About VPNs | Casio ISA550WBUN3K9 guide

VPN	8
VPN
About VPNs

About VPNs

A VPN provides a secure communication channel (also known as a “tunnel”) between two gateway routers or between a remote PC and a gateway router. The security appliance supports the following VPN solutions:

•Site-to-Site VPN: Connects two routers to secure traffic between two sites that are physically separated. See Configuring a Site-to-Site VPN, page 340.

•IPsec Remote Access: Allows the security appliance to act as a head-end device in remote access VPNs. Your security appliance will be set as an IPsec VPN server and push the security policies to remote VPN clients, so that remote VPN clients have up-to-date policies in place before establishing the VPN connections. The IPsec VPN server can also terminate the VPN connections initiated by remote VPN clients. This flexibility allows mobile and remote users to access critical data and applications on corporate Intranet. See Configuring IPsec Remote Access, page 355.

•Teleworker VPN Client: Minimizes the configuration requirements at remote locations by allowing the security appliance to work as a Cisco VPN hardware client to receive the security policies over the VPN tunnel from a remote IPsec VPN server. See Configuring Teleworker VPN Client, page 363.

•SSL VPN: Allows remote users to access the corporate network by using the Cisco AnyConnect Secure Mobility Client software. Remote access is provided through a SSL VPN gateway. See Configuring SSL VPN, page 372.

•L2TP: Allows remote clients to use a public IP network to secure communicate with private corporate network servers. See Configuring L2TP Server, page 385.

NOTE The security appliance can function as an IPsec VPN server or as a Cisco VPN hardware client, but not both simultaneously.

