How it Works
Cisco
Loading...
S
Loading...
Loading...
Small Business RV220W
Administration Manual
178 pgs2.57 Mb0
Administration Manual
228 pgs2.49 Mb0
Quick Start Manual
2 pgs1.02 Mb0

Cisco Small Business RV220W Administration Manual

Download
Page 1
Cisco Small Business
RV220W Wireless-N Network Security Firewall
ADMINISTRATION
GUIDE
Page 2
© 2011 Cisco Systems, Inc. All rights reserved. 78-19743-01 D0
Page 3
Contents
Chapter 1: Introduction 11
Product Overview 11
Configuring the RV220W 12
Logging In 12
Setting Up the Cisco RV220W Using the Setup Wizard 13
Using the Getting Started Page 13
Features of the User Interface 14
Suggested Next Steps 15
Chapter 2: Configuring Networking 16
WAN Settings for IPv4 16
Configuring the IPv4 WAN Settings 17
PPPoE Profiles for Point-to-Point Protocol over Ethernet Connections 20
Managing PPPoE Profiles 20 Adding and Editing PPPoE Profile Settings 21
LAN Configuration for IPv4 22
IPv4 LAN (Local Network) 22
VLAN Membership 24
Multiple VLAN Subnets 26
Viewing the Multiple VLAN Subnets Table 26 Entering the Multiple VLAN Subnets Properties 26
Static DHCP 28
Advanced DHCP Configuration 29
DHCP Leased Clients 30
Jumbo Frames 30
Routing 31
Routing Mode 31
Routing Table 32
Static Routes 33
Dynamic Routing 35
Port Management 37
Cisco RV220W Administration Guide 3
Managing Static Routes 33 Configuring Static Routes 34
Page 4
Contents
Dynamic DNS 38
IPv6 39
IP Mode 39
IPv6 WAN (Internet) 40
Configuring IPv6 LAN Properties 41
Configuring IPv6 Static Routing 43
Managing IPv6 Static Routes 43 Configuring an IPv6 Static Route 44
Configuring IPv6-to-IPv4 Tunneling 45
Configuring an ISATAP Tunnel 46
Configuring Router Advertisement 46
RADVD Advertisement Prefixes 48
Managing Advertisement Prefixes 48 Adding and Editing Advertisement Prefixes 49
Chapter 3: Configuring the Wireless Network 50
About Wireless Security 50
Wireless Security Tips 51
General Network Security Guidelines 52
Basic Settings 53
Security Settings for Wireless Networks 56
MAC Filtering for Wireless Network Access Control 58
Connected Clients 59
Wi-Fi Multimedia and Quality of Service Settings 60
SSID Schedule for Network Availability 61
Advanced Settings 62
Wireless Distribution System (WDS) 63
Chapter 4: Firewall 64
Cisco RV220W Firewall Features 64
Access Rules 66
Cisco RV220W Administration Guide 4
Setting the Default Outbound Policy and Managing Access Rules 66 Adding and Editing Access Rules 67
Page 5
Changing Access Rule Priorities 71
Contents
Attack Prevention 72
Content Filtering 73
URL Blocking 75
Port Triggering 76
Managing Port Triggering Rules 77 Adding and Editing Port Triggering Rules 77
Port Forwarding 78
Managing Port Forwarding Rules 78
Adding or Editing a Port Forwarding Rule 79
DMZ Host 82
Advanced Firewall Settings 82
One-to-One Network Address Translation (NAT) 83
Managing One-to-One NAT Rules 83 Adding or Editing a One-to-One NAT Rule 84
MAC Address Filtering 85
IP/MAC Address Binding 86
Custom Services 87
Managing Custom Services 87 Adding or Editing a Custom Service 88
Schedules for Firewall Rules and Port Forwarding Rules 89
Managing Schedules 89 Adding or Editing a Schedule 90
Session Settings 91
Internet Group Management Protocol (IGMP) 92
Enabling IGMP and Managing the Allowed Networks Table 92 Adding or Editing the Allowed Networks 93
SIP ALG 93
Firewall Configuration Examples 94
Chapter 5: Cisco ProtectLink Web 98
Getting Started with Cisco ProtectLink Web 98
Global Settings for Approved URLs and Clients 99
Cisco RV220W Administration Guide 5
Page 6
Approved Clients 99
Approved URLs 100
Contents
Web Protection 101
Overflow Control 101
Web Reputation 102
URL Filtering 103
Updating the ProtectLink License 104
Summary 104
Renewal 105
Chapter 6: Configuring Virtual Private Networks (VPNs) and Security 106
Configuring VPNs 107
Basic VPN Setup 109
Configuring Advanced VPN Parameters 111
Managing IKE and VPN Policies 112
Configuring IKE Policies 113
Configuring VPN Policies 117
Configuring VPN Users 122
Configuring VPN Passthrough 124
SSL VPN Server 124
Access Options for SSL VPN 125
Security Tips for SSL VPN 125
Elements of SSL VPN 126
Portal Layouts 126
Managing Portal Layouts 127 Adding or Editing a Portal Layout 127
SSL VPN Policies 129
About SSL VPN Policies 129 Managing SSL VPN Policies 129 Configuring an SSL VPN Policy 130
Resources for SSL VPN 132
Cisco RV220W Administration Guide 6
Managing Resources 132 Configuring a Resource 132
Page 7
SSL VPN Port Forwarding 133
Managing Applications and Host Names for Port Forwarding 133 Configuring a TCP Application for SSL VPN Port Forwarding 134 Configuring Host Name Resolution for Port Forwarding 135
Contents
SSL VPN Tunnel Client Configuration 136
SSL VPN Client 136
Configured Client Routes for Split Tunnel Mode 138
Managing Client Routes 138 Configuring a Client Route 139
Viewing the SSL VPN Client Portal 139
Chapter 7: Configuring Security 141
Using SSL Certificates for Authentication 141
Importing a Trusted Certificate from a File 143
Importing an Active Self Certificate from a File 143
Generating a Certificate Request 144
Viewing a Certificate Request 145
Using the Cisco RV220W With a RADIUS Server 146
Managing RADIUS Server Configurations 146
Adding or Editing a RADIUS Server Configuration 147
Configuring 802.1x Port-Based Authentication 148
Chapter 8: Configuring Quality of Service 149
WAN QoS Profiles 149
Profile Binding 151
Managing Profile Binding Rules 151 Configuring a Profile Binding Rule 152
CoS Settings 153
CoS Settings for Traffic Forwarding Queues 153
CoS to DSCP Remarking 154
Chapter 9: Administering Your Cisco RV220W 155
Password Rules for Password Complexity 156
Cisco RV220W Administration Guide 7
Page 8
Contents
Remote Management 157
User Management 158
Domains 158
Managing Domains 159 Configuring a Domain 159
Groups 161
Managing Groups for a Domain 161 Configuring a Group 162
Users 163
Managing Users 163 Configuring a User 164 User Log in Policies 165 User Log in Policies by Client Browser 166 User Log in Policies by IP Address 167
Network Management (SNMP) 169
SNMP Users and Trap Settings 169
Managing User Security Settings and Trap Settings 169 Configuring the User Security Settings for SNMP 170 Configuring SNMP Traps 171
SNMP System Information 171
WAN Traffic Meter 172
Diagnostics 174
Network Tools 174
Capture Packets 176
Logging 176
Logging Policies 176
Managing Logging Policies 177 Configuring a Logging Policy 177
Firewall Logs 178
Remote Logging Configuration 180
Discovery Settings 182
Discovery Settings for Bonjour 182
UPnP Discovery 183
Time Settings 184
Cisco RV220W Administration Guide 8
Page 9
Contents
Backing Up or Restoring a Configuration 185
CSV File Import for User Accounts 186
Creating a CSV File 186
Importing a CSV File 189
Firmware Upgrade 189
Rebooting the Cisco RV220W 190
Restoring the Factory Defaults 190
Chapter 10: Viewing the RV220W Status 192
Viewing the Dashboard 193
Viewing the System Summary 196
Viewing the Wireless Statistics 199
Viewing the IPsec Connection Status 200
Viewing the VPN Client Connection Status 201
Viewing Logs 202
Viewing Available LAN Hosts 202
Viewing the Port Triggering Status 203
Viewing Interface Statistics 203
Viewing Port Statistics 204
Viewing Open Ports 206
Viewing Active Users 206
Viewing the SSL VPN Connection Information Status 207
Appendix A: Installing the Cisco RV220W 209
Getting to Know the Cisco RV220W 209
Front Panel 209
Back Panel 210
Mounting the Cisco RV220W 211
Placement Tips 211
Wall Mounting 211
Cisco RV220W Administration Guide 9
Page 10
Contents
Attaching the Antennas 214
Connecting the Equipment 214
Verifying the Hardware Installation 216
Connecting to Your Wireless Network 217
Appendix B: Using Cisco QuickVPN 218
Overview 218
Before You Begin 218
Installing the Cisco QuickVPN Software 219
Installing from the CD-ROM 219
Downloading and Installing from the Internet 221
Using the Cisco QuickVPN Software 221
Appendix C: Glossary 224
Appendix D: Where to Go From Here 228
Cisco RV220W Administration Guide 10
Page 11
Introduction
This introduction provides information to familiarize you with the product features and help you get started using the web-based Configuration Utility.
Refer to these topics:
1
Product Overview, page11
Configuring the RV220W, page 12
Setting Up the Cisco RV220W Using the Setup Wizard, page 13
Product Overview
Thank you for choosing the Cisco Small Business RV220W Wireless-N Network Security Firewall. The Cisco RV220W is an advanced Internet-sharing network solution for your small business needs. It allows multiple computers in your office to share an Internet connection through both wired and wireless connections.
The RV220W Network Security Firewall delivers high-performance, high security, wired and wireless connectivity—to the Internet, other offices, and employees working remotely—to speed file transfers and help improve the productivity of employees in a small office. Hybrid VPN capabilities, supporting both IP Security (IPsec) and Secure Sockets Layer (SSL) VPN, provide flexibility to connect remote offices as if they were physically attached to the network and extend controlled network access to partners and others. Business-class security and optional cloud-based web threat protection help keep the network and business assets safe.
Cisco RV220W Administration Guide 11
Page 12
Introduction
Configuring the RV220W
Configuring the RV220W
After connecting your equipment, use the web-based Configuration Utility to configure your RV220W.
The Cisco RV220W tries to automatically detect and configure your Internet settings. However, in some cases you might need to manually configure some settings using the Device Manager. At a minimum, you should change the default administrator name and password, and set up wireless security. See these topics for more information about getting started in the Configuration Utility:
Setting Up the Cisco RV220W Using the Setup Wizard
Using the Getting Started Page
Features of the User Interface
1
Suggested Next Steps
NOTE For information about installation, see Appendix A, “Installing the Cisco
RV220W.”
Logging In
STEP 1 Connect a PC to a LAN port of the Cisco RV220W. If DHCP is enabled (the default
setting), your PC becomes a DHCP client of the RV220W and receives an IP address in the 192.168.1.xxx range.
Note: You may need to configure your PC to obtain its IP address from a DHCP server.
STEP 2 Start a web browser on your PC.
STEP 3 In the Address bar, enter the LAN IP address of the RV220W. (default 192.168.1.1).
Note: If Bonjour is enabled (the default setting), the RV220W advertise its record
information to any browsing device attached to its network. As a result, you run Bonjour or FindIT on your PC to automatically discover the RV220W.
The browser may display a message about the site’s security certificate. The RV220W uses a self security certificate and this message appears because the RV220W is not known to your PC. You can safely click Continue (or the option shown on your particular web browser) to go to the web site.
STEP 4 When the login page appears, enter the user name and password. The default
user name is cisco. The default password is cisco. Passwords are case sensitive.
Cisco RV220W Administration Guide 12
Page 13
Introduction
Configuring the RV220W
STEP 5 Click Log In.
STEP 1 After logging in to the configuration utility, click Run Setup Wizard in the
1
Note: To prevent unauthorized access, use the Administration > User
Management > Users page to configure more secure login credentials as soon as possible.
Setting Up the Cisco RV220W Using the Setup Wizard
With the Cisco RV220W powered on and connected to a PC, use the Setup Wizard to configure the network settings.
To use the Setup Wizard:
navigation tree.
STEP 2 Follow the on-screen instructions to set up the Cisco RV220W.
The Setup Wizard tries to automatically detect and configure your connection. If it cannot, the Setup Wizard asks you for information about your Internet connection. If you do not have the required information, contact your Internet Service Provider (ISP) to obtain it.
During the setup process, the Setup Wizard asks you to enter a new password. To protect your router from unauthorized access, create a new password that is hard to guess. While you are entering the password, the Setup Wizard provides you with instant feedback regarding the strength of the password.
After the Setup Wizard is done configuring the Cisco RV220W, the Getting Started page appears. See Using the Getting Started Page, page 13 for more information.
Using the Getting Started Page
Use the links on the Getting Started page to perform the most common configuration tasks. Click a link to perform a task. After performing a task, be sure to save your new settings. To return to the Getting Started page, click Getting Started in the navigation tree.
Cisco RV220W Administration Guide 13
Page 14
Introduction
Configuring the RV220W
NOTE When you get a new router, be sure to check Cisco.com for firmware updates. Then
1
in the Quick Access section of the Getting Started page, use the Update Device Firmware link to install your new firmware.
The Getting Started page includes these sections:
Initial Settings—These links are for common tasks that most users need to
perform to configure the Cisco RV220W for the first time. Although the default settings are sufficient for many small businesses, you should use these links to review the settings and make changes as needed.
Quick Access—These links are for common tasks that may be applicable
to your network.
Device Status—These links provide access to status information for your
network. After configuring your settings, you should use these links to verify the configuration.
The Other Resources section includes these links:
Support—Click the link to visit the Cisco RV Series Routers page on
Cisco.com. This page provides links to technical documentation, product literature, and other resources.
Forums—Click this link to visit the Cisco Small Business Support
Community on Cisco.com.
To prevent the Getting Started page from showing when the Device Manager is started, check Don’t show this on start-up.
Features of the User Interface
Navigating through the pages
Use the navigation tree in the left pane to open the configuration pages. Click a menu item on the left panel to expand it. Click the menu names displayed underneath to perform an action or view a sub-menu.
Saving your changes
Click Save to save your settings, or click Cancel to reload the page with the current settings. If a page was opened by using an Add or Edit button, you can click Back to return to the referring page.
Cisco RV220W Administration Guide 14
Page 15
Introduction
Configuring the RV220W
1
Viewing the Help files
To view more information about a configuration page, click the Help link near the top right corner of the page.
Suggested Next Steps
Cisco recommends that you change some default settings to provide better security and performance. In addition, you may need to manually configure some settings. A suggested outline of steps follows:
Change the administrator name and password. See Users, page 163.
Change the idle timeout value. The Device Manager, by default, logs you out
after 10 minutes of inactivity. For more information, see User Management,
page 158.
Enable remote management, which is a convenience to you when
configuring the router, and which is required if you want to enable a VPN. See User Management, page 158.
If your connection is not working, or your Internet service requires a login
account and password, see WAN Settings for IPv4, page 16.
If you already have a DHCP server on your network, and you do not want
the Cisco RV220W to act as a DHCP server, see LAN Configuration for
IPv4, page 22.
Configure your wireless network, especially wireless security. See
Chapter 3, “Configuring the Wireless Network.”
Configure your Virtual Private Network (VPN).
- You can quickly set up a Gateway-to-Gateway or Client-to-Gateway
VPN by using the VPN > Basic VPN Setup page. For more information, see Basic VPN Setup, page 109.
- Alternatively, for a simpler VPN setup, you can enable remote
management, configure user accounts, and distribute Cisco QuickVPN to your remote workers. The Cisco QuickVPN software is found on the CD that shipped with your router. Also see Using Cisco QuickVPN,
page 218.
Cisco RV220W Administration Guide 15
Page 16
Configuring Networking
The Networking menu provides access to configuration pages where you can configure your WAN, LAN, and other IPv4 and IPv6 network settings.
Refer to these topics:
WAN Settings for IPv4, page 16
LAN Configuration for IPv4, page 22
2
Routing, page 31
Port Management, page 37
Dynamic DNS, page 38
IPv6, page 39
WAN Settings for IPv4
Use the Networking > WAN menu to set up your Internet connection for your IPv4 network.
Configuring the IPv4 WAN Settings, page 17
PPPoE Profiles for Point-to-Point Protocol over Ethernet Connections,
page 20
NOTE For instructions on configuring your RV220W for an IPv6 network, see the “IPv6”
section on page 39.
Cisco RV220W Administration Guide 16
Page 17
Configuring Networking
WAN Settings fo r I P v4
NOTE If your service provider requires PPPoE, first configure a PPPoE profile. See PPPoE
STEP 1 In the Internet Connection Type section, choose the type specified by your
2
Configuring the IPv4 WAN Settings
Follow these instructions to configure your Internet connection for your IPv4 network.
Profiles for Point-to-Point Protocol over Ethernet Connections, page 20.
To open this page: In the navigation tree, choose Networking > WAN (Internet) > IPv4 WAN (Internet).
service provider. Then enter the required settings for the selected type.
Automatic Configuration - DHCP—Choose this option if your service
provider gave you a dynamic DHCP connection to the Internet, or your PC receives its IP address from your cable or DSL modem. This address can change. No additional settings are required for this connection type.
Static IP—Choose this option if your service provider gave you an IP
address that does not change. Enter the IP address, mask, default gateway, and DNS server information. The fields are described in the table below this step.
PPPoE—Choose this option if your service provider gave you a Point-to-
Point Protocol over Ethernet (PPPoE) connection to the Internet (used mainly with asymmetric DSL). In the PPPoE section, choose a PPPoE Profile Name. If you have not yet created PPPoE profiles, click the Configure Profile button. For more information, see PPPoE Profiles for Point-to-Point
Protocol over Ethernet Connections, page 20.
