Cisco WS-CE500-24TT Administration Guide

Cisco WS-CE500-24TT - Catalyst Express Switch Manual

Cisco WS-CE500-24TT manual content summary:

  • Cisco WS-CE500-24TT | Administration Guide - Page 1
    ADMINISTRATION GUIDE Cisco Small Business SA500 Series Security Appliances
  • Cisco WS-CE500-24TT | Administration Guide - Page 2
    logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner
  • Cisco WS-CE500-24TT | Administration Guide - Page 3
    Tasks 23 Changing the Default User Name and Password 23 Backing Up Your Configuration 24 Upgrading the Firmware 24 Common Configuration Scenarios 25 Basic Network Configuration with Internet Access 26 Cisco Smart Business Communications System Configuration 28 Firewall for Controlling
  • Cisco WS-CE500-24TT | Administration Guide - Page 4
    About the Default LAN Settings 43 Configuring the LAN 44 Viewing the LAN Status 46 VLAN Configuration 46 DHCP Reserved IPs 52 DHCP Leased Clients 53 Configuring an IGMP Proxy 53 Configuring the Optional Port as a LAN Port 53 Configuring the Optional WAN 54 Configuring Auto-Rollover
  • Cisco WS-CE500-24TT | Administration Guide - Page 5
    Traffic Preliminary Tasks for Firewall Rules Configuring the Default Outbound Policy Configuring a Firewall Rule for Outbound Traffic Cisco SA500 Series Security Appliances Administration Guide 5
  • Cisco WS-CE500-24TT | Administration Guide - Page 6
    Prevention System Configuring IPS Configuring the IPS Policy Configuring the Protocol Inspection Settings Configuring Peer-to-Peer Blocking and Instant Messaging Chapter 6: Using Cisco ProtectLink Security Services 135 Chapter 7: Configuring VPN About VPN Configuring a Site
  • Cisco WS-CE500-24TT | Administration Guide - Page 7
    Identity Protection Managing User Credentials for VeriSign Service Chapter 8: Administration Users Domains Groups Adding or Editing User Settings Adding or Editing User Login Policies Firmware and Configuration Upgrading Firmware and Working with Configuration Files Maintaining the USB Device Using
  • Cisco WS-CE500-24TT | Administration Guide - Page 8
    Info UPnP Bonjour Configuring Bonjour Associating VLANs Chapter 10: Status Device Status Device Status Resource Utilization Interface Statistics Port Statistics Wireless Statistics for the SA520W VPN Status IPsec VPN Status SSL VPN Status Quick VPN Status Active Users View Logs Cisco SA500 Series
  • Cisco WS-CE500-24TT | Administration Guide - Page 9
    Reports Appendix A: Troubleshooting Internet Connection Date and Time Pinging to Test LAN Connectivity Restoring Factory Default Configuration Settings Appendix B: Standard Services Appendix C: Technical Specifications and Environmental Requirements Appendix D: Factory Default Settings General
  • Cisco WS-CE500-24TT | Administration Guide - Page 10
    • Getting Started with the Configuration Utility • About the Default Settings • Basic Tasks • Common Configuration Scenarios Feature Overview The features SA520 200 Mbps 200 Mbps 65 Mbps 15,000 SA520W 200 Mbps 200 Mbps 65 Mbps 15,000
  • Cisco WS-CE500-24TT | Administration Guide - Page 11
    the rear panel. Refer to the following illustrations and descriptions. Front Panel • RESET Button-To reboot the security appliance, push and release the Reset button. To restore the factory default settings, press and hold the Reset button for 5 seconds. • DIAG LED-(Orange) When lit, indicates the
  • Cisco WS-CE500-24TT | Administration Guide - Page 12
    Panel • POWER Switch-Turns the security be configured to allow public access to services such configuration files for backup and restore operations. NOTE The back panel of the SA520W includes three threaded connectors for the antennas.
  • Cisco WS-CE500-24TT | Administration Guide - Page 13
    Getting Started Installation 1 Installation This section guides you through the installation of your security appliance. Refer to the following topics: • ) on the bottom of the security appliance. Place the device on a flat surface.
  • Cisco WS-CE500-24TT | Administration Guide - Page 14
    Getting Started Installation 1 Wall Mounting STEP 1 Insert two 17 mm screws, with anchors, into the wall 15 cm apart (about 5.9 inches). Leave 3-4 mm (about 1/8 inch) of the head exposed.
  • Cisco WS-CE500-24TT | Administration Guide - Page 15
    ) of space, which is 1.75 inches (44.45 mm) high. ! CAUTION Do not overload the power outlet or circuit when installing multiple devices in a rack.
  • Cisco WS-CE500-24TT | Administration Guide - Page 16
    3 For DSL, a cable modem, or other WAN connectivity devices, connect an Ethernet network cable from the device to the WAN port on the back panel. Cisco strongly recommends using Cat5E or better cable. STEP 4 For network devices, connect an Ethernet network cable from the network device to one of the
  • Cisco WS-CE500-24TT | Administration Guide - Page 17
    installation of the security appliance is complete. Getting Started with the Configuration Utility The Configuration Utility web page is a web-based device manager that is used (such as Microsoft Internet Explorer or Mozilla Firefox).
  • Cisco WS-CE500-24TT | Administration Guide - Page 18
    the following address: 192.168.75.1 This address is the factory default LAN address of the security appliance. If you change this setting in the LAN configuration, you will need to enter the new IP address to connect to the Configuration Utility. STEP 3 When the Security Alert appears, accept or
  • Cisco WS-CE500-24TT | Administration Guide - Page 19
    listed links. • For help with advanced configuration tasks, such as firewall/NAT configuration, optional WAN configuration, DMZ configuration, and VPN setup, click the Getting Started > Advanced -up box. Getting Started (Basic) Page
  • Cisco WS-CE500-24TT | Administration Guide - Page 20
    Getting Started Getting Started with the Configuration Utility Getting Started (Advanced) Page 1
  • Cisco WS-CE500-24TT | Administration Guide - Page 21
    Click a menu item to change to another category. Provides easy navigation through the configurable device features. The main branches expand to provide the subfeatures. Click on the The main content of the feature appears in this area.
  • Cisco WS-CE500-24TT | Administration Guide - Page 22
    your Internet Service Provider (ISP) and the needs of your business, you might need to modify some of these settings. You can use the Configuration Utility to customize all settings, as needed. Settings of particular interest are described below. For a full list of all factory default settings, see
  • Cisco WS-CE500-24TT | Administration Guide - Page 23
    Access: You can access the Configuration Utility by using a web browser and entering the default IP address of 192.168.75.1. You can log on by entering cisco for the username and cisco for the password. You are strongly encouraged to change the default username and password. You can also change the
  • Cisco WS-CE500-24TT | Administration Guide - Page 24
    box to enable the password fields. • Enter Your Password: Enter the current password. The default password for this new security appliance is cisco. • New Password: Enter a password that contains alphanumeric, '-' or '_' characters. • Confirm Password: Enter the password again. • Idle Timeout: Enter
  • Cisco WS-CE500-24TT | Administration Guide - Page 25
    appliance, consider the following configuration scenarios: • Scenario 1: Basic Network Configuration with Internet Access, page 26 • Scenario 8: Cisco Smart Business Communications System Configuration, page 28 • Scenario 7: DMZ for Public Websites and Services, page 29 • Scenario 6: Firewall
  • Cisco WS-CE500-24TT | Administration Guide - Page 26
    , make sure that you have upgraded the firmware (see Upgrading the Firmware, page 24) and changed the default Administrator password (see Changing the Default User Name and Password, page 23). Consider the following first steps: 1. Review the WAN configuration and make any changes that are needed to
  • Cisco WS-CE500-24TT | Administration Guide - Page 27
    Getting Started Common Configuration Scenarios 1 2. Review the LAN configuration and make any changes that are needed to support your network. The default DHCP and TCP/IP settings should be satisfactory in most cases. However, you can change the subnet address or the default IP address, or assign
  • Cisco WS-CE500-24TT | Administration Guide - Page 28
    , see DHCP Reserved IPs, page 52. 4. Configure a static IP route from the security appliance to the UC 500 data VLANs (192.168.10.x). instructions, refer to the documentation or online Help for the Cisco Configuration Assistant (CCA).
  • Cisco WS-CE500-24TT | Administration Guide - Page 29
    exception from the default firewall policy, you need to configure firewall rules. NOTE The default WAN and LAN configure your DMZ, you can configure the firewall rules that enable traffic to connect only to the services that you specify.
  • Cisco WS-CE500-24TT | Administration Guide - Page 30
    with Internet Access, page 26. Configuration tasks for this scenario: To start configuring a DMZ, use the links in the DMZ Port section of the Getting Started (Advanced) page. For more information, see Configuring a DMZ, page 61.