Cisco ISA500 Series Integrated Security Appliances Administration Guide

334

Image 334

Casio ISA550WBUN3K9 manual About VPNs

Contents

Administration Guide Cisco Systems, Inc. All rights reserved 78-20776-03 Important Note FCC Radiation Exposure Statement For ISA550W and ISA570W Canada Radiation Exposure Statement For ISA550W and ISA570W Industry Canada statementDéclaration dexposition aux radiations UL/CB Configuration Wizards Getting Started Using Remote Access VPN Wizard for SSL Remote Access Status Networking 115 Understanding Dscp Values 171 Wireless for ISA550W and ISA570W only 206 Vlan Setup 180 Wireless Setup 181 User Authentication Vlan Setup 222 Wireless Setup 223 User Authentication Firewall 251 Security Services 291 General Application Control Settings 314 VPN 333 Client Mode 366 Network Extension Mode 367 User Management 388 Device Management 403 Contents Appendix a Troubleshooting 453 Appendix D Where to Go From Here 479 Getting Started Getting Started Model Description ConfigurationIntroduction ISA550W Front Panel Product OverviewFront Panel, Back Panel, VPN POWER/SYSLight Description USB LINK/ACT Back PanelSpeed ISA550 and ISA550W Back Panel Feature Description ANT01/ANT02 Power Switch Getting Started with the Configuration UtilityReset Button Power Logging in to the Configuration Utility Navigating Through the Configuration Utility Number Component Description Configuration Utility Icons Using the Help SystemIcon Description Action Getting Started Factory Default Settings Default Settings of Key Features Restoring the Factory Default Settings Changing the Default Administrator Password Performing Basic Configuration TasksParameter Default Value Upgrading your Firmware After your First Login Click Continue Backing Up Your Configuration Configuration Wizards Using the Setup Wizard for the Initial Configuration Configuration Wizards Starting the Setup Wizard Enabling Firmware Upgrade Validating Security License Enabling Bonjour and CDP Discovery Protocols Configuring Remote Administration Configuring Physical Ports Configuring the Secondary WAN Configuring the Primary WANConfiguring WAN Redundancy Configuring Default LAN Settings Configuring DMZ Configuring DMZ Services Configuration Wizards WAN Configuring Wireless Radio SettingsWAN IP Configuring Intranet Wlan Access Configure Security Services Security Services Viewing Configuration Summary Click Configuration Wizards Dual WAN Wizard Configuring a Configurable Port as a Secondary WAN PortStarting the Dual WAN Wizard Configuring the Primary WAN Configuring Network Failure Detection Using the Remote Access VPN Wizard Using the Remote Access VPN Wizard for IPsec Remote Configuring IPsec Remote Access Group Policy Starting the Remote Access VPN WizardClick Configuration Wizards Remote Access VPN Wizard Configuring WAN Settings Configuring Operation Mode Configuring Access Control Settings Configuring DNS and Wins Settings Configuring Split Tunneling Configuring Backup ServersViewing Group Policy Summary Configuring IPsec Remote Access User Groups Viewing IPsec Remote Access Summary Using Remote Access VPN Wizard for SSL Remote Access Configuring SSL VPN Gateway Client Netmask Client Address Pool Configuring SSL VPN Group Policy Configuration Wizards Configuration Wizards Configuring SSL VPN User Groups Using the Site-to-Site VPN Wizard to Configure Site-to-Site Viewing SSL VPN Summary Click Configuration Wizards Site-to-Site VPN Wizard Configuring VPN Peer SettingsStarting the Site-to-Site VPN Wizard Configuring IKE Policies Configuring Transform Policies Configuring Local and Remote Networks Click Configuration Wizards DMZ Wizard Using the DMZ Wizard to Configure DMZ SettingsConfiguring Ddns Profiles Starting the DMZ Wizard Configuring DMZ Network Configuration Wizards Configuring DMZ Services WAN Starting the Wireless Wizard Using the Wireless Wizard for ISA550W and ISA570W onlyClick Configuration Wizards Wireless Wizard Configuring Wireless Connectivity Types Specify Wireless Connectivity Settings for All Enabled SSIDs Configuring the Ssid for Intranet Wlan Access Configuring Wireless Security, Configuring the Ssid for Guest Wlan Access Configuration Wizards Configuration Wizards Configuration Wizards Field Description Device Status DashboardStatus Dashboard System Information Licenses StatusResource Utilization Syslog Summary Site-to-Site VPN Remote Access VPNRouting Mode Physical Ports Field Status Summary Network StatusStatus Summary Ethernet Vlan Pvid Vlan DMZ Traffic Statistics