Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of
Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners.
The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
This chapter provides information to familiarize you with the product features,
guide you through the installation process, and get started by using web-based
Configuration Utility. It includes the following sections:
1
•Product Overview
•Getting to Know the CVR100W
•Installing the CVR100W
•Connecting the CVR100W
•Getting Started with the Configuration
•Changing the Default Administrative Password
•Using the Connection Status Page
•Using the Getting Started Page
•Verifying the Hardware Installation
•Connecting to Your Wireless Network
Product Overview
Thank you for choosing the Cisco CVR100W Wireless-N VPN Router. The
CVR100W provides simple, affordable, secure business-class connectivity to the
Internet for small office/home office (SOHO) and remote professionals.
The CVR100W is an advanced Internet-sharing network solution for your small
business needs. It allows multiple computers in your office to share an Internet
connection through both wired and wireless connections.
The CVR100W provides four full-duplex 10/100 Fast Ethernet LAN interfaces that
can connect up to four devices. You can connect a Cisco Small Business switch to
one of the available ports to expand your network as needed.
Wireless Access Point
The CVR100W’s wireless access point supports the 802.11n standard with MIMO
technology, which multiplies the effective data rate. This technology results in
better throughput and coverage than that provided by 802.11g networks.
Security
The CVR100W implements WPA Personal, WPA Enterprise, WPA2 personal,
WPA2 Enterprise, and WEP Security, along with other security features, such as
SSID broadcast, MAC address filtering, and access control by schedule per SSID.
Firewall and VPN Access
The CVR100W incorporates a Stateful Packet Inspection (SPI)-based firewall with
Denial of Service (DoS) protection, URL filtering, and access control by schedule
to help keep business assets safe.
Up to three client-to-gateway VPN tunnels can be established by using QuickVPN
to allow mobile or remote workers to securely access your corporate resources
through encrypted virtual links. Users connecting through a VPN tunnel are
attached to your company’s network with secure access to files, e-mail, and your
intranet as if they were in the building.
The CVR100W supports site-to-site VPN for a single gateway-to-gateway VPN
tunnel. In this configuration, the CVR100W creates a secure connection to another
VPN-enabled router. For example, you can configure the CVR100W at a branch site
to connect to the router at the corporate site, so that the branch site can securely
access the corporate network. You could have a router like the Cisco RV220W that
supports ten site-to-site VPN tunnels and have a CVR100W at each remote site to
provide secure connectivity.
The CVR100W’s wireless access point supports Wireless Distribution System
(WDS), which allows the wireless coverage to be expanded without wires.
Quality of Service
The CVR100W supports Wi-Fi Multimedia (WMM) and Wi-Fi Multimedia Power
Save (WMM-PS) for quality of service (QoS).
The CVR100W also supports 802.1p, Differentiated Services Code Point (DSCP),
and class of service (CoS) for wired QoS, which can improve the quality of your
network when using delay-sensitive Voice over IP (VoIP) applications and
bandwidth-intensive video streaming applications.
Virtual Networks
The CVR100W supports multiple Service Set Identifiers (SSIDs) for the use of
virtual networks (up to four separate virtual networks), with 802.1q-based VLAN
support for traffic separation.
WANThe WAN (Internet) port is connected to your Internet device,
such as a cable or DSL modem.
LAN (1–4)These ports provide the LAN connection to network devices,
such as PCs, print servers, or switches.
RESETThe RESET button has two functions:
•Reboot: If the CVR100W has problems connecting to
the Internet, press the RESET button for at least one
second but no more than five seconds with a paper clip
or a pencil tip.
•Restore to Factory Defaults: If you are experiencing
extreme problems with the CVR100W and have tried all
other troubleshooting measures, press and hold in the
RESET button for more than five seconds. This reboots
the unit and restores the factory defaults. The settings
that you have previously made to the CVR100W are lost.
12VDCThe 12VDC port is where you connect the supplied power
adapter (12V/0.5 A).
PowerPress this button to power the CVR100W on and off.
Do-Not-Disturb
Mode Light
•Solid green when the Do-Not-Disturb Mode button is
turned on and the CVR100W is operating normally.
•Flashes green when the Do-Not-Disturb Mode button is
turned on, but the Internet connection has problems.
•Off when the Do-Not-Disturb Mode button is turned off.
The CVR100W can be wall-mounted. The wall-mounting hardware is
user-supplied. The ports on the back panel must face either upward or downward
when mounting the CVR100W to a wall.
WARNING Insecure mounting might damage the device or cause injury. Cisco is not
responsible for damages incurred by insecure wall-mounting.
Connecting the CVR100W
1
By default, the wireless module of the CVR100W is enabled. For the initial
configuration, we recommend that you connect to the CVR100W with an Ethernet
cable. Of course, you can also use a wireless connection. To connect the PC to the
CVR100W's wireless network for the first time, use the default SSID name and
pre-shared key that are provided on the product label at the bottom of the
CVR100W. See Connecting to Your Wireless Network for more information.
STEP 1 Power off all equipment, including the cable or DSL modem, the PC that you will
use to connect to the CVR100W, and the CVR100W itself.
STEP 2 Connect the supplied power adapter to the 12VDC port on the back panel of the
CVR100W. Plug the other end of the power adapter into an electrical outlet. Make
sure that the POWER button is turned off.
CAUTION Use only the power adapter that is supplied with the unit. Using a different power
adapter could damage the unit.
STEP 3 Connection one end of an Ethernet cable to your cable or DSL modem. Connect
the other end to the WAN port on the back panel.
STEP 4 Connect one end of a different Ethernet cable to one of the LAN ports on the back
panel. Connect the other end to an Ethernet port on the PC that you will use to run
web-based Configuration Utility.
NOTE Skip this step if you want to connect the PC to the CVR100W through a
STEP 5 Power on all connected devices, including the cable or DSL modem and the PC,
and wait until the connections are active.
STEP 6 Press the POWER button on the back panel to power on the CVR100W.
STEP 7 To connect the PC to your wireless network for the first time, you must configure
the wireless connection using the default SSID name and pre-shared key. See
Connecting to Your Wireless Network for more information.
A sample configuration is illustrated here.
1
Getting Started with the Configuration
The Setup Wizard and web-based Configuration Utility are supported on
Microsoft Internet Explorer 6.0 or later, Mozilla Firefox 3.0 or later, Apple Safari 3.0
or later, and Google Chrome 5.0 or later.
To log in to web-based Configuration Utility and complete the initial configuration
STEP 1 Start a computer that you connected to the CVR100W. The computer becomes a
STEP 2 Launch a web browser and enter 192.168.1.1 in the address bar. This is the
by using the Setup Wizard:
DHCP client of the CVR100W and receives an IP address in the 192.168.1.xxx
range.
default IP address of the CVR100W.
Introduction
Changing the Default Administrative Password
NOTE The CVR100W automatically changes its IP address to 10.10.10.1 when its
default IP address conflicts with another device in your network.
STEP 3 When the login page appears, choose the language that you prefer to use in the
utility, and then enter the username and password.
The default username is cisco. The default password is cisco. Both username and
password are case sensitive.
STEP 4 Click Log In. The Setup Wizard will now launch.
STEP 5 Follow the on-screen prompts to complete the initial configuration. See Running
the Setup Wizard for more information on completing the Setup Wizard
configuration.
For security reasons, you must change the password from its default setting at
your first login. Please write this password down for future reference. A blank
password is not recommended.
1
Passwords should not contain dictionary words from any language or be the
default password. They should contain a mixture of uppercase and lowercase
letters, numbers, and symbols. Passwords must be at least 8 but no more than 64
characters in length.
After the Setup Wizard is complete, the Connection Status page appears. See
Using the Connection Status Page for more information.
Changing the Default Administrative Password
The administrative password protects your CVR100W from unauthorized access.
For security reasons, you must change the password from its default setting at
your first login.
You can change the default administrative password as instructed by the Setup
Wizard (see Running the Setup Wizard) or by following the instructions in the
Configuring Administrator Account Settings section. If you exit the Setup
Wizard without saving your settings at your first login by clicking Exit, the Change
Password window opens.
By default, the password strength enforcement is enabled on the CVR100W. The
Change Password window displays the minimum password complexity
requirements as follows:
The Connection Status page displays the current WAN, LAN, and WLAN status of
the CVR100W.
FieldDescription
WAN
StatusShows whether the WAN port obtains an IP address
successfully or not. If the WAN port is connected to the
Internet, the network addressing mode that you use to
connect to the Internet will be displayed.
IPIP address of the WAN port that is accessible from the
Internet.
1
MaskSubnet mask for the WAN port.
GatewayDefault gateway for the WAN port.
DNSIP addresses for the primary DNS server and the
secondary DNS server.
LAN
HostName of the LAN host that is connected to the
CVR100W.
IPIP address of the connected LAN host.
MACMAC address of the connected LAN host.
WLAN
Wi-Fi PowerShows whether the Wi-Fi signal strength is 100%,
50%, or off.
You can perform the following actions:
•To refresh the data on the screen, click Refresh.
System SummaryClick this link to open the Status > System
Wireless StatusClick this link to open the Status > Wireless
VPN StatusClick this link to open the Status > VPN Status
Other Resources
CVR100W ResourcesClick this link to open the CVR100W Resources
SupportClick this link to visit the Cisco support community.
1
Summary page. See Viewing System Summary.
Statistics page. See Viewing Wireless Statistics.
page. See Viewing VPN Status.
page.
Returning to the Connection Status Page
To return to the Connection Status page, click the Home Page link near the top
right corner of the page.
Changing Your Preferred Language
To change the language that you prefer to use in the web-based Configuration
Utility, select the language from the Language drop-down menu near the top right
corner of the page.