PPTP—Choose this option if your service provider gave you a Point-to-Point
Tunneling Protocol (PPTP) connection to the Internet (used in Europe). In the PPTP section, enter your user name, password, and connection type, IP address, and server IP address. Also enable encryption if supported. The fields are described in the table below this step.
L2TP—Choose this option if your service provider gave you a Layer 2
Tunneling Protocol (L2TP) connection to the Internet (used in Europe). In the L2TP section, enter your user name, password, and connection type, IP address, and server IP address. Optionally, enter the secret phrase. The fields are described in the table below this step.
Cisco RV220W Administration Guide 17
Page 18
Configuring Networking
WAN Settings fo r I P v4
2
IP Address or My IP Address
Subnet Mask Enter the subnet mask specified by your service provider.
Default Gateway Enter the IP address of the default gateway specified by
Primary DNS Server, Secondary DNS Server
User Name Enter the user name for your Internet account.
Password Enter the password for your Internet account.
Secret If required by your service provider, enter the secret phrase
MPPE Encryption If your service provider’s PPTP server supports Microsoft
Connection Type Choose the connection type:
Enter the IP address that was assigned to your account.
your service provider.
For domain name resolution, enter the IP address of the DNS servers specified by your service provider. The Primary DNS Server is required for a Static IP connection.
used to log in to the server.
Point-to-Point Encryption (MPPE), check the Enable box.
Server IP Address
Keep Connected—The Internet connection is
always on.
Idle Time—The Internet connection is on only when
traffic is present. If the connection is idle—that is, no traffic is occurring—the connection is closed. You might want to choose this if your ISP charges based on the amount of time that you are connected. If you choose this connection type, enter the number of minutes after which the connection shuts off in the Idle Time field.
Enter the IP address of the PPTP or L2TP server specified by your service provider.
Cisco RV220W Administration Guide 18
Page 19
Configuring Networking
WAN Settings fo r I P v4
STEP 2 In the MTU Size section, choose the MTU Type. (See MTU (Maximum
STEP 3 In the Router MAC Address section, specify the MAC address source. The
2
Transmission Unit) in the glossary.)
Default—Unless a change is required by your ISP, Cisco recommends that
you use the default setting, 1500 bytes.
Custom—If your ISP requires a custom MTU setting, choose Custom and
enter the MTU Size specified by your provider.
RV220W has a unique 48-bit local Ethernet hardware address. In most cases, the RV220W’s default MAC address is used to identify your Cisco RV220W to your ISP. However, you can change this setting if required by your ISP.
Use Default Address (recommended).
Use this computer's MAC—Choose this option to assign the MAC address
of the computer that you are using to configure the RV220W.
Use This MAC—Choose this option if you want to manually enter a MAC
Address that is expected by your ISP. Then enter a MAC Address in the format of XX:XX:XX:XX:XX:XX, where X is a number from 0 through 9 or a letter from A through F.
STEP 4 Click Save to save your settings, or click Cancel to redisplay the page with the
current settings.
Cisco RV220W Administration Guide 19
Page 20
Configuring Networking
WAN Settings fo r I P v4
2
PPPoE Profiles for Point-to-Point Protocol over Ethernet Connections
If you have a Point-to-Point Protocol over Ethernet (PPPoE) connection to the Internet (used mainly with asymmetric DSL), create a PPPoE profile for your PPPoE connection. You can create multiple profiles, which are useful if you connect to the Internet using different service provider accounts.
Managing PPPoE Profiles, page 20
Adding and Editing PPPoE Profile Settings, page 21
Managing PPPoE Profiles
Use the Networking > WAN (Internet) > PPPoE Profiles page to view, add, edit, or delete PPPoE profiles.
To open this page: In the navigation tree, choose Networking > WAN (Internet) > PPPoE Profiles.
Perform these tasks:
To add a profile, click Add. Then enter the settings on the Add/Edit PPPoE
Profile Configuration page. See Adding and Editing PPPoE Profile
Settings, page 21.
To edit a profile, check the box and then click Edit. Then enter the settings on
the Add/Edit PPPoE Profile Configuration page. See Adding and Editing
PPPoE Profile Settings, page 21.
To delete a profile, check the box and then click Delete. To select all profiles,
check the box in the heading row, and then click Delete. When the confirmation message appears, click OK to continue with the deletion, or otherwise click Cancel.
Cisco RV220W Administration Guide 20
Page 21
Configuring Networking
WAN Settings fo r I P v4
STEP 1 Enter this information:
2
Adding and Editing PPPoE Profile Settings
Use the Add/Edit PPPoE Profile Configuration page to enter the settings for a PPPoE profile.
To open this page: From the Networking > WAN (Internet) > PPPoE Profiles page, click Add or select a profile and then click Edit.
Profile Name—Enter a descriptive name to identify the profile (for example,
“ISPOne”).
Username—Enter the user name for accessing your ISP account (for
example,
Password—Enter the password for accessing your ISP account.
john@ISPname.net
).
Authentication Type—Choose one of the following options:
- Auto-negotiate—The server sends a configuration request specifying
the security algorithm set on it. The RV220W then sends back authentication credentials with the security type sent earlier by the server.
- PAP —The RV220W uses Password Authentication Protocol (PAP) when
connecting with the ISP.
- CHAP—The RV220W uses Challenge Handshake Authentication
Protocol (CHAP) when connecting with the ISP.
- MS-CHAP—The RV220W uses Microsoft Challenge Handshake
Authentication Protocol when connecting with the ISP.
- MS-CHAPv2—The RV220W uses Microsoft Challenge Handshake
Authentication Protocol Version 2 when connecting with the ISP.
Connection Type—Choose one of the following options:
- Keep Connected—The Internet connection is always on.
- Idle Time—The Internet connection is on only when traffic is present. If
the connection is idle—that is, no traffic is occurring—the connection is closed. You might want to choose this if your ISP charges based on the amount of time that you are connected. If you choose this connection type, enter the number of minutes after which the connection shuts off in the Idle Time field.
Cisco RV220W Administration Guide 21
Page 22
Configuring Networking
LAN Configuration for IPv4
STEP 2 Click Save to save your settings, or click Cancel to reload the page with the
current settings.
LAN Configuration for IPv4
Use the Network > LAN (Local Network) menu to set up your IPv4 LAN. This menu includes the following options:
IPv4 LAN (Local Network), page 22
VLAN Membership, page 24
Multiple VLAN Subnets, page 26
2
Static DHCP, page 28
Advanced DHCP Configuration, page 29
DHCP Leased Clients, page 30
Jumbo Frames, page 30
NOTE For IPv6 LAN configuration, see Configuring IPv6 LAN Properties, page 41.
IPv4 LAN (Local Network)
For most applications, the default settings are satisfactory. You can make changes to suit your requirements. For example, you may want to make the following types of changes:
DHCP server options: If you want another PC on your network to be the
DHCP server, or if you are manually configuring the network settings of all of your PCs, disable DHCP.
DNS server or WINS server: Instead of using a DNS server, you can use a
Windows Internet Naming Service (WINS) server. A WINS server is the equivalent of a DNS server but uses the NetBIOS protocol to resolve hostnames. The RV220W includes the WINS server IP address in the DHCP configuration when acknowledging a DHCP request from a DHCP client. You can also enable a DNS proxy. When enabled, the RV220W then acts as a proxy for all DNS requests and communicates with the ISP's DNS servers. When disabled, all DHCP clients receive the DNS IP addresses of the ISP.
Cisco RV220W Administration Guide 22
Page 23
Configuring Networking
LAN Configuration for IPv4
STEP 1 In the Network section, keep the default Host Name, or enter a new name to
STEP 2 In the LAN (Local Network) Configuration section, keep the default IP Address
2
IP address range: If machines on your LAN use different IP address ranges
(for example, 172.16.2.0 or 10.0.0.0), you can add aliases to the LAN port to give PCs on those networks access to the Internet. This allows the RV220W to act as a gateway to additional logical subnets on your LAN. You can assign the RV220W an IP address on each additional logical subnet.
To open this page: In the navigation tree, choose Networking > LAN (Local Network) > IPv4 LAN (Local Network).
identify your router. This field allows alpha-numeric characters and the hyphen.
The default host name consists of the word “router” followed by the last 3 bytes of LAN MAC address (in Hex-decimal form). This allows the Cisco FindIT Network Discovery Utility to identify Cisco Small Business devices on the LAN.
and Subnet Mask, or change them as needed for your network.
Note: If you change the LAN IP address, you will need to use the new IP address to launch the configuration utility. You may need to release and renew the IP address of your PC, if using DHCP, or configure a static IP address in the same subnet as the RV220W.
STEP 3 In the DHCP section, choose the DHCP Mode and enter the required settings.
Note: If you need to reserve IP addresses for devices on your network, click the Configure Static DHCP button. For more information, see Static DHCP, page 28.
DHCP Server—Choose this option to allow the Cisco RV220W to
dynamically assign IP addresses to devices in the network. By default, the Cisco RV220W functions as a DHCP server to the hosts on the Wireless LAN (WLAN) or LAN network and assigns IP and DNS server addresses. With DHCP enabled, the RV220W's IP address serves as the gateway address to your LAN. The PCs in the LAN are assigned IP addresses from a pool of addresses. Each address is tested before it is assigned to avoid duplicate addresses on the LAN. If you choose this option, enter this information:
- Domain Name—Enter the domain name for your network (optional).
- Starting and Ending IP Address—Enter the first and last of the
contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address in this range. You can save part of the range for PCs with fixed addresses. These addresses should be in the same IP address subnet as the RV220W's LAN IP address.
Cisco RV220W Administration Guide 23
Page 24
Configuring Networking
LAN Configuration for IPv4
STEP 4 In the LAN (Local Network) Proxy section, check Enable to enable the Cisco
2
- Primary and Secondary DNS Server—DNS servers map Internet
domain names (for example, www.cisco.com) to IP addresses. Enter the server IP addresses in these fields if you want to use different DNS servers than are specified in your WAN settings.
- Lease time—Enter the duration (in hours) for which IP addresses are
leased to clients.
DHCP Relay—Choose this option to enable the relay gateway to transmit
DHCP messages from a DHCP server on another subnet. Then enter the address of the DHCP server in the Remote DHCP Server field.
None—Use this to disable DHCP on the Cisco RV220W. If you want another
device on your network to be the DHCP server, or if you are manually configuring the network settings of all of your PCs, disable DHCP.
RV220W to act as a proxy for all DNS requests and to communicate with the ISP's DNS servers.
STEP 5 Click Save to save your settings, or click Cancel to reload the page with the
current settings.
VLAN Membership
Use the Networking > LAN (Local Network) > VLAN Membership page to enable, create, and manage VLAN (Virtual LAN)s. The router is configured with a default VLAN, VLAN 1, and all devices are members.
Up to four new VLANs can be created. The configured VLANs are listed in the
VLAN Membership Table.
To open this page: Choose Networking > LAN (Local Network) > VLAN
Membership.
Cisco RV220W Administration Guide 24
Page 25
Configuring Networking
LAN Configuration for IPv4
STEP 1 Check the VLAN Enable box to enable the creation and management of additional
STEP 2 Perform these tasks:
2
VLANs. To disable this feature, uncheck the box.
To add a new VLAN, click Add Row. Then enter these settings:
- VLAN ID—Enter a numerical VLAN ID that will be assigned to endpoints
in the VLAN membership. The VLAN ID can range from 2 to 4094. VLAN ID 1 is reserved for the default VLAN, which is used for untagged frames received on the interface, and VLAN ID 4092 is reserved and cannot be used. After a new VLAN entry is saved, the VLAN ID cannot be changed.
- Description—Enter a short description to identify this VLAN.
- Inter VLAN Routing—Check the box to enable routing between this and
other VLANS, or uncheck the box to disable this feature.
- Device Management—Check the box to enable this feature, or uncheck
the box to disable it. This setting determines whether or not clients can access the Cisco RV220W Configuration Utility on this VLAN. To prevent access to this utility from this VLAN, disable this feature.
- Port 1-4—For each of the ports, choose one of the following options:
- Tagged—Used when connecting to switches carrying multiple VLANs.
- Untagged—Access ports connecting to end devices like printers and
workstations.
To change the settings for an existing VLAN, check the box and then click
Edit. To select all VLANs, check the box in the heading row. Then edit the settings as described above.
To delete a VLAN, check the box and then click Delete. To select all VLANs,
check the box in the heading row. When the confirmation message appears, click OK to continue with the deletion, or otherwise click Cancel.
STEP 3 Click Save to save your settings, or click Cancel to reload the page with the
current settings.
Cisco RV220W Administration Guide 25
Page 26
Configuring Networking
LAN Configuration for IPv4
2
Multiple VLAN Subnets
When you create a VLAN, a subnet is created automatically for the VLAN. You can then further configure the subnet properties, including the IP address, the subnet mask, and the DHCP settings.
Viewing the Multiple VLAN Subnets Table, page 26
Entering the Multiple VLAN Subnets Properties, page 26
Viewing the Multiple VLAN Subnets Table
To open this page: In the navigation tree, choose Networking > LAN (Local Network) > Multiple VLAN Subnets.
VLANs are listed in the table. The information includes the IP address, the subnet mask, the DHCP mode (DHCP Server or DHCP Relay), and the DNS Proxy Status (Enabled or Disabled).
To edit the VLAN subnet properties, check the box and then click Edit. Then enter the settings on the Edit Multiple VLAN Subnet page. See Entering the Multiple
VLAN Subnets Properties, page 26.
Entering the Multiple VLAN Subnets Properties
To open this page: Choose Edit on the Networking > LAN (Local Network) > Multiple VL AN Subnets page.
STEP 1 In the LAN (Local Network) Configuration section, keep the default IP Address
and Subnet Mask, or change them as needed for your network.
Note: If you change the LAN IP address of VLAN 1, you will need to use the new IP address to launch the configuration utility. You may need to release and renew the IP address of your PC, if using DHCP, or configure a static IP address in the same subnet as the RV220W.
STEP 2 In the DHCP section, choose the DHCP Mode and enter the required settings.
Note: If you need to reserve IP addresses for devices on your network, click the Configure Static DHCP button. For more information, see Static DHCP, page 28.
DHCP Server—Choose this option to allow the Cisco RV220W to
dynamically assign IP addresses to devices in the VLAN subnet. By default, the Cisco RV220W functions as a DHCP server to the hosts in the subnet. If you choose this option, enter this information:
- Domain Name—Enter the domain name for the VLAN subnet (optional).
Cisco RV220W Administration Guide 26
Page 27
Configuring Networking
LAN Configuration for IPv4
2
- Starting and Ending IP Address—Enter the first and last of the
contiguous addresses in the IP address pool for this subnet. Any new DHCP client joining the LAN is assigned an IP address in this range. You can save part of the range for PCs with fixed addresses. These addresses should be in the same IP address subnet as the VLAN IP address that you specified above.
- Primary and Secondary DNS Server—DNS servers map Internet
domain names (for example, www.cisco.com) to IP addresses. Enter the server IP addresses in these fields if you want to use different DNS servers than are specified in your WAN settings.
- Lease time—Enter the duration (in hours) for which IP addresses are
leased to clients.
DHCP Relay—Choose this option to enable the relay gateway to transmit
DHCP messages between multiple subnets. Then enter the address of the relay gateway in the Relay Gateway field.
None—Use this to disable DHCP on the VLAN subnet. If you want another
device on your network to be the DHCP server for devices on the VLAN subnet, or if you are manually configuring the network settings of all of your computers, disable DHCP.
STEP 3 In the LAN (Local Network) Proxy section, check Enable to enable the VLAN
subnet to act as a proxy for all DNS requests and to communicate with the ISP's DNS servers.
STEP 4 Click Save to save your settings, or click Cancel to reload the page with the
current settings. If you are connected to the Cisco RV220W by the LAN port that is a member of this VLAN, the system reboots and connects you to the RV220W using its new IP address.
Cisco RV220W Administration Guide 27
Page 28
Configuring Networking
LAN Configuration for IPv4
STEP 1 Perform one of these tasks:
2
Static DHCP
You can configure a static IP Address and MAC Address for a known computer or device on the LAN network from the LAN Interface menu.
To open this page: In the navigation tree, choose Networking > LAN (Local Network) > Static DHCP. Or from the Networking > LAN (Local Network) > IPv4
LAN (Local Network) page, click Configure Static DHCP.
To reserve a static IP address for a client, click Add. Then enter the settings,
as described below.
- IP Address—Enter the IP address of the device. This address should be
outside the DHCP address range specified on the Networking > LAN (Local Network) > IPv4 LAN (Local Network) page. The DHCP server will serve the reserved IP address only to the device with the corresponding MAC address.
- MAC Address—Enter the MAC address of the device, without
punctuation. The punctuation is added automatically, using the following format: XX:XX:XX:XX:XX:XX where X is a number from 0 to 9 (inclusive) or an alphabetical letter between A and F (inclusive).
To edit an entry, check the box and then click Edit. To select all entries, check
the box in the heading row. Then enter the settings, as described above.
To delete an entry, check the box and then click Delete. To select all entries,
check the box in the heading row.
STEP 2 Click Save to save your settings, or click Cancel to reload the page with the
current settings. After saving or canceling, you can add, edit, or delete other entries.
Cisco RV220W Administration Guide 28
Page 29
Configuring Networking
LAN Configuration for IPv4
STEP 1 In the Automatic Configuration Download section, configure automatic download
2
Advanced DHCP Configuration
You can configure the Cisco RV220W to download a configuration file from a TFTP server by using Option 66, Option 67, and Option 160. You also can associate different client devices with different configuration files. When you reboot the router, it will download the specified files.
