Cisco SA520-K9 Administration Guide

Cisco SA520-K9 - SA 500 Series Security Appliances Manual

Cisco SA520-K9 manual content summary:

  • Cisco SA520-K9 | Administration Guide - Page 1
    ADMINISTRATION GUIDE Cisco Small Business SA500 Series Security Appliances
  • Cisco SA520-K9 | Administration Guide - Page 2
    logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner
  • Cisco SA520-K9 | Administration Guide - Page 3
    23 Changing the Default User Name and Password 23 Backing Up Your Configuration 24 Upgrading the Firmware 24 Common Configuration Scenarios 25 Basic Network Configuration with Internet Access 26 Cisco Smart Business Communications System Configuration 28 Firewall for Controlling Inbound
  • Cisco SA520-K9 | Administration Guide - Page 4
    ) 71 QoS Bandwidth Profiles 72 Creating QoS Bandwidth Profiles for WAN Interfaces 72 Traffic Selectors 73 LAN QoS 74 Enabling LAN QoS 74 Port CoS Mapping 75 Port DSCP Mapping 75 DSCP Remarking 75 Dynamic DNS 76 Cisco SA500 Series Security Appliances Administration Guide 4
  • Cisco SA520-K9 | Administration Guide - Page 5
    Traffic Preliminary Tasks for Firewall Rules Configuring the Default Outbound Policy Configuring a Firewall Rule for Outbound Traffic 77 78 78 80 82 83 83 84 85 85 86 87 88 88 89 91 91 92 95 95 96 98 99 99 101 103 103 104 107 107 Cisco SA500 Series Security Appliances Administration Guide 5
  • Cisco SA520-K9 | Administration Guide - Page 6
    About VPN Configuring a Site-to-Site VPN Tunnel Configuring an IPsec VPN Tunnel for Remote Access with a VPN Client Configuring the User Database for the IPsec Remote Access VPN Advanced Configuration of IPsec VPN 136 136 137 139 142 144 Cisco SA500 Series Security Appliances Administration Guide
  • Cisco SA520-K9 | Administration Guide - Page 7
    Resources for SSL VPN Configuring SSL VPN Port Forwarding SSL VPN Tunnel Client Configuration Viewing the SSL VPN Client Portal VeriSign™ Identity Protection configuration Configuring VeriSign Identity Protection Managing User Credentials for VeriSign Service Chapter 8: Administration Users Domains
  • Cisco SA520-K9 | Administration Guide - Page 8
    Device Status Device Status Resource Utilization Interface Statistics Port Statistics Wireless Statistics for the SA520W VPN Status IPsec VPN Status SSL VPN Status Quick VPN Status Active Users View Logs Cisco SA500 Series Security Appliances Administration Guide Contents 185 187 188 189 190 193
  • Cisco SA520-K9 | Administration Guide - Page 9
    Appendix D: Factory Default Settings General Settings Router Settings Wireless Settings Storage Security Settings Appendix E: Where to Go From Here 213 215 215 215 216 216 217 217 220 221 223 224 227 229 229 231 234 237 238 240 Cisco SA500 Series Security Appliances Administration Guide 9
  • Cisco SA520-K9 | Administration Guide - Page 10
    in the following table. Table 1 Comparison of SA500 Series Security Appliance Models: SA520: Firewall Performance 200 Mbps, UTM 200 Mbps, VPN Performance 65 Mbps, Connections 15,000. SA520W: Firewall Performance 200 Mbps, UTM 200 Mbps, VPN Performance 65 Mbps, Connections 15,000. SA540: Firewall Performance 300 Cisco SA500 Series Security Appliances Administration Guide
  • Cisco SA520-K9 | Administration Guide - Page 11
    or Demarcation Zone, which allows public services such as web servers, without exposing your LAN. • SPEED LED-(Green or Orange) Indicates the traffic rate for the associated port. Off = 10 Mbps, Green = 100 Mbps, Orange = 1000 Mbps. Cisco SA500 Series Security Appliances Administration Guide 11
  • Cisco SA520-K9 | Administration Guide - Page 12
    • USB Port-Connects the security appliance to a USB device. You can use a USB device to store configuration files for backup and restore operations. NOTE The back panel of the SA520W includes three threaded connectors for the antennas. Cisco SA500 Series Security Appliances Administration Guide 12
  • Cisco SA520-K9 | Administration Guide - Page 13
    security appliance is level and stable to avoid any hazardous conditions. To place the security appliance on a desktop, install the four rubber feet (included) on the bottom of the security appliance. Place the device on a flat surface. Cisco SA500 Series Security Appliances Administration Guide
  • Cisco SA520-K9 | Administration Guide - Page 14
    Getting Started Installation 1 Wall Mounting STEP 1 Insert two 17 mm screws, with anchors, into the wall 15 cm apart (about 5.9 inches). Leave 3-4 mm (about 1/8 inch) of the head exposed. Cisco SA500 Series Security Appliances Administration Guide 14
  • Cisco SA520-K9 | Administration Guide - Page 15
    size, 19-inch (about 48 cm) wide rack. Each security appliance requires 1 rack unit (RU) of space, which is 1.75 inches (44.45 mm) high. ! CAUTION Do not overload the power outlet or circuit when installing multiple devices in a rack. Cisco SA500 Series Security Appliances Administration Guide 15
  • Cisco SA520-K9 | Administration Guide - Page 16
    device to the WAN port on the back panel. Cisco strongly recommends using Cat5E or better cable. STEP 4 For network devices, connect an Ethernet network cable from the network device to one of the dedicated LAN ports on the back panel. Cisco SA500 Series Security Appliances Administration Guide 16
  • Cisco SA520-K9 | Administration Guide - Page 17
    , you must be able to connect to the SA500 Series Security Appliances from your administration PC or laptop. You can access the security appliance by using any web browser (such as Microsoft Internet Explorer or Mozilla Firefox). Cisco SA500 Series Security Appliances Administration Guide 17
  • Cisco SA520-K9 | Administration Guide - Page 18
    the Cisco Configuration Assistant (CCA) to launch the Configuration Utility if you are using the security appliance with a CCA-supported device, such as the UC500. For more information about CCA, see: www.cisco.com/go/configassist. Cisco SA500 Series Security Appliances Administration Guide 18
  • Cisco SA520-K9 | Administration Guide - Page 19
    For help with advanced configuration tasks, such as firewall/NAT configuration, optional WAN configuration, DMZ configuration, and VPN setup, click the Getting Started > Advanced link in the start-up box. Getting Started (Basic) Page Cisco SA500 Series Security Appliances Administration Guide 19
  • Cisco SA520-K9 | Administration Guide - Page 20
    Getting Started Getting Started with the Configuration Utility Getting Started (Advanced) Page 1 Cisco SA500 Series Security Appliances Administration Guide 20
  • Cisco SA520-K9 | Administration Guide - Page 21
    or contract its contents. Click on the title of a feature or subfeature to open it. The main content of the feature appears in this area. Cisco SA500 Series Security Appliances Administration Guide 21
  • Cisco SA520-K9 | Administration Guide - Page 22
    Access, page 26. • Optional Port: This port is preset to act as a secondary WAN port. Alternatively, you can configure the Optional port for use as a DMZ port or an extra LAN port. See Scenario 1: Basic Network Configuration with Cisco SA500 Series Security Appliances Administration Guide 22
  • Cisco SA520-K9 | Administration Guide - Page 23
    STEP 2 In the first row of the table, find the default Administrator account. STEP 3 Click the button in the Edit column. The User Configuration window opens, displaying the default information. STEP 4 Enter the following information: Cisco SA500 Series Security Appliances Administration Guide 23
  • Cisco SA520-K9 | Administration Guide - Page 24
    the link: Check for updates and download if new STEP 2 When the web page opens, download the latest software. STEP 3 In the Upgrade Firmware section of the Getting Started (Basic) page, click the Install the updated firmware link. Cisco SA500 Series Security Appliances Administration Guide 24
  • Cisco SA520-K9 | Administration Guide - Page 25
    7: DMZ for Public Websites and Services, page 29 • Scenario 6: Firewall for Controlling Inbound and Outbound Traffic, page 29 • Scenario 9: Site-to-Site Networking and Remote Access, page 31 • Scenario 10: Wireless Networking, page 35 Cisco SA500 Series Security Appliances Administration Guide 25
  • Cisco SA520-K9 | Administration Guide - Page 26
    your network, make sure that you have upgraded the firmware (see Upgrading the Firmware, page 24) and changed the default Administrator password (see Changing the Default User Name and Password, page 23). Consider the following first steps: 1. Review the WAN configuration and make any changes that
  • Cisco SA520-K9 | Administration Guide - Page 27
    use your security appliance with your Cisco Smart Business Communications System (SBCS), install and configure your UC500. See Scenario 8: Cisco Smart Business Communications System Configuration, page 28. 4. Consider how you want to use the Optional port: • If you need to host public services such
  • Cisco SA520-K9 | Administration Guide - Page 28