Viewing the Help Files
To view more information about a configuration page, click the Help link near the
top right corner of the page.
Verifying the Hardware Installation
To verify the hardware installation, complete the following tasks:
•Check the light states. They are described in Getting to Know the
•Connect a computer to an available LAN port and verify that you can
connect to a website on the Internet, such as www.cisco.com.
•Configure a device to connect to your wireless network and verify the
wireless network is functional. See Connecting to Your Wireless Network.
Connecting to Your Wireless Network
To connect a device (such as a computer) to your wireless network, configure the
wireless connection on the device with the wireless security information you
configured for the CVR100W using the Setup Wizard.
NOTE If you want to connect a device to your wireless network to do the initial
configuration for the first time, use the default SSID name and pre-shared key are
provided on the product label at the bottom of the CVR100W.
1
The following steps are provided as an example; you may need to configure your
device differently. For instructions that are specific to your device, consult its
documentation.
STEP 1 Open the wireless connection settings window or program for your device.
Your computer may have special software installed to manage wireless
connections, or you may find wireless connections under the Control Panel in the
Network Connections or Network and Internet window. (The location depends
on your operating system.)
STEP 2 Enter the network name (SSID) you chose for your network in the Setup Wizard.
STEP 3 Choose the type of encryption and enter the security key that you specified in the
Setup Wizard.
If you did not enable security (not recommended), leave the wireless encryption
fields that were configured with the security type and passphrase blank.
STEP 4 Verify your wireless connection and save your settings.
STEP 3 To display an interactive view of the back panel of the CVR100W, click Show
Panel View.
The view of the back panel shows you which ports are used (colored in green) and
allows you to click the port to obtain information about the connection.
The port’s connection information includes:
2
•To view a port’s connection information, click the port.
•To refresh the port information, click Refresh.
•To close the port information sheet, click Close.
Summary
TypeType of the port.
InterfaceShows if it is a WAN or a LAN interface.
Link StatusShows if the port is connected or disconnected.
Speed StatusSpeed and duplex settings of the port.
Auto NegotiationShows if the Auto Negotiation is enabled or disabled
on this port.
Statistics
TX FramesNumber of frames transmitted by the port.
RX FramesNumber of frames received by the port.
The Dashboard page displays the following information:
Device Information
System NameUnit name of the CVR100W.
Firmware VersionFirmware version that the CVR100W is currently
To view complete WAN settings, click details. See Configuring WAN Settings
for more information.
MAC AddressMAC address of the WAN port.
IPv4 AddressIPv4 address of the WAN port.
IPv6 AddressIPv6 address of the WAN port (if IPv6 is enabled).
StateShows if the WAN port is active or inactive for routing.
If the WAN port is active for routing, the WAN state
shows “Up.” If the WAN port is inactive for routing, the
WAN state shows “Down.”
NOTE The state “Down” means that the network
detection fails.
Wireless
Displays the status of all four predefined SSIDs. To view complete wireless
settings, click details. See Viewing Wireless Statistics for more information.
Signal StrengthShows if the Wi-Fi signal strength is 100%, 50%, or
cisco-xxxxShows if the predefined SSID is enabled or disabled.
VPN
QuickVPN UsersNumber of QuickVPN users.
Viewing System Summary
The System Summary page displays a summary of the CVR100W’s settings.
To view a summary of system settings:
off.
STEP 1 Choose Status > System Summary.
STEP 2 From the Refresh Rate drop-down menu, choose a refresh rate.
The System Summary page displays the following information:
2
System Information
Firmware VersionFirmware version that the CVR100W is currently
using.
Firmware MD5
Checksum
System Up TimeDuration for which the system has been running.
Current TimeTime of day.
PID VIDProduct ID and version ID of the CVR100W.
IPv4 Configuration
LAN IPLAN address of the CVR100W.
WAN IPWAN address of the CVR100W.
GatewayIP address of default network gateway.
ModeDisplays Gateway if NAT is enabled, or Router.
Message-Digest algorithm used to verify the integrity
of files.
When the WAN port is configured to obtain an IP
address from your ISP using Dynamic Host
Configuration Protocol (DHCP), you can click Release
to release its IP address, or click Renew to obtain a
new IP address.
DNS 1Primary DNS server IP address of the WAN port.
DNS 2Secondary DNS server IP address of the WAN port.
DNS 3Third DNS server IP address of the WAN port.
DDNSShows if the Dynamic DNS (DDNS) is enabled or
disabled.
IPv6 Configuration (if IPv6 address mode is enabled)
Static DHCP BindingCheck to enable Static DHCP Binding for this device.
STEP 2 Click Save to apply your settings.
Viewing Port Statistics
The Port Statistics page displays port statistics.
2
The CVR100W will always assign this IP address to
the device.
To view port statistics:
STEP 1 Choose Status > Port Statistics.
STEP 2 From the Refresh Rate drop-down menu, choose a refresh rate. This causes the
page to re-read the statistics from the CVR100W and refresh the page.
STEP 3 (Optional) By default, byte data is displayed in bytes and other numerical data is
displayed in long form. To show the bytes in kilobytes (KB) and the numerical data
in round-up form, check Show Simplified Statistic Data and click Save.
STEP 4 To reset the port statistics counters, click Clear Counters.
The Port Statistics table displays the data transfer statistics for the WAN, LAN, and
WLAN ports:
InterfaceName of the network interface.
PacketNumber of the received and sent packets through the
interface.
ByteNumber of the received and sent bytes of information
per second.
ErrorNumber of the received and sent packet errors.
DroppedNumber of the received and sent packets that were
MulticastNumber of multicast packets sent over this radio.
CollisionsNumber of signal collisions that occurred on this port.
Viewing Wireless Statistics
2
dropped.
A collision occurs when the port tries to send data at
the same time as a port on another router or computer
that is connected to this port.
The Wireless Statistics page shows a cumulative total of relevant wireless
statistics for the radio on the CVR100W.
To view wireless statistics:
STEP 1 Choose Status > Wireless Statistics.
STEP 2 From the Refresh Rate drop-down menu, choose a refresh rate.
STEP 3 (Optional) By default, byte data is displayed in bytes and other numerical data is
displayed in long form. To show the bytes in kilobytes (KB) and the numerical data
in round-up form, check Show Simplified Statistic Data and click Save.
STEP 4 To reset the wireless statistics counters, click Clear Counters.
The Wireless Statistics table displays the following information:
SSID NameName of the wireless network.
PacketNumber of received and sent wireless packets for
each SSID, and total number of received and sent
wireless packets for all SSIDs.
ByteNumber of received and sent bytes of information for
each SSID, and total number of received and sent
bytes of information for all SSIDs.
ErrorNumber of received and sent packet errors for each
SSID, and total number of received and sent packet
errors for all SSIDs.
DroppedNumber of received and sent packets dropped by
each SSID, and total number of received and sent
packets dropped by all SSIDs.
MulticastNumber of multicast packets sent over each SSID, and
total number of multicast packets sent over all SSIDs.
CollisionsNumber of packet collisions reported to each SSID,
and total number of packet collisions for all SSIDs.
Viewing Guest Network Status
The Guest Network Status page displays information for all wireless guests
connected to the SSID4 of the CVR100W.
Up to ten wireless guests can be allowed to simultaneously connect to the SSID4.
The default value is five. The CVR100W will block the new requests when the
number of the connected guests reaches the limitation. A warning message will
be appeared at this time.
The CVR100W limits the time (two hours) that each guest can be connected to the
SSID4. The guest connection will be terminated over the time limit. You can also
manually terminate the guest connection at any time.
To view guest network status:
STEP 1 Choose Status > Guest Network Status.
The Guest Network Status table displays the following information:
Host NameName of the device connected to the SSID4 of the
StatusShows if the device is connected to the Internet using
STEP 2 To manually disconnect the guest connection, click Disconnect.
Viewing VPN Status
The VPN Status page displays the status of client-to-gateway VPN connections.
To view VPN user connection status:
2
the CVR100W.
STEP 1 Choose Status > VPN Status.
The VPN User Connection Status table displays the following information:
UsernameUsername of the VPN user associated with the
QuickVPN tunnel.
Remote IPIP address of the remote QuickVPN client. This could
be a NAT/Public IP if the client is behind the NAT router.
StatusCurrent status of QuickVPN client. OFFLINE means that
the QuickVPN tunnel is not initiated or established by
the VPN user. ONLINE means that the QuickVPN tunnel,
initiated or established by the VPN user, is active.
Start TimeTime of the VPN user establishing a connection.
End TimeTime of the VPN user ending a connection.
Duration (Seconds)Duration between the VPN user establishing and
ending a connection.
ProtocolProtocol that the user uses, such as QuickVPN.
STEP 2 To manually terminate a VPN session, click Disconnect.
STEP 4 To delete all entries in the table, click Clear Logs.
STEP 5 To save all log messages to your local PC, click Save Logs.
STEP 6 To specify the number of entries to show per log, choose a number from the drop-
down menu.
STEP 7 Use the page navigation buttons to move between log pages.
Viewing IPsec Connection Status
2
The IPSec Connection Status page displays the status of all site-to-site VPN
policies on the CVR100W. These policies are configured on the VPN > Advanced VPN Setup page.
To view the IPsec connection status:
STEP 1 Choose Status > IPSec Connection Status.
STEP 2 From the Refresh Rate drop-down menu, choose a refresh rate. This action
causes the page to reread the status and statistics from the CVR100W and refresh
the page.
STEP 3 (Optional) By default, byte data is displayed in bytes and other numerical data is
displayed in long form. To show the bytes in kilobytes (KB) and the numerical data
in rounded-up form, check Show Simplified Statistic Data and click Save.