  • Cisco WS-CE500-24TT | Administration Guide - Page 31
    Getting Started Common Configuration Scenarios 1 Scenario 8: Configuring ProtectLink Web & Email Security For added protection against web and email threats, the security appliance supports Cisco ProtectLink Security services. By using these services, your network is protected from email threats
  • Cisco WS-CE500-24TT | Administration Guide - Page 32
    you can use other links on the Getting Started (Advanced) page to review and modify the policies that were created by the Wizard. For more information, see Configuring an IPsec VPN Tunnel for Remote Access with a VPN Client, page 139.
  • Cisco WS-CE500-24TT | Administration Guide - Page 33
    you can use other links on the Getting Started (Advanced) page to review and modify the policies that were created by the Wizard. For more information, see Configuring an IPsec VPN Tunnel for Remote Access with a VPN Client, page 139.
  • Cisco WS-CE500-24TT | Administration Guide - Page 34
    Started (Advanced) page, click the SSL VPN Portal Layouts link to review the default settings for the user portal. Create new portals for different user groups, if needed. Return to the Getting Started (Advanced) page and click the Configure Users link to add your VPN users. Optionally, you can use
  • Cisco WS-CE500-24TT | Administration Guide - Page 35
    to your network resources. Outside Network Private Network Laptop computer Internet ISP Router SA 500 Printer Personal computer IP IP Phone Configuration tasks for this scenario: 1. The default WAN and LAN settings might be sufficient for your deployment, but consider the steps outlined
  • Cisco WS-CE500-24TT | Administration Guide - Page 36
    WAN • Configuring a DMZ • VLAN Configuration • Routing • Port Management • QoS Bandwidth Profiles • Dynamic DNS • Configuring IPv6 Addressing To access the Networking pages click Networking from the Configuration Utility menu bar.
  • Cisco WS-CE500-24TT | Administration Guide - Page 37
    Configuring the WAN Connection By default, your security appliance is configured to receive a public IP required to log in • Password: Enter the password required to log in • Secret flat fee for your Internet service. - Idle Time: The
  • Cisco WS-CE500-24TT | Administration Guide - Page 38
    ISP. • Server IP Address: Enter the IP address of the PPTP, PPPoE, or other server. STEP 3 Enable VLAN Tagging (Applies to PPPoE configurations only). • Enable VLAN Tagging: Check this box to enable a connection on a VLAN tagged WAN interface. • VLAN ID: Specify the VLAN ID. STEP 4 Reset the PPPoE
  • Cisco WS-CE500-24TT | Administration Guide - Page 39
    that page, click Optional Port > WAN to configure the WAN connection. For more information, see Configuring the Optional WAN, page 54. • If you are having problems with your WAN connection, see the Internet Connection, page 217 in Appendix A, "Troubleshooting." Viewing the WAN Status You can check
  • Cisco WS-CE500-24TT | Administration Guide - Page 40
    release the connection. • If the WAN is configured with a Static IP address, click Disable to disable the connection. NOTE If you are having problems with your WAN connection, see the Internet Connection, page 217 in Appendix A, "Troubleshooting." Creating PPPoE Profiles If you have multiple PPPoE
  • Cisco WS-CE500-24TT | Administration Guide - Page 41
    Password: Enter the password service IP addresses by adding an IP alias to the port. STEP 1 Click Networking > WAN > IP Alias. The IP Aliases window opens. Any currently configured WAN IP aliases used by the WAN port appear in the List of IP Aliases table. STEP 2 Click Add to add a new alias. Cisco
  • Cisco WS-CE500-24TT | Administration Guide - Page 42
    interface name on which the alias is created. • IP Address: The IP address alias added to this WAN port of the router. • Mask: The IPv4 subnet mask. STEP 4 Click Apply to save your changes. The new alias appears in the List of IP Aliases table.
  • Cisco WS-CE500-24TT | Administration Guide - Page 43
    However, you can use the LAN Configuration page to change these and other settings. • About the Default LAN Settings • Configuring the LAN • Viewing the LAN Status • VLAN Configuration • DHCP Reserved IPs • DHCP Leased Clients • Configuring an IGMP Proxy • Configuring the Optional Port as a LAN Port
  • Cisco WS-CE500-24TT | Administration Guide - Page 44
    Getting Started (Basic) page, under WAN & LAN Connectivity, click LAN Settings. The IPv4 LAN Configuration window opens. STEP 2 In the LAN TCP/IP Setup area, enter this information for your security appliance: • IP address: Enter the LAN IP address for the security appliance. NOTE If you change the
  • Cisco WS-CE500-24TT | Administration Guide - Page 45
    Networking Configuring the LAN 2 • Starting IP Address and Ending IP Address: Enter the range of addresses in the IP address pool for this security appliance. Any new DHCP client that joins the LAN is assigned an IP address in this range. The default starting address is 192.168.75.2. The default
  • Cisco WS-CE500-24TT | Administration Guide - Page 46
    • IP address and subnet mask of the interface • DHCP server mode STEP 2 Click Apply to save your settings. VLAN Configuration The security appliance supports Virtual LANs (VLANs), which allow you to segregate the network into LANs that are isolated from one another. The default configuration
  • Cisco WS-CE500-24TT | Administration Guide - Page 47
    Configuring the LAN 2 This section includes the following topics: • Default VLAN Settings • Enabling or Disabling VLAN Support • Creating VLAN IDs • Assigning VLANs to LAN Ports Default VLAN Settings By default, the data VLAN and the voice VLAN are enabled with the following settings: • Data VLAN
  • Cisco WS-CE500-24TT | Administration Guide - Page 48
    or Disabling VLAN Support By default, VLAN support is enabled. If you do not want VLANs, you can disable VLAN support. STEP 1 Click Networking > VLAN > VLAN Configuration. The VLAN Configuration window opens. STEP 2 To enable VLAN support, check the Enable VLAN box. To disable VLAN support, uncheck
  • Cisco WS-CE500-24TT | Administration Guide - Page 49
    Edit button. STEP 3 In the VLAN Configuration area, enter the following information: • Mode: Choose one of the following options: - Access: The access port is a member of a single VLAN. All data going into and out of the access port is untagged. By default, all VLAN ports are in access mode. Access
  • Cisco WS-CE500-24TT | Administration Guide - Page 50
    data coming into the port is not forwarded, except for the default VLAN with PVID=1, which is untagged. Trunk mode is recommended if the port is connected to a VLAN-aware switch or router. If you choose this option, also configure the VLAN Membership in the lower half of the page. • PVID: If you
  • Cisco WS-CE500-24TT | Administration Guide - Page 51
    is "leased" to a network user. When the time elapses, the user is automatically assigned a new dynamic IP address. The default is 24 hours. STEP 5 In the LAN Proxies section, check the Enable DNS Proxy box to allow the VLAN to act as a proxy for all DNS requests and to communicate with the DNS
  • Cisco WS-CE500-24TT | Administration Guide - Page 52
    left side of the heading row. STEP 3 Enter the IP address and the MAC address of the device that you want to add. Each reserved IP address should be outside the configured DHCP pool addresses. STEP 4 Click Apply to save your settings.
  • Cisco WS-CE500-24TT | Administration Guide - Page 53
    WAN or a DMZ, you can configure the Optional port for use as a LAN port. STEP 1 Click Networking > Optional Port > Optional Port Mode. The Optional Port Mode window opens. STEP 2 Choose LAN. STEP 3 Click Apply to save your settings.
  • Cisco WS-CE500-24TT | Administration Guide - Page 54
    Configuration area, check the Internet Connection Require a Login box if your ISP requires a login every time you connect to the Internet. • If you checked the box, complete the fields in the ISP Connection Type area. • If you did not check the box, continue complete the fields in the Internet (IP
  • Cisco WS-CE500-24TT | Administration Guide - Page 55
    DNS IP address. Also enter the addresses for the Primary DNS Server and the Secondary DNS Server. STEP 6 If required by your ISP, configure Default to use the default MTU size, 1500 bytes. Choose Custom if you want to specify another size.
  • Cisco WS-CE500-24TT | Administration Guide - Page 56
    . • Recommended: To configure auto-rollover, load balancing, and failure detection for your ISP links, click Optional Port > WAN Mode. For more information, see Configuring Auto-Rollover, Load Balancing, and Failure Detection, page 57.
  • Cisco WS-CE500-24TT | Administration Guide - Page 57
    the Optional WAN 2 • If you are having problems with your WAN connection, see the Internet Connection, page 217 in Appendix A, "Troubleshooting." Configuring Auto-Rollover, Load Balancing, and Failure Detection If you configured two ISP links, one for the dedicated WAN and one for the optional
  • Cisco WS-CE500-24TT | Administration Guide - Page 58
    Dual WAN Ports with Load Balancing Dual WAN Ports (Load Balancing) SA 500 WAN1 IP yourcompany1.dyndns.org Internet yourcompany2.dyndns.org WAN2 IP NOTE When configuring load balancing, make sure that you configure both WAN ports with the Connectivity Type set to Keep Connection. If the
  • Cisco WS-CE500-24TT | Administration Guide - Page 59
    how often, in seconds, the security appliance should run the above configured failure detection method. • Failover after: Specify the number of retries after which failover is initiated. STEP 4 Click Apply to save your settings.