    Cisco Smart Business Communications System Configuration You can use the security appliance to protect your Cisco Smart Business . For instructions, refer to the documentation or online Help for the Cisco Configuration Assistant (CCA). Cisco SA500 Series Security Appliances Administration Guide 28
  • Cisco SA520-K9 | Administration Guide - Page 29
    Zone). This zone acts as a separate network between your private LAN and the Internet. After you configure your DMZ, you can configure the firewall rules that enable traffic to connect only to the services that you specify. Cisco SA500 Series Security Appliances Administration Guide 29
  • Cisco SA520-K9 | Administration Guide - Page 30
    with Internet Access, page 26. Configuration tasks for this scenario: To start configuring a DMZ, use the links in the DMZ Port section of the Getting Started (Advanced) page. For more information, see Configuring a DMZ, page 61. Cisco SA500 Series Security Appliances Administration Guide 30
  • Cisco SA520-K9 | Administration Guide - Page 31
    , the security appliance supports Cisco ProtectLink Security services. By using these services, your network is protected from email threats in the Internet "cloud" and web threats in the Cisco security appliance, providing access only to email and websites that are appropriate for your business
  • Cisco SA520-K9 | Administration Guide - Page 32
    you can use other links on the Getting Started (Advanced) page to review and modify the policies that were created by the Wizard. For more information, see Configuring an IPsec VPN Tunnel for Remote Access with a VPN Client, page 139. Cisco SA500 Series Security Appliances Administration Guide 32
  • Cisco SA520-K9 | Administration Guide - Page 34
    to add your VPN users. Optionally, you can use other links to configure the policies, client settings, routes, and resources for your SSL VPN. For more information, see Configuring SSL VPN for Browser-Based Remote Access, page 154. Cisco SA500 Series Security Appliances Administration Guide 34
  • Cisco SA520-K9 | Administration Guide - Page 35
    your wireless network right away, you should configure the security settings to protect your network and the data that you transmit. To configure your wireless network, see Chapter 3, "Wireless Configuration for the SA520W." Cisco SA500 Series Security Appliances Administration Guide 35
  • Cisco SA520-K9 | Administration Guide - Page 36
    WAN • Configuring a DMZ • VLAN Configuration • Routing • Port Management • QoS Bandwidth Profiles • Dynamic DNS • Configuring IPv6 Addressing To access the Networking pages click Networking from the Configuration Utility menu bar. Cisco SA500 Series Security Appliances Administration Guide 36
  • Cisco SA520-K9 | Administration Guide - Page 37
    security appliance disconnects from the Internet after a specified period of inactivity (Idle Time). Choose this option if your ISP fees are based on the time that you spend online. If you select this option, also enter the Idle Time in minutes Cisco SA500 Series Security Appliances Administration Guide
  • Cisco SA520-K9 | Administration Guide - Page 38
    : Resets the connection weekly on a specific day. If you choose this option, domain names (example: www.cisco.com) to IP addresses. You Default to use the default MTU size, 1500 bytes. Choose Custom if you want to specify another size. Cisco SA500 Series Security Appliances Administration Guide
  • Cisco SA520-K9 | Administration Guide - Page 39
    Port > WAN to configure the WAN connection. For more information, see Configuring the Optional WAN, page 54. • If you are having problems with your WAN connection, see the Internet Connection, page 217 in Appendix A, "Troubleshooting Cisco SA500 Series Security Appliances Administration Guide 39
  • Cisco SA520-K9 | Administration Guide - Page 40
    connection. NOTE If you are having problems with your WAN connection, see the Internet Connection, page 217 in Appendix A, "Troubleshooting." Creating PPPoE Profiles If you have window opens. STEP 2 Click Add to create a new profile. Cisco SA500 Series Security Appliances Administration Guide 40
  • Cisco SA520-K9 | Administration Guide - Page 41
    an IP alias to the port. STEP 1 Click Networking > WAN > IP Alias. The IP Aliases window opens. Any currently configured WAN IP aliases used by the WAN port appear in the List of IP Aliases table. STEP 2 Click Add to add a new alias. Cisco SA500 Series Security Appliances Administration Guide 41
  • Cisco SA520-K9 | Administration Guide - Page 42
    name on which the alias is created. • IP Address: The IP address alias added to this WAN port of the router. • Mask: The IPv4 subnet mask. STEP 4 Click Apply to save your changes. The new alias appears in the List of IP Aliases table. Cisco SA500 Series Security Appliances Administration Guide 42
  • Cisco SA520-K9 | Administration Guide - Page 43
    Clients • Configuring an IGMP Proxy • Configuring the Optional Port as a LAN Port About the Default LAN Settings • By default the LAN of the router is configured in the 192.168.75.0 subnet and the LAN IP address of the router is 192.168.75.1. • By default, the security appliance acts as a Dynamic
  • Cisco SA520-K9 | Administration Guide - Page 44
    IPs, page 52. - DHCP Relay: Choose this option to allow the security appliance to use a DHCP Relay. If you choose this mode, also enter the IP address of the Relay Gateway. • Domain Name (optional): Enter a name for the domain. Cisco SA500 Series Security Appliances Administration Guide 44
  • Cisco SA520-K9 | Administration Guide - Page 45
    security appliance. Any new DHCP client that joins the LAN is assigned an IP address in this range. The default starting address is 192.168.75.2. The default and secondary Tftp server for your service provider. • WINS Server (Optional): Cisco SA500 Series Security Appliances Administration Guide 45
  • Cisco SA520-K9 | Administration Guide - Page 46
    example, if you need a guest network for visitors to your site, you can create a new VLAN. Any PC that is connected to the specified LAN port is on a separate VLAN and cannot access other VLANs, unless you enable inter-VLAN routing. Cisco SA500 Series Security Appliances Administration Guide 46
  • Cisco SA520-K9 | Administration Guide - Page 47
    following topics: • Default VLAN Settings • Enabling or Disabling VLAN Support • Creating VLAN IDs • Assigning VLANs to LAN Ports Default VLAN Settings By default, the data VLAN - End IP Address: 10.1.1.254 - Subnet Mask: 255.255.255.0 Cisco SA500 Series Security Appliances Administration Guide 47
  • Cisco SA520-K9 | Administration Guide - Page 48
    you will assign VLAN IDs to ports on the Port VLANs page. STEP 1 Click Networking > VLAN > Available VLANs. The Available VLANs window opens. The default VLAN and any other VLANs appear number, which can be any number from 2 to 4091. Cisco SA500 Series Security Appliances Administration Guide 48
  • Cisco SA520-K9 | Administration Guide - Page 49
    set of VLANs. The port sends and receives both tagged and untagged data. Untagged data coming into the port is assigned the specified PVID. Data that is sent out of the port from the same PVID is untagged. All other data is tagged. Cisco SA500 Series Security Appliances Administration Guide 49
  • Cisco SA520-K9 | Administration Guide - Page 50
    port is tagged. Untagged data coming into the port is not forwarded, except for the default VLAN with PVID=1, which is untagged. Trunk mode is recommended if the port is connected to a VLAN-aware switch or router , choose the DHCP mode: Cisco SA500 Series Security Appliances Administration Guide 50
  • Cisco SA520-K9 | Administration Guide - Page 51
    the Enable DNS Proxy box to allow the VLAN to act as a proxy for all DNS requests and to communicate with the DNS servers of the ISP. When this feature is disabled, all DHCP clients on the VLAN receive the DNS IP addresses of the ISP. Cisco SA500 Series Security Appliances Administration Guide 51
  • Cisco SA520-K9 | Administration Guide - Page 52
    may render the DNS servers inaccessible. However, when the DNS proxy is enabled, then clients can make requests to the router and the router, in turn, sends those requests to the DNS servers of STEP 4 Click Apply to save your settings. Cisco SA500 Series Security Appliances Administration Guide 52
  • Cisco SA520-K9 | Administration Guide - Page 53
    Proxy You can configure the router to act as a proxy port for use as a LAN port. STEP 1 Click Networking > Optional Port > Optional Port Mode. The Optional Port Mode window opens. STEP 2 Choose LAN. STEP 3 Click Apply to save your settings. Cisco SA500 Series Security Appliances Administration Guide
  • Cisco SA520-K9 | Administration Guide - Page 54
    port for use as a WAN port: a. Click Networking > Optional Port > Optional Port Mode, or from the Getting Started (Advanced) page, under Secondary WAN Port, click Set Optional Port to WAN. The Optional Port by your service provider: PPTP Cisco SA500 Series Security Appliances Administration Guide 54
  • Cisco SA520-K9 | Administration Guide - Page 55