In the Active IPSec Security AssociationTab le , the following information for each
site-to-site VPN policy is displayed:
Policy NameName of the VPN policy for which data is displayed.
STEP 4 Click Connect to manually establish a VPN connection, or click Disconnect to
manually terminate an active VPN connection.
2
DurationElapsed time for which the connection is or was active.
PacketReceived (Rx) and transmitted (Tx) packets on the
connection.
ByteReceived (Rx) and transmitted (Tx) bytes on the
connection.
StateState of the connection (for example, active or not
connected).
Viewing CSC Information
The CSC Information page displays the status for all wireless clients that are
associated with the Cisco Simple Connect (CSC) wireless network of the
CVR100W.
To view information for all CSC wireless clients:
STEP 1 Choose Status > CSC Information.
The following information for each CSC wireless client is displayed:
MAC AddressMAC address of the connected wireless client.
Login ModeMethod how the wireless client connects to the CSC
Leave TimeRemaining online time for this wireless client if the
wireless network of the CVR100W.
CVR100W limits the time to access the Internet.
STEP 2 Click Disconnect to manually terminate a CSC wireless connection.
This chapter describes how to configure the CVR100W's network settings. It
includes the following sections:
•Configuring WAN Settings
•Configuring LAN Settings
•Configuring Routing
•Configuring Dynamic DNS
•Configuring IP Mode
•Configuring IPv6
3
Configuring WAN Settings
Configuring WAN properties for an IPv4 network differs depending on which type
of Internet connection that you have.
The Internet Setup page allows you to configure how to connect the WAN
interface to the Internet. The CVR100W supports four types of Internet
connections:
•Configuring Automatic Configuration (DHCP)
•Configuring PPPoE
•Configuring Static IP
•Configuring Optional Settings
Sometimes, you may need to set the MAC address of the CVR100W’s WAN port to
be the same MAC address as your PC’s or some other MAC address.
STEP 2 From the Internet Connection Type drop-down menu, choose Automatic
STEP 3 (Optional) To configure other optional settings, see Configuring Optional
STEP 4 Click Save.
3
Configuring Automatic Configuration (DHCP)
If your Internet Service Provider (ISP) uses the Dynamic Host Control Protocol
(DHCP) to assign you an IP address, you will receive a dynamic IP address that is
newly generated each time you log in.
To configure the DHCP settings:
Configuration - DHCP.
Settings.
Configuring PPPoE
To configure the PPPoE settings:
STEP 1 Choose Networking > WAN > Internet Setup.
STEP 2 From the Internet Connection Type drop-down menu, choose PPPoE.
STEP 3 In the PPPoE Settings area, enter the following information (you may need to
contact your ISP to obtain your PPPoE login information):
UsernameEnter your username assigned to you by the ISP.
PasswordEnter your password assigned to you by the ISP.
Connect on DemandSelect this option if your ISP charges based on the
amount of time that you are connected. When you
select this option, the Internet connection is on only
when traffic is present. If the connection is idle—that
is, no traffic is flowing—the connection is closed. If you
click Connect on Demand, enter the number of
minutes after which the connection shuts off in the
MaxIdle Time field.
Keep AliveWhen you select this option, the Internet connection is
always on.
If you click Keep Alive, enter the number of seconds
that the CVR100W attempts to reconnect after it is
disconnected in the Redial period field.
Authentication TypeChoose the authentication type:
•Auto Negotiation: The server sends a
configuration request specifying the security
algorithm set on it. Then, the CVR100W sends
back authentication credentials with the
security type sent earlier by the server.
•PAP : The CVR100W uses the Password
Authentication Protocol (PAP) to connect to the
ISP.
•CHAP: The CVR100W uses the Challenge
Handshake Authentication Protocol (CHAP)
when connecting with the ISP.
•MS-CHAP or MS-CHAPv2: The CVR100W
uses Microsoft Challenge Handshake
Authentication Protocol when connecting with
the ISP.
STEP 4 (Optional) To configure other optional settings, see Configuring Optional
Settings.
STEP 5 Click Save.
Configuring Static IP
If your ISP assigned you a permanent IP address, perform the following steps to
configure your WAN settings:
STEP 1 Choose Networking > WAN > Internet Setup.
STEP 2 From the Internet Connection Type drop-down menu, choose Static IP.
STEP 3 In the Static IP Settings area, enter the following information:
Sometimes, you may need to set the MAC address of the CVR100W’s WAN port to
be the same MAC address as your PC’s or some other MAC address. This is called
MAC address cloning.
For example, some ISP registers your computer’s NIC card MAC address when
the service is first installed. When you place a router behind the cable modem or
DSL modem, the MAC address from the CVR100W’s WAN port is not recognized
by the ISP.
In this case, to configure your CVR100W to be recognized by the ISP, clone the
MAC address of the WAN port to be the same as your computer’s MAC address.
To configure a MAC address clone:
STEP 1 Choose Networking > WAN > MAC Address Clone.
STEP 2 In the MAC Address Clone field, check Enable to enable MAC address cloning.
STEP 3 Set the MAC address of the CVR100W’s WAN port, do one of the following:
•To set the MAC address of the WAN port to your PC’s MAC address,
click Clone My PC’s MAC.
•To specify a different MAC address, enter it in the MAC Address field.
STEP 5 Open a new browser window and enter the new IP address of the CVR100W to
3
reconnect.
Configuring DHCP
By default, the CVR100W functions as a DHCP server to the hosts on the Wireless
LAN (WLAN) or LAN network, assigns IP addresses, and provides DNS server
addresses.
With DHCP enabled, the CVR100W’s IP address serves as the gateway address to
your LAN. The CVR100W assigns IP addresses to PCs on the LAN from a pool of
addresses. The CVR100W tests each address before it is assigned to avoid
duplicate addresses on the LAN.
By default, the CVR100W assigns an IP address to each host on the LAN from the
default IP address pool (192.168.1.100 to 192.168.1.149). If you need to set any host
with a static IP address, use an IP address from the 192.168.1.2 to 192.168.1.99 IP
address pool. This prevents conflicts with the default IP address pool.
To configure the DHCP settings:
STEP 1 Choose Networking > LAN > LAN Configuration.
STEP 2 (Optional) Select the VLAN that you want to edit from the drop-down menu.
STEP 3 In the DHCP Server field, select one of the following options:
EnableClick this radio button to allow the CVR100W to act as
the DHCP server in the network.
DisableClick this radio button to disable DHCP on the
CVR100W.
If you want another device on your network to be the
DHCP server, or to manually configure the network
settings of all of your PCs, disable DHCP.
DHCP RelayClick this radio button to select DHCP Relay to
configure the CVR100W to act as a relayer of
IP addresses by a different DHCP server.
STEP 4 If you select Enable, enter the following information:
Starting IP AddressEnter the first address in the IP address pool. Any new
DHCP client joining the LAN is assigned an IP address
in this range (the ending IP address in the pool is
determined by the value that you enter in the
Maximum Number of DHCP Users field).
Maximum Number of
DHCP Users
IP Address Range(Read-only) Displays the range of IP addresses
Client Lease timeEnter the duration (in hours) for which IP addresses are
Static DNS 1Enter the IP address of the primary DNS server.
Static DNS 2Enter the IP address of the secondary DNS server.
Static DNS 3Enter the IP address of the tertiary DNS server.
WINSEnter the IP address of the primary WINS server.
STEP 5 If you select DHCP Relay, enter the address of the relay gateway in the Remote
DHCP Server field. The relay gateway transmits DHCP messages between
multiple subnets.
STEP 6 Click Save.
Enter the maximum number of DHCP clients.
available to the DHCP clients.
leased to clients.
Configuring VLAN
A Virtual LAN (VLAN) is a group of endpoints in a network that are associated by
function or other shared characteristics. Unlike LANs, which are usually
geographically based, VLANs can group endpoints without regard to the physical
location of the equipment or users.
To c re a te a V L A N :
STEP 1 Choose Networking > LAN > VLAN Configuration.
VLAN IDEnter the numerical VLAN ID to assign to endpoints in
the VLAN membership. The number that you enter
must be between 4 and 15. VLAN ID 1 is reserved for
the default VLAN, which is used for untagged frames
received on the interface. VLAN ID 2 is reserved
cannot be used. VLAN ID 3 is reserved for the guest
network.
DescriptionEnter a description to identify the VLAN.
Port 1You can associate VLANs on the CVR100W to the LAN
Port 2
Port 3
ports on the device. By default, all 4 ports belong to
VLAN1. You can edit these ports to associate them
with other VLANs.
Port 4
STEP 4 Click Save.
STEP 5 To edit the settings of a VLAN, select the VLAN and click Edit. To delete a selected
VLAN, click Delete. Click Save to apply your changes.
Choose the outgoing frame type for each port:
•Untagged: The port is an untagged member of
the VLAN. Frames of the VLAN are sent
untagged to the port VLAN.
•Tagged: The port is a tagged member of the
VLAN. Frames of the VLAN are sent tagged to
the port VLAN.
•Excluded: The port is currently not a member of
the VLAN. This is the default for all the ports
when the VLAN is first created.
STEP 2 From the VLAN drop-down menu, choose a VLAN number.
STEP 3 Click Add Row.
STEP 4 Enter the following information:
3
Configuring Static DHCP
You can configure the CVR100W to assign a specific IP address to a device with a
specific MAC address.
To configure static DHCP:
DescriptionEnter a description of the client.
IP AddressEnter the IP address of the device.
The assigned IP address should be outside the pool of
the DHCP addresses configured. The DHCP pool is
treated as a generic pool and all reserved IPs should
be outside this pool.