  • Cisco WS-CE500-24TT | Administration Guide - Page 60
    WAN Port, click Configure Protocol Bindings (Optional - if WAN Mode set to Load Balancing). The Protocol Bindings window opens. Any existing protocol bindings appear in the List of Available Protocol Bindings table. STEP 2 Click Add.
  • Cisco WS-CE500-24TT | Administration Guide - Page 61
    additional layer of security to the LAN. The public can connect to the services on the DMZ but cannot penetrate the LAN. You should configure your DMZ to include any hosts that must be exposed to the WAN (such as web or email servers).
  • Cisco WS-CE500-24TT | Administration Guide - Page 62
    500 LAN Interface 192.168.75.1 DMZ Interface 172.16.2.1 Source Address Translation 209.165.200.225 172.16.2.30 Web Server Private IP Address: 172.16.2.30 Public IP Address: 209.165.200.225 User 192.168.75.10 User 192.168.75.11
  • Cisco WS-CE500-24TT | Administration Guide - Page 63
    Networking Configuring a DMZ Figure 4 Example DMZ with Two Public IP Addresses www.example.com 2 Internet Public IP Addresses 209.165.200.225 (router) 209.165.200.226 (web server) SA 500 LAN Interface 192.168.75.1 DMZ interface 172.16.2.1 Source Address Translation 209.165.200.226 172.16.2.30
  • Cisco WS-CE500-24TT | Administration Guide - Page 64
    DMZ settings. The DMZ Configuration window opens. STEP 3 In the DMZ Port Setup area, enter an IP Address and the Subnet Mask for the DMZ port on the internal network. Devices on the DMZ network communicate with the router by using this IP address. The default DMZ IP address of 172.16.2.1 is shown
  • Cisco WS-CE500-24TT | Administration Guide - Page 65
    is "leased" to a network user. When the time elapses, the user is automatically assigned a new dynamic IP address. The default is 24 hours. • Relay Gateway: If you chose DHCP Relay as the DHCP mode, enter the IP address of the relay gateway. STEP 5 In the DMZ Proxies section, check the box to allow
  • Cisco WS-CE500-24TT | Administration Guide - Page 66
    in the table, check the box at the left side of the heading row. After you click Add or Edit, the DMZ Reserved IPs Configuration window opens. STEP 3 Enter the IP Address and the MAC Address. STEP 4 Click Apply to save your settings.
  • Cisco WS-CE500-24TT | Administration Guide - Page 67
    , you can configure the security appliance in NAT routing mode or Classic routing mode. By default, NAT is default option. • Classic Routing: Choose this option if your ISP has assigned an IP address for each of the computers that you use.
  • Cisco WS-CE500-24TT | Administration Guide - Page 68
    configure static routes, enter a route name and specify the IP 2 Click Add to add a new static route. Other options: Click , the Static Routing Configuration window opens. STEP IP Address: Enter the IP address of the host or the network that the route leads to. • IP IP Address: Enter the IP address
  • Cisco WS-CE500-24TT | Administration Guide - Page 69
    by default. STEP 1 Click Networking > Routing > Dynamic. The Dynamic Routing (RIP) window opens. STEP 2 In the RIP Configuration area, information. This is the most commonly supported version. - RIP-2 includes all the functionality of RIPv1 plus it supports subnet information. Though the data is
  • Cisco WS-CE500-24TT | Administration Guide - Page 70
    71 Configuring the Ports STEP 1 Click Networking > Port Management > Port Management. The Port Management window opens. STEP 2 Choose the following options for each port: • Enable: Check this box to enable the port. To disable the port, uncheck the box. By default all ports are enabled. Cisco SA500
  • Cisco WS-CE500-24TT | Administration Guide - Page 71
    Duplex based on the port support. The default is Full Duplex for all ports. • Speed: Choose the port speed. The default setting is 1000 Mbps for all ports. STEP 3 Click Apply to save your settings. Configuring SPAN (Port Mirroring) Port mirroring, sometimes called Switched Port Analyzer, allows the
  • Cisco WS-CE500-24TT | Administration Guide - Page 72
    You can configure Quality of Service (QoS) the page and click Apply. STEP 3 In the WAN Configuration area, specify the Upstream Bandwidth in Kbps and the Downstream Apply to save your settings. STEP 5 Click Add to add a new bandwidth profile. Other options: Click the Edit button to edit an entry
  • Cisco WS-CE500-24TT | Administration Guide - Page 73
    Profiles 2 After you click Add or Edit, the Bandwidth Profile Configuration window opens. STEP 6 Enter the parameters to define a bandwidth profile in the List of Traffic Selectors table. STEP 2 Click Add to add a new traffic selector. Other options: Click the Edit button to edit an entry. To
  • Cisco WS-CE500-24TT | Administration Guide - Page 74
    service that you want, you can configure a custom service through Firewall custom services page. • Traffic Selector Match Type: Choose the method for identifying the host to which the traffic selector will apply. Then enter the IP Address, MAC Address, Port Name, or VLAN quality of service on the
  • Cisco WS-CE500-24TT | Administration Guide - Page 75
    Click Apply to save your settings. DSCP Remarking DSCP is a field in an IP packet that enables different levels of service to be assigned to network traffic. Use the Remark CoS to DSCP page to to choose the corresponding DSCP value.
  • Cisco WS-CE500-24TT | Administration Guide - Page 76
    static IP, and your WAN connection is configured to use DHCP to get an IP address dynamically, then DDNS allows you to have a virtual static address for your website. To use DDNS, you must set up an Click Apply to save your settings.
  • Cisco WS-CE500-24TT | Administration Guide - Page 77
    Networking Configuring IPv6 Addressing 2 Configuring IPv6 Addressing Internet Protocol Version 6 (IPv6) is a new IP protocol designed to replace IPv4, the Internet protocol that is predominantly deployed and extensively used throughout the world. IPv6 quadruples the number of network address bits
  • Cisco WS-CE500-24TT | Administration Guide - Page 78
    IPv6 WAN Configuration window opens. STEP 2 In the Internet(IPv6) Address area, choose Static IPv6 if your service provider assigned a fixed (static or permanent) IP address. If you were not assigned a static IP address, choose DHCPv6.
  • Cisco WS-CE500-24TT | Administration Guide - Page 79
    IPv6 Addressing 2 STEP 3 If you are configuring a static address, enter the following information in the Static IP Address area of the page. • IPv6 Address: Enter the static IP address that was provided by your Service Provider. • IPv6 Prefix Length: The IPv6 network (subnet) is identified
  • Cisco WS-CE500-24TT | Administration Guide - Page 80
    , page 82. STEP 1 Click Networking > IPv6 > IPv6 LAN Config. The IPv6 LAN Configuration window opens. STEP 2 In the LAN TCP/IP Settings section, enter the following information: • IPv6 Address: Enter the IPv6 address. The default IPv6 address for the gateway is fec0::1. You can change this 128-bit
  • Cisco WS-CE500-24TT | Administration Guide - Page 81
    number of seconds that IP addresses are leased to clients. The default is 86400, which is 24 hours. STEP 4 Click configure the LAN address pools, click IPv6 > IPv6 Address Pools. For more information, see IPv6 LAN Address Pools, page 82.
  • Cisco WS-CE500-24TT | Administration Guide - Page 82
    can define the IPv6 delegation prefix for a range of IP addresses to be served by the DHCPv6 server. By you click Add or Edit, the IPv6 Address Prefix & Pools Configuration window opens. STEP 3 Enter the following information: • Start
  • Cisco WS-CE500-24TT | Administration Guide - Page 83
    entries in the table, check the box at the left side of the heading row. After you click Add or Edit, the IPv6 Static Route Configuration window opens.
  • Cisco WS-CE500-24TT | Administration Guide - Page 84
    routing. This feature allows you to configure the routes even before the destination . • Gateway IP Address: Enter the IP Address of the Protocol - next generation, RFC 2080) is a host is unreachable. By default, the routing update is
  • Cisco WS-CE500-24TT | Administration Guide - Page 85
    Networking Configuring IPv6 Addressing 2 NOTE RIPng is disabled by default. STEP 1 Click Networking > IPv6 > Routing (RIPng). The Routing (RIPng) window opens. STEP . To open this page, click Networking > IPv6 > IPv6 Tunnels Status.
  • Cisco WS-CE500-24TT | Administration Guide - Page 86
    Configuring defines the logical ISATAP subnet to configure a tunnel. STEP 1 Click Networking Add or Edit, the ISATAP Tunnel Configuration window opens. STEP 3 Enter the registry, or derive it from RFC 4193. • Local End Point is an IPv4 network), or a specific LAN IPv4 address. • IPv4 Address:
  • Cisco WS-CE500-24TT | Administration Guide - Page 87
    Configuring IPv6 Addressing 2 MLD Tunnels Multicast Listener Discovery (MLD) is an IPv6 protocol that discovers listeners for a specific between General Queries sent by the device. The default value is 125 seconds. By varying the Query
  • Cisco WS-CE500-24TT | Administration Guide - Page 88
    Interval. MinRtrAdvInterval = 0.33 * MaxRtrAdvInterval. The default is 30 seconds. • RA Flags: Choose one of the following options: - Managed: Choose this option to use the administered/stateful protocol for address auto configuration.