To open this page: Choose Networking > LAN (Local Network) > Advanced DHCP Configuration.
of configuration files:
Check Enable to enable downloading of configuration files. Uncheck the box
to disable this feature.
Choose the TFTP Server Type:
- Host Name—Choose this option to identify the server by its host name.
Enter the host name of the TFTP server in the TFTP server host name field.
- Address—Choose this option to identify the server by its IP address.
Enter the IP address in the TFTP Server IP field.
STEP 2 Click Save to enable the downloads, or click Cancel to reload the page with the
current settings.
Note: The mapping table is available only if you enabled Automatic Configuration Download and saved the settings.
STEP 3 In the DHCP Client Device vs. Configuration File Mapping Table, perform these
tasks:
To specify a configuration file for a device that is not listed, click Add. Then
enter the settings, as described below.
- IP Address—Enter the IP address of the device. This address should be
outside the DHCP address range specified on the Networking > LAN (Local Network) > IPv4 LAN (Local Network) page. The DHCP server will serve the reserved IP address only to the device with the corresponding MAC address.
- MAC Address—Enter the MAC address of the device, without
Cisco RV220W Administration Guide 29
punctuation. The punctuation is added automatically, using the following format: XX:XX:XX:XX:XX:XX where X is a number from 0 to 9 (inclusive) or an alphabetical letter between A and F (inclusive).
Page 30
Configuring Networking
LAN Configuration for IPv4
STEP 4 Click Save to save the settings, or click Cancel to reload the page with the current
2
- Configuration Filename—Enter the filename of the configuration file to
use for the device with the specified MAC address.
To edit an entry, check the box and then click Edit. Then enter the settings,
as described above.
To delete an entry, check the box and then click Delete.
settings. After this step, you can add, edit, or delete other entries.
DHCP Leased Clients
Use the Networking > LAN (Local Network) > DHCP Leased Client page to view the endpoints that are receiving IP addresses from the Cisco RV220W’s DHCP server.
To open this page: In the navigation tree, choose Networking > LAN (Local Network) > DHCP Leased Client.
The endpoints are listed by IP address and MAC address. You cannot edit this list.
Jumbo Frames
Use the Jumbo Frames page to allow devices to send frames within the LAN containing up to 9,000 bytes of data per frame. A standard Ethernet frame contains 1,500 bytes of data.
To open this page: Choose Networking > LAN (Local Network) > Jumbo Frames.
STEP 1 Check the Enable box to enable this feature. Uncheck the box to disable it.
STEP 2 Click Save to save your settings, or click Cancel to reload the page with the
current settings.
Cisco RV220W Administration Guide 30
Page 31
Configuring Networking
Routing
Routing
2
Use the Networking > Routing menu to configure the following features:
Routing Mode, page 31
Routing Table, page 32
Static Routes, page 33
Dynamic Routing, page 35
Routing Mode
The Cisco RV220W provides two different routing modes: Gateway (NAT) and Router.
To open this page: In the navigation tree, choose Networking > Routing > Routing Mode.
STEP 1 Choose one of the following options:
Gateway (NAT)—If your ISP has assigned you a single IP address, select
this option to use Network Address Translation (NAT) to allow devices in your private network to share your public IP address.
Router—This routing mode, “classical routing,” is used if your ISP has
assigned you multiple IP addresses so that you have an IP address for each endpoint on your network. You must configure either static or dynamic routes if you use this type of routing. See Static Routes, page 33, or
Dynamic Routing, page 35.
STEP 2 Click Save to save your settings, or click Cancel to reload the page with the
current settings.
Cisco RV220W Administration Guide 31
Page 32
Configuring Networking
Routing
2
Routing Table
Use the Networking > Routing > Routing Table page to view routing information your network.
To open this page: In the navigation tree, choose Networking > Routing > Routing Table.
To display the IPv4 or IPv6 routing table, click the corresponding Display button.
IPv4 Routing Information
Destination—Destination host/network IP address for which this route is
added.
Gateway—The ga teway us ed for th is route.
Genmask—The netmask for the destination network.
Flags—For debugging purpose only; possible flags include:
- U—Route is up.
- H—Target is a host.
- G—Use gateway.
- R—Reinstate route for dynamic routing.
- D—Dynamically installed by daemon or redirect.
- M—Modified from routing daemon or redirect.
- A—Installed by
- C—Cache entry.
- !—Reject route.
Metric—The distance to the target (usually counted in hops).
Ref—Number of references to this route.
Use—Count of lookups for the route. Depending on the use of -F and -C, this
is either route cache misses (-F) or hits (-C).
addrconf
.
Iface—Interface to which packets for this route will be sent.
Cisco RV220W Administration Guide 32
Page 33
Configuring Networking
Routing
2
IPv6 Routing Information
Destination—Destination host/network IP address for which this route is
added.
Next Hop—IP address of the gateway/router through which the destination
host/network can be reached.
Static Routes
You can configure a static routing to direct packets to the destination network. Static routes can be used together with dynamic routes. Be careful not to introduce routing loops in your network.
Managing Static Routes, page 33
Configuring Static Routes, page 34
Managing Static Routes
Use the Networking > Routing > Static Routes page to view, add, edit, and delete static routes.
To open this page: In the navigation tree, choose Networking > Routing > Static Routes.
Perform these tasks:
To add a new route, click Add. Then enter the settings on the Add / Edit
Static Route Configuration page. For more information, see Configuring
Static Routes, page 34.
To edit a route, check the box, and then click Edit. Then enter the settings on
the Add / Edit Static Route Configuration page. For more information, see
Configuring Static Routes, page 34.
To delete a route, check the box, and then click Delete. When the
confirmation message appears, click OK to continue with the deletion, or otherwise, click Cancel.
Cisco RV220W Administration Guide 33
Page 34
Configuring Networking
Routing
STEP 1 Enter this information:
2
Configuring Static Routes
Use the Add / Edit Static Route Configuration page to configure a static route.
To open this page: From the Network > Routing > Static Routes page, click Add or select a route and then click Edit.
Route Name—Enter a name to identify this routing in the Static Route table.
Active—If a route is to be immediately active, check Enable. If Enable is not
checked, the route is added in an inactive state. It will be listed in the routing table, but will not be used by the RV220W. The route can be enabled later. This feature is useful if the network that the route connects to is not available when you add the route. When the network becomes available, the route can be enabled.
Private—Check the Enable box to mark this route as private, which means
that it will not be shared in a Routing Information Protocol (RIP) broadcast or multicast. Uncheck this box if the route can be shared with other routers when RIP is enabled.
Destination IP Address—Enter the IP address of the destination host or
network to which the route leads. For a standard Class C IP domain, the network address is the first three fields of the Destination LAN IP; the last field should be zero.
IP subnet mask—Enter the IPv4 Subnet Mask for the destination host or
network. For Class C IP domains, the Subnet Mask is 255.255.255.0.
Interface—Choose the physical network interface through which this route
is accessible (WAN, LAN, or a VLAN you have created).
Gateway IP Address—Enter the IP Address of the gateway through which
the destination host or network can be reached. If this router is used to connect your network to the Internet, then your gateway IP is the router's IP address. If you have another router handling your network's Internet connection, enter the IP address of that router instead.
Metric—Enter a value between 2 and 15 to define the priority of the route. If
multiple routes to the same destination exist, the route with the lowest metric is chosen.
Cisco RV220W Administration Guide 34
Page 35
Configuring Networking
Routing
STEP 2 Click Save to save your settings, or click Cancel to reload the page with the
NOTE RIP is disabled by default on the Cisco RV220W.
2
current settings. Click Back to return to the Network > Routing > Static Routes page.
Dynamic Routing
Use the Networking > Routing > Dynamic Routing page to enable and configure Routing Information Protocol (RIP). RIP is an Interior Gateway Protocol (IGP) that is commonly used in internal networks. When RIP is enabled, the Cisco RV220W can exchange its routing information automatically with other routers and can dynamically adjust its routing tables to adapt to changes in the network.
To open this page: In the navigation tree, choose Networking > Routing > Dynamic Routing.
STEP 1 In the RIP Configuration section, enter these settings:
RIP Direction—Choose one of the following options:
- None—The RV220W neither broadcasts its route table nor does it
accept any RIP packets from other routers and RV220Ws. This option disables RIP.
- In Only—The RV220W accepts RIP information from other routers and
RV220Ws, but does not broadcast its routing table.
- Out Only—The RV220W broadcasts its routing table periodically but
does not accept RIP information from other routers and RV220Ws.
- Both—The RV220W both broadcasts its routing table and also
processes RIP information received from other routers and RV220Ws.
RIP Version—Choose one of the following options:
- Disabled—RIP is not used.
- RIP-1—This is a class-based routing version that does not include subnet
information. RIP-1 is the most commonly supported version.
- RIP-2B—This version broadcasts data in the entire subnet.
- RIP-2M—This version sends data to multicast addresses.
Cisco RV220W Administration Guide 35
Page 36
Configuring Networking
Routing
STEP 2 For RIP v2, in the Authentication for RIP v2 section, check or uncheck the Enable
STEP 3 If you enabled RIP v2 authentication, enter the following first and second key
2
box to enable or disable authentication. This section of the page is available only if you chose In, Out, or Both for the RIP Direction and either RIP-2B or RIP-2M for the RIP Version.
RIP v2 authentication forces authentication of RIP packets before routes are exchanged with other routers. It acts as a security feature because routes are exchanged only with trusted routers in the network. RIP authentication is disabled by default. You can enter two key parameters so that routes can be exchanged with multiple routers and RV220Ws present in the network. The second key also acts as a failsafe when authorization with first key fails.
parameters, as described below. This section of the page is available only if you enabled RIP v2 Authentication.
MD5 Key ID—Input the unique MD-5 key ID used to create the
Authentication Data for this RIP v2 message.
MD5 Authentication Key—Input the authentication key for this MD5 key.
The authentication key is encrypted and sent along with the RIP-V2 message.
Not Valid Before—Enter the start date and time when the authentication key
is valid for authentication.
Not Valid After—Enter the end date and time when the authentication key is
valid for authentication.
STEP 4 Click Save to save your settings, or click Cancel to reload the page with the
current settings.
Cisco RV220W Administration Guide 36
Page 37
Configuring Networking
Port Management
Port Management
The Cisco RV220W has four LAN ports and a dedicated WAN port. You can enable or disable ports, configure the duplex mode, and set the port speed.
To open this page: In the navigation tree, choose Networking > Port Management.
STEP 1 Update the port settings as needed:
Enable—Check this box to enable a port, or uncheck this box to disable the
Auto Negotiation—Check this box to allow the RV220W and network
2
port. By default, all ports are enabled. The LAN 1 port is always enabled and cannot be disabled.
determine the optimal port settings (recommended). Uncheck this box to manually set the duplex mode and speed. Auto Negotiation is enabled by default. This setting is available only when the Enable box is checked.
Duplex—If you disabled Auto Negotiation, choose either half- or full-duplex
based on the port support. The default is full-duplex for all ports. This setting is available only when the Auto Negotiation box is unchecked.
Speed—If you disabled Auto Negotiation, choose one of the following port
speeds: 10 Mbps, 100 Mbps, or 1000 Mbps. The default setting is 1000 Mbps for all ports. This setting is available only when the Auto Negotiation box is unchecked. You can change the port speed if a network is designed to run at a particular speed, such as 10 Mbps mode. For example, you may want to change the port to 10 Mbps if the endpoint also uses 10 Mbps mode, either by auto-negotiation or manual setting.
STEP 2 Click Save to save your settings, or click Cancel to reload the page with the
current settings.
Cisco RV220W Administration Guide 37
Page 38
Configuring Networking
Dynamic DNS
Dynamic DNS
STEP 1 Select the Dynamic DNS Service you are using. Selecting None disables this
2
Dynamic DNS (DDNS) is an Internet service that allows routers with dynamic public IP addresses to be located by using Internet domain names. To use DDNS, set up an account with a DDNS provider such as DynDNS.com or TZO.com.
When this feature is enabled, and you have an active account with a DDNS provider, the Cisco RV220W notifies DDNS servers of changes in the WAN IP address, so that any public services on your network can be accessed by using the domain name.
To open this page: In the navigation tree, choose Networking > Dynamic DNS.
service.
STEP 2 Enter the settings for the selected service.
If you selected DynDNS.com, enter these settings:
- Specify the complete Host Name and Domain Name for the DDNS
service.
- Enter the DynDNS account Username.
- Enter the DynDNS account Password. Re-enter it in the Confirm
Password box.
- Check the Use Wildcards box to enable the wildcards feature, which
allows all subdomains of your DynDNS Host Name to share the same public IP as the Host Name. You can enable this option here if not done on the DynDNS website.
- Enter the Update Period in hours. This value is the interval at which the
router sends updates to the Dynamic DNS Service. The default value is 360 hours.
If you selected TZO.com, enter these settings:
- Specify the complete Host Name and Domain Name for the DDNS
service.
- Enter the User E-mail Address for the TZO account.
- Enter the User Key for the TZO account.
Cisco RV220W Administration Guide 38
Page 39
Configuring Networking
IPv6
STEP 3 Click Save to save your settings, or click Cancel to reload the page with the
IPv6
2
- Enter the Update Period in hours. This value is the interval at which the
router sends updates to the Dynamic DNS Service. The default value is 360 hours.
current settings.
The IPv6 configuration information for your RV220W is performed in several windows in the Device Manager of the Cisco RV220W. Make sure you enable IPv4 and IPv6 Dual-Stack, configure the WAN, and configure the LAN.
IPv6 WAN (Internet), page 40
Configuring IPv6 LAN Properties, page 41
Configuring IPv6 Static Routing, page 43
Configuring IPv6-to-IPv4 Tunneling, page 45
Configuring Router Advertisement, page 46
RADVD Advertisement Prefixes, page 48
IP Mode
To open this page: In the navigation tree, click Networking > IPv6 > IP Mode.
Choose one of the following options:
IPv4-only—Choose this option if your network supports only IPv4 devices
and does not require connectivity to IPv6 devices or networks.
IPv4 and IPV6 Dual-Stack—Choose this option if your network supports
IPv6 devices or needs to connect to IPv6 devices or networks.
STEP 4 Click Save to save your settings, or click Cancel to reload the page with the
current settings.
STEP 5 If you changed the settings, click OK to allow the RV220W to reboot.
Cisco RV220W Administration Guide 39
Page 40
Configuring Networking
IPv6
NOTE If your service provider requires PPPoE, first configure a PPPoE profile. See PPPoE
STEP 1 In the WAN (Internet) Address (IPv6) section, choose the connection type
2
IPv6 WAN (Internet)
Use the IPv6 > IPv6 WAN (Internet) page to configure your Cisco RV220W in an IPv4 and IPv6 Dual-Stack network. Before you can configure your IPv6 WAN settings, you need to enable IPv4 and IPV6 Dual-Stack mode on the IPv6 > IP Mode page. See the “Configuring the IPv4 WAN Settings” section on page 17.
Profiles for Point-to-Point Protocol over Ethernet Connections, page 20.
To open this page: In the navigation tree, choose IPv6 > IPv6 WAN (Internet).
specified by your service provider.
DHCPv6—Choose this option if your service provider gave you a dynamic
DHCP connection to the Internet, your PC receives its IP address from your cable or DSL modem. This address can change. No additional settings are required for this connection type.
Static IP—Choose this option if your service provider gave you a Static IP
connection to the Internet, your Internet Service Provider (ISP) has assigned you an IP address that does not change. Enter the IP address, mask, default gateway, and DNS server information. The fields are described in the table below this step.
STEP 2 If you chose Static IPv6 as the connection type, enter the Static IP Address
settings:
IPv6 Address—Enter the IPv6 IP address assigned to your RV220W.
IPv6 Prefix Length—Enter the IPv6 prefix length defined by the ISP. The
IPv6 network (subnet) is identified by the initial bits of the address which are called the prefix (for example, in the IP address 2001:0DB8:AC10:FE01::, 2001 is the prefix). All hosts in the network have identical initial bits for their IPv6 address; the number of common initial bits in the network’s addresses is set in this field.
Default IPv6 Gateway—Enter the default IPv6 gateway address, or the IP
address of the server at the ISP that this RV220W will connect to for accessing the internet.
Primary DNS Server, Secondary DNS Server—Enter the primary and
secondary DNS server IP addresses on the ISP's IPv6 network. DNS servers map Internet domain names (for example, www.cisco.com) to IP addresses.
Cisco RV220W Administration Guide 40
Page 41
Configuring Networking
IPv6
STEP 3 If you chose DHCPv6 as the connection type, choose the type of address auto-
STEP 4 Click Save to save your settings, or click Cancel to reload the page with the
2
configuration:
Stateless Address Auto Configuration—An ICMPv6 discover message will
originate from the RV220W and is used for auto-configuration, rather than the RV220W contacting the DHCP server at the ISP to obtain a leased address.
Stateful Address Auto Configuration—The RV220W connects to the ISP's
DHCPv6 server for a leased address.
current settings.
Configuring IPv6 LAN Properties
Use the Networking > IPv6 > IPv6 LAN (Local Network) page to configure your IPv6 LAN. In IPv6 mode, the LAN DHCP server is enabled by default. The DHCPv6 server assigns IPv6 addresses from configured address pools with the IPv6 Prefix Length assigned to the LAN.
To open this page: In the navigation tree, choose Networking > IPv6 > IPv6 LAN (Local Network).
STEP 1 In the LAN TCP/IP Setup section, enter these settings:
IPv6 Address—Enter the IP address of the Cisco RV220W. The default IPv6
address for the gateway is fec0::1. You can change this 128-bit IPv6 address based on your network requirements.