Static DHCP assignment means that the DHCP server
assigns the same IP to the defined MAC address every
time the device is connected to the network.
The DHCP server serves the reserved IP address
when the device using the corresponding MAC
address requests an IP address.
MAC AddressEnter the MAC address of the device.
The format for the MAC address is
XX:XX:XX:XX:XX:XX where X is a number from 0 to 9
(inclusive) or an alphabetical letter between A and F
(inclusive).
STEP 5 To edit the settings of a static DHCP client, select the client and click Edit. To
delete a selected DHCP client, click Delete. Click Save to apply your changes.
The CVR100W supports demilitarized zones (DMZ). A DMZ is a subnetwork that is
open to the public but behind the firewall. A DMZ allows you to redirect packets
going to your WAN port IP address to a particular IP address in your LAN.
We recommended that you place hosts that must be exposed to the WAN (such as
web or e-mail servers) in the DMZ network. You can configure firewall rules to
allow access to specific services and ports in the DMZ from both the LAN or WAN.
In the event of an attack on any of the DMZ nodes, the LAN is not necessarily
vulnerable.
You must configure a fixed (static) IP address for the endpoint that you designate
as the DMZ host. You should assign the DMZ host an IP address in the same
subnet as the CVR100W’s LAN IP address, but it cannot be identical to the IP
address given to the LAN interface of this gateway.
To configure DMZ:
STEP 1 Choose Networking > LAN > DMZ Host.
STEP 2 Check Enable to enable DMZ on the network.
STEP 3 From the VLAN drop-down menu, choose the VLAN where DMZ is enabled.
STEP 4 In the Host IP Address field, enter the IP address of the DMZ host.
STEP 5 Click Save.
Configuring Routing
Configuring Operating Mode
To configure the CVR100W’s operating mode:
STEP 1 Choose Networking > Routing.
STEP 2 In the Operating Mode field, select one of the following options:
Gateway(Recommended) Click this radio button to set the
CVR100W to act as a gateway.
Keep this default setting if the CVR100W is hosting
your network’s connection to the Internet.
RouterClick this radio button to set the CVR100W to act as a
router.
Select this option if the CVR100W is on a network with
other routers.
Enabling the Router mode disables NAT (Network
Address Translation) on the CVR100W.
Configuring Dynamic Routing
Routing Information Protocol (RIP) is an Interior Gateway Protocol (IGP) that is
commonly used in internal networks. It allows the router to exchange its routing
information automatically with other routers, and allows it to dynamically adjust its
routing tables and adapt to changes in the network.
Dynamic Routing enables the CVR100W to automatically adjust to physical
changes in the network’s layout and exchange routing tables with the other
routers.
The router determines the network packets’ route based on the fewest number of
hops between the source and the destination.
NOTE RIP is disabled by default on the CVR100W.
To configure dynamic routing:
STEP 1 Choose Networking > Routing.
STEP 2 In the Dynamic Routing area, configure the following settings:
RIPCheck Enable to enable RIP. This allows the CVR100W
You can configure static routes to direct packets to the destination network. A
static route is a pre-determined pathway that a packet must travel to reach a
specific host or network.
Select the RIP Send Packet Version (RIPv1 or RIPv2).
The version of RIP used to send routing updates to
other routers on the network depends on the
configuration settings of the other routers.
It is best to check with your network administrator to
see which version of RIP is supported on your
network.
RIPv2 is backward compatible with RIPv1.
Choose the RIP Receive Packet Version.
Some ISPs require static routes to build your routing table instead of using
dynamic routing protocols. Static routes do not require CPU resources to
exchange routing information with a peer router.
You can also use static routes to reach peer routers that do not support dynamic
routing protocols. Static routes can be used together with dynamic routes.
CAUTION Be careful not to introduce routing loops in your network.
To configure static routing:
STEP 1 Choose Networking > Routing.
STEP 2 In the Static Routing area, choose a route entry from the Route Entries drop-
down menu.
To delete the route entry, click Delete This Entry.
STEP 3 Configure the following settings for the selected route entry:
The routing table displays the following information:
Destination LAN IP(IPv4) IP address of the destination LAN.
Subnet Mask(IPv4) Subnet mask of the destination network.
Gateway(IPv4) IP address of the gateway used for this route.
Interface(IPv4) Physical network interface through which this
route is accessible.
Destination(IPv6) IP address of the destination LAN.
Next Hop(IPv6) IP address of the gateway/router through which
the destination host/network can be reached.
Interface(IPv6) Physical network interface through which this
route is accessible.
Configuring Dynamic DNS
Dynamic DNS (DDNS) is an Internet service that allows routers with varying public
IP addresses to be located using Internet domain names. To use DDNS, you must
set up an account with a DDNS provider, such as oray.org or 3322.org.
The router notifies dynamic DNS servers of changes in the WAN IP address so that
any public services on your network can be accessed by using the domain name.
To configure DDNS:
STEP 1 Choose Networking > Dynamic DNS.
STEP 2 From the DDNS Service drop-down menu, choose Disable to disable this service
or choose the DDNS service to use.
STEP 3 If you do not have a DDNS account, click the URL of the service to visit the
selected DDNS service's website so that you can create an account.
STEP 5 To test the DDNS configuration, click Test Configuration.
3
PasswordEnter the password of the DDNS account.
Host Name(3322.org) Enter the host name of the DDNS server.
Internet IP Address(3322.org) Internet IP address of the CVR100W.
Status(3322.org) Displays the status if the DDNS update has
completed successfully or if the account update
information sent to the DDNS server failed.
Domain Name(oray.org) Displays the domain name of the account.
User Level(oray.org) Displays the user level of the account.
Status(oray.org) Displays the status if the DDNS update has
completed successfully or if the account update
information sent to the DDNS server failed.
STEP 6 Click Save.
Configuring IP Mode
Wide area network configuration properties are configurable for both IPv4 and
IPv6 networks. You can enter information about your Internet connection type and
other parameters.
To select an IP mode:
STEP 1 Choose Networking > IP Mode.
STEP 2 From the IP Mode drop-down menu, choose one of the following options:
LAN:IPv4, WAN:IPv4Choose this option to use IPv4 in the LAN and WAN
ports.
LAN:IPv6, WAN:IPv4Choose this option to use IPv6 in the LAN ports and
IPv4 in the WAN ports.
LAN:IPv6, WAN:IPv6Choose this option to use IPv6 in the LAN and WAN
STEP 3 (Optional) If you are using 6to4 tunneling, which allows IPv6 packets to be
transmitted over an IPv4 network, do the following:
The 6to4 tunneling feature is typically used when a site or end user wants to
connect to the IPv6 Internet using the existing IPv4 network.
STEP 4 Click Save.
Configuring IPv6
Choose this option to use IPv4 and IPv6 in the LAN
ports and IPv4 in the WAN ports.
Choose this option to use IPv4 and IPv6 in the LAN and
WAN por ts .
•Click Show Static 6to4 DNS Entry.
•In the Domain and IP fields, enter up to 5 domain-to-IP mappings.
Configuring IPv6 WAN Settings
Configuring WAN properties for an IPv6 network depends on the type of internet
connection that you have. You can configure the CVR100W to be a DHCPv6 client
of the ISP for this WAN or to use a static IPv6 address provided by the ISP.
Setting the IP Mode
To configure IPv6 WAN settings on your CVR100W, you must first set the IP mode
to LAN:IPv6, WAN:IPv6 or LAN:IPv4+IPv6, WAN:IPv4+IPv6.
STEP 2 In the WAN Connection Type field, click the Static IPv6 radio button.
STEP 3 In the Static IP Address area, enter the following information:
IPv6 AddressEnter the IPv6 address of the WAN port.
IPv6 Prefix LengthEnter the IPv6 prefix length defined by the ISP.
The IPv6 network (subnet) is identified by the initial
bits of the address which are called the prefix.
For example, in the 2001:0DB8:AC10:FE01::
IP address, 2001 is the prefix.
All hosts in the network have identical initial bits for
their IPv6 address; you set the number of common
initial bits in the network’s addresses in this field.
Enter the IPv6 address of the default gateway. This is
the IP address of the server at the ISP that this router
connects to for accessing the Internet.
Configuring Network
Configuring IPv6
STEP 4 Click Save.
3
Static DNS 1Enter the IP address of the primary DNS server on the
ISP’s IPv6 network.
Static DNS 2Enter the IP address of the secondary DNS server on
the ISP’s IPv6 network.
Configuring IPv6 LAN Settings
In the IPv6 mode, the LAN DHCP server is enabled by default (similar to the IPv4
mode). The DHCPv6 server assigns IPv6 addresses from configured address
pools that use the IPv6 prefix length assigned to the LAN.
Setting the IP Mode
To configure IPv6 LAN settings on your CVR100W, you must first set the IP mode
to one of the following modes:
The IPv6 network (subnet) is identified by the initial
bits of the address called the prefix. By default, the
prefix is 64 bits long.
All hosts in the network have the identical initial bits for
their IPv6 address; you set the number of common
initial bits in the network’s addresses in this field.
STEP 2 In the Server Settings (DHCPv6) area, enter the following information to
configure the DHCPv6 settings:
DHCP StatusCheck to enable the DHCPv6 server.
If enabled, the CVR100W assigns an IP address within
the specified range plus additional specified
information to any LAN endpoint that requests DHCPserved addresses.
Domain NameEnter the domain name of the DHCPv6 server.
Server PreferenceEnter the server preference level of this DHCP server.
DHCP advertise messages with the highest server
preference value to a LAN host are preferred over
other DHCP server advertise messages.
The default is 255.
Static DNS 1Enter the IPv6 address of the primary DNS server on
the ISP’s IPv6 network.