    Password: The password Internet service. - Idle Time: The security appliance disconnects names (example: www.cisco.com) to IP addresses. You Default to use the default MTU size, 1500 bytes. Choose Custom if you want to specify another size. Cisco SA500 Series Security Appliances Administration Guide
  • Cisco SA520-K9 | Administration Guide - Page 56
    . • Recommended: To configure auto-rollover, load balancing, and failure detection for your ISP links, click Optional Port > WAN Mode. For more information, see Configuring Auto-Rollover, Load Balancing, and Failure Detection, page 57. Cisco SA500 Series Security Appliances Administration Guide 56
  • Cisco SA520-K9 | Administration Guide - Page 57
    for incoming traffic. To maintain better control of WAN port traffic, consider making the WAN port Internet addresses public and keeping the other one private. Figure 2 shows an example of Dual WAN Ports configured with Load Balancing. Cisco SA500 Series Security Appliances Administration Guide 57
  • Cisco SA520-K9 | Administration Guide - Page 58
    or Optional WAN. When Auto Failover mode is enabled, the link status of the primary WAN port is checked at regular intervals as defined by the failure detection settings. • Load Balancing: Choose Bindings for Load Balancing, page 60. Cisco SA500 Series Security Appliances Administration Guide 58
  • Cisco SA520-K9 | Administration Guide - Page 59
    how often, in seconds, the security appliance should run the above configured failure detection method. • Failover after: Specify the number of retries after which failover is initiated. STEP 4 Click Apply to save your settings. Cisco SA500 Series Security Appliances Administration Guide 59
  • Cisco SA520-K9 | Administration Guide - Page 60
    WAN Port, click Configure Protocol Bindings (Optional - if WAN Mode set to Load Balancing). The Protocol Bindings window opens. Any existing protocol bindings appear in the List of Available Protocol Bindings table. STEP 2 Click Add. Cisco SA500 Series Security Appliances Administration Guide 60
  • Cisco SA520-K9 | Administration Guide - Page 61
    additional layer of security to the LAN. The public can connect to the services on the DMZ but cannot penetrate the LAN. You should configure your DMZ to include any hosts that must be exposed to the WAN (such as web or email servers). Cisco SA500 Series Security Appliances Administration Guide 61
  • Cisco SA520-K9 | Administration Guide - Page 62
    [Figure: DMZ example. LAN Interface 192.168.75.1; DMZ Interface 172.16.2.1; Source Address Translation 209.165.200.225 to 172.16.2.30; Web Server Private IP Address: 172.16.2.30, Public IP Address: 209.165.200.225; User 192.168.75.10; User 192.168.75.11] Cisco SA500 Series Security Appliances Administration Guide 62
  • Cisco SA520-K9 | Administration Guide - Page 63
    web server at 172.16.2.30. The firewall rule specifies an external IP address of 209.165.200.226. Internet users can enter the domain name that is associated with the IP address 209.165.200.226, and they are connected to the web server. Cisco SA500 Series Security Appliances Administration Guide
  • Cisco SA520-K9 | Administration Guide - Page 64
    white backgrounds. - DHCP Relay: Choose this option to allow the security appliance to use a DHCP Relay. If you choose this mode, also enter the IP address of the Relay Gateway. • Domain Name (optional): Enter a name for the domain. Cisco SA500 Series Security Appliances Administration Guide 64
  • Cisco SA520-K9 | Administration Guide - Page 65
    address. The default is 24 hours Firewall Rule for Inbound Traffic, page 110. • If you want to reserve certain IP addresses for specified devices, click Optional Port > DMZ Reserved IPs. For more information, see DMZ Reserved IPs, page 66. Cisco SA500 Series Security Appliances Administration Guide
  • Cisco SA520-K9 | Administration Guide - Page 66
    page 61. STEP 1 Click Networking > Optional Port > DMZ Reserved IPs, or from the Getting Started (Advanced) page, under DMZ Port, click Configure DMZ DHCP Reserved IPs (Optional). The Address. STEP 4 Click Apply to save your settings. Cisco SA500 Series Security Appliances Administration Guide 66
  • Cisco SA520-K9 | Administration Guide - Page 67
    across several devices such as your LAN, and using the other dedicated devices for DMZ. NAT is the default option. • Classic Routing: Choose this option if your ISP has assigned an IP address for each of the computers that you use. Cisco SA500 Series Security Appliances Administration Guide 67
  • Cisco SA520-K9 | Administration Guide - Page 68
    is enabled. • Private: Determines whether the route can be shared with other routers when RIP is enabled. If it is selected, then the route will not of the gateway router through which the destination host or network can be reached. Cisco SA500 Series Security Appliances Administration Guide 68
  • Cisco SA520-K9 | Administration Guide - Page 69
    most commonly supported version. - RIP-2 includes all the functionality of RIPv1 plus it supports subnet information. Though the data is sent in RIP-2 format for both RIP-2B and RIP-2M, the mode in which packets are sent is different. Cisco SA500 Series Security Appliances Administration Guide 69
  • Cisco SA520-K9 | Administration Guide - Page 70
    > Port Management > Port Management. The Port Management window opens. STEP 2 Choose the following options for each port: • Enable: Check this box to enable the port. To disable the port, uncheck the box. By default all ports are enabled. Cisco SA500 Series Security Appliances Administration Guide
  • Cisco SA520-K9 | Administration Guide - Page 71
    information: • Do you want to enable Port Mirroring: Check this box to enable port mirroring. • Mirror all LAN Ports to: Choose the LAN port that will monitor all of the other LAN ports. STEP 3 Click Apply to save your settings. Cisco SA500 Series Security Appliances Administration Guide 71
  • Cisco SA520-K9 | Administration Guide - Page 72
    2 QoS Bandwidth Profiles You can configure Quality of Service (QoS) Bandwidth Profiles for the WAN and the LAN. For traffic from the secure zone to the insecure zone, QoS is determined by box at the left side of the heading row. Cisco SA500 Series Security Appliances Administration Guide 72
  • Cisco SA520-K9 | Administration Guide - Page 73
    , check the box and then click Delete. To select all entries in the table, check the box at the left side of the heading row. Cisco SA500 Series Security Appliances Administration Guide 73
  • Cisco SA520-K9 | Administration Guide - Page 74
    port, choose the type of value to use to classify the traffic. You can choose either DSCP, which is a layer 3 IP field, or CoS, which is a layer 2 Ethernet header field, depending on your requirements. STEP 4 Click Apply to save your settings. Cisco SA500 Series Security Appliances Administration
  • Cisco SA520-K9 | Administration Guide - Page 75
    to DSCP. The Remark CoS to DSCP window opens. STEP 2 For each CoS value, use the drop-down list to choose the corresponding DSCP value. Cisco SA500 Series Security Appliances Administration Guide 75
  • Cisco SA520-K9 | Administration Guide - Page 76
    on the DynDNS website. • Update every 30 days: Check this box to allow the security appliance to update the host information on DynDNS and keep the subscription active after the 30 day trial. STEP 4 Click Apply to save your settings. Cisco SA500 Series Security Appliances Administration Guide 76
  • Cisco SA520-K9 | Administration Guide - Page 77
    the security appliance to support IPv6 addressing on the LAN and the Dedicated WAN. NOTE IPv6 is not supported on the Optional port. First Status • ISATAP Tunnels • MLD Tunnels • Configuring Router Advertisement • Adding RADVD Prefixes Cisco SA500 Series Security Appliances Administration Guide 77
  • Cisco SA520-K9 | Administration Guide - Page 78
    are supported. the device to reboot," click OK to default, when you enable IPv6 mode, your security appliance service provider assigned a fixed (static or permanent) IP address. If you were not assigned a static IP address, choose DHCPv6. Cisco SA500 Series Security Appliances Administration Guide
  • Cisco SA520-K9 | Administration Guide - Page 79
    Address: Enter the static IP address that was provided by your Service Provider. • IPv6 Prefix Length: The IPv6 network (subnet) routers. • Stateful Address Auto Configuration: If you choose this option, the security appliance connects Cisco SA500 Series Security Appliances Administration Guide 79
  • Cisco SA520-K9 | Administration Guide - Page 80
    default setting). If you want the security appliance to act as a DHCP server that dynamically assigns IP addresses to all connected devices, click Enable DHCPv6 Server, and then complete all fields that are highlighted with white backgrounds. Cisco SA500 Series Security Appliances Administration
  • Cisco SA520-K9 | Administration Guide - Page 81
    Daemon (RADVD). For more information, see Router Advertisement Daemon (RADVD), page 88. • If you want to configure the LAN address pools, click IPv6 > IPv6 Address Pools. For more information, see IPv6 LAN Address Pools, page 82. Cisco SA500 Series Security Appliances Administration Guide 81