  • Cisco WS-CE500-24TT | Administration Guide - Page 89
    default is 3600 seconds. STEP 3 Click Apply to save your settings. Adding RADVD Prefixes NOTE Before you can perform this procedure, you must enable RADVD. For more information, see Configuring Prefix: Specify the IPv6 network address.
  • Cisco WS-CE500-24TT | Administration Guide - Page 90
    Networking Configuring IPv6 Addressing 2 • IPv6 Prefix Length: Enter a decimal value that indicates the number of contiguous, higher that the requesting router is allowed to use the prefix. STEP 4 Click Apply to save your settings.
  • Cisco WS-CE500-24TT | Administration Guide - Page 91
    configuration helps you to maintain better control over broadcast and multicast traffic, which affects network performance. For each access point, you can customize the security mode, the Quality of Service settings, and the radio.
  • Cisco WS-CE500-24TT | Administration Guide - Page 92
    Profile Configuration area: • Profile Name: For a new profile, enter a unique (alphanumeric) identifier for this wireless profile. For the default replace WEP, pending final completion of the 802.11i standard for WPA2. WPA supports TKIP or
  • Cisco WS-CE500-24TT | Administration Guide - Page 93
    Configuring an Access Point 3 TKIP+CCMP encryption (default is TKIP) and PSK/RADIUS authentication. This option is a good choice if you need to allow access to devices that do not support to be configured with the same password.
  • Cisco WS-CE500-24TT | Administration Guide - Page 94
    List of Available Access Points table. For more information, see Controlling Wireless Access Based on MAC Addresses, page 96. • For RADIUS authentication, configure the RADIUS settings. See Configuring RADIUS Server Records, page 193.
  • Cisco WS-CE500-24TT | Administration Guide - Page 95
    used if profile is configured with WPA or WPA2 Service queues to prioritize the data traffic over the wireless link: • Voice: Highest priority queue, minimum delay. Used typically to send time-sensitive data such as Voice over IP (VoIP).
  • Cisco WS-CE500-24TT | Administration Guide - Page 96
    each IP DSCP/TOS value, leave Default in the field to apply the selected Default Class of Service, or choose a particular Class of Service to prioritize the traffic. STEP 4 Click Apply to save your settings. Controlling Wireless Access Based on MAC Addresses This page allows you to define specific
  • Cisco WS-CE500-24TT | Administration Guide - Page 97
    access point that you want to edit, and click the button in the Configure MAC Filter column. The MAC Filtering Configuration window opens. STEP 3 To add an address to the MAC Address table, point. All other devices are allowed access.
  • Cisco WS-CE500-24TT | Administration Guide - Page 98
    Configuring the Access Points Use the Access Point page to configure up to four access points to allow access to your wireless network. For each access point, assign a profile, specify a Service at any time. The default is 8 clients.
  • Cisco WS-CE500-24TT | Administration Guide - Page 99
    Configuring the Radio 3 • SSID: Specify the Service Set Identifier, or network name, that clients use to connect to the access point. It is a good practice to replace the default a geographic region from the drop-down list of regions.
  • Cisco WS-CE500-24TT | Administration Guide - Page 100
    noise levels for the available channels. • Default Transmit Power: Enter a value in dBm as the default transmitted power level for all APs that use this radio. The default is 20 dBm. STEP 3 Click Apply to save your settings.
  • Cisco WS-CE500-24TT | Administration Guide - Page 101
    page is used to specify advanced configuration settings for the radio. STEP Although a low threshold value consumes more bandwidth and reduces the throughput of the packet, frequent RTS packets can help the network The default is Long.
  • Cisco WS-CE500-24TT | Administration Guide - Page 102
    for the SA520W Configuring the Radio 3 • Protection Mode: Select RTS/CTS protection if you want the security appliance to perform a RTS/CTS of size less than or equal to the RTS threshold. STEP 3 Click Apply to save your settings.
  • Cisco WS-CE500-24TT | Administration Guide - Page 103
    Traffic By default, your firewall prevents inbound access and allows all outbound access. If you want to allow some inbound access or prevent some outbound access, you must configure firewall rules. You can choose how and to whom the rules apply and can specify these settings: • Services or traffic
  • Cisco WS-CE500-24TT | Administration Guide - Page 104
    (See Appendix B, "Standard Services.") If you need to configure a firewall rule for a service that is not on the standard list, first you must identify the service by entering a name, specifying the type, and assigning the port range.
  • Cisco WS-CE500-24TT | Administration Guide - Page 105
    you click Add or Edit, the Custom Services Configuration window opens. STEP 3 Enter the following information: • Name: Enter a name for this service. • Type: Specify the protocol. - , see Configuring the Time Settings, page 184.
  • Cisco WS-CE500-24TT | Administration Guide - Page 106
    on your local network. STEP 1 Click Networking > WAN > IP Alias. STEP 2 To add IP Aliases, click Add. STEP 3 Choose the WAN interface from the Interface drop-down menu. This is the interface where you will add the IP address to.
  • Cisco WS-CE500-24TT | Administration Guide - Page 107
    and Outbound Traffic STEP 4 Click Apply to save your settings. 4 Configuring the Default Outbound Policy The default outbound policy is used whenever there is no specified firewall rule that applies to the source, destination, service, or other characteristics of the outbound traffic. This policy
  • Cisco WS-CE500-24TT | Administration Guide - Page 108
    you can use the Getting Started (Advanced) page. In the Firewall and NAT Rules section, click Configure Firewall and NAT Rules. STEP 2 The Firewall Rules window opens. Any existing rules appear in can be the public DMZ or secure LAN.
  • Cisco WS-CE500-24TT | Administration Guide - Page 109
    traffic. Each priority level corresponds to a Term of Service (ToS) value. - Normal-Service: ToS=0 (lowest QoS) - Minimize-Cost: ToS=1 - Maximize-Reliability: ToS=2 - Maximize-Throughput: ToS=4 - Minimize-Delay: ToS=8 (highest QoS)
  • Cisco WS-CE500-24TT | Administration Guide - Page 110
    you can choose whether to associate the public service with the dedicated WAN address, the optional WAN address, or another IP address that your ISP has provided to you. For examples, see Firewall Rule Configuration Examples, page 114. NOTE In addition to configuring firewall rules, you can use the
  • Cisco WS-CE500-24TT | Administration Guide - Page 111
    or Block Traffic, page 119 • You can associate IP addresses with MAC addresses to prevent spoofing. For more information, see Configuring IP/MAC Binding to Prevent Spoofing, page 128 STEP 1 can be the public DMZ or insecure WAN.
  • Cisco WS-CE500-24TT | Administration Guide - Page 112
    the IP address service. • Enable Port Forwarding: Check the box to forward traffic to a particular port. • Translate Port Number: If you enabled port forwarding, enter the port number that will be the destination for the forwarded traffic.
  • Cisco WS-CE500-24TT | Administration Guide - Page 113
    Configuration Prioritizing Firewall Rules 4 • External IP Address: Select one of the following options to specify the IP address that is exposed to the public: - Dedicated WAN: The public will connect to this service by using the IP
  • Cisco WS-CE500-24TT | Administration Guide - Page 114
    Rule Configuration Examples Allowing Inbound Traffic to a Web Server Using the WAN IP Address Service Action Source Hosts Internal IP Address External IP Address Value Insecure (WAN1) DMZ HTTP ALLOW always Any 192.168.5.2 Dedicated WAN
  • Cisco WS-CE500-24TT | Administration Guide - Page 115
    for CU-SeeMe (an Internet video-conferencing client) are allowed only from a specified range of external IP addresses. Parameter From Zone To Zone Service Value INSECURE (Dedicated WAN/Optional WAN) Secure (LAN) CU-SEEME:UDP
  • Cisco WS-CE500-24TT | Administration Guide - Page 116
    " to define the time period when the rule is in effect. Configure an outbound rule that applies to traffic from marketing group, which has an IP address range of 10.1.1.1 to 10.1.1.100. Parameter From Zone To Zone Service Action Schedule Source Hosts From To Destination Hosts Value Secure (LAN
  • Cisco WS-CE500-24TT | Administration Guide - Page 117
    undesired inbound traffic. • Configuring Attack Checks • Configuring MAC Filtering to Allow or Block Traffic • Configuring IP/MAC Binding to Prevent Spoofing • Configuring a Port Triggering Rule to Direct Traffic to Specified Ports
  • Cisco WS-CE500-24TT | Administration Guide - Page 118
    Traffic, page 103. - WAN Mode settings that ping specified IP addresses for failure detection. See Configuring Auto-Rollover, Load Balancing, and Failure Detection, page 57. Multicast Packets: Check this box to block multicast packets.