Traffic Statistics Usage Reports Status WAN Bandwidth Reports ARP Table ARP TableDhcp Bindings Dhcp Bindings STP Status Global Status STP StatusInterface Status Table Status CDP Neighbor Wireless Status Wireless Status for ISA550W and ISA570W onlyWireless Status, Client Status, Client Status NAT StatusNAT Status IPsec VPN Status, SSL VPN Status, VPN StatusIPsec VPN Status VPN Status IPsec VPN Status Statistics Teleworker VPN Client SSL VPN StatusVPN Status SSL VPN Status SSL VPN Statistics Active User Sessions Active User Sessions Security Services Reports Web Security Report Anti-Virus Report Email Security Report Network Reputation Report IPS Report Application Control Report Processes, Resource Utilization, System StatusProcesses System Status Processes CPU Utilization Resource UtilizationSystem Status Resource Utilization Memory Utilization Status Networking Managing Ports Configuring IPv4 or IPv6 RoutingViewing Network Status Networking Viewing Status of Physical Interfaces Configuring Physical Ports Configuring Port Mirroring Configuring Port-Based 802.1x Access Control Networking Configuring WAN Settings for Your Internet Connection Configuring the WANRelease or renew a Dhcp WAN connection, Configure the primary WAN Networking Network Addressing Configuration Mode Configure a secondary WANNetwork Addressing Mode Dhcp Client Static IP PPPoE ISP Pptp L2TP Dual WAN Settings Networking Configuring Link Failover Detection Networking Ddns Services Table Configuring Dynamic DNSAdding or modifying a Ddns service Measuring and Limiting Traffic with the Traffic Meter Networking Configuring a Vlan Networking Networking Networking Configuring DMZ About DMZ networks Example DMZ with One Public IP Address for WAN and DMZ Configuring a DMZ Example DMZ with Two Public IP Addresses Networking Networking Configuring Zones Security Levels for Zones Configuring Zones Predefined Zones Services Configuring Dhcp Reserved IPs Configuring Routing Configuring Routing Mode Viewing the Routing Table Configuring Static Routing Configuring Dynamic Routing RIP Configuring Policy-Based Routing Networking General QoS Settings Configuring Quality of ServiceClick Networking QoS General Settings Managing WAN Bandwidth for Upstream Traffic Configuring WAN QoSClick Networking QoS WAN QoS Bandwidth Configuring WAN Queue Settings Configuring Traffic Selectors Click Networking QoS WAN QoS Queue Settings Networking Configuring WAN QoS Class Rules Configuring WAN QoS Policy ProfilesClick Networking QoS WAN QoS QoS Policy Profile Mapping WAN QoS Policy Profiles to WAN Interfaces WAN QoS Configuration Example WAN1 WAN1IP Source Address Configure WAN QoS for Voice Traffic from LAN to WANClass Name Policy Name QoS Class Rule Configuring WAN QoS for Voice Traffic from WAN to LANQoS Class Rules Configuring LAN QoS Click Networking QoS LAN QoS Queue Settings Configuring LAN Queue SettingsConfiguring LAN QoS Classification Methods Click Networking QoS LAN QoS Classification Methods LAN Queue CoS Value Mapping CoS to LAN QueueMapping Dscp to LAN Queue Click Networking QoS LAN QoS Mapping CoS to Queue Default Wireless QoS Settings Configuring Wireless QoSConfiguring Default CoS 802.1p Priority 802.11e Priority Ieee 802.11e to 802.1p Mapping Configuring Wireless QoS Classification MethodsClick Networking QoS Wireless QoS Classification Methods 802.11e Priority 802.1p Priority Understanding Dscp Values Mapping CoS to Wireless QueueMapping Dscp to Wireless Queue Dscp Value Decimal Value Meaning 100 Configuring Igmp011 Click Networking Igmp Configuring Vrrp Click Networking Vrrp Networking Address Management Configuring AddressesConfiguring Addresses, Configuring Address Groups, Click Networking Address Management Configuring Address Groups Configuring Services, Configuring Service Groups, Service ManagementConfiguring Services Click Networking Service Management Configuring Service Groups Configuring Captive Portal Requirements Vlan Setup Before You Begin Wireless Setup Configuring a Captive PortalUser Authentication Networking Networking Networking Troubleshooting Using External Web-Hosted CGI Scripts Networking Networking Networking Networking Networking Networking Networking Networking CGI Source Code Example No Authentication and Accept Button Networking Networking Networking Networking Networking If result == 2 result == 5 //document.form1.UserName.focus Networking Networking Documentation Related InformationSupport Cisco Small Business Cisco Small Business