  • Cisco SA520-K9 | Administration Guide - Page 82
    IPv6 address. The number of common initial bits in the addresses is set by the prefix length field. STEP 4 Click Apply to save your settings. Cisco SA500 Series Security Appliances Administration Guide 82
  • Cisco SA520-K9 | Administration Guide - Page 83
    table, check the box at the left side of the heading row. After you click Add or Edit, the IPv6 Static Route Configuration window opens. Cisco SA500 Series Security Appliances Administration Guide 83
  • Cisco SA520-K9 | Administration Guide - Page 84
    a neighbor after 180 seconds, the routes learned from the neighbor are considered unreachable. After another 240 seconds, if no routing update is received, the security appliance removes these routes from the routing table. Cisco SA500 Series Security Appliances Administration Guide 84
  • Cisco SA520-K9 | Administration Guide - Page 85
    Networking Configuring IPv6 Addressing 2 NOTE RIPng is disabled by default. STEP 1 Click Networking > IPv6 > Routing (RIPng). The Routing (RIPng) window opens. STEP . To open this page, click Networking > IPv6 > IPv6 Tunnels Status. Cisco SA500 Series Security Appliances Administration Guide 85
  • Cisco SA520-K9 | Administration Guide - Page 86
    router. The endpoint can be the LAN interface (assuming the LAN is an IPv4 network), or a specific LAN IPv4 address. • IPv4 Address: Enter the local end point address if not the LAN IPv4 address. STEP 4 Click Apply to save your settings. Cisco SA500 Series Security Appliances Administration Guide
  • Cisco SA520-K9 | Administration Guide - Page 87
    discovers listeners for a specific multicast group. This protocol the box to enable MLD when this router is in IPv6 mode. Then enter the a link is expected to be lossy. The default value is 2. The minimum value of Robustness Variable Cisco SA500 Series Security Appliances Administration Guide 87
  • Cisco SA520-K9 | Administration Guide - Page 88
    this option to send router advertisements to all interfaces default is 30 seconds. • RA Flags: Choose one of the following options: - Managed: Choose this option to use the administered/stateful protocol for address auto configuration. Cisco SA500 Series Security Appliances Administration Guide
  • Cisco SA520-K9 | Administration Guide - Page 89
    cases where the LAN MTU is not well known. The default is 1500. • Router Lifetime: Enter the lifetime in seconds of the route. The default is 3600 seconds. STEP 3 Click Apply to save your IPv6 Prefix: Specify the IPv6 network address. Cisco SA500 Series Security Appliances Administration Guide 89
  • Cisco SA520-K9 | Administration Guide - Page 90
    order bits of the address that make up the network portion of the address. • Prefix Lifetime: Enter the maximum number of seconds that the requesting router is allowed to use the prefix. STEP 4 Click Apply to save your settings. Cisco SA500 Series Security Appliances Administration Guide 90
  • Cisco SA520-K9 | Administration Guide - Page 91
    the SA520W. It includes the following sections: • Configuring an Access Point • Configuring the Radio NOTE The router is configured with default settings customize the security mode, the Quality of Service settings, and the radio. Cisco SA500 Series Security Appliances Administration Guide 91
  • Cisco SA520-K9 | Administration Guide - Page 92
    ): WPA provides better security than WEP because it uses dynamic key encryption. This standard was implemented as an intermediate measure to replace WEP, pending final completion of the 802.11i standard for WPA2. WPA supports TKIP or Cisco SA500 Series Security Appliances Administration Guide 92
  • Cisco SA520-K9 | Administration Guide - Page 93
    supports CCMP or CCMP+TKIP encryption (default is CCMP) and PSK/RADIUS authentication. WPA2 is recommended, although some devices may not support this security mode. To protect password. secure than the 128 WEP which has a 104-bit key). Cisco SA500 Series Security Appliances Administration Guide 93
  • Cisco SA520-K9 | Administration Guide - Page 94
Wireless Configuration for the SA520W Configuring an Access Point 3 • WEP Passphrase: Choose any alphanumeric phrase (longer than 8 characters for optimal security) and click Generate key Configuring RADIUS Server Records, page 193.
  • Cisco SA520-K9 | Administration Guide - Page 95
as needed. You can choose from four Class of Service queues to prioritize the data traffic over the wireless link: • Voice: Highest priority queue, minimum delay. Used typically to send time-sensitive data such as Voice over IP (VoIP).
  • Cisco SA520-K9 | Administration Guide - Page 96
. Any device can use this access point. MAC Filtering provides additional security, but it also adds to the complexity and maintenance. Be sure to enter each MAC address correctly to ensure that the policy is applied as intended.
  • Cisco SA520-K9 | Administration Guide - Page 97
SA520W Configuring an Access Point 3 Before performing this procedure, decide whether you want to enter a list of addresses that will be denied access or a list that will be allowed access. Generally it is easier and more secure
  • Cisco SA520-K9 | Administration Guide - Page 98
from the drop-down list. • Max Associated Clients: Enter the maximum number of clients that can connect to this access point at any time. The default is 8 clients.
  • Cisco SA520-K9 | Administration Guide - Page 99
    for the SA520W Configuring the Radio 3 • SSID: Specify the Service Set Identifier, or network name, that clients use to connect to the access point. It is a good practice to replace the default SSID with a unique identifier. • Broadcast SSID: Check this box to allow the security appliance to
  • Cisco SA520-K9 | Administration Guide - Page 100
noise levels for the available channels. • Default Transmit Power: Enter a value in dBm as the default transmitted power level for all APs that use this radio. The default is 20 dBm. STEP 3 Click Apply to save your settings.
  • Cisco SA520-K9 | Administration Guide - Page 101
Wireless Configuration for the SA520W Configuring the Radio 3 Advanced Radio Configuration This page is used to specify advanced configuration with the legacy 802.11 systems operating at 1 and 2 Mbps. The default is Long.
  • Cisco SA520-K9 | Administration Guide - Page 102
: Enter the number of times the security appliance will retry a frame transmission that fails. Retries are used for both long and short frames, of size less than or equal to the RTS threshold. STEP 3 Click Apply to save your settings.
  • Cisco SA520-K9 | Administration Guide - Page 103
: web browsing, VoIP, other standard services and also custom services that you define) • Direction of the traffic • Days of the week and times of day • Keywords in a domain name or on a URL of a web page • MAC addresses of devices
  • Cisco SA520-K9 | Administration Guide - Page 104
(See Appendix B, "Standard Services.") If you need to configure a firewall rule for a service that is not on the standard list, first you must identify the service by entering a name, specifying the type, and assigning the port range.
  • Cisco SA520-K9 | Administration Guide - Page 105
weekend, you could create a schedule named Weekend that is active all day on Saturday and Sunday. For more information about the time settings for your security appliance, see Configuring the Time Settings, page 184.
  • Cisco SA520-K9 | Administration Guide - Page 106
Select Schedule drop-down list on the Firewall Rule Configuration page. • Scheduled Days: From the drop-down list, choose All Days or Specific Days. If you choose Specific Days, also check the days for you will add the IP address to.
  • Cisco SA520-K9 | Administration Guide - Page 107
This procedure explains how to configure a firewall rule for the following traffic flows: • From the LAN to the WAN • From the LAN to the DMZ • From the DMZ to the WAN For examples, see Firewall Rule Configuration Examples, page 114.
  • Cisco SA520-K9 | Administration Guide - Page 108
, see Configuring Blocked URLs to Prevent Access to Websites, page 127. STEP 1 Click Firewall > Firewall > IPv4 Rules or IPv6 Rules, or for IPv4 rules, you can use the Getting Started , the To Zone can be the public DMZ or secure LAN.
  • Cisco SA520-K9 | Administration Guide - Page 109
traffic. Each priority level corresponds to a Type of Service (ToS) value. - Normal-Service: ToS=0 (lowest QoS) - Minimize-Cost: ToS=1 - Maximize-Reliability: ToS=2 - Maximize-Throughput: ToS=4 - Minimize-Delay: ToS=8 (highest QoS)
  • Cisco SA520-K9 | Administration Guide - Page 110
, page 114. NOTE In addition to configuring firewall rules, you can use the following methods to control inbound traffic: • You can prevent common types of attacks. For more information, see Configuring Attack Checks, page 118.
  • Cisco SA520-K9 | Administration Guide - Page 111
MAC Binding to Prevent Spoofing, page 128 STEP 1 Click Firewall > Firewall > IPv4 Rules or IPv6 Rules, or for IPv4 rules, you can DMZ or secure LAN. - If the From Zone is the LAN, then the To Zone can be the public DMZ or insecure WAN.
