Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 527-0883

SMART Designs
Small Business Network Foundation
Implementation Guide
December, 2012
Cisco SMART Designs

Cisco SMART Designs consists of solutions designed, tested, and documented to facilitate faster, more reliable, and more predictable customer deployments. For more information visit www.cisco.com/go/partner/smartdesigns.

ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, DESIGNS) IN THIS MANUAL ARE PRESENTED AS IS, WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Small Business Network Foundation Implementation Guide
2012 Cisco Systems, Inc. All rights reserved.
CONTENTS

Introduction 1
  SBNF Solution Benefits 2
  Scope of this Guide 2
  High Level SBNF Network Topology 3
Implementation Overview 4
  Network Topology 4
  Network Design Details 6
  Main Office Configuration 8
Preparing for the Implementation 10
  Updating Software Applications on Laptop PC 10
  Using the Quick Start Guides 10
  Using the Administration Guides 11
  Connecting to the ISA570W and SG500 Series Switches 11
Network Configuration 12
  Basic Network Configuration with Internet Access 12
  Configuring Interfaces Between the Cisco ISA570W and SG500 Devices 21
  ISA570W SBNF Layer 3 Configuration 33
Configuring Quality of Service 40
  Configuring WAN QoS 40
  Configuring LAN QoS 49
VPN Configuration 52
  Using the Site-to-Site VPN Configuration Wizard 53
  Mobile Worker Configuration 57
  Configuring Laptops of Mobile Workers for Cisco VPN Client 72
  Additional Enhancements 78
Remote Office Configuration 78
References 78
Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA. Copyright 2012 Cisco Systems, Inc. All rights reserved.

Cisco Small Business Network Foundation Implementation Guide

This document is intended for small business customers with 100 employees or fewer who are interested in using the Cisco Small Business Series products to secure their small business network. The implementation described in this guide is part of the Cisco SMART Designs suite.

This guide describes an implementation based on Cisco Small Business Series networking devices. This implementation provides a networking foundation for small businesses that supports more advanced functionality such as advanced security, voice, wireless, and video. The design recommendations in the Cisco Small Business Network Foundation (SBNF) Design Guide provide practical guidance for a Cisco Small Business Series solution that supports up to 100 users, explain the technology involved, and describe the components and architecture for meeting specific requirements. The SBNF Design Guide is located at the following URL: http://www.cisco.com/go/smartdesigns/sbnf.

This guide contains the following sections:
- Introduction, page 1
- Implementation Overview, page 4
- Preparing for the Implementation, page 9
- Network Configuration, page 11
- Configuring Quality of Service, page 39
- Remote Office Configuration, page 56
- References, page 78

Introduction

This implementation guide describes the basic steps for configuring an SBNF deployment in a small business that can span from a typical single office (main office) environment to one that connects multiple sites, such as remote offices and mobile workers.
This implementation guide also shows how to configure the Cisco ISA500 Series Security Appliance and Cisco SG500 Series switches with aggregation/access layer switches, firewall, site-to-site, and remote access VPNs. For detailed configuration information, see the administration guides for the Cisco ISA500 Series and Cisco SG500 Series.

SBNF solutions address the following security, productivity, and connectivity needs of small businesses:
- Network communication at a business location with Internet access
- High performance zone-based firewall for controlling inbound and outbound traffic
- Reserved Guest VLAN (2) for wired and wireless; guest access mapped to the Guest zone
- Captive Portal authentication for guest users (refer to the WLAN Implementation Guide)
- Enhanced Quality of Service (QoS)
- DMZ for public websites and services
- IPSec VPN connectivity for multi-site deployments
- Dual WAN connectivity to ISPs (optional)
- SSL VPN (AnyConnect secure client) or Remote Access IPSec VPN for easy remote connectivity for employees
- Aggregation/access layer LAN switching with Cisco SG500 Series Switches with Power over Ethernet (PoE) capability
- Stacked aggregation switches (optional), for LAN high availability

SBNF Solution Benefits

An SBNF implementation provides the following benefits:
- Easy deployment and management to maximize limited IT staff and resources
- Safe, secure, and easy remote network access from anywhere
- High performance firewall that protects critical business functions
- Resilient LAN that connects data and voice endpoints, such as PCs, servers, and IP phones
- WAN failover and load balancing (optional)
- Guest access
- PoE-enabled switches
- Increased employee productivity

Scope of this Guide

This implementation guide describes the following capabilities:
- Network security
  - High performance zone-based firewall
  - DMZ support
- Network connectivity
  - Secure site-to-site and remote access with IPSec and Secure Socket Layer (SSL) VPN with AnyConnect client
  - Gigabit Ethernet connectivity to the Cisco SG500 Series Switches and WAN
  - Aggregation switch stacking (optional) to provide a highly available LAN
  - Dual WAN capability with load balancing or failover via the optional WAN port (optional)
- Ease of use
  - Simple deployment and management with a GUI-based embedded device manager
- Featured products
  - Cisco ISA500 Series Integrated Security Appliances (ISA550, ISA550W, ISA570, ISA570W)
  - Cisco Small Business SG500 Series Stackable Switches

The reader is encouraged to read the SBNF Design Guide to better understand the implementation of the entire SBNF network. Figure 1 shows the relationships of other documents to this implementation guide.

Figure 1 Related SBNF Documents
[Figure: the Networking Primer for Small Businesses (Introduction to Networking Concepts) is the prerequisite document; the SBNF Design Guide and the SBNF Bill of Material and Product Selection Guide are for technical decision makers, network designers, and network implementers; the SBNF Implementation Guide (this document) is for network implementers.]

High Level SBNF Network Topology

The topology in Figure 2 shows a high-level network diagram of the SBNF solution. It consists of the following locations: main office, remote office, and mobile worker (IPSec and SSL VPN). The locations are linked using VPN connectivity. For more information about the location descriptions, see the Networking Primer for Small Businesses.
Figure 2 High-Level SBNF Network Diagram
[Figure: the main office connects across the Internet to a remote office (site-to-site IPSec VPN), a home office/mobile worker (remote IPSec VPN), and a mobile worker (SSL VPN).]

Implementation Overview

This section provides an overview of the implementation. It includes the following topics:
- Network Topology, page 4
- Network Design Details, page 6
- Main Office Configuration, page 7
- Updating Software Applications on Laptop PC, page 9
- Using the Quick Start Guides, page 9
- Using the Administration Guides, page 10

Network Topology

The descriptions in this document are based on the network topology shown in Figure 3. The pictures in this topology do not show any specific Cisco Small Business Series devices, because the topology is generic enough to be used for any of the Small Business Series routers and switches. However, this implementation guide uses the Cisco ISA570W Security Appliance and the Cisco SG500 Series switches in a small business network at the main office and remote office to demonstrate an SBNF deployment. Other ISA500 Series security appliances can be used instead of the ISA570W Security Appliance.

Note: The mobile worker does not use a Small Business Series router to connect to the small business WAN network, but instead uses either a home router or some sort of publicly accessible Internet connection, such as wireless hot spots or free wifi in restaurants, airports, or coffee shops.

Figure 3 SBNF Implementation Topology
[Figure: main office (ISA5xx with an optional DMZ port to a DMZ server, and an 802.1q trunk to SG500 switches carrying the Admin default, Cisco-guest, Cisco-data, and Cisco-voice VLANs; SBNF LAN topologies L1-L3; optional other devices), remote office (ISA5xx with an SG500 switch; SBNF LAN L0-L1) reached over an IPsec VPN tunnel, and mobile worker reached over an SSL VPN (AnyConnect) or IPsec VPN tunnel, all across the WAN/Internet.]

Note: ISA5xx Integrated WAN Router denotes the Cisco Small Business Series Router that contains the integrated switch ports, and may also contain other integrated hardware such as a wireless AP, voice, and so on, as well as integrated software functionality. In this implementation, an ISA570W Security Appliance performs the role of the ISA5xx.

Mobile workers, who obtain their IP address from any other network with connectivity to the Internet, use SSL VPN or IPSec VPN to connect to the WAN IP address of the ISA500 Series. The ISA500 Series security appliance connects to the Internet through its WAN port, and connects to the Cisco 500 aggregation or access switches through one of its switch ports. Depending on the exact model used, one or more of the configurable ports can be used as secondary WAN, DMZ, or extra LAN ports. In the topology shown in Figure 3, one configurable port is used as the DMZ port connected to a single server, an external switch (connected to multiple DMZ servers), or a LAN segment at the main office. The various topologies are described in the SBNF Design Guide.

Note: The SBNF LAN topologies L1-L3 cloud, as shown in Figure 3, includes SG500 Series Switches as aggregation/access layer switches. Outside the cloud, a Cisco Unified Communications 500 (UC500) device is used to test the voice VLANs using voice-over-IP (VoIP) telephones. The UC500 was used as a voice termination device and not as a complete voice solution with SBNF. For the complete Unified Communication Services configuration, see the application note, Enhancing SBNF with Unified Communication Services. The UC500 configuration with the SBNF implementation is beyond the scope of this document.
Network Design Details

The Cisco ISA500 Series security appliance and the Cisco 500 Series switch come with preconfigured VLANs, data (1) and voice (100), and the IP addresses listed in Table 1. However, this implementation guide uses the VLANs and network addresses described in the IP Address Scheme section of the SBNF Design Guide. For convenience, the IP addressing table from the SBNF Design Guide is duplicated here. Implementations can use these default values or modify them to suit the network design. This guide uses the modified values for VLANs and IP addresses listed in Table 2.

Table 1 Default VLANs and IP Addresses
Data VLAN: 1
IP address/default gateway: 192.168.75.1
DHCP pool for data VLAN: 192.168.75.100-254
Voice VLAN: 100
Guest VLAN: 2
Guest DHCP range: 192.168.25.100-254
Guest default gateway: 192.168.25.1

Table 2 Sample IP Address Assignments (columns: Sample Value for Main Site | Sample Value for First Remote Office | Home Office)

For PCs (get address via DHCP):
Data VLAN (cisco-data): 10 | 10 | 1
Private IP range for data VLAN (for PCs) (1): 10.1.20.0/24 | 10.2.20.0/24* | NA
Default gateway for data VLAN: 10.1.20.1 | 10.2.20.1 | 10.x.20.1
DHCP excluded addresses in data VLAN, for assigning fixed addresses to interfaces, test tools, and so on: 10.1.20.1 to 10.1.20.9 | 10.2.20.1 to 10.2.20.9 | 10.x.1.10 to 10.x.20.9

For IP phones (get address via DHCP, if voice service is implemented). For the home office, x can be any number other than those of the remote offices and SSL VPN network addresses.
Voice VLAN (cisco-voice): 100 | 100 | 1
Private IP range for voice VLAN: 10.1.100.2/24 | 10.2.100.0/24* | Same as data
Default gateway for voice VLAN: 10.1.100.1 | 10.2.100.1 | Same as data
TFTP server IP address for IP phones to download their configuration: 10.1.1.1 | 10.1.1.1 | 10.1.1.1

VPN-related addresses (if the deployment supports home offices and/or mobile workers):
Public IP address for VPN gateway: 50.101.1.1 (sample; this is assigned by the service provider) | NA | NA
SSLVPN clients: 10.1.154.0/24 | N/A | N/A
IPSec VPN client: 10.1.254.0/24 | N/A | N/A

DMZ-related VLANs / IP addresses:
Private IP range for DMZ VLAN: 172.16.2.0/24 | NA | NA
Default gateway for DMZ VLAN: 172.16.2.1 | NA | NA

Public addresses for Internet access:
WAN interface address: Public IP address as assigned by service provider (for example: 51.101.1.1/24) | Public IP address as assigned by service provider | Public IP address as assigned by service provider
Optional WAN interface address (redundancy/failover): Public IP address as assigned by service provider (for example: 51.101.2.1/24) | N/A | N/A

(1) Since the UC500 uses the 10.1.10.0 network internally, the data VLAN subnet is assigned 10.1.20.0/24 in this implementation.

Note: Remote office IP address assignment for the data VLAN (10.x.20.0/24) is done by changing the value of x to make the addresses of a remote office distinct from those of other locations. The mobile worker uses a fixed subnet of 10.1.254.0/24 for the IPsec VPN Client and 10.1.154.0/24 for the SSL VPN AnyConnect client.

Main Office Configuration

In the main office, the WAN router (ISA570W Security Appliance) enables communication within the LAN and allows computers to access the Internet as well as the other office locations. The LAN includes the access switches and any aggregation switch, as described in Network Topologies L1-L3 in the SBNF Design Guide. With the default settings, the ISA570W Security Appliance gets its WAN IP address dynamically from the ISP via the cable/DSL modem. All the devices on the data VLAN receive their IP addresses dynamically from the ISA570W Security Appliance, while those on the voice VLANs receive their IP addresses from the UC500 (see Figure 4). All devices have access to the Internet, but unsolicited inbound traffic from the Internet to any LAN device is disallowed. The Guest VLAN can only communicate with the Internet, using Captive Portal authentication.
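To make the per-site scheme in Table 2 and the note above concrete, here is an added example (not part of the Cisco guide) that derives a site's data and voice VLAN addressing from its site number x and flags the overlap the note warns about. The nine excluded DHCP addresses, the fixed VPN client pools, and the UC500 and DMZ blocks are taken from Table 2; the class and function names are my own.

```python
"""Site addressing planner for the SBNF scheme in Table 2 (added example, not Cisco's code).

Assumed from the guide: site number x uses 10.x.20.0/24 for the data VLAN (gateway
10.x.20.1, first nine hosts excluded from DHCP) and 10.x.100.0/24 for the voice VLAN
(gateway 10.x.100.1); the main site is x = 1; 10.1.254.0/24 (IPsec clients),
10.1.154.0/24 (SSL VPN clients), 10.1.10.0/24 (UC500 internal) and 172.16.2.0/24
(DMZ) are fixed blocks no site may reuse. Class and function names are my own.
"""
import ipaddress
from dataclasses import dataclass
from itertools import combinations

FIXED_BLOCKS = {
    "IPsec VPN clients": ipaddress.ip_network("10.1.254.0/24"),
    "SSL VPN clients": ipaddress.ip_network("10.1.154.0/24"),
    "UC500 internal": ipaddress.ip_network("10.1.10.0/24"),
    "DMZ": ipaddress.ip_network("172.16.2.0/24"),
}
DHCP_EXCLUDED_HOSTS = 9  # 10.x.20.1 .. 10.x.20.9 stay free for interfaces and test tools


@dataclass(frozen=True)
class SitePlan:
    name: str
    x: int
    data_subnet: ipaddress.IPv4Network
    data_gateway: ipaddress.IPv4Address
    dhcp_excluded: tuple  # (first, last) address kept out of the DHCP pool
    dhcp_pool: tuple      # (first, last) address handed out by DHCP
    voice_subnet: ipaddress.IPv4Network
    voice_gateway: ipaddress.IPv4Address


def plan_site(name: str, x: int) -> SitePlan:
    """Derive data and voice VLAN addressing for site number x (1 = main site)."""
    if not 1 <= x <= 254:
        raise ValueError(f"site number {x} is outside 1..254")
    data = ipaddress.ip_network(f"10.{x}.20.0/24")
    voice = ipaddress.ip_network(f"10.{x}.100.0/24")
    hosts = list(data.hosts())  # 10.x.20.1 .. 10.x.20.254
    return SitePlan(
        name=name,
        x=x,
        data_subnet=data,
        data_gateway=hosts[0],
        dhcp_excluded=(hosts[0], hosts[DHCP_EXCLUDED_HOSTS - 1]),
        dhcp_pool=(hosts[DHCP_EXCLUDED_HOSTS], hosts[-1]),
        voice_subnet=voice,
        voice_gateway=next(iter(voice.hosts())),
    )


def find_conflicts(sites: list) -> list:
    """Describe every overlap between planned sites, and between a site and a fixed block.

    A home office that reuses a remote office's x (the mistake the note above warns
    about) shows up as two overlaps, one for the data VLAN and one for the voice VLAN.
    """
    conflicts = []
    for a, b in combinations(sites, 2):
        for vlan, net_a, net_b in (("data", a.data_subnet, b.data_subnet),
                                   ("voice", a.voice_subnet, b.voice_subnet)):
            if net_a.overlaps(net_b):
                conflicts.append(f"{a.name} and {b.name} both use {net_a} for the {vlan} VLAN")
    for site in sites:
        for vlan, net in (("data", site.data_subnet), ("voice", site.voice_subnet)):
            for label, fixed in FIXED_BLOCKS.items():
                if net.overlaps(fixed):
                    conflicts.append(f"{site.name} {vlan} VLAN {net} overlaps the {label} block {fixed}")
    return conflicts


def next_free_x(sites: list) -> int:
    """Smallest site number from 2 to 254 whose subnets clash with nothing planned so far."""
    used = {site.x for site in sites}
    for x in range(2, 255):
        if x in used:
            continue
        candidate = plan_site("candidate", x)
        if not find_conflicts([candidate]) and all(
            not find_conflicts([site, candidate]) for site in sites
        ):
            return x
    raise RuntimeError("no free site number left under this scheme")


if __name__ == "__main__":
    main_site = plan_site("main office", 1)
    remote = plan_site("remote office 1", 2)
    home = plan_site("home office", 2)  # constructed mistake: reuses x = 2
    for line in find_conflicts([main_site, remote, home]):
        print("CONFLICT:", line)
    print("next free site number:", next_free_x([main_site, remote]))
```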
In this implementation guide, the voice VLAN is optional and requires a voice termination device such as a UC500. Note that the ISA570W Security Appliance also facilitates IP phone communication between main and remote offices, as well as SIP and H.323 voice traffic to the Internet, using the Application Level Gateway (ALG) configuration. All other types of IP communication to the outside world use a voice gateway.

Figure 4 shows the layout of a main office with the ISA570W Security Appliance as well as the SG500 Series aggregation and access switches.

Figure 4 Main Office Topology Detail Layout
[Figure: ISA570W Security Appliance (WAN1 51.101.1.1; VLAN 1 192.168.75.1, VLAN 2 192.168.25.1, VLAN 10 10.1.20.1, VLAN 100 10.1.100.1; DMZ 172.16.2.1 with an HTTP server at private IP 172.16.2.20 / public IP 51.101.1.20), GE2 trunk to the 2 x SG500 stacked aggregation switches (stack IP address 192.166.75.2), trunks carrying VLANs 1, 2, 10, 100 to SG500 access switch 192.168.75.3 and SG500 access switch 192.168.75.4, the UC500 WAN interface 10.1.1.1 on G2/1/22, and access ports on VLAN 2, VLAN 10, or VLANs 10 and 100. VLAN 1 is the default VLAN, VLAN 2 the guest VLAN, VLAN 10 the data VLAN, and VLAN 100 the voice VLAN.]

Table 3 summarizes the connectivity details between the devices in Figure 4.

Table 3 Main Office Connectivity Detail (each row lists the ports on the row device that connect to the named device)
ISA570W Security Appliance (ISA 570W): to the SG500 aggregation switch, GE2
SG500 stacked aggregation switch (SG500-24): to the ISA570W Security Appliance, GE 1/1/24; stack connection between the two aggregation switches; to access switch 1, G1/1/7 and G2/1/19; to access switch 2, G1/1/8 and G2/1/20; to the UC500, G2/1/22
Access switch 1 (SG500-48P): to the SG500 aggregation switch, G1/1/7 and G1/1/19
Access switch 2 (SG500-48P): to the SG500 aggregation switch, G1/1/8 and G1/1/20
UC500: to the SG500 aggregation switch, WAN interface

Preparing for the Implementation

This section provides instructions to follow before beginning the actual implementation. It includes the following topics:
- Updating Software Applications on Laptop PC
- Using the Quick Start Guides
- Using the Administration Guides
- Connecting to the ISA570W Security Appliance and SG500 Series Switches

Updating Software Applications on Laptop PC

Download all the latest software in case an upgrade of the Cisco SBNF components is required. Download the latest version of the software to a common directory on your laptop PC. To find the latest software for components, go to http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm and search under the specific component name.

Using the Quick Start Guides

Obtain a paper or electronic copy of the quick start guides before connecting to the Cisco ISA570W Security Appliance and Cisco SG500 Series switches. For new equipment, the quick start guide should be included in the shipping box or package. Each new equipment purchase should include the following items:
- Device
- Power cord
- Mounting hardware
- Rubber feet for desktop mounting
- Serial cable
- Quick start guide
- Device series CD

Besides the description of the device, the quick start guide shows how to initially configure the device using either a static or DHCP IP address, how to use Cisco Configuration Assistant when supported, how to connect devices, and provides references to other relevant documents. For the initial configuration details of the Cisco ISA570W Security Appliance and Cisco SG500 Series Switches, use the respective quick start guide. The quick start guides contain the following sections:
- Product Overview: Displays the front and back panel of the device, and describes the physical aspects of the device
- Installation Options: Describes the environment in which to place the equipment
- Installation: Connects all equipment according to the topology to be deployed
- Launching the Configuration Utility: Connects and logs in to the device
- Getting Started with the Configuration: Explains how to use the getting started page to do most of the configuration tasks, including upgrading the firmware/software

Note: Cisco recommends upgrading the firmware/software for the ISA570W Security Appliance and SG500 Series switches if upgrades are available.
Using the Administration Guides

Obtain a paper or electronic copy of the administration guides before configuring the ISA570W Security Appliance and SG500 Series switches. The following topics are not covered in this document because they are available in the appropriate administration guide:
- ISA570W Security Appliance and Cisco SG500 switch feature overview
- How to connect to the ISA570W Security Appliance and SG500 Series switches
- How to use the configuration utility for the ISA570W Security Appliance and SG500 Series switches
- Default settings on the ISA570W Security Appliance and the SG500 Series switches
- Basic tasks such as upgrading the firmware, changing the default name and password, and backing up the configuration

This implementation guide focuses on the configuration of a network as shown in Figure 4.

Note: Configuring the Cisco UC500 is beyond the scope of this document. For configuring the UC500 with SBNF, see the Enhancing Cisco Small Business Network Foundation with Unified Communications application note.
Connecting to the ISA570W Security Appliance and SG500 Series Switches

To connect to the ISA570W Security Appliance, perform the following steps:

Step 1 Boot the ISA570W Security Appliance.
Step 2 After the security appliance has powered on, connect the switch, APs, and other devices to one of the switch ports on the security appliance so they can obtain a DHCP IP address from the security appliance.
Step 3 From the Navigation menu on the security appliance, click Status > Network Status > DHCP Bindings to view the IP address of the newly connected device.

Figure 5 DHCP Bindings

Step 4 After connecting to the devices using the DHCP IP address, change the IP address to a static IP address outside the DHCP pool.

Network Configuration

This section describes the procedures necessary to configure the network. It includes the following topics:
- Basic Network Configuration with Internet Access, page 12
- Configuring Interfaces Between the Cisco ISA570W Security Appliance and SG500 Devices, page 20
- ISA570W Security Appliance SBNF Layer 3 Configuration, page 32
- Remote Office Configuration, page 56

Note: It is assumed that before configuring the devices, the network has been installed as shown in Figure 4.
Basic Network Configuration with Internet Access

This section describes tasks that are needed for all the SBNF office locations. The default configurations on the ISA570W Security Appliance and SG500 Series switches are sufficient for the offices. However, depending on the requirements of the ISP as well as the preferences for the LAN configuration, changes should be made as necessary. To enable offices to connect to the Internet, complete the steps in the following topics.

Configuring WAN on ISA570W Security Appliance

By default, the security appliance is configured to receive a public IP address from your ISP automatically through DHCP. Depending on the requirements of your ISP, you may need to modify the WAN settings to ensure Internet connectivity. If you have two ISP links, one for WAN1 and another for WAN2, you must configure a secondary WAN interface using one of the configurable ports on the security appliance.

Note: When the WAN port is configured to obtain an IP address from the ISP using Dynamic Host Configuration Protocol (DHCP), you can click the Release icon to release its IP address, or click the Renew icon to obtain a new IP address.

This section describes how to configure the WAN connections by using the account information provided by your ISP. Complete the following steps:

Procedure: Configuring the Primary WAN Interface

Step 1 Select Networking > WAN > WAN Settings. The WAN Settings window is displayed (see Figure 6).

Figure 6 WAN Interface Settings

Step 2 To edit the settings of the primary WAN (WAN1), click the Edit (pencil) icon. The WAN Add/Edit window is displayed (Figure 7).

Figure 7 WAN Interface Settings: Add/Edit Window

Step 3 Enter data as shown in Figure 7, changing the entries for the specific IP addresses used.
Step 4 Select the WAN zone, which is predefined.
Step 5 Click OK to save your settings. The screen changes.
Step 6 Click Save to apply your settings. Figure 8 shows the WAN interface configuration summary.
Figure 8 WAN Interface Settings: Summary

Configuring the Secondary WAN (optional)

To set up two ISP links for a network, configure a secondary WAN in the same way. You can use one link as the primary link and the other link for backup purposes, or you can configure load balancing to use both links simultaneously. For more information about configuring the secondary WAN, refer to the following subsection in the Administration Guide: Networking / Configuring WAN / Configuring WAN Redundancy.

Managing Physical Ports

To configure the physical ports, complete the following steps:

Procedure

Step 1 To open the Physical Interface page, click Networking > Ports > Physical Interface. The screen shown in Figure 9 is displayed.

Figure 9 Physical Interfaces

Step 2 Check the box in the Enable column to enable a physical port, or uncheck it to disable the physical port.
Step 3 To edit the settings of a physical port, click the Edit (pencil) icon.

Configuring the SBNF VLANs on ISA570W Security Appliance

The security appliance comes with the following predefined VLANs: 1 (DEFAULT), 2 (GUEST), 100 (VOICE). In SBNF, the GUEST VLAN is edited to change its IP subnet and a DATA VLAN (10) is added, giving the following VLANs:
- A native VLAN (DEFAULT), with VLAN ID 1 and IP address 192.168.75.1. By default, this VLAN is in the LAN zone.
- A guest VLAN (GUEST), with VLAN ID 2 and IP address 192.168.25.1. By default, this VLAN is in the GUEST zone.
- A data VLAN (DATA), with VLAN ID 10 and IP address 10.1.20.1. By default, this VLAN is in the LAN zone.
- A voice VLAN (VOICE), with VLAN ID 100 and IP address 10.1.1.2. By default, this VLAN is in the VOICE zone.

Note: Configuring a VLAN in the ISA570W Security Appliance also includes assignment of an IP subnet to the VLAN, as well as a zone. As stated above, this solution uses the following VLANs: data (10), DEFAULT (1), voice (100), guest (2). See Table 1 for details.
Repeat the following steps to define each VLAN not already defined.

Step 1 Select Networking > VLAN. The VLAN window is displayed.
Step 2 To add a new VLAN, click Add. The VLAN Add/Edit window is displayed (see Figure 10).

Figure 10 VLAN Basic Settings Configuration

Step 3 Choose DHCP Server mode and enter the relevant information in the DHCP Pool Settings tab to configure DHCP for the VLAN/subnet, as shown in Figure 11.

Figure 11 VLAN DHCP Pool Settings Configuration

Note: For voice VLAN 100, enter the TFTP server IP address in the field for Option 150. The TFTP server IP address 10.1.1.1 is actually the IP address of the UC500.

Step 4 Click OK to save your settings.
Step 5 Click Save to apply your settings. The VLAN configuration summary is displayed as shown in Figure 12.

Figure 12 VLAN Interfaces Configuration Summary
Configuring the DMZ on the ISA570W Security Appliance

This section describes how to configure a DMZ network, which is similar to the VLAN configuration. To configure a DMZ on an ISA570W Security Appliance, complete the following steps:

Procedure

Step 1 Select Networking > DMZ. The DMZ window is displayed.
Step 2 To add a DMZ, click Add. The DMZ Add/Edit window is displayed.
Step 3 Complete the fields as shown in Figure 13 for the DMZ port (in this case GE8).
Step 4 Select the DMZ zone from the Zone selection list.

Figure 13 DMZ Basic Settings Configuration

Note: Choose the default DMZ zone or a custom DMZ zone to which the DMZ is mapped. You can click the Create Zone link to view, edit, or add the zones on the security appliance.

Step 5 Click OK to save your settings.
Step 6 Click Save to apply your settings.
Small Business Network Foundation Configuring Security Zones in ISA570W Security Appliance for SBNF The ISA 500 security appliance provides several predefined security zones. Security zones can be added or deleted. Each zone is associated with a numerical security level. The security level for the zone defines the level of trust given to that zone. The security appliance supports five security levels for the following zones: Trusted(100): Offers the highest level of trust. The LAN zone is always trusted. VPN(75): Offers a higher level of trust than a public zone, but a lower level of trust than a trusted zone, which is used exclusively by the predefined VPN and SSLVPN zones. All traffic to and from a VPN zone is encrypted. Public(50): Offers a higher level of trust than a guest zone, but a lower level of trust than a VPN zone. The DMZ zone is a public zone. Guest(25): Offers a higher level of trust than an untrusted zone, but a lower level of trust than a public zone. Guest zones can only be used for guest access. Untrusted(0): Offers the lowest level of trust. It is used by both the WAN and the virtual multicast zones. You can map the WAN port to an untrusted zone. A higher permission level is indicated by a higher numeric value. The predefined VPN and SSLVPN zones have the same security level. The security appliance predefines the following zones and maps a security level to each zone. WAN: The WAN zone is an untrusted zone. By default, the WAN1 port is mapped to the WAN zone. If the secondary WAN (WAN2) is applicable, it can be mapped to the WAN zone or any other untrusted zone. LAN: The LAN zone is a trusted zone. You can map one or multiple VLANs to a trusted zone. By default, the DEFAULT VLAN is mapped to the LAN zone. DMZ: The DMZ zone is a public zone used for the public servers that you host in the DMZ networks. SSLVPN: The SSLVPN zone is a virtual zone used for simplifying secure and remote SSL VPN connections. 
This zone does not have an assigned physical port.
VPN: The VPN zone is a virtual zone used for terminating secure IPsec VPN connections. This zone does not have an assigned physical port.
GUEST: The GUEST zone can only be used for guest access. By default, the GUEST VLAN is mapped to this zone.
VOICE: The VOICE zone is a security zone designed for voice traffic. Traffic entering and leaving this zone is optimized for voice operations. If you have voice devices, such as Cisco IP Phones, place them in the VOICE zone.

The SBNF solution uses all of these zones.

Verifying Default Security Zone Definitions

SBNF uses the default zone definitions of the ISA570W Security Appliance. This step verifies that the ISA570W Security Appliance is using the default zones.

Step 1 Select Networking > Zones. The Zones window is displayed, showing the predefined zones (see Figure 14).
Network Configuration

Figure 14 Zone Configuration List

Step 2 Verify that the zones and their associated security levels are defined exactly as shown in Figure 14.
Step 3 If the configuration differs, click Reset to restore the zone configuration to the factory default settings, and verify again.

Configuring Interfaces Between the Cisco ISA570W Security Appliance and SG500 Devices

This section describes the Layer 2 configuration between the two devices, and includes the following topics:
Configuring the ISA570W Security Appliance Interface Connected to the Aggregation Switch, page 20
Configuring the SG500 Series Switch, page 21

Configuring the ISA570W Security Appliance Interface Connected to the Aggregation Switch

Configure the ISA570W Security Appliance port connected to the aggregation switch (GE2) as a trunk port that carries the following VLANs: DEFAULT, DATA, VOICE, and GUEST. Complete the following steps:

Procedure
Step 1 Select Ports > Physical Interface. The Physical Interfaces screen is displayed.
Step 2 Click the pencil icon for port GE2 to edit it. This displays the Ethernet Configuration Add/Edit screen shown in Figure 15.
Step 3 Enter the data for the GE2 port as shown in Figure 15.
Figure 15 ISA570W Security Appliance to SG500 Interface Configuration

Note Because GE2 is connected to the aggregation switch, all VLANs are added to it.

Step 4 Click OK.
Step 5 Click Save to apply the settings to the port. Figure 16 displays the summary of the ports.

Figure 16 ISA500 Series Interface Configuration Summary

Configuring the SG500 Series Switch

The SG500 system dashboard (Figure 17) is displayed after logging in to the switch.
Figure 17 SG500 Switch Main Menu Screen

This is the main menu for configuring the switch.

Adding the SBNF VLANs on an SG500 Series Switch

For laptops, IP phones, and other network endpoints to work properly with the Cisco SG500 Series switches, the following configuration must be completed:
VLANs must first be added to the switch VLAN database.
Ports carrying the VLANs (trunks) must be configured in trunk mode.
VLANs must be added on both sides of each trunk.

The SG500 Series switch comes preconfigured with a default VLAN 1 for data and voice. This implementation guide uses the default VLAN 1 for initial device configuration only; VLAN 10 is used as the data VLAN. Cisco best practice is not to use VLAN 1 for user traffic, to mitigate security risks and to control access to the network.

Note It is recommended to configure all the VLANs according to Table 1 on page 6 before configuring ports and trunks.

To add VLAN 10, VLAN 2, and VLAN 100 to the SG500 Series switch, complete the following steps.
Procedure
Step 1 Select VLAN Management > Create VLAN. This displays the current VLANs.
Step 2 Click Add to create a new VLAN. This displays the screen for entering the data of the new VLAN.
Step 3 Enter the VLAN number 10 and the VLAN name cisco-data for the new VLAN, as shown in Figure 18.

Figure 18 Adding SBNF VLAN to SG500 Series Switches

Step 4 Click Apply. This creates the new VLAN 10.
Step 5 Repeat the above steps to create the guest VLAN with VLAN number 2 (Guest).
Step 6 Repeat the same steps to add all SBNF VLANs on all LAN switches. VLANs 1 and 100 are predefined on the switch; if VLAN 100 is not present, add it in the same way.
Step 7 Verify that all required VLANs (1, 2, 10, 100) are defined: select VLAN Management > Create VLAN. This displays the existing VLANs (see Figure 19).
Figure 19 SBNF VLANs Summary

Configuring Voice VLAN Properties

Complete the following steps to assign VLAN 100 as the voice VLAN and to change the default voice VLAN properties.

Procedure
Step 1 Select VLAN Management > Voice VLAN > Properties.
Step 2 Change the Voice VLAN ID to 100, and keep the default QoS settings, including DSCP and CoS/802.1p.
Step 3 Make sure that Enable Auto Voice VLAN is checked and that Auto Voice VLAN Activation is set to Immediate, as shown in Figure 20.
Figure 20 Activating Auto Voice VLAN on All Switches

Step 4 Repeat the same steps on all LAN switches.

Updating Smartport Types for SBNF

Smartport types make it easy to provision switch ports by automatically applying the appropriate configuration for attached devices such as IP phones, routers, access points, switches, or other devices, to optimize network performance. Smartport macros on the Small Business Series switches are described in the SBNF Design Guide.

The SG500 Series switches come with a list of Smartport types, such as Printer, Desktop, Guest, Server, Host, IP Camera, IP Phone, IP Phone + Desktop, Switch, Router, and Wireless Access Point. To view the default Smartport types, select Smartport > Smartport Type Settings. The Smartport types are shown in Figure 21.
Figure 21 Smartport Type Defaults

Figure 22 displays the Smartport types after Auto Voice VLAN 100 has been configured.

Figure 22 Smartport Types with Auto Voice VLAN Configured

Modifying Smartport Type Parameters on an SG500 Switch

The default Smartport settings assume certain VLANs and other parameters, and need to be edited before the macros can be applied in an SBNF network. Complete the following steps to edit the Smartport macros.
Procedure
Step 1 Select Smartport > Smartport Type Settings. This displays the Smartport Type Settings table.
Step 2 Select a Smartport type, for example IP Phone + Desktop, and click Edit at the bottom of the screen. This displays the screen for editing the parameters of the selected Smartport type (see Figure 23).

Figure 23 Smartport Type Edit

In Figure 23, max_hosts is set to 3 and the data VLAN to 10.

Step 3 Repeat the same steps to update the remaining Smartport types. Figure 24 shows the SG500 Series Smartport types customized for SBNF.
Figure 24 Smartport Types Customized for SBNF

Applying Smartport Types to an Interface

There are two ways to apply a Smartport macro, by Smartport type, to an interface:

Static Smartport: A static Smartport applies a fixed VLAN and QoS configuration to a port. Connect only a device of the type the configuration is intended for; any other device will not work correctly on that port. This type of Smartport assignment is recommended for infrastructure network elements such as switches, servers, and access points.
Auto Smartport: An Auto Smartport waits for a device to be attached to the interface before applying a configuration. When a device is detected on an interface, the Smartport macro that corresponds to the Smartport type of the attached device is applied automatically (if one is assigned).

Configuring an SG500 Trunk Port Using Smartport Types

The connection between the Cisco ISA570W Security Appliance and the SG500 switches is between the integrated switch ports on the ISA570W Security Appliance and the SG500-48 switch ports. This requires a trunk configuration between the two devices to carry multiple VLANs. The connections between the Cisco SG500 aggregation switch and the SG500 access switches also require trunk port configurations. To configure the switch port using the static Smartport method, complete the following steps.

Procedure
Step 1 Select Smartport > Interface Settings, select the interface, and click Edit.
Step 2 In the new window, change the Smartport Application from Auto Smartport to Router and keep the default value for the native VLAN (see Figure 25).
Figure 25 Smartport Type Router Applied to Switch Port Connected to Router

Step 3 Click Apply to complete the changes.

Configuring an SG500 Switch Port Connected to a Laptop

To configure a port for a PC or laptop using the data VLAN, complete the following steps.

Procedure
Step 1 Select Smartport > Interface Settings, select the interface, and then click Edit.
Step 2 In the new window, change the Smartport Application from Auto Smartport to Desktop and change the default value of $native_vlan to 10. Figure 26 shows the Smartport Desktop settings page.
Figure 26 Smartport Type Desktop

Step 3 Click Apply to complete the changes.

Configuring an SG500 Switch Port Connected to an IP Phone and Desktop

To configure a port for an IP phone with a desktop PC connected to the LAN port of the phone, using both the data VLAN and the voice VLAN, complete the following steps.

Procedure
Step 1 Select Smartport > Interface Settings, select the interface, and click Edit.
Step 2 In the new window, change the Smartport Application from Auto Smartport to IP Phone + Desktop and change the default value of $native_vlan to 10. The voice VLAN ID is updated automatically by the system, using the Voice VLAN ID configured globally. Figure 27 shows the Smartport IP Phone + Desktop settings page.
Figure 27 Smartport Type IP Phone + Desktop

Step 3 Click Apply to complete the changes.

Adding VLANs to SG500 Series Trunks in SBNF

To assign a port such as the aggregation switch port GE24, which is connected to the ISA570W Security Appliance, to all the SBNF VLANs, complete the following steps:

Procedure
Step 1 Select VLAN Management > Port VLAN Membership. The Port VLAN Membership page is displayed.
Step 2 Select port GE24 and click the Join VLAN button. The Join VLAN page is displayed.
Step 3 If the VLANs are listed under the Mode column instead of the Trunk column, click the right arrow (>) to move each VLAN to the Trunk column, as shown in Figure 28.
Figure 28 Adding SBNF VLANs to Router Trunk Port

Step 4 Click Apply. The settings are modified and written to the Running Configuration file.
Step 5 To see the administrative and operational VLANs on an interface, click Details (see Figure 29).

Figure 29 Administrative and Operational VLANs on Trunk Port

Step 6 Repeat the previous steps to add all the SBNF VLANs to the trunk ports between switches, and wherever else necessary. The same set of VLANs must be present on both ends of each trunk.

ISA570W Security Appliance SBNF Layer 3 Configuration

This section describes the SBNF Layer 3 configuration of the ISA570W Security Appliance and includes the following topics:
Configuring Routing on the ISA570W Security Appliance, page 33
Viewing the Routing Table in the ISA570W Security Appliance, page 34
Configuring the Firewall, page 34
Configuring NAT and Dynamic PAT, page 35
Configuring Static NAT Rules for DMZ Servers, page 36
Configuring ACLs for Access to DMZ Servers, page 38
Configuring Quality of Service, page 39

Configuring Routing on the ISA570W Security Appliance

Verify that the ISA570W Security Appliance is configured to operate in NAT mode. By default, NAT mode is enabled. Complete the following steps:

Procedure
Step 1 Select Networking > Routing > Routing Mode. The Routing Mode window is displayed.
Step 2 If Routing mode is enabled, click Off to disable it, so that the appliance operates in NAT mode.

Figure 30 Routing Mode Settings

Step 3 Click Save to apply your settings.

Configuring Inter-VLAN Routing

To enable communication between the various VLANs (voice, data, and so on), add those VLANs to the same zone. Table 4 shows the default policy between distinct zones; where it shows Deny (including between two zones of the same security level, such as LAN and VOICE), add an explicit firewall rule to permit the required traffic.

Configuring Static Routing

This solution requires static routes on the security appliance so that it can forward traffic destined for the local subnets of the UC500, such as 10.1.1.0/24 (10.1.1.1 is the TFTP server inside the UC500) and 10.1.10.0/24 (voice mail). For the exact subnets to be routed, refer to the application note Enhancing Small Business Network Foundation Network for Unified Communication Services.
Viewing the Routing Table in the ISA570W Security Appliance

To view the routing table, select Networking > Routing > Routing Table. This displays the routing table as shown in Figure 31.

Figure 31 Routing Table

Note This page is updated automatically every 10 seconds. Click Refresh to refresh the routing table manually.

Configuring the Firewall

This implementation uses the default zones and their security levels to simplify configuration. The default zones and the firewall rules, based on the security level of each zone, are shown in Table 4. By default, the firewall denies all traffic from a lower security zone to a higher security zone, but permits traffic from a higher security zone to a lower security zone. Table 4 also shows that traffic between two different zones of the same security level (such as LAN and VOICE, or VPN and SSLVPN) is denied by default.

Table 4 Default Zones and Security Levels (rows: From zone; columns: To zone)

From/To   LAN     VOICE   VPN     SSLVPN  DMZ     GUEST   WAN
LAN       N/A     Deny    Permit  Permit  Permit  Permit  Permit
VOICE     Deny    N/A     Permit  Permit  Permit  Permit  Permit
VPN       Deny    Deny    N/A     Deny    Permit  Permit  Permit
SSLVPN    Deny    Deny    Deny    N/A     Permit  Permit  Permit
DMZ       Deny    Deny    Deny    Deny    N/A     Permit  Permit
GUEST     Deny    Deny    Deny    Deny    Deny    N/A     Permit
WAN       Deny    Deny    Deny    Deny    Deny    Deny    N/A
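As an added example (not code from the guide or from Cisco), the following Python script models the zone security levels described in the zone section above and the default policy they imply, and checks the result cell by cell against Table 4. The VOICE zone has no security level stated in the text; treating it as Trusted (100), like LAN, is an assumption of this model that Table 4 is consistent with. The flows_needing_rules helper is also an assumption of the example: it lists the flows a deployment needs that the default policy denies and that therefore require an explicit ACL rule.

```python
"""Default zone-to-zone policy of the ISA500, modeled from the security levels.

Added example; not code from the guide. Rule modeled: traffic is permitted by
default only from a strictly higher security level to a lower one.
"""

# Security levels listed in the guide. VOICE has no stated level; it is
# assumed here to be Trusted (100) like LAN, which matches Table 4.
ZONE_LEVELS = {
    "LAN": 100,
    "VOICE": 100,
    "VPN": 75,
    "SSLVPN": 75,
    "DMZ": 50,
    "GUEST": 25,
    "WAN": 0,
}
ZONE_ORDER = ["LAN", "VOICE", "VPN", "SSLVPN", "DMZ", "GUEST", "WAN"]

# Table 4 of the guide, transcribed row by row in ZONE_ORDER column order.
TABLE_4 = {
    "LAN":    "N/A Deny Permit Permit Permit Permit Permit",
    "VOICE":  "Deny N/A Permit Permit Permit Permit Permit",
    "VPN":    "Deny Deny N/A Deny Permit Permit Permit",
    "SSLVPN": "Deny Deny Deny N/A Permit Permit Permit",
    "DMZ":    "Deny Deny Deny Deny N/A Permit Permit",
    "GUEST":  "Deny Deny Deny Deny Deny N/A Permit",
    "WAN":    "Deny Deny Deny Deny Deny Deny N/A",
}


def default_action(src: str, dst: str) -> str:
    """Default firewall action for traffic from zone src to zone dst."""
    if src == dst:
        return "N/A"
    # Equal levels (LAN->VOICE, VPN->SSLVPN) are denied, not permitted.
    return "Permit" if ZONE_LEVELS[src] > ZONE_LEVELS[dst] else "Deny"


def policy_matrix() -> dict:
    """Full from/to matrix in the same shape as Table 4."""
    return {s: {d: default_action(s, d) for d in ZONE_ORDER} for s in ZONE_ORDER}


def table4_matrix() -> dict:
    return {s: dict(zip(ZONE_ORDER, TABLE_4[s].split())) for s in ZONE_ORDER}


def matches_table4() -> bool:
    """True when the level rule reproduces every cell of Table 4."""
    return policy_matrix() == table4_matrix()


def flows_needing_rules(required):
    """Return the (src, dst) flows a deployment needs that the default policy
    denies, i.e. the ones that need an explicit ACL rule (for example the
    WAN->DMZ HTTP rule added later in the guide)."""
    return [(s, d) for s, d in required if default_action(s, d) == "Deny"]


def reachable_from(src: str):
    """Zones that src can reach by default; WAN should reach none of them."""
    return [d for d in ZONE_ORDER if default_action(src, d) == "Permit"]


if __name__ == "__main__":
    matrix = policy_matrix()
    print("From/To ", " ".join(f"{d:7}" for d in ZONE_ORDER))
    for s in ZONE_ORDER:
        print(f"{s:8}", " ".join(f"{matrix[s][d]:7}" for d in ZONE_ORDER))
    print("matches Table 4:", matches_table4())
    print("rules needed:", flows_needing_rules([("WAN", "DMZ"), ("LAN", "VOICE"), ("LAN", "WAN")]))
```

Running the script prints the same matrix as Table 4 and reports that WAN reaches no zone by default, which is the state the "Verify that the default firewall rules are in effect" step below expects to see in Figure 32. Any zone added with a custom level can be dropped into ZONE_LEVELS to see which flows it opens before the change is made on the appliance.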
Verify that the default firewall rules are in effect. Figure 32 illustrates the ISA570W Security Appliance default policies. Click the triangle associated with a zone to expand it and show all the traffic permissions for that zone. Figure 32 shows the expanded data for the LAN and WAN zones.

Figure 32 Default Policies: Zones to Zones

Note These default rules can be changed according to deployment requirements by adding or modifying zones and policies.

Configuring NAT and Dynamic PAT

This implementation uses dynamic PAT for the data and guest subnets. Each DMZ server has a public IP address and a private IP address, and therefore requires static NAT. Complete the following steps:

Procedure
Step 1 Select Firewall > NAT > Dynamic PAT.
Step 2 The Dynamic PAT page is displayed (Figure 33).
Figure 33 Dynamic PAT Configuration

Step 3 Select Auto for the WAN1 interface (and WAN2, if used) to set the translated address to the public IP address of the WAN interface.
Step 4 Turn on Dynamic PAT for the GUEST, VOICE, and DATA VLANs as shown.
Step 5 Click Save.

Configuring Static NAT Rules for DMZ Servers

Static NAT is used for each DMZ server. This example shows the NAT configuration for an HTTP server in the DMZ zone. This step is not necessary if no DMZ servers are deployed. Complete the following steps:

Procedure
Step 1 Select Firewall > NAT > Static NAT.
Step 2 To add a static NAT rule, click Add. The Add/Edit screen is displayed (see Figure 34).

Figure 34 Static NAT: Add/Edit

Step 3 Enter the following information:
WAN: Choose WAN1 (or WAN2) as the WAN port.
Public IP: Choose the IP address object corresponding to the public IP address of the DMZ server from the drop-down list.
Private IP: Choose the IP address object corresponding to the private IP address of the DMZ server from the selection list.
Step 4 If the IP address that you want is not in the list, choose Create a new address to create a new IP address object. This displays the Address Add/Edit screen shown in Figure 35.

Figure 35 Address Add/Edit

Step 5 Enter a name for the address object to be created. Once completed, the screen should look like Figure 36.

Figure 36 Static NAT Rule Add/Edit

Step 6 Click OK to save your settings.
Step 7 Click Save to apply your settings. The static NAT summary is displayed (see Figure 37).
Figure 37 Static NAT Rules Summary

Configuring ACLs for Access to DMZ Servers

In this step, configure ACL rules to allow traffic from the Internet to the DMZ servers. It is strongly recommended to make each rule as specific as possible, so that it matches only the IP address and the TCP/UDP port of the DMZ server. Complete the following steps:

Procedure
Step 1 Select Firewall > Access Control > ACL Rules. The ACL Access Control List table appears in the right pane.
Step 2 Click Add. This displays the Rule Add/Edit screen (see Figure 38).
Figure 38 ACL Rule: Add/Edit

Step 3 To add the HTTP DMZ server for which the public IP address object HTTP_Public was defined in the previous step, enter the data shown in Figure 38 for the ACL rule. This allows HTTP traffic from the Internet to the server's public IP address only.
Step 4 Click OK to save your settings.
Step 5 Click Save to apply your settings. This displays the ACL summary (see Figure 39).

Figure 39 ACL Rules Access Control List

Configuring Quality of Service

This section describes the SBNF QoS configuration for the WAN and LAN on the ISA570W Security Appliance. It includes the following topics:
Configuring WAN QoS, page 39
Configuring LAN QoS, page 48

Configuring WAN QoS

Use the General Settings page to enable or disable the WAN QoS, LAN QoS, and WLAN QoS features. This section includes the following topics:
Enabling WAN QoS, page 40
Managing WAN Bandwidth for Upstream Traffic, page 40
Configuring WAN Queue Settings, page 41
Configuring Traffic Selectors, page 42
Configuring WAN QoS Policy Profiles, page 45
Mapping WAN QoS Policy Profiles to WAN Interfaces, page 47

Enabling WAN QoS

Step 1 Select Networking > QoS > General Settings. The General Settings window is displayed (Figure 40). Check the WAN QoS checkbox to enable WAN QoS.

Figure 40 QoS General Settings

Step 2 Click Save to apply your settings.

Managing WAN Bandwidth for Upstream Traffic

Use the Bandwidth page to specify the maximum bandwidth for upstream traffic allowed on each WAN interface.

Step 1 Select Networking > QoS > WAN QoS > Bandwidth. The Bandwidth window is displayed (Figure 41).
Figure 41 Bandwidth

Step 2 Enter the maximum bandwidth in kb/s for upstream traffic allowed on the WAN1 interface, for example 6000 for 6 Mb/s. This should be the same as the upstream bandwidth of the WAN link as provided by the service provider. The default value is 0 kb/s, which indicates that there is no bandwidth limit for upstream traffic.
Step 3 Click Save to apply your settings.

Configuring WAN Queue Settings

Step 1 Select Networking > QoS > WAN QoS > Queue Settings. This opens the Queue Settings screen, which allows you to set the characteristics of each of the six queues available for the WAN1 and WAN2 interfaces (Figure 42).
Figure 42 Low Latency Queuing

Step 2 For the WAN1 interface, choose Low Latency Queuing. Enter the values shown in Figure 42 to assign bandwidth values and queue descriptions. With these settings, voice traffic is treated as priority traffic and receives a maximum of 2000 kb/s; because the maximum is a cap on the priority queue, traffic marked as voice beyond 2000 kb/s cannot starve the other queues. The rest of the bandwidth, after voice has been serviced, is shared among the other types of traffic as shown. For example, voice/video signaling receives a minimum of 5% of the bandwidth remaining after the voice priority queue has been serviced, and can use additional bandwidth when it is available.
Step 3 Click the On button to turn on Random Early Detection on the WAN1 interface.
Step 4 Click Save to apply your settings.

Note Figure 42 shows the SBNF settings for the WAN1 interface. Similar settings can be used for the WAN2 interface, if used.

Configuring Traffic Selectors

This section describes how to specify the DSCP values for the various traffic classes.

Step 1 Select Networking > QoS > WAN QoS > Traffic Selector (Classification). The Traffic Selector (Classification) window is displayed (Figure 43).
Figure 43 Traffic Selector

Step 2 To add a new traffic selector, click Add. The Traffic Selector: Add/Edit window is displayed.
Step 3 Enter the DSCP value for voice traffic:
a. Enter the traffic class name Voice in the Class Name field.
b. Set the value Any for each of the following fields: Source Address, Destination Address, Source Service, Destination Service, CoS, and VLAN.
c. Move DSCP 46 to the Selection box by selecting 46 in the left box and clicking the -> button.
d. Click OK to create the traffic class. This displays the Traffic Selector (Classification) screen with the name of the newly created class.
Figure 44 Add Traffic Selector

Step 4 Click Save to apply the settings.
Step 5 Repeat Step 3 to add the following additional traffic classes with the following DSCP values:

Traffic class name: DSCP value(s)
Signaling: 24, 26
Routing-VPN Control: 48
Management: 16
Video: 32
Best Effort: 0, 8

The final Traffic Selector (Classification) screen should look like Figure 45.

Figure 45 Completed Traffic Selector Screen
Step 6 Click Save to apply your settings.

Configuring WAN QoS Policy Profiles

Next, the WAN QoS policy profiles are created. Profiles assign specific traffic classes to specific queues and provide options to police and mark the traffic.

Step 1 Select Networking > QoS > WAN QoS > QoS Policy Profile. The QoS Policy Profile window is displayed (Figure 46).

Figure 46 QoS Policy Profile

Step 2 To create a new WAN QoS policy profile, click Add. This displays the QoS Policy: Add/Edit window (Figure 47).

Figure 47 QoS Policy Add/Edit

Step 3 To create a policy that places voice traffic in the priority queue (Q1), enter a name for the policy in the QoS Policy Add/Edit window (Figure 47 shows the name Voice policy; the same profile is mapped to the WAN1 interface under the name WAN policy later in this section, so use one name consistently).
Step 4 Apply this policy to outbound traffic by selecting the Outbound Traffic radio button, and click Add. This displays the QoS Class Add/Edit screen (Figure 48).
Figure 48 QoS Class Rule Add/Edit

Specify the values shown in Table 5 for the voice class rule.

Step 5 Click OK to create the class rule. This displays the QoS Policy: Add/Edit window with the newly created rule. Repeat Step 4 and Step 5 to create the rules that assign the other classes of traffic to their queues, using the values shown in Table 6.

Table 5 QoS Field Descriptions

Field          Value to be selected/entered   Remark
Class          Voice (drop-down list)
Queue          Q1 (drop-down list)            Q1 is the priority queue
DSCP Marking   none (drop-down list)          Optional: specify a DSCP value if you want to re-mark the traffic
CoS Marking    none (drop-down list)          Cannot be changed
Rate Limiting  0                              Specify a bandwidth value if you want to rate-limit the traffic

Table 6 QoS Class Descriptions

Class                 Queue   DSCP marking   CoS marking   Rate limiting
Signaling             Q2      none           none          0
Routing-VPN Control   Q3      none           none          0
Management            Q4      none           none          0
Video                 Q5      none           none          0
Best Effort           Q6      none           none          0
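The traffic selectors, the class-to-queue assignments of Tables 5 and 6, and the 2000 kb/s voice maximum of Figure 42 together determine how much of the 6000 kb/s uplink each kind of traffic can take. As an added example (not code from the guide or from Cisco), the following Python script applies those settings to constructed flows and approximates the Low Latency Queuing behaviour for one scheduling interval: Q1 is served first but never beyond its cap, so a host that marks all of its traffic DSCP 46 cannot starve the other queues. Two parts are assumptions of the model rather than settings from the guide: DSCP values with no selector are sent to the best-effort queue, and leftover bandwidth is shared in proportion to offered load instead of by the per-queue minimum percentages of Figure 42, which the text does not reproduce in full.

```python
"""DSCP classification, queue assignment and priority-queue cap for the SBNF
WAN QoS policy. Added example, not code from the guide."""
from collections import defaultdict

# Traffic selectors from the guide: class name -> DSCP values.
SELECTORS = {
    "Voice": {46},
    "Signaling": {24, 26},
    "Routing-VPN Control": {48},
    "Management": {16},
    "Video": {32},
    "Best Effort": {0, 8},
}
# Class -> queue from Tables 5 and 6 (Q1 is the priority queue).
CLASS_QUEUE = {
    "Voice": "Q1", "Signaling": "Q2", "Routing-VPN Control": "Q3",
    "Management": "Q4", "Video": "Q5", "Best Effort": "Q6",
}
PRIORITY_QUEUE = "Q1"
PRIORITY_MAX_KBPS = 2000        # voice maximum from Figure 42
UNCLASSIFIED_QUEUE = "Q6"       # assumption: unmatched DSCPs go to best effort


def classify(dscp: int):
    """Traffic class for a DSCP value, or None if no selector matches."""
    for name, values in SELECTORS.items():
        if dscp in values:
            return name
    return None


def queue_for(dscp: int) -> str:
    cls = classify(dscp)
    return CLASS_QUEUE[cls] if cls else UNCLASSIFIED_QUEUE


def offered_load(flows):
    """flows: iterable of (dscp, kbps). Returns kb/s offered to each queue."""
    load = defaultdict(int)
    for dscp, kbps in flows:
        load[queue_for(dscp)] += kbps
    return dict(load)


def schedule(flows, link_kbps: int):
    """One-interval LLQ approximation. Returns (served, dropped) in kb/s per queue.
    Q1 is served first but never beyond PRIORITY_MAX_KBPS; the remaining link
    bandwidth is shared by the other queues in proportion to their offered load
    (an assumption; the appliance uses the minimum percentages of Figure 42)."""
    load = offered_load(flows)
    served, dropped = {}, {}
    pq = load.get(PRIORITY_QUEUE, 0)
    served[PRIORITY_QUEUE] = min(pq, PRIORITY_MAX_KBPS, link_kbps)
    dropped[PRIORITY_QUEUE] = pq - served[PRIORITY_QUEUE]
    remaining = link_kbps - served[PRIORITY_QUEUE]
    others = {q: k for q, k in load.items() if q != PRIORITY_QUEUE}
    total = sum(others.values())
    for q, kbps in others.items():
        share = kbps if total <= remaining else remaining * kbps // total
        served[q] = share
        dropped[q] = kbps - share
    return served, dropped


# Constructed flows: 20 calls at about 80 kb/s each, signaling, one host
# flooding the uplink with DSCP 46, and bulk best-effort traffic.
SAMPLE_FLOWS = [(46, 20 * 80), (26, 300), (46, 5000), (0, 3000)]
LINK_KBPS = 6000  # the WAN1 upstream bandwidth configured above

if __name__ == "__main__":
    served, dropped = schedule(SAMPLE_FLOWS, LINK_KBPS)
    print("served :", served)
    print("dropped:", dropped)
```

With the sample flows, Q1 is offered 6600 kb/s but served 2000 kb/s, and the signaling and best-effort queues still receive everything they offered. The dropped 4600 kb/s includes the legitimate calls as well as the flood, which is why a per-class rate limit or a Voice selector narrower than Any (for example, restricted to the voice VLAN) is worth considering on a network where untrusted hosts can set their own DSCP.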
Figure 49 QoS Policy: Add/Edit

The final QoS Policy Add/Edit window should look like Figure 49.

Step 6 Click OK. This displays the QoS Policy Profile window showing the created WAN policy.
Step 7 Click Save to apply the settings.

Mapping WAN QoS Policy Profiles to WAN Interfaces

In this step, the policy profile created earlier is assigned to the WAN1 interface.

Step 1 Select Networking > QoS > WAN QoS > Policy Profile to Interface Mapping. The Policy Profile to Interface Mapping window is displayed (Figure 50).

Figure 50 Policy Profile to Interface Mapping

Step 2 To edit the policy profile settings associated with the WAN1 interface, click the Edit (pencil) icon. The Policy Profile to Interface Mapping: Edit window is displayed (Figure 51).
Figure 51 Policy Profile to Interface Mapping: Edit

Step 3 Enter the following information:
Interface: WAN1
Inbound Policy Name: Choose none.
Outbound Policy Name: Choose WAN policy (the profile created in the previous section).
Step 4 Click OK to save your settings. This displays the Policy Profile to Interface Mapping window, showing that the WAN1 interface is now associated with the policy WAN policy (Figure 52).

Figure 52 Policy Profile to Interface Mapping: Mapped Interface

Step 5 Click Save to apply your settings. You may also assign the same QoS policy profile to the WAN2 interface, when used.

Configuring LAN QoS

This section configures the LAN QoS of the ISA570W Security Appliance. It includes the following topics:
Enabling LAN QoS, page 49
Configuring LAN Queue Settings, page 49
Configuring LAN QoS Classification Methods, page 50
Mapping DSCP to LAN Queue, page 51
Enabling LAN QoS

Use the General Settings page to enable or disable the WAN QoS, LAN QoS, and WLAN QoS features.

Step 1 Select Networking > QoS > General Settings. The General Settings window is displayed (Figure 53).

Figure 53 LAN QoS General Settings

Step 2 Check the LAN QoS checkbox to enable LAN QoS.
Step 3 Click Save to apply your settings.

Configuring LAN Queue Settings

Configure the type of queuing used by the four queues associated with each Ethernet LAN interface of the ISA570W Security Appliance. The options are Weighted Round Robin (WRR) queuing, Strict Priority (SP) queuing, or a combination of both. If voice is not deployed, WRR (the default) is sufficient. However, because SBNF supports voice, strict priority is turned on for Q1, which carries voice traffic, and the remaining three queues are configured to use WRR.

Step 1 Select Networking > QoS > LAN QoS > Queue Settings. The Queue Settings window is displayed (Figure 54).
Figure 54 LAN QoS: Queue Settings

Select the SP and WRR radio button to turn on priority queuing for Q1 and WRR for the other three queues.
Step 2 (Optional) Enter a description for each queue.
Step 3 Click Save to apply your settings.

Configuring LAN QoS Classification Methods

This section configures whether the CoS or the DSCP value of the traffic is used to decide which queue the traffic is placed in. For SBNF, choose DSCP as the queue selection criterion.

Step 1 Select Networking > QoS > LAN QoS > Classification Methods. The Classification Methods window is displayed (Figure 55).

Figure 55 Classification Methods

Step 2 Enable Differentiated Services Code Point (DSCP).
Step 3 Click Save to apply your settings.
Mapping DSCP to LAN Queue

This section configures which DSCP values go to each queue.

Step 1 Select Networking > QoS > LAN QoS > Mapping DSCP to Queue. The Mapping DSCP to Queue window is displayed (Figure 56).

Figure 56 Mapping DSCP to Queue

Step 2 Configure the table exactly as shown in Figure 56. This configuration places voice (DSCP 46), Routing-VPN Control traffic (DSCP 48), and LAN BPDUs in Q1, which is the priority queue. Best Effort traffic (DSCP 0 and 8) is placed in Q4.
Step 3 Click Save to apply your settings.

VPN Configuration

The example implementation uses an IPsec site-to-site VPN between the main office and the remote offices. A mobile worker can use either remote-access IPsec VPN or SSL VPN (AnyConnect) to connect to the main office. VPN configuration is simple to do on the ISA570W Security Appliance by using the Site-to-Site VPN and Remote Access VPN configuration wizards.
This section includes the following topics:
Using the Site-to-Site VPN Configuration Wizard, page 52
Remote Office Configuration, page 56
Mobile Worker Configuration, page 57
Configuring Laptops of Mobile Workers for Cisco VPN Client, page 72

Using the Site-to-Site VPN Configuration Wizard

Because the example implementation uses an IPsec site-to-site VPN between the main office and the remote offices, the configuration must be completed on the WAN routers at both locations. Use the Site-to-Site VPN Wizard to configure a site-to-site VPN policy that provides a secure connection between a remote office and the main office. Complete the following steps.

Procedure
Step 1 Select Configuration Wizards > Site-to-Site VPN Wizard. The screen shown in Figure 57 is displayed.

Figure 57 Site-to-Site VPN Wizard: Getting Started

Step 2 Select Getting Started.
Step 3 Click Next. This displays the VPN Peer Settings screen, in which you specify the remote end of the IPsec VPN connection.
Step 4 Specify a name for the VPN profile (for example, Mo-2-B01), enter the IP address of the remote office WAN interface as shown in Figure 58, and enter the key that will be used as the pre-shared key (see Figure 58). The same pre-shared key must be configured on the remote peer.
Figure 58 Site-to-Site VPN Wizard: VPN Peer Settings

Step 5 Click Next. This displays the IKE Policies screen for configuring the IKE policies for the IPsec VPN policy (see Figure 59).

Figure 59 Site-to-Site VPN Wizard: IKE Policies

Step 6 Select the default IKE policy, which specifies AES 256-bit encryption, SHA1, pre-shared key authentication, and DH group 2.

Step 7 Click Next. This displays the Transform Set screen for setting the transform set of the VPN connection (see Figure 60).
Figure 60 Site-to-Site VPN Wizard: Transform Sets

Step 8 Select the Default transform set, which uses ESP_SHA1_HMAC for data integrity and ESP_AES_256 for data encryption.

Step 9 Click Next. This displays the Local and Remote Networks screen for specifying the local and remote LAN IP subnets that are to be encrypted through the IPSec tunnel (see Figure 61).

Figure 61 Site-to-Site VPN Wizard: Local and Remote Networks

Step 10 From the Local Subnet selection list, select Create new address. This displays the Address-Add screen (see Figure 62).
Figure 62 Site-to-Site VPN Wizard: Local and Remote Networks: Add Local Address

Step 11 For the main office, specify a name for the address object, for example: Main-Office. In the IP Address field, enter the main office LAN IP subnet, 10.1.0.0. This includes the data and voice subnets.

Step 12 Click Save.

Step 13 From the Remote Subnet selection list, select Create new address. This displays the Address-Add screen (Figure 63).

Figure 63 Site-to-Site VPN Wizard: Local and Remote Networks: Add Remote Address

Step 14 For the remote office, specify a name for the address object, for example: Branch1. In the IP Address field, enter the remote office LAN IP subnet, 10.2.0.0. This includes the data and voice subnets.

Step 15 Click Save. This displays the Local and Remote Networks screen with the subnet names you assigned (see Figure 64).
Figure 64 Site-to-Site VPN Wizard: Local and Remote Networks Summary

Step 16 Click Next. This displays the VPN configuration Summary screen (see Figure 65).

Figure 65 Site-to-Site VPN Wizard Summary

Note Repeat the previous procedure to set up a VPN connection for each remote office to be connected.

Remote Office Configuration

Remote office configuration is typically the same as the main office configuration, except that a DMZ usually does not exist at a remote office. The remote office typically requires less equipment than the main office, but the WAN and LAN configuration is the same. Follow the same steps to configure the LAN, WAN, and firewall at the remote office. The remote office is connected to the main office using a site-to-site IPsec VPN.
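Because the site-to-site wizard must be run on both the main office and each remote office appliance, the two ends have to agree on the IKE policy, the transform set, and mirrored local/remote subnets; a mismatch in any of them leaves the tunnel down, and traffic that does not match the selectors is routed in the clear rather than encrypted. The following is an added example, not part of this guide or the ISA570W firmware, that checks a pair of peer configurations for those problems and decides whether a given packet would be sent through the tunnel. The IKE and transform values are the ones selected in Steps 6 and 8; the /16 masks for 10.1.0.0 and 10.2.0.0 and the profile name for the branch side are assumptions, as the page gives only the network addresses.

```python
"""Consistency check for a pair of site-to-site IPsec peers (added example, not from the guide)."""
import ipaddress
from typing import Dict, List

# IKE policy and transform set as selected in the wizard (Steps 6 and 8).
IKE_POLICY = {"encryption": "AES-256", "hash": "SHA1",
              "auth": "pre-shared-key", "dh_group": 2}
TRANSFORM_SET = {"esp_encryption": "ESP_AES_256", "esp_integrity": "ESP_SHA1_HMAC"}


def make_peer(name: str, local_subnet: str, remote_subnet: str,
              ike: Dict = IKE_POLICY, transform: Dict = TRANSFORM_SET) -> Dict:
    """One side's VPN profile: what it calls 'local' and 'remote', plus its proposals."""
    return {"name": name,
            "local": ipaddress.ip_network(local_subnet),
            "remote": ipaddress.ip_network(remote_subnet),
            "ike": dict(ike), "transform": dict(transform)}


def check_pair(a: Dict, b: Dict) -> List[str]:
    """Return the problems that would keep the tunnel down or leave traffic unencrypted.
    An empty list means the two profiles are consistent."""
    problems = []
    if a["ike"] != b["ike"]:
        problems.append(f"IKE policy mismatch: {a['ike']} vs {b['ike']}")
    if a["transform"] != b["transform"]:
        problems.append(f"transform set mismatch: {a['transform']} vs {b['transform']}")
    # Each side's local network must be the other side's remote network.
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        problems.append("traffic selectors are not mirrored between the peers")
    # Overlapping LANs cannot be distinguished by the selectors at either end.
    for peer in (a, b):
        if peer["local"].overlaps(peer["remote"]):
            problems.append(f"{peer['name']}: local and remote subnets overlap")
    return problems


def is_interesting(peer: Dict, src: str, dst: str) -> bool:
    """True when src->dst matches the peer's selectors and is sent through the
    IPsec tunnel; False means the packet is routed outside the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return s in peer["local"] and d in peer["remote"]


if __name__ == "__main__":
    # Assumed /16 masks; "B01-2-Mo" is a constructed name for the branch side.
    main = make_peer("Mo-2-B01", "10.1.0.0/16", "10.2.0.0/16")
    branch = make_peer("B01-2-Mo", "10.2.0.0/16", "10.1.0.0/16")
    print("problems:", check_pair(main, branch) or "none")
    print("10.1.10.5 -> 10.2.10.5 encrypted:", is_interesting(main, "10.1.10.5", "10.2.10.5"))
    print("10.1.10.5 -> 198.51.100.7 encrypted:", is_interesting(main, "10.1.10.5", "198.51.100.7"))
```

The mirrored-selector check is the one that most often fails in practice: the branch appliance's Local Subnet must be 10.2.0.0 and its Remote Subnet 10.1.0.0, the reverse of what was entered at the main office in Steps 11 and 14.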
Mobile Worker Configuration

A mobile worker can set up either a Remote Access IPSec VPN using client software on the laptop or an SSL VPN session using the AnyConnect client. The main office security appliance acts as the VPN gateway. This section describes the configuration of these options on the ISA570W Security Appliance at the main office. The configuration is performed using the Remote Access VPN Wizard, which has two options: Remote Access IPSec VPN and SSL VPN.

Using the Remote Access IPSec VPN Wizard

Step 1 Select Configuration Wizards. This displays the Remote Access VPN Wizard screen (see Figure 66).

Figure 66 Remote Access VPN Wizard: Getting Started

Step 2 Select IPsec Remote Access from the VPN Tunnel Type selection list.

Step 3 Click Next. This displays the IPSec Remote Access Group Policy screen (see Figure 67).
Figure 67 Remote Access VPN Wizard: IPsec Group Policy

Step 4 Use the IPsec Group Policy page to configure the following parameters for the IPsec Remote Access group policy:

Group Name: Enter the name for the group policy.
IKE Authentication Method: Specify Pre-shared Key as the authentication method.

Step 5 Click Next. This displays the WAN screen (see Figure 68).

Figure 68 Remote Access VPN Wizard: WAN Configuration

Step 6 Select the WAN interface to be used for receiving VPN connection requests from mobile workers, for example: WAN1.

Step 7 Select Off for WAN Failover.
Note WAN failover is optional and can be deployed if needed. When two WAN interfaces are configured, you can configure the WAN redundancy mode as either Load Balancing or Failover. For Remote Access VPN to be able to use one of the WAN interfaces as a backup, the redundancy mode must be Failover. In this case, if the primary WAN fails, the security appliance automatically updates the local WAN gateway for the VPN tunnel to the backup WAN link. Because the backup WAN link has a different IP address, Dynamic DNS must be configured, as the gateway's IP address changes on failover. Remote VPN clients must then use the fully qualified domain name of the IPsec VPN gateway to establish remote access VPN connections.

Step 8 Click Next. This displays the Network Configuration screen (see Figure 69).

Figure 69 Remote Access VPN Wizard: Network Configuration

Step 9 Configure the Remote Access IPSec VPN mode as Client mode and specify the start and end IP addresses of the IP pool for the clients. You may optionally enable Client Internet Access to allow remote VPN users to access the Internet through the main office. This is not necessary if the clients are configured for split tunneling, which lets them access the Internet directly.

Step 10 Click Next. This displays the Access Control screen for configuring the list of zones with which the VPN clients can communicate (see Figure 70).
Figure 70 Remote Access VPN Wizard: Access Control

Step 11 Configure the permissions as shown in the Access Control screen in Figure 70, and click Next. This displays the DNS/WINS screen (see Figure 71).

Figure 71 DNS/WINS

Step 12 Enter the IP address of the DNS server (10.1.20.1), which is the address of the security appliance, and click Next. This displays the Backup Server screen (see Figure 72).
Figure 72 Remote Access VPN Wizard: Backup Server

Step 13 Click Next.

Step 14 Enter the IP address or domain name of up to three backup servers. You may enter the IP address of any other VPN gateway in the network (either the backup WAN interface or a separate router) that can accept client requests for VPN connections. Backup server 1 has the highest priority and backup server 3 the lowest. The backup servers that you specify in the IPsec VPN server configuration are sent to remote VPN clients when they initiate VPN connections, and the remote VPN clients cache them.

Step 15 Click Next. This displays the Split Tunnel screen (see Figure 73).
Figure 73 Remote Access VPN Wizard: Split Tunnel Configuration

Step 16 Enable Split Tunnel. This allows the clients to access the Internet directly from their own network rather than through the main office security appliance. In addition, specify the subnets that are allowed from clients; in this case they are 10.1.254.0/24 and 192.168.75.0/24.

Step 17 Click Next. This displays the Group Policy Summary (see Figure 74).
Figure 74 Remote Access VPN Wizard: Group Policy Summary

Step 18 Use the Group Policy Summary page to review the group policy settings.

Step 19 Click Next. This displays the IPSec Remote Access: User Group screen (see Figure 75).
Figure 75 Remote Access VPN Wizard: IPsec Remote Access: User Group

Step 20 Click Add. This displays the User Group: Add/Edit screen, which is used to configure the user groups for Remote Access IPSec VPN and their properties (see Figure 76).

Figure 76 Remote Access VPN Wizard: User Group: Add/Edit: Group Settings

Step 21 Enter a name for the user group. The user group name is provided to the VPN server as part of the VPN connection setup process. The VPN server uses it to allow or block services to the client based on the configuration specified for the group in the User Group Add/Edit screen.

Step 22 For the Remote Access IPSec groups, enable IPSec Remote Access for this user group and disable SSL VPN, Web Login, and Captive Portal, as shown in Figure 76.

Step 23 Click the Membership tab to add users to the group.
This displays the screen for adding users to the group (see Figure 77).

Figure 77 Remote Access VPN Wizard: User Group: Add/Edit: Membership

Step 24 Enter each user account name and password and click Create.

Step 25 After completing each required entry, click OK. This displays the IPSec Remote Access: User Group screen showing the user group you created (see Figure 78).

Figure 78 Remote Access VPN Wizard: IPsec Remote Access: User Group
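The group policy settings entered in Steps 9 through 16 (client IP pool, DNS server, backup servers, split-tunnel networks) together with the WAN failover note determine how a connected client behaves. The following is an added example, not from this guide or from the Cisco client, that models that behaviour: pool address assignment, the routing decision for a destination with split tunnel on or off, and gateway selection that resolves the gateway's FQDN first (so Dynamic DNS can move it after a failover) and then falls back to the cached backup servers in priority order. The split-tunnel networks are the two from Step 16; the pool range 10.1.254.100 to 10.1.254.150, the gateway name vpn.example.com, the DNS table and all gateway addresses are constructed assumptions.

```python
"""Client-side model of the Remote Access IPsec group policy (added example, not from the guide)."""
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional

# Split-tunnel networks from Step 16: only these are reached through the tunnel.
TUNNEL_NETWORKS = [ipaddress.ip_network("10.1.254.0/24"),
                   ipaddress.ip_network("192.168.75.0/24")]
DNS_SERVER = "10.1.20.1"  # pushed to clients (Step 12)


def allocate_address(pool_start: str, pool_end: str, in_use: Iterable[str]) -> Optional[str]:
    """Hand out the lowest free address in the client IP pool (Step 9), or None if exhausted."""
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if end < start:
        raise ValueError("pool end precedes pool start")
    used = {ipaddress.ip_address(a) for a in in_use}
    addr = start
    while addr <= end:
        if addr not in used:
            return str(addr)
        addr += 1
    return None


def route_via_tunnel(dst: str, split_tunnel: bool,
                     tunnel_networks: List[ipaddress.IPv4Network] = TUNNEL_NETWORKS) -> bool:
    """Split tunnel on: only the pushed networks use the tunnel and everything else
    goes straight to the Internet.  Split tunnel off (Client Internet Access):
    all traffic goes through the main office."""
    if not split_tunnel:
        return True
    d = ipaddress.ip_address(dst)
    return any(d in net for net in tunnel_networks)


def choose_gateway(primary_fqdn: str, backups: Iterable[str], dns: Dict[str, str],
                   reachable: Callable[[str], bool]) -> Optional[str]:
    """Resolve the gateway name first (Dynamic DNS keeps it pointing at the active
    WAN address after a failover), then try the cached backup servers in order:
    backup 1 has the highest priority, backup 3 the lowest."""
    candidates = [dns[primary_fqdn]] if primary_fqdn in dns else []
    candidates.extend(list(backups)[:3])
    for gw in candidates:
        if reachable(gw):
            return gw
    return None


if __name__ == "__main__":
    # Constructed sample state: two clients already connected, primary WAN down.
    print("next pool address:", allocate_address("10.1.254.100", "10.1.254.150",
                                                 ["10.1.254.100", "10.1.254.101"]))
    for dst in ("10.1.254.5", "192.168.75.20", "93.184.216.34"):
        print(f"{dst:15s} split-tunnel -> tunnel: {route_via_tunnel(dst, True)}")
    dns_after_failover = {"vpn.example.com": "198.51.100.5"}
    backups = ["198.51.100.5", "203.0.113.20"]
    print("gateway:", choose_gateway("vpn.example.com", backups, dns_after_failover,
                                     reachable=lambda gw: gw != "203.0.113.10"))
```

With split tunnel enabled, a destination such as 93.184.216.34 never enters the tunnel, which is why the text says Client Internet Access is unnecessary in that case; with split tunnel disabled the same destination is carried to the main office and leaves through its WAN interface.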
Step 26 Click Next. The IPsec Remote Access Summary screen is displayed (see Figure 79).

Figure 79 Remote Access VPN Wizard: IPsec Remote Access: Summary

Step 27 Click Finish to complete the Remote Access IPSec VPN configuration.

Using the Remote Access VPN Wizard for SSL VPN

This section describes how to use the Remote Access VPN Wizard to configure the SSL VPN group policies and specify the users and user groups for SSL remote access.

Step 1 Select Configuration Wizards. This displays the Setup Wizard screen.
Step 2 Click Cancel. This displays the Wizard menu.

Step 3 Select Remote Access VPN Wizard. This displays the Remote Access VPN Wizard screen (see Figure 80).

Figure 80 Remote Access VPN Wizard: SSL Remote Access: Getting Started

Step 4 Click Next. This displays the SSL VPN Configuration screen (see Figure 81).
Figure 81 Remote Access VPN Wizard: SSL VPN: Configuration

Step 5 Configure the SSL VPN gateway interface to be the WAN1 interface. The server is configured to accept SSL connections on TCP port 443.

Step 6 Select the default certificate file (self-signed certificate), and specify the client address pool as 10.1.154.0/24.

Step 7 Enable split tunneling by enabling Client Internet Access.

Step 8 Specify the domain of the client and the banner to be displayed to users during login.

Step 9 Leave the other fields at their default values and click Next. This displays the screen for creating a new group policy for SSL VPN (see Figure 82).
Figure 82 Remote Access VPN Wizard: SSL VPN: Group Policy

Step 10 This example uses the SSL default policy, so click Next. The User Group: Add/Edit screen is displayed (see Figure 83).

Figure 83 Remote Access VPN Wizard: SSL VPN: Group Settings: Add/Edit

Step 11 Create a name (for example: SSLVPN-user) for the group.

Step 12 Disable Web Login, select SSLVPNDefaultPolicy as the Default Policy, and disable Cisco IPSec VPN and Captive Portal.

Step 13 Click the Membership tab to add users to the group. This displays the User Group: Add/Edit screen (see Figure 84).
Figure 84 Remote Access VPN Wizard: SSL VPN: User Group: Add/Edit: Membership

Step 1 Add a user to the group by entering the user account name and password and clicking Create.

Step 2 Repeat this for all the users to be created for the group.

Step 3 Select each user to be a member of this group in the User table and click the -> key to move the name to the Membership table.

Step 4 Click OK. This displays the group details screen (see Figure 85).
Figure 85 Remote Access VPN Wizard: SSL VPN: User Group: Details

Step 5 Click Next. This displays the User Group screen showing each of the groups that has been added (see Figure 86).

Figure 86 Remote Access VPN Wizard: SSL VPN: User Group: Details: Summary

Step 6 Click Next. This displays the SSL VPN Summary screen (see Figure 87).
Figure 87 Remote Access VPN Wizard: SSL VPN Summary

Step 7 Click Finish. This completes the SSL VPN configuration on the ISA 500 Security Appliance.

Configuring Laptops of Mobile Workers for Cisco VPN Client

To configure laptops with the Cisco VPN client to connect to the ISA570W Security Appliance gateway, download either or both of the Remote Access IPSec VPN Client and the AnyConnect VPN software from the following location: http://www.cisco.com/cisco/software/navigator.html?mdfid=270636499&flowid=4466. Install either or both software images on the laptop.

Configuring Mobile Worker Laptops for SSL VPN AnyConnect Client

To configure mobile worker laptops for SSL VPN to connect to the ISA570W Security Appliance SSL VPN gateway, complete the following steps.

Procedure

Step 1 From the client PC or laptop, launch the AnyConnect secure client software and type the WAN IP address of the ISA570W Security Appliance that is acting as the SSL VPN gateway. The system displays the screen shown in Figure 88.
Figure 88 AnyConnect Secure Mobility Client: Launch

Step 2 Click Connect.

Step 3 Click Yes to accept the certificate. The system displays the screen shown in Figure 89.

Figure 89 Cisco AnyConnect: Username: Password

Step 4 Click Accept to confirm the connection. The system displays the screen shown in Figure 90.

Step 5 Enter the user name and password, and click OK.

Figure 90 WAN Router Self-Signed Certificate

You may see this screen because the gateway uses a self-signed certificate.

Step 6 Click Yes.
When the AnyConnect session is established, the following message is displayed to confirm it (see Figure 91).

Figure 91 Cisco AnyConnect: Successful Connection

Step 7 Click Accept. This establishes the connection and displays the status of the SSL VPN AnyConnect client (see Figure 92).

Figure 92 Cisco AnyConnect: Connected Screen

Step 8 To check SSL VPN connectivity, enter the ipconfig and ping commands in a Windows command prompt window (see Figure 93). The SSL VPN connected icon appears in the system tray at the right corner of the taskbar.
Figure 93 SSL VPN Connection Verification: IPconfig: Ping

Configuring Mobile Worker Laptops for IPSec VPN Client

To configure mobile worker laptops using the IPSec VPN Client to connect to the ISA570W Security Appliance IPSec Remote Access gateway, complete the following steps.

Procedure

Step 1 Select the IPSec VPN Client icon on the PC or laptop, as shown in Figure 94, to launch the IPSec VPN Client software.

Figure 94 IPsec VPN Client Icon

The VPN Client window is displayed as shown in Figure 95; it allows you to configure the VPN profiles.
Figure 95 IPsec VPN Client Connection Entries Window

Step 2 Click New or Connection Entries > New to create a connection entry.

Step 1 To edit an existing entry, highlight or select the entry and click the Modify icon, or select the corresponding option from the Connection Entries menu. Figure 96 shows an IPSec VPN Client connection entry.

Figure 96 IPsec VPN Client: Connection Entry: Edit/Modify

Step 2 Click Save. Figure 97 is displayed, showing all the connection entries.
Figure 97 IPsec VPN Client: Connection Entry

Step 3 To connect, select a connection entry and click Connect (or double-click the connection entry). Figure 98 shows a successful IPSec VPN client connection.

Figure 98 IPsec VPN Client: Connection Success

Figure 99 shows the IP address (10.1.254.100) of an IPSec VPN client and a successful ping to an IP address at a remote location.

Figure 99 IPsec VPN Client: Connection Verification
For advanced configurations of IPSec and SSL VPN, see the sections on configuring IPSec VPN for remote access and SSL VPN for browser-based remote access in the ISA570W Security Appliance administration guide.

Additional Enhancements

This section briefly describes the following additional enhancements:

Configuring Dual WAN Link Support on the ISA570W Security Appliance, page 78
Unified Threat Management System, page 78

Configuring Dual WAN Link Support on the ISA570W Security Appliance

The security appliance allows a second ISP connection using the optional port in WAN mode. When the optional port is in WAN mode, it can be configured with the following options:

Failover or auto-rollover, to use one of the ISP links as a backup
Load balancing, to use both ISP links simultaneously

For more information about using the optional port as a second link to the ISP, see the Configuring the Optional WAN section of the ISA570W Security Appliance administration guide.

Note The optional WAN mode does not support VPN connectivity.

Unified Threat Management System

The ISA570W Security Appliance supports Unified Threat Management (UTM) to provide state-of-the-art cloud-based security while reducing security management effort. The implementation of UTM will be covered in a separate application note. You may also refer to the ISA 500 Security Appliance Administration Guide.
References

Cisco SMART Designs: http://www.cisco.com/go/smartdesigns
Cisco ISA 500 Series Quick Start Guide: http://www.cisco.com/en/US/products/ps11752/prod_installation_guides_list.html
Cisco ISA 500 Series Administration Guide: http://www.cisco.com/en/US/products/ps11752/prod_maintenance_guides_list.html
Other ISA570W Security Appliance technical documents: http://www.cisco.com/en/US/products/ps11752/prod_technical_reference_list.html
Cisco Small Business SA500 Series Security Appliances: http://www.cisco.com/en/US/products/ps9932/tsd_products_support_series_home.html
Customer support: http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
Cisco Small Business SG500 Series Managed Switches: http://www.cisco.com/en/US/products/ps10898/tsd_products_support_series_home.html
SNF Role Configuration Guide for Cisco Small Business 300 Series Switches: http://tools.cisco.com/s2slv2/ViewDocument?docName=EXT-AS-405572
Small Business 300/200 Switches for Cisco UC300 Solution: http://tools.cisco.com/s2slv2/ViewDocument?docName=EXT-AS-370390