Cisco Small Business Pro SA 520W, Small Business Pro SA 540, Small Business Pro SA 520 Administration Manual

Cisco Small Business Pro
SA 500 Series Security Appliances
ADMINISTRATION
GUIDE
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1002R)
© 2010 Cisco Systems, Inc. All rights reserved. OL-19114-03
Contents
Chapter 1: Getting Started 10
Feature Overview 10
Device Overview 11
Front Panel 11
Rear Panel 12
Installation 13
Installation Options 13
Hardware Installation 16
Getting Started with the Configuration Utility 17
Connecting to the Configuration Utility 17
Using the Getting Started Pages 20
Navigating Through the Configuration Utility 22
Using the Help System 23
About the Default Settings 24
Basic Tasks 25
Changing the Default User Name and Password 25
Backing Up Your Configuration 26
Upgrading the Firmware 26
Common Configuration Scenarios 27
Basic Network Configuration with Internet Access 28
Cisco Smart Business Communications System Configuration 30
Firewall for Controlling Inbound and Outbound Traffic 31
DMZ for Public Web Sites and Services 32
Configuring ProtectLink Web & Email Security 33
Site-to-Site Networking and Remote Access 33
Wireless Networking 37
Chapter 2: Status 38
Device Status 38
Device Status 38
Port Statistics 41
Wireless Statistics for the SA 520W 41
VPN Status 43
IPSec VPN Connection Status 43
SSL VPN Status 44
View Logs Status 46
View All Logs 46
IPSec VPN Logs 47
Policy Enforcement Logs 48
Active Users 48
CDP Neighbor 49
LAN Devices 49
Chapter 3: Networking 50
Configuring the WAN Connection 51
Viewing the WAN Status 54
Creating PPPoE Profiles 55
Configuring the LAN 56
About the Default LAN Settings 56
Configuring the LAN 57
Viewing the LAN Status 59
DHCP Reserved IPs 60
DHCP Leased Clients 61
Configuring the Optional Port as a LAN Port 61
Configuring the Optional WAN 61
Configuring Auto-Rollover, Load Balancing, and Failure Detection 65
Configuring the Protocol Bindings for Load Balancing 68
Configuring a DMZ 69
Configuring the DMZ Settings 72
DMZ Reserved IPs 74
DMZ DHCP Leased Clients 75
VLAN Configuration 75
Default VLAN Settings 76
Enabling or Disabling VLAN Support 77
Creating VLAN IDs 77
Assigning VLANs to LAN Ports 78
Multiple VLAN Subnets 79
Routing 81
Routing 81
Static Routing 82
Dynamic Routing 83
Port Management 85
Configuring the Ports 85
Configuring SPAN (Port Mirroring) 85
Bandwidth Profiles 86
Creating Bandwidth Profiles 87
Traffic Selectors 88
Dynamic DNS 89
Configuring IPv6 Addressing 90
IP Routing Mode 91
Configuring the IPv6 WAN Connection 92
Configuring the IPv6 LAN 93
IPv6 LAN Address Pools 95
IPv6 Multi LAN 96
IPv6 Static Routing 97
Routing (RIPng) 98
6to4 Tunneling 98
IPv6 Tunnels Status 99
ISATAP Tunnels 99
MLD Tunnels 100
Router Advertisement Daemon (RADVD) 101
Configuring Router Advertisement 101
Adding RADVD Prefixes 102
802.1p 104
Enabling 802.1p 104
802.1p Mapping 104
DSCP Remarking 105
Chapter 4: Wireless Configuration for the SA 520W 106
Configuring an Access Point 106
Step 1: Configuring the Wireless Profiles 106
Profile Advanced Configuration 109
Configuring the QoS Settings for a Wireless Profile 110
Controlling Wireless Access Based on MAC Addresses 111
Step 2: Configuring the Access Points 113
Configuring the Radio 114
Basic Radio Configuration 114
Advanced Radio Configuration 116
Chapter 5: Firewall Configuration 118
Configuring Firewall Rules to Control Inbound and Outbound Traffic 118
Preliminary Tasks for Firewall Rules 119
Configuring the Default Outbound Policy 122
Configuring a Firewall Rule for Outbound Traffic 122
Configuring a Firewall Rule for Inbound Traffic 125
Prioritizing Firewall Rules 128
