Home » Cisco Manuals » Networking » Cisco SA520-K9 » Manual Viewer

Cisco SA520-K9 Administration Guide - Page 111

Configuring MAC Filtering to Allow or Block Traffic, Configuring IP/MAC Binding to Prevent

UPC - 882658266744

Add to My Manuals
Save this manual to your list of manuals

Page 111 highlights

Firewall Configuration Configuring Firewall Rules to Control Inbound and Outbound Traffic 4 • You can allow or block traffic from specified MAC addresses. For more information, see Configuring MAC Filtering to Allow or Block Traffic, page 119 • You can associate IP addresses with MAC addresses to prevent spoofing. For more information, see Configuring IP/MAC Binding to Prevent Spoofing, page 128 STEP 1 Click Firewall > Firewall > IPv4 Rules or IPv6 Rules, or for IPv4 rules, you can use the Getting Started (Advanced) page. In the Firewall and NAT Rules section, click Configure Firewall and NAT Rules. The Firewall Rules window opens. Any existing rules appear in the List of Available Firewall Rules table. For IPv4 rules, you can view the list of available rules by zone. Choose the source and destination from the From Zone and To Zone drop-down menu and click Display Rules. STEP 2 To add a rule, click Add. Other options: Click the Edit button to edit an entry. To delete an entry, check the box and then click Delete. To change the status of a rule, check the box and then click Enable or Disable. To select all entries, check the box in the first column of the table heading. The IPv4 Firewall Rules page includes the option to move a rule up, move a rule down, or move it to a specified location in the firewall rules list. For more information, see Prioritizing Firewall Rules, page 113. If you click Add or Edit, the Firewall Rules Configuration window opens. STEP 3 In the Firewall Rule Configuration area, enter the following information: • From Zone: Chose the source of the traffic that is covered by this rule. For an inbound rule, choose INSECURE (WAN) if the traffic is coming from the Internet or choose DMZ if the traffic is coming from a server on your DMZ. • To Zone: For an inbound rule, choose SECURE (LAN) if the traffic is going to the LAN, or choose DMZ if the traffic is going to a server on your DMZ. - If the From Zone is the WAN, the To Zone can be the public DMZ or secure LAN. - If the From Zone is the LAN, then the To Zone can be the public DMZ or insecure WAN. Cisco SA500 Series Security Appliances Administration Guide 111

