Cisco QuickVPN - PC, Small Business Pro SA 500 Series, Small Business Pro SA 520, Small Business Pro SA 520W, Small Business Pro SA 540 Administration Manual

Cisco Small Business Pro
SA 500 Series Security Appliances
ADMINISTRATION
GUIDE
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0907R)
© 2009 Cisco Systems, Inc. All rights reserved. OL-19114-02
Contents
Chapter 1: Getting Started 10
Feature Overview 10
Device Overview 11
Front Panel 11
Rear Panel 12
Installation 13
Installation Options 13
Hardware Installation 16
Getting Started with the Configuration Utility 18
Connecting to the Configuration Utility 18
Using the Getting Started Pages 20
Navigating Through the Configuration Utility 22
Using the Help System 23
About the Default Settings 24
Basic Tasks 25
Changing the Default User Name and Password 25
Backing Up Your Configuration 26
Upgrading the Firmware 26
Common Configuration Scenarios 27
Basic Network Configuration with Internet Access 28
Cisco Smart Business Communications System Configuration 30
Firewall for Controlling Inbound and Outbound Traffic 31
DMZ for Public Web Sites and Services 32
Configuring ProtectLink Web & Email Security 33
Site-to-Site Networking and Remote Access 33
Wireless Networking 37
Chapter 2: Status 38
Device Status 38
Device Status 38
Port Statistics 41
Wireless Statistics for the SA 520W 41
Cisco SA 500 Series Security Appliances Administration Guide 3
VPN Status 43
IPSec VPN Connection Status 43
SSL VPN Status 44
View Logs Status 46
View All Logs 46
IPSec VPN Logs 47
Policy Enforcement Logs 48
Active Users 48
CDP Neighbor 49
LAN Devices 49
Chapter 3: Networking 50
Configuring the WAN Connection 50
Viewing the WAN Status 54
Creating PPPoE Profiles 55
Configuring the LAN 56
About the Default LAN Settings 56
Configuring the LAN 57
Viewing the LAN Status 59
DHCP Reserved IPs 60
DHCP Leased Clients 61
Configuring the Optional Port as a LAN Port 61
Configuring the Optional WAN 62
Configuring Auto-Rollover, Load Balancing, and Failure Detection 65
Configuring the Protocol Bindings for Load Balancing 68
Configuring a DMZ 70
Configuring the DMZ Settings 73
DMZ Reserved IPs 75
DMZ DHCP Leased Clients 76
VLAN Configuration 77
Default VLAN Settings 77
Enabling or Disabling VLAN Support 78
Creating VLAN IDs 79
Assigning VLANs to LAN Ports 80
Multiple VLAN Subnets 81
Routing 83
Routing 83
Static Routing 84
Dynamic Routing 85
Port Management 86
Configuring the Ports 87
Configuring SPAN (Port Mirroring) 87
Bandwidth Profiles 88
Creating Bandwidth Profiles 88
Traffic Selectors 90
Dynamic DNS 91
Configuring IPv6 Addressing 92
IP Routing Mode 93
Configuring the IPv6 WAN Connection 94
Configuring the IPv6 LAN 95
IPv6 LAN Address Pools 97
IPv6 Multi LAN 98
IPv6 Static Routing 99
Routing (RIPng) 100
6to4 Tunneling 101
IPv6 Tunnels Status 101
ISATAP Tunnels 102
MLD Tunnels 103
Router Advertisement Daemon (RADVD) 104
Configuring Router Advertisement 104
Adding RADVD Prefixes 105
802.1p 107
Enabling 802.1p 107
802.1p Mapping 107
DSCP Remarking 108
Chapter 4: Wireless Configuration for the SA 520W 109
Configuring an Access Point 109
Step 1: Configuring the Wireless Profiles 110
Profile Advanced Configuration 113
Configuring the QoS Settings for a Wireless Profile 113
Controlling Wireless Access Based on MAC Addresses 114
Step 2: Configuring the Access Points 116
Configuring the Radio 118
Basic Radio Configuration 118
Advanced Radio Configuration 119
Chapter 5: Firewall Configuration 121
Configuring Firewall Rules to Control Inbound and Outbound Traffic 121
Preliminary Tasks for Firewall Rules 122
Configuring the Default Outbound Policy 125
Configuring a Firewall Rule for Outbound Traffic 126
Configuring a Firewall Rule for Inbound Traffic 129