  • Cisco SA520-K9 | Administration Guide - Page 112
IPv4 Firewall service. • Enable Port Forwarding: Check the box to forward traffic to a particular port. • Translate Port Number: If you enabled port forwarding, enter the port number that will be the destination for the forwarded traffic.
  • Cisco SA520-K9 | Administration Guide - Page 113
Rules. Only the rules for the specified security zones appear. For example: If you choose WAN and LAN from the Zone drop-down menus, only the rules for the WAN to LAN security zones appear. STEP 3 To reorder the rules, click Move.
  • Cisco SA520-K9 | Administration Guide - Page 114
Firewall web server. Solution: Create an inbound rule as follows: • From Zone: Insecure (WAN1) • To Zone: DMZ • Service: HTTP • Action: ALLOW always • Source Hosts: Any • Internal IP Address: 192.168.5.2 • External IP Address: Dedicated WAN
  • Cisco SA520-K9 | Administration Guide - Page 115
for CU-SeeMe (an Internet video-conferencing client) are allowed only from a specified range of external IP addresses. • From Zone: INSECURE (Dedicated WAN/Optional WAN) • To Zone: Secure (LAN) • Service: CU-SEEME:UDP
  • Cisco SA520-K9 | Administration Guide - Page 116
Firewall Configuration Firewall Rule Configuration • From Zone: Secure (LAN) • To Zone: INSECURE (Dedicated WAN/Optional WAN) • Service: HTTP • Action: BLOCK by schedule • Schedule: Weekend • Source Hosts: Address Range • From: 10.1.1.1 • To: 10.1.1.100 • Destination Hosts: Any
  • Cisco SA520-K9 | Administration Guide - Page 117
undesired inbound traffic. • Configuring Attack Checks • Configuring MAC Filtering to Allow or Block Traffic • Configuring IP/MAC Binding to Prevent Spoofing • Configuring a Port Triggering Rule to Direct Traffic to Specified Ports
  • Cisco SA520-K9 | Administration Guide - Page 118
security appliance from responding to port scans from the WAN. In Stealth Mode, your network is less susceptible to discovery and attacks. • Block TCP Flood: Check this box to drop all invalid TCP packets. This feature protects
  • Cisco SA520-K9 | Administration Guide - Page 119
security appliance to determine that a SYN Flood Intrusion is occurring. This value can range between 1 and 10,000 packets per second. The default and block the rest. STEP 1 Click Firewall > MAC Filtering > MAC Filtering. The Source
  • Cisco SA520-K9 | Administration Guide - Page 120
IP/MAC Binding. If the router sees packets with matching IP addresses but inconsistent MAC addresses or vice-versa, it will drop these packets. STEP 1 Click Firewall > MAC Filtering > IP/MAC in the first column of the table heading.
  • Cisco SA520-K9 | Administration Guide - Page 121
and outgoing ports to open when enabled. See Appendix B, "Standard Services." NOTE Port triggering is not appropriate for servers on the LAN, since the LAN device must make an outgoing connection before an incoming port is opened.
  • Cisco SA520-K9 | Administration Guide - Page 122
. The ports are opened dynamically whenever the security appliance detects traffic that matches a port triggering rule. To view this page, click Firewall > Port Triggering > Port Triggering Status. The following information appears:
  • Cisco SA520-K9 | Administration Guide - Page 123
(seconds): Inactive non-TCP/UDP sessions are removed from the session table after this duration. This value can range between 0 and 4,294,967 seconds. The default is 60 seconds.
  • Cisco SA520-K9 | Administration Guide - Page 124
MAC Binding to Prevent Spoofing Configuring Content Filtering to Allow or Block Web Components The security appliance supports a content filtering option that you can use to block access to Domains, keyword filtering, and so on.
  • Cisco SA520-K9 | Administration Guide - Page 125
to store tracking information and browsing habits. Enabling this option blocks cookies from being created by a website. STEP 4 Click Apply to save your settings.
  • Cisco SA520-K9 | Administration Guide - Page 126
See Configuring Content Filtering to Allow or Block Web Components, page 124. STEP 1 Click Firewall > Content Filtering > Approved URLs. The com, tw.yahoo.com, www.yahoo.com.uk, and www.yahoo.co.jp. STEP 5 Click Apply to save your settings.
  • Cisco SA520-K9 | Administration Guide - Page 127
See Configuring Content Filtering to Allow or Block Web Components, page 124. STEP 1 Click Firewall > Content Filtering > Blocked URLs. The com, tw.yahoo.com, www.yahoo.com.uk, and www.yahoo.co.jp. STEP 4 Click Apply to save your settings.
  • Cisco SA520-K9 | Administration Guide - Page 128
Firewall security feature. Otherwise, choose Disable. NOTE After you enable the logging, you can view these logs by clicking Status on the menu bar, and then clicking View Log > View All Logs. STEP 4 Click Apply to save your settings.
  • Cisco SA520-K9 | Administration Guide - Page 129
to enable SIP ALG support or uncheck the box to disable this feature. If this feature is disabled, the router will not allow incoming calls to the UAC (User Agent Client) behind the router. STEP 3 Click Apply to save your settings.
  • Cisco SA520-K9 | Administration Guide - Page 130
    logged depending on the administrative settings, but all other traffic is unaffected. Unlike traditional firewalls, an IPS makes access control decisions based on application content, rather than IP address or ports. You can configure IPS to protect network services such as web, instant messaging
  • Cisco SA520-K9 | Administration Guide - Page 131
in Administration is automatically updated for IPS signature downloads. - Click Update Now to immediately update new signatures if they are available. This option is only active if the Automatically Update Signature box is checked.
  • Cisco SA520-K9 | Administration Guide - Page 132
logged, you must configure IPS as the facility. For more information, see Logs Facility and Severity, page 189. STEP 3 Click Apply to save your settings.
  • Cisco SA520-K9 | Administration Guide - Page 133
on this protocol and to log a message upon detection. This option is mostly used for troubleshooting purposes. • Detect and Prevent: Choose this option to check for and prevent attacks on STEP 3 Click Apply to save your settings.
  • Cisco SA520-K9 | Administration Guide - Page 134
checking for this service. • Detect Only: Choose this option to check for attacks on this service and to log a message upon detection. This option is mostly used for troubleshooting purposes. • STEP 3 Click Apply to save your settings.
  • Cisco SA520-K9 | Administration Guide - Page 135
License Management. After you activate your service, use the links in the navigation pane to configure the ProtectLink services. For more information, see the Cisco ProtectLink Security documentation at: www.cisco.com/go/protectlink.
  • Cisco SA520-K9 | Administration Guide - Page 136
, page 137. • Remote Access with a Web Browser: A remote worker uses a web browser to initiate a VPN tunnel to access the available services on the corporate network. See Configuring SSL VPN for Browser-Based Remote Access, page 154.
  • Cisco SA520-K9 | Administration Guide - Page 137
another VPN gateway. STEP 3 In the Connection Name and Remote IP Type area, enter the following information: • What is the new connection name?: Enter a name for the connection. The name is used for management and identification purposes.
  • Cisco SA520-K9 | Administration Guide - Page 138
enter the domain name of the remote network, such as vpn.company.com. Then enter that address or name in the Remote WAN FQDN or IP address than the one specified in the WAN port's configuration. Choose IP Address if you want to enter an
  • Cisco SA520-K9 | Administration Guide - Page 139
. The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC), and assumes a pre-shared key, which greatly simplifies setup. For information about the VPNC recommendations, see: www.vpnc.org/vpnstandards.html.
  • Cisco SA520-K9 | Administration Guide - Page 140
Cisco Small Business Support Service Contract (CON-SBS-SVC2) is required to download the client software. If you don't have one, contact your partner or reseller, or Cisco Support for more information. Figure 6 IPsec VPN Remote Access with a VPN Client
  • Cisco SA520-K9 | Administration Guide - Page 141
in the WAN port's configuration. Choose , such as vpn.company.com. Then enter VPN, page 144. • To review or update the configured VPN policy, click IPsec > VPN Policies. For more information, see Configuring the IPsec VPN Policies, page 148.
  • Cisco SA520-K9 | Administration Guide - Page 142
VPN, page 144. If you are using the Cisco VPN Client, see the Application Note located under Technical Documentation at: www.cisco.com/go/sa500resources. STEP 1 Click VPN one of the following options: - Standard IPsec (XAuth)
  • Cisco SA520-K9 | Administration Guide - Page 143
VPN Remote Access. • Optionally, review and modify the default settings and policies. See Advanced Configuration of IPsec VPN, page 144. • For Cisco QuickVPN, you also must enable Remote Management. See RMON (Remote Management), page 197.