Home Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Viewing Wireless StatusViewing Wireless Statistics Wireless Wireless Status Wireless Status Viewing Wireless Client Status Configuring the Basic SettingsClick Wireless Basic Settings Wireless for ISA550W and ISA570W only Configuring Ssid Profiles Security Mode Description Configuring Wireless SecurityOpen WEP WPA WPA/WPA2-Personal mixed Supports WPA2WPA + WPA2 WPA/WPA2-Enterprise mixed Supports Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Controlling Wireless Access Based on MAC Addresses Configuring Ssid Schedule Mapping the Ssid to Vlan Configuring Wi-Fi Protected Setup Click Wireless Wi-Fi Protected Setup Wireless for ISA550W and ISA570W only Configuring Captive Portal Requirements Configuring a Captive Portal Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Troubleshooting Using External Web-Hosted CGI Scripts Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only CGI Source Code Example No Authentication and Accept Button Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only If result == 2 result == 5 //document.form1.UserName.focus Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Related Information Configuring Wireless Rogue AP Detection Click Wireless Rogue AP Detection Advanced Radio Settings Click Wireless Advanced Settings Wireless for ISA550W and ISA570W only Wireless for ISA550W and ISA570W only Firewall About Security Zones Firewall Security Levels and Predefined Zones Description Default Firewall Settings Click Firewall Access Control Default Policies Preliminary Tasks for Configuring Firewall Rules Priorities of Firewall Rules General Firewall Settings Click Firewall Access Control ACL Rules Configuring a Firewall Rule Configuration Examples, Firewall Configuring a Firewall Rule to Allow Multicast Traffic MAC Address Filtering to Permit or Block Traffic, Configuring Firewall Logging Settings Configuring NAT Rules to Securely Access a Remote Network Viewing NAT Translation Status Firewall NAT NAT Status Inbound Traffic Priorities of NAT RulesOutbound Traffic Configuring Dynamic PAT Rules Click Firewall NAT Dynamic PAT Configuring Static NAT Rules Click Firewall NAT Static NAT Configuring Port Forwarding Rules Click Firewall NAT Port Forwarding Firewall Configuring Port Triggering Rules Click Firewall NAT Port Triggering Configuring Advanced NAT Rules Click Firewall NAT Advanced NAT Configuring IP Alias for Advanced NAT rules As Any Http Configuring an Advanced NAT Rule to Support NAT Hairpinning From Any FTP-CONTROL DefaultDefaultnetwork WAN WAN1 WAN IP WAN1IP Firewall and NAT Rule Configuration Examples Allowing Inbound Traffic Using the WAN IP Address Translated IP InternalFTP Enable Port ForwardingANY Translated IP RDPServer Allowing Inbound Traffic Using a Public IP AddressRDP WAN WAN1 WAN IP Address Original Destination PublicIP Original Services Port NameNetmask Zone CU-SEEME Enable Port Forwarding Create Firewall Rule OffTranslated IP InternalIP Blocking Outbound Traffic to an Offsite Mail Server Blocking Outbound Traffic by Schedule and IP Address RangeSchedule Configuring Content Filtering Policy Profiles Configuring Content Filtering to Control Internet AccessClick Firewall Content Filtering Content Filtering Policies Configuring Website Access Control List Mapping Content Filtering Policy Profiles to Zones Click Firewall Content Filtering Policy to Zone Mapping Configuring Advanced Content Filtering Settings Click Firewall Content Filtering Advanced Settings Configuring MAC Address Filtering to Permit or Block Traffic Click Firewall MAC Filtering MAC Address Filtering Configuring IP-MAC Binding to Prevent Spoofing Click Firewall MAC Filtering IP MAC Binding Rules Configuring Attack Protection Click Firewall Attack Protection Configuring Session Limits Click Firewall Session Limits Configuring Application Level Gateway Click Firewall Application Level Gateway Firewall Security Services About Security Services IPS Activating Security Services Priority of Security Services Security Services Dashboard Click Security Services Dashboard Viewing Security Services Reports Viewing Web Security Report Viewing IPS Report, Viewing Application Control Report, Viewing Anti-Virus Report Viewing Email Security Report Total Since Activated Viewing Network Reputation ReportSystem Date Total Last 7 Days Total Today Viewing IPS ReportGraph Viewing Application Control Report Configuring Anti-Virus General Anti-Virus Settings Click Security Services Anti-Virus General Settings Http Notification, Protocol