IPv6 Prefix Length—Enter number of bits in the IPv6 prefix. The IPv6
network (subnet) is identified by the initial bits of the address, called the prefix. By default, the prefix is 64-bits long. All hosts in the network have the identical initial bits in their IPv6 address; the number of common initial bits is set by the prefix length.
STEP 2 In the DHCPv6 section, disable or enable the DHCPv6 server. When this feature is
enabled, the Cisco RV220W assigns an IP address within the specified range plus additional specified information to any LAN endpoint that requests DHCP-served
Cisco RV220W Administration Guide 41
Page 42
Configuring Networking
IPv6
2
addresses. If you disable DHCPv6, proceed to the next step. If you enable DHCPv6, enter these settings:
Choose the DHCP mode.
- Stateless—If you choo se this opti on, an external IP v6 DHCP s er ver is not
required because the IPv6 LAN hosts are auto-configured by the Cisco RV220W. In this case, the Cisco RV220W advertisement daemon (RADVD) must be configured on this device, and ICMPv6 RV220W discovery messages are used by the host for auto-configuration. There are no managed addresses to serve the LAN nodes.
- Stateful—If you choose this option, the IPv6 LAN host will rely on an
external DHCPv6 server to provide required configuration settings.
Domain Name—(Optional) Enter the domain name of the DHCPv6 server.
Server Preference—Enter a number to indicate the preference level of this
DHCP server. DHCP advertise messages with the highest server preference value are preferred over other DHCP server advertise messages. The range is 0 to 255. The default setting is 255.
DNS Servers—Choose the DNS proxy behavior:
- Use DNS Proxy—If you choose this option, the RV220W acts as a proxy
for all DNS requests and communicate with the ISP’s DNS servers (as configured in the WAN settings page).
- Use DNS from ISP—If you choose this option, the ISP defines the DNS
servers (primary/secondary) for the LAN DHCP client.
- Use Below—If you choose this option, you specify the primary/
secondary DNS servers to use. If you chose this option, enter the IP address of the primary and secondary DNS servers.
Lease/Rebind Time—Enter the duration (in seconds) for which IP
addresses will be leased to endpoints on the LAN.
STEP 3 In the IP Address Pool Table, manage the entries as needed. You can define the
IPv6 delegation prefix for a range of IP addresses to be served by the Cisco RV220W’s DHCPv6 server. Using a delegation prefix, you can automate the process of informing other networking equipment on the LAN of DHCP information specific for the assigned prefix.
To add an entry, click Add. To edit an entry, check the box and then click Edit.
Enter the starting IP address, the ending IP address, and the prefix length. The number of common initial bits in the network’s addresses is set by the prefix length field.
Cisco RV220W Administration Guide 42
Page 43
Configuring Networking
IPv6
STEP 4 Click Save to save your settings, or click Cancel to reload the page with the
2
To remove an entry, check the box and then click Delete.
current settings. After saving or cancelling, you can add, edit, or delete other entries.
Configuring IPv6 Static Routing
You can configure static routes to direct packets to the destination network. A static route is a pre-determined pathway that a packet must travel to reach a specific host or network.
Some ISPs require static routes to build your routing table instead of using dynamic routing protocols. Static routes do not require CPU resources to exchange routing information with a peer router or RV220W.
You can also use static routes to reach peer routers and RV220Ws that do not support dynamic routing protocols. Static routes can be used together with dynamic routes. Be careful not to introduce routing loops in your network.
Managing IPv6 Static Routes
Configuring an IPv6 Static Route
Managing IPv6 Static Routes
Use the Networking > IPv6 > Routing page to view, add, edit, or delete static routes.
To open this page: In the navigation tree, choose Networking > IPv6 > Routing.
Perform these tasks:
To add a new route, click Add. Then enter the settings on the Add / Edit
Static Route Configuration page. For more information, see Configuring an
IPv6 Static Route, page 44.
To edit a route, check the box, and then click Edit. Then enter the settings on
the Add / Edit Static Route Configuration page. For more information, see
Configuring an IPv6 Static Route, page 44.
To delete a route, check the box, and then click Delete. When the
confirmation message appears, click OK to continue with the deletion, or otherwise, click Cancel.
Cisco RV220W Administration Guide 43
Page 44
Configuring Networking
IPv6
STEP 1 Enter these settings:
2
Configuring an IPv6 Static Route
Use the Add / Edit Static Route Configuration page to configure an IPv6 static route.
To open this page: From the Networking > IPv6 > Routing page, click Add or select a route and then click Edit.
Route Name—Enter a descriptive name to identify this route.
Active—If a route is to be immediately active, check the Enable box.
Otherwise, uncheck the box. When a route is added in an inactive state, it will be listed in the routing table, but will not be used by the Cisco RV220W. The route can be enabled later. This feature is useful if the network that the route connects to is not available when you add the route. When the network becomes available, the route can be enabled.
IPv6 Destination—Enter the IPv6 address of the destination host or
network for this route.
IPv6 Prefix Length—Enter the number of prefix bits in the IPv6 address that
define the destination subnet.
Interface—Choose the physical network interface through which this route
is accessible: WAN (Internet), 6 to 4 Tunnel, or LAN (Local Network).
IPv6 Gateway—Enter the IP Address of the gateway through which the
destination host or network can be reached.
Metric—Specify the priority of the route by choosing a value from 2 to 15. If
multiple routes to the same destination exist, the route with the lowest metric is used.
STEP 2 Click Save to save your settings, or click Cancel to reload the page with the
current settings. Click Back to return to the Networking > Routing > Static Routes page.
Cisco RV220W Administration Guide 44
Page 45
Configuring Networking
IPv6
STEP 1 At the top of the page, enter these settings:
2
Configuring IPv6-to-IPv4 Tunneling
Use the Networking > IPv6 > Tunneling page to configure 6-to-4 tunneling, which allows IPv6 packets to be transmitted over an IPv4 network.
To open this page: In the navigation tree, choose Networking > IPv6 > Tunneling.
Automatic Tunneling—Check the Enable box to allows traffic from a LAN
IPv6 network to be tunneled through to a WAN IPv4 network, and vice versa. This feature is typically used when an end site or end user wants to connect to the IPv6 Internet using the exiting IPv4 network. Uncheck the box to disable this feature.
Remote End Point—Check the Enable box to specify a single IPv4 end
point that can be accessed through this tunnel, or otherwise uncheck the box. If you check the box, also enter the Remote End Point IPv4 Address.
Click Save to save your settings, or click Cancel to reload the page with the
current settings.
STEP 2 In the IPv6 Tunnel Status Table, click Refresh to see the most recent data for the
IPv6 tunnel (if enabled). For each tunnel, the table shows the Tunnel Name, the IPv6 Addresses, and the ISATAP Subnet Prefix.
STEP 3 In the ISATAP Tunnel Table, view, add, edit, or delete entries as described below.
To add an entry, click Add. Intra-Site Automatic Tunnel Addressing Protocol
(ISATAP) is a method to transmit IPv6 packets between dual-stack nodes over an IPv4 network. The Cisco RV220W is one endpoint (a node) for the tunnel. You must also set a local endpoint, as well as the ISATAP Subnet Prefix that defines the logical ISATAP subnet to configure a tunnel. Enter the settings on the Add / Edit ISATAP Tunnel Configuration page. See
Configuring an ISATAP Tunnel, page 46.
To edit an entry, check the box and then click Edit. Then enter the settings on
the Add / Edit ISATAP Tunnel Configuration page. See Configuring an
ISATAP Tunnel, page 46.
To delete an entry, check the box and then click Delete. When the
confirmation message appears, click OK to continue with the deletion, or otherwise click Cancel.
Cisco RV220W Administration Guide 45
Page 46
Configuring Networking
IPv6
STEP 1 Enter this information:
2
Configuring an ISATAP Tunnel
Use the Add / Edit ISATAP Tunnel Configuration page to configure the settings for an ISATAP tunnel. Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is a method to transmit IPv6 packets between dual-stack nodes over an IPv4 network. The Cisco RV220W is one endpoint (a node) for the tunnel. You must also set a local endpoint, as well as the ISATAP Subnet Prefix that defines the logical ISATAP subnet to configure a tunnel.
To open this page: From the Networking > IPv6 > 6 to 4 Tunneling page, click Add or select a tunnel and then click Edit.
Tunnel Name—Enter a descriptive name to identify this tunnel.
Endpoint Address—Enter the endpoint address for the tunnel that starts
with the Cisco RV220W. If the endpoint is on the IPv4 LAN interface, click
LAN (Local Network). If the endpoint is not on the local network, choose Other IP, and then specify the IPv4 address of the endpoint.
ISATAP Subnet Prefix—Enter the 6 4-bi t subn et pref ix tha t is as si gned to the
logical ISATAP subnet for this intranet. This setting can be obtained from your ISP or Internet registry, or derived from RFC 4193.
STEP 2 Click Save to save your settings, or click Cancel to reload the page with the
current settings. Click Back to return to the Networking > IPv6 > 6 to 4 Tunneling page.
Configuring Router Advertisement
Use the Networking > IPv6 > Router Advertisement page to enable the RADVD
(Router Advertisement Daemon) and to enter the key parameters that the router
advertises about the local network. These settings are used for address auto­configuration and routing.
To open this page: In the navigation tree, choose Networking > IPv6 > Router Advertisement.
STEP 1 Enter these settings:
Router Advertisement Status—Check the Enable box to enable this
feature, or uncheck the box to disable it. When this feature is enabled, messages are sent by the router periodically and in response to solicitations.
Cisco RV220W Administration Guide 46
Page 47
Configuring Networking
IPv6
2
A host uses the information to learn the prefixes and parameters for auto­configuration. Disabling this feature effectively disables auto-configuration, requiring manual configuration of the IPv6 address, subnet prefix, and default gateway on each device.
Advertise Mode—Choose one of the following options:
- Unsolicited Multicast—Select this option to send Router Advertisement
messages to all interfaces in the multicast group. If you choose this option, also enter the Advertise Interval, which is the interval at which Router Advertisement messages are sent. Enter any value between 10 and 1800 seconds. The default is 30 seconds.
- Unicast only—Select this option to send Router Advertisement
messages only to well-known IPv6 addresses.
RA Flags—Choose whether or not to use stateful configuration protocols.
When both flags are enabled, hosts obtain addresses and other information through DHCPv6 or other methods (not router advertisements). When both flags are disabled, hosts obtain addresses and other information through router advertisements.
- Managed—When enabled, this flag instructs hosts to use an
administered /stateful configuration protocol (DHCPv6) to obtain stateful addresses.
- Other—When enabled, this flag instructs hosts to use an administered/
stateful configuration protocol (DHCPv6) to obtain other, non-address information, such as DNS server addresses.
Router Preference—Choose Low, Medium, or High. This preference
metric is useful in a network topology in which multi-homed hosts have access to multiple routers. This metric helps a host to choose an appropriate router. If two routers are reachable, the one with the higher preference will be chosen. These values are ignored by hosts that do not implement router preference. The default setting is High.
MTU—Enter the size of the largest packet that can be sent over the network.
The MTU (Maximum Transmission Unit) is used in Router Advertisement messages to ensure that all nodes on the network use the same MTU value when the LAN MTU is not well-known. The default setting is 1500 bytes. This is the standard value for Ethernet networks. For PPPoE connections, the standard is 1492 bytes. Unless your ISP requires a different setting, this setting should not be changed.
Router Lifetime—Enter the time in seconds that the Router Advertisement
messages will exist on the route. The default is 3600 seconds.
Cisco RV220W Administration Guide 47
Page 48
Configuring Networking
IPv6
STEP 2 Click Save to save your settings, or click Cancel to reload the page with the
2
current settings.
RADVD Advertisement Prefixes
If you enabled RADVD (Router Advertisement Daemon), you can add RADVD advertisement prefixes to support address auto-configuration by new hosts that connect to your network.
Managing Advertisement Prefixes, page 48
Adding and Editing Advertisement Prefixes, page 49
Managing Advertisement Prefixes
Use the Networking > IPv6 > Advertisement Prefixes page to view, add, edit, or delete RADVD advertisement prefixes.
To open this page: In the navigation tree, choose Networking > IPv6 > Advertisement Prefixes.
Perform these tasks:
To add an entry, click Add. Then enter the settings on the Add/Edit
Advertisement Configuration page. See Adding and Editing
Advertisement Prefixes, page 49.
To edit an entry, check the box and then click Edit. Then enter the settings on
the Add/Edit Advertisement Configuration page. See Adding and Editing
Advertisement Prefixes, page 49.
To delete an entry, check the box and then click Delete. When the
confirmation message appears, click OK to continue with the deletion, or otherwise click Cancel.
Cisco RV220W Administration Guide 48
Page 49
Configuring Networking
IPv6
STEP 1 Choose an IPv6 Prefix Type. Choose the format for the prefix that precedes the
2
Adding and Editing Advertisement Prefixes
Use the Add/Edit Advertisement Configuration page to enter the settings for an advertisement prefix.
To open this page: From the Networking > IPv6 > Advertisement Prefixes page, click Add or select an entry and then click Edit.
32-bit IPv4 address.
6to4—Choose this option to advertise a 6to4 prefix. Generally, 6to4
tunneling is used for inter-site communication.
If you chose 6to4 as the prefix type, enter the SLA ID. The Site-Level Aggregation Identifier is the interface ID of the interface on which the advertisements are sent. The default value is 1.
Global/Local/ISATAP—Choose this option to advertise a global, local, or
ISATAP prefix. IPv6 global addresses are globally routable, similar to IPv4 public addresses. Your ISP will typically provide you a block of globally routable IPv6 addresses that you could configure for stateless autoconfiguration. Local IPv6 addresses are similar to your IPv4 LAN addresses which are not globally routable.
If you choose Global/Local/ISATAP as the prefix type, enter the following settings:
- IPv6 Prefix—The IPv6 prefix specifies the IPv6 network address.
- IPv6 Prefix Length—The prefix length variable is a decimal value that
indicates the number of contiguous, higher-order bits of the address that make up the network portion of the address.
STEP 2 Enter the Prefix Lifetime, which is the number of seconds that the requesting
router is allowed to use the prefix.
STEP 3 Click Save to save your settings, or click Cancel to reload the page with the
current settings.
Cisco RV220W Administration Guide 49
Page 50
Configuring the Wireless Network
The Wireless menu provides access to configuration pages where you can configure your wireless network.
Refer to these topics:
About Wireless Security, page 50
Basic Settings, page 53
3
Advanced Settings, page 62
Wireless Distribution System (WDS), page 63
About Wireless Security
Wireless networks are convenient and easy to install. As a result, businesses with high-speed Internet access are adopting them at a rapid pace. Because wireless networking operates by sending information over radio waves, it can be more vulnerable to intruders than a traditional wired network. Like signals from your cellular or cordless phones, signals from your wireless network can also be intercepted. this information will help you to improve your security:
Wireless Security Tips, page 51
General Network Security Guidelines, page 52
Cisco RV220W Administration Guide 50
Page 51
Configuring the Wireless Network
About Wireless Security
Wireless Security Tips
Since you cannot physically prevent someone from connecting to your wireless network, you need to take some additional steps to keep your network secure:
Change the default wireless network name or SSID
Wireless devices have a default wireless network name or Service Set Identifier (SSID) set by the factory. This is the name of your wireless network, and can be up to 32 characters in length.
You should change the wireless network name to something unique to distinguish your wireless network from other wireless networks that may exist around you, but do not use personal information (such as your Social Security number) because this information may be available for anyone to see when browsing for wireless networks.
3
See Basic Settings, page 53.
Change the default password for the Configuration Utility.
This router has a default password set by the factory. Hackers know these published defaults and may try to use them to access your wireless device and change your network settings. To thwart any unauthorized changes, customize the device’s password so it will be hard to guess.
See User Management, page 158.
Enable MAC address filtering
Cisco routers and gateways give you the ability to enable Media Access Control (MAC) address filtering. The MAC address is a unique series of numbers and letters assigned to every networking device. With MAC address filtering enabled, wireless network access is provided solely for wireless devices with specific MAC addresses. For example, you can specify the MAC address of each computer in your network so that only those computers can access your wireless network.
See MAC Filtering for Wireless Network Access Control, page 58.
Enable encryption
Encryption protects data transmitted over a wireless network. Wi-Fi Protected Access (WPA/WPA2) and Wired Equivalency Privacy (WEP) offer different levels of security for wireless communication. Currently, devices that are Wi-Fi certified are required to support WPA2, but are not required to support WEP.
Cisco RV220W Administration Guide 51
Page 52
Configuring the Wireless Network
About Wireless Security
A network encrypted with WPA/WPA2 is more secure than a network encrypted with WEP, because WPA/WPA2 uses dynamic key encryption. To protect the information as it passes over the airwaves, you should enable the highest level of encryption supported by your network equipment.
WEP is an older encryption standard and may be the only option available on some older devices that do not support WPA.
See Security Settings for Wireless Networks, page 56.
Keep wireless routers, access points, or gateways away from exterior walls
and windows.
Turn wireless routers, access points, or gateways off when they are not
being used (for example, at night or during vacations).
Use strong passphrases that are at least eight characters in length.
Combine letters and numbers to avoid using standard words that can be found in the dictionary.
3
See Password Rules for Password Complexity, page156.
General Network Security Guidelines
Wireless network security is useless if the underlying network is not secure. Cisco recommends that you take the following precautions:
Password protect all computers on the network and individually password
protect sensitive files.
Change passwords on a regular basis.
Install anti-virus software and personal firewall software.
Disable file sharing (peer-to-peer). Some applications may open file sharing
without your consent and/or knowledge.
