factory Default Settings
Default Service Objects
Service Name
Protocol
Port
Start
Port End
Remarks
FTP-DATA
TCP
20
20
Data transfer
FTP-CONTROL
TCP
21
21
Control command,
keep using the port
21 for FTP server
when you public it
on the Internet or
use the active mode
for ????21???
public?????????21?
??????active mode
?not passive?
HTTP
TCP
80
80
HTTPS
TCP
443
443
ICMP-TYPE-0
ICMP
ICMP-TYPE-3
ICMP
ICMP-TYPE-4
ICMP
ICMP-TYPE-5
ICMP
ICMP-TYPE-6
ICMP
ICMP-TYPE-7
ICMP
ICMP-TYPE-8
ICMP
ICMP-TYPE-9
ICMP
ICMP-TYPE-10
ICMP
ICMP-TYPE-11
ICMP
ICMP-TYPE-13
ICMP
ICQ
TCP
5190
5190
IMAP
TCP
143
143
IMAP2
TCP
143
143
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
Alternate host
address
361
C
Factory Default Settings
Default Service Objects
Service Name
Protocol
Port
Start
Port End
IMAP3
TCP
220
220
IRC
TCP
6660
6660
NEWS
TCP
144
144
NFS
UDP
2049
2049
NNTP
TCP
119
119
POP3
TCP
110
110
PPTP
TCP
1723
1723
L2TP
UDP
1701
1701
RCMD
TCP
512
512
REAL-AUDIO
TCP
7070
7070
REXEC
TCP
512
512
RLOGIN
TCP
513
513
RTELNET
TCP
107
107
RTSP
TCP/UDP
554
554
SFTP
TCP
115
115
SMTP
TCP
25
25
SNMP
TCP/UDP
161
161
SNMP-TRAPS
TCP/UDP
162
162
SQL-NET
TCP
1521
1521
SSH
TCP/UDP
22
22
STRMWORKS
UDP
1558
1558
TACACS
TCP
49
49
TELNET
TCP
23
23
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
Remarks
De facto port: 6660
to 6669
NNTP over SSL
uses the port 563.
362
C
Factory Default Settings
Default Address Objects
Service Name
Protocol
Port
Start
Port End
TELNET
Secondary
TCP
8023
8023
TELNET SSL
TCP
992
992
TFTP
UDP
69
69
RIP
UDP
520
520
IKE
UDP
500
500
ISAKMP
UDP
500
500
SHTTPD
TCP
8080
8080
SHTTPDS
TCP
443
443
IDENT
TCP
113
113
VDOLIVE
TCP
7000
7000
SSH
TCP/UDP
22
22
SIP
TCP/UDP
5060
5060
DHCP
UDP
67
67
ESP
IP
(Protocol
50)
IPSEC-UDPENCAP
UDP
4500
4500
Remarks
Default Address Objects
Address Name
Type
Start IP
End IP
WAN1_IP
Host
192.168.100.100
192.168.100.100
WAN1_GW
Host
192.168.100.1
192.168.100.1
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
363
C
Factory Default Settings
Default Address Objects
Address Name
Type
Start IP
End IP
WAN1_DNS1
Host
192.168.100.1
192.168.100.1
WAN1_DNS2
Host
0.0.0.0
0.0.0.0
WAN1_NETWORK
Host
0.0.0.0
0.0.0.0
DEFAULT_IP
Host
192.168.1.1
192.168.1.1
DEFAULT_GW
Host
192.168.1.1
192.168.1.1
DEFAULT_DNS1
Host
192.168.1.1
192.168.1.1
DEFAULT_DNS2
Host
192.168.1.1
192.168.1.1
DEFAULT_WINS1
Host
192.168.1.1
192.168.1.1
DEFAULT_WINS2
Host
192.168.1.1
192.168.1.1
DEFAULT_NETWORK
Network
192.168.1.0
192.168.1.255
GUEST_IP
Host
192.168.2.1
192.168.2.1
GUEST_GW
Host
192.168.2.1
192.168.2.1
GUEST_DNS1
Host
192.168.2.1
192.168.2.1
GUEST_DNS2
Host
192.168.2.1
192.168.2.1
GUEST_WINS1
Host
192.168.2.1
192.168.2.1
GUEST_WINS2
Host
192.168.2.1
192.168.2.1
GUEST_NETWORK
Network
192.168.2.0
192.168.2.255
DEFAULT_DHCP_POO
Range
192.168.1.100
192.168.1.200
GUEST_DHCP_POOL
Range
192.168.2.100
192.168.2.200
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
364
D
Where to Go From Here
Cisco provides a wide range of resources to help you and your customers obtain
the full benefits of the Cisco ISA500 Series Integrated Security Appliance.
Where to Go From Here
Support
Cisco Small Business
Support Community
www.cisco.com/go/smallbizsupport
Cisco Small Business
Support and Resources
www.cisco.com/go/smallbizhelp
Phone Support Contacts
www.cisco.com/go/sbsc
Firmware Download
www.cisco.com/go/isa500software
Product Documentation
Cisco ISA500 Series
Integrated Security
Appliance Technical
Documentation
www.cisco.com/go/isa500resources
Cisco Small Business
Cisco Partner Central
for Small Business (Partner
Login Required)
www.cisco.com/web/partners/sell/smb
Cisco Small Business Home
www.cisco.com/smb
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
365

Source Exif Data:
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.6
Linearized                      : Yes
Encryption                      : Standard V2.3 (128-bit)
User Access                     : Print, Extract, Print high-res
Page Mode                       : UseOutlines
XMP Toolkit                     : 3.1-701
Creator Tool                    : FrameMaker 8.0
Modify Date                     : 2011:05:27 14:42:13+08:00
Create Date                     : 2011:05:23 09:31:31Z
Metadata Date                   : 2011:05:27 14:42:13+08:00
Format                          : application/pdf
Title                           : shiner_admin_guide.book
Creator                         : chaoqima
Producer                        : Acrobat Distiller 9.4.2 (Windows)
Document ID                     : uuid:0f3b9866-fa7e-4f4f-a5f4-dee0ef81962a
Instance ID                     : uuid:3be1d16d-32df-4d69-a113-308d2aed4e49
Page Count                      : 371
Author                          : chaoqima
EXIF Metadata provided by EXIF.tools
FCC ID Filing: MXF-ISA570

Navigation menu