ActionNotify + Drop Connection Drop the connection FTP Notification, NetbiosCifs Configuring Advanced Anti-Virus Settings Click Security Services Anti-Virus Advanced Settings Click Security Services Anti-Virus Http Notification Configuring Http NotificationConfiguring Email Notification Click Security Services Anti-Virus Email Notification Updating Anti-Virus Signatures Configuring Application Control Updating Application Signature Database, General Application Control Policy Settings Configuring Application Control PoliciesImportant Tips Adding an Application Control Policy Security Services Permitting or Blocking Traffic for an Application General Application Control Settings Enabling Application Control Service Mapping Application Control Policies to Zones Configuring Application Control Policy Mapping Rules Updating Application Signature Database Advanced Application Control Settings Click Update Database Configuring Spam Filter Click Security Services Spam Filter Security Services Configuring Intrusion Prevention Security Services Configuring Signature Actions Updating IPS Signature Database Configuring Web Reputation Filtering Click Security Services Web Reputation Filtering Configuring Web URL Filtering Configuring Web URL Filtering Policy Profiles Click Security Services Web URL Filtering Policy Profile Configuring Website Access Control List Click Security Services Web URL Filtering Advanced Settings Configuring Advanced Web URL Filtering SettingsMapping Web URL Filtering Policy Profiles to Zones Security Services Network Reputation VPN About VPNs Viewing IPsec VPN Status, Viewing SSL VPN Status, Viewing VPN StatusViewing IPsec VPN Status VPN VPN Status IPsec VPN Status Field Description Viewing SSL VPN Status VPN VPN Status SSL VPN Status SSL VPN Statistics VPN Configuring a Site-to-Site VPN Site-to-Site VPN General Site-to-Site VPN Settings Configuration Tasks to Establish a Site-to-Site VPN TunnelClick VPN Site-to-Site IPsec Policies VPN Configuring IPsec VPN Policies VPN VPN VPN 283058 VPN Click VPN Site-to-Site IKE Policies VPN Configuring Transform Sets Click VPN Site-to-Site Transform Policies Remote Network Remote Teleworker Configuration ExamplesField Setting IKE Policy Name Enable From Transform Destination Address Translated Services Address Translated Configuring IPsec Remote Access Cisco VPN Client Compatibility Then choose Cisco VPN Client Configuring IPsec Remote Access Group Policies Enabling IPsec Remote AccessClick VPN IPsec Remote Access VPN VPN Group Name Allowing IPsec Remote VPN Clients to Access the InternetIKE Authentication WAN Interface Name VPNClienttoWAN1 Enable From Any Mode Client Pool Range for Client Start IPClient Internet Disable Access WAN Failover LAN WAN2 Name VPNClienttoWAN2 Enable From AnyWAN2IP Configuring Teleworker VPN Client Translated Any Destination Address Translated Services Required IPsec VPN Servers Transform Set Modes of Operation Benefits of the Teleworker VPN Client FeatureClient Mode, Client Mode Network Extension Mode, Network Extension Mode IPsec VPN Network Extension Connection General Teleworker VPN Client Settings Click VPN Teleworker VPN Client Configuring Teleworker VPN Client Group Policies VPN VPN Configuring SSL VPN SSL Remote User Access Elements of the SSL VPN Configuration Tasks to Establish a SSL VPN Tunnel Installing Cisco AnyConnect Secure Mobility Client Configuring SSL VPN Gateway Importing Certificates for User AuthenticationConfiguring SSL VPN Users Click VPN SSL Remote User Access SSL VPN Configuration Client Netmask Client Address Pool VPN Configuring SSL VPN Group Policies Click VPN SSL Remote User Access SSL VPN Group Policies VPN VPN Accessing SSL VPN Portal Allowing SSL VPN Clients to Access the Internet Address Original Destination Any Original Services Enable From AnyName SSLVPNtoWAN1 Enable From Any Sslvpnaddresspool Name SSLVPNtoWAN2 Enable From Any Configuring L2TP Server Click VPN L2TP Server Service Configuring VPN Passthrough Click VPN VPN Passthrough Viewing Active User Sessions Users Active User Sessions Available Services for User Groups Configuring Users and User GroupsDefault User and User Group User Management Configuring Local Users Preempt AdministratorsClick Users Users and Groups Configuring Local User Groups User Management Configuring User Authentication Settings Using Radius Server for User Authentication Using Local Database for User AuthenticationClick Users User Authentication Local Database Settings Radius Server Settings Local Radius