Firewall Rule Configuration Examples 129
Using Other Tools to Prevent Attacks, Restrict Access, and Control Inbound Traffic 132
Configuring Attack Checks 133
Configuring MAC Filtering to Allow or Block Traffic 134
Port Triggering 135
Configuring a Port Triggering Rule to Direct Traffic to Specified Ports 136
Viewing the Port Triggering Status 137
Configuring Session Settings to Analyze Incoming Packets 137
Using Other Tools to Control Access to the Internet 138
Configuring Content Filtering to Allow or Block Web Components 139
Configuring Approved URLs to Allow Access to Websites 140
Configuring Blocked URLs to Prevent Access to Websites 141
Configuring IP/MAC Binding to Prevent Spoofing 142
SIP 143
Chapter 6: Intrusion Prevention System 144
Configuring IPS 144
Configuring the IPS Policy 146
Configuring the Protocol Inspection Settings 146
Configuring Peer-to-Peer Blocking and Instant Messaging 147
Chapter 7: Using Cisco ProtectLink Security Services 148
Chapter 8: Configuring VPN 149
About VPN 149
Configuring a Site-to-Site VPN Tunnel 150
Configuring an IPSec VPN Tunnel for Remote Access with a VPN Client 153
Configuring the User Database for the IPSec Remote Access VPN 155
Advanced Configuration of IPSec VPN 157
Viewing the Basic Setting Defaults for IPSec VPN 157
Configuring the IKE Policies for IPSec VPN 157
Configuring the IPSec VPN Policies 161
Configuring SSL VPN for Browser-Based Remote Access 167
Access Options for SSL VPN 168
Security Tips for SSL VPN 168
Elements of the SSL VPN 169
Scenario Step 1: Customizing the Portal Layout 170
Scenario Step 2: Adding the SSL VPN Users 172
Creating the SSL VPN Policies 173
Specifying the Network Resources for SSL VPN 176
Configuring SSL VPN Port Forwarding 176
SSL VPN Tunnel Client Configuration 178
Viewing the SSL VPN Client Portal 181
VeriSign™ Identity Protection configuration 182
Configuring VeriSign Identity Protection 182
Managing User Credentials for VeriSign Service 183
Chapter 9: Administration 184
Users 184
Domains 185
Groups 186
Adding or Editing User Settings 186
Adding or Editing User Login Policies 188
Maintenance 189
Managing Licenses 189
Upgrading Firmware and Working with Configuration Files 192
Maintaining the USB Device 194
Using the Secondary Firmware 196
Diagnostics 196
Measuring and Limiting Traffic with the Traffic Meter 197
Configuring the Time Settings 199
Configuring the Logging Options 201
Local Logging Config 201
IPv6 Logging 202
Remote Logging 203
Logs Facility 204
Managing Certificates for Authentication 206
Configuring RADIUS Server Records 208
Chapter 10: Network Management 210
RMON (Remote Management) 210
CDP 211
SNMP 212
Configuring SNMP 212
Configuring SNMP System Info 213
UPnP 214
Bonjour 215
Configuring Bonjour 215
Associating VLANs 215
Appendix A: Troubleshooting 217
Internet Connection 217
Date and Time 220
Pinging to Test LAN Connectivity 221
Restoring Factory-Default Configuration Settings 223
Appendix B: Standard Services 224
Appendix C: Technical Specifications and Environmental Requirements 227
Appendix D: Factory Default Settings 229
General Settings 229
Router Settings 231
Wireless Settings 234
Storage 236
Security Settings 238
Appendix E: Where to Go From Here 240
Getting Started
This chapter describes the SA 500 and provides scenarios to help you to begin configuring your security appliance to meet the needs of your business.
Feature Overview
Installation Options
Hardware Installation
Getting Started with the Configuration Utility
About the Default Settings
Basic Tasks
Common Configuration Scenarios
Feature Overview
The features of the SA 520, SA 520W, and the SA 540 are compared in the following table.