Prioritizing Firewall Rules 132
Firewall Rule Configuration Examples 133
Using Other Tools to Prevent Attacks, Restrict Access, and Control Inbound Traffic 136
Configuring Attack Checks 136
Configuring MAC Filtering to Allow or Block Traffic 138
Port Triggering 139
Configuring a Port Triggering Rule to Direct Traffic to Specified Ports 140
Viewing the Port Triggering Status 141
Configuring Session Settings to Analyze Incoming Packets 141
Using Other Tools to Control Access to the Internet 142
Configuring Content Filtering to Allow or Block Web Components 143
Configuring Approved URLs to Allow Access to Websites 144
Configuring Blocked URLs to Prevent Access to Websites 145
Configuring IP/MAC Binding to Prevent Spoofing 146
SIP 147
Chapter 6: Intrusion Prevention System 148
Configuring IPS 148
Configuring the IPS Policy 150
Configuring the Protocol Inspection Settings 150
Configuring Peer-to-Peer Blocking and Instant Messaging 151
Chapter 7: Using Cisco ProtectLink Security Services 152
Chapter 8: Configuring VPN 153
About VPN 153
Configuring a Site-to-Site VPN Tunnel 154
Configuring an IPSec VPN Tunnel for Remote Access with a VPN Client 157
Configuring the User Database for the IPSec Remote Access VPN 159
Advanced Configuration of IPSec VPN 161
Viewing the Basic Setting Defaults for IPSec VPN 161
Configuring the IKE Policies for IPSec VPN 162
Configuring the IPSec VPN Policies 166
Configuring SSL VPN for Browser-Based Remote Access 172
Access Options for SSL VPN 173
Security Tips for SSL VPN 173
Elements of the SSL VPN 174
Scenario Step 1: Customizing the Portal Layout 175
Scenario Step 2: Adding the SSL VPN Users 177
Creating the SSL VPN Policies 179
Specifying the Network Resources for SSL VPN 181
Configuring SSL VPN Port Forwarding 182
SSL VPN Tunnel Client Configuration 184
Viewing the SSL VPN Client Portal 187
VeriSign™ Identity Protection configuration 188
Configuring VeriSign Identity Protection 188
Managing User Credentials for VeriSign Service 189
Chapter 9: Administration 191
Users 191
Domains 192
Groups 193
Adding or Editing User Settings 194
Adding or Editing User Login Policies 195
Maintenance 197
Managing Licenses 197
Upgrading Firmware and Working with Configuration Files 199
Maintaining the USB Device 202
Using the Secondary Firmware 203
Diagnostics 204
Measuring and Limiting Traffic with the Traffic Meter 205
Configuring the Time Settings 207
Configuring the Logging Options 208
Local Logging Config 208
IPv6 Logging 209
Remote Logging 210
Logs Facility 211
Managing Certificates for Authentication 212
Configuring RADIUS Server Records 213
Chapter 10: Network Management 215
RMON (Remote Management) 215
CDP 216
SNMP 217
Configuring SNMP 217
Configuring SNMP System Info 218
UPnP 219
Appendix A: Trouble Shooting 220
Internet Connection 220
Date and Time 223
Pinging to Test LAN Connectivity 224
Restoring Factory-Default Configuration Settings 226
Appendix B: Standard Services 227
Appendix C: Technical Specifications and Environmental Requirements 230
Appendix D: Factory Default Settings 233
General Settings 233
Router Settings 235
Wireless Settings 238
Storage 240
Security Settings 242
Appendix E: Where to Go From Here 244
Getting Started
This chapter describes the SA 500 and provides scenarios to help you to begin configuring your security appliance to meet the needs of your business.
Feature Overview, page 10
Installation Options, page 13
Hardware Installation, page 16
Getting Started with the Configuration Utility, page 18
About the Default Settings, page 24
Basic Tasks, page 25
Common Configuration Scenarios, page 27
Feature Overview
The features of the SA 520, SA 520W, and the SA 540 are compared in the following table.