Cisco RV220W Administration Guide 52
Page 53
Configuring the Wireless Network
Basic Settings
Basic Settings
The Cisco RV220W provides four SSIDs or virtual access points. These networks can be configured and enabled with individual settings. You can set up multiple networks to segment the network traffic, to allow different levels of access, such as guest access, or to allow access for different functions such as accounting, billing, and so on.
NOTE One wireless network, rv220_1, is enabled by default, with SSID Broadcast
enabled and no security settings. This configuration allows you to immediately begin using your wireless network. However, you should configure all of your networks with the highest possible security that is supported by your network devices.
Use the Wireless > Basic Settings page to configure the radio and other basic settings for your wireless network. This page provides access to related pages where you can configure security, MAC filtering, and Wi-Fi Multimedia quality of service values.
3
To open this page: In the navigation tree, choose Wireless > Basic Settings.
STEP 1 At the top of the page, enter these settings:
Radio—Click Enable to enable the radio, or click Disable to disable it. By
default, the radio is enabled. Disabling it prevents access to all wireless networks. The settings on this page are available only when Enable is selected.
Operating Frequency—Choose a frequency: 2.4GHz or 5GHz.
Wireless Network Mode—Choose one of the options described below.
The available options depend on the selected frequency.
- B/G-Mixed (2.4GHz)—Select this mode if you have devices in the
network that support 802.11b and 802.11g.
- G Only (2.4GHz)—Select this mode if all devices in the wireless network
support 802.11g.
- G/N-Mixed (2.4GHz)—Select this mode if you have devices in the
network that support 802.11g and 802.11n.
- A Only (5GHz)—Select this mode if all devices in the wireless network
support 802.11a.
Cisco RV220W Administration Guide 53
Page 54
Configuring the Wireless Network
Basic Settings
- A/N-Mixed (5GHz)—Select this mode to allow 802.11n and 802.11a
- N Only— (2.4GHz and 5GHz)Select this mode if all devices in the
Channel Bandwidth—Choose the channel bandwidth. The available
options depend on the selected wireless network mode. Choosing Auto (if applicable) represents 20/40 MHz.
Control Sideband—This setting defines the sideband which is used for the
secondary or extension channel when the access point is operating in 40 Mhz channel width. Choose lower or upper. The signal components above the carrier frequency constitute the upper sideband (USB) and those below the carrier frequency constitute the lower sideband (LSB).
Channel—Choose the frequency that the radio uses to transmit wireless
frames, or choose Auto to let the Cisco RV220W determine the best channel based on the environment noise levels for the available channels. The Current Channel field displays the currently selected channel and frequency. The default setting is Auto.
3
clients to connect to this access point.
wireless network can support 802.11n.
Default Transmit Power—Enter a value in dBm that is the default
transmitted power level. The default setting is 30.
STEP 2 After modifying the radio settings, click Save to save your settings, or click Cancel
to reload the page with the current settings.
STEP 3 Use the Wireless Basic Setting Table to view information and to perform these
tasks:
To edit the basic settings for a wireless network, select a network and then
click Edit. To select all wireless networks, check the box in the heading row. Then enter the settings as described below. After making changes, click Save to save your settings, or click Cancel to reload the page with the current settings.
- Enable SSID—Check the box to enable the wireless network, or
uncheck the box to disable it. One network, rv220_1, is enabled by default.
- SSID Name—Enter a unique name for this wireless network. Include up
to 32 characters, using any of the characters on the keyboard. For added security, you should change the default value to a unique name.
Cisco RV220W Administration Guide 54
Page 55
Configuring the Wireless Network
Basic Settings
- SSID Broadcast—Check the box to allow all wireless clients within
- VLAN—Enter the VLAN ID for this wireless network, if you have
- Max. Associated Clients—Enter the maximum number of endpoints that
To edit the security mode for a wireless network, select a network and then
click Edit Security Mode. Enter the settings on the Wireless > Basic Settings > Security Settings page. See Security Settings for Wireless
Networks, page 56.
3
range to detect this wireless network when they are scanning the local area. Disable this feature if you do not want to make the SSID known. When this feature is disabled, wireless users can connect to this wireless network only if they know the SSID (and provide the required security credentials).
configured multiple VLANs.
can use this wireless network. The default value is 20. You can change this number if you want to restrict traffic on the network to prevent it from being overloaded, for example.
To restrict access to a wireless network based on MAC addresses, select a
network and then click Edit MAC Filtering. Enter the settings on the MAC Filtering page. See MAC Filtering for Wireless Network Access Control,
page 58.
To edit the multimedia settings for a wireless network, select a network and
then click Edit WMM. Then enter the settings on the WMM page. See Wi-Fi
Multimedia and Quality of Service Settings, page 60.
To restrict access to a wireless network based on the day and time, select a
network and then click Edit SSID Scheduling. Then enter the settings on the SSID Schedule page. See SSID Schedule for Network Availability,
page 61.
Cisco RV220W Administration Guide 55
Page 56
Configuring the Wireless Network
Basic Settings
Security Settings for Wireless Networks
Use the Wireless > Basic Settings > Security Settings page to configure security for the selected wireless network. All devices on this network (SSID) must use the same security mode and settings to work correctly. Cisco recommends using the highest level of security that is supported by the devices in your network.
To open this page: From the Wireless > Basic Settings page, select a network and then click Edit Security Mode.
NOTE To configure a network with WPA Enterprise, WPA2 Enterprise, or WPA2 Enterprise
Mixed security mode, you must first add a RADIUS Server configuration. See Using
the Cisco RV220W With a RADIUS Server, page 146.
STEP 1 If needed, select a different network in the Select SSID list.
STEP 2 Enter these settings for the selected network:
3
Wireless Isolation within SSID—Check Enable to prevent clients on this
wireless network from accessing devices on other wireless networks. To allow access, click Disable.
Security—Choose a security mode:
- Disabled—Any device can connect to the network. Not recommended.
- Wired Equivalent Privacy (WEP)— Weak security with a basic
encryption method that is not as secure as WPA. WEP may be required if your network devices do not support WPA; however, it is not recommended.
- Wi-Fi Protected Access (WPA) Personal—WPA is part of the wireless
security standard (802.11i) standardized by the Wi-Fi Alliance and was intended as an intermediate measure to take the place of WEP while the
802.11i standard was being prepared. It supports TKIP/AES encryption. The personal authentication is the Preshared Key (PSK) that is an alphanumeric passphrase shared with the wireless peer.
- WPA Enterprise—Allows you to use WPA with RADIUS server
authentication.
- WPA2 Personal—WPA2 is the implementation of security standard
- WPA2 Personal Mixed—Allows both WPA and WPA2 clients to connect
Cisco RV220W Administration Guide 56
specified in the final 802.11i standard. It supports AES encryption and this option uses PSK based authentication.
simultaneously using PSK authentication.
Page 57
Configuring the Wireless Network
Basic Settings
- WPA2 Enterprise—Allows you to use WPA2 with RADIUS server
- WPA2 Enterprise Mixed—Allows both WPA and WPA2 clients to
Encryption Type—An option is chosen automatically, based on the
selected security mode.
- TKIP+AES is used for WPA Personal, WPA Enterprise, WPA2 Personal
- AES is used for WPA2 Personal and WPA2 Enterprise.
If you chose WPA Enterprise or WPA2 Enterprise Mixed, no further settings are required. You can save the settings.
STEP 3 If you chose WPA Personal, WPA2 Personal, or WPA2 Personal Mixed, enter
these settings:
3
authentication.
connect simultaneously using RADIUS authentication.
Mixed, and WPA2 Enterprise Mixed.
WPA Key—Enter the pre-shared key for WPA/WPA2 PSK authentication.
The clients also need to be configured with the same password. As you type the password, a message indicates the strength. For a stronger password, enter at least eight characters including a variety of character types (numbers, upper- and lowercase letters, and symbols).
Unmask Password—Check the box if you want to see the key as typed.
Otherwise, the password is masked.
Key Renewal—Enter the number of seconds after which the Cisco RV120W
will generate a new key. These keys are internal keys exchanged between the Cisco RV120W and connected devices. The default value (3600 seconds) is usually adequate unless you are experiencing network problems.
STEP 4 If you chose WEP, enter these settings:
Authentication—Choose the option that is supported by your network
devices: Open System or Shared Key. In either case, the client must provide the correct shared key (password) in order to connect to the wireless network.
Encryption—Choose 64-bit or 128-bit. 64-bit WEP has a 40-bit key, and
128-bit WEP has a 104-bit key. A larger key provides stronger encryption, because the key is more difficult to crack.
Cisco RV220W Administration Guide 57
Page 58
Configuring the Wireless Network
Basic Settings
WEP passphrase (Optional)Enter an alphanumeric phrase (longer than
eight characters for optimal security) and click Generate Key to generate four unique WEP keys in the WEP Key fields below. Otherwise, you can manually enter one or more keys in the fields.
WEP Key 1-4—If you did not use the WEP Passphrase to generate keys,
enter one or more valid keys. Select a key to use as the shared key that devices must have in order to use the wireless network. The length of the key must be 5 ASCII characters (or 10 hexadecimal characters) for 64-bit WEP and 13 ASCII characters (or 26 hexadecimal characters) for 128-bit WEP. Valid hexadecimal characters are “0” to “9” and “A” to “F”.
STEP 5 Click Save to save your settings, or click Cancel to reload the page with the
current settings. Click Back to return to the Wireless > Basic Settings page.
If you need to configure the settings for another network, select it from the Select
SSID list, and then repeat this procedure.
3
MAC Filtering for Wireless Network Access Control
Use the MAC Filtering page to permit or deny access to the wireless network based on the MAC (hardware) address of the requesting device. For example, you can enter the MAC addresses of a set of PCs and only allow those PCs to access the network. MAC filtering is configured separately for each virtual access point in the router.
To open this page: From the Wireless > Basic Settings page, select a network, and then click Edit MAC Filtering.
STEP 1 If needed, select a different network in the Select SSID list.
STEP 2 Click Enable to enable MAC filtering, or click Disable to disable this feature. By
default, it is disabled, and a connection is allowed from any client, subject to the security settings. The other fields on the page become available after you enable this feature.
STEP 3 In the Connection Control section, choose one of the following options to limit
access to the selected network:
Block—Deny connections from the endpoints identified in the Connection
Control List. Access is allowed from all other clients, subject to the security settings.
Cisco RV220W Administration Guide 58
Page 59
Configuring the Wireless Network
Basic Settings
Allow—Accept connections only from the endpoints identified in the
Connection Control List. Access is denied from all other clients.
STEP 4 In the Connection Control List, enter the MAC address of each client that is
subject to MAC filtering.
Tip: To view a list of current clients, you can click the Wireless Clients List button. Any unsaved changes on this page will be abandoned. The Connected Clients list displays the MAC address, connection settings, and connection time for all connected clients. To copy an address, use your mouse to select it, then right-click and choose Copy. You can click the browser’s Back button to return to the Connection Control List, where you can paste the copied address into a MAC address field.
STEP 5 Click Save to save your settings, or click Cancel to reload the page with the
current settings. Click Back to return to the Wireless > Basic Settings page.
3
If you need to configure the settings for another network, select it from the Select SSID list, and then repeat this procedure.
Connected Clients
Use the Connected Clients page to display information about the clients that are connected to a selected wireless network
To open this page: From the MAC Filtering page, click the Wireless Clients List button.
The Connected Clients list displays the MAC address, connection settings, and connection time for all connected clients.
Tip: To copy an address, use your mouse to select it, then right-click and choose Copy. You can click the browser’s Back button to return to the Connection Control
List, where you can paste the copied address into a MAC address field.
Cisco RV220W Administration Guide 59
Page 60
Configuring the Wireless Network
Basic Settings
Wi-Fi Multimedia and Quality of Service Settings
Use the WMM page to enable Wi-Fi Multimedia (WMM) quality of service features on the selected wireless network. You also can assign different processing priorities to different types of traffic.
To open this page: From the Wireless > Basic Settings page, select a network, and then click Edit WMM.
STEP 1 If needed, select a different network in the SSID list.
STEP 2 To enable WMM, check the Enable box. WMM helps in prioritizing wireless traffic
according to four access categories:
Voice (highest priority, 4)
Video (high priority, 3)
3
Best effort (medium priority, 2)
Background (lowest priority, 1)
STEP 3 In the DSCP to Queue table, for each ingress DSCP, you can choose the output
queue for the traffic. The Differentiated Services Code Point (DSCP) field identifies the data packet, and the output queue identifies the priority in which the packet is transmitted:
Voice (4) or Video (3)—High priority queue, minimum delay. Typically used to
send time-sensitive data such as video and other streaming media.
Best Effort (2)—Medium priority queue, medium throughput and delay. Most
traditional IP data is sent to this queue.
Background (1)—Lowest priority queue, high throughput. Bulk data that
requires maximum throughput and is not time-sensitive is typically sent to this queue (FTP data, for example).
Note: If you saved changes to the DSCP settings, you can revert to the default values by clicking the Restore Defaults button.
STEP 4 Click Save to save your settings, or click Cancel to reload the page with the
current settings. Click Back to return to the Wireless > Basic Settings page.
If you need to edit the settings for another network, select it from the SSID list, and then repeat this procedure.
Cisco RV220W Administration Guide 60
Page 61
Configuring the Wireless Network
Basic Settings
SSID Schedule for Network Availability
Use the SSID Schedule page to set a time period each day when the selected wireless network is available for use.
To open this page: From the Wireless > Basic Settings page, select a network, and then click Edit SSID Scheduling.
STEP 1 If needed, select a different network in the Select SSID list.
STEP 2 Enter these settings:
Active Time—To enable a schedule, check the enable box. In this case, if a
network is enabled, it is available only between the specified Start Time and Stop Time. To disable a schedule, uncheck the box. In this case, if a network is enabled, it is always available.
3
Start Time—Use the lists to specify the time when the network becomes
available each day.
Stop Time—Use the lists to specify the time when the network becomes
unavailable each day.
STEP 3 Click Save to save your settings, or click Cancel to reload the page with the
current settings. Click Back to return to the Wireless > Basic Settings page.
If you need to edit the settings for another network, select it in the SSID list, and then repeat this procedure.
Cisco RV220W Administration Guide 61
Page 62
Configuring the Wireless Network
Advanced Settings
Advanced Settings
Use the Wireless > Advanced Settings page to configure advanced settings for the Cisco RV220W wireless radio.
NOTE The default settings should be sufficient for most small business networks. These
settings should be changed only if you are experiencing issues in your environment.
STEP 1 Choose Wireless > Advanced Settings.
STEP 2 Enter these settings, as needed:
Beacon Interval—Enter a value in milliseconds for the beacon interval. The
default setting is 100 milliseconds (10 seconds).
3
DTIM interval—Enter the interval at which the DTIM (Delivery Traffic
Indication Message) should be sent. The default interval is 2 beacon
intervals.
Request to Send (RTS) Threshold—Enter the packet size, in bytes, that
requires a Request To Send (RTS)/Clear To Send (CTS) handshake before sending. A low Request to Send (RTS) Threshold setting consumes more bandwidth but can help the network to recover from interference or collisions. The default value is 2346, which effectively disables RTS.
Fragmentation Threshold—Enter the frame length, in bytes, that requires
packets to be split into two or more frames. It may be helpful to reduce the
Fragmentation Threshold in areas experiencing interference. However, only
minor changes are recommended. Setting the fragmentation threshold too low may result in poor network performance. The default value is 2346, which effectively disables fragmentation.
Preamble Mode—Choose a Long or Short preamble, depending on the
devices in the network. A long preamble is needed for compatibility with the legacy 802.11 systems operating at 1 and 2 Mbps. The default selection is Long.
Protection Mode—Choose whether or not to enable CTS-to-Self
Protection. This mechanism is used to minimize collisions among stations in a mixed 802.11b and 802.11g environment. This function boosts the Cisco RV220W’s ability to catch all wireless transmissions but severely decreases performance. The default selection is None.
Cisco RV220W Administration Guide 62
Page 63
Configuring the Wireless Network
Wireless Distribution System (WDS)
Short Retry Limit and Long Retry Limit—Enter the number of seconds that
the radio will wait before attempting to retransmit a frame. The limit applies to both long and short frames of a size less than or equal to the RTS threshold.
STEP 3 Click Save to save your settings, or click Cancel to reload the page with the
current settings.
Wireless Distribution System (WDS)
Use the Wireless > WDS page to enable a Wireless Distribution System. A WDS allows a wireless network to be expanded by using multiple access points without requiring a wired backbone to link them. Also manage the WDS peers, which are other access points in the WDS.
3
You must configure all WDS peers to use the same operating frequency (2.4 or 5 GHz), wireless network mode, channel, and security encryption (none, WEP, WPA, or WPA2) with the exact same WPA password (preshared key) on the first SSID— other SSIDs cannot be used for communicating with WDS peers. RV220W supports up to 3 WDS peers.
To open this page: In the navigation tree, choose Wireless > WDS.
STEP 1 Check the Enable box to enable WDS in the Cisco RV220W. Otherwise, uncheck
the box. WDS is disabled by default.
STEP 2 If you enabled WDS and use WPA security mode, enter the WPA Key. It must be
the same WPA key that is used on the first SSID in the Wireless Basic Setting Table on the Wireless > Basic Settings page.
STEP 3 In the WDS Peers Table, perform these tasks to manage the WDS peers:
To add a peer, click Add, and then enter the MAC address. Click Save to save
your settings, or click Cancel to reload the page with the current settings.
To delete a peer, check the box and then click Delete. To select all peers,
check the box in the heading row.
STEP 4 Click Save to save your settings, or click Cancel to reload the page with the
current settings.
Cisco RV220W Administration Guide 63
Page 64
Firewall
4
The Firewall menu provides access to pages where you can configure the firewall properties of the Cisco RV220W.