Static DNS 2Enter the IPv6 address of the secondary DNS server
Enter the duration for which IPv6 addresses are leased
to endpoints on the LAN.
Configuring IPv6 Address Pools
You can define the IPv6 delegation prefix for a range of IPv6 addresses to be
served by the CVR100W’s DHCPv6 server. Using a delegation prefix, you can
automate the process of informing other networking equipment on the LAN of
DHCP information specific for the assigned prefix.
You can configure static routes to direct packets to the destination network. A
static route is a predetermined pathway that a packet must travel to reach a
specific host or network.
Some ISPs require static routes to build your routing table instead of using
dynamic routing protocols. Static routes do not require CPU resources to
exchange routing information with a peer router.
You can also use static routes to reach peer routers that do not support dynamic
routing protocols. Static routes can be used together with dynamic routes. Be
careful not to introduce routing loops in your network.
To create an IPv6 static route:
STEP 2 In the IPv6 Static Routing table, click Add Row.
STEP 3 Enter the following information:
NameEnter the route’s name.
DestinationEnter the IPv6 address of the destination host or net-
work for this route.
Prefix LengthEnter the number of prefix bits in the IPv6 address that
define the destination subnet.
GatewayEnter the IPv6 address of the gateway through which
the destination host or network can be reached.
InterfaceChoose the interface for the route from the
drop-down menu: LAN, WAN, or 6to4.
MetricEnter the priority of the route by choosing a value
between 2 and 15. If multiple routes to the same destination exist, the route with the lowest metric is used.
STEP 5 To edit the settings of a route, select the route and click Edit. To delete a selected
3
ActiveCheck to make the route active.
When you add a route in an inactive state, it gets listed
in the routing table, but is not used by the CVR100W.
You can always activate the route later.
This feature is useful if the network that the route connects to is not available when you added the route.
When the network becomes available, you can enable
the route.
route, click Delete. Click Save to apply your changes.
Configuring Routing (RIPng)
RIP Next Generation (RIPng) is a routing protocol based on the distance vector
(D-V) algorithm. RIPng uses UDP packets to exchange routing information through
port 521.
RIPng uses a hop count to measure the distance to a destination. The hop count is
referred to as metric, or cost. The hop count from a router to a directly-connected
network is 0. The hop count between two directly-connected routers is 1. When
the hop count is greater than or equal to 16, the destination network or host is
unreachable.
By default, the routing update is sent every 30 seconds. If the router receives no
routing updates from a neighbor after 180 seconds, the routes learned from the
neighbor are considered as unreachable. After another 240 seconds, if no routing
update is received, the router removes these routes from the routing table.
IPv6-to-IPv4 tunneling (6-to-4 tunneling) allows IPv6 packets to be transmitted
over an IPv4 network. 6to4 tunneling is typically used when a site or end user
wants to connect to the IPv6 Internet using the existing IPv4 network.
This page displays information about the automatic tunnel set up through the
dedicated WAN interface. The table shows the name of tunnel and the IPv6
address that is created on the device.
STEP 2 Click Refresh to refresh the data on this page.
Configuring Router Advertisement
The Router Advertisement Daemon (RADVD) on the CVR100W listens for router
solicitations in the IPv6 LAN and responds with router advertisements as required.
This is stateless IPv6 auto configuration, and the CVR100W distributes IPv6
prefixes to all nodes on the network.
RADVD StatusCheck Enable to enable RADVD, or check Disable to
disable RADVD.
Advertise ModeSelect one of the following modes:
•Unsolicited Multicast: Select this mode to
send Router Advertisements (RAs) to all
interfaces belonging to the multicast group.
•Unicast Only: Select this mode to restrict
advertisements to well-known IPv6 addresses
only (RAs are sent to the interface belonging to
the known address only).
Advertise IntervalIf you choose Unsolicited Multicast as the advertise
mode, enter the advertise interval (4 to 1800). The
default is 30. The advertise interval is a random value
between the Minimum Router Advertisement Interval
(MinRtrAdvInterval) and Maximum Router
Advertisement Interval (MaxRtrAdvInterval).
MinRtrAdvInterval = 0.33 * MaxRtrAdvInterval
RA FlagsCheck Managed to use the administered/stateful
protocol for address auto configuration.
Check Other to use the administered/stateful protocol
of other, non-address information auto configuration.
Router PreferenceChoose low, medium, or high from the drop-down
menu. The default is medium.
The router preference provides a preference metric for
default routers. The low, medium and high values are
signaled in unused bits in RA messages. This
extension is backward compatible, both for routers
(setting the router preference value) and hosts
(interpreting the router preference value). These values
are ignored by hosts that do not implement router
preference. This feature is useful if there are other
RADVD-enabled devices on the LAN.
MTUEnter the MTU size (0 or 1280 to 1500). The default is
1500 bytes.
The MTU is the size of the largest packet that can be
sent over the network. The MTU is used in RAs to
ensure all nodes on the network use the same MTU
value when the LAN MTU is not well-known.
Router Life TimeEnter the router lifetime value, or the time in seconds
that the advertisement messages exists on the route.
The default is 3600 seconds.
IPv6 PrefixIf you choose Global/Local as the IPv6 prefix type,
enter the IPv6 prefix. The IPv6 prefix specifies the IPv6
network address.
IPv6 Prefix LengthIf you choose Global/Local as the IPv6 prefix type,
enter the prefix length. The prefix length variable is a
decimal value that indicates the number of contiguous,
higher-order bits of the address that make up the network portion of the address.
Prefix LifetimeEnter the prefix lifetime, or the length of time over
which the requesting router is allowed to use the prefix.
To protect your network, change the default wireless network name to a
unique name to distinguish your wireless network from other wireless
networks that may exist around you.
When choosing names, do not use personal information (such as your
Social Security number) because this information may be available for
anyone to see when browsing for wireless networks.
For wireless products such as access points, routers, and gateways, you
are asked for a password when you want to change their settings. These
devices have a default password. The default password is often cisco.
Hackers know these default values and may try to use them to access your
wireless device and change your network settings. To thwart unauthorized
access, customize the device’s password so it is hard to guess.
•Enable MAC address filtering.
Cisco routers and gateways give you the ability to enable MAC address
filtering. The MAC address is a unique series of numbers and letters
assigned to every networking device.
With MAC address filtering enabled, wireless network access is provided
solely for wireless devices with specific MAC addresses. For example, you
can specify the MAC address of each computer in your network so that
only those computers can access your wireless network.
•Enable encryption.
Encryption protects data transmitted over a wireless network. Wi-Fi
Protected Access (WPA/WPA2) and Wired Equivalency Privacy (WEP) offer
different levels of security for wireless communication. Currently, devices
that are Wi-Fi certified are required to support WPA2, but are not required
to support WEP.
A network encrypted with WPA/WPA2 is more secure than a network
encrypted with WEP, because WPA/WPA2 uses dynamic key encryption.
To protect the information as it passes over the airwaves, enable the highest
level of encryption supported by your network equipment.
WEP is an older encryption standard and may be the only option available
on some older devices that do not support WPA.
•Keep wireless routers, access points, or gateways away from exterior walls
B/G-MixedChoose this option if you have Wireless-B and Wireless-G
G/N-MixedChoose this option if you have Wireless-G and Wireless-N
STEP 5 In the Wireless Band Selection field, choose either 20MHz or 20/40MHz as the
wireless bandwidth on your network.
STEP 6 In the Wireless Channel field, choose the wireless channel from the drop-down
menu or choose Auto to let the system determine the optimal channel to use
based on the environmental noise levels for the available channels.
STEP 7 In the AP Management VLAN field, choose VLAN 1 if you are using the default
settings.
If you create additional VLANs, choose a value that corresponds with the VLAN
configured on other switches in the network. This is done for security purposes.
You might need to change the management VLAN to limit access to the
CVR100W’s Configuration Utility.
4
devices in your network.
devices in your network.
STEP 8 (Optional) In the U-APSD (WMM Power Save) field, check Enable to enable the
Unscheduled Automatic Power Save Delivery (U-APSD) feature, also referred to as
WMM Power Save, that allows the radio to conserve power.
U-APSD is a power saving scheme optimized for real-time applications, such as
VoIP, transferring full-duplex data over WLAN. By classifying outgoing IP traffic as
Voice data, these types of applications can increase battery life by approximately
25 percent and minimize transmit delays.
STEP 9 Click Save.
Configuring Wireless Network Settings
The Wireless Table in the Basic Settings page lists the settings of the four
wireless networks supported on the CVR100W.
To configure the settings for a wireless network:
STEP 1 Check the box for the network that you want to configure, and click the Edit button.
For security purposes, we strongly recommend that you configure each SSID with
the highest level of security that is supported by the devices into your wireless
network. You can configure one of the following security modes for the wireless
network:
The WEP security mode offers weak security with a basic encryption method that
is not as secure as WPA. WEP may be required if your network devices do not
support WPA. If you do not have to use WEP, we recommend that you use WPA2.
The WPA-Personal, WPA2-Personal, and the WPA2-Personal Mixed security
modes offer strong security to replace WEP.
•WPA-Personal: WPA is part of the wireless security standard (802.11i)
4
standardized by the Wi-Fi Alliance and was intended as an intermediate
measure to take the place of WEP while the 802.11i standard was being
prepared. WPA-Personal supports Temporal Key Integrity Protocol (TKIP)
and Advanced Encryption Standard (AES) encryption.
•WPA2-Personal: (Recommended) WPA2 is the implementation of the
security standard specified in the final 802.11i standard. WPA2 supports
AES encryption and this option uses Pre-shared Key (PSK) for
authentication.
