
Cisco RV320/RV325 Administration Guide, Chapter 11: SSL VPN

Advanced Setting

Advanced SSL VPN settings limit the range of IP addresses that can access services, change the service port, or modify the banners.

To modify the advanced settings, enter the following parameters:

Client Address Range Starts—Starting IP address of the allowed range.

Client Address Range Ends—Ending IP address of the allowed range.

Service Port—Port number for SSL VPN.

Business Name—String that is displayed as a banner for the business name.

Resource Name—String that is displayed as a banner for the resource name.
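The following is an added example, not part of the guide or of Cisco's own software: a small pre-change check for the Client Address Range and Service Port fields above. It assumes a constructed LAN DHCP pool and a constructed set of ports already claimed by other router rules, so that a range handed to VPN clients does not collide with addresses the LAN DHCP server hands out and the service port does not collide with another rule.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample values for this example (not from any real deployment):
# the LAN DHCP pool and the ports already claimed by other rules on the router.
SAMPLE_DHCP_POOLS = ["192.168.1.100-192.168.1.149"]
SAMPLE_PORTS_IN_USE = {80, 8080}


def parse_range(text: str):
    """Parse 'a.b.c.d-a.b.c.e' into a (start, end) pair of ip_address objects."""
    start_s, end_s = text.split("-", 1)
    return ipaddress.ip_address(start_s.strip()), ipaddress.ip_address(end_s.strip())


def validate_ssl_vpn_advanced(range_start: str, range_end: str, service_port: int,
                              dhcp_pools: Iterable[str] = SAMPLE_DHCP_POOLS,
                              ports_in_use: Iterable[int] = SAMPLE_PORTS_IN_USE) -> List[str]:
    """Return a list of findings; an empty list means the settings are consistent.

    range_start / range_end are the Client Address Range Starts / Ends fields and
    service_port is the Service Port field from the Advanced Setting page.
    """
    findings: List[str] = []

    # Client address range: both ends must parse, share an IP version and be ordered.
    try:
        start = ipaddress.ip_address(range_start)
        end = ipaddress.ip_address(range_end)
    except ValueError as exc:
        return [f"client address range: {exc}"]
    if start.version != end.version:
        return ["client address range: start and end use different IP versions"]
    if int(end) < int(start):
        findings.append("client address range: end address is lower than start address")
    else:
        # Addresses given to VPN clients must not also be handed out by LAN DHCP.
        for pool in dhcp_pools:
            p_start, p_end = parse_range(pool)
            if (p_start.version == start.version
                    and int(start) <= int(p_end) and int(p_start) <= int(end)):
                findings.append(f"client address range overlaps LAN DHCP pool {pool}")

    # Service port: must be a valid TCP port and not already claimed by another rule.
    if not 1 <= service_port <= 65535:
        findings.append(f"service port {service_port} is outside 1-65535")
    elif service_port in set(ports_in_use):
        findings.append(f"service port {service_port} is already used by another rule")
    return findings


def client_range_size(range_start: str, range_end: str) -> int:
    """Number of addresses in the client range (one address per connected client)."""
    start = ipaddress.ip_address(range_start)
    end = ipaddress.ip_address(range_end)
    return max(0, int(end) - int(start) + 1)
```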

Summary of Contents for Small Business RV320

Page 1: ...Cisco RV320 RV325 Gigabit Dual WAN VPN Router ADMINISTRATION GUIDE ...

Page 2: ...78 20928 01 ...

Page 3: ...tatus 14 SSL VPN Status 15 Log Setting Status 15 Chapter 3 Setup 17 Setup Network 17 IP Mode 17 WAN1 or WAN2 Port Settings 18 USB1 or USB2 Port Settings 28 3G 4G Connection 28 Setting Failover and Recovery 29 DMZ Enable 31 Password 31 Time 33 DMZ Host 34 Port Forwarding 34 Port Address Translation 37 Adding or Editing a Service Name 38 Setting Up One to One NAT 38 MAC Address Cloning 39 Assigning ...

Page 4: ... 49 IP and MAC Binding 49 DNS Local Database 51 Router Advertisement IPv6 52 Chapter 5 System Management 55 Dual WAN Connections 55 Bandwidth Management 57 SNMP 59 Configuring SNMP 59 Discovery Bonjour 61 LLDP Properties 62 Using Diagnostics 62 Factory Default 63 Firmware Upgrade 63 Language Selection or Language Setup 64 Restart 65 Backup and Restore 65 Chapter 6 Port Management 69 Configuring th...

Page 5: ... Summary 81 Gateway to Gateway 83 Add a New Tunnel 83 Local Group Setup 84 Advanced Settings for IKE with Preshared Key and IKE with Certificate 89 Client to Gateway 91 Advanced Settings for IKE with Preshared Key and IKE with Certificate 98 VPN Passthrough 100 PPTP Server 100 Chapter 9 Certificate Management 101 My Certificate 101 Trusted SSL Certificate 103 Trusted IPsec Certificate 103 Certific...

Page 6: ...ide 6 Contents Chapter 10 Log 107 System Log 107 System Statistics 110 Processes 110 Chapter 11 SSL VPN 111 Status 112 Group Management 112 Resource Management 115 Advanced Setting 116 Chapter 12 Wizard 117 Chapter 13 User Management 119 ...

Page 7: ...lt IP address of the device 192 168 1 1 The browser might issue a warning that the web site is untrusted Continue to the web site STEP 4 When the login page appears enter the default user name cisco and the default password cisco lowercase STEP 5 Click Login The System Summary page appears Check the Port Activity to see if a WAN connection is enabled If not continue to the next step STEP 6 To use ...

Page 8: ...nd let it sit idle for about 2 minutes Then power on the device You should now receive a WAN IP address If you have a DSL modem ask your ISP to put the DSL modem into bridge mode Features of the User Interface The user interface is designed to make it easy for you to set up and manage your device Navigation The major modules of the web interface are represented by buttons in the left navigation pa...

Page 9: ...tting Started Features of the User Interface Cisco RV320 RV325 Administration Guide 9 1 Logout To exit the web interface click Logout near the top right corner of the web interface The Login page appears ...

Page 10: ...Getting Started Features of the User Interface 10 Cisco RV320 RV325 Administration Guide 1 ...

Page 11: ...the device LAN IPv6 Prefix IPv6 management IP address and prefix Working Mode Controls the behavior of the device in relation to the WAN connection Gateway Mode is selected when the device is hosting an Internet WAN connection Router Mode is selected when the device is on a network that does not have a WAN connection or another device is used to establish the WAN connection To change this paramete...

Page 12: ...detailed information about current link activity click the Status entry for the port Port Information detail The Port Information window displays detailed information about the interface and the current activity on the port Type Type of port 10BASE T or 100BASE TX or 1000BASE T Interface Type of interface LAN DMZ or WAN Link Status Status of the link Up or Down Port Activity Current activity on th...

Page 13: ...le when Dual Stack IP is enabled on the Setup Network page WAN Information The following WAN information is provided IP Address Public IP address for this interface Default Gateway Default gateway for this interface DNS IP address of the DNS server for this interface Dynamic DNS DDNS settings for this port Disabled or Enabled Release and Renew These buttons appear if the port is set to obtain an I...

Page 14: ...ck WAN Request Makes it difficult for outside users to work their way into your network by hiding the network ports from Internet devices and preventing the network from being pinged or detected by other Internet users The status is On green or Off red Block WAN Request Remote Management Indicates that a remote connection for the purpose of managing the device is allowed or denied On green indicat...

Page 15: ...to encapsulate PPP packets PPTP Tunnel s Available PPTP tunnels available SSL VPN Status An SSL VPN can connect from locations where IPsec otherwise conflicts with Network Address Translation NAT and the firewall rules SSL VPN Tunnel s Used SSL VPN tunnels in use SSL VPN Tunnel s Available SSL VPN tunnels remaining for use Log Setting Status This section displays the status of the logs Syslog Serv...

Page 16: ...System Summary Log Setting Status 16 Cisco RV320 RV325 Administration Guide 2 ...

Page 17: ...re provided but they can be changed as needed Host Name Keep the default setting or enter a hostname specified by your ISP Domain Name Keep the default setting or enter a domain name specified by your ISP IP Mode Choose the type of addressing to use on the networks IPv4 Only Only IPv4 addressing Dual Stack IP IPv4 and IPv6 addressing After saving the parameters you can configure both IPv4 and IPv6...

Page 18: ...evice IP Address and Subnet Mask STEP 4 Click Save to save your changes or click Cancel to undo them To edit a subnetwork select the IPv4 subnetwork to be modified and click Edit The DHCP Setup section describes the process for modifying the subnetwork parameters Editing the IPv6 Address Prefix If you enabled Dual Stack IP for the IP Mode you can configure the IPv6 prefix To configure the IPv6 pre...

Page 19: ... To configure the IPv6 parameters check Enable The DHCPv6 client process and requests for prefix delegation through the selected interface are enabled Use this option when your ISP is capable of sending LAN prefixes by using DHCPv6 If your ISP does not support this option manually configure a LAN prefix NOTE When DHCP PD is enabled manual LAN IPv6 addressing is disabled When DHCP PD is disabled ma...

Page 20: ... the MTU size The size in bytes of the largest protocol data unit that the layer can pass To configure the IPv6 parameters LAN IPv6 Address Global IPv6 prefix that was assigned by your ISP for your LAN devices if applicable Check with your ISP for more information Prefix Length IPv6 prefix length The IPv6 network subnet is identified by the initial bits of the address called the prefix All hosts i...

Page 21: ... The default maximum idle time is 5 minutes Keep Alive Ensures that your router is always connected to the Internet When this feature is selected the router keeps the connection alive by sending out a few data packets periodically This option keeps your connection active indefinitely even when the link sits idle for an extended period of time If you enable this feature also enter the Redial Period...

Page 22: ...osts in the network have the identical initial bits for their IPv6 address Enter the number of common initial bits in the network addresses The default prefix length is 64 LAN Prefix Assignment Without any action Does not provide Stateless or Stateful IPv6 address for LAN side PCs Configure to RA automatically Provides Stateless IPv6 address for LAN side PCs Configure to DHCPv6 automatically Provi...

Page 23: ... MTU Maximum transmission unit MTU size Select Auto to set the size automatically Otherwise to set the MTU size manually select Manual and enter the MTU size The size in bytes of the largest protocol data unit that the layer can pass Transparent Bridge IPv4 Choose this option if you are using this router to connect two network segments Only one WAN interface can be set as transparent bridge Specif...

Page 24: ...t that the layer can pass To configure the IPv6 parameters LAN IPv6 Address Global IPv6 prefix that was assigned by your ISP for your LAN devices if applicable Check with your ISP for more information Prefix Length IPv6 prefix length The IPv6 network subnet is identified by the initial bits of the address called the prefix All hosts in the network have the identical initial bits for their IPv6 add...

Page 25: ...ress Global IPv6 prefix that was assigned by your ISP for your LAN devices if applicable Check with your ISP for more information Prefix Length IPv6 prefix length The IPv6 network subnet is identified by the initial bits of the address called the prefix All hosts in the network have the identical initial bits for their IPv6 address Enter the number of common initial bits in the network addresses T...

Page 26: ...r a second DNS server The first available DNS server is used LAN IPv6 Address Global IPv6 prefix that was assigned by your ISP for your LAN devices if applicable Check with your ISP for more information Prefix Length IPv6 prefix length The IPv6 network subnet is identified by the initial bits of the address called the prefix All hosts in the network have the identical initial bits for their IPv6 a...

Page 27: ...s Optionally you can enter a second DNS server The first available DNS server is used LAN IPv6 Address Global IPv6 prefix that was assigned by your ISP for your LAN devices if applicable Check with your ISP for more information Prefix Length IPv6 prefix length The IPv6 network subnetwork is identified by the initial bits of the address called the prefix All hosts in the network have the identical ...

Page 28: ...ame Internet network that the mobile device is connecting to Enter the access point name provided by your mobile network service provider If you do not know the name of the access point contact your service provider Dial Number Number provided by your mobile network service provider for the Internet connection Username and Password User name and password provided by your mobile network service pro...

Page 29: ...ver Hot Standby A lost Ethernet WAN port connection redirects the WAN traffic over the 3G 4G USB link The USB dongle is powered on while on standby 3G 4G Failover Cold Standby A lost Ethernet WAN port connection redirects the WAN traffic over the 3G 4G USB link The USB dongle is powered off while on standby Primary Mode The 3G 4G link is used as the primary WAN connection Signal Quality Indicates ...

Page 30: ...ection since the counters were reset STEP 5 Set the Diagnostic behaviors Restart count Check and enter the day of the month to enable the counters to be reset on that day If the value is greater than the number of days in the month for example a value of 31 in a 30 day month the counters are restarted on the last day of the month Self test daily Check and enter the time of day 24 hour clock to tes...

Page 31: ...ose Setup Network and check Enable DMZ A message appears STEP 2 Click Yes to accept the change STEP 3 Select the DMZ interface in the DMZ Settings table and click Edit The Edit DMZ Connection window appears STEP 4 Select Subnet to identify a subnetwork for DMZ services and enter the DMZ IP Address and Subnet Mask Or select Range to reserve a group of IP addresses on the same subnetwork for DMZ ser...

Page 32: ...ank STEP 3 In the Old Password field enter the current password This is required if you are changing the username but keeping the current password NOTE If you are changing the username but keeping the current password leave New Password and Confirm New Password blank STEP 4 In the New Password field enter the new password for the device Use a combination of alphanumeric characters and symbols The ...

Page 33: ... Network Time Protocol NTP server to synchronize the date and time The router then gets its date and time information from the NTP server Minimum number of character classes Enter the number of classes that the password must include By default the password must contain characters from at least three of these classes Uppercase letters Lowercase letters Numbers Special characters available on a stan...

Page 34: ...ress and click Save Port Forwarding Port forwarding allows public access to services on network devices on the LAN by opening a specific port or port range for a service such as FTP Port triggering opens a port range for services such as Internet gaming that use alternate ports to communicate between the server and the LAN host Configuring Port Forwarding When users make requests for services on y...

Page 35: ...x to enable the service Uncheck the box to disable the service STEP 3 Click Save Adding or Editing a Service Name To add or edit an entry on the Service list STEP 1 Click Service Management If the web browser displays a warning about the pop up window allow the blocked content STEP 2 To add a service click Add in the Service Management table To edit a service select the row and click Edit The fiel...

Page 36: ... or edit an application name to the table STEP 1 Click Setup Forwarding STEP 2 To add an application name click Add in the Port Range Forwarding table To edit an application name select the row and click Edit The fields are open for modification If the web browser displays a warning about the pop up window allow the blocked content STEP 3 Configure the following Application Name Name of the applic...

Page 37: ...er computer logs on the Internet this device assigns it the same public IP address but a different port number Although both computers are sharing the same public IP address this device knows which computer to send its packets because the device uses the port numbers to assign the packets the unique internal IP address of the computers To add or edit PAT STEP 1 To add a service click Add in the Po...

Page 38: ...l Refer to the documentation for the service that you are hosting External Port External port number Internal Port Internal port number STEP 4 Click Save Setting Up One to One NAT One to one NAT creates a relationship that maps a valid WAN IP address to LAN IP addresses that are hidden from the WAN Internet by NAT This protects the LAN devices from discovery and attack For best results reserve IP ...

Page 39: ...y and click Edit The information appears in the text fields Make the changes and click Save MAC Address Cloning Some ISPs require that you register a MAC address the unique 12 digit identification code assigned to every network device If you previously registered a different MAC address for the device with your ISP you can select this feature to clone that address to your device Otherwise you must...

Page 40: ...nterface and click Edit To edit the DDNS service STEP 1 From the DDNS Service list choose a service STEP 2 Enter the information for your account Username Username for the DDNS account If you have not registered a hostname click Register to go to the DynDNS com web site where you can sign up for free Dynamic DNS service Password Password for your DDNS account Host Name Hostname that you registered...

Page 41: ...this mode if this device is hosting the network connection to the Internet This is the default setting Router Choose this mode if the device is on a network with other routers and another device is the network gateway to the Internet or this network is not connected to the Internet In Router mode Internet connectivity is available to the network devices only if you have another router that functio...

Page 42: ...up Network page To enable RIPng check the RIPng box Configuring Static Routing Static routing can be configured for IPv4 or IPv6 These are routes that do not age out of the routing table You can enter up to 30 routes To configure a static route click Add or select an entry and click Edit Destination IP Subnetwork address of the remote LAN segment For a Class C IP domain the network address is the ...

Page 43: ...rovider assigned domain name TTL Time to Live Time interval for DNS inquiries second 0 65535 A long interval affects refresh time A shorter interval increase the system load but the accuracy of the Inbound Load Balance is better You can adjust this parameter for the best performance for your network Admin Administrator E mail address STEP 3 Enter the DNS Server parameters Name Server DNS server th...

Page 44: ...d at http www openspf org Tools wizard mydomain x 35 y 6 STEP 7 Enter the Mail Server parameters Host Name Name without the domain name of mail host Weight Order of the mail hosts The lower number has the highest priority Mail Server Name of the server that is saved in the A Record or the name of an external mail server STEP 8 Click Save USB Device Update USB device firmware can be updated by usin...

Page 45: ... appropriate for the client and sends configuration information appropriate for that client The DHCP server and DHCP client must be connected to the same network link In larger networks each network link contains one or more DHCP relay agents These DHCP relay agents receive messages from DHCP clients and forward them to DHCP servers DHCP servers send responses back to the relay agent and the relay...

Page 46: ...iginated DHCP packets to a DHCP server The DHCP server can use this information to implement IP addressing or other parameter assignment policies To set up DHCP IPv4 click the IPv4 tab To set up DHCP IPv6 click the IPv6 tab Configuring DHCP for IPv4 To configure DHCP for IPv4 STEP 1 Choose VLAN or Option 82 STEP 2 If you choose Option 82 add circuit IDs by using DHCP Option 82 Those circuit IDs ar...

Page 47: ...service type where the DNS server IP address is acquired Static DNS 1 and Static DNS 2 Static IP address of a DNS Server Optionally if you enter a second DNS server the device uses the first DNS server to respond to a request WINS Optional IP address of a Windows Internet Naming Service WINS server that resolves NetBIOS names to IP addresses If you do not know the IP address of the WINS server use...

Page 48: ...0 0 to use a dynamically assigned DNS server STEP 4 Enter the IPv6 address pool Start Address Beginning address of the IPv6 address pool End Address Ending address of the IPv6 address pool Prefix Length Length of the IPv6 IP address prefix Viewing the DHCP Status DHCP Status displays the status of the DHCP server and its clients The IPv6 tab is available only if you enabled Dual Stack IP on the Se...

Page 49: ...sing or other parameter assignment policies The DHCP Option 82 Configurable Circuit ID enhances validation security by allowing you to determine what information is provided in the Option 82 Circuit ID description To add a Circuit ID click Add A new row is added to the table and the circuit IDs are listed in the Circuit ID drop down menu in the DHCP Setup window To edit a Circuit ID select the row...

Page 50: ...d devices Bind IP Addresses Manually To add a new binding to the list click Add and enter the following information Static IP Address Static IP address You can enter 0 0 0 0 if you want the router to assign a static IP address to this device MAC Address MAC address of the device Enter the address without punctuation Name Descriptive name for the device Enable Check this box to bind the static IP a...

Page 51: ...rk Uncheck the box to allow access by any device that is configured with an IP address in the correct range DNS Local Database Domain Name Service DNS matches a domain name to its routable IP address You can set up a DNS Local Database that enables the device to act as a local DNS server for commonly used domain names Using a local database might be faster than using an external DNS server If a re...

Page 52: ... IPv6 The RADVD Router Advertisement Daemon is used for IPv6 auto configuration and routing When enabled messages are sent by the router periodically and in response to solicitations A host uses the information to learn the prefixes and parameters for the local network Disabling this feature effectively disables auto configuration requiring manual configuration of the IPv6 address subnet prefix an...

Page 53: ...n appropriate router If two routers are reachable the one with the higher preference is chosen These values are ignored by hosts that do not implement router preference The default setting is High MTU Size of the largest packet that can be sent over the network The MTU Maximum Transmission Unit is used in Router Advertisement messages to ensure that all nodes on the network use the same MTU value ...

Page 54: ...DHCP Router Advertisement IPv6 54 Cisco RV320 RV325 Administration Guide 4 ...

Page 55: ... from the drop down menu Load Balance Use both WAN connections simultaneously to increase the available bandwidth The router balances the traffic between the two interfaces in a weighted round robin method NOTE DNS queries are not subject to load balancing To configure Interface Settings select the WAN Interface and click Edit The settings window for the interface appears Enter the following param...

Page 56: ...IP address For a DNS Lookup host enter a host name or domain name Uncheck a box if you do not want to ping this device for network service detection Protocol Binding Protocol Binding requires this interface to be used for specified protocols source and destination addresses It allows an administrator to bind specific outbound traffic to a WAN interface This is commonly used when the two WAN interf...

Page 57: ...mation Service Name A short description Protocol Required protocol Refer to the documentation for the service that you are hosting Port Range Required port range To Edit the settings select an entry in the list and click Edit The information appears in the text fields Make the changes and click Save To Delete an entry from the list select the entry to delete and click Delete To select a block of e...

Page 58: ... to add a service IP IP address or range to control Direction Select Upstream for outbound traffic Select Downstream for inbound traffic Min Rate Minimum rate in kbs for the guaranteed bandwidth Max Rate Maximum rate in kbs for the guaranteed bandwidth Check the box to enable the service Configure Priority To add an interface that is subject to bandwidth management click Add and enter the settings...

Page 59: ...occur on the network The device supports SNMP v1 v2c and SNMP v3 The device supports standard Management Information Bases MIBs such as MIBII as well as private MIBs The device acts as an SNMP agent that replies to SNMP commands from SNMP Network Management Systems The commands it supports are the standard SNMP commands get next set It also generates trap messages to notify the SNMP manager when a...

Page 60: ...ss IP address or domain name for the server where you are running your SNMP management software SNMPv3 Trap Receiver User Username for the server where you are running your SNMP management software Configuring SNMPv3 You can create SNMPv3 groups to manage SNMP MIB access and identify the users that have access to each group To add or edit a group STEP 1 Click Add or select a group and click Edit i...

Page 61: ...uch as computers and servers on your LAN When this feature is enabled the device periodically multicasts Bonjour service records to the LAN to advertise its existence NOTE For discovery of Cisco Small Business products Cisco provides a utility that works through a simple toolbar on the web browser called FindIt This utility discovers Cisco devices in the network and display basic information such ...

Page 62: ...operties on an interface check the Enable WAN1 or WAN2 box They are enabled by default The LLDP Neighbor table displays this information Local Port Port identifier ChassisID Subtype Type of chassis ID for example MAC address ChassisID Identifier of the chassis Where the chassis ID subtype is a MAC address the MAC address of the device is displayed Port ID Subtype Type of the port identifier Port I...

Page 63: ...t To reboot the device and return all parameters to factory default values click Factory Default To restore the device to factory default including the default certificates click Factory Default Including Certificates Firmware Upgrade This feature downloads the firmware for your device from a PC or a USB Flash drive and installs it The window displays the Firmware Version currently running on the ...

Page 64: ...language STEP 3 Click Save Alternatively you can choose a language in the following ways On the Login page choose a language from the Language drop down list On all configuration pages choose a language from the drop down list at the top right hand corner For firmware versions 1 0 2 03 or earlier use the Language Setup page to choose a new language by uploading a language pack to your device STEP ...

Page 65: ...r configuration file is used The router automatically copies the startup configuration to the mirror configuration after 24 hours of running in stable condition no reboots and no configuration changes within the 24 hour period Restoring the Settings from a Configuration File To restore the startup configuration from a file previously saved to a PC or USB Flash drive STEP 1 In the Restore Startup C...

Page 66: ...enames are Startup config and Mirror config The config extension is required For easier identification it might be helpful to enter a filename that includes the current date and time Copying the Mirror File to the Startup File You can manually copy the device startup configuration file to the mirror configuration file You can use this process to back up a known good configuration before you make c...

Page 67: ...nd the startup configuration file click Sanitize Configuration CAUTION The mirror configuration is deleted immediately with no option to cancel the operation The device is reset to use default settings and is restarted Backing Up the Firmware to a USB Flash Drive To back up the firmware to a Flash drive on the USB port select the port from the drop down menu and click Backup The device saves the f...

Page 68: ...System Management Backup and Restore 68 Cisco RV320 RV325 Administration Guide 5 ...

Page 69: ...ng on a Cisco Systems switch is generally referred to as Switched Port Analyzer SPAN Network Engineers or Administrators use port mirroring to analyze and debug data or diagnose errors on a network This feature helps you to monitor network performance and alerts you when problems occur NOTE When MAC Address Cloning is enabled port mirroring does not work To enable port mirroring for RV320 check En...

Page 70: ...x mode When Auto Negotiation is selected the device auto negotiates connection speeds and duplex mode with the connected device Port Status Port status displays a summary of the port states Click Refresh to update the data The Ethernet table displays the following Port ID Location of the port Type Port type Link Status Status of the connection Port Activity Status of the port Priority Port priorit...

Page 71: ...N with inter VLAN routing disabled is isolated from other VLANs Firewall access rules can be configured to further regulate allow or deny the inter VLAN traffic For RV320 LAN 1 through LAN 4 A port can be tagged untagged or excluded from the VLAN For RV325 LAN 1 through LAN 14 A port can be tagged untagged or excluded from the VLAN QoS CoS DSCP Setting This option groups traffic by classes of serv...

Page 72: ...s point to point connection characteristics and of preventing access to that port in cases which the authentication and authorization fails A port in this context is a single point of attachment to the LAN infrastructure To configure port based authentication STEP 1 Check Port based Authentication to enable the feature STEP 2 Enter the IP address of the RADIUS server STEP 3 Enter the RADIUS UDP Po...

Page 73: ...Port Management 802 1X Configuration Cisco RV320 RV325 Administration Guide 73 6 STEP 6 Click Save ...

Page 74: ...Port Management 802 1X Configuration 74 Cisco RV320 RV325 Administration Guide 6 ...

Page 75: ...ed SPI Stateful Packet Inspection Monitors the state of network connections such as TCP streams UDP communication traveling across it The firewall distinguishes legitimate packets for different types of connections Only packets matching a known active connection are allowed by the firewall others are rejected DoS Denial of service Detects attempts to cause a server overload In general terms DoS at...

Page 76: ...printers Internet gateways Wi Fi access points and mobile devices to seamlessly discover each other s presence on the network and establish functional network services for data sharing and communications Restricting Web Features To restrict Web Java Cookies ActiveX or Access to HTTP Proxy Servers features select the check box To allow only the selected features Java Cookies ActiveX or Access to HT...

Page 77: ...e drop down menu If you selected Single enter the destination IP address If you selected Range enter the range of destination IP addresses STEP 9 Configure the Scheduling for this access rule by selecting the time Select Always for the access rule to be in effect 24 hours a day Select Interval to set a time and enter the hours and minutes that the access rule is effective in the From and To fields...

Page 78: ...k Save Content Filter The content filter denies specified domains and web sites with specific keywords The content filter allows or denies specified domains and web sites with specific keywords Blocking Forbidden Domains To block domains STEP 1 Select Block Forbidden Domains STEP 2 Add or edit the domain in the Forbidden Domains table STEP 3 Set a time by entering the hours and minutes that the ac...

Page 79: ...heduled for a specific time on selected days To schedule time and days STEP 1 Select the Time from the drop down menu Select Always for the rule to be in effect 24 hours a day Select Interval to set a time STEP 2 If you selected Always in STEP 1 skip to STEP 4 If you selected Interval set a time by entering the hours and minutes that the access rule is effective in the From and To fields For examp...

Page 80: ...Firewall Content Filter 80 Cisco RV320 RV325 Administration Guide 7 ...

Page 81: ...escribed in Advanced Settings for IKE with Preshared Key and IKE with Certificate enabled To set a range of IP addresses to be used for VPN tunnels click Edit and enter the following parameters Range Start and Range End Starting and ending range of IP addresses used for VPN tunnels DNS Server 1 and DNS Server 2 Optional IP address of a DNS server If you enter a second DNS server the device uses th...

Page 82: ...sed at the other end of the tunnel Status Status of the VPN tunnel Connected or Waiting for Connection Phase2 Enc Auth Grp Phase 2 encryption type NULL DES 3DES AES 128 AES 192 AES 256 authentication method NULL MD5 SHA1 and DH group number 1 2 5 Local Group IP address and subnet mask of the Local Group Remote Group IP address and subnet mask of the Remote Group Remote Gateway IP address of the Re...

Page 83: ... on the same subnet For example if the Site A LAN uses the 192 168 1 x 24 subnet Site B can use 192 168 2 x 24 To configure a tunnel enter corresponding settings reversing local and remote when configuring the two routers Assume that this router is identified as Router A Enter its settings in the Local Group Setup section enter the settings for the other router Router B in the Remote Group Setup s...

Page 84: ...nection IP Only This router has a static WAN IP address The WAN IP address appears automatically IP Certificate This router has a static WAN IP address that appears automatically This option is only available when IKE with Certificate is selected IP Domain Name FQDN Authentication This device has a static IP address and a registered domain name such as MyServer MyDomain com Also enter the Domain N...

Page 85: ...cate. IP Address: Displays the WAN IP address of the device. Local Certificate: Certificates available in the Certificate Management > My Certificate window. Select the certificate from the drop-down menu. Self-Generator displays the Certificate Generator window. Import Certificate displays the My Certificate window. Local Security Group Type: Allows selection of a single IP address, a Subnet, or an IP address...

Page 86: ...t IP by DNS Resolved and enter the domain name of the router. Cisco routers can get the IP address of the remote VPN device by DNS Resolved. IP + E-mail Address (USER FQDN) Authentication: This router has a static IP address and you want to use an E-mail address for authentication. If you know the IP address of the remote VPN router, choose IP Address and enter the IP address. If you do not know the IP address...

Page 87: ...enter the same settings when configuring the other router for this tunnel. Phase 1/Phase 2 DH Group: DH (Diffie-Hellman) is a key exchange protocol. There are three groups of different prime key lengths: Group 1 (768 bits), Group 2 (1,024 bits), and Group 5 (1,536 bits). For faster speed and lower security, choose Group 1. For slower speed and higher security, choose Group 5. Group 1 is selected by default. Phase 1/Phase...

Page 88: ...to 30 keyboard characters or hexadecimal values, such as My_@123 or 4d795f40313233 are not supported. Both ends of the VPN tunnel must use the same Preshared Key. It is strongly recommended that you change the Preshared Key periodically to maximize VPN security. Minimum Preshared Key Complexity: Check the Enable box to enable the Preshared Key Strength Meter. Preshared Key Strength Meter: When you enable...

Page 89: ...er does not implement compression. When the router is the responder, it accepts compression even if compression is not enabled. If you enable this feature for this router, also enable it on the router at the other end of the tunnel. Keep-Alive: Attempts to reestablish the VPN connection if it is dropped. AH Hash Algorithm: Authentication Header (AH) protocol describes the packet format and default standards...

Page 90: ...user database found in User Management. Both IPSec host and edge device must enable Extended Authentication. To use the IPsec Host, click the radio button and enter the User Name and Password. To use the Edge Device, click the radio button and select the database from the drop-down menu. To add or edit the database, click Add/Edit to display the User Management window. Tunnel Backup: When DPD determines th...

Page 91: ...to Gateway. This feature creates a new VPN tunnel to allow teleworkers and business travelers to access your network by using third-party VPN client software such as TheGreenBow. Configure a VPN tunnel for one remote user, a group VPN for multiple remote users, or Easy VPN. Tunnel: Creates a tunnel for a single remote user. The tunnel number is automatically generated. Group VPN: Creates a tunnel for a gro...

Page 92: ...the other end of the tunnel. Interface: WAN port. Keying Mode: Choose the key management method. Manual: Generate the key yourself but do not enable key negotiation. Manual key management is used in small static environments or for troubleshooting purposes. Enter the required settings. IKE (Internet Key Exchange) with Preshared Key: Use this protocol to set up a Security Association (SA) for your tunnel. This s...

Page 93: ...VPN tunnel, or uncheck it to disable the tunnel. By default, the tunnel is enabled. Tunnel Mode: Split Tunneling allows Internet-destined traffic to be sent unencrypted directly to the Internet. Full Tunneling sends all traffic to the head-end device, where it is then routed to destination resources, eliminating the corporate network from the path for Web access. IP Address: IP address assigned to the VPN i...

Page 94: ...Resolved and enter the domain name of the router. Cisco routers can get the IP address of the remote VPN device by DNS Resolved. IP + E-mail Address (USER FQDN) Authentication: This device has a static IP address and uses an email address for authentication. If you know the IP address of the remote VPN router, choose IP Address and enter the IP address. If you do not know the IP address of the remote VPN route...

Page 95: ...ing options are available for a Single User or Tunnel type VPN. IP Only: Remote VPN client has a static WAN IP address. If you know the IP address of the client, choose IP Address and then enter the address. If you do not know the IP address of the client, select IP by DNS Resolved and then enter the domain name of the client on the Internet. The router gets the IP address of the remote VPN client by usi...

Page 96: ...nt has a dynamic IP address and a registered Dynamic DNS hostname (available from providers such as DynDNS.com). Enter the Domain Name to use for authentication. The domain name can be used only for one tunnel connection. Dynamic IP + E-mail Addr. (USER FQDN) Authentication: Client has a dynamic IP address and does not have a Dynamic DNS hostname. Enter any Email Address to use for authentication. Remote Clien...

Page 97: ...hod determines the length of the key used to encrypt or decrypt ESP packets. AES-256 is recommended because it is more secure. Phase 1/Phase 2 Authentication: Method of authentication for this phase, MD5 or SHA1. The authentication method determines how the ESP (Encapsulating Security Payload) protocol header packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA1 is...

Page 98: ...d to display the advanced settings. If you change the Advanced settings on one router, also enter the settings on the other router. Aggressive Mode: Two modes of IKE SA negotiation are possible, Main Mode and Aggressive Mode. If network security is preferred, Main Mode is recommended. If network speed is preferred, Aggressive Mode is recommended. Check this box to enable Aggressive Mode, or uncheck the box t...

Page 99: ...work Address Translation (NAT) enables users with private LAN addresses to access Internet resources by using a publicly routable IP address as the source address. However, for inbound traffic, the NAT gateway has no automatic method of translating the public IP address to a particular destination on the private LAN. This issue prevents successful IPsec exchanges. If your VPN router is behind a NAT gatew...

Page 100: ...to-Point Tunneling Protocol VPN tunnels can be enabled for users who are running PPTP client software. For example, in Windows XP or 2000, a user opens the Network Connections panel and creates a new connection. In the wizard, the user selects the option to create a connection to the workplace by using a Virtual Private Network connection. The user must know the WAN IP address of this device. For more in...

Page 101: ...can also create certificates by using the Certificate Generator, or import certificates from a PC or USB device. Self-signed SSL Certificates are not inherently trusted by browsers, and while they can be used for encryption, they do cause browsers to display warning messages informing the user that the certificate has not been issued by an entity the user has chosen to trust. A user can also connect w...

Page 102: ...cate. After restarting the device, import this file to restore the certificate. Export Private Key: Some VPN client software requires a credential with a private key, CA certificate, and certificate separately. STEP 2 Click Open to display the key. Click Save to save the key. Importing a 3rd-party or Self-signed Certificate: A Certificate Signing Request (CSR) generated externally cannot be authorized or sign...

Page 103: ...has an encrypted link with a company who has been issued a trusted SSL Certificate from a trusted Certificate Authority. The Certificate Table enables certificates and displays certificate information. To view additional information regarding certificates, click Details. To import a 3rd-party certificate, click Add and import the certificate. STEP 1 Select Import from PC or Import from USB Device. STEP...

Page 104: ...Certificate Signing Request (CSR) for an external certificate authority to sign. When the configuration is saved, the generated CSR or self-signed certificate displays under My Certificate. To generate a certificate: STEP 1 Enter the following parameters: Type: Certificate request type. Country Name: Country of origin. State or Province Name: State or province (optional). Locality Name: Municipality (optional). Orga...

Page 105: ...icate Management / CSR Authorization. Once an externally generated CSR is signed by this device, the signed CSR becomes a trusted certificate and is moved to the Trusted IPsec Certificate window. To restore the device configuration to factory default values, including the default certificates, use the Factory Default window. To sign a certificate: STEP 1 Click Browse to identify the Certificate Signing Request...


Page 107: ...the following: STEP 1 Click Enable. STEP 2 Select USB1 or USB2 to send the log out the USB ports. STEP 3 Check the Dial Number1 and/or Dial Number2 and enter the phone number to call. STEP 4 Click Test to test the link. STEP 5 Select when the log is sent: When a link is brought up; When a link is brought down; Authentication fails; The system is started. STEP 6 Click Save. Configuring the System Log Servers...

Page 108: ...port number. Username: email user name. For example: Mail Server: smtp.gmail.com; Authentication: SSL; SMTP PORT: 465; Username: xxxxx@gmail.com; Password: yyyyyy. Password: email password. Send Email to 1 (and optionally 2): Email address. For example: Send email to zzz@company.com. Log Queue Length: Number of log entries to be made before notification is sent. For example, 10 entries. Log Time Threshold: Time between log...

Page 109: ...dle a ping packet larger than the maximum IPv4 packet size of 65,535 bytes. Sending an oversize ping might crash the target computer. Win Nuke: A remote denial-of-service (DoS) attack that affects the Microsoft Windows 95, Microsoft Windows NT, and Microsoft Windows 3.1x computer operating systems. Deny Policies: Access has been denied based on configured policies. Authorized Login: An authorized user has lo...

Page 110: ...u. Log entries include the date and time of the event, the event type, and a message. The message specifies the type of policy, such as Access Rule, the LAN IP address of the source (SRC), and the MAC address. Outgoing Log Table: Outgoing packet information. Incoming Log Table: Incoming packet information. Clear Log Now: Click to clear the log without emailing it, only if you do not want to view the information i...

Page 111: ...pplications. SSL VPN uses the Secure Sockets Layer protocol and its successor, Transport Layer Security, to provide a secure connection between remote users and specific, supported internal resources configured at a central site. This device recognizes connections that must be proxied, and the SSL VPN web portal interacts with the authentication subsystem to authenticate users. Access to resources by use...

Page 112: ...s where each group has access to a different set of resources in the LAN. A typical scenario has two groups of users, where one group contains employees and the other group contains business partners. Although this device supports multiple domains, it is common to see a small business with a single domain that is tied to a particular authentication database, for example a local database, RADIUS, or LDAP. The...

Page 113: ...or modify a group, click Add or select an entry and click Edit, and enter the following parameters: Group Name: Name of the group. If you are editing an existing group, this parameter cannot be modified. Domain: Group domain. Click Add or Edit to display the Group Management window. Enabled: Check to enable this group. Service Idle Time: Time that the connection can be idle before the session is terminated. Se...

Page 114: ...mputer to another, relaying the graphical screen updates back in the other direction over a network. Terminal Service: Allows applications such as Word, Excel, and PowerPoint. Other: Allows access to My Network Place and Virtual Passage. The Virtual Passage can be split tunnel, where traffic not specifically tagged for the tunnel is sent over another virtual connection, or Full Tunnel, where all traffic is s...

Page 115: ...e path to the application. To add or modify a resource, click Add or select an entry and click Edit, and enter the following parameters: Application Description: Description of the application. Application and Path: Path and executable file names. Working Directory: Application directory. Host Address: IP address of the computer hosting the service. Application Icon: Icon to display. Enable: Enables the resource...

Page 116: ...r modify the banners. To modify advanced settings, enter the following parameters: Client Address Range Starts: Starting IP address of the allowed range. Client Address Range Ends: Ending IP address of the allowed range. Service Port: Port number for SSL VPN. Business Name: String that is displayed as a banner for the business name. Resource Name: String that is displayed as a banner for the resource name...

Page 117: ...etup Wizard to change the number of WAN ports or to configure the Internet connection. Click Launch Now to run the Basic Setup Wizard. Follow the on-screen instructions to proceed. Refer to the information from your ISP to enter the required settings for your connection. Access Rule Setup: Use the Access Rule Setup Wizard to create firewall access rules. Click Launch Now to run the Access Rule Setup Wiz...


Page 119: ...osoft Challenge Handshake Authentication Protocol (MSCHAP) or Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAPv2). Domain: Domain name users select to log into the SSL VPN portal. Radius Server: IP address of the RADIUS server. Radius Password: Authentication secret. Active Directory: Windows Active Directory authentication. Note that Active Directory authentication is the most error-pro...

Page 120: ...enter the following information: Username: Name the user enters to log into the SSL VPN portal. Password: Password used for authentication. Group: Groups sourced from the SSL Status Table in Group Management. By default, the Group drop-down has 5 options: 4 default SSLVPN groups and Unassigned. The Unassigned group contains PPTP VPN users and EasyVPN users. The Administrator group has only one user, the defa...

Page 121: ...rt. Online Technical Support and Documentation (Login Required): www.cisco.com/support. Phone Support Contacts: www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html. Software Downloads (Login Required): Go to tools.cisco.com/support/downloads and enter the model number in the Software Search box. Cisco Open Source Requests: www.cisco.com/go/smallbiz_opensource_request. Cisco Part...

Page 122: ...Where to Go From Here 122 Cisco RV320 RV325 Administration Guide 14 Revised August 2014 ...