Table 1 Comparison of SA 500 Series Security Appliance Models
| Feature | SA 520 | SA 520W | SA 540 |
|---|---|---|---|
| Firewall Performance | 200 Mbps | 200 Mbps | 300 Mbps |
| UTM | 200 Mbps | 200 Mbps | 300 Mbps |
| VPN Performance | 65 Mbps | 65 Mbps | 85 Mbps |
| Connections | 15,000 | 15,000 | 40,000 |
| LAN Ports | 4 | 4 | 8 |
| Wireless (802.11n) | No | Yes | No |
| IPsec (# seats) | Yes (50) | Yes (50) | Yes (100) |
| SSL (# seats) | Includes 2 seats. With license, up to 25 seats. | Includes 2 seats. With license, up to 25 seats. | Included (50) |
Device Overview
Before you begin to use the security appliance, become familiar with the LEDs on the front panel and the ports on the rear panel. Refer to the following illustrations and descriptions.
Front Panel
RESET Button—To reboot the security appliance, push and release the Reset button. To restore the factory default settings, press and hold the Reset button for 5 seconds.
DIAG LED—(Orange) When lit, indicates the appliance is performing the power-on diagnostics. When off, indicates the appliance has booted properly.
POWER LED—(Green) When lit, indicates the appliance is powered on.
DMZ LED—(Green) When lit, indicates the Optional port is configured as a Demilitarized Zone or Demarcation Zone, which allows public access to services such as web servers without exposing your LAN.
SPEED LED—(Green or Orange) Indicates the traffic rate for the associated port. Off = 10 Mbps, Green = 100 Mbps, Orange = 1000 Mbps.
LINK/ACT LED—(Green) When lit, indicates that a connection is being made through the port. When flashing, the port is active.
WLAN LED—(Green) When lit, indicates that wireless is enabled (SA 520W).
Rear Panel
POWER Switch—Turns the security appliance on or off.
POWER Connector—Connects the security appliance to power using the supplied power cable.
LAN Ports—Connect computers and other network appliances to the security appliance. The SA 520 and SA 520W have 4 LAN ports. The SA 540 has 8.
OPTIONAL Port—Can be configured to operate as a WAN, LAN, or DMZ port. A DMZ (Demilitarized Zone or Demarcation Zone) can be configured to allow public access to services such as web servers without exposing your LAN.
WAN Port—Connects the security appliance to DSL, a cable modem, or another WAN connectivity device.
USB Port—Connects the security appliance to a USB device. You can use a USB device to store configuration files for backup and restore operations.
NOTE The back panel of the SA 520W includes three threaded connectors for the antennas.
Installation
This section guides you through the installation of your security appliance. Refer to the following topics:
Installation Options, page 13
Hardware Installation, page 16
Installation Options
You can place your security appliance on a desktop, mount it on a wall, or mount it in a rack.
Placement Tips
Ambient Temperature—To prevent the security appliance from overheating, do not operate it in an area that exceeds an ambient temperature of 104°F (40°C).
Air Flow—Be sure that there is adequate air flow around the device.
Mechanical Loading—Be sure that the security appliance is level and stable to avoid any hazardous conditions.
To place the security appliance on a desktop, install the four rubber feet (included) on the bottom of the security appliance. Place the device on a flat surface.
Wall Mounting
STEP 1 Insert two 17 mm screws, with anchors, into the wall 15 cm apart (about 5.9 inches). Leave 3-4 mm (about 1/8 inch) of the head exposed.
STEP 2 Position the unit so that the wall-mount slots are over the two screws. Slide the unit down until the screws fit snugly into the wall-mount slots.
Rack Mounting
You can mount the security appliance in any standard size, 19-inch (about 48 cm) wide rack. Each security appliance requires 1 rack unit (RU) of space, which is 1.75 inches (44.45 mm) high.
CAUTION Do not overload the power outlet or circuit when installing multiple devices in a rack.
STEP 1 Remove the four screws from each side of the security appliance.
STEP 2 Place one of the supplied spacers on the side of the security appliance so that the four holes align to the screw holes. Place a rack mount bracket next to the spacer and reinstall the screws.
NOTE If the screws are not long enough to reattach the bracket with the spacer, attach the bracket directly to the case without the spacer.
STEP 3 Install the security appliance into a standard rack as shown.
Hardware Installation
Follow these steps to connect the equipment:
STEP 1 Connect the security appliance to power.
STEP 2 If you are installing the SA 520W, screw each antenna onto a threaded connector on the back panel. Orient each antenna to point upward.