  • Cisco SA520-K9 | Administration Guide - Page 144
creates the matching IKE and VPN policies, you can make changes, as needed. Advanced users can create an IKE policy from Add but must be sure to use compatible encryption, authentication, and key-group parameters for the VPN policy.
  • Cisco SA520-K9 | Administration Guide - Page 145
Advanced Configuration of IPsec VPN 7 STEP 1 Click VPN > IPsec > IKE Policies. The existing entries appear in the List of IKE Policies table selected as the identifier type, then Main Mode is disabled and Aggressive Mode is applied.
  • Cisco SA520-K9 | Administration Guide - Page 146
256. • Authentication Algorithm: Specify the authentication algorithm for the VPN header. There are five algorithms supported by this router: MD5, SHA-1, SHA2-256, SHA2-384 and SHA2- Managing Certificates for Authentication, page 190.
  • Cisco SA520-K9 | Administration Guide - Page 147
name for the security appliance to use when connecting to the remote server. The username can include any alphanumeric characters. - Password: Enter the password for the security appliance to use when connecting to the remote server.
  • Cisco SA520-K9 | Administration Guide - Page 148
VPN, page 144. STEP 1 Click VPN > IPsec > VPN Policies. The VPN Policies window opens. Two tables are displayed: • List of VPN Policies: Lists all the VPN policies except the backup policies. Auto and Manual List of VPN Policies table.
  • Cisco SA520-K9 | Administration Guide - Page 149
the VPN tunnel are manually input for each end point. No third party server or organization is involved. • Select Local Gateway: If you configured the Optional Port for use as a WAN port, choose to failover. See Dynamic DNS, page 76.
  • Cisco SA520-K9 | Administration Guide - Page 150
VPN. If you choose this option, also enter the network address and the subnet mask. STEP 5 If you chose Manual Policy for the Policy Type, create an SA (Security Association characters - AES-256: 32 characters - AES-CCM: 16 characters
  • Cisco SA520-K9 | Administration Guide - Page 151
VPN Security Association becomes invalid. The SA is renegotiated after this interval. The default example, the lifebyte for a download stream expires frequently if the specifications are generally recommended for advanced users only.
  • Cisco SA520-K9 | Administration Guide - Page 152
the VPN tunnels, click Status > VPN Status > IPsec Status. For more information, see IPsec VPN Status, page 210. • To view IPsec VPN logs, click Status > View Logs > IPsec VPN Logs. For more information, see IPsec VPN Logs, page 215.
  • Cisco SA520-K9 | Administration Guide - Page 153
, change it before you create the policy. Otherwise, the changes will not take effect. STEP 1 Click VPN > IPsec > Dynamic IP Range. The Dynamic IP Range window opens. STEP 2 Enter a Start IP range and End IP range for the IP address.
  • Cisco SA520-K9 | Administration Guide - Page 154
access to the following types of services on your network: • Internal websites • Web-enabled applications • NT/Active Directory and FTP file shares • E-mail proxies, including POP3S, IMAP4S, and SMTPS • MS Outlook Web Access • MAPI
  • Cisco SA520-K9 | Administration Guide - Page 155
    see Elements of the SSL VPN, page 156. • Port Forwarding: Port Forwarding service supports TCP connections between the remote user and the security appliance. A web-based (ActiveX or Java) client is installed on the client machine. The administrator can define the services and applications that are
  • Cisco SA520-K9 | Administration Guide - Page 156
160. • Port Forwarding: You can configure port forwarding to allow access to a limited set of resources. For example, you may want the SSL VPN users to access the email service only. See Configuring SSL VPN Port Forwarding, page 163.
  • Cisco SA520-K9 | Administration Guide - Page 157
page with several features that you can configure: 1. Portal Site Title: appears at the top browser 2. Banner Title 3. Banner Message Configurable Areas of the SSL VPN Portal Layout
  • Cisco SA520-K9 | Administration Guide - Page 158
a layout as the default layout, click the star web pages and data from being stored on the client's web browser cache. • ActiveX web cache cleaner: Check this box to load an ActiveX cache control whenever users log in to this SSL VPN portal.
  • Cisco SA520-K9 | Administration Guide - Page 159
Administration > Users > Users. The List of Users table appears. The User window opens. The default Administrator and Guest users appear in the List of Users table, along with any new users that you add. STEP 2 To add a user, click Add.
  • Cisco SA520-K9 | Administration Guide - Page 160
    policy applies to a specific network resource, IP address, or IP address range on the LAN, or to other SSL VPN services that are supported by the security appliance. By default, a global PERMIT policy (not displayed) is preconfigured over all addresses and over all services and ports. You can create
  • Cisco SA520-K9 | Administration Guide - Page 161
policy for a specific IP address takes precedence over a policy for a range of addresses that includes this IP address. A policy can be offered to the VPN Tunnel, Port Forwarding, or both. the user from the Available Users list.
  • Cisco SA520-K9 | Administration Guide - Page 162
6 Click Apply to save your settings. NOTE Next steps: Enable Remote Management (RMON), if you have not done so previously. If RMON is disabled, SSL VPN access is blocked. See RMON (Remote Management), page 197.
  • Cisco SA520-K9 | Administration Guide - Page 163
access to all ports for a given subnet. The following table lists some common applications and corresponding TCP port numbers: • FTP Data (usually not needed): 20 • FTP Control Protocol: 21 • SMTP (send mail): 25
  • Cisco SA520-K9 | Administration Guide - Page 164
: • Local Server IP Address: Enter the IP address of the internal host machine or local server. • TCP Port Number: Enter the port number of the TCP application that enables port forwarding. STEP 4 Click Apply to save your settings.
  • Cisco SA520-K9 | Administration Guide - Page 165
an IP address from the corporate subnet, DNS and WINS settings is automatically created. This feature allows access to services on the private network without any special network configuration on the remote SSL VPN client machine.
  • Cisco SA520-K9 | Administration Guide - Page 166
    to forward private traffic through the VPN Firewall to the remote SSL VPN client. NOTE As in any IPsec tunnel deployment, the two networks that are joined by the tunnel must use different IP address ranges in their subnets. The security appliance allows Full Tunnel and Split Tunnel support. • Full
  • Cisco SA520-K9 | Administration Guide - Page 167
, the user should add the LAN subnet as the Destination Network using this page. NOTE You can configure client routes only if Split Tunnel support is enabled on the SSL VPN Client page. See Configuring the SSL VPN Client, page 166.
  • Cisco SA520-K9 | Administration Guide - Page 168
heading. The SSL VPN Client Route Configuration Port Forwarding information window opens. The user can click the Launcher icon to connect to the remote servers. • Change Password: The user can click this link to change his or her password.
  • Cisco SA520-K9 | Administration Guide - Page 169
VIP service during the initial stages of deployment. • VIP Production: Choose this option if you have purchased VeriSign service. The service will use VIP production servers to authenticate your users. c. Click Apply to save your settings.
  • Cisco SA520-K9 | Administration Guide - Page 170
Service Use this page to associate VeriSign tokens with your users. NOTE Your users must be configured in Administration first. See Users, page 171. STEP 1 Click VPN > VeriSign ID Protection. STEP 4 Click Apply to save your settings.
  • Cisco SA520-K9 | Administration Guide - Page 171
access policies. There are two default accounts. You can change the user name and password for these accounts but you cannot change the user policies. • admin: The administrator account, which has read-write access to all settings.
  • Cisco SA520-K9 | Administration Guide - Page 172
created automatically. It has the same name as the domain and is associated with the domain. To edit the group settings, see Groups, page 173.
  • Cisco SA520-K9 | Administration Guide - Page 173
See Groups, page 173. NOTE For security, a password should contain no dictionary words from any language, and should include a mixture of uppercase and lowercase letters, numbers, and symbols. The password can be up to 30 characters.
  • Cisco SA520-K9 | Administration Guide - Page 174
used, set this value to 0. NOTE Every user is added as a local user with a password, and when the user is assigned to an external authentication mechanism based on the group, certain attributes such as the local password are ignored.
  • Cisco SA520-K9 | Administration Guide - Page 175
account, or uncheck this box to enable the account. This setting cannot be changed for the default admin account. - Deny Login from WAN Interface: Check this box to prevent the user from to Allow Login only from Defined Addresses.
  • Cisco SA520-K9 | Administration Guide - Page 176
the upgrade process at specific points when the flash is being written to can corrupt the flash memory and render the router unusable without a low-level process of restoring the flash firmware (not through the Configuration Utility).
  • Cisco SA520-K9 | Administration Guide - Page 177
downloaded to your device and you are prompted to install it. Click OK to close the notification window and then click Upgrade or Upgrade & Factory Reset. - To see if an upgraded version of the firmware is immediately available, click Check Now.