  • Cisco WS-CE500-24TT | Administration Guide - Page 119
    1 and 10,000 ICMP packets per second. The default is 100 ICMP packets per second. STEP 6 Click Apply to save your settings. Configuring MAC Filtering to Allow or Block Traffic You can below: Choose one of the following options:
  • Cisco WS-CE500-24TT | Administration Guide - Page 120
    the MAC Filtering Configuration window opens. STEP 4 Enter the MAC Address. STEP 5 Click Apply to save your settings. Configuring IP/MAC Binding IP/MAC Binding allows you to bind IP addresses to the first column of the table heading.
  • Cisco WS-CE500-24TT | Administration Guide - Page 121
    support the exchange of data. When the exchange is completed, the ports are closed. Port triggering is more flexible than the static port forwarding that you can configure in a firewall rule. Port triggering rules do not have to reference specific LAN IP addresses or IP "Standard Services." NOTE
  • Cisco WS-CE500-24TT | Administration Guide - Page 122
    the first column of the table heading. After you click Add or Edit, the Port Triggering Configuration window opens. STEP 3 In the Port Triggering Rule area, enter the following information: • Status. The following information appears:
  • Cisco WS-CE500-24TT | Administration Guide - Page 123
    destined to the LAN IP address can flow through the security appliance. • Time Remaining: This field displays the time for which the port will remain open when there is no activity on that port. The time is reset when there is activity on the port. Configuring Session Settings to Analyze Incoming
  • Cisco WS-CE500-24TT | Administration Guide - Page 124
    Approved URLs to Allow Access to Websites • Configuring Blocked URLs to Prevent Access to Websites • Configuring IP/MAC Binding to Prevent Spoofing Configuring Content Filtering to Allow or Block Web Components The security appliance supports a content filtering option that you can use to
  • Cisco WS-CE500-24TT | Administration Guide - Page 125
    Configuration the HTTP ports on which content filtering will act. The default port is 80. If your networking using an external security gap. For example, if connections to a specific IP address are blocked by a firewall rule, the
  • Cisco WS-CE500-24TT | Administration Guide - Page 126
    the first column of the table heading. After you click Add or Edit, the Approved URL Configuration window opens. STEP 4 Enter the following information: • URL: Enter the domain name or keywords STEP 5 Click Apply to save your settings.
  • Cisco WS-CE500-24TT | Administration Guide - Page 127
    Keyword: Choose this option to block access to any website with a domain name that contains the configured keyword. For example, if you enter yahoo for the URL, then your users are prevented STEP 4 Click Apply to save your settings.
  • Cisco WS-CE500-24TT | Administration Guide - Page 128
    IP MAC Binding Configuration window opens. STEP 3 Enter the following information: • Name: Enter a name for this IP/MAC binding. • MAC Address: Enter the MAC address. • IP Address: Enter the IP 4 Click Apply to save your settings.
  • Cisco WS-CE500-24TT | Administration Guide - Page 129
    Configuration NOTE SIP-ALG should be enabled when voice devices such as the UC 500 or SIP phones are connected to the network behind the security appliance. SIP ALG window opens. STEP 2 Check the box to enable SIP ALG support or uncheck the box to disable this feature. If this feature is disabled
  • Cisco WS-CE500-24TT | Administration Guide - Page 130
    : • Configuring IPS • Configuring the IPS Policy • Configuring the Protocol Inspection Settings • Configuring Peer-to-Peer Blocking and Instant Messaging To access the IPS pages click IPS from the Configuration Utility menu bar.
  • Cisco WS-CE500-24TT | Administration Guide - Page 131
    NOTE The Cisco username and password details once applied are applicable to all other services on the router which use them. For example, the Cisco username and login used in Administration is automatically updated for IPS signature downloads. - Click Update Now to immediately update new signatures
  • Cisco WS-CE500-24TT | Administration Guide - Page 132
    Intrusion Prevention System Configuring the IPS Policy 5 - Click Reset to revert to the previous settings. • Manual Signature Updates: To manually update the latest signature file, click the Cisco.com link to obtain the file and download it to your computer. Browse to the location of the signature
  • Cisco WS-CE500-24TT | Administration Guide - Page 133
    , a message is logged and a preventative action is taken. For IPS messages to be logged, you must configure IPS as the facility. For more information, see Logs Facility and Severity, page 189 STEP 3 Click Apply to save your settings.
  • Cisco WS-CE500-24TT | Administration Guide - Page 134
    This option is mostly used for troubleshooting purposes. • Detect and Prevent: Choose this option to check for and prevent attacks for this service. Upon detection, a message is logged and a preventative action is taken. For IPS messages to be logged, you must configure IPS as the facility. For more
  • Cisco WS-CE500-24TT | Administration Guide - Page 135
    License Management. After you activate your service, use the links in the navigation pane to configure the ProtectLink services. For more information, see the Cisco ProtectLink Security documentation at: www.cisco.com/go/protectlink.
  • Cisco WS-CE500-24TT | Administration Guide - Page 136
    , page 137. • Remote Access with a Web Browser: A remote worker uses a web browser to initiate a VPN tunnel to access the available services on the corporate network. See Configuring SSL VPN for Browser-Based Remote Access, page 154.
  • Cisco WS-CE500-24TT | Administration Guide - Page 137
    [Figure: network diagram showing Site B (inside network 10.20.20.0) with printers and personal computers] The VPN Wizard helps you to set up an IPsec VPN tunnel. The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC), and assumes a pre-shared key, which greatly simplifies setup
  • Cisco WS-CE500-24TT | Administration Guide - Page 138
    the IP address of the remote LAN. For the example illustrated in Figure 5, the remote site, Site B, has a LAN IP address of 10.20.20.0. • Remote LAN Subnet Mask: Enter the associated subnet mask for the above entered subnet IP Address.
  • Cisco WS-CE500-24TT | Administration Guide - Page 139
    . The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC), and assumes a pre-shared key, which greatly simplifies setup For information about the VPNC recommendations, see: www.vpnc.org/vpnstandards.html.
  • Cisco WS-CE500-24TT | Administration Guide - Page 140
    cisco.com/go/ ciscovpnclient. For Windows, select Cisco VPN Client v5.x. For Mac OS, select Cisco VPN Client v4.x. NOTE A 3-year Cisco Small Business Support Service In the Connection Name and Remote IP Type area, enter the following information: • What is the new connection name?: Enter a name for
  • Cisco WS-CE500-24TT | Administration Guide - Page 141
    Remote WAN's IP Address or Internet Configuring the IKE Policies for IPsec VPN, page 144. • To review or update the configured VPN policy click IPsec > VPN Policies. For more information, see Configuring the IPsec VPN Policies, page 148.
  • Cisco WS-CE500-24TT | Administration Guide - Page 142
    review or update the configured IKE policy, click IPsec > IKE Policies. For more information, see Configuring the IKE Policies for IPsec VPN, page 144. • To configure Cisco VPN Client, see the Application Note located under Technical Documentation at: www.cisco IPsec User Configuration window opens.
  • Cisco WS-CE500-24TT | Administration Guide - Page 143
    Remote Access. • Optionally, review and modify the default settings and policies. See Advanced Configuration of IPsec VPN, page 144. • For Cisco QuickVPN, you also must enable Remote Management. See RMON (Remote Management), page 197.
  • Cisco WS-CE500-24TT | Administration Guide - Page 144
    review and modify the settings that are created by the VPN Wizard. • Viewing the Basic Setting Defaults for IPsec VPN • Configuring the IKE Policies for IPsec VPN • Configuring the IPsec VPN Policies Viewing the Basic Setting Defaults
  • Cisco WS-CE500-24TT | Administration Guide - Page 145
    VPN Advanced Configuration of IPsec table heading. After you click Add or Edit, the IKE Policy Configuration window opens. STEP 3 In the General area, enter the following Mode. NOTE If you choose Main Mode, then you must use an IP address as the identifier type for both the Local device and the Remote
  • Cisco WS-CE500-24TT | Administration Guide - Page 146
    VPN header. There are five algorithms supported by this router: MD5, SHA-1, SHA2-256, SHA2-384 and SHA2-512. NOTE Ensure that the authentication algorithm is configured identically on both sides. • Authentication Method: Select Pre-shared key for a simple password based key. Selecting RSA-Signature
  • Cisco WS-CE500-24TT | Administration Guide - Page 147
    Database (default choice Configuration Utility. If you choose this option, be sure to add the users on the IPsec Users page. See Configuring Password: Enter the password for the security appliance to use when connecting to the remote server.
  • Cisco WS-CE500-24TT | Administration Guide - Page 148
    all the VPN policies except the backup policies. Auto and Manual policies are included. • List of back up Policies: Lists all the policies that are configured as a backup policy. These policies are created when you create a new IKE policy and select the Enable Redundant Gateway option. The policy
  • Cisco WS-CE500-24TT | Administration Guide - Page 149
    update the local WAN gateway for the tunnel based on the optional WAN link configuration. For this type of configuration, Dynamic DNS has to be configured because the IP address will change due to failover. See Dynamic DNS, page 76.