Table 1 Comparison of SA 500 Series Security Appliance Models
Feature | SA 520 | SA 520W | SA 540
Firewall Performance | 200 Mbps | 200 Mbps | 300 Mbps
UTM | 200 Mbps | 200 Mbps | 300 Mbps
VPN Performance | 65 Mbps | 65 Mbps | 85 Mbps
Connections | 15,000 | 15,000 | 40,000
LAN Ports | 4 | 4 | 8
Wireless (802.11n) | No | Yes | No
IPsec (# seats) | Yes (50) | Yes (50) | Yes (100)
SSL (# seats) | Includes 2 seats. With license, up to 25 seats. | Includes 2 seats. With license, up to 25 seats. | Included (50)
Device Overview
Before you begin to use the security appliance, become familiar with the LEDs on the front panel and the ports on the rear panel. Refer to the following illustrations and descriptions.
Front Panel
RESET Button—To reboot the security appliance, push and release the Reset button. To restore the factory default settings, press and hold the Reset button for 5 seconds.
DIAG LED—(Orange) When lit, indicates the appliance is performing the power-on diagnostics. When off, indicates the appliance has booted properly.
POWER LED—(Green) When lit, indicates the appliance is powered on.
DMZ LED—(Green) When lit, indicates the Optional port is configured as a Demilitarized Zone or Demarcation Zone, which allows public services such as web servers, without exposing your LAN.
SPEED LED—(Green or Orange) Indicates the traffic rate for the associated port. Off = 10 Mbps, Green = 100 Mbps, Orange = 1000 Mbps.
LINK/ACT LED—(Green) When lit, indicates that a connection is being made through the port. When flashing, the port is active.
WLAN LED—(Green) When lit, indicates that wireless is enabled (SA 520W).
Rear Panel
POWER Switch—Turns the security appliance on or off.
POWER Connector—Connects the security appliance to power using the supplied power cable.
LAN Ports—Connect computers and other network appliances to the security appliance. The SA 520 and SA 520W have 4 LAN ports. The SA 540 has 8.
OPTIONAL Port—Can be configured to operate as a WAN, LAN, or DMZ port. A DMZ (Demilitarized Zone or Demarcation Zone) can be configured to allow public access to services such as web servers without exposing your LAN.
WAN Port—Connects the security appliance to DSL, a cable modem, or another WAN connectivity device.
USB Port—Connects the security appliance to a USB device. You can use a USB device to store configuration files for backup and restore operations.
NOTE The back panel of the SA 520W includes three threaded connectors for the antennas.
Installation
This section guides you through the installation of your security appliance. Refer to the following topics:
Installation Options, page 13
Hardware Installation, page 16
Installation Options
You can place your security appliance on a desktop, mount it on a wall, or mount it in a rack.
Placement Tips
Ambient Temperature—To prevent the security appliance from overheating, do not operate it in an area that exceeds an ambient temperature of 104°F (40°C).
Air Flow—Be sure that there is adequate air flow around the device.
Mechanical Loading—Be sure that the security appliance is level and stable to avoid any hazardous conditions.
To place the security appliance on a desktop, install the four rubber feet (included) on the bottom of the security appliance. Place the device on a flat surface.
Wall Mounting
STEP 1 Insert two 17 mm screws, with anchors, into the wall 15 cm apart (about 5.9 inches). Leave 3-4 mm (about 1/8 inch) of the head exposed.
STEP 2 Position the unit so that the wall-mount slots are over the two screws. Slide the unit down until the screws fit snugly into the wall-mount slots.
Rack Mounting
You can mount the security appliance in any standard size, 19-inch (about 48 cm) wide rack. Each security appliance requires 1 rack unit (RU) of space, which is 1.75 inches (44.45 mm) high.
CAUTION Do not overload the power outlet or circuit when installing multiple devices in a rack.
STEP 1 Remove the four screws from each side of the security appliance.
STEP 2 Place one of the supplied spacers on the side of the security appliance so that the four holes align to the screw holes. Place a rack mount bracket next to the spacer and reinstall the screws.
NOTE If the screws are not long enough to reattach the bracket with the spacer, attach the bracket directly to the case without the spacer.
STEP 3 Install the security appliance into a standard rack as shown.
Hardware Installation
Follow these steps to connect the equipment:
STEP 1 Connect the security appliance to power.
STEP 2 If you are installing the SA 520W, screw each antenna onto a threaded connector on the back panel. Orient each antenna to point upward.
STEP 3 For DSL, a cable modem, or other WAN connectivity devices, connect an Ethernet network cable from the device to the WAN port on the back panel. Cisco strongly recommends using Cat5E or better cable.
STEP 4 For network devices, connect an Ethernet network cable from the network device to one of the dedicated LAN ports on the back panel.