  • Cisco SA520-K9 | Administration Guide - Page 178
! Restoring a saved configuration will remove your current settings. Firewall rules, VPN policies, LAN/WAN settings and all other settings will be lost. Back up your settings to ensure that you can restore them later if needed.
  • Cisco SA520-K9 | Administration Guide - Page 179
    and reset the security appliance to the factory default settings. A progress bar will appear to display the upgrade status. For information about downloading firmware upgrade files, see Upgrading the Firmware, page 24. The router takes several minutes to complete the upgrade. While the upgrade is in
  • Cisco SA520-K9 | Administration Guide - Page 180
    to reboot the router. Using the Secondary Firmware You can use this feature to revert to the previous firmware version that was in use. STEP 1 Click Administration > Firmware & Configuration > Swap Firmware. The Swap Firmware window opens. STEP 2 Click Switch to reboot the security appliance by
  • Cisco SA520-K9 | Administration Guide - Page 181
Output page. The report includes up to 30 "hops" (intermediate routers) between this security appliance and the destination. Click Back to return to the Diagnostics page. to stop the capture. To download the report, click Download.
  • Cisco SA520-K9 | Administration Guide - Page 182
direction (Download Only or Both) selected above. • Increase This Month's Limit: If the monthly traffic limit has been reached and you need to temporarily increase the limit, check this option and type in the amount of the increase.
  • Cisco SA520-K9 | Administration Guide - Page 183
counter immediately. - Specific Time: Choose this downloaded through this interface. Amount of traffic, in Megabytes, that passed through this interface in both directions. Average volume of traffic that passed through this interface.
  • Cisco SA520-K9 | Administration Guide - Page 184
addresses of up to four custom NTP servers. The default NTP Server settings are as follows: - 0.ciscosb.pool.ntp.org - 1.ciscosb.pool.ntp.org - 2.ciscosb.pool.ntp.org - 3.ciscosb.pool.ntp.org STEP 3 Click Apply to save your settings.
  • Cisco SA520-K9 | Administration Guide - Page 185
directed to the router are logged. • Other Event Logs: Choose the other types of events to be logged. - Source MAC Filter: If checked, logs packets matched due to source MAC filtering. Uncheck to disable source MAC filtering logs.
  • Cisco SA520-K9 | Administration Guide - Page 186
    DMZ to LAN source and destination. Logging for individual firewall rules should be enabled. Enable logging for firewall rules matching WAN to DMZ source and destination. Logging for individual firewall rules should be enabled.
  • Cisco SA520-K9 | Administration Guide - Page 187
    to block SSH traffic from the LAN to the WAN. The firewall rule also must allow logging. For more information, see Configuring Firewall Rules to Control Inbound and Outbound Traffic, page 103. STEP 3 Click Apply to save your settings.
  • Cisco SA520-K9 | Administration Guide - Page 188
    and enter the user account name and password. To disable authentication, select None. • Respond to Identd from SMTP Server: Check this box to configure the router to respond to an IDENT request from from the Status > View Logs pages.
  • Cisco SA520-K9 | Administration Guide - Page 189
    (level 3) Error conditions. Syslog definition is LOG_ERR. Warning (level 4) Warning conditions. Syslog definition is LOG_WARNING. Notification (level 5) Normal but significant condition. Syslog definition is LOG_NOTICE.
  • Cisco SA520-K9 | Administration Guide - Page 190
    as VeriSign, Thawte and other organizations. Digital Certificates are used by this router during the Internet Key Exchange (IKE) authentication phase as an alternative : The date after which the certificate becomes invalid.
  • Cisco SA520-K9 | Administration Guide - Page 191
    certificate. Enter the registered business name or official company download the router's certificate (.pem file), click the Download button under the Download Settings area. STEP 3 To request a certificate from the CA, click Generate CSR.
  • Cisco SA520-K9 | Administration Guide - Page 192
    than one subject field, enter each subject separated by a comma. For example: CN=hostname.domain.com, ST=CA, C=USA • Hash Algorithm: Algorithm used by the certificate. Choose between MD5 and next to the certificate you just created.
  • Cisco SA520-K9 | Administration Guide - Page 193
    Server IP Address: Enter the IP address of the authenticating Radius Server. • Authentication Port: Enter the port number on the Radius server that is used to send the Radius traffic. • server. STEP 4 Click Apply to save your settings.
  • Cisco SA520-K9 | Administration Guide - Page 194
    key, click the Upgrade to 50 Seats link on the License Management page. • For the SA520 and SA520W models, you can increase the seat count from 2 users to 25 users. To add seats, you must purchase an SSL VPN license from Cisco at: www.cisco.com/go/license. ProtectLink Services (Web/Gateway and
  • Cisco SA520-K9 | Administration Guide - Page 195
    . - Free Trial: Download a trial license from Cisco.com. - Renew: Renew your existing license if your license is about to expire or has already expired. - Upgrade to 25 Seats: Upgrade the license to enable users. (Only applies to the SA520 and SA520W) - Upgrade to 50 Seats: Upgrade the license to
  • Cisco SA520-K9 | Administration Guide - Page 196
    fields, click Validate License. Click Back to return to the License Management page. b. To install and activate a ProtectLink Web/Gateway or Endpoint license, click Install and follow the steps provided on the Install License page.
  • Cisco SA520-K9 | Administration Guide - Page 197
    , the router is accessible to anyone who knows its IP address. Since a malicious WAN user can reconfigure the router and misuse it in many ways, it is highly recommended that you change the admin and guest passwords before continuing.
  • Cisco SA520-K9 | Administration Guide - Page 198
    the PC given remote management permissions • Port Number: Displays the port number used for the remote connection. • Remote SNMP Enable: Check the box to enable SNMP for the remote connection. STEP 3 Click Apply to save your settings.
  • Cisco SA520-K9 | Administration Guide - Page 199
    Enabling CDP is not recommended on the Dedicated WAN port and the Optional ports because they are connected to insecure networks. STEP 1 security. The router supports the SNMPv2c protocol version and can send traps to a specified community.
  • Cisco SA520-K9 | Administration Guide - Page 200
    • Port: Enter the SNMP trap port of security appliance. • SysLocation: The physical location of the security appliance. • SysName: A name given for easy identification of the security appliance. STEP 3 Click Apply to save your settings.
  • Cisco SA520-K9 | Administration Guide - Page 201
    : This is the period (in seconds) of how often this router will broadcast its UPnP information to all devices within range. • discarded. Small values will limit the UPnP broadcast range. STEP 3 Click Apply to save your settings.
  • Cisco SA520-K9 | Administration Guide - Page 202
    will only be visible to the hosts belonging to the associated VLANs. By default, LAN/Default-VLAN is the broadcasting domain. STEP 3 Click Apply to add the VLAN. The VLAN associated to the service appears in the List of VLANs table.
  • Cisco SA520-K9 | Administration Guide - Page 203
    To dissociate the VLAN from the service, check the box next to the appropriate VLAN and click Delete.
  • Cisco SA520-K9 | Administration Guide - Page 204
    This chapter describes how to view the status of your router. It includes the following sections: • Device Status • VPN Status • Active Users • View Logs • CDP • Interface Statistics • Port Statistics • Wireless Statistics for the SA520W
  • Cisco SA520-K9 | Administration Guide - Page 205
    of logs in each level is displayed. Routing Mode Displays the routing mode of the router (NAT or Classical routing). WAN Mode Displays the WAN configuration mode of the router (Single WAN port, Autorollover, or Load Balancing).
  • Cisco SA520-K9 | Administration Guide - Page 206
    . Site to Site VPN All Tunnels Number of active Site-to-Site VPN tunnels and the total number of configured Site-to-Site VPN tunnels. Remote Access VPN SSL Users Number of active SSL users. IPsec Users Number of IPsec users.
  • Cisco SA520-K9 | Administration Guide - Page 207
    and then click Start to restart the automatic refresh using the specified poll interval. Enables the automatic page refresh. Disables the automatic page refresh feature.
  • Cisco SA520-K9 | Administration Guide - Page 208
    configured on it. The counters are reset when the device is rebooted. Radio Statistics The radio can have multiple virtual access points configured and active concurrently. This table indicates cumulative statistics for the radio.
  • Cisco SA520-K9 | Administration Guide - Page 209
    to the access point. Number of transmitted/received (tx/rx) packets dropped by the access point. Number of multicast packets sent over this access point.
  • Cisco SA520-K9 | Administration Guide - Page 210
    place and is enabled, a connection is triggered by any traffic that matches the policy, and the VPN tunnel is set up automatically. However, you can use the Connect/Disconnect button to manually connect or disconnect the VPN tunnel.
