
Americas Headquarters

Cisco Systems, Inc.


170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Implementation Guide
December, 2012
SMART Designs
Small Business Network Foundation

Cisco SMART Designs
Cisco SMART Designs consists of solutions designed, tested, and documented to facilitate faster, more reliable, and more predictable
customer deployments. For more information visit www.cisco.com/go/partner/smartdesigns.
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY,
DESIGNS) IN THIS MANUAL ARE PRESENTED AS IS, WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM
ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE
PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL,
CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR
DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR
APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL
ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS
BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at
www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Small Business Network Foundation Implementation Guide
2012 Cisco Systems, Inc. All rights reserved.

iii
Cisco Small Business Network Foundation Implementation Guide

Contents
Introduction 1
SBNF Solution Benefits 2
Scope of this Guide 2
High Level SBNF Network Topology 3
Implementation Overview 4
Network Topology 4
Network Design Details 6
Main Office Configuration 8
Preparing for the Implementation 10
Updating Software Applications on Laptop PC 10
Using the Quick Start Guides 10
Using the Administration Guides 11
Connecting to the ISA570W and SG500 Series Switches 11
Network Configuration 12
Basic Network Configuration with Internet Access 12
Configuring Interfaces Between the Cisco ISA570W and SG500 Devices 21
ISA570W SBNF Layer 3 Configuration 33
Configuring Quality of Service 40
Configuring WAN QoS 40
Configuring LAN QoS 49
VPN Configuration 52
Using the Site-to-Site VPN Configuration Wizard 53
Mobile Worker Configuration 57
Configuring Laptops of Mobile Workers for Cisco VPN Client 72
Additional Enhancements 78
Remote Office Configuration 78
References 78


Cisco Small Business Network Foundation
Implementation Guide
This document is intended for small business customers with 100 employees or fewer who are interested
in using the Cisco Small Business Series products to secure their small business network.
The implementation described in this guide is part of the Cisco SMART Designs suite. It describes an
implementation based on Cisco Small Business Series networking devices that provides a networking
foundation for small businesses and supports more advanced functionality such as advanced security,
voice, wireless, and video.
The design recommendations in the Cisco Small Business Network Foundation (SBNF) Design Guide
provide practical guidance for a Cisco Small Business Series solution that supports up to 100 users,
explain the technology involved, and describe the components and architecture for meeting specific
requirements. The SBNF Design Guide is located at the following URL:
http://www.cisco.com/go/smartdesigns/sbnf.
This guide contains the following sections:
Introduction, page 1
Implementation Overview, page 4
Preparing for the Implementation, page 9
Network Configuration, page 11
Configuring Quality of Service, page 39
Remote Office Configuration, page 56
References, page 78
Introduction
This implementation guide describes the basic steps for configuring an SBNF deployment in a small
business that can span from a typical single office (main office) environment to one that can connect to
multiple sites, such as remote offices and mobile workers.

This implementation guide also shows how to configure the Cisco ISA500 Series Security Appliance and
Cisco SG500 Series switches with aggregation/access layer switches, firewall, site-to-site, and remote
access VPNs. For detailed configuration information, see the administration guides for the
Cisco ISA500 Series and Cisco SG500 Series.
SBNF solutions address the following security, productivity, and connectivity needs of small businesses:
Network communication at a business location with Internet access
High performance zone-based firewall for controlling inbound and outbound traffic
Reserved Guest VLAN (2) for wired and wireless; guest access mapped to the GUEST zone
Captive Portal authentication for guest users (refer to the WLAN Implementation Guide)
Enhanced Quality of Service (QoS)
DMZ for public websites and services
IPsec VPN connectivity for multi-site deployments
Dual WAN connectivity to ISPs (optional)
SSL VPN (AnyConnect secure client) or remote access IPsec VPN for easy remote connectivity for employees
Aggregation/access layer LAN switching with Cisco SG500 Series switches with Power over Ethernet (PoE) capability
Stacked aggregation switches (optional), for LAN high availability
SBNF Solution Benefits
An SBNF implementation provides the following benefits:
Easy deployment and management to maximize limited IT staff and resources
Safe, secure, and easy remote network access from anywhere
High performance firewall that protects critical business functions
Resilient LAN that connects data and voice endpoints, such as PCs, servers, and IP phones
WAN failover and load balancing (optional)
Guest access
PoE-enabled switches
Increased employee productivity
Scope of this Guide
This implementation guide describes the following capabilities:
Network security
High performance zone-based firewall
DMZ support
Network connectivity
Secure site-to-site and remote access with IPsec and Secure Socket Layer (SSL) VPN with AnyConnect client
Gigabit Ethernet connectivity to the Cisco SG500 Series Switches and WAN
Aggregation switch stacking (optional) to provide highly available LAN
Dual WAN capability with load balancing or failover via the optional WAN port (optional)
Ease of use
Simple deployment and management with a GUI-based embedded device manager
Featured products
Cisco ISA500 Series Integrated Security appliances (ISA550, ISA550W, ISA570, ISA570W)
Cisco Small Business SG500 Series stackable Switches
The reader is encouraged to read the SBNF Design Guide to better understand the implementation of the
entire SBNF network. Figure 1 shows the relationships of other documents to this implementation guide.
Figure 1 Related SBNF Documents
High Level SBNF Network Topology
The topology in Figure 2 shows a high-level network diagram of the SBNF solution. It consists of the
following locations: main office, remote office, and mobile worker (IPSec and SSL VPN). The locations
are linked using VPN connectivity. For more information about the location descriptions, see the
Networking Primer for Small Businesses.
[Figure 1 shows the SBNF document set. The Networking Primer for Small Businesses (an introduction to
networking concepts), the SBNF Design Guide and the SBNF Bill of Material and Product Selection Guide
(for technical decision makers, network designers and network implementers) are prerequisite documents;
this SBNF Implementation Guide is written for network implementers.]

Figure 2 High-Level SBNF Network Diagram
Implementation Overview
This section provides an overview of the implementation. It includes the following topics:
Network Topology, page 4
Network Design Details, page 6
Main Office Configuration, page 7
Updating Software Applications on Laptop PC, page 9
Using the Quick Start Guides, page 9
Using the Administration Guides, page 10
Network Topology
The descriptions in this document are based on the network topology shown in Figure 3. The icons in
this topology do not show any specific Cisco Small Business Series devices, because the topology is
generic enough to be used with any of the Small Business Series routers and switches. This implementation
guide, however, uses the Cisco ISA570W Security Appliance and the Cisco SG500 Series switches at the main
office and remote office to demonstrate an SBNF deployment; other ISA500 Series security appliances can
be used instead of the ISA570W Security Appliance.
Note The mobile worker does not use a Small Business Series router to connect to the small business WAN
network, but instead uses either a home router or some sort of publicly accessible Internet connection,
such as wireless hot spots or free wifi in restaurants, airports, or coffee shops.
[Figure 2 shows the main office, a remote office reached over a site-to-site IPsec VPN, a home office or
mobile worker reached over a remote IPsec VPN, and a mobile worker reached over an SSL VPN, all connected
through the Internet.]
Figure 3 SBNF Implementation Topology
Note ISA5xx Integrated WAN Router denotes the Cisco Small Business Series Router that contains the
integrated switch ports, and may also contain other integrated hardware such as wireless AP, voice, and
so on, as well as integrated software functionalities. In this implementation, an ISA570W Security
Appliance performs the role of the ISA5xx.
Mobile workers, who obtain their IP address from any other network with Internet connectivity, use SSL
VPN or IPsec VPN to connect to the WAN IP address of the ISA500 Series appliance.
The ISA500 Series security appliance connects to the Internet through its WAN port, and connects to the
Cisco 500 Series aggregation or access switches through one of its switch ports. Depending on the model,
one or more of the configurable ports can be used as a secondary WAN, DMZ, or extra LAN port. In the
topology shown in Figure 3, one configurable port is used as the DMZ port, connected to a single server,
an external switch (connected to multiple DMZ servers), or a LAN segment at the main office. The various
topologies are described in the SBNF Design Guide.
Note The SBNF LAN topologies L1–L3 cloud shown in Figure 3 includes SG500 Series switches as
aggregation/access layer switches. Outside the cloud, a Cisco Unified Communications 500 (UC500) device
is used to test the voice VLANs with voice-over-IP (VoIP) telephones. The UC500 was used as a voice
termination device and not as a complete voice solution with SBNF. For the complete Unified
Communication Services configuration, see the application note, Enhancing SBNF with Unified
Communication Services. UC500 configuration with the SBNF implementation is beyond the scope of this
document.
[Figure 3 shows the remote office (an ISA5xx with an SG500 switch, SBNF LAN L0–L1), the main office (an
ISA5xx with SG500 switches, SBNF LAN topologies L1–L3, an optional DMZ port to a DMZ server, an 802.1Q
trunk carrying the Cisco-guest, Cisco-data and Cisco-voice VLANs, and optional LAN components such as the
UC500 and other devices), and the mobile worker. The sites connect across the WAN/Internet with an IPsec
VPN tunnel and an SSL VPN (AnyConnect) tunnel.]

Network Design Details
The Cisco ISA500 Series security appliance and the Cisco 500 Series switch come with preconfigured
VLANs: data (1) and voice (100), and the IP addresses listed in Table 1. However, this implementation
guide uses the VLANs and network addresses as described in the IP Address Scheme section of the
SBNF Design Guide. For convenience, the IP addressing table from the SBNF Design Guide is duplicated
here.
Implementations can use these default values or modify them to suit the network design. This guide uses
the modified values for VLANs and IP addresses listed in Table 2.
Table 1 Default VLANs and IP Addresses
Item | VLAN identifier / IP address
Data VLAN | 1
IP address/default gateway | 192.168.75.1
DHCP pool for data VLAN | 192.168.75.100–254
Voice VLAN | 100
Guest VLAN | 2
Guest DHCP range | 192.168.25.100–254
Guest default gateway | 192.168.25.1
Table 2 Sample IP Address Assignments
Item | Sample value for main site | Sample value for first remote office | Home office
For PCs (addresses assigned via DHCP)
Data VLAN (cisco-data) | 10 | 10 | 1
Private IP range for data VLAN (for PCs) (1) | 10.1.20.0/24 | 10.2.20.0/24 | NA
Default gateway for data VLAN | 10.1.20.1 | 10.2.20.1 | 10.x.20.1
DHCP excluded addresses in data VLAN (fixed addresses for interfaces, test tools, and so on) | 10.1.20.1–10.1.20.9 | 10.2.20.1–10.2.20.9 | 10.x.20.1–10.x.20.9
For IP phones (addresses assigned via DHCP, if voice service is implemented)
Voice VLAN (cisco-voice) | 100 | 100 | 1
Private IP range for voice VLAN | 10.1.100.0/24 | 10.2.100.0/24 | Same as data
Default gateway for voice VLAN | 10.1.100.1 | 10.2.100.1 | Same as data
TFTP server IP address for IP phones to download their configuration | 10.1.1.1 | 10.1.1.1 | 10.1.1.1
VPN-related addresses (if the deployment supports home offices and/or mobile workers)
Public IP address for VPN gateway | 50.101.1.1 (sample; assigned by the service provider) | NA | NA
SSL VPN clients | 10.1.154.0/24 | NA | NA
IPsec VPN clients | 10.1.254.0/24 | NA | NA
DMZ-related VLAN / IP addresses
Private IP range for DMZ VLAN | 172.16.2.0/24 | NA | NA
Default gateway for DMZ VLAN | 172.16.2.1 | NA | NA
Public addresses for Internet access
WAN interface address | Public IP address as assigned by the service provider (for example, 51.101.1.1/24) | Public IP address as assigned by the service provider | Public IP address as assigned by the service provider
Optional WAN interface address (redundancy/failover) | Public IP address as assigned by the service provider (for example, 51.101.2.1/24) | NA | NA
1. Since the UC500 uses the 10.1.10.0 network internally, the data VLAN subnet is assigned 10.1.20.0/24 in this implementation.
For the home office, x can be any number other than those of the remote offices and the SSL VPN network
addresses.
Note Remote office IP address assignment for the data VLAN (10.x.20.0/24) is done by changing the value
of x to make the addresses of a remote office distinct from those of other locations. The mobile worker
uses a fixed subnet of 10.1.254.0/24 for the IPsec VPN Client and 10.1.154.0/24 for the SSL VPN
AnyConnect client.
Main Office Configuration
In the main office, the WAN router (ISA570W Security Appliance) enables communication within the LAN
and allows computers to access the Internet as well as the other office locations. The LAN includes the
access switches and any aggregation switch, as described in network topologies L1–L3 in the SBNF Design
Guide. With the default settings, the ISA570W Security Appliance obtains its WAN IP address dynamically
from the ISP via the cable/DSL modem. All devices on the data VLAN receive their IP addresses
dynamically from the ISA570W Security Appliance, while those on the voice VLAN receive their IP
addresses from the UC500 (see Figure 4).
All devices have access to the Internet, but unsolicited inbound traffic from the Internet to any LAN
device is disallowed. The Guest VLAN can only communicate with the Internet, and only after Captive
Portal authentication.
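The address plan in Table 2 only works if none of its prefixes collide: footnote 1 moves the data VLAN off 10.1.10.0 because the UC500 uses it internally, and the note above requires each remote or home office to pick a distinct x in 10.x.20.0/24. The following script is an added example, not part of the Cisco guide, that encodes the Table 2 values and checks them for overlaps, misplaced gateways and home-office collisions before anything is typed into the appliance. The /24 mask on the UC500 internal network and the dictionary names are assumptions; the guide gives only the network address.

```python
"""Overlap check for the SBNF address plan in Table 2 (added example, not from the guide)."""
import ipaddress
from itertools import combinations

# Constructed from Table 2 and its notes. The UC500 internal network from
# footnote 1 is included so a data VLAN that collides with it is reported;
# its /24 mask is an assumption, the guide gives only the network address.
SBNF_PLAN = {
    "main default VLAN 1": "192.168.75.0/24",
    "main guest VLAN 2": "192.168.25.0/24",
    "main data VLAN 10": "10.1.20.0/24",
    "main voice VLAN 100": "10.1.100.0/24",
    "main DMZ": "172.16.2.0/24",
    "UC500 internal": "10.1.10.0/24",
    "SSL VPN clients": "10.1.154.0/24",
    "IPsec VPN clients": "10.1.254.0/24",
    "remote office 1 data VLAN": "10.2.20.0/24",
    "remote office 1 voice VLAN": "10.2.100.0/24",
}

# Default gateways from Table 2, keyed by the network they must belong to.
SBNF_GATEWAYS = {
    "main data VLAN 10": "10.1.20.1",
    "main voice VLAN 100": "10.1.100.1",
    "main DMZ": "172.16.2.1",
    "remote office 1 data VLAN": "10.2.20.1",
    "remote office 1 voice VLAN": "10.2.100.1",
}


def find_overlaps(plan):
    """Return sorted (name_a, name_b) pairs whose prefixes overlap."""
    nets = {name: ipaddress.ip_network(prefix, strict=True) for name, prefix in plan.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])
    )


def misplaced_gateways(plan, gateways):
    """Return names whose gateway address is not inside the planned prefix."""
    return sorted(
        name for name, gw in gateways.items()
        if ipaddress.ip_address(gw) not in ipaddress.ip_network(plan[name])
    )


def site_data_subnet(x):
    """Data VLAN subnet 10.x.20.0/24 for a remote or home office numbered x."""
    if not 1 <= x <= 254:
        raise ValueError("x must be in 1..254")
    return ipaddress.ip_network(f"10.{x}.20.0/24")


def home_office_conflicts(x, plan):
    """Planned networks a home office using 10.x.20.0/24 would collide with."""
    home = site_data_subnet(x)
    return sorted(
        name for name, prefix in plan.items() if home.overlaps(ipaddress.ip_network(prefix))
    )


if __name__ == "__main__":
    print("overlaps:", find_overlaps(SBNF_PLAN))
    print("misplaced gateways:", misplaced_gateways(SBNF_PLAN, SBNF_GATEWAYS))
    for x in (1, 2, 3):
        print(f"home office x={x}:", home_office_conflicts(x, SBNF_PLAN))
    # The mistake footnote 1 warns about: data VLAN placed on the UC500 network.
    print(find_overlaps(dict(SBNF_PLAN, **{"main data VLAN 10": "10.1.10.0/24"})))
```

Run it once with the plan as designed (all checks return empty lists) and again after each site or VPN pool is added; a non-empty result from find_overlaps means a route or DHCP scope will silently shadow another.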
In this implementation guide, the voice VLAN is optional and requires a voice termination device such as
a UC500. Note that the ISA570W Security Appliance also handles IP phone communication between the main
and remote offices, as well as SIP and H.323 voice traffic to the Internet, through its Application Level
Gateway (ALG) configuration. Other types of voice traffic to the outside world use a voice gateway.
Figure 4 shows the layout of a main office with the ISA570W Security Appliance as well as the SG500
Series aggregation and access switches.
Figure 4 Main Office Topology Detail Layout
Table 3 summarizes the connectivity between the devices in Figure 4.
[Figure 4 shows the main office. The ISA570W Security Appliance has WAN1 51.101.1.1, a DMZ interface
172.16.2.1 (HTTP server with private IP 172.16.2.20 and public IP 51.101.1.20), and VLAN interfaces
192.168.75.1 (VLAN 1, default VLAN), 192.168.25.1 (VLAN 2, guest VLAN), 10.1.20.1 (VLAN 10, data VLAN)
and 10.1.100.1 (VLAN 100, voice VLAN). Two stacked SG500 aggregation switches (stack IP address
192.168.75.2, VLAN database 1, 2, 10, 100) carry VLANs 1, 2, 10 and 100 on trunks to two SG500 access
switches (192.168.75.3 and 192.168.75.4), whose access ports are in VLAN 2, VLAN 10, or VLANs 10 and
100. The UC500 connects through its WAN interface, 10.1.1.1.]
Table 3 Main Office Connectivity Detail
Link | Port on first device | Port on second device
ISA570W Security Appliance to SG500 stacked aggregation switch (SG500-24) | GE2 | G1/1/24
Aggregation switch member 1 to aggregation switch member 2 | Stack connection | Stack connection
SG500 aggregation switch to Access Switch 1 (SG500-48P) | G1/1/7 and G2/1/19 | G1/1/7 and G1/1/19
SG500 aggregation switch to Access Switch 2 (SG500-48P) | G1/1/8 and G2/1/20 | G1/1/8 and G1/1/20
SG500 aggregation switch to UC500 | G2/1/22 | WAN interface
Preparing for the Implementation
This section provides instructions to follow before beginning the actual implementation. It includes
the following topics:
Updating Software Applications on Laptop PC
Using the Quick Start Guides
Using the Administration Guides
Connecting to the ISA570W Security Appliance and SG500 Series Switches
Updating Software Applications on Laptop PC
Download the latest software for all Cisco SBNF components in case an upgrade is required, and store it
in a common directory on your laptop PC. To find the latest software for a component, go to
http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm and search under the component name.
Using the Quick Start Guides
Obtain a paper or electronic copy of the quick start guides before connecting to the Cisco ISA570W
Security Appliance and Cisco SG500 Series switches. For new equipment, the quick start guide is included
in the shipping box or package. Each new equipment purchase should include the following items:
Device
Power cord
Mounting hardware
Rubber feet for desktop mounting
Serial cable
Quick start guide
Device series CD
Besides describing the device, the quick start guide shows how to initially configure the device with
either a static or a DHCP-assigned IP address (and with Cisco Configuration Assistant, where supported),
how to connect devices, and where to find other relevant documents.
For the initial configuration of the Cisco ISA570W Security Appliance and Cisco SG500 Series switches,
use the respective quick start guide. The quick start guides contain the following sections:
Product Overview: Displays the front and back panel of the device, and describes the physical
aspects of the device
Installation Options: Describes the environment in which to place the equipment
Installation: Connects all equipment according to the topology to be deployed
Launching the Configuration Utility: Connects and logs in to the device
Getting Started with the Configuration: Explains how to use the getting started page to do most of
the configuration tasks, including upgrading the firmware/software
Note Cisco recommends upgrading the firmware/software for the ISA570W Security Appliance and SG500
Series switches if upgrades are available.
Using the Administration Guides
Obtain a paper or electronic copy of the administration guides before configuring the ISA570W Security
Appliance and SG500 Series switches. The following topics are not covered in this document because they
are available in the appropriate administration guide:
Overview of the ISA570W Security Appliance and Cisco SG500 Series switches and their features
How to connect to the ISA570W Security Appliance and SG500 Series switches
How to use the configuration utility for the ISA570W Security Appliance and SG500 Series switches
Default settings on the ISA570W Security Appliance and the SG500 Series switches
Basic tasks such as upgrading the firmware, changing the default name and password, and backing up the
configuration
This implementation guide focuses on the configuration of a network as shown in Figure 4.
Note Configuring the Cisco UC500 is beyond the scope of this document. For configuring the UC500 with
SBNF, see the Enhancing Cisco Small Business Network Foundation with Unified Communications
application note.
Connecting to the ISA570W Security Appliance and SG500 Series
Switches
To connect to the ISA570W Security Appliance, perform the following steps:
Step 1 Boot the ISA570W Security Appliance.
Step 2 After the security appliance has powered on, connect the switch, APs, and other devices to one of the
switch ports on the security appliance so they can obtain a DHCP IP address from the security appliance.
Step 3 From the Navigation menu on the security appliance, click Status > Network Status > DHCP Bindings
to view the IP address of the newly connected device.
Figure 5 DHCP Bindings
Step 4 After connecting to the devices using the DHCP IP address, change the IP address to a static IP address
outside the DHCP pool.
Network Configuration
This section describes the procedures necessary to configure the network. It includes the following
topics:
Basic Network Configuration with Internet Access, page 12
Configuring Interfaces Between the Cisco ISA570W Security Appliance and SG500 Devices,
page 20
ISA570W Security Appliance SBNF Layer 3 Configuration, page 32
Remote Office Configuration, page 56
Note It is assumed that before configuring the devices, the network has been installed, as shown in Figure 4.

Basic Network Configuration with Internet Access
This section describes tasks that are needed for all the SBNF office locations. The default configurations
on the ISA570W Security Appliance and SG500 Series switches are sufficient for the offices. However,
depending on the requirements of the ISP as well as the preferences for the LAN configuration, changes
should be made as necessary. To enable offices to connect to the Internet, complete the steps in the
following topics.
Configuring WAN on ISA570W Security Appliance
By default, the security appliance is configured to receive a public IP address from your ISP
automatically through DHCP. Depending on the requirements of your ISP, you may need to modify the
WAN settings to ensure Internet connectivity.
If you have two ISP links, one for WAN1 and another for WAN2, you must configure a secondary WAN
interface using one of the configurable ports on the security appliance.
Note When the WAN port is configured to obtain an IP address from the ISP using Dynamic Host
Configuration Protocol (DHCP), you can click the Release icon to release its IP address, or click the
Renew icon to obtain a new IP address.
This section describes how to configure the WAN connections by using the account information provided
by your ISP. Complete the following steps:
Procedure
Configuring the Primary WAN Interface
Step 1 Select Networking > WAN > WAN Settings.
The WAN Settings window is displayed (see Figure 6).
Figure 6 WAN Interface Settings
Step 2 To edit the settings of the primary WAN (WAN1), click the Edit (pencil) icon.
The WAN Add/Edit window is displayed (Figure 7).
Figure 7 WAN Interface Settings: Add/Edit Window
Step 3 Enter the data as shown in Figure 7, substituting the specific IP addresses used in your deployment.
Step 4 Select the WAN zone, which is predefined.
Step 5 Click OK to save your settings.
The screen changes.
Step 6 Click Save to apply your settings.
Figure 8 shows the WAN interface configuration summary.

Figure 8 WAN Interface Settings: Summary
Configuring the Secondary WAN (optional)
To set up two ISP links for a network, configure a secondary WAN in the same way. You can use one
link as the primary link and another link for backup purposes, or you can configure load balancing to use
both links simultaneously.
For more information about configuring the secondary WAN, refer to the following subsection in the
Administration Guide: Networking / Configuring WAN / Configuring WAN Redundancy.
Managing Physical Ports
To configure the physical ports, complete the following steps:
Procedure
Step 1 To open the Physical Interface page, click Networking > Ports > Physical Interface.
The screen shown in Figure 9 is displayed.
Figure 9 Physical Interfaces
Step 2 Check the box in the Enable column to enable a physical port, or uncheck it to disable the physical port.
Step 3 To edit the settings of a physical port, click the Edit (pencil) icon.
Configuring the SBNF VLANs on ISA570W Security Appliance
The security appliance comes with the following predefined VLANs: 1 (DEFAULT), 2 (GUEST), and 100
(VOICE). In SBNF, the GUEST VLAN is edited to change its IP subnet and a DATA VLAN (10) is added, giving
the following VLANs:
A native VLAN (DEFAULT), with VLAN ID 1 and IP address 192.168.75.1. By default, this VLAN is in the
LAN zone.
A guest VLAN (GUEST), with VLAN ID 2 and IP address 192.168.25.1. By default, this VLAN is in the GUEST
zone.
A data VLAN (DATA), with VLAN ID 10 and IP address 10.1.20.1. By default, this VLAN is in the LAN zone.
A voice VLAN (VOICE), with VLAN ID 100 and IP address 10.1.1.2. By default, this VLAN is in the VOICE
zone.
Note Configuring a VLAN on the ISA570W Security Appliance also includes assigning an IP subnet and a
zone to the VLAN.
As stated above, this solution uses the following VLANs: DATA (10), DEFAULT (1), VOICE (100), and
GUEST (2). See Table 1 and Table 2 for details.

Repeat the following steps for each VLAN that is not already defined.
Step 1 Select Networking > VLAN.
The VLAN window is displayed.
Step 2 To add a new VLAN, click Add.
The VLAN Add/Edit window is displayed (see Figure 10).
Figure 10 VLAN Basic Settings Configuration
Step 3 Choose DHCP Server mode and enter the relevant information in the DHCP Pool Settings tab to
configure DHCP for the VLAN/subnet, as shown in Figure 11.
Figure 11 VLAN DHCP Pool Settings Configuration
Note For voice VLAN 100, enter the TFTP server IP address in the field for Option 150. The TFTP server IP
address 10.1.1.1 is actually the IP address of the UC500.
Step 4 Click OK to save your settings.
Step 5 Click Save to apply your settings.
The VLAN configuration summary is displayed as shown in Figure 12.
Figure 12 VLAN Interfaces Configuration Summary
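The Option 150 value entered for VLAN 100 above is what the IP phones trust to locate their configuration server, so a DHCP server on the voice VLAN handing out a different address (a rogue server, or a stale pool after the UC500 is renumbered) redirects every phone's configuration download. The following script is an added example, not part of the Cisco guide: it builds and parses the DHCP options field as it appears in a DHCPOFFER, decodes option 150 (one or more IPv4 addresses) and reports any TFTP server other than the UC500 address 10.1.1.1 from Table 2. The two sample option fields are constructed for the example; the default-gateway value is the VLAN 100 address from Table 2.

```python
"""DHCP option 150 (TFTP server) encoder/parser for voice VLAN checks (added example, not from the guide)."""
import ipaddress

OPT_ROUTER = 3          # default gateway
OPT_TFTP_SERVER = 150   # Cisco TFTP server address option, one or more IPv4 addresses
OPT_END = 255
EXPECTED_TFTP = "10.1.1.1"   # the UC500 address from Table 2


def ip_list_payload(addresses):
    """Pack IPv4 addresses back to back, the wire form of options 3 and 150."""
    return b"".join(ipaddress.IPv4Address(a).packed for a in addresses)


def encode_options(options):
    """Build a DHCP options field from (code, payload) pairs and terminate it."""
    out = bytearray()
    for code, payload in options:
        if not 0 < code < OPT_END:
            raise ValueError(f"option code {code} out of range")
        if len(payload) > 255:
            raise ValueError(f"option {code} payload longer than 255 bytes")
        out += bytes([code, len(payload)]) + payload
    out.append(OPT_END)
    return bytes(out)


def parse_options(data):
    """Return {code: payload}; stops at END, skips PAD, rejects truncated options."""
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0:  # PAD
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        payload = data[i + 2 : i + 2 + length]
        if len(payload) != length:
            raise ValueError(f"truncated payload for option {code}")
        opts[code] = payload
        i += 2 + length
    return opts


def tftp_servers(opts):
    """Decode option 150 into dotted addresses; [] if the option is absent."""
    payload = opts.get(OPT_TFTP_SERVER, b"")
    if len(payload) % 4:
        raise ValueError("option 150 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(payload[k:k + 4])) for k in range(0, len(payload), 4)]


def unexpected_tftp_servers(opts, expected=EXPECTED_TFTP):
    """Addresses in option 150 other than the one the phones should use."""
    return [a for a in tftp_servers(opts) if a != expected]


# Constructed options fields, as they would appear in a DHCPOFFER on VLAN 100.
SAMPLE_GOOD = encode_options([
    (OPT_ROUTER, ip_list_payload(["10.1.100.1"])),
    (OPT_TFTP_SERVER, ip_list_payload([EXPECTED_TFTP])),
])
SAMPLE_ROGUE = encode_options([
    (OPT_ROUTER, ip_list_payload(["10.1.100.1"])),
    (OPT_TFTP_SERVER, ip_list_payload([EXPECTED_TFTP, "192.0.2.99"])),
])

if __name__ == "__main__":
    for label, field in (("good", SAMPLE_GOOD), ("rogue", SAMPLE_ROGUE)):
        print(label, field.hex(), unexpected_tftp_servers(parse_options(field)))
```

Feed parse_options the options field of a captured DHCPOFFER from the voice VLAN; any address returned by unexpected_tftp_servers points at a server the phones were not supposed to learn, which is also the first thing to check when phones boot without their configuration.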

Configuring the DMZ on the ISA570W Security Appliance
This section describes how to configure a DMZ network, which is similar to the VLAN configuration.
To configure a DMZ on an ISA570W Security Appliance, complete the following steps:
Procedure
Step 1 Select Networking > DMZ.
The DMZ window is displayed.
Step 2 To add a DMZ, click Add.
The DMZ Add/Edit window is displayed.
Step 3 Complete the fields as shown in Figure 13 for the DMZ port (in this case GE8).
Step 4 Select the DMZ zone from the Zone selection list.
Figure 13 DMZ Basic Settings Configuration
Note Choose the default DMZ zone or a custom DMZ zone to which the DMZ is mapped. You can click the
Create Zone link to view, edit, or add the zones on the security appliance.
Step 5 Click OK to save your settings.
Step 6 Click Save to apply your settings.
Configuring Security Zones in ISA570W Security Appliance for SBNF
The ISA 500 security appliance provides several predefined security zones. Security zones can be added
or deleted. Each zone is associated with a numerical security level. The security level for the zone defines
the level of trust given to that zone.
The security appliance supports five security levels for the following zones:
Trusted(100): Offers the highest level of trust. The LAN zone is always trusted.
VPN(75): Offers a higher level of trust than a public zone, but a lower level of trust than a trusted
zone, which is used exclusively by the predefined VPN and SSLVPN zones. All traffic to and from
a VPN zone is encrypted.
Public(50): Offers a higher level of trust than a guest zone, but a lower level of trust than a VPN
zone. The DMZ zone is a public zone.
Guest(25): Offers a higher level of trust than an untrusted zone, but a lower level of trust than a
public zone. Guest zones can only be used for guest access.
Untrusted(0): Offers the lowest level of trust. It is used by both the WAN and the virtual multicast
zones. You can map the WAN port to an untrusted zone.
A higher permission level is indicated by a higher numeric value. The predefined VPN and SSLVPN
zones have the same security level.
The security appliance predefines the following zones and maps a security level to each zone.
WAN: The WAN zone is an untrusted zone. By default, the WAN1 port is mapped to the WAN zone.
If the secondary WAN (WAN2) is applicable, it can be mapped to the WAN zone or any other
untrusted zone.
LAN: The LAN zone is a trusted zone. You can map one or multiple VLANs to a trusted zone. By
default, the DEFAULT VLAN is mapped to the LAN zone.
DMZ: The DMZ zone is a public zone used for the public servers that you host in the DMZ
networks.
SSLVPN: The SSLVPN zone is a virtual zone used for simplifying secure and remote SSL VPN
connections. This zone does not have an assigned physical port.
VPN: The VPN zone is a virtual zone used for simplifying secure IPsec VPN connections. This zone
does not have an assigned physical port.
GUEST: The GUEST zone can only be used for guest access. By default, the GUEST VLAN is
mapped to this zone.
VOICE: The VOICE zone is a security zone designed for voice traffic. Traffic entering and leaving
this zone is optimized for voice operations. If you have voice devices, such as Cisco IP Phones, it is
desirable to place them in the VOICE zone.
The SBNF solution uses all these zones.
Verifying Default Security Zone Definitions
SBNF uses the default zone definitions of ISA570W Security Appliance. This step verifies that the
ISA570W Security Appliance uses the default zone.
Step 1 Select Networking > Zones.
The Zones window is displayed, showing the predefined zones (see Figure 14).

Figure 14 Zone Configuration List
Step 2 Verify that the zones and their associated trust security levels are defined exactly as shown in Figure 14.
Step 3 If the configuration differs, click Reset to restore your zone configuration to the factory default settings,
and verify again.
Configuring Interfaces Between the Cisco ISA570W Security
Appliance and SG500 Devices
This section describes the Layer 2 configuration between the two devices, and includes the following
topics:
Configuring the ISA570W Security Appliance Interface Connected to the Aggregation Switch,
page 20
Configuring the SG500 Series Switch, page 21
Configuring the ISA570W Security Appliance Interface Connected to the Aggregation
Switch
Configure the ISA570W Security Appliance port connected to the aggregation switch (GE2) as a trunk
port that carries the following VLANs: DEFAULT, DATA, VOICE, and GUEST. Complete the following
steps:
Procedure
Step 1 Select Ports > Physical Interface.
The Physical Interfaces screen is displayed.
Step 2 Click the pencil symbol for the port GE2 to edit it.
This displays the Ethernet Configuration ADD/EDIT screen shown in Figure 15.
Step 3 Enter the data for the GE2 port, as shown Figure 15.
Figure 15 ISA570W Security Appliance To SG500 Interface Configuration
Note Because GE2 is connected to the aggregation switch, all VLANs are added to this port.
Step 4 Click OK.
Step 5 Click Save to apply the settings to the port.
Figure 16 displays the summary of the ports.
Figure 16 ISA500 Series Interface Configuration Summary
Configuring the SG500 Series Switch
The SG500 system dashboard (Figure 17) is displayed after logging in to the switch.

Figure 17 SG500 Switch Main Menu Screen
This is the main menu for configuring the switch.
Adding the SBNF VLANs on an SG500 Series Switch
For laptops, IP phones, or any other network endpoints to work properly with the Cisco SG500
Series switches, the following configuration must be completed:
VLANs must first be added to the switch VLAN database.
Ports carrying the VLANs (trunks) must be configured in trunk mode.
VLANs must be added on both sides of each trunk.
The SG500 Series switch comes preconfigured with a default VLAN 1 for data and voice. This
implementation guide uses the default VLAN 1 for device initial configuration. However, VLAN 10 is
used for the data VLAN. The Cisco best practice is to not use VLAN 1 in a network to mitigate security
risks and for controlling access to the network.
Note It is recommended to configure all the VLANs according to Table 1 on page 6 before configuring ports
and trunks.
To add VLAN 10, VLAN 2, and VLAN 100 to the SG500 Series switch, complete the following steps.
Procedure
Step 1 Select VLAN management > Create VLAN.
This displays the current VLANs.
Step 2 Click Add to create a new VLAN.
This displays the screen to enter data for the new VLAN to be created.
Step 3 Enter the VLAN number 10 and VLAN name cisco-data for the new VLAN, as shown in Figure 18.
Figure 18 Adding SBNF VLAN to SG500 Series Switches
Step 4 Click Apply.
This creates the new VLAN 10.
Step 5 Repeat the above procedure to create the guest VLAN with VLAN number 2 (Guest).
Step 6 Repeat the same steps to add all SBNF VLANs on all LAN switches.
VLANs 1 and 100 are predefined.
Step 7 Verify that all required VLANs (1, 10, 2, 100) are defined. Select VLAN Management > Create VLAN.
Step 8 This displays the existing VLANs (see Figure 19).

Figure 19 SBNF VLANs Summary
Configuring Voice VLAN Properties
Complete the following steps to assign VLAN 100 as the voice VLAN and to change the default voice
VLAN properties.
Procedure
Step 1 Select VLAN Management > Voice VLAN > Properties.
Step 2 Change Voice VLAN ID to 100, and keep the default QoS settings including DSCP and CoS/802.1p.
Step 3 Make sure that Enable Auto Voice VLAN is checked and that Auto Voice VLAN Activation is set to
Immediate, as shown in Figure 20.
Figure 20 Activating Auto Voice VLAN on all switches
Step 4 Repeat the same steps on all LAN switches.
Updating Smartport Types for SBNF
Smartport types make it easy to provision switch ports by automatically applying the appropriate
configuration for attached devices such as IP phones, routers, access points, switches, or other devices
to optimize network performance.
Smartport macros on the Small Business Series Switches are described in the SBNF Design Guide. The
SG500 Series switches come with a list of Smartport types such as Printer, Desktop, Guest, Server, Host,
IP Camera, IP Phone, IP Phone + Desktop, Switch, Router, and Wireless Access Point.
To view the default Smartport Type, select Smartport > Smartport Type Settings.
The Smartport types are shown in Figure 21:

Figure 21 Smartport Types Defaults
Figure 22 displays the Smartport types after configuring Auto Voice VLAN 100.
Figure 22 Smartport Type with Auto Voice VLAN Configured
Modifying Smartport Type parameters on SG500 Switch
The default Smartport settings assume certain VLANs and other parameters, and need to be edited before
the macros can be applied in an SBNF network. Complete the following steps to edit the Smartport
macros.
Procedure
Step 1 Select Smartport > Smartport Type settings.
This displays the Smartport Type Settings table.
Step 2 Select a Smartport type, for example, IP Phone + Desktop, and click Edit at the bottom of the screen.
This displays the screen to edit the parameters of the selected Smartport (see Figure 23).
Figure 23 Smartport Type Edit
In Figure 23 max_hosts is set to 3 and DATA VLAN to 10.
Step 3 Repeat the same steps to update the remaining Smartport types.
Figure 24 shows the SG500 Series Smartport type customized for SBNF.

Figure 24 Smartport Types Customized for SBNF
Applying Smartport Types to an Interface
There are two ways to apply a Smartport macro by Smartport type to an interface:
Static Smartport: Static Smartport applies a fixed VLAN and QoS configuration on a port. You can
connect a suitable device that is recommended for this configuration. If any other device is
connected, it will not work correctly. This type of Smartport assignment is recommended for
infrastructure network elements such as switches, servers, access points, and so on.
Auto Smartport: Auto Smartport waits for a device to be attached to the interface before applying a
configuration. When a device is detected from an interface, the Smartport macro that corresponds
to the Smartport type of the attaching device is automatically applied (if assigned).
Configuring an SG500 Trunk Port Using Smartport Types
The connection between the Cisco ISA570W Security Appliance and the SG500 switches is between the
integrated switch ports on the ISA570W Security Appliance and the SG500-48 switch ports. This
requires a trunk configuration between the two devices to carry multiple VLANs.
The connections between the Cisco SG500 aggregation switch and the SG500 access switches also
require switch trunk port configurations.
To configure the switch port using static Smartport method, complete the following steps.
Procedure
Step 1 Go to Smartport > Interface Settings, select the interface, and click Edit.
Step 2 In the new window, change the Smartport Application from Auto Smartport to Router and keep the
default value for native VLAN (see Figure 25).
Figure 25 Smartport Type Router Applied to Switch Port Connected to Router
Step 3 Click Apply to complete the changes.
Configuring an SG500 Switch Port Connected to a Laptop
To configure a port for a PC or laptop using the data VLAN, complete the following steps.
Procedure
Step 1 Select Smartport > Interface Settings, select the interface, and then click Edit.
Step 2 In the new window, change Smartport Application from Auto Smartport to Desktop and change the
default value for $native_vlan to 10.
Figure 26 shows the Smartport Desktop Settings page.

Figure 26 Smartport Type Desktop
Step 3 Click Apply to complete the changes.
Configuring an SG500 Switch Port Connected to an IP Phone and
Desktop
To configure a port for an IP phone with a desktop PC connected to the LAN port of the phone using
both the data VLAN and voice VLAN, complete the following steps.
Procedure
Step 1 Select Smartport > Interface Settings, select the interface, and click Edit.
Step 2 In the new window, change Smartport Application from Auto Smartport to IP Phone + Desktop and
change the default value for $native_vlan to 10.
The voice VLAN ID is automatically updated by the system using the Voice VLAN ID configured
globally.
Figure 27 shows the Smartport settings page for this type.
Figure 27 Smartport Type IP Phone + Desktop
Step 3 Click Apply to complete the changes.
Adding VLANs to SG500 Series Trunks in SBNF
To assign a port like the Aggregation Switch port GE24 connected to the ISA570W Security Appliance
to all the SBNF VLANs, complete the following steps:
Procedure
Step 1 Select VLAN Management > Port VLAN Membership.
The Port VLAN Membership page is displayed.
Step 2 Select the port GE24, and click the Join VLAN button.
The Join VLAN page is displayed.
Step 3 If the VLANs are shown under the Mode column instead of the Trunk column, click the right arrow (>)
to move each VLAN to the Trunk column, as shown in Figure 28.

Figure 28 Adding SBNF VLANs to Router Trunk Port
Step 4 Click Apply.
The settings are modified and written to the Running Configuration file.
Step 5 To see the administrative and operational VLANs on an interface, click Details (see Figure 29).
Figure 29 Administrative and Operational VLANs on Trunk Port
Step 6 Repeat the previous steps to add all the SBNF VLANs to trunk ports between switches and whenever
necessary.
ISA570W Security Appliance SBNF Layer 3 Configuration
This section describes the SBNF Layer 3 configuration in the ISA570W Security Appliance and includes
the following topics:
Configuring Routing on the ISA570W Security Appliance, page 33
Viewing the Routing table in ISA570W Security Appliance, page 34
Configuring the Firewall, page 34
Configuring NAT and Dynamic PAT, page 35
Configuring Static NAT Rules for DMZ servers, page 36
Configuring ACLs for Access to DMZ Servers, page 38
Configuring Quality of Service, page 39
Configuring Routing on the ISA570W Security Appliance
Verify that the ISA570W Security Appliance is configured to operate in NAT mode. By default, NAT
mode is enabled. Complete the following steps:
Procedure
Step 1 Select Networking > Routing > Routing Mode.
The Routing Mode window is displayed.
Step 2 Click Off to disable the Routing mode, if you find it is enabled.
Figure 30 Routing Mode Settings
Step 3 Click Save to apply your settings.
Configuring Inter-VLAN Routing
To enable communication between the various VLANs (voice, data, and so on), add those VLANs in the
same zone, or zones with the same security level.
Configuring Static Routing
This solution requires static routes on the security appliance so that the security appliance can send
traffic destined to local subnets of the UC500, such as 10.1.1.0/24 (10.1.1.1 is the TFTP server inside the
UC500) and 10.1.10.0/24 (voice mail). For more information about the exact subnets to be routed, refer
to the Enhancing Small Business Network Foundation Network for Unified Communication Services
application note.

Viewing the Routing table in ISA570W Security Appliance
To view the routing table, select the Networking > Routing > Routing Table.
This displays the routing table as shown in Figure 31.
Figure 31 Routing Table
Note This page is automatically updated every 10 seconds. Click Refresh to manually refresh the routing
table.
Configuring the Firewall
This implementation uses the default zones and their security levels to simplify configuration. The
default zones and the firewall rules, based on the security level of each zone, are shown in Table 4.
By default, the firewall prevents all traffic from a lower security zone to a higher security zone, but
allows traffic from a higher security zone to a lower security zone.
Table 4 Default Zones and Security Levels
From/To   LAN     VOICE   VPN     SSLVPN  DMZ     GUEST   WAN
LAN       N/A     Deny    Permit  Permit  Permit  Permit  Permit
VOICE     Deny    N/A     Permit  Permit  Permit  Permit  Permit
VPN       Deny    Deny    N/A     Deny    Permit  Permit  Permit
SSLVPN    Deny    Deny    Deny    N/A     Permit  Permit  Permit
DMZ       Deny    Deny    Deny    Deny    N/A     Permit  Permit
GUEST     Deny    Deny    Deny    Deny    Deny    N/A     Permit
WAN       Deny    Deny    Deny    Deny    Deny    Deny    N/A
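To make the zone model concrete, here is an added Python example (not code from the Cisco guide or from the ISA570W itself) that derives the default zone-to-zone policy from the security levels listed earlier in this section and checks the result against Table 4. The VOICE zone is given no numeric level in the text; the example assumes 100 (trusted), which is the value that reproduces the table:

```python
# Added example (not from the Cisco guide): derive the ISA570W default
# zone-to-zone firewall policy from the zone security levels and check
# the derived matrix against Table 4 of the guide.

# Security levels as stated in the guide. VOICE has no explicit level in
# the text; 100 (trusted) is an ASSUMPTION that reproduces Table 4.
ZONE_LEVELS = {
    "LAN": 100,
    "VOICE": 100,   # assumption: trusted, like LAN
    "VPN": 75,
    "SSLVPN": 75,
    "DMZ": 50,
    "GUEST": 25,
    "WAN": 0,
}

ZONE_ORDER = ["LAN", "VOICE", "VPN", "SSLVPN", "DMZ", "GUEST", "WAN"]

# Table 4, transcribed row by row (From -> To, columns in ZONE_ORDER).
TABLE_4 = {
    "LAN":    "N/A Deny Permit Permit Permit Permit Permit",
    "VOICE":  "Deny N/A Permit Permit Permit Permit Permit",
    "VPN":    "Deny Deny N/A Deny Permit Permit Permit",
    "SSLVPN": "Deny Deny Deny N/A Permit Permit Permit",
    "DMZ":    "Deny Deny Deny Deny N/A Permit Permit",
    "GUEST":  "Deny Deny Deny Deny Deny N/A Permit",
    "WAN":    "Deny Deny Deny Deny Deny Deny N/A",
}


def default_policy(src_zone: str, dst_zone: str) -> str:
    """Default action for traffic initiated in src_zone toward dst_zone.

    The guide's rule: traffic from a higher security level to a lower one
    is permitted; everything else (lower to higher, and equal levels) is
    denied. Same-zone traffic is not a zone-to-zone policy ("N/A").
    """
    if src_zone == dst_zone:
        return "N/A"
    if ZONE_LEVELS[src_zone] > ZONE_LEVELS[dst_zone]:
        return "Permit"
    return "Deny"


def derived_matrix() -> dict:
    """Build the full From/To matrix in the same text form as TABLE_4."""
    return {
        src: " ".join(default_policy(src, dst) for dst in ZONE_ORDER)
        for src in ZONE_ORDER
    }


def matches_table_4() -> bool:
    """True when the level rule reproduces every cell of Table 4."""
    return derived_matrix() == TABLE_4


def exposure_report(zone: str) -> dict:
    """Which zones may initiate connections into `zone`, and which it may reach.

    Run this before adding a custom zone: every entry under 'reachable_from'
    is a path that is open by default and needs an explicit rule if unwanted.
    """
    return {
        "reachable_from": [s for s in ZONE_ORDER if default_policy(s, zone) == "Permit"],
        "can_reach": [d for d in ZONE_ORDER if default_policy(zone, d) == "Permit"],
    }


if __name__ == "__main__":
    print("Derived policy matches Table 4:", matches_table_4())
    for z in ZONE_ORDER:
        print(z, exposure_report(z))
```

Running matches_table_4() confirms that the single rule "permit only from a higher level to a lower level" accounts for every cell, including the Deny between zones of equal level (LAN and VOICE, VPN and SSLVPN). exposure_report("DMZ") shows that the trusted and VPN zones can open connections into the DMZ by default while the DMZ itself can only reach GUEST and WAN, which is the check to run before placing a server in a zone.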
Verify that the default firewall rules are in effect. Figure 32 illustrates the ISA570W Security Appliance
Default Policies. Click the triangle associated with a zone to expand the screen, and to show all the traffic
permissions for the zone. Figure 32 shows the expanded data for the LAN and the WAN Zones.
Figure 32 Default Policies: Zones to Zones
Note These default rules can be changed according to deployment requirements by adding or modifying
zones and policies.
Configuring NAT and Dynamic PAT
This implementation uses dynamic PAT for the data and guest subnets. Each DMZ server has a public IP
address and a private IP address, and hence requires static NAT.
Complete the following steps:
Procedure
Step 1 Select Firewall > NAT > Dynamic PAT.
Step 2 Figure 33 is displayed.

Figure 33 Dynamic PAT Configuration
Step 3 Select Auto for the WAN1 interface (and WAN2, if used) to set the translated address to the public IP
address of the WAN interface.
Step 4 Turn on Dynamic PAT for the Guest, Voice, and DATA VLANs as shown.
Step 5 Click Save.
Configuring Static NAT Rules for DMZ servers
Static NAT is used for each DMZ server. This example shows the NAT configuration for an HTTP server
in the DMZ zone. This step is not necessary if DMZ servers are not deployed.
Complete the following steps:
Procedure
Step 1 Select Firewall > NAT > Static NAT.
Step 2 To add a static NAT rule, click Add.
The ADD/Edit screen is displayed (see Figure 34).
Figure 34 Static NAT: Add/Edit
Step 3 Enter the following information:
WAN: Choose either WAN1 (or WAN2) as the WAN port.
Public IP: Choose an IP address object from the drop-down list corresponding to the public IP
address of the DMZ server.
Private IP: Choose an IP address object from the selection list corresponding to the private IP
address of the DMZ server.
Step 4 If the IP address that you want is not in the list, choose Create a new address to create a new IP address
object. This displays the Address ADD/Edit screen shown in Figure 35.
Figure 35 Address Add/Edit
Step 5 Enter a name for the address object to be created.
Once completed, the screen should look like Figure 36.
Figure 36 Static NAT Rule Add/Edit
Step 6 Click OK to save your settings.
Step 7 Click Save to apply your settings.
The static NAT summary is displayed (see Figure 37).

Figure 37 Static NAT Rules Summary
Configuring ACLs for Access to DMZ Servers
In this step, configure ACL rules to allow traffic from the Internet to the DMZ servers. It is strongly
recommended to make the rules very specific, so that they match the IP address and the TCP/UDP port
of the DMZ server.
Complete the following steps:
Procedure
Step 1 Select Firewall > Access Control > ACL Rules.
The ACL Access Control List table appears on the right pane.
Step 2 Click Add.
This displays the Rule Add/Edit screen (see Figure 38).
Figure 38 ACL Rule: Add/Edit
Step 3 To add an HTTP DMZ server for which the public IP address object HTTP_Public has been defined in the
previous step, enter the data as shown in Figure 38 for the ACL rule. This allows HTTP traffic from the
Internet to the server's public IP address.
Step 4 Click OK to save your settings.
Step 5 Click Save to apply your settings.
This displays the ACL summary (see Figure 39).
Figure 39 ACL Rules Access Control List
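As an added example (not part of the guide, and not the appliance's own validation), the following Python check applies the recommendation above to a static NAT rule and the ACL rule that goes with it: a permit from WAN to DMZ must name the NAT rule's public IP address object and a single TCP/UDP port. The address object names, the IP addresses (documentation ranges) and the rule records are constructed for the example; the field layout is a simplification of the ISA570W Add/Edit screens, not their exact schema:

```python
# Added example (not from the Cisco guide): consistency checks for a static
# NAT rule and the WAN -> DMZ ACL rule that exposes the same server.
# Object names, addresses and rule fields are constructed; the dataclasses
# are a simplified model of the Add/Edit screens, not the appliance schema.

from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class StaticNat:
    wan: str          # "WAN1" or "WAN2"
    public_ip: str    # address object name
    private_ip: str   # address object name


@dataclass(frozen=True)
class AclRule:
    name: str
    from_zone: str
    to_zone: str
    source: str       # address object name or "any"
    destination: str  # address object name or "any"
    service: str      # "tcp/80", "udp/53", ... or "any"
    action: str       # "Permit" or "Deny"


# Constructed address objects (RFC 5737 documentation addresses, not real hosts).
ADDRESS_OBJECTS = {
    "HTTP_Public": "203.0.113.10",
    "HTTP_Private": "192.0.2.10",
}

# Constructed static NAT rule for the HTTP server in the DMZ.
NAT_RULES = [StaticNat("WAN1", "HTTP_Public", "HTTP_Private")]

# Constructed ACL rules: one as the guide recommends, one overly broad,
# one that names the wrong side of the NAT rule.
GOOD_RULE = AclRule("Allow-HTTP-DMZ", "WAN", "DMZ", "any", "HTTP_Public", "tcp/80", "Permit")
BROAD_RULE = AclRule("Allow-All-DMZ", "WAN", "DMZ", "any", "any", "any", "Permit")
MISMATCH_RULE = AclRule("Allow-HTTP-Priv", "WAN", "DMZ", "any", "HTTP_Private", "tcp/80", "Permit")


def lint_nat_rule(nat: StaticNat, objects=ADDRESS_OBJECTS) -> list:
    """Findings for a static NAT rule: both objects exist, parse, and differ."""
    findings = []
    for label, obj in (("public", nat.public_ip), ("private", nat.private_ip)):
        if obj not in objects:
            findings.append(f"{label} address object '{obj}' does not exist")
            continue
        try:
            ip_address(objects[obj])
        except ValueError:
            findings.append(f"{label} address object '{obj}' holds a malformed IP")
    if nat.public_ip == nat.private_ip:
        findings.append("public and private address objects are the same")
    return findings


def lint_dmz_acl(rule: AclRule, nat_rules=NAT_RULES, objects=ADDRESS_OBJECTS) -> list:
    """Findings for a rule meant to let Internet traffic reach a DMZ server.

    Only WAN -> DMZ permits are examined; any other rule returns no findings.
    """
    if rule.action != "Permit" or rule.from_zone != "WAN" or rule.to_zone != "DMZ":
        return []
    findings = []
    public_objects = {n.public_ip for n in nat_rules}
    if rule.destination == "any":
        findings.append("destination is 'any'; use the server's public IP object")
    elif rule.destination not in objects:
        findings.append(f"destination object '{rule.destination}' does not exist")
    elif rule.destination not in public_objects:
        findings.append(f"'{rule.destination}' is not the public side of any static NAT rule")
    if rule.service == "any":
        findings.append("service is 'any'; restrict it to the server's TCP/UDP port")
    else:
        proto, _, port = rule.service.partition("/")
        if proto not in ("tcp", "udp") or not port.isdigit() or not 0 < int(port) < 65536:
            findings.append(f"service '{rule.service}' is not a single tcp/udp port")
    return findings


if __name__ == "__main__":
    for r in (GOOD_RULE, BROAD_RULE, MISMATCH_RULE):
        print(r.name, lint_dmz_acl(r) or "ok")
```

The check is deliberately narrow: it examines only permits from WAN into DMZ, because those are the rules that widen the default Deny in Table 4, and it ties each one back to a static NAT rule so that an ACL left behind after a server is removed shows up as a finding.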
Configuring Quality of Service
This section describes the SBNF QoS configuration for WAN and LAN, on the ISA570W Security
Appliance. It includes the following topics:
Configuring WAN QoS, page 39
Configuring LAN QoS, page 48
Configuring WAN QoS
Use the General Settings page to enable or disable the WAN QoS, LAN QoS, and WLAN QoS features.
This section includes the following topics:

Enabling WAN QoS, page 40
Managing WAN Bandwidth for Upstream Traffic, page 40
Configuring WAN Queue Settings, page 41
Configuring Traffic Selectors, page 42
Configuring WAN QoS Policy Profiles, page 45
Mapping WAN QoS Policy Profiles to WAN Interfaces, page 47
Enabling WAN QoS
Step 1 Select Networking > QoS > General Settings.
The General Settings window is displayed (Figure 40).
Figure 40 QoS General Settings
Step 2 Click Save to apply your settings.
Managing WAN Bandwidth for Upstream Traffic
Use the Bandwidth page to specify the maximum bandwidth for upstream traffic allowed on each WAN
interface.
Step 1 Select Networking > QoS > WAN QoS > Bandwidth.
The Bandwidth window is displayed (Figure 41).
Figure 41 Bandwidth
Step 2 Enter the maximum bandwidth in kb/s for upstream traffic allowed on the WAN1 interface; for example,
6000 for 6 Mb/s. This should be the same as the WAN link bandwidth provided by the service provider.
The default value is 0 kb/s, which indicates that there is no bandwidth limit for upstream traffic.
Step 3 Click Save to apply your settings.
Configuring WAN Queue Settings
Step 1 Select Networking > QoS > WAN QoS > Queue Settings.
This opens the Queue Settings screen, which allows you to set the characteristics of each of the six
queues available for WAN1 and WAN2 interfaces (Figure 42).

Figure 42 Low Latency Queuing
Step 2 For WAN1 interface, choose Low Latency Queuing.
Enter the values as shown in Figure 42 to assign bandwidth values and queue descriptions. The
completed screen shows that voice traffic will get a maximum of 2000 kb/s and will be treated as priority
traffic.
The rest of the traffic, after voice has been serviced, is assigned to the other types of the traffic as shown.
For example, voice/video signaling will get a minimum of 5% of the bandwidth remaining after voice
priority queue is serviced. It can share additional bandwidth, when available.
Step 3 Click the On button to turn on Random Early Detection on the WAN1 interface.
Step 4 Click Save to apply your settings.
Note Figure 42 shows SBNF settings for the WAN1 interface. Similar settings can be used for WAN2
interface, if used.
Configuring Traffic Selectors
This section describes how to specify the DSCPs for the various traffic classes.
Step 1 Select Networking > QoS > WAN QoS > Traffic Selector (Classification).
The Traffic Selector (Classification) window is displayed (Figure 43).
Figure 43 Traffic Selector
Step 2 To add a new traffic selector, click Add.
The Traffic Selector: Add/Edit window is displayed
Step 3 Enter the DSCP value for voice traffic:
a. Enter the traffic class name Voice for the Class Name field.
b. Set the value Any for each of the following fields: Source Address, Destination Address, Source Service,
Destination Service, CoS, and VLAN.
c. Move DSCP 46 to the Selection box by selecting 46 in the left box and clicking the -> button.
d. Click OK to create the traffic class.
This displays the Traffic Selector (Classification) screen with the name of the newly created class.

Figure 44 Add Traffic Selector
Step 4 Click Save to apply the settings.
Step 5 Repeat Step 3 to add the following additional traffic classes with the following DSCP values.
Traffic Class Name: DSCP Value(s)
Signaling: 24, 26
Routing-VPN Control: 48
Management: 16
Video: 32
Best Effort: 0, 8
The final Traffic Selector (Classification) screen should look like Figure 45.
Figure 45 Completed Traffic Selector Screen
Step 6 Click Save to apply your settings.
Configuring WAN QoS Policy Profiles
Next, the WAN QoS Policy Profiles are created. Profiles assign specific traffic classes to specific queues
and provide options to police and mark the traffic.
Step 1 Select Networking > QoS > WAN QoS > QoS Policy Profile.
The QoS Policy Profile window is displayed (Figure 46).
Figure 46 QoS Policy Profile
Step 2 To create a new WAN QoS policy profile, click Add.
This displays the QoS Policy: Add/Edit window (Figure 47).
Figure 47 QoS Policy Add/Edit
Step 3 To create a policy that places voice traffic into the priority queue (Q1), enter the name Voice policy for the
policy as shown in the QoS Policy Add/Edit window (Figure 47).
Step 4 Apply this policy to outbound traffic by selecting the Outbound Traffic radio button, and click Add.
This displays the QoS Class Add/Edit screen (Figure 48).

Figure 48 QoS Class Rule Add/Edit
Specify the values shown in Table 5 for the rule for the voice class.
Step 5 Click OK to create the Class Rule.
This displays the QoS Policy: Add/Edit window, with the newly created rule.
Repeat Step 2 to create rules for assigning the other classes of traffic with their queues, with data shown
in Table 6:
Table 5 QoS Field Descriptions
Field          Value to be selected/entered   Remark
Class          Drop-down list: Voice
Queue          Drop-down list: Q1             Q1 is the Priority Queue
DSCP Marking   Drop-down list: none           Optional: specify a DSCP value if you want to remark the traffic
CoS Marking    Drop-down list: none           This cannot be changed
Rate Limiting  0                              Specify a bandwidth value if you want to rate limit the traffic
Table 6 QoS Class Descriptions
Class                Queue  DSCP Marking  CoS Marking  Rate Limiting
Signaling            Q2     none          none         0
Routing-VPN Control  Q3     none          none         0
Management           Q4     none          none         0
Video                Q5     none          none         0
Best Effort          Q6     none          none         0
Figure 49 QoS Policy: Add/Edit
The final QoS Policy Add/Edit window should look like Figure 49.
Step 6 Click OK.
This displays the QoS Policy Profile Window showing the created WAN Policy.
Step 7 Click Save to apply the settings.
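The following added Python example (not Cisco code) applies the WAN QoS configuration just built: the traffic selectors map a packet's DSCP to a class, Tables 5 and 6 map the class to a WAN queue, and the Q1 priority queue is capped at the 2000 kb/s set in Figure 42, against the 6000 kb/s WAN1 bandwidth from the Bandwidth step. The packet burst is constructed, and the handling of a DSCP that no selector matches is the example's own choice (it is reported as unclassified), since the guide does not state what the appliance does with such traffic:

```python
# Added example (not from the Cisco guide): classify constructed packets by
# DSCP into the SBNF traffic classes and WAN queues, and enforce the 2000 kb/s
# cap on the Q1 priority queue from the Low Latency Queuing settings.

from collections import Counter

# DSCP values per traffic class, as entered in the Traffic Selector steps.
CLASS_DSCP = {
    "Voice": {46},
    "Signaling": {24, 26},
    "Routing-VPN Control": {48},
    "Management": {16},
    "Video": {32},
    "Best Effort": {0, 8},
}

# Class -> WAN queue from Table 5 (Voice) and Table 6 (the other classes).
CLASS_QUEUE = {
    "Voice": "Q1",   # Q1 is the priority queue
    "Signaling": "Q2",
    "Routing-VPN Control": "Q3",
    "Management": "Q4",
    "Video": "Q5",
    "Best Effort": "Q6",
}

PRIORITY_QUEUE = "Q1"
PRIORITY_CAP_KBPS = 2000   # maximum for voice, Figure 42
WAN_UPSTREAM_KBPS = 6000   # WAN1 upstream bandwidth example from the Bandwidth step

DSCP_TO_CLASS = {d: c for c, ds in CLASS_DSCP.items() for d in ds}


def classify(dscp: int) -> tuple:
    """Return (class_name, queue) for a DSCP value.

    A DSCP that no selector matches is returned as ("unclassified", None);
    this is the example's choice, the guide does not say what the appliance
    does with it.
    """
    cls = DSCP_TO_CLASS.get(dscp)
    if cls is None:
        return ("unclassified", None)
    return (cls, CLASS_QUEUE[cls])


def police_priority_queue(packets, interval_s: float = 1.0) -> dict:
    """Count packets per queue and cap Q1 at PRIORITY_CAP_KBPS.

    packets: iterable of (dscp, size_bytes) arriving within one interval.
    Voice packets beyond the cap are dropped, so the priority queue cannot
    starve the other queues; the other queues are only counted here.
    """
    budget_bits = PRIORITY_CAP_KBPS * 1000 * interval_s
    queued = Counter()
    dropped = Counter()
    bits_in_q1 = 0
    for dscp, size in packets:
        cls, queue = classify(dscp)
        if queue == PRIORITY_QUEUE:
            bits = size * 8
            if bits_in_q1 + bits > budget_bits:
                dropped[cls] += 1
                continue
            bits_in_q1 += bits
        queued[queue or "unclassified"] += 1
    voice_kbps = bits_in_q1 / 1000 / interval_s
    remaining = WAN_UPSTREAM_KBPS - voice_kbps
    return {
        "queued": dict(queued),
        "dropped": dict(dropped),
        "voice_kbps": voice_kbps,
        "remaining_kbps": remaining,
        # Figure 42: signaling is guaranteed at least 5% of what is left after Q1.
        "signaling_min_kbps": 0.05 * remaining,
    }


def sample_traffic() -> list:
    """Constructed one-second burst (not captured traffic): 3200 kb of voice,
    which exceeds the 2000 kb/s cap, plus signaling, best effort and one
    DSCP (34) that no selector matches."""
    return ([(46, 200)] * 2000 + [(24, 100)] * 100 + [(0, 1500)] * 50 + [(34, 1200)] * 3)


if __name__ == "__main__":
    print(police_priority_queue(sample_traffic()))
```

With the constructed burst, 1250 voice packets fit within the 2000 kb/s cap and 750 are dropped, leaving 4000 kb/s for the remaining queues and a 200 kb/s floor for signaling.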
Mapping WAN QoS Policy Profiles to WAN Interfaces
In this step, the Policy Profile created earlier is assigned to the WAN1 Interface.
Step 1 Select Networking > QoS > WAN QoS > Policy Profile to Interface Mapping.
The Policy Profile to Interface Mapping window is displayed (Figure 50).
Figure 50 Policy Profile to Interface Mapping
Step 2 To edit the policy profile settings associated with the WAN1 interface, click the Edit (pencil) icon.
The Policy Profile to Interface Mapping: Edit window is displayed (Figure 51).

Figure 51 Policy Profile to Interface Mapping: Edit
Step 3 Enter the following information:
Interface: WAN1
Inbound Policy Name: Choose none.
Outbound Policy Name: Choose WAN policy.
Step 4 Click OK to save your settings.
This displays the Policy Profile to Interface Mapping window showing that the WAN1 interface is now
associated with the policy WAN policy (Figure 52).
Figure 52 Policy Profile to Interface Mapping: Mapped Interface
Step 5 Click Save to apply your settings.
You may also assign the same QoS Policy profile to WAN2 Interface, when used.
Configuring LAN QoS
This section configures the LAN QoS of the ISA570W Security Appliance. It includes the following
topics:
Enabling LAN QoS, page 49
Configuring LAN Queue Settings, page 49
Configuring LAN QoS Classification Methods, page 50
Mapping DSCP to LAN Queue, page 51
Enabling LAN QoS
Use the General Settings page to enable or disable the WAN QoS, LAN QoS, and WLAN QoS features.
Step 1 Select Networking > QoS > General Settings.
The General Settings window is displayed (Figure 53).
Figure 53 LAN QoS General Settings
Step 2 Check the LAN QoS checkbox to enable LAN QoS.
Step 3 Click Save to apply your settings.
Configuring LAN Queue Settings
Configure the type of queuing used by the four queues associated with each Ethernet LAN interface of
the ISA570W Security Appliance. The options are Weighted Round Robin (WRR) queuing, strict
priority queuing, or a combination of both.
If voice is not deployed, then WRR (default) is sufficient. However, because SBNF supports voice, strict
priority is turned on for Q1 that carries voice traffic, and the rest of the three queues are configured to
use Weighted Round Robin (WRR) queuing.
Step 1 Select Networking > QoS > LAN QoS > Queue Settings.
The Queue Settings window is displayed (Figure 54).

Figure 54 LAN QoS: Queue Settings
Enable the SP and WRR radio button to turn on priority queuing for Q1 and WRR on the other three
queues.
Step 2 (Optional) Enter a description for each queue.
Step 3 Click Save to apply your settings.
Configuring LAN QoS Classification Methods
This section configures whether the CoS or the DSCP of the traffic is used to decide in which queue the
traffic is placed.
For SBNF, choose DSCP as the queue selection criterion.
Step 1 Select Networking > QoS > LAN QoS > Classification Methods.
The Classification Methods window is displayed (Figure 55).
Figure 55 Classification Methods
Step 2 Enable Differentiated Services Code Point (DSCP).
Step 3 Click Save to apply your settings.
Mapping DSCP to LAN Queue
This section configures the DSCP that goes to each queue.
Step 1 Select Networking > QoS > LAN QoS > Mapping DSCP to Queue.
The Mapping DSCP to Queue window is displayed (Figure 56).
Figure 56 Mapping DSCP to Queue
Step 2 Configure the table exactly as shown in Figure 56.
This configuration places voice (DSCP 46), Routing-VPN Control traffic (DSCP 48), and LAN BPDUs
in Q1, which is a priority queue. Best Effort traffic (DSCPs 0 and 8) is placed in Q4.
Step 3 Click Save to apply your settings.
VPN Configuration
The example implementation uses IPSec site-to-site VPN between the main office and the remote
offices. A mobile worker can use either Remote Access IPSec VPN or SSL VPN (AnyConnect) to
connect to the main office. VPN configuration on the ISA570W Security Appliance is simple using the
Site-to-Site VPN and Remote Access VPN configuration wizards.

This section includes the following topics:
Using the Site-to-Site VPN Configuration Wizard, page 52
Mobile Worker Configuration, page 57
Remote Office Configuration, page 56
Configuring Laptops of Mobile Workers for Cisco VPN Client, page 72
Using the Site-to-Site VPN Configuration Wizard
Because the example implementation uses IPSec site-to-site VPN between the main office and remote
offices, configuration must be completed on the WAN routers at both locations. Use the Site-to-Site
VPN Wizard to configure a site-to-site VPN policy to provide a secure connection between a remote
office and the main office. Complete the following steps.
Procedure
Step 1 Select Configuration Wizards > Site-to-Site VPN Wizard.
The screen shown in Figure 57 is displayed.
Figure 57 Site-to-Site VPN Wizard: Getting Started
Step 2 Select Getting Started.
Step 3 Click Next.
This displays the VPN Peer Settings screen, where you specify the remote end of the IPsec VPN connection.
Step 4 Enter a name for the VPN profile (for example: Mo-2-B01), the WAN interface IP address of the remote
office, and the pre-shared key, as shown in Figure 58. The same key must be entered on the remote peer. Use a
long random string rather than a word or phrase: a guessable pre-shared key exposes the tunnel to dictionary
attacks.
Figure 58 Site-to-Site VPN Wizard: VPN Peer Settings
Step 5 Click Next.
This displays the IKE Policies screen for configuring the IKE policies for the IPsec VPN policy (see
Figure 59).
Figure 59 Site-to-Site VPN Wizard: IKE Policies
Step 6 Select the default IKE policy, which specifies AES 256-bit encryption, SHA-1 hashing, pre-shared key
authentication, and Diffie-Hellman group 2. SHA-1 and the 1024-bit group 2 are legacy choices; when both
peers offer them, prefer SHA-256 and DH group 14 or higher.
Step 7 Click Next.
This displays the Transform Set screen for setting the transform set of the VPN connection (see
Figure 60).

Figure 60 Site-to-Site VPN Wizard: Transform Sets
Step 8 Select the default transform set, which uses ESP_AES_256 for data encryption and ESP_SHA1_HMAC for
data integrity.
Step 9 Click Next.
This displays the Local and Remote Networks screen for specifying the local and remote LAN subnets whose
traffic is to be encrypted through the IPsec tunnel (see Figure 61).
Figure 61 Site-to-Site VPN Wizard: Local and Remote Networks
Step 10 From the Local Subnet selection list, select Create new address.
This displays the Address-Add screen (see Figure 62).
Figure 62 Site-to-Site VPN Wizard: Local and Remote Networks: Add Local Address
Step 11 For the main office, specify a name for the address object, for example: Main-Office. For the IP Address
field, enter the main office LAN IP subnet 10.1.0.0. This includes the data and voice subnets.
Step 12 Click Save.
Step 13 From the Remote Subnet selection list, select Create new address.
This displays the Address-Add screen (Figure 63).
Figure 63 Site-to-Site VPN Wizard: Local and Remote Networks: Add Remote Address
Step 14 For the remote office, specify a name for the address object, for example: Branch1. For the IP Address
field, enter the remote office LAN IP subnet 10.2.0.0. This includes the data and voice subnets.
Step 15 Click Save.
This displays the Local and Remote Network screen with the subnet names you assigned (see Figure 64).

Figure 64 Site-to-Site VPN Wizard: Local and Remote Networks Summary
Step 16 Click Next.
This displays the VPN configuration Summary screen (see Figure 65).
Figure 65 Site-to-Site VPN Wizard Summary
Note Repeat the previous procedure for setting up a VPN connection for each remote office to be connected.
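The wizard cannot see two things the procedure above depends on: whether the remote appliance was configured as the mirror image of this one (peer addresses swapped, local and remote networks swapped, identical IKE policy, transform set and pre-shared key), and how strong the pre-shared key and the default algorithms are. The following Python is added here as an example and is not part of the Cisco guide; it models the wizard fields as dictionaries and checks the two peers against each other. The dictionary key names, the /16 masks on 10.1.0.0 and 10.2.0.0, the WAN addresses (RFC 5737 documentation ranges) and the pre-shared key are assumptions made for the example.

```python
"""Consistency and strength check for a site-to-site IPsec policy pair.

Added example, not part of the Cisco guide. The dictionaries mirror the fields
the ISA570W Site-to-Site VPN Wizard asks for (profile name, peer address,
pre-shared key, IKE policy, transform set, local and remote networks); the key
names, the /16 masks and the WAN addresses are assumptions for this example.
"""
import ipaddress
import re
from typing import Dict, List, Optional

MIN_PSK_LEN = 20
WEAK_IKE_HASH = {"SHA1", "MD5"}
WEAK_DH_GROUPS = {1, 2, 5}          # 768-, 1024- and 1536-bit MODP groups
WEAK_ESP_INTEGRITY = {"ESP_SHA1_HMAC", "ESP_MD5_HMAC"}


def psk_findings(psk: str) -> List[str]:
    """Flag short or low-diversity pre-shared keys; a guessable PSK is a
    dictionary-attack target."""
    out = []
    if len(psk) < MIN_PSK_LEN:
        out.append(f"ERROR: pre-shared key shorter than {MIN_PSK_LEN} characters")
    classes = sum(bool(re.search(p, psk))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        out.append("WARN: pre-shared key uses fewer than three character classes")
    return out


def check_site_to_site(a: Dict, b: Dict) -> List[str]:
    """Compare the two peers' wizard settings. 'ERROR' marks settings that
    stop the tunnel from coming up or leave it guessable; 'WARN' marks legacy
    algorithms that still interoperate but should be upgraded."""
    f: List[str] = []
    for field in ("ike", "transform"):
        if a[field] != b[field]:
            f.append(f"ERROR: {field} settings differ between peers")
    if a["psk"] != b["psk"]:
        f.append("ERROR: pre-shared keys differ between peers")
    f.extend(psk_findings(a["psk"]))

    # Each side's peer address must be the other side's WAN address.
    if a["peer"] != b["wan"] or b["peer"] != a["wan"]:
        f.append("ERROR: peer address on one side is not the other side's WAN address")

    # Protected networks must be mirrored and must not overlap.
    a_local, a_remote = ipaddress.ip_network(a["local_net"]), ipaddress.ip_network(a["remote_net"])
    b_local, b_remote = ipaddress.ip_network(b["local_net"]), ipaddress.ip_network(b["remote_net"])
    if a_local != b_remote or a_remote != b_local:
        f.append("ERROR: local/remote networks are not mirrored between peers")
    if a_local.overlaps(a_remote):
        f.append("ERROR: local and remote networks overlap")

    # Wizard defaults on this page: AES-256 / SHA1 / DH group 2 / ESP_SHA1_HMAC.
    if a["ike"]["hash"] in WEAK_IKE_HASH:
        f.append(f"WARN: IKE hash {a['ike']['hash']} is deprecated")
    if a["ike"]["dh_group"] in WEAK_DH_GROUPS:
        f.append(f"WARN: DH group {a['ike']['dh_group']} is below 2048-bit; "
                 "use group 14 or higher if both peers support it")
    if a["transform"]["integrity"] in WEAK_ESP_INTEGRITY:
        f.append(f"WARN: ESP integrity {a['transform']['integrity']} is deprecated")
    return f


def page_example(psk_remote: Optional[str] = None) -> List[str]:
    """Main office <-> Branch1 as configured in this guide, with constructed
    WAN addresses (RFC 5737 ranges) and a constructed pre-shared key. Passing
    psk_remote simulates a typo on the branch side."""
    psk = "wizard-example-PSK-2012!xyz"
    ike = {"encryption": "AES-256", "hash": "SHA1", "auth": "PSK", "dh_group": 2}
    esp = {"encryption": "ESP_AES_256", "integrity": "ESP_SHA1_HMAC"}
    main = {"name": "Mo-2-B01", "wan": "198.51.100.1", "peer": "203.0.113.5",
            "psk": psk, "ike": ike, "transform": esp,
            "local_net": "10.1.0.0/16", "remote_net": "10.2.0.0/16"}
    branch = {"name": "B01-2-Mo", "wan": "203.0.113.5", "peer": "198.51.100.1",
              "psk": psk_remote or psk, "ike": ike, "transform": esp,
              "local_net": "10.2.0.0/16", "remote_net": "10.1.0.0/16"}
    return check_site_to_site(main, branch)


if __name__ == "__main__":
    for line in page_example():
        print(line)
```

With the wizard defaults from this page, a correctly mirrored pair produces no errors but three warnings (SHA-1 in IKE, DH group 2, ESP_SHA1_HMAC); a pre-shared key that differs on one side is reported as an error before anyone has to read IKE debug output on the appliance.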
Remote Office Configuration
Remote office configuration is typically the same as the main office configuration, except that a remote
office usually has no DMZ. The remote office typically requires less equipment than the main office, but
the WAN and LAN configuration is the same. Follow the same steps to configure the LAN, WAN, and firewall at
the remote office. The remote office connects to the main office over the site-to-site IPsec VPN, with the
local and remote networks of the previous procedure reversed.
Mobile Worker Configuration
A mobile worker can connect either with a Remote Access IPsec VPN, using the IPsec VPN client software on
the laptop, or with an SSL VPN session using the AnyConnect client. The main office security appliance acts
as the VPN gateway. This section describes the configuration of both options on the ISA570W Security
Appliance at the main office.
The configuration is performed with the Remote Access VPN Wizard, which has two options: Remote Access
IPsec VPN and SSL VPN.
Using the Remote Access IPSec VPN Wizard
Step 1 Select Configuration Wizards > Remote Access VPN Wizard.
This displays the Remote Access VPN Wizard screen (see Figure 66).
Figure 66 Remote Access VPN Wizard: Getting Started
Step 2 Select IPsec Remote Access from the VPN Tunnel Type selection list.
Step 3 Click Next.
This displays the IPSec Remote Access Group Policy screen (see Figure 67).

Figure 67 Remote Access VPN Wizard: IPsec Group Policy
Step 4 Use the IPsec Group Policy page to configure the following parameters for the IPsec Remote Access
group policy:
Group Name: Enter the name for the group policy.
IKE Authentication Method: Specify Pre-shared Key as the authentication method.
Step 5 Click Next.
This displays the WAN Screen (see Figure 68).
Figure 68 Remote Access VPN Wizard: WAN Configuration
Step 6 Select the WAN Interface to be used for receiving VPN connection requests from mobile workers, for
example: WAN1.
Step 7 Select Off for WAN Failover.
Note WAN failover is optional and can be deployed if needed. When two WAN interfaces are configured, you
can set the WAN redundancy mode to either Load Balancing or Failover.
For Remote Access VPN to use the second WAN interface as a backup, the redundancy mode must be Failover.
If the primary WAN fails, the security appliance then moves the local VPN gateway address to the backup
WAN link. Because the backup link has a different IP address, Dynamic DNS must be configured so that the
name follows the failover, and remote VPN clients must connect to the fully qualified domain name of the
IPsec VPN gateway rather than to its IP address.
Step 8 Click Next.
This displays the Network Configuration screen (see Figure 69).
Figure 69 Remote Access VPN Wizard: Network Configuration
Step 9 Set the Remote Access IPsec VPN mode to Client mode and specify the start and end addresses of the
IP pool from which clients are assigned addresses.
You may optionally enable Client Internet Access to let remote VPN users reach the Internet through the
main office. This is not necessary if the clients are configured for split tunneling, because they then
reach the Internet directly.
Step 10 Click Next.
This displays the Access Control screen for configuring the list of zones to which the VPN clients can
communicate (see Figure 70).

Figure 70 Remote Access VPN Wizard: Access Control
Step 11 Configure the permissions as shown in the Access Control screen shown in Figure 70, and click Next.
This displays the DNS/WINS screen (see Figure 71).
Figure 71 DNS/WINS
Step 12 Enter the IP address of the DNS server (10.1.20.1), which is the address of the security appliance,
and click Next.
This displays the Backup server screen (see Figure 72).
Figure 72 Remote Access VPN Wizard: Backup Server
Step 13 Enter the IP address or domain name of up to three backup servers, or leave the fields empty if no
alternate gateway exists.
A backup server is any other VPN gateway in the network that can accept client connection requests, for
example the backup WAN interface or a separate router. Backup server 1 has the highest priority and backup
server 3 the lowest.
Step 14 Review the order before continuing. The backup servers configured on the IPsec VPN server are sent
to remote VPN clients when they initiate a connection, and the clients cache them, so a change made here
reaches existing clients only at their next connection.
Step 15 Click Next.
This displays the Split Tunnel screen (see Figure 73).

Figure 73 Remote Access VPN Wizard: Split Tunnel Configuration
Step 16 Enable Split Tunnel.
With split tunneling, only traffic to the listed subnets is sent through the tunnel; clients reach the
Internet directly from their own network rather than through the main office security appliance. Specify
the subnets that clients may reach through the tunnel, in this case 10.1.254.0/24 and 192.168.75.0/24.
A split-tunnel client is attached to its local network and to the office network at the same time, so the
laptop's own firewall and patch level matter more than with a full tunnel.
Step 17 Click Next.
This displays the Group Policy Summary (see Figure 74).
Figure 74 Remote Access VPN Wizard: Group Policy Summary
Step 18 Use the Group Policy Summary page to view information for the group policy settings.
Step 19 Click Next.
This displays the IPSec Remote Access: User Group screen (see Figure 75).

Figure 75 Remote Access VPN Wizard: IPsec Remote Access: User Group
Step 20 Click Add.
This displays the User Group: Add/Edit screen, which is used to create user groups for Remote Access IPsec
VPN and set their properties (see Figure 76).
Figure 76 Remote Access VPN Wizard: User Group: Add/Edit: Group Settings
Step 21 Enter a name for the user group.
The client supplies the user group name to the VPN server during connection setup. The VPN server uses it
to allow or block services for the client according to the configuration specified for the group in the
User Group Add/Edit screen.
Step 22 For Remote Access IPsec groups, enable IPsec Remote Access for this user group and disable SSL
VPN, Web Login, and Captive Portal, as shown in Figure 76.
Step 23 Click the Membership tab to add users to the group.
This displays the screen for adding users to the group (see Figure 77).
Figure 77 Remote Access VPN Wizard: User Group: Add/Edit: Membership
Step 24 Enter each user's account name and password and click Create.
Step 25 After all required users are entered, click OK.
This displays the IPSec Remote Access:User Group screen showing the user group created (see
Figure 78).
Figure 78 Remote Access VPN Wizard: IPsec Remote Access: User Group

Step 26 Click Next.
The IPsec Remote Access Summary screen is displayed (see Figure 79).
Figure 79 Remote Access VPN Wizard: IPsec Remote Access: Summary
Step 27 Click Finish to complete the Remote Access IPsec VPN configuration.
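Two values entered in the procedure above interact: the DNS server pushed to clients in Step 12 and the split-tunnel subnets of Step 16. If the DNS server is not inside one of those subnets, a split-tunnel client sends its queries for internal names out of its local interface, not through the tunnel. The following Python is added here as an example and is not part of the Cisco guide; it decides, for a list of destinations, which ones the client would encrypt, and checks the pushed DNS server and the subnet list for the common mistakes. The split-tunnel subnets and DNS address are the ones on this page; the sample destinations and the list of typical home LAN ranges are constructed for the example. Run as written, the check reports that 10.1.20.1 is outside both listed subnets, which is worth confirming on a real deployment by resolving an internal name after connecting.

```python
"""Split-tunnel sanity checks for the Remote Access IPsec group policy.

Added example, not part of the Cisco guide. Input values are the split-tunnel
networks (Step 16) and the DNS server pushed to clients (Step 12) as they
appear on this page; the sample destinations and HOME_LANS are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List

# Ranges consumer routers hand out by default (constructed heuristic list);
# a split-tunnel network overlapping one will fight the laptop's own LAN route.
HOME_LANS = [ipaddress.ip_network(n) for n in
             ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24")]


def via_tunnel(dst: str, split_networks: Iterable[str]) -> bool:
    """True if the destination is covered by a split-tunnel network and is
    therefore encrypted; anything else leaves the laptop's local interface."""
    d = ipaddress.ip_address(dst)
    return any(d in ipaddress.ip_network(n) for n in split_networks)


def route_table(dests: Iterable[str], split_networks: Iterable[str]) -> Dict[str, str]:
    """Label each sample destination 'tunnel' or 'direct'."""
    return {d: ("tunnel" if via_tunnel(d, split_networks) else "direct") for d in dests}


def check_split_tunnel(split_networks: List[str], dns_server: str) -> List[str]:
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list is clean."""
    findings = []
    nets = [ipaddress.ip_network(n) for n in split_networks]
    if any(n.prefixlen == 0 for n in nets):
        findings.append("WARN: 0.0.0.0/0 in the split-tunnel list turns this into a full tunnel")
    if not via_tunnel(dns_server, split_networks):
        findings.append(f"ERROR: DNS server {dns_server} lies outside every split-tunnel "
                        "network; client queries for internal names will not enter the tunnel")
    for n in nets:
        for home in HOME_LANS:
            if n.overlaps(home):
                findings.append(f"WARN: {n} overlaps the common home LAN range {home}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"WARN: split-tunnel networks {a} and {b} overlap")
    return findings


# Values as they appear on this page.
PAGE_SPLIT_NETWORKS = ["10.1.254.0/24", "192.168.75.0/24"]
PAGE_DNS_SERVER = "10.1.20.1"
# Constructed destinations for the routing demonstration.
SAMPLE_DESTINATIONS = ["10.1.254.100", "192.168.75.20", "10.1.20.1", "198.51.100.7"]


def page_example() -> Dict[str, object]:
    """Routing decisions and findings for the configuration on this page."""
    return {"routes": route_table(SAMPLE_DESTINATIONS, PAGE_SPLIT_NETWORKS),
            "findings": check_split_tunnel(PAGE_SPLIT_NETWORKS, PAGE_DNS_SERVER)}


if __name__ == "__main__":
    result = page_example()
    for dst, how in result["routes"].items():
        print(f"{dst:16} -> {how}")
    for line in result["findings"]:
        print(line)
```

Adding the subnet that holds the DNS server (for example the main office LAN) to the split-tunnel list clears the error; the check returns nothing for a list such as 10.1.0.0/16 and 192.168.75.0/24 with the same DNS server.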
Using Remote Access VPN Wizard for SSL VPN
This section describes how to use the Remote Access VPN Wizard to configure the SSL VPN group
policies and specify the users and user groups for SSL remote access.
Step 1 Select Configuration Wizards.
This displays the Setup Wizard screen.
Step 2 Click Cancel.
This displays the Wizard menu.
Step 3 Select Remote Access VPN Wizard.
This displays the Remote Access VPN Wizard screen (see Figure 80).
Figure 80 Remote Access VPN Wizard: SSL Remote Access: Getting Started
Step 4 Click Next.
This displays the SSL VPN Configuration screen (see Figure 81).

Figure 81 Remote Access VPN Wizard: SSL VPN: Configuration
Step 5 Set the SSL VPN gateway interface to WAN1.
The server accepts SSL connections on TCP port 443.
Step 6 Select the default certificate file (the appliance's self-signed certificate) and specify the
client address pool as 10.1.154.0/24. With a self-signed certificate, clients cannot verify the gateway's
identity through a trusted CA, so the certificate fingerprint must be checked the first time each client
connects.
Step 7 Enable Client Internet Access so that remote clients retain Internet access while connected.
Step 8 Specify the client's domain and the banner displayed to users at login.
Step 9 Leave the other fields at their default values and click Next.
This displays the following screen to create a new group policy for SSL VPN (see Figure 82).
Figure 82 Remote Access VPN Wizard: SSL VPN: Group Policy
Step 10 This example uses the SSL default policy, so click Next.
The User Group: Add/Edit screen is displayed (see Figure 83).
Figure 83 Remote Access VPN Wizard: SSL VPN: Group Settings: Add/Edit
Step 11 Create a name (for example: SSLVPN-user) for the group.
Step 12 Disable Web Login, select SSLVPNDefaultPolicy as the Default Policy, and disable Cisco IPsec
VPN and Captive Portal.
Step 13 Click the Membership tab to add users to the group.
This displays the User Group: Add/Edit Screen (see Figure 84).

Figure 84 Remote Access VPN Wizard: SSL VPN: User Group: Add/Edit: Membership
Step 14 Add a user to the group by entering the user account name and password and clicking Create.
Step 15 Repeat this for every user to be created for the group.
Step 16 Select each user to be a member of this group in the User table and click the -> button to move
the name to the Membership table.
Step 17 Click OK.
This displays the group details screen (see Figure 85).
Figure 85 Remote Access VPN Wizard: SSL VPN: User Group: Details
Step 18 Click Next.
This displays the User Group screen showing each of the groups that has been added (see Figure 86).
Figure 86 Remote Access VPN Wizard: SSL VPN: User Group: Details: Summary
Step 19 Click Next.
This displays the SSL VPN Summary screen (see Figure 87).
Figure 87 Remote Access VPN Wizard: SSL VPN Summary
Step 20 Click Finish.
This completes the SSL VPN configuration on the ISA570W Security Appliance.
Configuring Laptops of Mobile Workers for Cisco VPN Client
To prepare a laptop to connect to the ISA570W Security Appliance gateway, download the Remote Access
IPsec VPN Client, the AnyConnect VPN client, or both from the following location:
http://www.cisco.com/cisco/software/navigator.html?mdfid=270636499&flowid=4466.
Install the client software the mobile worker will use on the laptop.
Configuring Mobile Worker Laptops for SSL VPN AnyConnect Client
To configure mobile worker laptops for SSL VPN to connect to the ISA570W Security Appliance SSL
VPN gateway, complete the following steps.
Procedure
Step 1 From the client PC/laptop, launch the AnyConnect secure client software and type the WAN IP address
of the ISA570W Security Appliance that is acting as the SSL VPN gateway.
The system displays the screen shown in Figure 88.
Figure 88 AnyConnect Secure Mobility Client: Launch
Step 2 Click Connect.
Because the gateway uses a self-signed certificate, AnyConnect displays the warning shown in Figure 90.
Figure 90 WAN Router Self-Signed Certificate
Step 3 Compare the certificate AnyConnect shows with the certificate installed on the security appliance
before you continue, and click Yes only if they match. Accepting an unknown certificate here allows any
device answering on the gateway address to collect the user's credentials.
The system displays the login screen shown in Figure 89.
Figure 89 Cisco AnyConnect: Username: Password
Step 4 Enter the user name and password, and click OK.
When the AnyConnect session is established, the login banner configured in the SSL VPN wizard is displayed
for confirmation (see Figure 91).
Figure 91 Cisco AnyConnect: Successful Connection
Step 5 Click Accept.
This completes the connection and displays the status of the SSL VPN AnyConnect client (see Figure 92).
Figure 92 Cisco AnyConnect: Connected Screen
Step 6 To verify SSL VPN connectivity, run ipconfig and ping from a Windows command prompt (see Figure 93).
The SSL VPN connected icon appears in the system tray.
Figure 93 SSL VPN Connection Verification: IPconfig: Ping
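The certificate step of the AnyConnect procedure asks the user to accept the gateway's self-signed certificate, and a user who clicks Yes by habit has no way of knowing whether the far end is the ISA570W or something impersonating it. The following Python is added here as an example and is not part of the Cisco guide or of AnyConnect. It pins the certificate instead: the administrator records the fingerprint of the certificate installed on the appliance once, and the script compares it, in constant time, with what the host on TCP 443 presents before the user is allowed to log in. The fetch uses only the Python standard library; the bytes in the self-test are constructed and stand in for a DER certificate, and the host name and pinned value would be supplied by the administrator.

```python
"""Pin the SSL VPN gateway certificate instead of clicking through the warning.

Added example, not part of the Cisco guide or of AnyConnect. PINNED_SHA256
would be taken from the certificate shown in the appliance's management
interface; the value below is derived from constructed bytes for the self-test.
"""
import hashlib
import hmac
import ssl


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest, the form certificate dialogs show."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(der: bytes, pinned: str, algo: str = "sha256") -> bool:
    """Constant-time comparison after normalising an operator-typed pin
    (colons, spaces and letter case are ignored)."""
    want = pinned.replace(":", "").replace(" ", "").upper()
    have = fingerprint(der, algo).replace(":", "")
    return hmac.compare_digest(have, want)


def fetch_gateway_der(host: str, port: int = 443) -> bytes:
    """Retrieve the certificate the gateway presents on TCP 443. No CA
    validation is attempted: a self-signed certificate would fail it anyway,
    and the pin comparison is the check that matters."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def gateway_is_pinned(host: str, pinned: str, port: int = 443) -> bool:
    """Call before launching the VPN client; refuse to connect on False."""
    return matches_pin(fetch_gateway_der(host, port), pinned)


# Constructed stand-in for DER certificate bytes, used only for the self-test.
FAKE_DER = b"\x30\x82\x01\x00 constructed, not a real certificate"
PINNED_SHA256 = fingerprint(FAKE_DER)          # what the admin would record


if __name__ == "__main__":
    print("pinned :", PINNED_SHA256)
    print("match  :", matches_pin(FAKE_DER, PINNED_SHA256))         # True
    print("tamper :", matches_pin(FAKE_DER + b"x", PINNED_SHA256))  # False
```

Pinning works for as long as the appliance keeps the same certificate; when the certificate is replaced, the recorded fingerprint must be distributed again, which is the operational cost of not having a CA-issued certificate on the gateway.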
Configuring Mobile Worker Laptops for IPSec VPN Client
To configure mobile worker laptops using the IPSec VPN Client to connect to the ISA570W Security
Appliance IPSec Remote Access gateway, complete the following steps.
Procedure
Step 1 Select the IPsec VPN Client icon on the PC or laptop, as shown in Figure 94, to launch the IPsec
VPN Client software.
Figure 94 IPsec VPN Client Icon
The VPN Client window is displayed as shown in Figure 95; it is used to create and manage connection
entries.

Figure 95 IPsec VPN Client Connection Entries window
Step 2 Click New, or select Connection Entries > New, to create a connection entry for the main office
gateway, using the group name and pre-shared key created in the Remote Access IPsec VPN wizard.
Step 3 To edit an existing entry, select it and click Modify, or choose Modify from the Connection Entries
menu. Figure 96 shows a connection entry being edited.
Figure 96 IPsec VPN Client: Connection Entry: Edit/Modify
Step 4 Click Save.
The window shown in Figure 97 lists all connection entries.
Figure 97 IPsec VPN Client: Connection Entry
Step 5 To connect, select a connection entry and click Connect (or double-click the connection entry).
Figure 98 shows a successful IPSec VPN client connection.
Figure 98 IPsec VPN Client: Connection Success
Figure 99 shows the IP address (10.1.254.100) of an IPSec VPN client and a successful ping to an IP
address of a remote location.
Figure 99 IPsec VPN Client: Connection Verification

For advanced IPsec and SSL VPN configurations, see the sections on IPsec VPN for remote access and on
SSL VPN for browser-based remote access in the ISA570W Security Appliance administration guide.
Additional Enhancements
This section briefly describes the following additional enhancements:
Configuring Dual WAN Link Support on the ISA570W Security Appliance, page 78
Unified Threat Management System, page 78
Configuring Dual WAN Link Support on the ISA570W Security Appliance
The security appliance allows a second ISP connection through the optional port in WAN mode. When the
optional port is in WAN mode, it can be configured for:
Failover (auto-rollover), to use one of the ISP links as a backup
Load balancing, to use both ISP links simultaneously
For more information about using the optional port as a second link to an ISP, see the Configuring the
Optional WAN section of the ISA570W Security Appliance administration guide.
Note The optional WAN port does not support VPN connectivity.
Unified Threat Management System
The ISA570W Security Appliance supports Unified Threat Management (UTM), which adds cloud-assisted
security services while reducing security management effort. UTM implementation will be covered in a
separate application note; see also the ISA 500 Series Administration Guide.
References
Cisco SMART Designs: http://www.cisco.com/go/smartdesigns
Cisco ISA 500 Series Quick Start Guide:
http://www.cisco.com/en/US/products/ps11752/prod_installation_guides_list.html
Cisco ISA 500 Series Administration Guide:
http://www.cisco.com/en/US/products/ps11752/prod_maintenance_guides_list.html
Other ISA570W Security Appliance Technical documents:
http://www.cisco.com/en/US/products/ps11752/prod_technical_reference_list.html
Cisco Small Business SA500 Series Security Appliances:
http://www.cisco.com/en/US/products/ps9932/tsd_products_support_series_home.html
Customer support:
http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
Cisco Small Business SG500 Series Managed Switches:
http://www.cisco.com/en/US/products/ps10898/tsd_products_support_series_home.html
SNF Role Configuration Guide for Cisco Small Business 300 Series Switches:
http://tools.cisco.com/s2slv2/ViewDocument?docName=EXT-AS-405572
Small Business 300/200 Switches for Cisco UC300 Solution:
http://tools.cisco.com/s2slv2/ViewDocument?docName=EXT-AS-370390