Refer to these topics:
Cisco RV220W Firewall Features, page 64
Access Rules, page 66
Attack Prevention, page 72
Content Filtering, page 73
URL Blocking, page 75
Port Triggering, page 76
Port Forwarding, page 78
DMZ Host, page 82
Advanced Firewall Settings, page 82
Firewall Configuration Examples, page 94
Cisco RV220W Firewall Features
You can secure your network by creating and applying access rules that the Cisco RV220W uses to selectively block and allow inbound and outbound Internet traffic. You then specify how and to what devices the rules apply. You can configure the following:
Services or traffic types (examples: web browsing, VoIP, other standard
services and also custom services that you define) that the router should allow or block. If you need to add custom services before you begin configuring access rules, see Custom Services, page 87.
Cisco RV220W Administration Guide 64
Page 65
Firewall
Cisco RV220W Firewall Features
4
Rules for outbound (from your LAN to the Internet) or inbound (from the
Internet to your LAN) traffic.
Schedules as to when the router should apply rules. If you want to use
schedules, set them up before you begin configuring your access rules. See Schedules for Firewall Rules and Port Forwarding Rules, page 89.
Keywords (in a domain name or on a URL of a web page) that the router
should allow or block.
MAC addresses of devices whose inbound access to your network the
router should block.
Port triggers that signal the router to allow or block access to specified
services as defined by port number.
Reports and alerts that you want the router to send to you.
You can, for example, establish restricted-access policies based on time-of-day, web addresses, and web address keywords. You can block Internet access by applications and services on the LAN, such as chat rooms or games. You can block just certain groups of PCs on your network from being accessed by the WAN or public network.
Inbound (Internet to LAN) rules restrict access to traffic entering your network, selectively allowing only specific outside users to access specific local resources. By default, all access from the insecure WAN side is blocked from accessing the secure LAN, except in response to requests from the LAN or DMZ. To allow outside devices to access services on the secure LAN, you must create a firewall rule for each service.
If you want to allow incoming traffic, you must make the router's WAN port IP address known to the public. This is called “exposing your host.” How you make your address known depends on how the WAN ports are configured; for the Cisco RV220W, you may use the IP address if a static address is assigned to the WAN port, or if your WAN address is dynamic, a DDNS (Dynamic DNS) name can be used.
Outbound (LAN to Internet) rules restrict access to traffic leaving your network, selectively allowing only specific local users to access specific outside resources. The default outbound rule is to allow access from the secure zone (LAN) to the insecure WAN. To block hosts on the secure LAN from accessing services on the outside (insecure WAN), you must create a firewall rule for each service.
Cisco RV220W Administration Guide 65
Page 66
Firewall
Access Rules
Access Rules
4
Access Rules allow or prevent specific types of traffic to and from your secure local network (LAN). You can perform these tasks:
Setting the Default Outbound Policy and Managing Access Rules,
page 66
Adding and Editing Access Rules, page 67
Changing Access Rule Priorities, page 71
Setting the Default Outbound Policy and Managing Access Rules
Use the Firewall > Access Rules page to set a default policy for outbound traffic, and to manage Access Rules for specific types of inbound and outbound traffic that you want to control.
The default outbound policy applies to all outbound traffic that is not covered by a specific Access Rule. For example, you can create Access Rules to restrict outbound instant messaging and video traffic, while your default outbound policy allows all other traffic to the Internet.
NOTE The default
(LAN) is always blocked and cannot be changed. You can create Access Rules to allow specified types of inbound traffic.
To open this page: In the navigation tree, choose Firewall > Access Rules.
STEP 1 In the Default Outbound Policy section, choose whether to allow or block traffic
from your LAN to the Internet. This policy applies to all traffic that is not covered by an Access Rule.
STEP 2 Under Default Outbound Policy, choose one of the following options:
Allow—Choose this option to permit traffic from your LAN to the Internet.
Block—Choose this option to prevent traffic from your LAN to the Internet.
STEP 3 If you changed the Default Outbound Policy, click Save to save your settings. Any
unsaved changes will be abandoned if you add or edit Access Rules.
inbound
policy for traffic from the Internet to your secure local network
STEP 4 In the Access Rule Table, perform these tasks:
To add a rule, click Add Rule. Then enter the settings on the Add/Edit
Access Rule Configuration page. See Adding and Editing Access Rules,
page 67.
Cisco RV220W Administration Guide 66
Page 67
Firewall
Access Rules
4
To edit a rule, check the box and then click Edit Rule. Then enter the settings
on the Add/Edit Access Rule Configuration page. See Adding and Editing
Access Rules, page 67.
To delete a rule, check one or more boxes and then click Delete. To select all
rules, check the box in the heading row. When the confirmation message appears, click OK to continue with the deletion, or otherwise click Cancel.
To enable a rule, check the box and then click Enable. To select all rules,
check the box in the heading row.
To disable a rule, check the box and then click Disable. To select all rules,
check the box in the heading row.
To reorder the rules, click Reorder. Then change the priorities on the Access
Rules Table (Priorities) page. See Changing Access Rule Priorities,
page 71.
Adding and Editing Access Rules
Use the Add/Edit Access Rule Configuration page to configure an Access Rule for a specified type of inbound or outbound traffic.
NOTE If you want to configure an access rule that is automatically activated or
deactivated for specified days and times, click Firewall > Advanced Settings > Schedules to configure a schedule. Then return to this page to add the rule.
To open this page: From the Firewall > Access Rules page, click Add Rule or select a rule and then click Edit.
STEP 1 For all types of rules, enter these settings:
Connection Type—Choose the traffic flow that is covered by this rule:
- Inbound WAN (Internet) to LAN (Local Network)—Traffic from the
Internet (WAN) to your network (LAN)
- Outbound LAN (Local Network) to WAN (Internet)—Traffi c fro m you r
network (LAN) to the Internet (WAN)
Action—Choose one of the following actions:
- Always Block—Always block the selected type of traffic.
- Always Allow—Never block the selected type of traffic.
Cisco RV220W Administration Guide 67
Page 68
Firewall
Access Rules
4
- Block by schedule, otherwise allow—Block the selected type of traffic
only during specified days and times. Choose a schedule from the drop­down list. To add a new schedule, click the Configure Schedules button.
- Allow by schedule, otherwise block—Allow the selected type of traffic
only during specified days and times. Choose a schedule from the drop­down list. To add a new schedule, click the Configure Schedules button.
Service—Choose the service to allow or block. Choose Any Traffic if the
rule applies to all applications and services. To add a service that is not in the list, click the Configure Services button. After configuring a service, you can use your browser’s Back button to return to this page. By default, the list includes the following services:
- AIM (AOL Instant Messenger)
- BGP (Border Gateway Control)
- BOOTP_CLIENT (Bootstrap Protocol client)
- BOOTP_SERVER (Bootstrap Protocol server)
- CU-SEEME (videoconferencing) UDP or TCP
- DNS (Domain Name System), UDP or TCP
- FINGER
- FTP (File Transfer Protocol)
- HTTP (Hyptertext Transfer Protocol)
- HTTPS (Secure Hypertext Transfer Protocol)
- ICMP (Internet Control Message Protocol) type 3 through 11 or 13
- ICQ (chat)
- IMAP (Internet Message Access Protocol) 2 or 3
- IRC (Internet Relay Chat)
- NEWS
- NFS (Network File System)
- NNTP (Network News Transfer Protocol)
- PING
- POP3 (Post Office Protocol)
Cisco RV220W Administration Guide 68
Page 69
Firewall
Access Rules
4
- PPTP (Point-to-Point Tunneling Protocol)
- RCMD (command)
- REAL-AUDIO
- REXEC (Remote execution command)
- RLOGIN (Remote login)
- RTELNET (Remote telnet)
- RTSP (Real-Time Streaming Protocol) TCP or UDP
- SFTP (Secure Shell File Transfer Protocol)
- SMTP (Simple Mail Transfer Protocol)
- SNMP (Simple Network Management Protocol) TCP or UDP
- SNMP-TRAPS (TCP or UDP)
- SQL-NET (Structured Query Language)
- SSH (TCP or UDP)
- STRMWORKS
- TACACS (Terminal Access Controller Access-Control System)
- TELNET (command)
- TFTP (Trivial File Transfer Protocol)
- RIP (Routing Information Protocol)
- IKE
- SHTTPD (Simple HTTPD web server)
- IPSEC-UDP-ENCAP (UDP Encapsulation of IPsec packets)
- IDENT protocol
- VDOLIVE (live web video delivery)
- SSH (secure shell)
- SIP-TCP or SIP-UDP
Cisco RV220W Administration Guide 69
Page 70
Firewall
Access Rules
4
Source IP—Specify the IP address to which the firewall rule applies:
- Any—The rule applies to traffic originating from any IP address.
- Single Address—The rule applies to traffic originating from a single IP
address. Enter the address in the Start field.
- Address Range—The rule applies to traffic originating from a range of IP
addresses. Enter the starting IP address in the Start field, and the ending IP address in the Finish field.
STEP 2 For inbound rules that allow access to your LAN, enter these additional settings:
Send to Local Server (DNAT IP)—Specify the local IP address of the device
that hosts the service. Destination Network Address Translation (DNAT) maps a public IP address (your dedicated WAN address) to the specified private IP address.
Use Other WAN (Internet) IP Address—To associate the specified Local
Server with a public IP address other than your dedicated WAN address, check the Enable box and then enter the public IP address in the WAN (Internet) Destination IP field. The router supports multi-NAT, which allows multiple public IP addresses for a single WAN interface. If your ISP assigns you more than one public IP address, one of these can be used as your primary IP address on the WAN port, and the others can be assigned to servers on the LAN. In this way, the LAN can be accessed from the Internet by multiple public IP addresses.
STEP 3 For outbound rules only, enter these additional settings:
Destination IP—Specify the public IP address to which the firewall rule
applies:
- Any—The rule applies to traffic going to any IP address.
- Single Address—The rule applies to traffic going to a single IP address.
Enter the address in the Start field.
- Address Range—The rule applies to traffic going to a range of IP
addresses. Enter the starting IP address in the Start field, and the ending IP address in the Finish field.
Use This SNAT IP Address (only for rules that Allow access)—To associate
the specified Destination IP with a public IP address (your dedicated WAN IP address or another public IP address), check the Enable box and then enter the public IP address in the SNAT IP field. Secure Network Address Translation (SNAT) maps a public IP address to an IP address on your private network.
Cisco RV220W Administration Guide 70
Page 71
Firewall
Access Rules
4
STEP 4 For all rules, enable or disable the Rule Status. For example, you can configure an
inbound rule for a local web server and disable it until your web site is ready to receive traffic.
STEP 5 Click Save to save your settings, or click Cancel to reload the page with the
current settings. Click Back to return to the Firewall > Access Rules page.
Changing Access Rule Priorities
Use the Access Rules (Priority) page to reorder the rules in the Access Rules table. The rules at the top of the table are enforced before the rules at the bottom. For example, you can place generally applicable rules near the bottom of the table and place exceptions to those rules at the top of the table.
To open this page: From the Firewall > Access Rules page, click Reorder.
STEP 1 From the Connection Type drop-down list, choose the type of rule to display:
Outbound—Rules affecting traffic from the LAN (Local Network) to the WAN
(Internet).
Inbound—Rules affecting traffic from the WAN (Internet) to the LAN (Local
Network).
STEP 2 Check the box for one or more rules that you want to move.
STEP 3 Perform the following tasks:
Move the selection to the top of the list—Click the up-arrow button. If you
selected one rule, it will become the first rule in the Priority column. If you selected multiple rules, they will move as a group to the top of the list. For example, if you selected Priority 15 and 20, they would move to Priority 1 and 2, respectively.
Move the selection to the bottom of the list—Click the down-arrow button.
If you selected one rule, it will become the last rule in the Priority column. If you selected multiple rules, they will move as a group to the bottom of the list. For example, if you selected Priority 1 and 5 from a list of 20, they would move to Priority 19 and 20, respectively.
Move the selection to a specific position within the list: Identify the
insertion point by typing an existing priority number in the white text box. Then click Move To. Your selection will be moved immediately below the
Cisco RV220W Administration Guide 71
Page 72
Firewall
Attack Prevention
STEP 4 Click Save to save your settings, or click Cancel to reload the page with the
current settings. Move other rules, or click Back to return to the Firewall > Access Rules page.
Attack Prevention
Attacks are malicious security breaches or unintentional network issues that render the Cisco RV220W unusable. Attack prevention allows you to manage WAN security threats such as continual ping requests and discovery via ARP scans. TCP and UDP flood attack prevention can be enabled to manage extreme usage of WAN resources.
4
specified priority number. For example, if you selected Priority 2 and 10 and entered the number 5 in the white box, they would move to Priority 6 and 7, respectively.
As well, certain Denial-of-Service (DoS) attacks can be blocked. These attacks, if uninhibited, can use up processing power and bandwidth and prevent regular network services from running normally. ICMP packet flooding, SYN traffic flooding, and Echo storm thresholds can be configured to temporarily suspend traffic from the offending source.
To open this page: In the navigation tree, choose Firewall > Attack Prevention.
STEP 1 In the WAN (Internet) Security Checks section, check or uncheck the Enable box
to enable or disable the following security checks:
Respond to Ping on WAN (Internet)—To configure the Cisco RV220W to
allow a response to an Internet Control Message Protocol (ICMP) Echo (ping) request on the WAN interface, check this box. This setting is used as a diagnostic tool for connectivity problems. Not enabled by default.
Stealth Mode—If Stealth Mode is enabled, the router will not respond to
port scans from the WAN. This feature makes the network less susceptible to discovery and attacks. Enabled by default.
Flood—If this option is enabled, the router will drop all invalid TCP packets.
This feature protects the network from a SYN flood attack. Enabled by default.
Cisco RV220W Administration Guide 72
Page 73
Firewall
Content Filtering
4
STEP 2 In the LAN (Local Network) Security Checks section, check or uncheck the
Enable box to enable or disable Block UDP Flood. When this option is enabled,
the router accepts no more than 25 simultaneous, active UDP connections from a single computer on the LAN. Enabled by default.
STEP 3 In the ICSA Settings section, check or uncheck the Enable box to enable or
disable the following International Computer Security Association requirements:
Block Anonymous ICMP Messages—ICSA requires the firewall to silently
block without sending an ICMP notification to the sender. Some protocols, such as MTU Path Discovery, require ICMP notifications. Enable this setting to operate in “stealth” mode. Enabled by default.
Block Fragmented Packets—ICSA requires the firewall to block
fragmented packets from ANY to ANY. Enabled by default.
Block Multicast Packets—ICSA requires the firewall to block multicast
packets. Enabled by default.
STEP 4 Click Save to save your settings, or click Cancel to reload the page with the
current settings.
Content Filtering
Use the Firewall > Content Filtering page to enable and configure content filtering. For example, you can block potentially risky web components such as ActiveX or Java. You can prevent web access by blocking all URLs, or you can set up trusted domains by specifying websites and identifying allowed URL keywords.
To open this page: In the navigation tree, choose Firewall > Content Filtering.
STEP 1 In the Content Filtering section, enter these settings:
Content Filtering—To enable Content Filtering, check the Enable box. To
disable this feature, uncheck the box.
Enable Check Referer: Check the box to enable checking the HTTP referer
header for allowed URLs. When enabled, this feature allows a user to access a link on an allowed web page even if the link goes to a different domain.
Cisco RV220W Administration Guide 73
Page 74
Firewall
Content Filtering
4
HTTP Ports—Enter the HTTP ports to which content filtering applies. The
default port is 80. If your networking using an external HTTP proxy server which listens on other ports, they can be added here. Multiple ports can be specified in a comma separated list.
After changing these settings, click Save to save your changes and update
the other fields on the page. For example, the Approved URLs Table becomes available only after you enable Content Filtering.
STEP 2 In the Web Components section, check the box for each web component that you
want to block. Although many reputable web sites use these components for legitimate purposes, these components can be used by malicious websites to infect computers.
Proxy—A proxy server (or simply, proxy) allows computers to route
connections to other computers through the proxy, thus circumventing certain firewall rules. For example, if connections to a specific IP address are blocked by a firewall rule, the requests can be routed through a proxy that is not blocked by the rule, rendering the restriction ineffective. Enabling this feature blocks proxy servers.
Java—Blocks java applets from being downloaded from pages that contain
them. Java applets are small programs embedded in web pages that enable dynamic functionality of the page. A malicious applet can be used to compromise or infect computers. Enabling this setting blocks Java applets from being downloaded.
ActiveX—Similar to Java applets, ActiveX controls are installed on a
Windows computer while running Internet Explorer. A malicious ActiveX control can be used to compromise or infect computers. Enabling this setting blocks ActiveX applets from being downloaded.
Cookies—Cookies are used to store session information by websites that
usually require login. However, several websites use cookies to store tracking information and browsing habits. Enabling this option filters out cookies from being created by a website.
Note: Many websites require that cookies be accepted in order for the site to be accessed properly. Blocking cookies can cause many websites to not function properly.
STEP 3 In the Approved URLs List Enable section, enable the following options:
Approved URLs List—Check the box to allow access to all URLs in the
Approved URLs Table. Uncheck the box to disable this feature. Users will be allowed to access these web sites even if access would be blocked by other rules such as URL Blocking.
Cisco RV220W Administration Guide 74
Page 75
Firewall
URL Blocking
4
Block All URLs by Default: Check the box to block access to all URLs that
are not specifically allowed.
STEP 4 In the Approved URLs Table, perform these tasks:
To add a new entry, click Add. Choose Web site and enter a full website
address, or choose URL Keyword and enter key words that are allowed in any website address. For example, if you choose Web site and enter www.cisco.com, users can always access that specific web site. If you choose URL Keyword and enter cisco, users can always access any web site whose URL includes that word.