  • Cisco SA520-K9 | Administration Guide - Page 211
    the page to either start or stop connections. Status > VPN Status > SSL VPN Status User Name IP Address Tunnel Specific Fields Local ppp interface Peer PPP Interface IP Tx Packets user, the tunnel specific fields will have no values.
  • Cisco SA520-K9 | Administration Guide - Page 212
    Stop button and use Start to restart automatic refresh. Click to enable automatic page refresh feature. Click Stop to disable the automatic page refresh feature.
  • Cisco SA520-K9 | Administration Guide - Page 213
    Users This page lists the administrator and SSL VPN users who are currently the host from which the user accessed the Router. Timestamp of when the user first logged into the Router. Terminates an active user's session and the
  • Cisco SA520-K9 | Administration Guide - Page 214
    Displays logs for ProtectLink Gateway and Endpoint services. VPN Displays IKE and SSL VPN related logs. Firewall Displays logs related to firewall rules, attacks, and content filtering. to the email addresses that you configured in
  • Cisco SA520-K9 | Administration Guide - Page 215
    discovered. For more information about CDP Global Configuration, see CDP, page 199. Status > CDP Neighbor Device Id Local Port Displays the device identifier advertised by the neighbor Interface on which the neighbor was discovered.
  • Cisco SA520-K9 | Administration Guide - Page 216
    Interface ID The number of minutes a device has been connected. The type of device: R-Router, T-Switch Bridge, S-Switch, H-Host, I-IGMP, r-repeater. Platform name of the neighboring the period of time in which the data was collected.
  • Cisco SA520-K9 | Administration Guide - Page 217
    . Close the browser and launch it again. STEP 6 Ensure that you are using the correct login information. The factory default login name is cisco and the password is cisco. Ensure that CAPS LOCK is off when entering this information.
  • Cisco SA520-K9 | Administration Guide - Page 218
    power to the cable or DSL modem. STEP 4 When the modem LEDs indicate that it has resynchronized with the ISP, reapply power to the security appliance. If the security appliance still cannot obtain an ISP address, see the next symptom.
  • Cisco SA520-K9 | Administration Guide - Page 219
    Troubleshooting Internet Connection Symptom: The security appliance account information as specified by the ISP (User Name, Password, and Secret, if applicable). • Does your ISP check the security appliance to be its TCP/IP gateway.
  • Cisco SA520-K9 | Administration Guide - Page 220
    does not automatically adjust for Daylight Savings Time. Recommended action: STEP 1 Click Administration > Time Zone. STEP 2 Check or uncheck Automatically adjust for Daylight Savings Time. STEP 3 Click Apply to save your settings.
  • Cisco SA520-K9 | Administration Guide - Page 221
    : • Verify that the Ethernet card driver software and TCP/IP software are installed and configured on the PC. • Verify that the IP address for the security appliance and PC are correct and on the same subnet.
  • Cisco SA520-K9 | Administration Guide - Page 222
    to the MAC address of just a single PC connected to that modem. If this is the case, configure your firewall to clone or spoof the MAC address from the authorized PC. For more information, see Configuring the WAN Connection, page 37.
  • Cisco SA520-K9 | Administration Guide - Page 223
    effective. After a restore to factory defaults, the following settings apply: • LAN IP address: 192.168.75.1 • Username: cisco • Password: cisco • DHCP server on LAN: enabled • WAN port configuration: Get configuration via DHCP
  • Cisco SA520-K9 | Administration Guide - Page 224
    Services The security appliance is configured with the following list of standard services that are available for port forwarding and firewall configuration. If you want to configure a port forwarding rule or a firewall rule for a service that is not on this list, you can create a custom service
  • Cisco SA520-K9 | Administration Guide - Page 225
    Standard Services ICMP-TYPE-6 ICMP-TYPE-7 ICMP-TYPE-8 ICMP-TYPE-9 ICMP-TYPE-10 ICMP-TYPE-11 ICMP-TYPE-13 ICQ IMAP2 IMAP3 IRC NEWS NFS NNTP PING POP3 PPTP RCMD REAL-AUDIO REXEC RLOGIN RTELNET RTSP:TCP RTSP:UDP SFTP SMTP SNMP:TCP
  • Cisco SA520-K9 | Administration Guide - Page 226
    Standard Services SNMP:UDP SNMP-TRAPS:TCP SNMP-TRAPS:UDP SQL-NET SSH:TCP SSH:UDP STRMWORKS TACACS TELNET TFTP VDOLIVE
  • Cisco SA520-K9 | Administration Guide - Page 227
    Technical Specifications and Environmental Requirements Feature Standards Physical Interfaces Operating Temperature SA520 SA520W • DMZ port • 1 X RJ-45 connector for WAN port • 1 X USB connector for USB 2.0 32 to 104ºF (0 to 40ºC)
  • Cisco SA520-K9 | Administration Guide - Page 228
    Specifications and Environmental Requirements Feature SA520 SA520W 2.5A MAX 2.5A MAX 2.5A Transmit (TX) N/A Power (default) 11dBm N/A Physical Specifications Form Factor 1 RU, 19-in. rack-mountable 1 RU, 19 ) 5.14 lb
  • Cisco SA520-K9 | Administration Guide - Page 229
    Savings enable Time Date and Time - Protocol NTP Date and Time - Time Zone Pacific Time (US & Canada) DDNS disable HTTP Remote Access enable HTTPS Remote Access enable SNMP - Trusted Peer IP address SNMP Agent disable
  • Cisco SA520-K9 | Administration Guide - Page 230
    Factory Default Settings General Settings Feature Setting SNMP Version SNMP V1 & Cisco Discovery Protocol enabled on LAN / disabled on WAN port Bonjour enabled on LAN / disabled on WAN port UPnP disable Radius Server Port 1812
  • Cisco SA520-K9 | Administration Guide - Page 231
    Factory Default Settings Router Settings Feature VLAN - Voice, Name VLAN - Voice, VLAN Number (802.1q tagged packets) VLAN - Voice, IP Product Tab DHCP Server 192.168.x.50 192.168.x.254 255.255.255.0 1440 enable
  • Cisco SA520-K9 | Administration Guide - Page 232
    Factory Default Settings Router Settings Feature HTTPS Remote Access WAN1 IP address assignment WAN1 - MTU WAN1- Outgoing Traffic Bandwidth Limit / disable on DMS VLAN disable IPv4 Only Automatic enable 192.168.10.0 255.255.255.0
  • Cisco SA520-K9 | Administration Guide - Page 233
    Factory Default Settings Router Settings Feature Setting IPSec - Signaling Authentication IKE with PSK - Keying Mode Description Attribute DH Group 2 (1024 bit) IPSec - Signaling Authentication SHA1 - Phase 2 - Hash Algorithm
  • Cisco SA520-K9 | Administration Guide - Page 234
    Factory Default Settings Wireless Settings Feature IPSec - Signaling Authentication - Phase 2 - Lifetime in Seconds IPSec Pass Mask (Failover when no DHCP Server Available) 255.255.255.0 VLAN - Data, Name (optional) Data VLAN
  • Cisco SA520-K9 | Administration Guide - Page 235
    / Multicast Rate Limit Multicast traffic rate per radio Setting cisco-data disable disable 0 1812 3600 Disabled enabled Mixed (802.11b,g,n) Auto disabled All 100 ms 2 ms 2347 2346 100% disabled disabled disabled disabled 50pps auto
  • Cisco SA520-K9 | Administration Guide - Page 236
    , 7ms (AIFS) Minimum contention window 4 queues = 3ms, 7ms, 15ms, 15ms Maximum Burst 4 queues - 1.5ms, 3ms, 0ms, 0ms Maximum contention window 4 queues = 7ms, 15ms, 15ms, 15ms
  • Cisco SA520-K9 | Administration Guide - Page 237
    Cisco Small Business FTP Server Allow Anonymous Access disable Allow Anonymous File Upload disable Allow Anonymous File Download enable Maximum Anonymous Transfer 0 Rate (0 - unlimited) in KB/s Disconnect Idle Sessions 5 minutes
  • Cisco SA520-K9 | Administration Guide - Page 238
    packets/sec) Setting Disabled Disabled Disabled on WAN Inbound Deny / Outbound Allow Disabled Enable Enable Enable Enable Enable Enable 128 max/sec 15 packets/sec
  • Cisco SA520-K9 | Administration Guide - Page 239
    Factory Default Settings Security Settings Feature ICMP Flood (ICMP packets/sec) Setting 100 packets/sec
  • Cisco SA520-K9 | Administration Guide - Page 240
    SA500 Technical Documentation Cisco Small Business www.cisco.com/go/sa500resources Cisco Partner Central for Small Business (Partner Login Required) www.cisco.com/web/partners/sell/smb Cisco Small Business Home www.cisco.com/smb