  • Cisco WS-CE500-24TT | Administration Guide - Page 150
    key of the outbound policy. The length of the keys depends on the chosen algorithm: - DES: 8 characters - 3DES: 24 characters - AES-128: 16 characters - AES-192: 24 characters - AES-256: 32 characters - AES-CCM: 16 characters
  • Cisco WS-CE500-24TT | Administration Guide - Page 151
    renegotiated after this interval. The default value is 3600 seconds. - for outbound traffic. When using a lifetime configured in kilobytes (also known as lifebyte) along specifications are generally recommended for advanced users only.
  • Cisco WS-CE500-24TT | Administration Guide - Page 152
    initiator or both. 4. The XAuth configuration should be None or IPsec Host. 5. The policy should be Gateway only, not client. • Failback time to switch from back-up to primary: Enter more information, see IPsec VPN Logs, page 215.
  • Cisco WS-CE500-24TT | Administration Guide - Page 153
    Apply to save your settings. Configuring a Dynamic IP Range The IP address is defined by the Dynamic IP Range and is automatically set by default. However, you can use the Dynamic IP Range page to manually specify a starting and ending range for the IP address. The Dynamic IP Range is used by IPsec
  • Cisco WS-CE500-24TT | Administration Guide - Page 154
    save your settings. 7 Configuring SSL VPN for Browser When the tunnel is established, each user will have an IP address on the internal network, such as 10.10.10 can use SSL VPN to provide access to the following types of services on your network: • Internal websites • Web-enabled applications • NT
  • Cisco WS-CE500-24TT | Administration Guide - Page 155
    with pre-configured access/policy privileges. At this point a IP address and DNS server address from the security appliance. To create a VPN tunnel, see Elements of the SSL VPN, page 156. • Port Forwarding: Port Forwarding service supports
  • Cisco WS-CE500-24TT | Administration Guide - Page 156
    you can review the default settings configure port forwarding to allow access to a limited set of resources. For example, you may want the SSL VPN users to access the email service only. See Configuring SSL VPN Port Forwarding, page 163.
  • Cisco WS-CE500-24TT | Administration Guide - Page 157
    enters a URL. The browser displays a login page with several features that you can configure: 1. Portal Site Title: appears at the top browser 2. Banner Title 3. Banner Message Configurable Areas of the SSL VPN Portal Layout
  • Cisco WS-CE500-24TT | Administration Guide - Page 158
    default layout, click the star (*) button. To view a portal layout, click the hyperlink in the Portal URL column. After you click Add or Edit, the Portal Layout Configuration . For example, enter instructions or information about the
  • Cisco WS-CE500-24TT | Administration Guide - Page 159
    Repeat as needed to add more portal layouts. NOTE Next step (required) Configure the SSL VPN Users. Proceed to the next section Scenario Step 2: default Administrator and Guest users appear in the List of Users table, along with any new users that you add. STEP 2 To add a user, click Add.
  • Cisco WS-CE500-24TT | Administration Guide - Page 160
    SSL VPN Policies give configured SSL users access to services and network resources. A policy applies to a specific network resource, IP address, or IP address range on the LAN, or to other SSL VPN services that are supported by the security appliance. By default, a global PERMIT policy (not
  • Cisco WS-CE500-24TT | Administration Guide - Page 161
    Configuring VPN Configuring SSL VPN for Browser-Based Remote Access 7 • When two policies are in conflict, a more specific policy takes precedence over a general policy. For example, a policy for a specific IP address takes precedence over a policy for a range of addresses that includes this IP
  • Cisco WS-CE500-24TT | Administration Guide - Page 162
    Configuring VPN Configuring SSL VPN for Browser-Based Remote Access 7 STEP 5 In the SSL VPN Policy area, enter the following information: • Apply Policy to: Choose to apply the policy to a Network Resource, an IP address, an IP 197.
  • Cisco WS-CE500-24TT | Administration Guide - Page 163
    are services or groups of LAN IP addresses that are used to easily create and configure SSL Service: Choose one of the supported SSL VPN services to associate with this resource. STEP 4 Click Apply to save your settings. Configuring
  • Cisco WS-CE500-24TT | Administration Guide - Page 164
    Services 3389 VNC (virtual network computing) 5900 or 5800 Adding a TCP Application Configuration for Port Forwarding TCP Application Configuration of Configured Applications for Port Forwarding • List of Configured Host Configured : • Local Server IP Address: Enter the IP address of the internal
  • Cisco WS-CE500-24TT | Administration Guide - Page 165
    an IP address from the corporate subnet, DNS and WINS settings is automatically created. This feature allows access to services on the private network without any special network configuration on the remote SSL VPN client machine.
  • Cisco WS-CE500-24TT | Administration Guide - Page 166
    private networks, thereby allowing access control over specific LAN services. Configuring the SSL VPN Client STEP 1 Click VPN > SSL VPN Client > SSL VPN Client. The SSL VPN Client window opens. STEP 2 Enter the following information: • Enable Split Tunnel Support: Check this box to enable Split
  • Cisco WS-CE500-24TT | Administration Guide - Page 167
    , the user should add the LAN subnet as the Destination Network using this page. NOTE You can configure client routes only if Split Tunnel support is enabled on the SSL VPN Client page. See Configuring the SSL VPN Client, page 166.
  • Cisco WS-CE500-24TT | Administration Guide - Page 168
    in the first column of the table heading. The SSL VPN Client Route Configuration window opens. STEP 3 Enter the following information: • Destination Network: Enter Password: The user can click this link to change his or her password.
  • Cisco WS-CE500-24TT | Administration Guide - Page 169
    VPN VeriSign™ Identity Protection configuration 7 NOTE 1. The Change Password section is available only for users who Protection service, go to: www.cisco.com/go/viptoken. Configuring VeriSign Identity Protection STEP 1 Click VPN > VeriSign ID Protection > VIP Configuration. The VIP Configuration
  • Cisco WS-CE500-24TT | Administration Guide - Page 170
    file. The password encrypts the private key provided in the certificate and is required to decrypt and use it. b. Click Upload to upload the certificate. Managing User Credentials for VeriSign Service Use this page to associate VeriSign tokens with your users. NOTE Your users must be configured in
  • Cisco WS-CE500-24TT | Administration Guide - Page 171
    access policies. There are two default accounts. You can change the user name and password for these accounts but you cannot change the user policies. • admin: The administrator account, which has read-write access to all settings.
  • Cisco WS-CE500-24TT | Administration Guide - Page 172
    default. To enable the account, edit the User Login Policies. See Adding or Editing User Login Policies, page 175. • SSL VPN: An SSL VPN account, which allows access to the services specified in the SSL VPN configuration , page 173.
  • Cisco WS-CE500-24TT | Administration Guide - Page 173
    service as the default timeout setting configure the groups. See Groups, page 173. NOTE For security, a password should contain no dictionary words from any language, and should include a mixture of uppercase and lowercase letters, numbers, and symbols. The password can be up to 30 characters.
  • Cisco WS-CE500-24TT | Administration Guide - Page 174
    User Configuration window opens. The Users Configuration window password fields. - Enter Your Password: Enter your password, as a security check before you can change a password. - New Password: Enter a password that contains alphanumeric, '-' or '_' characters. - Confirm Password: Enter the password
  • Cisco WS-CE500-24TT | Administration Guide - Page 175
    You cannot configure these settings for the system default users, be changed for the default admin account. - Deny changed for the default admin account. • IP Address: Click the third button in the Edit User IP Address window opens, enter the following information: - In the User Policy By Source IP
  • Cisco WS-CE500-24TT | Administration Guide - Page 176
    to perform the following tasks: • Upgrade the firmware version and check for new availability. • Backup custom configuration settings for later restoration. • Restore your saved settings from a backup file or revert to the factory default settings. • Reboot the security appliance. IMPORTANT! During
  • Cisco WS-CE500-24TT | Administration Guide - Page 177
    : - Upload: Check this option to upgrade the firmware. - Upload & Factory Reset: Check this option to upgrade your firmware and reset your security appliance to the default settings. If you choose not to upgrade, you are reminded that a new firmware is available every 24 hours. You can also view the
  • Cisco WS-CE500-24TT | Administration Guide - Page 178
    To manually upgrade your firmware, click Browse, locate and select the configuration file, and then click Upload. When the operation is completed, the security appliance restarts automatically with the new settings. - To upgrade your firmware and reset your security appliance to the factory default
  • Cisco WS-CE500-24TT | Administration Guide - Page 179
    the file, or Upload & Factory Reset to upload the file and reset the security appliance to the factory default settings. A progress bar will appear to display the upgrade status. For information about downloading firmware upgrade files, see Upgrading the Firmware, page 24. The router takes several
  • Cisco WS-CE500-24TT | Administration Guide - Page 180
    use this feature to revert to the previous firmware version that was in use. STEP 1 Click Administration > Firmware & Configuration > Swap Firmware. The Swap Firmware window opens. STEP 2 Click Switch to reboot the security appliance by using the secondary firmware image. NOTE Do not try swap images
  • Cisco WS-CE500-24TT | Administration Guide - Page 181
    the destination. Click Back to return to the Diagnostics page. • DNS Lookup: To retrieve the IP address of any server on the Internet, type the Internet Name in the text box and then capture. To download the report, click Download. Cisco SA500 Series Security Appliances Administration Guide 181
  • Cisco WS-CE500-24TT | Administration Guide - Page 182
    volume of traffic going from this interface. You also can configure the security appliance to place a restriction on the volume one of the following options: - No Limit: The default option, where no limits on data transfer are imposed.