Server Settings Database Click Users User Authentication Using Ldap for User Authentication User Management Using Local Database and Ldap for Authentication Configuring Radius Servers Click Users Radius Servers User Management Device Management Viewing Process Status Viewing System StatusViewing Resource Utilization Administration Configuring Administrator Settings Example https//209.165.201.18080 Configuring Email Alert Settings Click Device Management Administration Email Alert New Firmware Alert Event DescriptionCPU Overload Alert Your Firmware from Cisco.com, Security License, Settings page. See Configuring Log Settings,Log Facilities, Up/Down Alert Check Site-to-Site VPN Up/Down Alert in the Enable columnWAN Up/Down Alert Traffic Meter Alert Anti-Virus Alert Settings. See Configuring Application Control, IPS Alert Configuring Snmp Click Device Management Administration Snmp Backing Up and Restoring a Configuration Click Device Management Backup/Restore Device Management Managing Certificates for Authentication Viewing Certificate Status and Details Click Device Management Certificate Management Exporting Certificates to Your Local PC Certificate Type Details Exporting Certificates to a USB Device Importing Certificates from Your Local PC Importing Certificates from a USB Device Generating New Certificate Signing Requests Importing Signed Certificate for CSR from Your Local PC Configuring Cisco Services and Support Settings Configuring Cisco OnPlus Configuring Remote Support Settings Sending Contents for System Diagnosis Configuring System Time Click Device Management Date and Time Click Device Management Device Properties Configuring Device PropertiesDiagnostic Utilities Ping, Traceroute, DNS Lookup, Packet Capture, Ping Click Device Management Diagnostic Utilities PingClick Device Management Diagnostic Utilities Traceroute Traceroute Packet Capture Device Discovery ProtocolsDNS Lookup UPnP Discovery, Bonjour Discovery, CDP Discovery, Lldp Discovery, UPnP DiscoveryClick Device Management Discovery Protocols UPnP Click Device Management Discovery Protocols Bonjour Bonjour DiscoveryCDP Discovery Click Device Management Discovery Protocols CDP Lldp Discovery Click Device Management Discovery Protocols Lldp Firmware Management View the firmware status. See Viewing Firmware Information, Viewing Firmware Information Using the Secondary FirmwareFirmware Version area, click Switch Firmware Click Device Management Firmware Upgrading your Firmware from Cisco.com Upgrading Firmware from a PC or a USB Device Using Rescue Mode to Recover the System Firmware Auto Fall Back Mechanism Managing Security License Checking Security License Status Click Device Management License Management Installing or Renewing Security License Viewing Logs Log ManagementClick Device Management Logs View Logs Click Query Configuring Log Settings Click Device Management Logs Log Settings Critical level Severity Level DescriptionEmergency level Notification level Device Management Configuring Log Facilities Click Device Management Logs Logs Facilities Click Device Management Reboot/Reset Rebooting and Resetting the DeviceReset Device area, click Reset to Factory Defaults Rebooting the Security Appliance Configuring SchedulesClick Device Management Schedules Device Management Device Management Device Management Internet Connection Recommended Actions Troubleshooting Click Status Dashboard Recommended Actions Click Networking WAN WAN Settings Date and Time Enable the Daylight Saving Time Adjustment featureDate and Time Testing the LAN Path from Your PC to Your Security Appliance Pinging to Test LAN Connectivity Testing the LAN Path from Your PC to a Remote Device Feature ISA550 ISA570 Internal Power Supply Physical Specifications Remote Administration Feature SettingDevice Management CDP Factory Default SettingsSnmp Lldp User Groups User ManagementLocal Users IPv4 or IPv6 Routing User Authentication MethodsNetworking Network Addressing Modes WAN Redundancy Operation Modes Port-based Access ControlVLANs Zones Routing LAN QOS Vrrp Wireless Captive Portal Wi-Fi Protected Setup WPSRogue AP Detection IKE Policies IPsec Remote Access SSL VPN Features Setting Security ServicesFirewall MAC Address Filtering Content FilteringNAT IP MAC Binding Reports Default Service Objects Service Name Protocol Port Description Start End FTP-DATA TCP IKE UDP Rtelnet TCP Default Address Objects Address Name Type IP, IP/Netmask, or IP Range Product Documentation Product ResourcesSupport Cisco Small Business