Section	Page
Getting Started	10
Feature Overview	10
Device Overview	11
Front Panel	11
Rear Panel	12
Installation	13
Installation Options	13
Hardware Installation	16
Getting Started with the Configuration Utility	17
Connecting to the Configuration Utility	18
Using the Getting Started Pages	19
Navigating Through the Configuration Utility	21
Using the Help System	22
About the Default Settings	22
Basic Tasks	23
Changing the Default User Name and Password	23
Backing Up Your Configuration	24
Upgrading the Firmware	24
Common Configuration Scenarios	25
Networking	36
Configuring the WAN Connection	37
Viewing the WAN Status	39
Creating PPPoE Profiles	40
Configuring an IP Alias	41
Configuring the LAN	43
About the Default LAN Settings	43
Configuring the LAN	44
Viewing the LAN Status	46
VLAN Configuration	46
DHCP Reserved IPs	52
DHCP Leased Clients	53
Configuring an IGMP Proxy	53
Configuring the Optional Port as a LAN Port	53
Configuring the Optional WAN	54
Configuring Auto-Rollover, Load Balancing, and Failure Detection	57
Configuring the Protocol Bindings for Load Balancing	60
Configuring a DMZ	61
Configuring the DMZ Settings	64
DMZ Reserved IPs	66
DMZ DHCP Leased Clients	67
Routing	67
Routing	67
Static Routing	68
Dynamic Routing	69
Port Management	70
Configuring the Ports	70
Configuring SPAN (Port Mirroring)	71
QoS Bandwidth Profiles	72
Creating QoS Bandwidth Profiles for WAN Interfaces	72
Traffic Selectors	73
LAN QoS	74
Enabling LAN QoS	74
Port CoS Mapping	75
Port DSCP Mapping	75
DSCP Remarking	75
Dynamic DNS	76
Configuring IPv6 Addressing	77
IP Routing Mode	78
Configuring the IPv6 WAN Connection	78
Configuring the IPv6 LAN	80
IPv6 LAN Address Pools	82
IPv6 Multi LAN	83
IPv6 Static Routing	83
Routing (RIPng)	84
6to4 Tunneling	85
IPv6 Tunnels Status	85
ISATAP Tunnels	86
MLD Tunnels	87
Router Advertisement Daemon (RADVD)	88
Configuring Router Advertisement	88
Adding RADVD Prefixes	89
Wireless Configuration for the SA520W	91
Configuring an Access Point	91
Step 1: Configuring the Wireless Profiles	92
Profile Advanced Configuration	95
Configuring the QoS Settings for a Wireless Profile	95
Controlling Wireless Access Based on MAC Addresses	96
Step 2: Configuring the Access Points	98
Configuring the Radio	99
Basic Radio Configuration	99
Advanced Radio Configuration	101
Firewall Configuration	103
Configuring Firewall Rules to Control Inbound and Outbound Traffic	103
Preliminary Tasks for Firewall Rules	104
Configuring the Default Outbound Policy	107
Configuring a Firewall Rule for Outbound Traffic	107
Configuring a Firewall Rule for Inbound Traffic	110
Prioritizing Firewall Rules	113
Firewall Rule Configuration Examples	114
Using Other Tools to Prevent Attacks, Restrict Access, and Control Inbound Traffic	117
Configuring Attack Checks	118
Configuring MAC Filtering to Allow or Block Traffic	119
Configuring IP/MAC Binding	120
Port Triggering	121
Configuring a Port Triggering Rule to Direct Traffic to Specified Ports	122
Viewing the Port Triggering Status	122
Configuring Session Settings to Analyze Incoming Packets	123
Using Other Tools to Control Access to the Internet	124
Configuring Content Filtering to Allow or Block Web Components	124
Configuring Approved URLs to Allow Access to Websites	126
Configuring Blocked URLs to Prevent Access to Websites	127
Configuring IP/MAC Binding to Prevent Spoofing	128
SIP	129
Intrusion Prevention System	130
Configuring IPS	131
Configuring the IPS Policy	132
Configuring the Protocol Inspection Settings	133
Configuring Peer-to-Peer Blocking and Instant Messaging	134
Using Cisco ProtectLink Security Services	135
Configuring VPN	136
About VPN	136
Configuring a Site-to-Site VPN Tunnel	137
Configuring an IPsec VPN Tunnel for Remote Access with a VPN Client	139
Configuring the User Database for the IPsec Remote Access VPN	142
Advanced Configuration of IPsec VPN	144
Viewing the Basic Setting Defaults for IPsec VPN	144
Configuring the IKE Policies for IPsec VPN	144
Configuring the IPsec VPN Policies	148
Configuring SSL VPN for Browser-Based Remote Access	154
Access Options for SSL VPN	155
Security Tips for SSL VPN	155
Elements of the SSL VPN	156
Scenario Step 1: Customizing the Portal Layout	157
Scenario Step 2: Adding the SSL VPN Users	159
Creating the SSL VPN Policies	160
Specifying the Network Resources for SSL VPN	163
Configuring SSL VPN Port Forwarding	163
SSL VPN Tunnel Client Configuration	165
Viewing the SSL VPN Client Portal	168
VeriSign™ Identity Protection configuration	169
Configuring VeriSign Identity Protection	169
Managing User Credentials for VeriSign Service	170
Administration	171
Users	171
Domains	172
Groups	173
Adding or Editing User Settings	173
Adding or Editing User Login Policies	175
Firmware and Configuration	176
Upgrading Firmware and Working with Configuration Files	176
Maintaining the USB Device	178
Using the Secondary Firmware	180
Diagnostics	180
Measuring and Limiting Traffic with the Traffic Meter	182
Configuring the Time Settings	184
Configuring the Logging Options	185
Local Logging Config	185
IPv6 Logging	187
Remote Logging	188
Logs Facility and Severity	189
Managing Certificates for Authentication	190
Configuring RADIUS Server Records	193
License Management	194
Network Management	197
RMON (Remote Management)	197
CDP	199
SNMP	199
Configuring SNMP	200
Configuring SNMP System Info	200
UPnP	201
Bonjour	202
Configuring Bonjour	202
Associating VLANs	202
Status	204
Device Status	204
Device Status	205
Resource Utilization	207
Interface Statistics	207
Port Statistics	208
Wireless Statistics for the SA520W	208
VPN Status	210
IPsec VPN Status	210
SSL VPN Status	211
Quick VPN Status	212
Active Users	213
View Logs	213
View All Logs	213
IPsec VPN Logs	215
ProtectLink Logs	215
CDP Neighbor	215
LAN Devices	216
Reports	216
Troubleshooting	217
Internet Connection	217
Date and Time	220
Pinging to Test LAN Connectivity	221
Restoring Factory Default Configuration Settings	223
Standard Services	224
Technical Specifications and Environmental Requirements	227
Factory Default Settings	229
General Settings	229
Router Settings	231
Wireless Settings	234
Storage	237
Security Settings	238

Match case Limit results 1 per page

Firewall Configuration

Configuring Firewall Rules to Control Inbound and Outbound Traffic

Cisco SA500 Series Security Appliances Administration Guide

111

•

You can allow or block traffic from specified MAC addresses. For more

information, see

Configuring MAC Filtering to Allow or Block Traffic,

page 119

•

You can associate IP addresses with MAC addresses to prevent spoofing.

For more information, see

Configuring IP/MAC Binding to Prevent

Spoofing, page 128

STEP 1

Click

Firewall

> Firewall > IPv4 Rules

IPv6 Rules

, or for IPv4 rules, you can use

the Getting Started (Advanced) page. In the

Firewall and NAT Rules

section, click

Configure Firewall and NAT Rules

The Firewall Rules window opens. Any existing rules appear in the List of Available

Firewall Rules table.

For IPv4 rules, you can view the list of available rules by zone. Choose the source

and destination from the

From Zone

and

To Zone

drop-down menu and click

Display Rules

STEP 2

To add a rule, click

Add

Other options:

Click the

Edit

button to edit an entry. To delete an entry, check the

box and then click

Delete

. To change the status of a rule, check the box and then

click

Enable

Disable

. To select all entries, check the box in the first column of

the table heading.

The IPv4 Firewall Rules page

includes the option to move a rule up, move a rule

down, or move it to a specified location in the firewall rules list. For more

information, see

Prioritizing Firewall Rules, page 113

If you click

Add

Edit

, the Firewall Rules Configuration window opens.

STEP 3

In the

Firewall Rule Configuration

area, enter the following information:

•

From Zone:

Chose the source of the traffic that is covered by this rule. For an

inbound rule, choose

INSECURE (WAN)

if the traffic is coming from the

Internet or choose

DMZ

if the traffic is coming from a server on your DMZ.

•

To Zone:

For an inbound rule, choose

SECURE (LAN)

if the traffic is going to

the LAN, or choose

DMZ

if the traffic is going to a server on your DMZ.

If the From Zone is the WAN, the To Zone can be the public DMZ or secure

LAN.

If the From Zone is the LAN, then the To Zone can be the public DMZ or

insecure WAN.