STEP 5 If you are using a UC 500, connect an Ethernet network cable from the WAN port of the UC 500 to an available LAN port of the security appliance.
STEP 6 Power on the security appliance.
STEP 7 Power on the connected devices. Each LED lights to show an active connection.
A sample configuration is illustrated below.
Congratulations! The installation of the security appliance is complete.
Getting Started with the Configuration Utility
The Configuration Utility web page is a web-based device manager that is used to provision the SA 500 Series Security Appliances. To use this utility, you must be able to connect to the SA 500 Series Security Appliances from your administration PC or laptop. You can access the router by using any web browser (such as Microsoft Internet Explorer or Mozilla Firefox).
Connecting to the Configuration Utility
STEP 1 Connect your computer to an available LAN port on the back panel of the security appliance.
STEP 2 Start a web browser, and enter the following address: 192.168.75.1
This address is the factory default LAN address of the security appliance. If you change this setting in the LAN configuration, you will need to enter the new IP address to connect to the Configuration Utility.
STEP 3 When the Security Alert appears, accept or install the certificate:
Internet Explorer: Click Yes to proceed, or click View Certificate for details. On the Certificate page, click Install the Certificate. Follow the instructions in the Wizard to complete the installation.
Firefox: Click the link to add an exception. Click the Add Exception button. Click Get Certificate, and then click Confirm Security Exception.
Safari: Click Continue to proceed, or click Show Certificate. On the Certificate page, click Install the Certificate. Follow the instructions in the Wizard to complete the installation.
STEP 4 Enter the default user name and password:
Username: cisco
Password: cisco
STEP 5 Click Log In. The Getting Started (Basic) page appears. For more information, see Using the Getting Started Pages, page 20.
You can use the Cisco Configuration Assistant to launch the Configuration Utility if you are using the security appliance with a CCA-supported device, such as the UC 500. For more information about CCA, see: www.cisco.com/go/configassist.
Using the Getting Started Pages
The Getting Started pages provide help with common configuration tasks.
Find a task that you need to perform, and then click a link to get started.
Proceed in order through the listed links.
For help with advanced configuration tasks, such as firewall/NAT configuration, optional WAN configuration, DMZ configuration, and VPN setup, click the Getting Started > Advanced link in the navigation pane, and click the links to perform the tasks that you want to complete.
To return to the Getting Started (Basic) page at any time, click the Getting Started button in the menu bar.
To prevent the Getting Started (Basic) page from appearing automatically after you log in, check the Don’t show this on start-up box at
Figure 1 Getting Started (Basic) Page
Figure 2 Getting Started (Advanced) Page
Navigating Through the Configuration Utility
Use the menu bar and the navigation tree to perform tasks in the Configuration Utility.
Figure 3 Menu Bar and Navigation Tree
1. Menu Bar: Click an item in the menu bar at the top of the page to choose a module of the Configuration Utility.
2. Navigation Tree: Top-level links are indicated by arrows. Click a top-level link to open a list of options. Then click a link in the list to open a page where you can review or modify the configuration.
Using the Help System
The Configuration Utility includes detailed Help files for all configuration tasks. To view a Help page, click the Help link in the top right corner of the screen. A new window appears with information about the page that you are currently viewing.
Figure 4 Help Link
Figure 5 Sample Help Screen
About the Default Settings
The SA 500 Series Security Appliances are pre-configured with settings that allow you to start using the device with minimal changes needed. Depending on the requirements of your Internet Service Provider (ISP) and the needs of your business, you might need to modify some of these settings. You can use the Configuration Utility to customize all settings, as needed.
Settings of particular interest are described below. For a full list of all factory default settings, see Appendix D, “Factory Default Settings.”
IPv4 Addressing: By default, the security appliance is in IPv4 Only mode. If you want to use IPv6 addressing, first enable IPv6 mode and then configure your IPv6 WAN and your IPv6 LAN. See Configuring IPv6 Addressing, page 90.
WAN Configuration: By default, the security appliance is configured to obtain an IP address from your ISP by using Dynamic Host Configuration Protocol (DHCP). If your ISP assigned a static IP address, you will need to configure it. In addition, if your ISP requires a login every time that you connect to the Internet, you will need to enter the account information. You can change other WAN settings as well. For more information, see Scenario 1: Basic Network Configuration with Internet Access, page 28.