STEP 3 For DSL, a cable modem, or other WAN connectivity devices, connect an Ethernet network cable from the device to the WAN port on the back panel. Cisco strongly recommends using Cat5E or better cable.
STEP 4 For network devices, connect an Ethernet network cable from the network device to one of the dedicated LAN ports on the back panel.
STEP 5 For a UC 500, connect an Ethernet network cable from the WAN port of the UC 500 to an available LAN port of the security appliance.
NOTE For details about configuring the UC 500 and the security appliance to work together, see the SA 500 Series Security Appliances Administration Guide on Cisco.com. See the documentation links in the “Where to Go From Here” section of this guide.
STEP 6 Power on the security appliance.
STEP 7 Power on the connected devices. Each LED lights to show an active connection.
A sample configuration is illustrated below.
Congratulations! The installation of the security appliance is complete.
Getting Started with the Configuration Utility
The Configuration Utility is a web-based device manager that is used to provision the SA 500 Series Security Appliances. To use this utility, you must be able to connect to the SA 500 Series Security Appliances from your administration PC or laptop. You can access the router by using any web browser (such as Microsoft Internet Explorer or Mozilla Firefox).
Connecting to the Configuration Utility
STEP 1 Connect your computer to an available LAN port on the back panel of the security appliance.
STEP 2 Start a web browser, and enter the following address: 192.168.75.1
NOTE The above address is the factory default LAN address of the security appliance. If you change this setting in the LAN configuration, you will need to enter the new IP address to connect to the Configuration Utility.
STEP 3 When the Security Alert appears, accept or install the certificate:
Internet Explorer: Click Yes to proceed, or click View Certificate for details. On the Certificate page, click Install the Certificate. Follow the instructions in the Wizard to complete the installation.
Firefox: Click the link to add an exception. Click the Add Exception button. Click Get Certificate, and then click Confirm Security Exception.
Safari: Click Continue to proceed, or click Show Certificate. On the Certificate page, click Install the Certificate. Follow the instructions in the Wizard to complete the installation.
STEP 4 Enter the default user name and password:
Username: cisco
Password: cisco
STEP 5 Click Log In. The Getting Started (Basic) page appears. For more information, see Using the Getting Started Pages, page 20.
You can use the Cisco Configuration Assistant to launch the Configuration Utility if you are using the security appliance with a CCA-supported device, such as the UC 500. For more information about CCA, see: www.cisco.com/go/configassist.
Using the Getting Started Pages
The Getting Started pages provide help with common configuration tasks.
Find a task that you need to perform, and then click a link to get started.
Proceed in order through the listed links.
To return to the Getting Started (Basic) page at any time, click the Getting Started button in the menu bar.
For help with advanced configuration tasks, such as firewall/NAT configuration, optional WAN configuration, DMZ configuration, and VPN setup, click the Getting Started > Advanced link in the navigation pane, and click the links to perform the tasks that you want to complete.
If you want to prevent the Getting Started (Basic) page from appearing automatically after you log in, check the Don’t show this on start-up box at
Figure 1 Getting Started (Basic) Page
Figure 2 Getting Started (Advanced) Page
Navigating Through the Configuration Utility
Use the menu bar and the navigation tree to perform tasks in the Configuration Utility.
Figure 3 Menu Bar and Navigation Tree
1. Menu Bar: Click an item in the menu bar at the top of the page to choose a module of the Configuration Utility.
2. Navigation Tree: Top-level links are indicated by arrows. Click a top-level link to open a list of options. Then click a link in the list to open a page where you can review or modify the configuration.
Using the Help System
The Configuration Utility includes detailed Help files for all configuration tasks. To view a Help page, click the Help link in the top right corner of the screen. A new window appears with information about the page that you are currently viewing.
Figure 4 Help Link
Figure 5 Sample Help Screen
About the Default Settings
The SA 500 Series Security Appliances are pre-configured with settings that allow you to start using the device with minimal changes needed. Depending on the requirements of your Internet Service Provider (ISP) and the needs of your business, you might need to modify some of these settings. You can use the Configuration Utility to customize all settings, as needed.
Settings of particular interest are described below. For a full list of all factory default settings, see Appendix D, “Factory Default Settings.”
IPv4 Addressing: By default, the security appliance is in IPv4 Only mode. If you want to use IPv6 addressing, first enable IPv6 mode and then configure your IPv6 WAN and your IPv6 LAN. See Configuring IPv6 Addressing, page 92.