•WPA2-Personal Mixed: Allows both WPA and WPA2 clients to connect
simultaneously using PSK authentication. The personal authentication is the
PSK that is an alphanumeric passphrase shared with the wireless peer.
The WPA-Enterprise, WPA2-Enterprise, and the WPA2-Enterprise Mixed
security modes allow you to use RADIUS server authentication.
•WPA-Enterprise: Allows you to use WPA with RADIUS server
authentication.
•WPA2-Enterprise: Allows you to use WPA2 with RADIUS server
authentication.
•WPA2-Enterprise Mixed: Allows both WPA and WPA2 clients to connect
simultaneously using RADIUS authentication.
To configure the security settings for a SSID:
STEP 1 In the Wireless Table (Wireless > Basic Settings), check the SSID that you want
STEP 3 From the Security Mode menu, choose a security mode and specify the
corresponding settings. The following table lists the security settings for different
security modes.
Disabled
If you choose this option, any wireless device that is in range can connect to the
SSID. This is the default setting but not recommended.
This mode means that any data transferred to and from the SSID is not
encrypted. This security mode can be useful during initial network configuration
or for problem solving, but it is not recommended for regular use on the internal
network because it is not secure.
WEP
4
Authentication TypeChoose Open System or Shared Key if your network
administrator recommends this setting. If you are
unsure, select the default option (Open System).
In both cases, the wireless client must provide the
correct shared key (password) to access the wireless
network.
EncryptionChoose the encryption type:
•10/64-bit (10 hex digits): Provides a 40-bit key.
•26/128-bit (26 hex digits): Provides a 104-bit
key, which offers stronger encryption, making
the key more difficult to crack. We recommend
128-bit encryption.
Passphrase(Optional) Enter an alphanumeric phrase (longer than
eight characters for optimal security) and click
Generate to generate four unique WEP keys in the
Key1-4 fields below.
If you want to provide your own key, enter it directly in
the Key 1 field (recommended). The length of the key
should be 5 ASCII characters (or 10 hexadecimal
characters) for 64-bit WEP and 13 ASCII characters (or
26 hexadecimal characters) for 128-bit WEP. Valid
hexadecimal characters are 0 to 9 and A to F.
Key RenewalEnter the duration of time (600 to 7200 seconds)
STEP 4 Click Save.
STEP 5 Click Back to go back to the Basic Settings page.
Configuring MAC Address Filtering
You can use MAC address filtering to permit or deny access to the wireless
network based on the MAC (hardware) address of the requesting device. For
example, you can enter the MAC addresses of a set of computers and only allow
those computers to access the network. You can configure MAC address filtering
for each network or SSID.
4
between key renewals. The default value is 3600.
To configure MAC address filtering:
STEP 1 In the Wireless Table (Wireless > Basic Settings), check the SSID that you want
to configure.
STEP 2 Click Edit MAC Filtering. The Wireless MAC Filtering page opens.
STEP 3 In the Wireless MAC Filtering field, check Enable to enable MAC address filtering
for this SSID.
STEP 4 In the Connection Control field, choose the type of access to the wireless
network:
•Prevent: Select this option to prevent devices with the MAC addresses
listed in the MAC Address Table from accessing the wireless network. This
option is selected by default.
•Permit: Select this option to allow devices with the MAC addresses listed in
the MAC Address Table to access the wireless network.
STEP 5 To show computers and other devices on the wireless network, click Show Client
List.
STEP 6 If you want to add a device in the client list to the MAC Address Table, check the
box in the Save to MAC Address Filter List column and click Add to MAC to add
the selected device to the MAC Address Table.
STEP 8 Click Back to go back to the Basic Settings page.
Configuring Time of Day Access
To further protect your network, you can restrict access to it by specifying when
users can access the network.
To configure Time of Day Access:
STEP 1 In the Wireless Table (Wireless > Basic Settings), check the SSID that you want
to configure.
STEP 2 Click Time of Day Access. The Time of Day Access page opens.
STEP 3 In the Active Time field, check Enable to enable Time of Day Access.
4
STEP 4 In the Start Time and Stop Time fields, specify the time of day period when
access to the network is allowed.
STEP 5 Click Save.
STEP 6 Click Back to go back to the Basic Settings page.
Configuring Guest Net
The SSID4 (default name: cisco-guest) is used for guest access. The guests can
access the Internet through this SSID and the internal network security would not
be affected.
To configure the Guest Net settings:
STEP 1 In the Wireless Table (Wireless > Basic Settings), check SSID 4.
STEP 2 Click Edit Guest Net. The Guest Net Settings page appears.
STEP 3 In the Guest Password field, enter an alphanumeric phrase (8 to 63 ASCII
characters or 64 hexadecimal digits).
STEP 4 Check Hide Password to show the password in ciphertext.
STEP 5 In the Lease Time field, set the guest least time. (Range: 1 to 9999 minutes,
STEP 6 In the Total Guest Allowed field, set the maximum number of the guest
connections allowed.
STEP 7 Click Save.
STEP 8 Click Back to go back to the Basic Settings page.
Configuring Cisco Simple Connect
Cisco Simple Connect (CSC) provides a safe and convenient way for CSCenabled devices to connect with a Wi-Fi access point by simply touching the RFiD
or scanning the QR code of the CSC card. Cisco Simple Connect makes
accessing wireless access points simple and allows you to expand more business
applications. See Using Cisco Simple Connect for more information.
4
By default, Cisco Simple Connect (CSC) is disabled on the CVR100W. You can set
one of the SSIDs (SSID1, SSID2, or SSID3) of the CVR100W as the CSC wireless
access point. The wireless clients that are associated with the CSC wireless
access point can only access the Internet through the CVR100W.
When configuring Cisco Simple Connect, note the following:
•Only SSID1, SSID2, or SSID3 can be set as the CSC wireless access point.
•Enabling Cisco Simple Connect on a SSID does not affect the normal
operation of other SSIDs.
•SSID1 must be set as the CSC wireless access point when WDS is enabled
on the CVR100W.
•The VLAN to which the CSC wireless access point is mapped cannot be
the same as the VLANs of other SSIDs. You must assign a different VLAN to
the CSC wireless access point.
•When enabling Cisco Simple Connect on a SSID, the CVR100W
automatically saves the current settings of the SSID before the CSC
settings are applied on the SSID, and restores the saved settings after CSC
is disabled on the SSID.
•By default, the CSC wireless access point is automatically named as Cisco-
Simple-Connect when enabling Cisco Simple Connect for the first time. The
wireless security mode, SSID broadcast, and SSID Isolation are disabled on
the CSC wireless access point. For security purposes, we strongly
recommend that you configure the CSC wireless access point with the
STEP 2 In the Wireless Table, check the SSID that you want to configure and click Edit.
STEP 3 Check the Enable SSID box to enable this SSID.
STEP 4 Check the CSC box to enable Cisco Simple Connect on this SSID.
STEP 5 Select a VLAN from the VLAN drop-down menu to which all traffic from the CSC
wireless network is mapped. The VLAN that is associated with the CSC wireless
network cannot be the same as the VLANs of other SSIDs.
4
highest level of security that is supported by the devices into your wireless
network.
STEP 6 (Optional) Configure the following settings for the CSC wireless access point:
•SSID Name: Enter a unique name for the CSC wireless access point. By
default, the name of the CSC wireless access point is set to Cisco-SimpleConnect after you enable Cisco Simple Connect for the first time.
Generally, you can enter the SSID name that is provided on your CSC Simple
card in this field. If you want to customize the name of the CSC wireless
access point, enter a new SSID name in this field.
NOTE When you customize a new name of the CSC wireless access
point, you are asked to regenerate and print the QR code of the CSC card.
See Customizing Your QR Code for more information.
•Security Mode: By default, the security mode of the CSC wireless access
point is disabled. You can modify its security settings by clicking Edit Security Mode. For security purposes, we strongly recommend that you
configure the CSC wireless access point with the highest level of security
that is supported by the devices into your wireless network.
Generally, you can choose WPA or WPA2 as the security mode and enter the
security key that is provided on your CSC card. If you want to customize the
security key of the CSC wireless access point, enter a new security key. See
Configuring Wireless Security for more information.
NOTE When you customize a new security key of the CSC wireless
access point, you are asked to regenerate and print the QR code of the
CSC card. See Customizing Your QR Code for more information.
•MAC Filter: By default, MAC address filtering is disabled on the CSC
•Time of Day Access: By default, Time of Day Access is disabled on the CSC
•SSID Broadcast, WMM, and SSID Isolation: By default, these features are
STEP 7 Click Save.
STEP 8 Click Edit CSC to limit the time to access the Internet for all associated CSC
wireless clients.
4
wireless access point. You can enable this feature and configure the
corresponding settings by clicking Edit MAC Filter. See Configuring MAC
Address Filtering for more information.
wireless access point. You can enable this feature and configure the
corresponding settings by clicking Time of Day Access. See Configuring
Time of Day Access for more information.
enabled on the CSC wireless access point. See Configuring Wireless
Network Settings for more information.
STEP 9 Enter the following information:
SSID NameDisplays the current name of the CSC wireless access
point. By default, it is named as Cisco-Simple-Connect
after Cisco Simple Connect is enabled for the first time.
Security ModeDisplays the current security mode used on the CSC
wireless access point. By default, the security mode is
disabled on the CSC wireless access point.
Security KeyDisplays the current security key of the CSC wireless
access point.
Show PasswordCheck the box to display the password in plaintext.
Access Network
Time
STEP 10 Click Save.
See Connecting to CSC Wireless Network for more information about how to
connect to the CSC wireless network and get the authority to access the Internet.
Enter a value from 0 to 1440 seconds. The default
value is 0, which means that there is no limit.
