ADMINISTRATION GUIDE Cisco Small Business RVS4000 4-Port Gigabit Security Router with VPN
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) © 2011 Cisco Systems, Inc. All rights reserved.
Contents

Chapter 1: Introduction 8
Chapter 2: Networking and Security Basics 9
An Introduction to LANs 9
The Use of IP Addresses 10
The Intrusion Prevention System (IPS) 11
Chapter 3: Planning Your Virtual Private Network (VPN) 13
Why do I need a VPN? 13
1) MAC Address Spoofing 14
2) Data Sniffing 14
3) Man in the middle attacks 14
What is a VPN? 15
VPN Router to VPN Router 16
Computer (using the Cisco QuickVPN Client software) to VPN Router 17
Chapter 4: Getting Started with the
Setup > DMZ 40
Setup > MAC Address Clone 41
Setup > Advanced Routing 42
Setup > Time 44
Setup > IP Mode 45
Firewall 46
Firewall > Basic Settings 46
Firewall > IP Based ACL 48
Firewall > Internet Access Policy 51
Firewall > Single Port Forwarding 54
Firewall > Port Range Forwarding 55
Firewall > Port Range Triggering 56
ProtectLink 57
ProtectLink > ProtectLink Purchase 57
VPN 58
VPN > Summary 58
VPN > IPSec VPN 60
VPN > VPN Client Accounts 64
VPN > VPN Passthrough
IPS 82
IPS > Configuration 82
IPS > P2P/IM 83
IPS > Report 84
IPS > Information 86
L2 Switch 86
L2 Switch > Create VLAN 86
L2 Switch > VLAN Port Setting 88
L2 Switch > VLAN Membership 89
L2 Switch > RADIUS 90
L2 Switch > Port Setting 91
L2 Switch > Statistics 92
L2 Switch > Port Mirroring 93
L2 Switch > RSTP 94
Status 95
Status > Gateway 95
Status > Local Network 97
Chapter 6: Using the VPN Setup Wizard 98
VPN Setup Wizard 98
Before You Begin 98
Running the V
Downloading and Installing from the Internet 137
Using the Cisco QuickVPN Software 137
Distributing Certificates to QuickVPN Users 140
Appendix C: Configuring IPSec with a Windows 2000 or XP Computer 142
Introduction 142
Environment 143
Windows 2000 or Windows XP 143
RVS4000 143
How to Establish a Secure IPSec Tunnel 143
Establishing a Secure IPSec Tunnel 144
Appendix D: Gateway-to-Gateway VPN Tunnel 166
Overview 166
Before You Begin 166
Configuration when the Remote Gateway U
Setup/Config 190
Management 191
Security Features 191
QoS 191
Network 192
VPN 192
Routing 192
Layer 2 192
Environmental 193
Appendix G: Where to Go From Here 194
Product Resources 194
Related Documentation 195
1 Introduction

Thank you for choosing the Cisco RVS4000 4-Port Gigabit Security Router with VPN. The 4-Port Gigabit Security Router with VPN is an advanced Internet-sharing network solution for your small business needs. Like any router, it lets multiple computers in your office share an Internet connection.
2 Networking and Security Basics

This chapter describes networking and security basics. It includes these sections:
• An Introduction to LANs, page 9
• The Use of IP Addresses, page 10
• The Intrusion Prevention System (IPS), page 11

An Introduction to LANs

A router is a network device that connects two networks together. The router connects your local area network (LAN), or the group of PCs in your home or office, to the Internet.
The Use of IP Addresses

IP stands for Internet Protocol. Every device in an IP-based network, including PCs, print servers, and routers, requires an IP address to identify its location, or address, on the network. This applies to both the Internet and LAN connections. There are two ways of assigning IP addresses to your network devices. A static IP address is a fixed IP address that you assign manually to a PC or other device on the network.
NOTE Since the router is a device that connects two networks, it needs two IP addresses—one for the LAN, and one for the Internet. In this Administration Guide, you’ll see references to the “Internet IP address” and the “LAN IP address”. Since the router uses NAT technology, the only IP address that can be seen from the Internet for your network is the router’s Internet IP address.
[Figure: IPS Scenarios]
3 Planning Your Virtual Private Network (VPN)

This chapter provides information for planning your VPN. It includes these sections:
• Why do I need a VPN?, page 13
• What is a VPN?, page 15

Why do I need a VPN?

Computer networking provides a flexibility not available when using an archaic, paper-based system. With this flexibility, however, comes an increased risk in security. Firewalls address this risk. Firewalls help to protect data inside of a local network.
1) MAC Address Spoofing

Packets transmitted over a network, either your local network or the Internet, are preceded by a packet header. These packet headers contain both the source and destination information for that packet to transmit efficiently. A hacker can use this information to spoof (or fake) a MAC address allowed on the network. With this spoofed MAC address, the hacker can also intercept information meant for another user.
What is a VPN?

A VPN, or Virtual Private Network, is a connection between two endpoints—a VPN router, for instance—in different networks that allows private data to be sent securely over a shared or public network, such as the Internet. This establishes a private network that can send data securely between these two locations or networks. This is done by creating a “tunnel”.
VPN Router to VPN Router

With a VPN-router-to-VPN-router VPN, a telecommuter uses his VPN router for his always-on Internet connection. His router is configured with his office’s VPN settings. When he connects to his office’s router, the two routers create a VPN tunnel, encrypting and decrypting data. As VPNs utilize the Internet, distance is not a factor.
Computer (using the Cisco QuickVPN Client software) to VPN Router

In this illustration, you see an example of a computer-to-VPN router VPN. In her hotel room, a traveling businesswoman connects to her ISP. Her notebook computer has the Cisco QuickVPN Client software, which is configured with her office’s IP address. She accesses the Cisco QuickVPN Client software and connects to the VPN router at the central office.
4 Getting Started with the RVS4000 Router

This chapter describes the physical features of the RVS4000 router and explains how to install the router. It includes these sections:
• Front Panel, page 18
• Back Panel, page 19
• Placement Options, page 20
• Installing the Router, page 22
• Configuring the Router, page 23

Front Panel

The LEDs are located on the front panel of the router.

[Figure: Front Panel]

POWER LED: Steady green when the router is powered on.
IPS LED: Steady green when the Intrusion Prevention System (IPS) function is enabled. Unlit when IPS functions are disabled. Flashes green when an external attack is detected. Flashes red when an internal attack is detected.
Ethernet Port LEDs 1-4: For each LAN port, there are three LEDs. Steady green when the router is connected to a device at the speed indicated through the corresponding port (1, 2, 3, or 4).
ETHERNET Ports 1-4: Provide a LAN connection to network devices, such as PCs, print servers, or additional switches.
POWER Port: Connects the router to power via the supplied AC power adapter.

Placement Options

You can place the router horizontally on the rubber feet, mount it in the stand, or mount it on the wall.

Desktop Option

For desktop placement, place the Cisco RVS4000 router horizontally on a surface so it sits on its four rubber feet.
To place the router vertically, follow these steps.
STEP 1 Locate the left side panel of the router.
STEP 2 With the two large prongs of one of the stands facing outward, insert the short prongs into the little slots in the router and push the stand upward until the stand snaps into place.
STEP 3 Repeat step 2 with the other stand.

Wall Option

To mount the Cisco RVS4000 router on the wall, follow these steps.
Installing the Router

To prepare the router for installation, complete these tasks:
• Obtain the setup information for your specific type of Internet connection from your Internet Service Provider (ISP).
• Power off all of your network hardware, including the router, PCs, and cable modem or DSL modem.
Perform the steps in this section to install the hardware.
STEP 4 Power on the cable or DSL modem.
STEP 5 Connect the power adapter to the router’s Power port and plug the other end into an electrical outlet.
STEP 6 The Power and Internet LEDs on the front panel light up green as soon as the power adapter is connected.
STEP 7 Power on the PCs.
The router hardware installation is now complete.
STEP 4 Click OK. For added security, you should later set a new password on the Administration > Management page of the configuration utility.
STEP 5 The configuration utility appears with the Setup menu and Summary selected. Click WAN under the Setup menu.
STEP 6 If requested by your ISP (usually cable ISPs), complete the Host Name and Domain Name fields, and the MTU and MTU Size fields. Otherwise, leave the defaults.
5 Setting Up and Configuring the Router

This chapter explains how to configure these router functions:
• Setup, page 26
• Firewall, page 46
• VPN, page 58
• QoS, page 67
• Administration, page 72
• IPS, page 82
• L2 Switch, page 86
• Status, page 95

Configure the router by using the built-in web-based configuration utility. To access the configuration utility of the router, open your web browser and enter http://192.168.1.1 into the Address field.
[Figure: Login Window]

After you log in, the configuration utility starts. The menus appear as links in the navigation pane on the left side of the screen. After you select a menu, a list of windows appears. To perform a specific function, select a menu, and then select the appropriate window. By default, the Setup menu’s Summary window appears after you log in. The utility’s menus and windows are described below.
Setup > Summary

System Information
Firmware version Displays the router’s current firmware version.
CPU Displays the router’s CPU type.
System up time Displays the length of time that has elapsed since the router was last reset.
DRAM Displays the amount of DRAM installed in the router.
Flash Displays the amount of flash memory installed in the router.
Network Setting Status
LAN IP The IP address of the router’s LAN interface.
WAN IP The IP address of the router’s WAN interface. If this address was assigned by using DHCP, click DHCP Release to release the address, or click DHCP Renew to renew the address.
Mode The operating mode, Gateway or Router.
Gateway The Gateway address, which is the IP address of your ISP’s server.
Setup > WAN

Internet Connection Type
The router supports six types of connections. Each Setup > WAN window and available features differ, depending on the selected connection type.

Automatic Configuration - DHCP
By default, the router’s Configuration Type is set to Automatic Configuration - DHCP, and it should be kept only if your ISP supports DHCP or you connect through a dynamic IP address.
Static IP
If your connection uses a permanent IP address to connect to the Internet, then select Static IP.

[Figure: Static IP]

Internet IP Address The router’s IP address, when seen from the WAN, or the Internet. Your ISP will provide you with the IP Address to specify here.
Subnet Mask The router’s Subnet Mask, as seen by external users on the Internet (including your ISP). Your ISP will provide you with the Subnet Mask.
PPPoE
Some DSL-based ISPs use PPPoE (Point-to-Point Protocol over Ethernet) to establish Internet connections. If you connect to the Internet through a DSL line, check with your ISP to see if they use PPPoE. If they do, enable PPPoE.

[Figure: PPPoE]

User Name and Password Enter the User Name and Password provided by your ISP.
Keep Alive: Redial period If you select this option, the router periodically checks your Internet connection. If you are disconnected, then the router automatically reestablishes your connection. To use this option, click the radio button next to Keep Alive. In the Redial Period field, specify how often you want the router to check the Internet connection. The default Redial Period is 30 seconds.
Connect on Demand: Max Idle Time You can configure the router to cut the Internet connection after it has been inactive for a specified period of time (Max Idle Time), and then automatically re-establish the connection as soon as you attempt to access the Internet again.
Gateway Your ISP will provide you with the Default Gateway Address.
L2TP Server Enter the IP address of the L2TP server.
User Name and Password Enter the User Name and Password provided by your ISP.
Optional Settings (Required by some ISPs)
Your ISP may require some of these settings. Verify with your ISP before making any changes.

[Figure: Optional Settings]

Host Name Some ISPs, usually cable ISPs, require a host name as identification. You may have to check with your ISP to see if your broadband Internet service has been configured with a host name. In most cases, you can leave this field blank.
DDNS Service
DDNS Service is disabled by default. To enable DDNS Service, follow these instructions:
Connect The Connect button is displayed when DDNS is enabled. You can click this button to contact the DDNS server to manually update your IP address information. The Status area on this window is also updated.
STEP 1 Sign up for DDNS Service:
• DynDNS - Sign up for DDNS service at www.dyndns.
Setup > LAN

The Setup > LAN window allows you to change the router’s local network settings.
VLAN Select the VLAN for the DHCP server from the drop-down menu.
NOTE This option appears only if you have created at least one VLAN from the L2 Switch > Create VLAN window.

IPv4
The router’s Local IP Address and Subnet Mask appear here. In most cases, you can keep the defaults.
Local IP Address The default value is 192.168.1.1.
Subnet Mask The default value is 255.255.255.0.
Static IP Mapping
Static IP Mapping is used to bind a specific IP address to a specific MAC address. This helps external (WAN) users to access LAN servers that are advertised through NAPT port forwarding. You can define up to 50 entries.
Static IP Address Enter the IP address to be mapped.
MAC Address Enter the MAC address to be mapped.
Host Name Enter the host name to be mapped.
Click Add to create the entry and add it to the list.
Setup > DMZ

DMZ Hosting This feature allows one local PC to be exposed to the Internet for use of a special-purpose service such as Internet gaming and videoconferencing. To use this feature, select Enable. To disable the DMZ feature, select Disable.
DMZ Host IP Address To expose one PC, enter the computer’s IP address.
Click Save to save your changes, or click Cancel to undo your changes.
Setup > Advanced Routing

[Figure: Setup > Advanced Routing]

Operating Mode
Operation Mode Select the Operating mode for this router:
• Gateway The normal mode of operation. This allows all devices on your LAN to share the same WAN (Internet) IP address. In Gateway mode, the NAT (Network Address Translation) mechanism is enabled.
RIP Send Packet Version Choose the TX protocol to use to transmit data on the network: RIPv1 or RIPv2. This setting should match the version supported by other routers on your LAN.
RIP Recv Packet Version Choose the RX protocol to use to receive data from the network: RIPv1 or RIPv2. This should match the version supported by other routers on your LAN.
Click Save to save your changes, or click Cancel to undo your changes.

Setup > Time

[Figure: Setup > Time]

Set the local time
Manually If you wish to enter the time and date manually, select this option, then select the Date from the drop-down fields and enter the hour, minutes, and seconds in the Time fields in 24-hour format. For example, for 10:00 pm, enter 22 in the hours field, 0 in the minutes field, and 0 in the seconds field.
Setup > IP Mode

[Figure: Setup > IP Mode]

IPv4 Only Select this option to use IPv4 on the Internet and local network.
Dual-Stack IP Select this option to use IPv4 on the Internet and IPv4 and IPv6 on the local network. IPv6 hosts in the LAN are connected to remote IPv6 islands over 6to4 tunnels (per RFC3056).
Click Save to save your settings or click Cancel to undo your changes.
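The 6to4 address format that the Dual-Stack IP option relies on, as an added worked example (not from the guide or from the router firmware): it derives the RFC 3056 /48 prefix from the WAN IPv4 address, carves a /64 LAN subnet out of it, and recovers the IPv4 tunnel endpoint embedded in a 6to4 destination. The WAN address 192.0.2.1 is a constructed sample; the private-address check is the one caveat a Dual-Stack deployment behind an upstream NAT runs into.

```python
import ipaddress

# RFC 1918 ranges: a WAN address inside them is a NAT'd private address, so
# 6to4 (which embeds the public IPv4 address in the prefix) cannot work from it.
RFC1918 = tuple(ipaddress.IPv4Network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
SIXTO4 = ipaddress.IPv6Network("2002::/16")


def sixto4_prefix(wan_ipv4: str) -> str:
    """Return the /48 6to4 prefix 2002:WWXX:YYZZ::/48 for a public WAN address."""
    v4 = ipaddress.IPv4Address(wan_ipv4)
    if any(v4 in net for net in RFC1918):
        raise ValueError(f"{wan_ipv4} is a private address; 6to4 needs the public WAN IP")
    hi, lo = int(v4) >> 16, int(v4) & 0xFFFF   # the 32-bit address split into two hextets
    return str(ipaddress.IPv6Network(f"2002:{hi:04x}:{lo:04x}::/48"))


def lan_subnet(prefix: str, subnet_id: int) -> str:
    """One of the 65536 /64 LAN subnets available under a 6to4 /48 (bits 48..63)."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Network((int(net.network_address) | (subnet_id << 64), 64)))


def sixto4_ipv4_endpoint(ipv6_dst: str) -> str:
    """Recover the IPv4 endpoint embedded in bits 16..47 of a 6to4 address.
    This is where the router sends the IPv6 packet, wrapped in IPv4 protocol 41
    without any encryption or authentication (6to4 is a tunnel, not a VPN)."""
    v6 = ipaddress.IPv6Address(ipv6_dst)
    if v6 not in SIXTO4:
        raise ValueError(f"{ipv6_dst} is not a 6to4 address")
    return str(ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF))


if __name__ == "__main__":
    prefix = sixto4_prefix("192.0.2.1")          # constructed sample WAN address
    print(prefix, lan_subnet(prefix, 1), sixto4_ipv4_endpoint("2002:c000:201:1::10"))
```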
Firewall

Use the Firewall menu to configure the router to deny or allow specific internal users from accessing the Internet. You can also configure the router to deny or allow specific Internet users from accessing the internal servers. You can set up different packet filters for different users on the internal (LAN) side or external (WAN) side based on their IP addresses or their network Port number.
HTTPS This option limits access to the configuration utility from the WAN to https sessions only. An https session uses SSL encryption, which provides better protection for your remote session than does http. The default is Enable.
• Remote IP address Select the appropriate value to specify which external IP address(es) can access the router.
• Any IP Address Allows access from any external IP address.
Firewall > IP Based ACL

The IP-Based ACL window allows you to create an Access Control List (ACL) with up to 50 rules. Each ACL rule denies or allows access to the network based on various criteria including priority, service type, interface, source IP address, destination IP address, day of the week, and time of day.

[Figure: Firewall > IP Based ACL]

Priority The rule’s priority.
Enable This indicates whether the rule is enabled or disabled.
To add a new rule to the ACL rule table, click Add New Rule and the Edit IP ACL Rule window appears. Follow the instructions in the section below to create a new ACL rule. To disable all the rules without deleting them, click Disable All Rules. To delete all the rules from the table, click Delete All Rules.

Editing IP ACL Rules

[Figure: Editing IP ACL Rules]

Action Select the desired action, Allow or Deny, from the drop-down menu.
Source Interface Select the source interface, WAN, LAN, or ANY, from the drop-down menu.
Source IP To apply the rule to one source IP address, select Single from the drop-down menu, then enter the address in the field. To apply the rule to all source IP addresses, select ANY from the drop-down menu. To apply the rule to a range of IP addresses, select Range and enter the starting and ending IP addresses.
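An added example (not code from the guide or from the router) that models how an IP-based ACL of the kind described above is evaluated: rules are walked in priority order (lower number first is an assumption), disabled rules are skipped, and the first rule whose interface, service, source, destination, day and time all match decides the packet. The rule table, the packets and the Allow default when nothing matches are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    priority: int                      # assumed: lower number is evaluated first
    enabled: bool                      # the Enable flag; disabled rules are skipped
    action: str                        # "Allow" or "Deny"
    proto: str                         # service type: "tcp", "udp", or "any"
    port: Optional[int]                # destination port of the service; None = any
    src_iface: str                     # "WAN", "LAN", or "ANY"
    src: str                           # "ANY", "a.b.c.d" (Single), or "a.b.c.d-e.f.g.h" (Range)
    dst: str                           # same three forms as src
    days: Tuple[str, ...]              # ("Mon", "Tue", ...); empty = every day
    window: Optional[Tuple[str, str]]  # ("09:00", "17:00") in 24-hour HH:MM; None = all day


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on: "WAN" or "LAN"
    proto: str
    src: str
    dst: str
    dport: int
    when: datetime


def ip_matches(spec: str, ip: str) -> bool:
    """Single, Range (inclusive) or ANY address specification."""
    if spec.upper() == "ANY":
        return True
    addr = ipaddress.IPv4Address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr == ipaddress.IPv4Address(spec)


def schedule_matches(rule: AclRule, when: datetime) -> bool:
    if rule.days and when.strftime("%a") not in rule.days:
        return False
    if rule.window is None:
        return True
    start, end = rule.window
    return start <= when.strftime("%H:%M") < end   # zero-padded HH:MM compares as text


def rule_matches(rule: AclRule, pkt: Packet) -> bool:
    return (rule.enabled
            and rule.src_iface in ("ANY", pkt.iface)
            and rule.proto in ("any", pkt.proto)
            and (rule.port is None or rule.port == pkt.dport)
            and ip_matches(rule.src, pkt.src)
            and ip_matches(rule.dst, pkt.dst)
            and schedule_matches(rule, pkt.when))


def evaluate(rules, pkt: Packet, default: str = "Allow"):
    """First matching rule in priority order wins; returns (action, priority).
    The default action when no rule matches is an assumption, not documented here."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.action, rule.priority
    return default, None


# Constructed sample rule table.
SAMPLE_RULES = (
    AclRule(0, False, "Deny", "any", None, "ANY", "ANY", "ANY", (), None),          # disabled, so ignored
    AclRule(1, True, "Allow", "tcp", 443, "WAN", "ANY", "192.168.1.10", (), None),  # published HTTPS server
    AclRule(2, True, "Deny", "any", None, "WAN", "ANY", "ANY", (), None),           # everything else from WAN
    AclRule(3, True, "Deny", "tcp", 80, "LAN", "192.168.1.100-192.168.1.150", "ANY",
            ("Mon", "Tue", "Wed", "Thu", "Fri"), ("09:00", "17:00")),               # guest range, office hours
)

if __name__ == "__main__":
    wed = datetime(2024, 1, 10, 10, 0)   # a Wednesday at 10:00
    for pkt in (Packet("WAN", "tcp", "203.0.113.7", "192.168.1.10", 443, wed),
                Packet("WAN", "tcp", "203.0.113.7", "192.168.1.10", 22, wed),
                Packet("LAN", "tcp", "192.168.1.120", "198.51.100.9", 80, wed)):
        print(pkt.iface, pkt.proto, pkt.dport, "->", evaluate(SAMPLE_RULES, pkt))
```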
Firewall > Internet Access Policy

[Figure: Firewall > Internet Access Policy]

You can manage access to your network by configuring a policy. Use the settings on this window to establish an access policy. Select a policy from the drop-down menu to display the settings for a policy. You can then perform these operations:
• Create a Policy: See the instructions below.
• Delete the current policy: Click Delete.
• View all policies: Click Summary to display the Internet Policy Summary window, which lists all of the Internet access policies and includes this information: No., Policy Name, Days, Time, and a check box to delete (clear) the policy. To delete a policy, check the box in the Delete column, and then click Delete.
• View or change the PCs covered by the current policy: Click Edit List of PCs to display the List of PCs window.
On the List of PCs popup, you can define PCs by MAC Address or IP Address. You can also enter a range of IP Addresses if you want this policy to affect a group of PCs.
To create an Internet Access policy:
STEP 1 Select the desired policy number from the Internet Access Policy drop-down menu.
STEP 2 Enter a Policy Name in the field provided.
STEP 3 To enable this policy, set the Status option to Enable.
Firewall > Single Port Forwarding

[Figure: Firewall > Single Port Forwarding]

Application Enter the name of the application you wish to configure.
External Port The port number used by the server or Internet application. Internet users must connect using this port number. Check with the software documentation of the Internet application for more information.
Enabled Click the Enabled checkbox to enable port forwarding for the relevant application.
Click Save to save your changes, or click Cancel to undo your changes.

Firewall > Port Range Forwarding

[Figure: Firewall > Port Range Forwarding]

Application Enter the name of the application you wish to configure.
Start The beginning of the port range. Enter the beginning of the range of port numbers (external ports) used by the server or Internet application.
Firewall > Port Range Triggering

[Figure: Firewall > Port Range Triggering]

Application Name Enter the name of the application you wish to configure.
Triggered Range For each application, list the triggered port number range. These ports are used by outgoing traffic. Check with the Internet application documentation for the port number(s) needed. In the first field, enter the starting port number of the Triggered Range.
ProtectLink

ProtectLink > ProtectLink Purchase

[Figure: ProtectLink > ProtectLink Purchase]

The optional Cisco ProtectLink Web service provides security for your network. For more information, see Appendix E, “Cisco ProtectLink Web Service.”
VPN

VPN > Summary

[Figure: VPN > Summary]

Tunnels Used Displays the number of tunnels used.
Tunnel(s) Available Displays the number of available tunnels.
Detail button Click Detail to display more tunnel information.

Tunnel Status
No. Displays the number of the tunnel.
Name Displays the name of the tunnel, as defined by the Tunnel Name field on the VPN > IPSec VPN window.
Config Click Edit to change the tunnel’s settings. Click Trash to delete all of the tunnel’s settings.
Tunnel(s) Enabled Displays the total number of currently enabled tunnels.
Tunnel(s) Defined Displays the number of tunnels currently defined. This number will be greater than the Tunnels Enabled field if any defined tunnels have been disabled.

VPN Clients Status
No. Displays the user number from 1 to 5.
Username Displays the username of the VPN Client.
VPN > IPSec VPN

Use the VPN > IPSec VPN window to create and configure a Virtual Private Network (VPN) tunnel.
Select Tunnel Entry To create a new tunnel, select new. To configure an existing tunnel, select it from the drop-down menu.
Delete Click this button to delete all settings for the selected tunnel.
Summary Clicking this button shows the settings and status of all enabled tunnels.

IPSec VPN Tunnel
Check the Enable option to enable this tunnel.
Tunnel Name Enter a name for this tunnel, such as “Anaheim Office”.
domain name in the Domain Name field. Then select either IP Address or IP by DNS Resolved from the drop-down menu, and fill in the IP Address field or Domain Name field.
Remote Security Group Type Select the remote LAN user(s) behind the remote gateway who can use this VPN tunnel. This may be a single IP address or a Subnetwork. Note that the Remote Security Group Type must match the other router’s Local Security Group Type.
• Encryption The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. Only 3DES is supported. Note that both sides must use the same Encryption method.
• Authentication Authentication determines a method to authenticate the ESP packets. Either MD5 or SHA1 may be selected. Note that both sides (VPN endpoints) must use the same Authentication method.
• MD5 A one-way hashing algorithm that produces a 128-bit digest.
Aggressive Mode Specifies the type of Phase 1 exchange, Main mode or Aggressive mode. Check the box to select Aggressive Mode or leave the box unchecked (default) to select Main mode. Aggressive mode requires half of the main mode messages to be exchanged in Phase 1 of the SA exchange. If network security is preferred, select Main mode.
NetBIOS Broadcasts Check the box to enable NetBIOS traffic to pass through the VPN tunnel.
Re-enter to Confirm Retype the password to ensure it has been entered correctly.
Allow User to Change Password This option determines whether a user can change his or her own password.

VPN Client List Table
No. Displays the user number.
Active When checked, the designated user can connect, otherwise the VPN client account is disabled.
Username Displays the username.
Edit Allows editing of the username or password.
VPN > VPN Passthrough

[Figure: VPN > VPN Passthrough]

IPSec PassThrough Internet Protocol Security (IPSec) is a suite of protocols used to implement secure exchange of packets at the IP layer. IPSec Passthrough is enabled by default to allow IPSec tunnels to pass through the router. To disable IPSec Passthrough, select Disabled.
PPTP PassThrough Point-to-Point Tunneling Protocol (PPTP) allows the Point-to-Point Protocol (PPP) to be tunneled through an IP network.
QoS

You can use QoS (Quality of Service) to perform Bandwidth Management, by either Rate Control or Priority. You can also configure QoS Trust Mode and the DSCP settings.
Bandwidth This section lets you specify the maximum bandwidth provided by the ISP on the WAN interface, for both the upstream and downstream directions.

Bandwidth Management Type
Type The desired type of bandwidth management, either Rate Control or Priority (default). Depending on your selection, the lower portion of the window displays either the Rate Control section or the Priority section.

Rate Control
Service Select the service from the drop-down menu.
Priority

[Figure: QoS > Bandwidth Management - Priority]

Service Select the service from the drop-down menu. If it does not contain the service you need, click Service Management to add the service.
Direction Select Upstream for outbound traffic or Downstream for inbound traffic from the drop-down menu.
Priority Select High, Medium, Normal, or Low priority for the service. The default is Medium.
Enable Check this box to enable this Priority Rule.
QoS > QoS Setup

Use the QoS Setup window to configure QoS Trust Mode for each LAN port.

[Figure: QoS > QoS Setup]

Port ID The number of the LAN port.
Trust Mode Select either Port, CoS, or DSCP. The default is Port.
Default CoS/Port Priority If Trust Mode is set to Port, select the port priority from 1 to 4 from the drop-down menu, where 4 is the highest priority. If Trust Mode is set to CoS, select the default CoS priority from 0 to 7 from the drop-down menu.
QoS > DSCP Setup

[Figure: QoS > DSCP Setup]

DSCP The Differentiated Services Code Point value in the incoming packet.
Queue Select the traffic forwarding queue, 1 to 4, to which the DSCP priority is mapped. Queue 4 has the highest priority.
Restore Defaults Click this button to restore the default DSCP values.
Click Save to save your changes, or click Cancel to undo your changes.
Administration

Use the Administration menu to configure the system administration settings and tools.

Administration > Management

[Figure: Administration > Management]

Router Access
Router Userlist Select the desired router user list.
Router Username Enter the user name here.
Router Password Enter the password.
Re-enter to Confirm Retype the password in this field.

SNMP
SNMP Select Enable if you wish to use SNMP.
System Contact Enter contact information for the system.
System Location Enter the location of the system.
Read Community Enter the SNMP community name for SNMP “Get” commands.
Write Community Enter the SNMP community name for SNMP “Set” commands.
Trap Community Enter the SNMP community name for SNMP “Trap” commands.
Trap To Enter the IP Address of the SNMP Manager to which traps will be sent. If desired, this may be left blank.
Administration > Log

[Figure: Administration > Log]

Log Setting
Log Level Select the log level(s) that the router should record.
Log Levels
Level  Severity Name  Description
4      LOG_WARNING    Warning conditions
3      LOG_ERR        Error conditions
2      LOG_CRIT       Critical conditions
1      LOG_ALERT      Immediate action needed
0      LOG_EMERG      System unusable

Outgoing Log Select Enable to cause all outgoing packets to be logged. You can then click View Outgoing Table to display information on the outgoing packets including Source IP, Destination IP, and Service/Port number.
Email Log Now Press this button to cause the log to be emailed immediately.

Syslog
Enable Syslog Check the box if you want to use this feature.
Syslog Server Enter the IP Address in this field when Enable Syslog is checked.

Local Log
Local Log Enable this if you want to see a log of all incoming and outgoing URLs or IP addresses.
View Log Click this button when you wish to view the logs. A new window appears with the log data.
Ping Test Parameters
Ping Target IP Enter the IP address or URL that you want to ping.
Ping Size Enter the size of the packet you want to use.
Number of Pings Enter the number of times you wish to ping the target device.
Ping Interval Enter the time period (milliseconds) between each ping.
Ping Timeout Enter the desired time period (milliseconds). If a response is not received within the defined ping period, the ping is considered to have failed.
Setting Up and Configuring the Router Administration 5 Administration > Backup & Restore Administration > Backup & Restore To download a copy of the current configuration and store the file on your PC, click Backup to start the download. Restore Configuration To restore a previously saved config file back to the router, enter the file name in the field or click Browse to select the config file, then click Restore to upload the config file.
Setting Up and Configuring the Router Administration 5 Administration > Factory Default Administration > Factory Default Restore Factory Defaults Click this button to reset all configuration settings to their factory default values. Any previously saved settings will be lost when the default settings are restored. After clicking the button, another window appears. Click OK to continue. Another window appears while the system reboots.
Setting Up and Configuring the Router Administration 5 Administration > Reboot Administration > Reboot Reboot Click this button to reboot the router. This operation does not cause the router to lose any of its stored settings. Administration > Firmware Upgrade Administration > Firmware Upgrade Use this page to upgrade the router by using firmware from Cisco.com. Step-bystep instructions are provided on the next page.
Setting Up and Configuring the Router Administration 5 STEP 1 Check the hardware version of the router by referring to the label on the bottom panel. The PIDVID number includes the characters V01 (Version 1) or V02 (Version 2). STEP 2 To find the latest firmware for the router, go to www.cisco.com/go/software. STEP 3 In the search box, enter: RVS4000, and then click Go. STEP 4 In the Search Results, click the Download Software link for your router (usually the first link).
IPS
IPS > Configuration
IPS Function: Select Enable to enable or Disable to disable the IPS function.
Anomaly Detection. HTTP: Web attack signatures are matched against the decoded request. The HTTP request decoder decodes UTF-8 (1-, 2- and 3-byte) sequences and normalizes the URI (covering the evasion methods described for whisker) before pattern matching, so a signature cannot be hidden behind percent-encoding, overlong UTF-8 forms, "/./" segments or doubled slashes. FTP: Detects FTP bounce attacks (a PORT command that asks the server to open its data connection to an address other than the client's) and Telnet opcodes inserted into the FTP command stream.
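The two decoder checks described above, written out as an added Python example (this is not the router's code; the signatures and the inputs are constructed for illustration). normalize_uri percent-decodes, decodes 1-, 2- and 3-byte UTF-8 including overlong forms, folds case and backslashes and resolves "." and ".." before matching, and naive_matches shows what raw byte matching misses. ftp_check flags a PORT command that names a foreign address or a privileged port, and any Telnet IAC (0xFF) byte in the command stream:

```python
import ipaddress
import re
from urllib.parse import unquote_to_bytes

# Constructed signatures standing in for the router's web-attack patterns.
SIGNATURES = ("/cgi-bin/phf", "/etc/passwd")


def decode_utf8_loose(data):
    """Decode 1-, 2- and 3-byte UTF-8 sequences, accepting overlong forms
    such as C0 AF for '/'. Code points below 0x80 are mapped back to the
    ASCII byte they encode; anything else is passed through unchanged."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        b = data[i]
        if 0xC0 <= b < 0xE0 and i + 1 < n and data[i + 1] & 0xC0 == 0x80:
            cp, width = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F), 2
        elif (0xE0 <= b < 0xF0 and i + 2 < n
              and data[i + 1] & 0xC0 == 0x80 and data[i + 2] & 0xC0 == 0x80):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            width = 3
        else:
            cp, width = b, 1
        out += bytes([cp]) if cp < 0x80 else data[i:i + width]
        i += width
    return bytes(out)


def normalize_uri(raw):
    """Canonicalise a request path before signature matching: drop the query
    string, percent-decode twice (catches double encoding), decode UTF-8
    including overlong forms, fold case and backslashes, then resolve '.',
    '..' and empty segments."""
    path = raw.split(b"?", 1)[0]
    for _ in range(2):
        path = unquote_to_bytes(path)
    text = decode_utf8_loose(path).decode("latin-1").replace("\\", "/").lower()
    parts = []
    for seg in text.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def naive_matches(raw):
    """Byte-for-byte matching on the raw request: what the evasions defeat."""
    return [s for s in SIGNATURES if s.encode() in raw]


def http_matches(raw):
    """Matching after the decoder has normalised the URI."""
    uri = normalize_uri(raw)
    return [s for s in SIGNATURES if s in uri]


PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
IAC = 0xFF  # Telnet "interpret as command" opcode


def ftp_check(client_ip, command):
    """Anomalies in one FTP control-channel command sent from client_ip:
    'telnet-opcode' for a raw IAC byte in the stream, 'bounce' for a PORT
    command naming an address other than the client's or a privileged port
    (the server would be used to connect somewhere else)."""
    findings = []
    if IAC in command:
        findings.append("telnet-opcode")
    m = PORT_RE.match(command.decode("latin-1").rstrip("\r\n"))
    if m:
        fields = [int(x) for x in m.groups()]
        port = fields[4] * 256 + fields[5]
        if any(x > 255 for x in fields):
            findings.append("malformed-port")
        else:
            target = ipaddress.ip_address(".".join(map(str, fields[:4])))
            if target != ipaddress.ip_address(client_ip) or port < 1024:
                findings.append("bounce")
    return findings
```

Decoding twice is a deliberate choice here so that double-encoded requests are caught; on a real sensor it should be a tunable, because a second decode can also turn a legitimate literal "%25" into something it never was.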
IPS > P2P/IM
Peer to Peer: Peer-to-peer file sharing applications can be blocked (Block) or allowed (Non-Block). The preconfigured file sharing networks are GNUTELLA (EZPEER), FASTTRACK, KURO, EDONKEY2000, BITTORRENT, DIRECTCONNECT, PIGO, and WINMX. Instant Messenger: Instant messaging applications can be blocked (Block) or allowed (Non-Block).
IPS > Report
Provides a graphical representation of the level of network traffic and attacks during the last twenty-four hours. Attacker: Displays the IP addresses of attackers and the frequency (number of times) of the attacks. Attack Category: Displays the category (type) of attack and the frequency (number of times) of the attacks. The attacker address is the source address as the router saw it; behind a NAT device it identifies the translating device rather than the end host.
IPS > Information
Signature Version: Displays the version of the signature patterns in the router that protect against malicious threats. Last Time Upload: Displays when the signature patterns in the router were last updated. Protect Scope: Lists the types of attacks that the router's IPS feature protects against. The IPS only detects what its signature set describes, so check Signature Version after each firmware upgrade.
L2 Switch
VLANs function at Layer 2. A VLAN isolates the traffic inside it, so a Layer 3 router with an interface in each VLAN is needed for traffic to flow between VLANs; the router, not the switch, is therefore where access between VLANs is controlled. VLANs are broadcast and multicast domains: broadcast and multicast traffic is transmitted only within the VLAN in which it was generated. The RVS4000 supports up to 4 VLANs, including the default VLAN.
L2 Switch > Create VLAN
VLAN ID: The VLAN ID number.
L2 Switch > VLAN Port Setting
Port ID: Displays the port number, from 1 to 4. Mode: Select the mode of the port: Trunk, Untagged, or Tagged. The default is Untagged. In Trunk mode, incoming and outgoing frames can be either tagged or untagged; incoming untagged frames are assigned the port's default PVID (Port VLAN ID). In Untagged mode, all incoming and outgoing frames are untagged.
L2 Switch > VLAN Membership
VLAN ID: Select the VLAN whose membership you want to configure. Description: Enter a VLAN group name of up to 50 characters. Function/Port table: The top half of the table shows each port's current mode (Untagged, Tagged, or Trunk). The lower half of the table assigns port membership for the selected VLAN. The default for each port is Exclude (the port is not a member of the VLAN).
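To make the port modes and the membership table concrete, here is an added Python model of the switch's forwarding decision (example code, not the switch firmware). The 802.1Q tag layout is standard. Three points are assumptions because the guide does not spell them out: a tagged frame arriving on an Untagged-mode port is dropped, a Tagged-mode port accepts only tagged frames, and a Trunk port sends its own PVID VLAN untagged and tags everything else. The switch configuration and the frames are constructed.

```python
TPID_8021Q = b"\x81\x00"

# Constructed switch configuration: modes and PVIDs as on the VLAN Port Setting
# page, membership as on the VLAN Membership page. Two of the four VLANs allowed.
SWITCH = {
    "ports": {
        1: {"mode": "Untagged", "pvid": 1},    # office PC, VLAN 1
        2: {"mode": "Untagged", "pvid": 10},   # guest PC, VLAN 10
        3: {"mode": "Trunk", "pvid": 1},       # uplink carrying both VLANs
        4: {"mode": "Tagged", "pvid": 1},      # VLAN-aware server, VLAN 1 only
    },
    "vlans": {1: {1, 3, 4}, 10: {2, 3}},
}


def parse_frame(frame):
    """Return (dst, src, vid_or_None, rest) where rest starts at the EtherType.
    A tagged frame carries TPID 0x8100 at offset 12 followed by the 16-bit TCI,
    whose low 12 bits are the VLAN ID."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    if frame[12:14] == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = int.from_bytes(frame[14:16], "big")
        return dst, src, tci & 0x0FFF, frame[16:]
    return dst, src, None, frame[12:]


def strip_tag(frame):
    dst, src, _, rest = parse_frame(frame)
    return dst + src + rest


def add_tag(frame, vid, pcp=0):
    """Insert (or replace) an 802.1Q tag with the given VLAN ID and priority."""
    dst, src, _, rest = parse_frame(frame)
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + TPID_8021Q + tci.to_bytes(2, "big") + rest


def classify_ingress(port_cfg, frame):
    """VLAN an incoming frame is assigned to, or None if it is dropped.
    Untagged mode: frames belong to the PVID; a tagged frame is dropped
    (assumption: the guide only says such ports carry untagged frames).
    Tagged mode: the frame's own VID; untagged frames are dropped (assumption).
    Trunk mode: the frame's VID, or the PVID for untagged frames (as described)."""
    _, _, vid, _ = parse_frame(frame)
    mode = port_cfg["mode"]
    if mode == "Untagged":
        return port_cfg["pvid"] if vid is None else None
    if mode == "Tagged":
        return vid
    if mode == "Trunk":
        return port_cfg["pvid"] if vid is None else vid
    raise ValueError(f"unknown port mode {mode!r}")


def egress(port_cfg, vid, frame):
    """Frame as it leaves the port: Untagged ports strip the tag, Tagged ports
    always tag, Trunk ports send their PVID (native) VLAN untagged and tag the
    rest (assumption: common 802.1Q trunk behaviour, not stated in the guide)."""
    bare = strip_tag(frame)
    mode = port_cfg["mode"]
    if mode == "Untagged" or (mode == "Trunk" and vid == port_cfg["pvid"]):
        return bare
    return add_tag(bare, vid)


def forward(switch, in_port, frame):
    """{out_port: frame_as_sent} for a frame received on in_port. Flooding to
    all other member ports stands in for MAC learning; it is enough to show
    that a frame never leaves its VLAN."""
    vid = classify_ingress(switch["ports"][in_port], frame)
    members = switch["vlans"].get(vid, set())
    if vid is None or in_port not in members:
        return {}
    return {p: egress(switch["ports"][p], vid, frame)
            for p in members if p != in_port}


def make_frame(dst_hex, src_hex, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed untagged Ethernet frame for the examples."""
    return bytes.fromhex(dst_hex) + bytes.fromhex(src_hex) + ethertype.to_bytes(2, "big") + payload
```

With this configuration a broadcast from the guest PC on port 2 reaches only the trunk (tagged with VID 10) and never the office PC or the server, which is the isolation the page describes; a frame that arrives on port 1 already carrying a VLAN 10 tag is discarded rather than admitted into VLAN 10.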
L2 Switch > RADIUS
Mode: Select Enabled or Disabled from the drop-down menu to enable or disable RADIUS. RADIUS IP: Enter the server IP address. RADIUS UDP Port: Enter the UDP port on which the RADIUS server accepts authentication requests (1812 is the standard port; 1645 is the older value some servers still use). RADIUS Secret: Enter the key string shared with the RADIUS server; it must match the secret configured on the server for this router. Be precise about what the shared secret protects: it hides the User-Password attribute and authenticates the server's responses (and Message-Authenticator attributes where they are used), but it does not encrypt the rest of the exchange, so user names and other attributes cross the network in clear text. Use a long random secret and keep the path to the RADIUS server on a trusted network segment.
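An added Python example (not Cisco's code) of what the RADIUS Secret actually does on the wire, following RFC 2865: hiding the User-Password attribute of an Access-Request with MD5 over the secret and the Request Authenticator, and computing and verifying the Response Authenticator that lets the router trust an Access-Accept. The secret, user name and password are constructed values.

```python
import hashlib
import hmac
import os

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18


def hide_password(secret, request_auth, password):
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16,
    then XOR each block with MD5(secret + previous block), the first
    'previous block' being the 16-byte Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password may not exceed 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def unhide_password(secret, request_auth, hidden):
    """Inverse of hide_password, as the server does it."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(atype, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value


def packet(code, ident, authenticator, attrs):
    """Code, Identifier, Length (whole packet), Authenticator, attributes."""
    return bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big") + authenticator + attrs


def access_request(secret, username, password, ident=1, request_auth=None):
    """Client side: fresh random Request Authenticator, hidden password."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(USER_NAME, username) + attribute(USER_PASSWORD, hide_password(secret, request_auth, password))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def response_authenticator(secret, code, ident, request_auth, attrs):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_accept(secret, request_auth, ident, attrs=b""):
    """Server side: the response is bound to the request by its authenticator."""
    auth = response_authenticator(secret, ACCESS_ACCEPT, ident, request_auth, attrs)
    return packet(ACCESS_ACCEPT, ident, auth, attrs)


def verify_response(secret, request_auth, response):
    """Client-side check before trusting an Access-Accept; without it anyone
    on the path could forge an acceptance."""
    code, ident = response[0], response[1]
    attrs = response[20:]
    expected = response_authenticator(secret, code, ident, request_auth, attrs)
    return hmac.compare_digest(expected, response[4:20])
```

Note what is missing: nothing in the Access-Request itself is authenticated unless a Message-Authenticator attribute (RFC 2869) is added, and the User-Name travels in the clear, which is why the shared secret has to be strong and the server kept on a trusted segment.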
L2 Switch > Port Setting
Port: Displays the physical port number. Link: Displays the port duplex mode and speed. Full Duplex means that the interface can transmit and receive between the device and its link partner in both directions simultaneously. Half Duplex means that the interface can transmit between the device and its link partner in only one direction at a time.
L2 Switch > Statistics
Statistics Overview. Tx Bytes: Displays the number of bytes transmitted from the selected port. Tx Frames: Displays the number of frames transmitted from the selected port. Rx Bytes: Displays the number of bytes received on the selected port. Rx Frames: Displays the number of frames received on the selected port. Tx Errors: Displays the number of error frames transmitted from the selected port.
L2 Switch > Port Mirroring
Mirror Source: Use this to enable or disable source port mirroring for each port on the router. To enable source port mirroring on a port, check the box next to that port. To disable it, leave the box unchecked. The default is disabled. Mirror Port: Select the mirror destination port from the drop-down menu. The mirror port receives a copy of every frame seen on the source ports, so connect it only to a capture or IDS host and disable mirroring when the investigation is finished.
L2 Switch > RSTP
RSTP (Rapid Spanning Tree Protocol) prevents loops in the network and dynamically reconfigures which physical links in a switch should forward frames. System Priority: Enter the system priority from 0 to 61440 in increments of 4096. Valid values are 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440. The bridge with the lowest priority (and, on a tie, the lowest MAC address) becomes the root, so a device on a user port that advertises a lower priority can take over the root role and change the forwarding topology; run RSTP only on the links that need it.
Path Cost: The RSTP path cost for the designated ports. Enter a number from 1 to 200000000, or type the word auto (auto-generated path cost). The default is auto.
Status
Status > Gateway
Firmware Version: Displays the gateway's current firmware. MAC Address: Displays the gateway MAC address, as seen by your ISP. Current Time: Displays the time, based on the time zone you selected on the Setup menu.
DNS 1-2: Displays the DNS (Domain Name System) IP addresses currently used by this gateway. IP Conntrack: Click this button to display the IP Conntrack window. IP Conntrack: The IP Conntrack (Connection Tracking) window displays information about TCP/UDP connections, such as source and destination IP address and port number pairs (known as socket pairs), protocol types (TCP/UDP/ICMP), connection state, and timeouts. Connection tracking is what a stateful firewall and NAT use to decide which returning packets belong to an established flow, so this window is also the quickest place to spot an unexpected long-lived connection.
Status > Local Network
Current IP address. System: Shows the current system. MAC Address: The router's MAC address, as seen on your local Ethernet network. IP Address: The router's IP address on the local network. Subnet Mask: The subnet mask for the IP address above. IPv6 Address: The router's IPv6 address, if applicable. DHCP Server: The status of the router's DHCP server function.
6 Using the VPN Setup Wizard
This chapter explains how to use the VPN Setup Wizard. It includes these sections:
• VPN Setup Wizard, page 98
• Before You Begin, page 98
• Running the VPN Setup Wizard, page 99
VPN Setup Wizard
You can configure a gateway-to-gateway VPN tunnel between two VPN routers quickly by using the VPN Setup Wizard. The VPN Setup Wizard runs on Microsoft Windows 2000, XP, and Vista. This chapter describes how to run it.
Running the VPN Setup Wizard
STEP 1 Click Firewall > Basic Settings.
STEP 2 Enable Remote Management and enter 8080 in the Port field. You cannot enter any other value if you want to use the VPN Wizard. Also make sure that HTTPS has been selected.
STEP 3 Click Save.
STEP 4 Click VPN > Summary and make sure the number of Tunnel(s) available is not zero.
Remote Management exposes the router's administration interface on the WAN side on port 8080, so keep HTTPS selected, use a strong administrator password, and disable Remote Management again once the wizard has finished unless you actually need it.
Welcome Window (screenshot)
STEP 4 Read the information about the wizard, and then click Next to proceed.
STEP 5 Choose one method to build the VPN connection:
• If your PC is local to one of the two routers, choose Build VPN connection from Local LAN port of one router, click Next, and continue with these instructions.
• If your PC is remote to the routers, choose Build VPN connection from Internet remotely, and see "Building Your VPN Connection Remotely," on page 109 for instructions on this type of installation.
STEP 6 Enter the required data in the Configure VPN Tunnel window and click Next to continue.
Configure VPN Tunnel
• Router 1 User Name: Enter the user name of Router 1.
• Router 1 Password: Enter the password of Router 1.
• Router 2 User Name: Enter the user name of Router 2.
• Router 2 Password: Enter the password of Router 2.
• Tunnel Name: Enter a name for this tunnel.
The wizard logs in to both routers' administration interfaces with these credentials, so run it from a PC you trust.
The router configuration is checked.
STEP 7 When the Summary window appears, use the Click button to view the VPNC Summary window.
STEP 8 Review the settings, as needed. Click Close when you are ready to continue.
STEP 9 In the Summary window, if all your entries appear correct, click Go. Otherwise click Back to go back and make any corrections.
STEP 10 Click Testing to make sure the connection is successfully established.
STEP 11 When testing is done, click Exit to end the Wizard.
Congratulations! Setup is now complete. You may now log into the Web Administrator Interface and see the results.
Building Your VPN Connection Remotely
This procedure continues from Step 5 on page 102. Use this procedure to build your VPN connection from a remote PC.
STEP 1 Choose Build VPN connection from Internet remotely. Click Next to continue.
STEP 2 Enter the required data in the Configure VPN Tunnel window and then click Next to continue.
Configure VPN Tunnel Window
• Router 1 User Name: Enter the user name of Router 1.
• Router 1 Password: Enter the password of Router 1.
• Router 2 User Name: Enter the user name of Router 2.
• Router 2 Password: Enter the password of Router 2.
• Tunnel Name: Enter a name for this tunnel.
• Pre-shared Key: IKE uses the pre-shared key to authenticate the remote IKE peer. It must be identical at both ends; choose a long random value, because together with the router passwords above it is the only secret protecting the tunnel.
STEP 3 The router configuration is checked.
STEP 4 The Summary window appears. Use the Click box to view the VPNC Summary window.
STEP 5 The VPNC Summary window appears, showing the settings in the standard VPN Consortium (VPNC) form. Click Close when you are ready to continue.
STEP 6 In the Summary window, if all your entries appear correct, click Go. Otherwise click Back to go back and make any corrections.
STEP 7 Click Testing to make sure the connection is successfully established.
STEP 8 When testing is done, click Exit to end the Wizard.
Congratulations! Setup is now complete. You may now log into the Web Administrator Interface and see the results.
A Troubleshooting
This appendix provides solutions to problems that may occur during the installation and operation of the router. Read the descriptions below to help solve your problems. If you can't find an answer here, check the Cisco website at www.cisco.com.
I need to set a static IP address on a PC.
The router, by default, assigns an IP address range of 192.168.1.100 to 192.168.1.149 using the DHCP server on the router. To set a static IP address, you can only use the ranges 192.168.1.2 to 192.168.
STEP 8 Click OK in the Internet Protocol (TCP/IP) Properties window, and click OK in the Local Area Connection Properties window.
STEP 9 Restart the computer if asked.
Windows XP
STEP 1 Click Start and Control Panel.
STEP 2 Click the Network and Internet Connections icon and then the Network Connections icon.
STEP 3 Right-click the Local Area Connection associated with your Ethernet adapter, and click Properties.
I want to test my Internet connection.
STEP 1 Check your TCP/IP settings.
Windows 2000
a. Click Start, Settings, and Control Panel. Double-click Network and Dial-Up Connections.
b. Right-click the Local Area Connection that is associated with the Ethernet adapter you are using, and click Properties.
c. In the "Components checked are used by this connection" box, select Internet Protocol (TCP/IP), and click Properties.
STEP 3 At the command prompt, type ping 192.168.1.1 and press Enter.
• If you get a reply, the computer is communicating with the router.
• If you do NOT get a reply, check the cable, and make sure Obtain an IP address automatically is selected in the TCP/IP settings for your Ethernet adapter.
STEP 4 At the command prompt, type ping followed by your Internet IP address and press Enter. You can find the Internet IP address in the configuration utility of the router.
STEP 5 Make sure the cable from your cable or DSL modem is connected to the router's Internet port. Verify that the Status page of the router's configuration utility shows a valid IP address from your ISP.
STEP 6 Turn off the computer, router, and cable/DSL modem. Wait 30 seconds, and then turn on the router, cable/DSL modem, and computer. Check System > Summary in the router's configuration utility to see if you get an IP address.
assigned a static IP address to any computer or network device on the network, you need to change its IP address accordingly to 192.168.2.Y (Y represents any number from 1 to 254). Note that each IP address must be unique within the network.
Your VPN may require UDP port 500 (IKE) packets, and UDP port 4500 when NAT traversal is in use, to be passed to the computer that is connecting to the IPSec server. Check the Cisco website at www.cisco.com for more information.
I need to set up a server behind my router.
STEP 4 Configure as many entries as you like.
STEP 5 When you have completed the configuration, click Save.
I need to set up online game hosting or use other Internet applications.
If you want to play online games or use Internet applications, most will work without any port forwarding or DMZ hosting. There may be cases when you want to host an online game or Internet application.
I can't get an Internet game, server, or application to work.
If you have difficulties getting any Internet game, server, or application to function properly, consider exposing one PC to the Internet by using DeMilitarized Zone (DMZ) hosting. This option is available when an application requires too many ports or when you are not sure which port services to use. A DMZ host receives every unsolicited inbound connection that is not forwarded elsewhere, so it must be patched and hardened as if it were directly on the Internet; forward the specific ports instead whenever the application documents them.
STEP 6 Click Save.
I am a PPPoE user and I need to remove the proxy settings or the dial-up pop-up window.
If you have proxy settings, you need to disable them on your computer. Because the router is the gateway for the Internet connection, the computer does not need any proxy settings to gain access. Follow these directions to verify that you do not have any proxy settings and that the browser you use is set to connect directly to the LAN.
STEP 4 In the Search Results, click the Download Software link for your router (usually the first link).
STEP 5 Click the Router Firmware Rescue Utility link.
STEP 6 Click the link for the latest release.
STEP 7 Click the Download Now button.
STEP 8 Continue through the screens to download the most recent firmware.
STEP 9 Extract the file setup.exe from the zip file, then run setup.exe to install the utility on your computer.
I can't access my email, web, or VPN, or I am getting corrupted data from the Internet.
You may need to adjust the Maximum Transmission Unit (MTU) setting. By default, the MTU is set to 1500. For most DSL users, it is strongly recommended to use MTU 1492. If you have difficulties, perform these steps:
STEP 1 To connect to the router, open your web browser and enter http://192.168.1.1 or the IP address of the router.
STEP 2 Enter the password, if asked (the default password is admin).
STEP 6 Enter the Start and End Ports of the forwarded range. Check with your Internet application provider for more information on which incoming port services are required by the Internet application.
STEP 7 Check the Enabled box for the entry.
STEP 8 When you have completed the configuration, click Save.
When I enter a URL or IP address, I get a time-out error or am prompted to retry.
• Check if other PCs work.
Frequently Asked Questions
STEP 3 Click Tools. Click Internet Options. Click the Security tab. Click the Default level button. Make sure the security level is Medium or lower. Then click the OK button.
I have a QuickVPN tunnel connected to my RVS4000 but I cannot see the computers in the remote network from Internet Explorer.
QuickVPN tunneling does not support NetBIOS broadcast.
What is Network Address Translation and what is it used for?
Network Address Translation (NAT) translates the multiple private IP addresses on the LAN to the one public address that is sent out to the Internet. This adds a level of security, since the address of a PC on the private LAN is never transmitted on the Internet and an unsolicited inbound connection has no translation entry to match. NAT is not a substitute for the firewall rules, however: every port forwarding or DMZ entry deliberately opens a path through it.
far as hosting games, the HL server does not need to be in the DMZ. Just forward port 27015 to the local IP address of the server computer.
How can I block corrupted FTP downloads?
If you experience corrupted files when you download a file with your FTP client, try using another FTP program.
The web page hangs, downloads are corrupt, or nothing but junk characters are displayed on the window.
using the configuration utility (see Administration > Firmware Upgrade, page 80). If the router's Internet connection is working well, a newer firmware version will not improve the quality or speed of the connection and may disrupt its stability. Firmware releases do carry security fixes, though, so check the release notes of each new version and apply any that address vulnerabilities even when the connection is working.
B Using Cisco QuickVPN for Windows 2000, XP, or Vista
Overview
This appendix explains how to install and use the Cisco QuickVPN software that can be downloaded from www.cisco.com. QuickVPN works with computers running Windows 2000, XP, Vista, or Windows 7. (Computers using other operating systems will have to use third-party VPN software.) For Windows Vista, QuickVPN Client version 1.2.5 or later is required. For Windows 7, version 1.4.0.5 or later is required.
Before You Begin
STEP 4 Click Add/Save.
STEP 5 Check the Active box for VPN Client No. 1.
STEP 6 Click Save.
Installing the Cisco QuickVPN Software
You can install the software by using one of the following methods:
• Installing from the CD-ROM, page 135
• Downloading and Installing from the Internet, page 137
Installing from the CD-ROM
STEP 1 Insert the RVS4000 CD-ROM into your CD-ROM drive. Go to the Start menu and then click Run. In the field provided, enter D:\VPN_Client.
STEP 3 Click Finished to complete the installation. Proceed to "Using the Cisco QuickVPN Software," on page 137.
Downloading and Installing from the Internet
STEP 1 Go to the firmware download link in Appendix G, "Where to Go From Here."
STEP 2 From the firmware download link, click Download Software.
STEP 3 Select Cisco Small Business Routers > RVS4000 from the menu.
STEP 4 Select QuickVPN Utility.
STEP 5 Save the zip file to your PC, and extract the .exe file.
STEP 6 Double-click the .
Using the Cisco QuickVPN Software
The QuickVPN Login window appears.
STEP 2 Enter the following information:
• Profile Name: Enter a name for your profile.
• User Name and Password: Enter the user name and password that were assigned to you.
• Server Address: Enter the IP address or domain name of the VPN router.
QuickVPN Status
To terminate the VPN tunnel, click Disconnect. To change your password, click Change Password. For information, click Help.
STEP 6 If you clicked Change Password and have permission to change your own password, you will see the Connect Virtual Private Connection window. Enter your password in the Old Password field. Enter your new password in the New Password field.
NOTE You can change your password only if you have been granted that privilege by your system administrator.
Distributing Certificates to QuickVPN Users
Follow this procedure to export a certificate from the RVS4000 for distribution to QuickVPN users, and to install the certificate on the QuickVPN users' PCs. The certificate is what lets the QuickVPN client check that the router it sends the user name and password to is the genuine one, so hand it to users over a channel you already trust, not over the untrusted link the VPN is meant to protect.
STEP 1 Generate the certificate as follows: a.
STEP 3 Each QuickVPN user must then install the certificate as follows:
a. Save the certificate into the directory where the QuickVPN Client is installed. For example: C:\Program Files\Cisco\QuickVPN Client\
b. Launch the QuickVPN Client and specify the User Name, Password, and Server Address (IP address or domain name).
c. Click Connect.
C Configuring IPSec with a Windows 2000 or XP Computer
This appendix explains how to configure IPSec on a computer that is running Windows 2000 or Windows XP. Refer to these topics:
• Introduction, page 142
• Environment, page 143
• How to Establish a Secure IPSec Tunnel, page 143
Introduction
This appendix explains how to establish a secure IPSec tunnel using pre-shared keys to join a private network inside the router and a Windows 2000 or XP computer.
Environment
The IP addresses and other specifics mentioned in this appendix are for illustration purposes only.
Windows 2000 or Windows XP: IP Address 140.111.1.2 (your ISP provides the IP address; this is only an example). Subnet Mask 255.255.255.0.
RVS4000: WAN IP Address 140.111.1.1 (your ISP provides the IP address; this is only an example). Subnet Mask 255.255.255.0. LAN IP Address 192.168.1.1. Subnet Mask 255.255.255.
How to Establish a Secure IPSec Tunnel
STEP 1 Create an IPSec policy.
a. Click Start, select Run, and type secpol.msc in the Open field. The Local Security Settings window appears.
b. Right-click IP Security Policies on Local Computer (Windows XP) or IP Security Policies on Local Machine (Windows 2000), and click Create IP Security Policy.
c.
Filter List 1: win -> router
a. In the new policy's properties window, verify that the Rules tab is selected. Uncheck the Use Add Wizard box, and click Add to create a new rule.
b. Make sure the IP Filter List tab is selected. Click Add.
c. The IP Filter List window appears. Enter an appropriate name, such as win->Router, for the filter list, and uncheck the Use Add Wizard box. Then click Add.
d. The Filters Properties window appears. Select the Addressing tab. In the Source address field, select My IP Address. In the Destination address field, select A specific IP Subnet, and enter the IP address 192.168.1.0 and subnet mask 255.255.255.0. (These are the router's default settings. If you have changed these settings, enter your new values.)
e.
Filter List 2: router -> win
g. The New Rule Properties window appears. Select the IP Filter List tab, and make sure that win->Router is highlighted. Then click Add.
h. The IP Filter List window appears. Enter an appropriate name, such as Router->win, for the filter list, and uncheck the Use Add Wizard box. Click Add.
i. The Filters Properties window appears. Select the Addressing tab. In the Source address field, select A specific IP Subnet, and enter the IP address 192.168.1.0 and subnet mask 255.255.255.0. (Enter your new values if you have changed the default settings.) In the Destination address field, select My IP Address.
j.
The New Rule Properties window appears with the IP Filter List tab selected. The window will contain listings for Router->win and win->Router.
l. Click OK (Windows XP) or Close (Windows 2000) in the IP Filter List window.
STEP 3 Configure individual tunnel rules.
Configuring IPSec with a Windows 2000 or XP Computer How to Establish a Secure IPSec Tunnel C Tunnel 1: win->Router a. On the IP Filter List tab, select filter list win->Router. IP Filter List Tab b. Click the Filter Action tab, and click the filter action Require Security radio button. Then, click Edit.
Configuring IPSec with a Windows 2000 or XP Computer How to Establish a Secure IPSec Tunnel C Filter Action Tab c. On the Security Methods tab, verify that the Negotiate security option is enabled, and uncheck the Accept unsecured communication, but always respond using IPSec box. Select Session key Perfect Forward Secrecy, and click OK.
Configuring IPSec with a Windows 2000 or XP Computer How to Establish a Secure IPSec Tunnel C Security Methods Tab d. Select the Authentication Methods tab, and click Edit.
Configuring IPSec with a Windows 2000 or XP Computer How to Establish a Secure IPSec Tunnel C Authentication Methods Tab e. Change the authentication method to Use this string to protect the key exchange (preshared key), and enter the preshared key string, such as XYZ12345. Click OK.
Configuring IPSec with a Windows 2000 or XP Computer How to Establish a Secure IPSec Tunnel f. C This new Preshared key will be displayed. Click the Apply button to continue, if it appears on your screen; otherwise, proceed to the next step. New Preshared Key g. Select the Tunnel Setting tab, and click The tunnel endpoint is specified by this IP Address radio button. Then, enter the router’s WAN IP Address.
Appendix C: Configuring IPSec with a Windows 2000 or XP Computer
How to Establish a Secure IPSec Tunnel

h. Select the Connection Type tab, and click All network connections. Then, click the OK or Close button to finish this rule.

Figure: Connection Type Tab

Tunnel 2: Router->win

i. In the new policy's Properties window, make sure that win -> Router is selected and uncheck the Use Add Wizard box. Then, click Add to create the second IP filter.

Figure: Properties Window

j. Go to the IP Filter List tab, and click the filter list Router->win.

Figure: IP Filter List Tab

k. Click the Filter Action tab, and select the filter action Require Security. Then, click Edit. Deselect the Accept unsecured communication, but always respond using IPSec box, so that the computer never accepts unsecured inbound traffic on this filter. Select Session key Perfect Forward Secrecy, and click OK.

Figure: Filter Action Tab

l. Click the Authentication Methods tab, and verify that the authentication method Kerberos is selected. Then, click Edit.

m. Change the authentication method to Use this string to protect the key exchange (preshared key), and enter the preshared key string. XYZ12345 is only a sample string; the key you use should be unique, long and randomly generated rather than easy to remember, and exactly the same string must be configured on the router, because the key exchange is only as strong as this key. Then click OK.

Figure: Preshared Key

n. The new preshared key is displayed.

Figure: New Preshared Key

o. Click the Tunnel Setting tab. Click the radio button The tunnel endpoint is specified by this IP Address, and enter the Windows 2000/XP computer's IP Address.

p. Click the Connection Type tab, and select All network connections. Then click OK or Close to finish.

Figure: Connection Type Tab

q. On the Rules tab, click the OK or Close button to return to the window showing the security policies.

Figure: Rules Tab

STEP 4 Assign the new IPSec policy. In the IP Security Policies on Local Machine window, right-click the policy named to_Router, and click Assign. A green arrow appears in the folder icon.
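The Windows-side policy that the steps above build by hand in the MMC snap-in can also be scripted, which makes it reproducible and lets you audit exactly what was written. The following is an added example and is not part of the Cisco guide; it uses the built-in netsh ipsec static context (present on Windows Server 2003 and later releases, not on Windows 2000) and is written for PowerShell. The addresses ($WinIp, $RouterWanIp), the 3DES/SHA1/DH group 2 proposals and the 192-bit key length are assumptions; substitute the values of your own environment and whatever you configured under IPSec Setup on the router. It also generates the preshared key from the system CSPRNG instead of choosing a memorable string, and prints it for entry on the RVS4000.

```powershell
# Added example (not from the Cisco guide): scripts the Windows-side IPsec policy
# that steps a-q of Appendix C build by hand, using the built-in "netsh ipsec static"
# context. Assumed values, replace with your own:
$WinIp         = '192.0.2.10'     # this computer's IP address (assumption)
$RouterWanIp   = '198.51.100.1'   # RVS4000 WAN address = tunnel endpoint (assumption)
$RouterLanNet  = '192.168.1.0'    # RVS4000 LAN, as in the guide's Local Group Setup
$RouterLanMask = '255.255.255.0'

# 1. Generate the preshared key from the system CSPRNG instead of choosing a
#    memorable string such as XYZ12345: 24 random bytes = 192 bits, rendered as
#    48 hex characters so it pastes cleanly into the router's text field.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$Psk   = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

# 2. The policy "to_Router". The main-mode proposal 3DES/SHA1/DH group 2 is an
#    assumption; it must match what you configure under IPSec Setup on the router.
netsh ipsec static add policy name="to_Router" description="IPsec tunnel to RVS4000" `
    activatedefaultrule=no mmsecmethods="3DES-SHA1-2"

# 3. Filter action "Require Security": negotiate IPsec and never fall back to
#    cleartext. inpass=no is the "Accept unsecured communication, but always
#    respond using IPSec" box left clear, soft=no is "Allow unsecured communication
#    with non IPSec-aware computer" left clear, qmpfs=yes is Session key PFS (step k).
netsh ipsec static add filteraction name="Require Security" action=negotiate `
    inpass=no soft=no qmpfs=yes qmsecmethods="ESP[3DES,SHA1]"

# 4. Tunnel 1, win->Router: this host to the router's LAN, endpoint = router WAN IP.
#    Tunnel-mode filters describe one direction each, so they are created unmirrored.
netsh ipsec static add filterlist name="win->Router"
netsh ipsec static add filter filterlist="win->Router" srcaddr=$WinIp srcmask=255.255.255.255 `
    dstaddr=$RouterLanNet dstmask=$RouterLanMask protocol=ANY mirrored=no
netsh ipsec static add rule name="win->Router" policy="to_Router" filterlist="win->Router" `
    filteraction="Require Security" tunnel=$RouterWanIp conntype=all psk="$Psk"

# 5. Tunnel 2, Router->win: the reverse direction, endpoint = this computer (step o).
netsh ipsec static add filterlist name="Router->win"
netsh ipsec static add filter filterlist="Router->win" srcaddr=$RouterLanNet srcmask=$RouterLanMask `
    dstaddr=$WinIp dstmask=255.255.255.255 protocol=ANY mirrored=no
netsh ipsec static add rule name="Router->win" policy="to_Router" filterlist="Router->win" `
    filteraction="Require Security" tunnel=$WinIp conntype=all psk="$Psk"

# 6. Assign the policy (STEP 4 of the guide: the green arrow on the folder icon).
netsh ipsec static set policy name="to_Router" assign=yes

# Review what was written, then enter the same key on the RVS4000 (VPN > IPSec VPN).
netsh ipsec static show policy name="to_Router"
Write-Host "Preshared key for the RVS4000: $Psk"
```

Run it from an administrator session. The preshared key is written to the local IPsec policy store, where any local administrator can read it back, so treat the generated string like a password: enter it on the router once and do not leave it in scripts or shell history.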
STEP 5 Create a tunnel through the configuration utility.

a. Open your web browser, and enter 192.168.1.1 in the Address field. Press Enter.

b. When the User name and Password fields appear, enter the default user name and password, admin. Press Enter. If you have not yet replaced the default password, do so before putting the router into service; a router that terminates VPN tunnels should not be reachable with admin/admin.

c. Click VPN > IPSec VPN.

Figure: VPN > IPSec VPN

d. Select the tunnel you wish to create in the Select Tunnel Entry drop-down box. Then click Enable. Enter the name of the tunnel in the Tunnel Name field. This name only helps you identify multiple tunnels and does not have to match the name used at the other end of the tunnel.

e. Enter the IP Address and Subnet Mask of the local VPN router in the Local Group Setup fields. To allow access to the entire IP subnet, enter 0 for the last octet of the IP Address (for example, 192.168.1.0).

f. Enter the IP Address and Subnet Mask of the VPN device at the other end of the tunnel (the remote VPN router or device with which you wish to communicate) in the Remote Group Setup fields.

g.
Appendix D: Gateway-to-Gateway VPN Tunnel

Overview

This appendix explains, by example, how to configure an IPSec VPN tunnel between two VPN routers (an RVS4000 and an RV082). A computer behind each router is used to test that the tunnel passes traffic.

Configuration when the Remote Gateway Uses a Static IP Address

This example assumes the Remote Gateway is using a static IP address. If the Remote Gateway uses a dynamic IP address, refer to "Configuration when the Remote Gateway Uses a Dynamic IP Address," on page 172.

Figure: Gateway-to-Gateway IPSec VPN Tunnel - Remote Gateway Using Static IP

NOTE Each computer must have a network adapter installed.

For the Local Security Group Type, select Subnet. Enter the RVS4000's local network settings in the IP Address and Subnet Mask fields.

Figure: RVS4000 IPSec VPN Settings

g. For the Remote Security Gateway Type, select IP address. Enter the RV082's WAN IP address in the IP Address field.

h. For the Remote Security Group Type, select Subnet.

Figure: RVS4000 IPSec Setup Settings

k. If you need more detailed settings, click Advanced Settings. Otherwise, click Save and proceed to the next step to configure the RV082.

STEP 2 Configuration of the RV082. Follow similar instructions for the RV082.

a. Launch the web browser for a networked computer, designated PC 2.

b. Access the configuration utility of the RV082. (Refer to the RV082 documentation for details.)

c.

Figure: RV082 VPN Settings

h. For the Remote Security Gateway Type, select IP address. Enter the RVS4000's WAN IP address in the IP Address field.

i. For the Remote Security Group Type, select Subnet. Enter the RVS4000's local network settings in the IP Address and Subnet Mask fields.

j. In the IPSec Setup section, select the appropriate encryption, authentication, and other key management settings. These values, and the preshared key, must be identical on the RV082 and the RVS4000 or the tunnel will not negotiate; where both routers offer the choice, prefer SHA1 over MD5 for authentication.

Figure: RV082 IPSec Setup Settings

l. If you need more detailed settings, click Advanced Settings. Otherwise, click Save.

STEP 3 Configuration of PC 1 and PC 2. Verify that PC 1 and PC 2 can ping each other (refer to Windows Help for more information). If the computers can ping each other, the VPN tunnel is configured correctly: the routers' private LAN addresses are not routable across the Internet, so a reply can only have come back through the tunnel. If the ping fails, first confirm that the local and remote group subnets, the IPSec Setup values and the preshared key match on both routers, and that a personal firewall on either computer is not blocking ICMP.
Configuration when the Remote Gateway Uses a Dynamic IP Address

This example assumes the Remote Gateway is using a dynamic IP address. If the Remote Gateway uses a static IP address, refer to "Configuration when the Remote Gateway Uses a Static IP Address," on page 167.

Figure: Gateway-to-Gateway IPSec VPN Tunnel - Remote Gateway Using Dynamic IP

NOTE Each computer must have a network adapter installed.

For the Local Security Group Type, select Subnet. Enter the RVS4000's local network settings in the IP Address and Subnet Mask fields.

Figure: RVS4000 IPSec VPN Settings

g. For the Remote Security Gateway Type, select IP by DNS Resolved. Enter the RV082's domain name in the field provided. The name must resolve to the RV082's current WAN address, which in practice means the RV082 keeps it registered with a dynamic DNS service; a stale record is the usual reason a tunnel of this type stops coming up.

h. For the Remote Security Group Type, select Subnet.

Figure: RVS4000 IPSec Setup Settings

k. If you need more detailed settings, click Advanced Settings. Otherwise, click Save and proceed to the next step, "Configuration of the RV082."

STEP 2 Configuration of the RV082. Follow similar instructions for the RV082.

a. Launch the web browser for a networked computer, designated PC 2.

b. Access the configuration utility of the RV082. (Refer to the RV082 documentation for details.)

Figure: RV082 VPN Settings

h. For the Remote Security Gateway Type, select IP address. Enter the RVS4000's WAN IP address in the IP Address field.

i. For the Remote Security Group Type, select Subnet. Enter the RVS4000's local network settings in the IP Address and Subnet Mask fields.

j. In the IPSec Setup section, select the appropriate encryption, authentication, and other key management settings.

Figure: RV082 IPSec Setup Settings

l. If you need more detailed settings, click Advanced Settings. Otherwise, click Save.

STEP 3 Configuration of PC 1 and PC 2. Verify that PC 1 and PC 2 can ping each other (refer to Windows Help for more information). If the computers can ping each other, the VPN tunnel is configured correctly.
Configuration When Both Gateways Use Dynamic IP Addresses

This example assumes both Gateways are using dynamic IP addresses. If only the Remote Gateway uses a dynamic IP address, refer to "Configuration when the Remote Gateway Uses a Dynamic IP Address," on page 172.

Figure: Gateway-to-Gateway IPSec VPN Tunnel - Both Gateways Using Dynamic IP

NOTE Each computer must have a network adapter installed.

For the Local Security Group Type, select Subnet. Enter the RVS4000's local network settings in the IP Address and Subnet Mask fields.

Figure: RVS4000 IPSec VPN Settings

g. For the Remote Security Gateway Type, select IP by DNS Resolved. Enter the RV082's domain name in the field provided.

h. For the Remote Security Group Type, select Subnet. Enter the RV082's local network settings in the IP Address and Subnet Mask fields.

Figure: RVS4000 IPSec Setup Settings

k. If you need more detailed settings, click Advanced Settings. Otherwise, click Save and proceed to the next step, "Configuration of the RV082."

STEP 2 Configuration of the RV082. Follow similar instructions for the RV082.

a. Launch the web browser for a networked computer, designated PC 2.

b. Access the configuration utility of the RV082. (Refer to the RV082 documentation for details.)

c.

Figure: RV082 VPN Settings

h. For the Remote Security Gateway Type, select IP by DNS Resolved. Enter the RVS4000's domain name in the field provided. Because each router now locates its peer by name, both names must be kept current by a dynamic DNS service; the peer is still authenticated by the IPSec key exchange, so a wrong or spoofed DNS answer causes the tunnel to fail rather than connect to the wrong gateway.

i. For the Remote Security Group Type, select Subnet. Enter the RVS4000's local network settings in the IP Address and Subnet Mask fields.

j. In the IPSec Setup section, select the appropriate encryption, authentication, and other key management settings.

Figure: RV082 IPSec Setup Settings

l. If you need more detailed settings, click Advanced Settings. Otherwise, click Save.

STEP 3 Configuration of PC 1 and PC 2. Verify that PC 1 and PC 2 can ping each other (refer to Windows Help for more information). If the computers can ping each other, the VPN tunnel is configured correctly.
Appendix E: Cisco ProtectLink Web Service

Overview

The optional Cisco ProtectLink Web service provides security for your network. It filters website addresses (URLs) by category and blocks potentially malicious websites. ProtectLink is available for online purchase through online resellers such as CDW.com and PCConnection.com.

How to Purchase, Register, or Activate the Service

Figure: Login Window

You can purchase, register, or activate the service using the ProtectLink window. Click the ProtectLink menu to display the ProtectLink window. This window appears if ProtectLink has not yet been activated.

NOTE If the ProtectLink menu is not displayed, upgrade the router's firmware.

Figure: ProtectLink (Inactive)

Follow the instructions for the appropriate option:
• Learn more about and request a free trial of Cisco ProtectLink.
• Register ProtectLink services and obtain an Activation Code (AC).
• Use the Activation Code (AC) to activate ProtectLink.

I want to learn more about Cisco ProtectLink Web. To learn more about this service, click this link.

After you activate ProtectLink, this window appears when you click ProtectLink > ProtectLink Purchase from the menu.

Figure: ProtectLink (Active)

How to Use the Service

Configure the service to protect your network.

NOTE You need to purchase a ProtectLink Web license to use Web Protection. If you do not have a license, you will be prompted to purchase a license when you click ProtectLink > Web Protection.

Figure: ProtectLink > Web Protection

Web Protection
Enable URL Filtering: To filter website addresses (URLs), select this option.
Enable Web Reputation: To block potentially malicious websites, select this option.

URL Filtering
Reset Counter: The router counts the number of attempted visits to a restricted URL. To reset the counter to zero, click Reset Counter.
For each URL category, select the appropriate Filtering option.

Approved URLs
You can designate up to 20 trusted URLs that will always be accessible. Because an approved URL is always accessible, it is exempt from the category filtering and reputation blocking above; keep the list to sites you control or trust, and review it whenever you change the filtering settings.
Enable Approved URL list: To set up a list of always accessible URLs, select this option.
URL(s) to approve: Enter the trusted URL(s). Separate multiple URLs with semicolons (";").
Add: To add the URLs, click Add.
Approved URLs list: The trusted URLs are displayed. To delete a URL, click its trash can icon.

ProtectLink > License

The license for the Cisco ProtectLink Web service is valid for one year from the time the activation code is generated. On the License window, license information is displayed. Use this window to renew your license, add seats, or view license information online.

Figure: ProtectLink > License

License
Update Information: To refresh the license information displayed on-screen, click Update Information.
Appendix F: Specifications

This appendix describes the specifications of the Cisco RVS4000 4-Port Gigabit Security Router with VPN.

Specifications
Model: RVS4000
Standards: IEEE802.3, 802.3u, 802.

Management
SNMP Version: SNMP version 1, 2c (community-string access only, sent in cleartext with no per-user authentication; limit SNMP to a management network)
Event Logging: Local, Syslog, Email Alerts
Firmware Upgrade: Firmware available through web browser
Diagnostics: Flash, RAM

Security Features
Access Control: Access Control List (ACL) capability: MAC-based, IP-based
Firewall: SPI stateful packet inspection firewall
Content Filtering: Static URL blocking or keyword blocking (included), dynamic filtering through Cisco ProtectLink Web Security Service (optional)
IPS (Intrusion Prevention

Network
DHCP: DHCP Server, DHCP Client, DHCP Relay Agent
DNS: DNS Relay, Dynamic DNS (DynDNS, TZO)
NAT: PAT, NAPT
DMZ: Software configurable on any LAN port
IPv6: Dual Stack IPv4 and IPv6, 6to4, Stateless Address Auto-configuration, DHCPv6, ICMPv6
Static DHCP: DHCP Server supports static IP address based on MAC address
VPN: 5 QuickVPN Tunnels for remote client access; 5 IPSec Gateway-to-Gateway Tunnels for branch office connectivity; 3DES Encryption; MD5/SHA1 Authentication; IPSec

Port Mirroring: One of the five WAN/LAN ports can be mirrored to a selected LAN port
RSTP: Supports Rapid Spanning Tree Protocol for loop detection and faster reconfiguration

Environmental
Dimensions: 6.69 in. x 1.61 in. x 6.69 in. W x H x D (170 mm x 41 mm x 170 mm)
Unit Weight: 0.84 lb (0.38 kg)
Power: 12V 1A
Certification: FCC Class B, CE, ICES-003
Operating Temp.: 32 to 104ºF (0 to 40ºC)
Storage Temp.
Appendix G: Where to Go From Here

Cisco provides a wide range of resources to help you and your customer obtain the full benefits of the Cisco RVS4000 4-Port Gigabit Security Router with VPN.

Product Resources

Support
Cisco Small Business Support Community: www.cisco.com/go/smallbizsupport
Online Technical Support and Documentation: www.cisco.com/smallbizhelp
Phone Support Contacts: www.cisco.com/go/sbsc
Cisco Small Business Firmware Downloads: www.cisco.

Related Documentation
For hardware setup for the Cisco RVS4000 router, see the Cisco Small Business Model RVS4000 4-Port Gigabit Security Router with VPN Quick Start Guide.
For compliance and safety information, see the Regulatory Compliance and Safety Information for the Cisco Wired and Wireless Routers and Access Point Devices (EMC Class B Devices).