LAN Configuration: By default, the LAN interface acts as a DHCP server for all connected devices. For most deployment scenarios, the default DHCP and TCP/IP settings of the security appliance should be satisfactory. However, you can change the subnet address, or the default IP address of the security appliance. You can assign static IP addresses to connected devices rather than allowing the security appliance to act as a DHCP server. For more information, see Scenario 1: Basic Network Configuration with Internet Access, page 28.
Optional Port: This port is preset to act as a secondary WAN port. Alternatively, you can configure the Optional port for use as a DMZ port or an extra LAN port. See Scenario 1: Basic Network Configuration with Internet Access, page 28 or Scenario 7: DMZ for Public Web Sites and Services, page 32.
Wireless Network (SA 520W only): The SA 520W is configured with an access point named AP1, which has the default network name of Cisco_1. The access point is enabled by default. The security profile has Open security and identifies itself to all wireless devices that are in range. These settings make it easy for you to begin using your wireless network. However, for security purposes, it is strongly recommended that you configure the profile with the appropriate security settings. See Scenario 10: Wireless Networking, page 37.
Administrative Access: You can access the Configuration Utility by using a web browser and entering the default IP address of 192.168.75.1. You can log on by entering cisco for the username and cisco for the password. You are strongly encouraged to change the default username and password. You can also change the default Idle Timeout setting. The default setting requires logging in again after 10 minutes of inactivity. For more information about these settings, see Changing the Default User Name and Password, page 25.
Basic Tasks
We strongly recommend that you complete the following basic tasks before you begin configuring your security appliance.
Changing the Default User Name and Password
To prevent unauthorized access, immediately change the user name and password for the default Administrator account.
STEP 1 In the User Administration section of the Getting Started (Basic) page, click Change Default Admin Password And Add Users.
The Users page appears.
STEP 2 In the first row of the table, find the default Administrator account.
STEP 3 Click the button in the Edit column. The User Configuration page appears, displaying the default information.
STEP 4 Enter the following information:
User Name: Enter a unique identifier for the user. It can include any alphanumeric characters.
First Name: Enter the user’s first name.
Last Name: Enter the user’s last name.
The User Type and Group cannot be changed for this account.
Check to Edit Password: Check this box to enable the password fields.
Enter Your Password: Enter the current password. The default password for this new security appliance is cisco.
New Password: Enter a password that contains alphanumeric, ‘—’ or ‘_’ characters.
Confirm Password: Enter the password again.
Idle Timeout: Enter the time in minutes that the user can be inactive before the login expires. You can enter any value from 0 to 999.
STEP 5 Click Apply to save your settings, or click Reset to revert to the saved settings.
Backing Up Your Configuration
At any point during the configuration process, you can back up your configuration. Later, if you make changes that you want to abandon, you can easily revert to a saved configuration. For more information, see Upgrading Firmware and Working with Configuration Files, page 192.
Upgrading the Firmware
Before you do any other tasks, you should upgrade your firmware to ensure that you are using the latest version. You can upgrade from a file stored on your computer, your network, or a USB key.
STEP 1 In the Upgrade Firmware section of the Getting Started (Basic) page, click the link: Check for updates and download if new
STEP 2 When the web page appears, download the latest software.
You also can find new firmware for the SA 500 Series Security Appliances at: www.cisco.com/go/sa500software
STEP 3 In the Upgrade Firmware section of the Getting Started (Basic) page, click the Install the updated firmware link.
The Firmware & Configuration (Network) page appears.
STEP 4 In the Firmware Upgrade area, click Browse. Find the file that you downloaded.
STEP 5 Click Upload.
NOTE Wait while the firmware is upgraded.
1. Do NOT close the browser window.
2. Do NOT go online.
3. Do NOT turn off or power-cycle the router.
4. Do NOT shut down the computer.
The router will take several minutes to complete the upgrade. While the upgrade is in progress, the Test LED on the front panel of the router is lit. When the upgrade is complete, the router automatically restarts.