Frame BurstCheck Enable to enable this feature to provide your
wireless networks with greater performance,
depending on the manufacturer of your wireless
products. If you are not sure how to use this option,
keep the default (enabled).
WMM No
Acknowledgement
Check Enable to enable this feature. Enabling WMM No
Acknowledgement can result in more efficient
throughput, but higher error rates in a noisy Radio
Frequency (RF) environment. Default setting is
disabled.
Basic RateThe Basic Rate setting is not the rate of transmission
4
but a series of rates at which the Services Ready
Platform can transmit.
The CVR100W advertises its basic rate to the other
wireless devices in your network, so they know which
rates will be used.
The Services Ready Platform will also advertise that it
will automatically select the best rate for transmission.
The default setting is Default, when the CVR100W can
transmit at all standard wireless rates (1-2 Mbps, 5.5
Mbps, 11 Mbps, 18 Mbps, 24 Mbps, and so on). In
addition to B and G speeds, the CVR100W supports
N speeds.
Other options are 1-2 Mbps, for use with older wireless
technology, and All, when the CVR100W can transmit
at all wireless rates.
The Basic Rate is not the actual rate of data
transmission. If you want to specify the CVR100W’s
rate of data transmission, configure the Transmission
Rate setting.
Transmission RateThe rate of data transmission should be set depending
on the speed of your wireless network.
You can select from a range of transmission speeds, or
you can select Auto to have the CVR100W
automatically use the fastest possible data rate and
enable the Auto-Fallback feature.
Auto-Fallback will negotiate the best possible
connection speed between the CVR100W and a
wireless client. The default is Auto.
N Transmission RateThe rate of data transmission should be set depending
CTS Protection ModeThe CVR100W will automatically use CTS (Clear-To-
4
on the speed of your Wireless-N networking.
You can select from a range of transmission speeds, or
you can select Auto to have the CVR100W
automatically use the fastest possible data rate and
enable the Auto-Fallback feature.
Auto-Fallback will negotiate the best possible
connection speed between the CVR100W and a
wireless client. The default is Auto.
Send) Protection Mode when your Wireless-N and
Wireless-G devices are experiencing severe problems
and are not able to transmit to the CVR100W in an
environment with heavy 802.11b traffic.
This function boosts the CVR100W’s ability to catch all
Wireless-N and Wireless-G transmissions but will
severely decrease performance. The default is Auto.
Beacon IntervalThe Beacon Interval value indicates the frequency
interval of the beacon. A beacon is a packet broadcast
by the CVR100W to synchronize the wireless network.
Enter a value between 40 and 3500 milliseconds. The
default value is 100.
DTIM IntervalThis value, between 1 and 255, indicates the interval of
the Delivery Traffic Indication Message (DTIM). A DTIM
field is a countdown field informing clients of the next
window for listening to broadcast and multicast
messages.
When the CVR100W has buffered broadcast or
multicast messages for associated clients, it sends the
next DTIM with a DTIM Interval value. Its clients hear
the beacons and awaken to receive the broadcast and
multicast messages. The default value is 1.
RTS ThresholdIf you encounter inconsistent data flow, enter only
This value specifies the maximum size for a packet
before data is fragmented into multiple packets. If you
experience a high packet error rate, you may slightly
increase the Fragmentation Threshold.
Setting the Fragmentation Threshold too low may
result in poor network performance. Only minor
reduction of the default value is recommended. In most
cases, it should remain at its default value of 2346.
minor reductions. The default value of 2347 is
recommended.
If a network packet is smaller than the preset Request
to Send (RTS) threshold size, the RTS/Clear to Send
(CTS) mechanism will not be enabled. The Services
Ready Platform sends RTS frames to a particular
receiving station and negotiates the sending of a data
frame.
After receiving an RTS, the wireless station responds
with a CTS frame to acknowledge the right to begin
transmission.
STEP 3 Click Save.
Configuring WDS
A Wireless Distribution System (WDS) is a system that enables the wireless
interconnection of access points in a network. It allows a wireless network to be
expanded using multiple access points without the need for a wired backbone to
link them.
To establish a WDS link, the CVR100W and other remote WDS peers must be
configured in the same wireless network mode, wireless channel, wireless band
selection, and encryption types (None and WEP).
•If the client device has a WPS PIN number, enter the PIN number and click
•If the client device requires a PIN number from the router, use the number
After you configure WPS, the following information appears at the bottom of the
WPS page: Wi-Fi Protected Setup Status, Network Name (SSID), and Security.
The status of the WPS light on the front panel provides information about the WPS
operation.
4
Register. After configuration is completed, click OK.
Refer to your client device or its documentation for further instructions.
listed in item 3 on the WPS page.
WPS Successfully
Started
WPS During StartupWPS light flashes (0.5 Hz) for 30 seconds.
WPS Errors
Occurred
WPS Session
Overlap
WPS Enabled or
Disabled
WPS light turns on for 120 seconds.
WPS light flashes (1 Hz) for 30 seconds.
WPS light flashes (0.1 Hz) in one second and turns off
next second for 120 seconds.
This chapter describes how to configure the firewall settings. It includes the
following sections:
•CVR100W Firewall Features
•Configuring Basic Firewall Settings
•Managing Firewall Schedules
•Configuring Service Management
•Configuring Access Control
•Configuring Single Port Forwarding
5
•Configuring Port Range Forwarding
•Configuring Port Range Triggering
CVR100W Firewall Features
Access Rules
You can secure your network by creating and applying rules that the CVR100W
uses to selectively block and allow inbound and outbound Internet traffic. You then
specify how and to what devices the rules apply. To do so, you must define the
following:
•Services or traffic types (examples: web browsing, VoIP, other standard
services and also custom services that you define) that the CVR100W
should allow or block.
•Direction for the traffic by specifying the source and destination of traffic.
•Schedules as to when the CVR100W should apply rules.
•Keywords (in a domain name or on a URL of a webpage) that the CVR100W
should allow or block.
•MAC addresses of devices whose inbound access to your network that the
CVR100W should block.
•Port triggers that signal the CVR100W to allow or block access to specified
services as defined by port number.
You can, for example, establish restricted-access policies based on time-of-day,
web addresses, and web address keywords. You can block Internet access by
applications and services on the LAN, such as chat rooms or games. You can block
just certain groups of PCs on your network from being accessed by the WAN.
Inbound (WAN to LAN) rules restrict access to traffic entering your network,
selectively allowing only specific outside users to access specific local resources.
By default, all access from the insecure WAN side is blocked from accessing the
secure LAN, except in response to requests from the LAN. To allow outside
devices to access services on the secure LAN, you must create a firewall rule for
each service.
If you want to allow incoming traffic, you must make the CVR100W's WAN port IP
address known to the public. This is called “exposing your host.” How you make
your address known depends on how the WAN ports are configured; for the
CVR100W, you may use the IP address if a static address is assigned to the WAN
port, or if your WAN address is dynamic, a DDNS (Dynamic DNS) name can be
used.
Outbound (LAN to WAN) rules restrict access to traffic leaving your network,
selectively allowing only specific local users to access specific outside resources.
The default outbound rule is to allow access from the secure zone (LAN) to
insecure WAN. To block hosts on the secure LAN from accessing services on the
outside (insecure WAN), you must create a firewall rule for each service.
Port forwarding is used to redirect traffic from the Internet from one port on the
WAN to another port on the LAN. Common services are available or you can define
a custom service and associated ports to forward.
CAUTION Port forwarding is not appropriate for servers on the LAN, since there is a
dependency on the LAN device making an outgoing connection before incoming
ports are opened.
Some applications require that, when external devices connect to them, they
receive data on a specific port or range of ports in order to function properly. The
CVR100W must send all incoming data for that application only on the required
port or range of ports.
5
The CVR100W has a list of common applications and games with corresponding
outbound and inbound ports to open. You can also specify a port forwarding rule
by defining the type of traffic (TCP or UDP) and the range of incoming and
outgoing ports to open when enabled.
Configuring Basic Firewall Settings
To configure basic firewall settings:
STEP 1 Choose Firewall > Basic Settings.
STEP 2 Configure the following firewall settings:
DoS ProtectionCheck Enable to enable Denial of Service (DoS)
protection.
Block WAN RequestCheck Enable to block ping requests to the CVR100W
Check Enable to enable multicast passthrough for
IPv4.
Check Enable to enable IGMP proxy immediate leave.
Configuring Firewall
Configuring Basic Firewall Settings
5
IPv4 Multicast
Snooping
UPnPCheck Enable to enable Universal Plug and Play
Allow Users to
Configure
Allow Users to
Disable Internet
Access
Block JavaCheck to block Java applets.
Check Enable to enable IGMP Snooping.
(UPnP).
(UPnP) Check to allow UPnP port-mapping rules to be
set by users who have UPnP support enabled on their
computers or other UPnP enabled devices. If disabled,
the CVR100W does not allow application to add the
forwarding rule.
(UPnP) Check to allow users to disable Internet
access.
Java applets are small programs embedded in web
pages that enable dynamic functionality of the page. A
malicious applet can be used to compromise or infect
computers.
Enabling this setting blocks Java applets from being
downloaded. Click Auto to automatically block Java, or
click Manual Port and enter a specific port on which
to block Java.
Block CookiesCheck to block cookies.
Cookies are used to store session information by
websites that usually require login. However, several
websites use cookies to store tracking information and
browsing habits.
Enabling this option filters out cookies from being
created by a website. Click Auto to automatically
block cookies, or click Manual Port and enter a
specific port on which to block cookies.
NOTE Many websites require that cookies be accepted in
order for the site to be accessed properly. Blocking cookies
can cause many websites to not function properly.