  • Cisco WS-CE500-24TT | Administration Guide - Page 183
    : Choose this option and then click Apply to reset the counter immediately. - Specific Time: Choose this option if you want the is restarted. The email is sent to the address configured in the Logging section, if logging is enabled. See
  • Cisco WS-CE500-24TT | Administration Guide - Page 184
    IP addresses of up to four custom NTP servers. The default NTP Server settings are as follows: - 0.ciscosb.pool.ntp.org - 1.ciscosb.pool.ntp.org - 2.ciscosb.pool.ntp.org - 3.ciscosb.pool.ntp.org STEP 3 Click Apply to save your settings.
  • Cisco WS-CE500-24TT | Administration Guide - Page 185
    and Policy Enforcement Logs, see Active Users, page 213. Local Logging Config You can configure the router to log events such as unicast or broadcast traffic passing through the router, . Uncheck to disable source MAC filtering logs.
  • Cisco WS-CE500-24TT | Administration Guide - Page 186
    Administration Configuring the Logging Options 8 - Output Blocking Event Log: If checked, the device displays logs for packets blocked by the ProtectLink service. - Bandwidth Limit: If for individual firewall rules should be enabled.
  • Cisco WS-CE500-24TT | Administration Guide - Page 187
    Configuring when the Default Outbound Policy This example assumes that your default outbound policy is "Block Always see Configuring Firewall Rules useful when the Default Outbound Policy is This example assumes that your default outbound policy is "Allow Configuring Firewall Rules to Control Inbound and Outbound
  • Cisco WS-CE500-24TT | Administration Guide - Page 188
    configure Server Address: Enter the IP address or Internet Name password. To disable authentication, select None. • Respond to Identd from SMTP Server: Check this box to configure by Schedule area, configure the following settings configured so that you can use the Send Log function from the Status
  • Cisco WS-CE500-24TT | Administration Guide - Page 189
    IP address or the Internet name of the server in the SysLog Server field. STEP 6 Click Apply to save your settings. Logs Facility and Severity A variety of events can be captured and logged for review Syslog definition is LOG_NOTICE.
  • Cisco WS-CE500-24TT | Administration Guide - Page 190
    the certificate is issued. • Issuer Name: The name of the CA that issued the certificate. • Expiry Time: The date after which the certificate becomes invalid.
  • Cisco WS-CE500-24TT | Administration Guide - Page 191
    download the router's certificate (.pem file), click the Download button under the Download Settings area. STEP 3 To request a certificate from the CA, click Generate CSR.
  • Cisco WS-CE500-24TT | Administration Guide - Page 192
    ) used to sign the certificate. • Signature Key Length: Length of the signature, either 512 or 1024. • (Optional) IP Address, Domain Name, and Email Address b. Click Generate. A new certificate request is created and added to the Certification Signing Request (CSR) table. To view the request, click
  • Cisco WS-CE500-24TT | Administration Guide - Page 193
    Add or Edit, the Radius Server Configuration window opens. STEP 3 Enter the following information: • Authentication Server IP Address: Enter the IP address of the authenticating Radius Server. STEP 4 Click Apply to save your settings.
  • Cisco WS-CE500-24TT | Administration Guide - Page 194
    spyware, viruses and other malware. IPS (Intrusion Prevention System) Provides protection against worms, attacks, and malware. This license is valid for one year. For more information about IPS, see Configuring IPS, page 131.
  • Cisco WS-CE500-24TT | Administration Guide - Page 195
    Advanced) page, under Intrusion Prevention System (IPS), click Install License. The License Management system automatically updates the seat count and expiration date every 24 hours based on changes made to the licensing server. However
  • Cisco WS-CE500-24TT | Administration Guide - Page 196
    option, enter your PAK ID and Cisco.com username and password. These credentials are required for the device to authenticate to the Cisco server. Make sure that the security appliance is set to the current time, or the license will not install properly. See Configuring the Time Settings, page 184
  • Cisco WS-CE500-24TT | Administration Guide - Page 197
    , the router is accessible to anyone who knows its IP address. Since a malicious WAN user can reconfigure the router and misuse it in many ways, it is highly recommended that you change the admin and guest passwords before continuing.
  • Cisco WS-CE500-24TT | Administration Guide - Page 198
    By default, Remote management is disabled. To enable WAN access to the configuration GUI check default password. - IP Address Range: If this option is selected, enter the From: starting IP address for the allowed range and To: ending IP
  • Cisco WS-CE500-24TT | Administration Guide - Page 199
    a remote means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security. The router supports the SNMPv2c protocol version and can send traps to a specified community.
  • Cisco WS-CE500-24TT | Administration Guide - Page 200
    the first column of the table heading. The SNMP Configuration window opens. STEP 3 Enter the following information: • IP Address: Enter the IP Address of the SNMP manager or trap agent. . STEP 3 Click Apply to save your settings.
  • Cisco WS-CE500-24TT | Administration Guide - Page 201
    to Live: This is expressed in hops for each UPnP packet. This is the number of steps a packet is allowed to propagate before being discarded. Small values will limit the UPnP broadcast range. STEP 3 Click Apply to save your settings.
  • Cisco WS-CE500-24TT | Administration Guide - Page 202
    will only be visible to the hosts belonging to the associated VLANs. By default, LAN/Default-VLAN is the broadcasting domain. STEP 3 Click Apply to add the VLAN. The VLAN associated to the service appears in the List of VLANs table.
  • Cisco WS-CE500-24TT | Administration Guide - Page 203
    Network Management Bonjour 9 To dissociate the VLAN from the service, check the box next to the appropriate VLAN and click Delete. .
  • Cisco WS-CE500-24TT | Administration Guide - Page 204
    • VPN Status • Active Users • View Logs • CDP Neighbor • LAN Devices • Reports To access the Status pages click Status from the Configuration Utility menu bar. Device Status The Device Status section consist of the following pages: • Device Status • Resource Utilization • Interface Statistics • Port
  • Cisco WS-CE500-24TT | Administration Guide - Page 205
    of logs in each level is displayed. Routing Mode Displays the routing mode of the router (NAT or Classical routing), WAN Mode Displays the WAN configuration mode of the router (Single WAN port, Autorollover, or Load Balancing).
  • Cisco WS-CE500-24TT | Administration Guide - Page 206
    Server, or Relay. WAN Interface IP Address IP address for the primary (dedicated) interface has an IP. Optional Port (WAN/DMZ/LAN) IP address IP address of the IP. Access Points (only applies to SA 520W) Shows how many access points are configured of configured Site-to-Site VPN tunnels.
  • Cisco WS-CE500-24TT | Administration Guide - Page 207
    CPU idle, and CPU waiting for IO. Displays the memory status of system Poll Interval Start Stop Number of IP packets leaving the port. Number of port has been active. The uptime will be reset to zero when the security appliance or the
  • Cisco WS-CE500-24TT | Administration Guide - Page 208
    (switch). configured on it. The counters are reset when the device is rebooted. Radio Statistics The radio can have multiple virtual access points configured and active concurrently. This table indicates cumulative statistics for the radio.
  • Cisco WS-CE500-24TT | Administration Guide - Page 209
    Dropped Multicast Name of the access point. Radio number on which the access point is configured. Number of transmitted/received (tx/rx) wireless packets on the access point. Number of multicast packets sent over this access point.
  • Cisco WS-CE500-24TT | Administration Guide - Page 210
    IKE or VPN policy. Displays the IP address of the remote VPN gateway or client. Data transmitted in Kilobytes. Number of IP packets transmitted. Displays the current status button to manually connect or disconnect the VPN tunnel.
  • Cisco WS-CE500-24TT | Administration Guide - Page 211
    Status > VPN Status > SSL VPN Status User Name IP Address Tunnel Specific Fields Local ppp interface Peer PPP Interface IP Tx Packets Tx Dropped Packets Tx Bytes (KB) Rx by the user, the tunnel specific fields will have no values.
  • Cisco WS-CE500-24TT | Administration Guide - Page 212
    the IPsec User associated with the QuickVPN tunnel. Displays the IP address of the remote QuickVPN client. This could be NAT/Public IP if the client is behind the NAT router. Displays the to disable the automatic page refresh feature.