To edit an entry, check the box and then click Edit. To select all entries, check
the box in the heading row. Choose the type and enter the website address or keyword, as described above.
To delete an entry, check the box and then click Delete. To select all entries,
check the box in the heading row.
STEP 5 Click Save to save your settings, or click Cancel to reload the page with the
URL Blocking
STEP 1 In the Blocked Keywords Table, perform these tasks:
current settings.
Use the Firewall > URL Blocking page to block access to websites that contain specified keywords in the URL.
To open this page: In the navigation tree, choose Firewall > URL Blocking.
To add a new entry, click Add Row. Check or uncheck the Status box to
enable or disable the blocked keyword. Enter the keyword in the URL box.
To edit an entry, check the box and then click Edit. To select all entries, check
the box in the heading row. Check or uncheck the Status box to enable or disable the blocked keyword. Enter the keyword in the URL box.
To delete an entry, check the box and then click Delete. To select all entries,
check the box in the heading row.
Cisco RV220W Administration Guide 75
Page 76
Firewall
Port Triggering
STEP 2 Click Save to save your settings, or click Cancel to reload the page with the
Port Triggering
4
current settings.
Port triggering allows devices on the LAN to receive inbound traffic from the Internet. Port triggering waits for an outbound request from the LAN on one of the defined outgoing ports, and then opens an incoming port for that specified type of traffic. Port triggering is a form of dynamic port forwarding while an application is transmitting data over the opened outgoing or incoming ports.
Port triggering opens an incoming port for a specific type of traffic on a defined outgoing port.
Port triggering is more flexible than static port forwarding (available when configuring firewall rules) because a rule does not have to reference a specific LAN IP or IP range. Ports are also not left open when not in use, thereby providing a level of security that port forwarding does not offer.
NOTE Port triggering is not appropriate for servers on the LAN, since there is a
dependency on the LAN device making an outgoing connection before incoming ports are opened.
Some applications require that, when external devices connect to them, they receive data on a specific port or range of ports in order to function properly. The router must send all incoming data for that application only on the required port or range of ports. The gateway has a list of common applications and games with corresponding outbound and inbound ports to open. You can also specify a port triggering rule by defining the type of traffic (TCP or UDP) and the range of incoming and outgoing ports to open when enabled.
Managing Port Triggering Rules, page 77
Adding and Editing Port Triggering Rules, page 77
Cisco RV220W Administration Guide 76
Page 77
Firewall
Port Triggering
4
Managing Port Triggering Rules
Use the Firewall > Port Triggering page to view, add, edit, and delete your port triggering rules.
To open this page: In the navigation tree, choose Firewall > Port Triggering.
Perform these tasks:
To add a port triggering rule, click Add. Then enter the settings on the Add/
Edit Port Triggering Rule page. See Adding and Editing Port Triggering
Rules, page 77.
To edit a port triggering rule, check the box and then click Edit. Then enter
the settings on the Add/Edit Port Triggering Rule page. See Adding and
Editing Port Triggering Rules, page 77.
To delete a port triggering rule, check the box and then click Delete. To
select all rules, check the box in the heading row, and then click Delete. When the confirmation message appears, click OK to continue with the deletion, or otherwise click Cancel.
Adding and Editing Port Triggering Rules
Use the Add/Edit Port Triggering Rule page to enter the settings for a port triggering rule.
To open this page: From the Firewall > Port Triggering page, click Add or select a rule and then click Edit.
STEP 1 At the top of the page, enter these settings:
Name—Enter an easily-identifiable name for this rule.
Port Triggering Rule—Check the Enable box to enable the rule., or uncheck
the box to disable the rule. For example, you may want to configure a rule and disable it until an internal resource is ready to receive traffic.
Protocol—Select whether the port uses TCP, UDP, or Both.
STEP 2 In the Outgoing (Trigger) Port Range section, specify the port number or range of
port numbers that will trigger this rule when a connection request from outgoing traffic is made. If the outgoing connection uses only one port, then specify the same port number in the Start Port and End Port fields.
Cisco RV220W Administration Guide 77
Page 78
Firewall
Port Forwarding
STEP 3 In the Incoming (Response) Port Range section, specify the port number or
range of port numbers used by the remote system to respond to the request it receives. If the incoming connection uses only one port, then specify the same port number in the Start Port and End Port fields.
STEP 4 Click Save to save your settings, or click Cancel to reload the page with the
current settings.
Port Forwarding
Port forwarding is used to redirect traffic from the Internet from one port on the WAN to another port on the LAN. The port forwarding rules menu allows selection of a service. Common services are available or you can define a custom service and associated ports to forward.
4
Managing Port Forwarding Rules, page 78
Adding or Editing a Port Forwarding Rule, page 79
Managing Port Forwarding Rules
Use the Firewall > Port Forwarding page to view, add, edit, or delete port forwarding rules.
To open this page: In the navigation tree, choose Firewall > Port Forwarding.
The Port Forwarding Rule Table lists all the available port forwarding rules for this device and allows you to configure port forwarding rules. The table contains this information:
Action—Whether to block or allow traffic (always or by schedule) that
meets these filter rules, and when the rule is applicable.
Service—Service for which this port forwarding rule is applicable.
Status—A port forwarding rule can be disabled if not in use and enabled
when needed. The port forwarding rule is disabled if the status is disabled and it is enabled if the status is enabled. Disabling a port forwarding rule does not delete the configuration.
Source IP—The source IP address for traffic from which traffic is forwarded
(Any, Single Address or Address Range).
Cisco RV220W Administration Guide 78
Page 79
Firewall
Port Forwarding
4
Destination IP—The IP address of the server to which traffic is forwarded.
Forward From Port—From which port traffic will be forwarded.
Forward To Port—To which port traffic will be forwarded.
STEP 1 Perform these tasks:
To add a rule, click Add. Then enter the settings on the Add / Edit Port
Forwarding Configuration page. See Adding or Editing a Port Forwarding
Rule, page 79.
To edit a rule, check the box and then click Edit. Then enter the settings on
the Add / Edit Port Forwarding Configuration page. See Adding or Editing
a Port Forwarding Rule, page 79.
To delete a rule, check the box and then click Delete. To select all rules,
check the box in the heading row, and then click Delete. When the confirmation message appears, click OK to continue with the deletion, or otherwise click Cancel.
Adding or Editing a Port Forwarding Rule
Use the Add / Edit Port Forwarding Configuration page to configure port forwarding rules.
To open this page: From the Firewall > Port Forwarding page, click Add or select a rule and then click Edit.
STEP 1 Choose the Action and Schedule (if applicable):
Always Block—Always block the selected type of traffic.
Always Allow—Never block the selected type of traffic.
Block by Schedule—Blocks the selected type of traffic according to a
schedule. Choose the schedule from the drop-down list. To add a new schedule, click the Configure Schedules button. After configuring a schedule, you can use your browser’s Back button to return to this page.
Allow by Schedule—Allows the selected type of traffic according to a
schedule. Choose the schedule from the drop-down list. To add a new schedule, click the Configure Schedules button. After configuring a schedule, you can use your browser’s Back button to return to this page.
Cisco RV220W Administration Guide 79
Page 80
Firewall
Port Forwarding
4
STEP 2 Choose the Service that is subject to this rule, or click Configure Services to add
a new service to the list. The following services are included:
AIM (AOL Instant Messenger) PPTP (Point-to-Point Tunneling
Protocol)
BGP (Border Gateway Control) RCMD (command)
BOOTP_CLIENT (Bootstrap Protocol client)
BOOTP_SERVER (Bootstrap Protocol server)
CU-SEEME (videoconferencing) UDP or TCP
DNS (Domain Name System), UDP or TCP
FINGER RTELNET (Remote telnet)
FTP (File Transfer Protocol) RTSP (Real-Time Streaming Protocol)
HTTP (Hyptertext Transfer Protocol) SFTP (Secure Shell File Transfer
HTTPS (Secure Hypertext Transfer Protocol)
ICMP (Internet Control Message Protocol) type 3 through 11 or 13
REAL-AUDIO
REXEC (Remote execution command)
RIP (Routing Information Protocol)
RLOGIN (Remote login)
TCP or UDP
Protocol)
SHTTPD (Simple HTTPD web server)
SIP-TCP or SIP-UDP
ICQ (chat) SMTP (Simple Mail Transfer Protocol)
IDENT protocol SNMP (Simple Network Management
IKE SNMP-TRAPS (TCP or UDP)
IMAP (Internet Message Access Protocol) 2 or 3
IPSEC-UDP-ENCAP (UDP Encapsulation of IPsec packets)
Cisco RV220W Administration Guide 80
Protocol) TCP or UDP
SQL-NET (Structured Query Language)
SSH (secure shell)
Page 81
Firewall
Port Forwarding
4
IRC (Internet Relay Chat) SSH (TCP or UDP)
NEWS STRMWORKS
NFS (Network File System) TACACS (Terminal Access Controller
Access-Control System)
NNTP (Network News Transfer Protocol)
PING TFTP (Trivial File Transfer Protocol)
POP3 (Post Office Protocol) VDOLIVE (live web video delivery)
STEP 3 For all types of rules, select the Source IP:
Any—Specifies that the rule being created is for traffic from the given
endpoint.
Single Address—Limit to one host. Requires the IP address of the host to
which this rule would be applied. If you choose this option, also enter the IP address in the Start field.
Address Range—This is used to apply this rule to a group of computers/
devices within an IP address range. If you choose this option, enter the starting IP address of the range in the Start field and the ending IP address of the range in the Finish field.
STEP 4 For rules that allow access, configure these settings:
Destination IP—Enter the IP address of the network device that receives
the traffic that meets this rule.
TELNET (command)
Forward from Port—Choose Same as Incoming Port if the traffic should
be forwarded from the same port number on which it was received. Otherwise, choose Specify Port and then enter the port number in the Port Number field.
Forward to Port—Choose Same as Incoming Port if the traffic should be
forwarded to the same port on the receiving server. Otherwise, choose
Specify Port and then enter the port number in the Port Number field.
STEP 5 Click Save to save your settings, or click Cancel to reload the page with the
current settings. Click Back to return to the Firewall > Port Forwarding page.
Cisco RV220W Administration Guide 81
Page 82
Firewall
DMZ Host
DMZ Host
4
The Cisco RV220W supports DMZ options. A DMZ is a sub-network that is open to the public but behind the firewall. DMZ allows you to redirect packets going to your WAN port IP address to a particular IP address in your LAN. It is recommended that hosts that must be exposed to the WAN (such as web or email servers) be placed in the DMZ network. Firewall rules can be allowed to permit access to specific services and ports to the DMZ from both the LAN or WAN. In the event of an attack on any of the DMZ nodes, the LAN is not necessarily vulnerable as well.
You must configure a fixed (static) IP address for the endpoint that will be designated as the DMZ host. The DMZ host should be given an IP address in the same subnet as the router's LAN IP address but it cannot be identical to the IP address given to the LAN interface of this gateway.
To open this page: In the navigation tree, choose Firewall > DMZ Host.
STEP 1 Check the Enable box to enable DMZ on the network. Uncheck the box to disable
this feature.
STEP 2 Enter the IP address for the endpoint that will receive the redirected packets. This
is the DMZ host.
STEP 3 Click Save to save your settings, or click Cancel to reload the page with the
current settings. After enabling a DMZ host, configure firewall rules for the zone. See Custom Services, page 87.
Advanced Firewall Settings
Use the Advanced Settings menu options to configure the following advanced firewall settings:
One-to-One Network Address Translation (NAT), page 83
MAC Address Filtering, page 85
IP/MAC Address Binding, page 86
Custom Services, page 87
Schedules for Firewall Rules and Port Forwarding Rules, page 89
Cisco RV220W Administration Guide 82
Page 83
Firewall
Advanced Firewall Settings
4
Session Settings, page 91
Internet Group Management Protocol (IGMP), page 92
SIP ALG, page 93
One-to-One Network Address Translation (NAT)
One-to-one NAT is a mechanism that maps public IP addresses to the private IP addresses of devices that are behind a firewall.
Managing One-to-One NAT Rules, page 83
Adding or Editing a One-to-One NAT Rule, page 84
Managing One-to-One NAT Rules
Use the Firewall > Advanced Settings > One-to-One NAT page to view, add, edit, and delete One-to-One NAT Rules.
To open this page: In the navigation tree, choose Firewall > Advanced Settings > One-to-One NAT.
The One-to-One-NAT Rules Table lists the available One-To-One NAT rules that have been configured. It displays the following fields:
Private Range Begin—The starting IP address in the private (LAN) IP
address.
Public Range Begin—The starting IP address in the public (WAN) IP
address.
Range Length—Range length maps one to one private address to public
address up to the given range.
Service—Shows configured services. Services for one-to-one NAT allow
you to configure the service to be accepted by the private IP (LAN) address when traffic is sent to the corresponding public IP address. Configured services on private IP addresses in the range are accepted when traffic is available on the corresponding public IP address.
Perform these tasks:
To add a one-to-one NAT rule, click Add. Then enter the settings on the Add/
Edit One-to-One NAT Configuration page. See Adding or Editing a One-to-
One NAT Rule, page 84.
Cisco RV220W Administration Guide 83
Page 84
Firewall
Advanced Firewall Settings
4
To edit a one-to-one NAT rule, check the box and then click Edit. Then enter
the settings on the Add/Edit One-to-One NAT Configuration page. See
Adding or Editing a One-to-One NAT Rule, page 84.
To delete a one-to-one NAT rule, check the box and then click Delete. To
select all rules, check the box in the heading row, and then click Delete. When the confirmation message appears, click OK to continue with the deletion, or otherwise click Cancel.
Adding or Editing a One-to-One NAT Rule
Use the Add/Edit One-to-One NAT Configuration page to map a private IP address or range to a public IP address or range.
To open this page: From the Firewall > Advanced Settings > One-to-One NAT page, click Add or select a rule and then click Edit.
STEP 1 Enter this information:
Private Range Begin—The starting IP address in the private (LAN) IP
address.
Public Range Begin—The starting IP address in the public (WAN) IP
address.
Range Length—Range length maps one to one private address to public
address up to the given range.
Service—Choose the service for which the rule applies.
STEP 2 Click Save to save your settings, or click Cancel to reload the page with the
current settings. Click Back to return to the Firewall > Advanced Settings > One- to-One NAT page.
Cisco RV220W Administration Guide 84
Page 85
Firewall
Advanced Firewall Settings
NOTE The MAC filtering policy does not override a firewall rule that directs incoming
STEP 1 In the MAC Filtering Settings section, enter these settings:
4
MAC Address Filtering
Use the Firewall > Advanced Settings > MAC Filtering page to allow or block traffic from certain known machines or devices. The router uses the MAC address of a computer or device on the network to identify it and permit or deny access. Traffic from a specified MAC address will be filtered depending upon the policy.
traffic to a host.
To open this page: In the navigation tree, choose Firewall > Advanced Settings > MAC Filtering.
The MAC Address Table lists the MAC addresses and descriptions for all devices that are subject to the MAC filtering policy.
Source MAC Address Filtering—Check the Enable box to enable MAC
Address Filtering for this device. Uncheck the box to disable this feature. After changing this setting, click Save to save your settings, or click Cancel to reload the page with the current settings. Enabling this feature makes other fields available.
Policy for MAC Addresses Listed Below—If you enabled MAC filtering,
choose one of the following options:
- Block and Allow the Rest—Choose this option to block the traffic from
the specified MAC addresses and to allow traffic from all other addresses.
- Allow and Block the Rest—Choose this option to allow the traffic from
the specified MAC addresses and to block traffic from all other machines on the LAN side of the router.
For example, two computers are on the LAN with MAC addresses of 00:01:02:03:04:05 (host1), and 00:01:02:03:04:11 (host2). If the host1 MAC address is added to the MAC filtering list and the “block and allow the rest” policy is chosen, when this computer tries to connect to a website, the router will not allow it to connect. However, host2 is able to connect because its MAC address is not in the list. If the policy is “allow and block the rest,” then host1 is allowed to connect to a website, but host2 is blocked because its URL is not in the list.
Cisco RV220W Administration Guide 85
Page 86
Firewall
Advanced Firewall Settings
STEP 2 In the MAC Addresses Table, perform these tasks:
STEP 3 After making changes, click Save to save your settings, or click Cancel to reload
4
To add a new entry, click Add. Enter the 12-character MAC Address without
punctuation. The formatting is applied automatically. Optionally, type a Description for your reference.
To delete an entry, check the box and then click Delete. To select all entries,
check the box in the heading row.
the page with the current settings.
IP/MAC Address Binding
Use the Firewall > Advanced Settings > IP/MAC Binding page to bind IP addresses to MAC addresses. This feature is useful if you have configured a machine with a static address and want to discourage a user from changing the IP address. If a specified device sends packets using an unexpected IP address, the Cisco RV220W drops the packets.
To open this page: In the navigation tree, choose Firewall > Advanced Settings > IP/MAC Binding.
The IP/MAC Binding Table lists the names, MAC addresses, and IP addresses for the currently defined IP/MAC binding rules.
STEP 1 Perform these tasks:
To add a new entry, click Add. Enter these settings:
- Name—Enter a short description for your reference.
- MAC Address—Enter the 12-character MAC address of the device
without punctuation. The formatting is applied automatically.
- IP Address—Enter the expected IP address of the specified device.
To edit an entry, check the box and then click Edit. To select all entries, check
the box in the heading row. Edit the information, as described above.
To delete an entry, check the box and then click Delete. To select all entries,
check the box in the heading row.
Cisco RV220W Administration Guide 86
Page 87
Firewall
Advanced Firewall Settings
STEP 2 After making changes, click Save to save your settings, or click Cancel to reload
4
the page with the current settings.