Block ActiveXCheck to block ActiveX content. Similar to Java
applets, ActiveX controls are installed on a Windows
computer while running Internet Explorer. A malicious
ActiveX control can be used to compromise or infect
computers.
Enabling this setting blocks ActiveX applets from
being downloaded. Click Auto to automatically block
ActiveX, or click Manual Port and enter a specific port
on which to block ActiveX.
Block ProxyCheck to block proxy servers. A proxy server (or
proxy) allows computers to route connections to other
computers through the proxy, thus circumventing
certain firewall rules.
For example, if connections to a specific IP address
are blocked by a firewall rule, the requests can be
routed through a proxy that is not blocked by the rule,
rendering the restriction ineffective.
STEP 3 Click Save.
Managing Firewall Schedules
You can create firewall schedules to apply firewall rules on specific days or at
specific times of the day.
To create a schedule:
STEP 1 Choose Firewall > Schedule Management.
STEP 2 Click Add Row.
Enabling this feature blocks proxy servers. Click Auto
to automatically block proxy servers, or click Manual Port and enter a specific port on which to block proxy
servers.
STEP 3 In the Schedule Name field, enter a unique name to identify the schedule.
STEP 4 Under Scheduled Days, select whether you want the schedule to apply to all days
or specific days. If you choose Specific Days, check the boxes next to the days
you want to include in the schedule.
STEP 5 Under Scheduled Time of Day, select the time of day that you want the schedule
to apply. You can choose either All Times or Specific Times. If you choose
Specific Times, enter the start and end times.
STEP 6 Click Save.
STEP 7 Click Back to go back to the Schedule Management page.
STEP 8 To edit an entry, select the entry and click Edit. Make your changes, then click
Save.
5
Configuring Service Management
When you create a firewall rule, you can specify a service that is controlled by the
rule. Common types of services are available for selection, and you can create
your own custom services.
The Service Management page allows you to create custom services against
which firewall rules can be defined. Once defined, the new service appears in the
list of Services Ta bl e .
To create a custom service:
STEP 1 Choose Firewall > Service Management.
STEP 2 Click Add Row.
STEP 3 In the Service Name field, enter the service name for identification and
management purposes.
STEP 4 In the Protocol field, choose the Layer 4 protocol that the service uses from the
STEP 5 In the Start Port field, enter the first TCP or UDP port of the range that the service
uses.
STEP 6 In the End Port field, enter the last TCP or UDP port of the range that the service
uses.
STEP 7 Click Save.
STEP 8 To edit an entry, select the entry and click Edit. Make your changes, then click
Save.
Configuring Access Control
5
Default Access Control Policy
You can configure the default access control policy for the traffic that is directed
from the secure network (LAN) to the non-secure network (dedicated WAN/
optional).
To configure the default access control policy:
STEP 1 Choose Firewall > Access Control > Default Access Control Policy.
STEP 2 Choose Allow or Deny.
STEP 3 Click Save.
Configuring Access Rules
All configured access rules on the CVR100W are displayed in the Access Rules
Ta bl e .
To create an access rule:
STEP 1 Choose Firewall > Access Control > Access Rules.
STEP 2 Click Add Row.
STEP 3 In the Connection Type field, choose the source of originating traffic:
STEP 7 In the Source IP field, select the users to which the access rule applies:
STEP 8 In the Destination IP field, select the users to which the access rule applies:
5
•Telnet SSL
•Voice (SIP)
(Optional) Click Configure Services to go to the Service Management page to
configure the services before applying access rules to them.
•Any: The rule applies to traffic originating on any host in the local network.
•Single Address: The rule applies to traffic originating on a single IP address
in the local network. Enter the address in the Start IP field.
•Address Range: The rule applies to traffic originating from an IP address
located in a range of addresses. Enter the starting IP address in the Start IP
field, and the ending IP address in the Finish field.
•Any: The rule applies to traffic originating on any host in the local network.
•Single Address: The rule applies to traffic originating on a single IP address
in the local network. Enter the address in the Start IP field.
•Address Range: The rule applies to traffic originating from an IP address
located in a range of addresses. Enter the starting IP address in the Start IP
field, and the ending IP address in the Finish field.
STEP 9 In the Log field, specify whether the packets for this rule should be logged.
To log details for all packets that match this rule, choose Always from the dropdown menu. For example, if an outbound rule for a schedule is selected as Always block, for every packet that tries to make an outbound connection for that service,
a message with the packet's source address and destination address (and other
information) is recorded in the log.
Enabling logging may generate a significant volume of log messages and is
recommended for debugging purposes only.
Choose Never to disable logging.
STEP 10 In the QoS Priority field, assign a priority to IP packets of this service.
The priorities are defined by QoS Level: (1 (lowest), 2, 3, 4 (highest)).
STEP 11 In the Rule Status field, check to enable the new access rule.
STEP 13 Click Back to go back to the Access Rules page.
STEP 1 Choose Firewall > Access Control > Internet Access Rules.
5
Configuring Internet Access Rules
The CVR100W supports several options for blocking Internet access. You can
block all Internet traffic, block Internet traffic to certain PCs or endpoints, or block
access to Internet sites by specifying keywords to block. If these keywords are
found in the site's name (for example, web site URL or newsgroup name), the site is
blocked.
To create a Internet access rule:
STEP 2 Click Add Row.
STEP 3 In the Rule Status field, check Enable to enable the Internet access rule.
STEP 4 In the Enter Policy Name filed, enter a policy name for identification and
management purposes.
STEP 5 From the Action drop-down menu, choose the type of access restriction that you
need:
•Block All: Block all Internet traffic.
•Block URL: Block Internet traffic to specified Internet sites.
•Block All by Schedule: Blocks all types of traffic according to a schedule.
•Block URL by Schedule: Blocks the specified Internet sites according to a
schedule.
STEP 6 If you choose Block All by Schedule or Block URL by Schedule, choose a
schedule from the Schedule drop-down menu.
(Optional) Click Configure Schedules to go to the Schedule Management page to
configure the services before applying the Internet access rules to them.
STEP 7 Apply the Internet access rule to specific PCs. Address filtering allows you to
In the Apply Access Policy to the Following PCs table, click Add Row.
From the Type drop-down menu, choose how to identify the PC (by MAC address,
by IP address, or by providing a range of IP addresses).
In the Value field, depending on what you chose in the previous step, enter one of
the following:
•MAC address (xx:xx:xx:xx:xx:xx) of the PC to which the Internet access rule
•The IP address of the PC to which the Internet access rule applies.
•The starting and ending IP addresses to block (for example, 192.168.1.2 to
STEP 8 In the Website Blocking table, click Add Row.
From the Type drop-down menu, choose how to block a website (by specifying
the URL or by specifying a keyword that appears in the URL).
5
applies.
192.168.1.30).
In the Value field, enter the URL or keyword used to block the website.
For example, to block the example.com URL, choose URL Address from the dropdown menu and enter example.com in the Value field. To block a URL that has the
keyword “example” in the URL, choose Keyword from the drop-down menu and
enter example in the Value field.
STEP 9 Click Save.
STEP 10 Click Back to go back to the Internet Access Rules page.
Configuring Single Port Forwarding
To add a single port forwarding rule:
STEP 1 Choose Firewall > SinglePort Forwarding. A pre-existing list of applications is
displayed.
STEP 2 In the Service Name field, enter the name of the service to configure port
forwarding for.
STEP 3 In the External Port field, enter the port number that triggers this rule when a
Port triggering allows devices on the LAN or DMZ to request one or more ports to
be forwarded to them. Port triggering waits for an outbound request from the LAN/
DMZ on one of the defined outgoing ports, and then opens an incoming port for
that specified type of traffic.
Port triggering is a form of dynamic port forwarding while an application is
transmitting data over the opened outgoing or incoming ports. Port triggering
opens an incoming port for a specific type of traffic on a defined outgoing port.
Port triggering is more flexible than static port forwarding (available when
configuring firewall rules) because a rule does not have to reference a specific
LAN IP or IP range. Ports are also not left open when not in use, thereby providing
a level of security that port forwarding does not offer.
To add a port triggering rule:
5
STEP 1 Choose Firewall > Port Range Triggering.
STEP 2 In the Service Name field, enter the name of the service to configure port
triggering for.
STEP 3 In the Triggered Range fields, enter the port number or range of port numbers that
will trigger this rule when a connection request from outgoing traffic is made. If the
outgoing connection uses only one port, enter the same port number in both
fields.
STEP 4 In the Forwarded Range fields, enter the port number or range of port numbers
used by the remote system to respond to the request it receives. If the incoming
connection uses only one port, then specify the same port number in both fields.
STEP 5 In the Enable field, check the box to enable the rule.
This chapter describes how to configure Virtual Private Networks (VPNs) that
allow remote workers to access your network resources. It includes the following
sections:
•VPN Tunnel Types
•Configuring VPN Clients
•Configuring Basic VPN Setup
•Configuring Advanced VPN Setup
•Managing Certificates
•Configuring VPN Passthrough
6
VPN Tunnel Types
A VPN provides a secure communication channel (tunnel) between two gateway
routers or a remote worker and a gateway router. You can create different types of
VPN tunnels, depending on the needs of your business.
Remote Access with Cisco QuickVPN
For quick setup with basic VPN security settings, distribute the Cisco QuickVPN
software to your users, who can then securely access your network resources.
Use this option if you want to simplify the VPN setup process. You do not have to
configure VPN policies. Remote users can connect securely with the Cisco
QuickVPN client and an Internet connection.
1. Add the users in the VPN > VPN Clients page. See Configuring VPN Clients.
2. Instruct users to obtain the free Cisco QuickVPN software from Cisco.com, and
install it on their computers. For more information, see Using Cisco QuickVPN.