  • Cisco WS-CE500-24TT | Administration Guide - Page 213
    IP address Login Time Disconnect A unique identifier for the user. A group to which the logged-in user belongs. IP level and facility type. For information about configuring the logs, see Configuring the Logging Options, page 185. STEP
  • Cisco WS-CE500-24TT | Administration Guide - Page 214
    to wireless. IPS Displays logs generated by the Intrusion Prevention System (IPS). ProtectLink Displays logs for ProtectLink Gateway and Endpoint services. VPN Displays IKE sent to the email addresses that you configured in
  • Cisco WS-CE500-24TT | Administration Guide - Page 215
    configured on the Firewall Logs & E-mail page (under Administration menu) before clicking Send Log. CDP Neighbor The Cisco Discovery Protocol (CDP) provides information about other devices that are connected to this device and that support the CDP protocol. The page displays information specific
  • Cisco WS-CE500-24TT | Administration Guide - Page 216
    Switch, HHost, I-IGMP, r-repeater. Platform name of the neighboring device. Interface identifier of the neighbor. LAN Devices The LAN Devices page displays all the hosts that are connected to the LAN network. For each device, the page displays the IP Reset Data to reset the values to 0. NOTE
  • Cisco WS-CE500-24TT | Administration Guide - Page 217
    reset the security appliance to the factory default settings (including firewall IP address 192.168.75.1). If you do not want to reset to factory default settings and lose your configuration . The factory default login name is cisco and the password is cisco. Ensure that CAPS LOCK is off
  • Cisco WS-CE500-24TT | Administration Guide - Page 218
    Troubleshooting Internet Connection A Symptom: The security appliance does not save my configuration changes. Recommended action: STEP 1 When entering configuration settings, click Apply before ISP address, see the next symptom.
  • Cisco WS-CE500-24TT | Administration Guide - Page 219
    of its designated Domain Name System (DNS) servers. Configure your PC to recognize those addresses. For details, see your operating system documentation. STEP 2 On your PC, configure the security appliance to be its TCP/IP gateway.
  • Cisco WS-CE500-24TT | Administration Guide - Page 220
    action: STEP 1 If you have just configured the security appliance, wait at least 5 minutes, click Administration > Time Zone. STEP 2 Review the settings for the date and time. Savings Time. STEP 3 Click Apply to save your settings.
  • Cisco WS-CE500-24TT | Administration Guide - Page 221
    the network configuration: • Verify that the Ethernet card driver software and TCP/IP software are installed and configured on the PC. • Verify that the IP address for the security appliance and PC are correct and on the same subnet.
  • Cisco WS-CE500-24TT | Administration Guide - Page 222
    10 specifies a maximum of 10 tries and is the IP address of a remote device such as your service provider's DNS server. Example: ping -n 10 • Check that the PC has the IP address of your firewall is listed as the default gateway. (If the IP configuration of your PC is assigned by DHCP
  • Cisco WS-CE500-24TT | Administration Guide - Page 223
    restart automatically; manually restart it to make the default settings effective. After a restore to factory defaults, the following settings apply: • LAN IP address: 192.168.75.1 • Username: cisco • Password: cisco • DHCP server on LAN: enabled • WAN port configuration: Get configuration via DHCP
  • Cisco WS-CE500-24TT | Administration Guide - Page 224
    list, you can create a custom service for that purpose. See Creating Custom Services, page 104. ANY AIM BGP BOOTP_CLIENT BOOTP_SERVER CU-SEEME:UDP CU-SEEME:TCP DNS:UDP DNS:TCP FINGER FTP HTTP HTTPS ICMP-TYPE-3 ICMP-TYPE-4 ICMP-TYPE-5
  • Cisco WS-CE500-24TT | Administration Guide - Page 225
    Standard Services ICMP-TYPE-6 ICMP-TYPE-7 ICMP-TYPE-8 ICMP-TYPE-9 ICMP-TYPE-10 ICMP-TYPE-11 ICMP-TYPE-13 ICQ IMAP2 IMAP3 IRC NEWS NFS NNTP PING POP3 PPTP RCMD REAL-AUDIO REXEC RLOGIN RTELNET RTSP:TCP RTSP:UDP SFTP SMTP SNMP:TCP
  • Cisco WS-CE500-24TT | Administration Guide - Page 226
    Standard Services SNMP:UDP SNMP-TRAPS:TCP SNMP-TRAPS:UDP SQL-NET SSH:TCP SSH:UDP STRMWORKS TACACS TELNET TFTP VDOLIVE
  • Cisco WS-CE500-24TT | Administration Guide - Page 227
    Technical Specifications and 1 X USB Connector for USB • 1 X USB Connector for USB 2.0 2.0 • 1 X Power switch • 1 X Power switch • 3 X external antennas 32 to 104ºF (0 to 40ºC) 32 to 104ºF (0 to 40 104ºF (0 to 40ºC)
  • Cisco WS-CE500-24TT | Administration Guide - Page 228
    (TX) N/A Power (default) 11dBm N/A Physical Specifications Form Factor 1 RU, 19-in. rack-mountable 1 RU, 19-in. rack-mountable 1 RU, 19-in. rackmountable Dimensions (H x W x Weight (with 4.91 lb 5.15 Power Supply) 5.14 lb
  • Cisco WS-CE500-24TT | Administration Guide - Page 229
    Factory Default Settings General Settings Feature Setting Host Name Model number Device Name Model number Administrator Username cisco Administrator Password cisco enable SNMP - Trusted Peer IP address SNMP Agent disable
  • Cisco WS-CE500-24TT | Administration Guide - Page 230
    Factory Default Settings General Settings D Feature Setting SNMP Version SNMP V1 & V2c, System Logging - Log System Errors enable System Logging - Configuration enable Changes Email Server Requires Authentication disable Cisco Discovery Protocol enabled on LAN / disabled on WAN port
  • Cisco WS-CE500-24TT | Administration Guide - Page 231
    Factory Default Settings Router Settings Router Settings Feature VLAN - Voice, Name VLAN - Voice, VLAN Number (802.1q tagged packets) VLAN - Voice, IP Address VLAN - Voice, IP Address Distribution VLAN - Voice, Start IP Address VLAN - Voice, End IP Address VLAN - Voice, Subnet Mask VLAN - Data,
  • Cisco WS-CE500-24TT | Administration Guide - Page 232
    Factory Default Settings Router Settings D Feature HTTPS Remote Access WAN1 IP address assignment WAN1 - MTU WAN1- Outgoing Traffic Bandwidth Limit Allow ICMP echo replies (good for validating connectivity) HTTPS Remote Access WAN2 IP address assignment WAN2 - MTU WAN2- Outgoing Traffic Bandwidth
  • Cisco WS-CE500-24TT | Administration Guide - Page 233
    Factory Default Settings Router Settings Feature Setting IPSec - Signaling Authentication IKE with PSK - Keying Group Description Attribute DH Group 2 (1024 bit) IPSec - Signaling Authentication SHA1 - Phase 2 - Hash Algorithm
  • Cisco WS-CE500-24TT | Administration Guide - Page 234
    (Management) DHCP Client VLAN - Data, IP Address (Failover See Product Tab when no DHCP Server Available) VLAN - Data, Subnet Mask (Failover when no DHCP Server Available) 255.255.255.0 VLAN - Data, Name (optional) Data VLAN
  • Cisco WS-CE500-24TT | Administration Guide - Page 235
    Factory Default Settings Wireless Settings Feature SSID Name SSID Broadcast Wireless Isolation ( / Multicast Rate Limiting Broadcast / Multicast Rate Limit Multicast traffic rate per radio Setting cisco-data disable disable 0 1812 3600 Disabled enabled Mixed (802.11b,g,n) Auto disabled All 100
  • Cisco WS-CE500-24TT | Administration Guide - Page 236
    Setting MAC Authentication Default Action Permit Load Balancing Mode disabled 802.1d Spanning tree mode on wired / WDS link disabled Country or Band code for Radio such as FCC, ETSI etc. Depends on SKU Channel Bandwidth 40Mhz Maximum associations 200 supported Antenna Selection
  • Cisco WS-CE500-24TT | Administration Guide - Page 237
    Factory Default Settings Storage Storage D Feature Setting VLAN - Data, IP Address Assignment (Management) DHCP Client VLAN - Data, IP Address (Failover See Product Tab when no DHCP Server Available) VLAN Sessions 5 minutes
  • Cisco WS-CE500-24TT | Administration Guide - Page 238
    Factory Default Settings Security Settings D Feature Disconnect Stalled Sessions Maximum Connections per IP Address Default File Creation Attributes (Group Read/Write, Everyone Read/Write Enable Enable 128 max/sec 15 packets/sec
  • Cisco WS-CE500-24TT | Administration Guide - Page 239
    Factory Default Settings Security Settings Feature ICMP Flood (ICMP packets/sec) Setting 100 packets/sec
  • Cisco WS-CE500-24TT | Administration Guide - Page 240
    www.cisco.com/support (Log in required) Cisco Small Business Support and Resources Phone Support Contacts www.cisco.com/go/smallbizhelp www.cisco.com/go/sbsc Software Quick VPN Software www.cisco.com/go/qvpn Cisco VPN Client www.cisco.com/go/ciscovpnclient SA500 Firmware Downloads www.cisco

Cisco Small Business
SA500 Series Security Appliances
ADMINISTRATION
GUIDE