Custom Services
Each firewall rule applies to a specific type of service. Common types of services are pre-configured and can be selected from the Service list when you configure an access rule. (See Adding and Editing Access Rules, page 67.) As needed, you can add services to the list.
Managing Custom Services, page 87
Adding or Editing a Custom Service, page 88
Managing Custom Services
Use the Firewall > Advanced Settings > Custom Services page to view, add, edit, or delete custom services.
NOTE For a list of pre-configured services, see the Service description in the procedure
Adding and Editing Access Rules, page 67.
To open this page: In the navigation tree, choose Firewall > Advanced Settings > Custom Services.
The Custom Services Table lists the details for the custom services that have been defined.
Perform these tasks:
To add a service, click Add. Then enter the settings on the Add/Edit Custom
Services Configuration page. See Adding or Editing a Custom Service,
page 88.
To edit a service, check the box and then click Edit. Then enter the settings
on the Add/Edit Custom Services Configuration page. See Adding or
Editing a Custom Service, page 88.
To delete a service, check the box and then click Delete. To select all
services, check the box in the heading row, and then click Delete. When the confirmation message appears, click OK to continue with the deletion, or otherwise click Cancel.
Cisco RV220W Administration Guide 87
Page 88
Firewall
Advanced Firewall Settings
STEP 1 Enter these settings:
4
Adding or Editing a Custom Service
Use the Add/Edit Custom Services Configuration page to enter the settings for a custom service.
To open this page: From the Firewall > Advanced Settings > Custom Services page, click Add or select a service and then click Edit.
Name—Enter a service name for identification and management purposes.
Type—Choose layer 4 protocol that the service uses (TCP, UDP, ICMP,
ICMPv6, or other).
- If you chose ICMP or ICMPv6 as the service type, specify the ICMP type
by entering its numeric value (from 0 through 40 for ICMP and from 0 through 255 for ICMPv6).
- If you chose TCP or UDP, enter the first TCP or UDP port of the range that
the service uses. In the Finish Port field, enter the last TCP or UDP port of the range that the service uses.
- If you chose Other, enter the number of the protocol in the Protocol
Number field. (For example, if you are using RDP, enter 27 in the protocol number field.)
STEP 2 Click Save to save your settings, or click Cancel to reload the page with the
current settings. Click Back to return to the Firewall > Advanced Settings > Custom Services page.
Cisco RV220W Administration Guide 88
Page 89
Firewall
Advanced Firewall Settings
4
Schedules for Firewall Rules and Port Forwarding Rules
You can create schedules to activate firewall access rules and port forwarding rules on specific days or at specific times of the day.
Managing Schedules, page 89
Adding or Editing a Schedule, page 90
Managing Schedules
Use the Firewall > Advanced Settings > Schedules page to view, add, edit, or delete schedules.
To open this page: In the navigation tree, choose Firewall > Advanced Settings > Schedules.
To add a schedule, click Add. Then enter the settings on the Add/Edit
Schedules Configuration page. See Adding or Editing a Schedule,
page 90.
To edit a schedule, check the box and then click Edit. Then enter the
settings on the Add/Edit Schedules Configuration page. See Adding or
Editing a Schedule, page 90.
To delete a schedule, check the box and then click Delete. To select all
schedules, check the box in the heading row, and then click Delete. When the confirmation message appears, click OK to continue with the deletion, or otherwise click Cancel.
Cisco RV220W Administration Guide 89
Page 90
Firewall
Advanced Firewall Settings
STEP 1 Enter these settings:
4
Adding or Editing a Schedule
Use the Add/Edit Schedules Configuration page to configure a schedule for a firewall access rule or a port forwarding rule.
To open this page: From the Firewall > Advanced Settings > Schedules page, click Add or select a schedule and then click Edit.
Name—Enter a unique name to identify the schedule in the Schedule Table
on the Firewall > Advanced Settings > Schedules page.
Time—Choose one of the following options:
- If this schedule applies to the entire day, check the All Day box.
- If this schedule applies during specified hours of the day, uncheck the All
Day box. Then enter the Start Time and End Time by choosing the Hours, Minutes, and time period (AM or PM). The schedule will become
active at the specified start time and will become inactive at the specified end time on the selected day(s).
Repeat—Choose one of the following options:
- If this schedule applies to all the days of the week, check the Everyday
box.
- If this schedule applies only on specified days, uncheck the Everyday
box. Then check the box for each day when the schedule is active. Uncheck the box for each day when the schedule is inactive.
STEP 2 Click Save to save your settings, or click Cancel to reload the page with the
current settings. Click Back to return to the Firewall > Advanced Settings > Schedules page.
Cisco RV220W Administration Guide 90
Page 91
Firewall
Advanced Firewall Settings
STEP 1 Enter these settings:
4
Session Settings
Use the Firewall > Advanced Settings > Session Settings page to limit the maximum number of unidentified sessions and half-open sessions on the Cisco RV220W. You can also introduce timeouts for TCP and UDP sessions to ensure that Internet traffic is not deviating from expectations in your private network.
To open this page: In the navigation tree, choose Firewall > Advanced Settings > Session Settings.
Maximum Unidentified Sessions—Enter the maximum number of
unidentified sessions for the ALG identification process. This value can range from 2 through 128. The default is 32 sessions.
Maximum Half Open Sessions—Enter the maximum number of half-open
sessions. A half-open session is the session state between receipt of a SYN packet and the SYN/ACK packet. Under normal circumstances, a session is allowed to remain in the half-open state for 10 seconds. The maximum value ranges from 0 through 3,000. The default is 128 sessions.
TCP Session Timeout Duration—Enter the time, in seconds, after which
inactive TCP sessions are removed from the session table. Most TCP sessions terminate normally when the RST or FIN flags are detected. This value ranges from 0 through 4,294,967 seconds. The default is 1,800 seconds (30 minutes).
UDP Session Timeout Duration—Enter the time, in seconds, after which
inactive UDP sessions are removed from the session table. This value ranges from 0 through 4,294,967 seconds. The default is 120 seconds (2 minutes).
Other Session Timeout Duration (seconds)—Enter the time, in seconds,
after which inactive non-TCP/UDP sessions are removed from the session table. This value ranges from 0 through 4,294,967 seconds. The default is 60 seconds.
TCP Session Cleanup Latency (seconds)—Enter the maximum time for a
session to remain in the session table after detecting both FIN flags. This value ranges from 0 through 4,294,967 seconds. The default is 10 seconds.
STEP 2 Click Save to save your settings, or click Cancel to reload the page with the
current settings.
Cisco RV220W Administration Guide 91
Page 92
Firewall
Advanced Firewall Settings
4
Internet Group Management Protocol (IGMP)
Use the Firewall > Advanced Settings > IGMP Configuration page to enable the IGMP Proxy on the LAN or WAN interface. Internet Group Management Protocol (IGMP) is an exchange protocol for routers. Hosts that want to receive multicast messages need to inform their neighboring routers of their status. In some networks, each node in a network becomes a member of a multicast group and receives multicast packets. In these situations, hosts exchange information with their local routers by using IGMP. Routers use IGMP periodically to check if the known group members are active. IGMP provides a method called dynamic membership by which a host can join or leave a multicast group at any time.
Enabling IGMP and Managing the Allowed Networks Table, page 92
Adding or Editing the Allowed Networks, page 93
Enabling IGMP and Managing the Allowed Networks Table
Use the Firewall > Advanced Settings > IGMP Configuration page to enable or disable the IGMP Proxy and to view, add, edit, or delete the allowed networks.
To open this page: In the navigation tree, choose Firewall > Advanced Settings > IGMP Configuration.
The Allowed Networks Table lists all the allowed networks configured for the device and allows several operations on the allowed networks:
Network Address—Enter the IP address of the network.
Mask Length—Enter the number of masked bits, as in CIDR slash notation.
Valid values are from 0 to 32.
NOTE By default the device will forward multicast packets which are originating from its
immediate WAN network.
STEP 1 In the IGMP Configuration section, enter these settings:
IGMP Proxy—Check the Enable box to allow IGMP communication
between the router and other nodes in the network. Otherwise, uncheck the box.
Upstream Interface—Choose WAN or LAN to specify the interface on
which the IGMP proxy acts as a multicast client.
After enabling or disabling the proxy, click Save to save your settings or click
Cancel to reload the page with the current settings. Other features become available on the page when IGMP Proxy is enabled.
Cisco RV220W Administration Guide 92
Page 93
Firewall
Advanced Firewall Settings
STEP 2 In the Allowed Networks Table, perform these tasks:
4
To add a network, click Add. Then enter the settings on the Add/Edit
Networks page. See Adding or Editing the Allowed Networks, page 93.
To edit a network, check the box and then click Edit. Then enter the settings
on the Add/Edit Networks page. See Adding or Editing the Allowed
Networks, page 93.
To delete a network, check the box and then click Delete. To select all
networks, check the box in the heading row, and then click Delete. When the confirmation message appears, click OK to continue with the deletion, or otherwise click Cancel.
Adding or Editing the Allowed Networks
Use the Add/Edit Networks page to specify the allowed networks for IGMP communications.
To open this page: From the Firewall > Advanced Settings > IGMP Configuration page, click Add or select a network and then click Edit.
STEP 1 Enter these settings:
Network Address—Enter the IP address of the network.
Mask Length—Enter the number of masked bits, as in CIDR slash notation.
Valid values are from 0 to 32.
STEP 2 Click Save to save your settings, or click Cancel to reload the page with the
current settings. Click Back to return to the Firewall > Advanced Settings > IGMP Configuration page.
SIP ALG
Session Initiation Protocol Application-Level Gateway (SIP ALG) can rewrite information within SIP messages (SIP headers and SDP body) to allow signaling and audio traffic between a client on your private network and a SIP endpoint.
To open this page: In the navigation tree, choose Firewall > Advanced Settings > SIP ALG.
Cisco RV220W Administration Guide 93
Page 94
Firewall
Firewall Configuration Examples
STEP 1 Check the Enable box to enable SIP ALG support. If disabled, the router will not
allow incoming calls to the UAC (User Agent Client) behind the Cisco RV220W.
STEP 2 Click Save to save your settings, or click Cancel to reload the page with the
current settings.
Firewall Configuration Examples
Example 1: Allow inbound HTTP traffic to the DMZ
In this example, you host a public web server on your local DMZ network. You want to allow inbound HTTP requests from any outside IP address to the IP address of your web server at any time of day.
4
Create an inbound rule as follows:
Parameter Value
Connection Type Inbound
Action Always Allow
Service HTTP
Source IP Any
Send to Local Server (DNAT IP) 192.168.5.2 (web server IP address)
Rule Status Enabled
Example 2: Allow videoconferencing from range of outside IP addresses.
In this example, you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses (132.177.88.2 - 132.177.88.254), from a branch office.
Create an inbound rule as follows. In the example, CUSeeMe connections are allowed only from a specified range of external IP addresses.
Cisco RV220W Administration Guide 94
Page 95
Firewall
Firewall Configuration Examples
Parameter Value
Connection Type Inbound
Action Always Allow
Service CU-SEEME:UDP
Source IP Address Range
Start 132.177.88.2
Finish 134.177.88.254
Send to Local Server (DNAT IP) 192.168.1.11
Rule Status Enabled
4
Example 3: Multi-NAT Configuration
In this example, you want to configure multi-NAT to support multiple public IP addresses on one WAN port interface.
Create an inbound rule that configures the firewall to host an additional public IP address. Associate this address with a web server on the DMZ. If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN. One of these public IP addresses is used as the primary IP address of the router. This address is used to provide Internet access to your LAN PCs through NAT. The other addresses are available to map to your DMZ servers.
The following addressing scheme is used to illustrate this procedure:
WAN IP address: 10.1.0.118
LAN IP address: 192.168.1.1; subnet 255.255.255.0
Web server PC in the DMZ, IP address: 192.168.1.2
Access to Web server: (simulated) public IP address 10.1.0.52
Cisco RV220W Administration Guide 95
Page 96
Firewall
Firewall Configuration Examples
Parameter Value
Connection Type Inbound
Action Always Allow
Service HTTP
Source IP Single Address
Start 10.1.0.52
Send to Local Server (DNAT IP) 192.168.1.2 (local IP address of your web server)
Rule Status Enabled
4
Example 4: Block traffic by schedule if generated from specific range of machines
In this example, you want to block all HTTP traffic on the weekends if the request originates from a specific group of machines in the LAN having a known range of IP addresses, and anyone coming in through the Network from the WAN (i.e. all remote users).
For this example, use the Firewall > Advanced Settings > Schedules page to add a schedule that is active all day on Saturday and Sunday. For more information, see
Schedules for Firewall Rules and Port Forwarding Rules, page 89.
Then create the outbound and inbound access rules as shown below.
Create an outbound access rule with the following parameters:
Parameter Value
Connection Type Outbound
Action Block by Schedule
Schedule Weekend
Service HTTP
Source IP Address Range
Cisco RV220W Administration Guide 96
Page 97
Firewall
Firewall Configuration Examples
Parameter Value
Start starting IP address
Finish ending IP address
Destination IP Any
Rule Status Enabled
Create an inbound access rule with the following parameters:
Parameter Value
Connection Type Inbound
4
Action Block by Schedule
Schedule Weekend
Service All Traffic
Source IP Any
Rule Status Enabled
Cisco RV220W Administration Guide 97
Page 98
Cisco ProtectLink Web
The optional Cisco ProtectLink Web service provides security for your network. It filters website addresses (URLs) and blocks potentially malicious websites.
Refer to these topics:
Getting Started with Cisco ProtectLink Web, page 98
Global Settings for Approved URLs and Clients, page 99
5
Web Protection, page 101
Updating the ProtectLink License, page 104
NOTE For more information about this Cisco product, visit the Cisco ProtectLink Web
information page at www.cisco.com/en/US/products/ps9953/index.html
Getting Started with Cisco ProtectLink Web
You can purchase, register, and activate the service by using the links on the Cisco ProtectLink Web page.
To open this page: In the navigation tree, click Cisco ProtectLink Web.
Choose the appropriate option:
Learn more about and request Free Trial for Cisco ProtectLink—Click
this link to open the Cisco ProtectLink Security Solutions page on Cisco.com. You can read product information and get a 30-day trial for your RV router.
Register ProtectLink services and obtain an Activation Code (AC)—
Click this link if you purchased the product and are ready to register it. When the registration page appears, follow the on-screen instructions to enter your Registration Key and provide the required information. Close the web page when you complete this process. The activation code will
Cisco RV220W Administration Guide 98
Page 99
Cisco ProtectLink Web
Global Settings for Approved URLs and Clients
appear on the screen and will be sent to the email address that you provided.
Use the Activation Code (AC) to activate ProtectLink services—Click
this link if you registered the product and received an activation code. When the activation page appears, enter your activation code and follow the on­screen instructions to proceed. Close the web page when you complete this process. Refresh the web browser, and now the ProtectLink Web features are available on your router. The Global Settings page appears.
NOTE If you replace one router with another router that supports this service, you can use
the Use the Activation Code link to transfer your license for the ProtectLink service to the new router.
5
Global Settings for Approved URLs and Clients
After you activate your service, you can use the Cisco ProtectLink Web > Global Settings page to configure the approved clients and approved URLs that are free
from the restrictions that you establish for website access.
Approved Clients, page 99
Approved URLs, page 100
Approved Clients
Use the Cisco ProtectLink Web > Global Settings > Approved Clients page to specify approved clients that are not subject to the restrictions that you configure in Web Protection. Web Protection will not restrict URL requests from these IP addresses.
To open this page: In the navigation tree, choose Cisco ProtectLink Web > Global Settings > Approved Clients.
NOTE This page is available only if you activated your Cisco ProtectLink Web service. See
Getting Started with Cisco ProtectLink Web, page 98.
Cisco RV220W Administration Guide 99
Page 100
Cisco ProtectLink Web
Global Settings for Approved URLs and Clients
STEP 1 In the Approved Clients section, check the Enable box to enable this feature.
STEP 2 In the Approved Clients Table, specify the clients that will always have access to
all URLs, regardless of Web Protection settings.
To add an entry, click Add. On the Approved Client IP Configuration page,
enter IP addresses or ranges. To enter non-consecutive IP addresses, type a semi-colon between entries, such as 1 0 .1 .1.1 ; 1 0 .1 .1. 5 . To enter a range of IP addresses, type a hyphen between the first and last address in the range, such as 1 0 .1 .1. 0 - 1 0 .1 .1.1 0 . Click Save to save your settings.
To edit an entry, check a box, and then click Edit. Enter and save the settings,
as described above.
To delete an entry, check a box, and then click Delete. To select all entries in
the table, check the box in the heading row and then click Delete.
5
STEP 3 Click Save to save your settings, or click Cancel to reload the page with the
current settings.
Approved URLs
Use the Cisco ProtectLink Web > Global Settings > Approved URLs page to specify approved URLs that the users are always able to access. Web Protection will not restrict access to these domains.
To open this page: In the navigation tree, choose Cisco ProtectLink Web > Global Settings > Approved Clients.
NOTE This page is available only if you activated your Cisco ProtectLink Web service. See
Getting Started with Cisco ProtectLink Web, page 98.
STEP 1 In the Approved URLs section, check the Enable box to enable this feature. The
specified URLs will always be accessible.
STEP 2 In the Approved URLs Table, specify the URLs that are always accessible,
regardless of Web Protection settings.
To add an entry, click Add. On the Approved URL Configuration page. Enter
the trusted URL(s) in the box. To enter multiple URLs, type a semi-colon between entries, such as www.cisco.com;www.google.com; www.mycompany.com. All pages in the specified domains will be
Cisco RV220W Administration Guide 100
Loading...
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use