Common Configuration Scenarios
The SA 500 Series Security Appliances can be deployed to address the security concerns of your business. As you get started using your security appliance, consider the following configuration scenarios:
Scenario 1: Basic Network Configuration with Internet Access, page 28
Scenario 8: Cisco Smart Business Communications System Configuration, page 30
Scenario 7: DMZ for Public Web Sites and Services, page 32
Scenario 6: Firewall for Controlling Inbound and Outbound Traffic, page 31
Scenario 9: Site-to-Site Networking and Remote Access, page 33
Scenario 10: Wireless Networking, page 37
Scenario 1: Basic Network Configuration with Internet Access
[Figure: network diagram. Labels: Personal computer, Laptop computer, Printer, Private Network, SA 500, Internet Access Device, Outside Network, Internet]
In a basic deployment for a small business, the security appliance enables communication between the devices on the private network and also allows computers to access the Internet. With the default settings, the security appliance gets its WAN address dynamically from the ISP. All devices on the LAN receive their IP addresses dynamically from the security appliance. All devices have access to the Internet, but no inbound traffic is allowed from the Internet to any LAN devices.
Configuration tasks for this scenario:
The default configuration is sufficient for many small businesses, and you might not need to change any of the WAN or LAN settings. However, depending on the requirements of your ISP, as well as your preferences for your LAN configuration, you can make changes, as needed.
NOTE Before you configure your network, make sure that you have upgraded the firmware (see Upgrading the Firmware, page 26) and changed the default Administrator password (see Changing the Default User Name and Password, page 25).
Consider the following first steps:
1. Review the WAN configuration and make any changes that are needed to set up your Internet connection.
In the WAN & LAN Connectivity section of the Getting Started (Basic) page, click the WAN settings link. For more information, see Configuring the WAN Connection, page 51.
2. Review the LAN configuration and make any changes that are needed to support your network. The default DHCP and TCP/IP settings should be satisfactory in most cases. However, you can change the subnet address or the default IP address, or assign static IP addresses to your devices.
In the WAN & LAN Connectivity section of the Getting Started (Basic) page, click the LAN Settings link. For more information, see Configuring the LAN, page 56.
3. If you are going to use your security appliance with your Cisco Smart Business Communications System (SBCS), install and configure your UC 500.
See Scenario 8: Cisco Smart Business Communications System Configuration, page 30.
4. Consider how you want to use the Optional port:
If you need to host public services such as web sites, you will need a DMZ. For more information, see Scenario 7: DMZ for Public Web Sites and Services, page 32. For information about using the optional port as an extra LAN port, see Configuring the Optional Port as a LAN Port, page 61.
If you have two ISP links and do not need a DMZ, you can use the Optional port as a secondary WAN port to provide backup connectivity or load balancing. To configure the port, use the links in the Secondary WAN Port section of the Getting Started (Advanced) page. For more information, see Configuring the Optional WAN, page 61.
If you do not need a DMZ or a secondary WAN, you can use the Optional port as an extra LAN port. For more information, see Configuring the Optional Port as a LAN Port, page 61.
5. If you want to allow inbound access from the Internet, or if you want to restrict some types of outbound traffic to the Internet, configure your firewall rules.
See Scenario 6: Firewall for Controlling Inbound and Outbound Traffic, page 31.
6. Consider whether you need to allow access to your network from remote sites or remote workers.
See Scenario 9: Site-to-Site Networking and Remote Access, page 33.
7. Consider whether you need to enable features such as logging or remote access to the configuration utility. See Configuring the Logging Options, page 201 and RMON (Remote Management), page 210.
Scenario 8: Cisco Smart Business Communications System Configuration
You can use the security appliance to protect your Cisco Smart Business Communications System network.
[Figure: network diagram. Labels: Personal computer, Laptop computer, Printer, Private Network, SA 500, UC500, IP Phone, Internet Access Device, Outside Network, Internet]
Configuration tasks for this scenario:
1. Configure the WAN and LAN settings for your security appliance, as needed. See Scenario 1: Basic Network Configuration with Internet Access, page 28.
2. Connect a cable from the WAN port of the UC 500 to an available LAN port of the security appliance. With the default configuration, the security appliance acts as a DHCP server that assigns IP addresses in the range of 192.168.75.x. IP Phones are assigned IP addresses in the address range 10.1.1.x/24.
3. If you want to assign a static IP address to the UC 500 or other LAN devices, click the DHCP Reserved IPs link under WAN & LAN Connectivity on the Getting Started (Basic) page. For more information, see DHCP Reserved IPs, page 60.
4. Configure a static IP route from the security appliance to the UC 500 data VLANs (192.168.10.x). For more information, see Static Routing, page 82.