WAN Configuration: By default, the security appliance is configured to obtain an IP address from your ISP by using Dynamic Host Configuration Protocol (DHCP). If your ISP assigned a static IP address, you will need to configure it. In addition, if your ISP requires a login every time that you connect to the Internet, you will need to enter the account information. You can change other WAN settings as well. For more information, see Scenario 1: Basic Network Configuration with Internet Access, page 28.
LAN Configuration: By default, the LAN interface acts as a DHCP server for all connected devices. For most deployment scenarios, the default DHCP and TCP/IP settings of the security appliance should be satisfactory. However, you can change the subnet address, or the default IP address of the security appliance. You can assign static IP addresses to connected devices rather than allowing the security appliance to act as a DHCP server. For more information, see Scenario 1: Basic Network Configuration with Internet Access, page 28.
Optional Port: This port is preset to act as a secondary WAN port. Alternatively, you can configure the Optional port for use as a DMZ port or an extra LAN port. See Scenario 1: Basic Network Configuration with Internet Access, page 28 or Scenario 4: DMZ for Public Web Sites and Services, page 32.
Wireless Network (SA 520W only): The SA 520W is configured with an access point named AP1, which has the default network name of Cisco_1. The access point is enabled by default. The security profile has Open security and identifies itself to all wireless devices that are in range. These settings make it easy for you to begin using your wireless network. However, for security purposes, it is strongly recommended that you configure the profile with the appropriate security settings. See Scenario 7: Wireless Networking, page 37.
Administrative Access: You can access the Configuration Utility by using a web browser and entering the default IP address of 192.168.75.1. You can log on by entering cisco for the username and cisco for the password. You are strongly encouraged to change the default username and password. You can also change the default Idle Timeout setting. The default setting requires logging in again after 10 minutes of inactivity. For more information about these settings, see Changing the Default User Name and Password, page 25.
Basic Tasks
It is strongly recommended that you complete the following basic tasks before you begin configuring your security appliance.
Changing the Default User Name and Password
To prevent unauthorized access, immediately change the user name and password for the default Administrator account.
STEP 1 In the User Administration section of the Getting Started (Basic) page, click Change Default Admin Password And Add Users.
The Users page appears.
STEP 2 In the first row of the table, find the default Administrator account.
STEP 3 Click the button in the Edit column. The User Configuration page appears, displaying the default information.
STEP 4 Enter the following information:
User Name: Enter a unique identifier for the user. It can include any alphanumeric characters.
First Name: Enter the user’s first name.
Last Name: Enter the user’s last name.
NOTE The User Type and Group cannot be changed for this account.
Check to Edit Password: Check this box to enable the password fields.
Enter Your Password: Enter the current password. The default password for this new security appliance is cisco.
New Password: Enter a password that contains alphanumeric, ‘—’ or ‘_’ characters.
Confirm Password: Enter the password again.
Idle Timeout: Enter the time in minutes that the user can be inactive before the login expires. You can enter any value from 0 to 999.
STEP 5 Click Apply to save your settings, or click Reset to revert to the saved settings.
Backing Up Your Configuration
At any point during the configuration process, you can back up your configuration. Later, if you make changes that you want to abandon, you can easily revert to a saved configuration. For more information, see Upgrading Firmware and Working with Configuration Files, page 199.
Upgrading the Firmware
Before you do any other tasks, you should upgrade your firmware to ensure that you are using the latest version. You can upgrade from a file stored on your computer, your network, or a USB key.
STEP 1 In the Upgrade Firmware section of the Getting Started (Basic) page, click the link: Check for updates and download if new
STEP 2 When the web page appears, download the latest software.
NOTE You also can find new firmware for the SA 500 Series Security Appliances at the following website: www.cisco.com/go/sa500software
STEP 3 In the Upgrade Firmware section of the Getting Started (Basic) page, click the Install the updated firmware link.
The Firmware & Configuration (Network) page appears.
STEP 4 In the Firmware Upgrade area, click Browse. Find the file that you downloaded.
STEP 5 Click Upload.
NOTE Wait while the firmware is upgraded.
1. Do NOT close the browser window.
2. Do NOT go online.
3. Do NOT turn off or power-cycle the router.
4. Do NOT shut down the computer.
The router will take several minutes to complete the upgrade. While the upgrade is in progress, the Test LED on the front panel of the router is lit. When the upgrade is complete, the router automatically restarts.
Common Configuration Scenarios
The SA 500 Series Security Appliances can be deployed to address the security concerns of your business. As you get started using your security appliance, consider the following configuration scenarios:
Scenario 1: Basic Network Configuration with Internet Access, page 28
Scenario 2: Cisco Smart Business Communications System Configuration, page 30
Scenario 4: DMZ for Public Web Sites and Services, page 32
Scenario 3: Firewall for Controlling Inbound and Outbound Traffic, page 31
Scenario 6: Site-to-Site Networking and Remote Access, page 33
Scenario 7: Wireless Networking, page 37
Scenario 1: Basic Network Configuration with Internet Access
[Figure: Scenario 1 network diagram. Labels: Outside Network, Internet, Internet Access Device, SA 500, Private Network, Laptop computer, Personal computer, Printer]
In a basic deployment for a small business, the security appliance enables communication between the devices on the private network and also allows computers to access the Internet. With the default settings, the security appliance gets its WAN address dynamically from the ISP. All devices on the LAN receive their IP addresses dynamically from the security appliance. All devices have access to the Internet, but no inbound traffic is allowed from the Internet to any LAN devices.
Configuration tasks for this scenario:
The default configuration is sufficient for many small businesses, and you might not need to change any of the WAN or LAN settings. However, depending on the requirements of your ISP, as well as your preferences for your LAN configuration, you can make changes, as needed.
NOTE Before you configure your network, make sure that you have upgraded the firmware (see Upgrading the Firmware, page 26) and changed the default Administrator password (see Changing the Default User Name and Password, page 25).
Consider the following first steps:
1. Review the WAN configuration and make any changes that are needed to set up your Internet connection.
In the WAN & LAN Connectivity section of the Getting Started (Basic) page, click the WAN settings link. For more information, see Configuring the WAN Connection, page 50.
2. Review the LAN configuration and make any changes that are needed to support your network. The default DHCP and TCP/IP settings should be satisfactory in most cases. However, you can change the subnet address or the default IP address, or assign static IP addresses to your devices.
In the WAN & LAN Connectivity section of the Getting Started (Basic) page, click the LAN Settings link. For more information, see Configuring the LAN, page 56.
3. If you are going to use your security appliance with your Cisco Smart Business Communications System (SBCS), install and configure your UC 500.
See Scenario 2: Cisco Smart Business Communications System Configuration, page 30.
4. Consider how you want to use the Optional port:
If you need to host public services such as web sites, you will need a DMZ. For more information, see Scenario 4: DMZ for Public Web Sites and Services, page 32. For information about using the optional port as an extra LAN port, see Configuring the Optional Port as a LAN Port, page 61.
If you have two ISP links and do not need a DMZ, you can use the Optional port as a secondary WAN port to provide backup connectivity or load balancing. To configure the port, use the links in the Secondary WAN Port section of the Getting Started (Advanced) page. For more information, see Configuring the Optional WAN, page 62.
If you do not need a DMZ or a secondary WAN, you can use the Optional port as an extra LAN port. For more information, see Configuring the Optional Port as a LAN Port, page 61.
5. If you want to allow inbound access from the Internet, or if you want to restrict some types of outbound traffic to the Internet, configure your firewall rules.
See Scenario 3: Firewall for Controlling Inbound and Outbound Traffic, page 31.
6. Consider whether you need to allow access to your network from remote sites or remote workers.
See Scenario 6: Site-to-Site Networking and Remote Access, page 33.
7. Consider whether you need to enable features such as logging or remote access to the configuration utility.
See the following topics:
Configuring the Logging Options, page 208
RMON (Remote Management), page 215
Scenario 2: Cisco Smart Business Communications System Configuration
[Figure: Scenario 2 network diagram. Labels: Outside Network, Internet, Internet Access Device, SA 500, UC500, Private Network, IP Phone, Laptop computer, Personal computer, Printer]
You can use the security appliance to protect your Cisco Smart Business Communications System network.
Configuration tasks for this scenario:
1. Configure the WAN and LAN settings for your security appliance, as needed.
See Scenario 1: Basic Network Configuration with Internet Access, page 28.
2. Connect a cable from the WAN port of the UC 500 to an available LAN port of the security appliance.