20
CALL THE TELSTRA BUSINESS TECHNICAL HELPDESK ON 1800 066 594 VISIT TELSTRA.COM/BUSINESS cisco user guide XXXXXX code apr 10
Call the telstra BusinessteChniCal helpdesk on 1800 066 594
visit telstra.Com/Business
cisco user guide
XXXXXX
code
apr 10
1. AboutthisuserGuide–AboutsecuritydeviceMAnAGer(sdM) 03
2. thinGstonotebeforeyoustArt 03
3. MiniMuMsysteMsrequireMents 04
4. securitydeviceMAnAGer 06
5. WAystoAccessthesdMoffcdorGui 06
6. instAllinGthesecuritydeviceMAnAGer(sdMversion2.5) 07
7. lAunchinGsdM 09
8. instAllinGciscovPnclient 11
9. confiGurinGyourrouterusinGsdM 21
10. coMMonlyrequestedfeAturesforbusinessbroAdbAndequiPMentextrAs–ciscocPe 23
11. “hoWto”foreAchfeAture 25
12. GlossAry 37
13. needAdditionAlhelP? 37
Welcome to telstra Business BroadBand equipment – cisco® 877W and 18121 router
youhavepurchasedtelstrabusinessbroadbandequipmentextras–cisco®customerpremisesequipment.theciscouserguidewillhelpyoutoconfigureandsetupyournewrouter,soyoucangetmoreoutofyourtelstrabusinessbroadbandservice.
02
ethernetcustoMers
thecisco1812–K9routerdoesnothavebuilt-inwireless
capability.ifyourequirewirelesscapability,please
consultyouritspecialistorcontact1800655744for
informationonourrangeofitsupportoptions,
availablethroughtelstrabusinesssupportextras.
ifyouhavepurchasedourtelstra
broadbandequipmentextraswithcisco
AdslcustomerPremisesequipment(cPe),
yourincludedrouteristhecisco877W–K9.
ithaswirelesscapability.
AdslcustoMers
thisisastep-by-stepguidetohelp
youconfigureyourciscorouterwith
thesecuritydeviceManager(sdM),
sothatitcanbeusedwithyour
telstrabusinessbroadbandAdsl
orethernetservice.
itwillguideyouthroughthebasicsteps
tosetuptheconfigurationandfeatures
forthecisco877Wor1812router
suppliedwithyourtelstrabusiness
broadbandequipmentextras.
theuserguiderequiresthereaderto
haveabasicworkingknowledgeof
ciscoequipment,andshouldbeusedto
supplementthecisco850,cisco870and
1800seriesAccessrouterscablingand
quickstartGuide,whichisincludedin
yourtelstrabusinessbroadband
equipmentkit.
tohelpmakethesetupofthebasic
andstandardconfigurationseasier,
werecommendcustomersfamiliarise
themselveswiththesecuritydevice
Manager(yoursdMsoftwareisincluded
inthisextraspackage).
customersrequiringmoreadvanced
routerconfigurationorlocalArea
network(lAn)settingsshoulduse
thecommandlineinterface(cli)2.
ifyoudonothavetheexpertisetodo
this,pleaseconsultyouritspecialist,
Accountrepresentativeorcall
1800655744formoreinformation
onourrangeofitsupportoptions,
availablethroughthebusiness
supportextras3.
a. Pleaseensureyouhavereadthe
minimumsystemsrequirements
andcompatibilitycriteria.
b. ensurethatallhardwaremeets
minimumsystemrequirements
aspersection3.
c. Pleasestorethisuserguidein
asecureplace,forquickand
easyreference.
d. youcanaccesstherouter
intwoways:
1. commandlineinterface4
(foradvancedconfiguration
&lAnsettings)
2. securitydeviceManager
(recommended).
e. Allthecommonlyrequested
featuresnotedinsection10and11
havebeenmadeavailableonyour
suppliedrouter(877Wor1812)5;
thisdocumentwillguideyou
throughhowtoenablethese
featuresusingthesdM.
f. Pleaseensureyouhavereadthe
cisco850&cisco870seriesorthe
1800seriesAccessrouterscabling
andquickstartGuideforconnecting
yourciscoroutertothetelstra
businessbroadbandAdslor
ethernetservice.thisquickstart
Guideisincludedinthekit.
g. Werecommendyouchangeorreset
yourrouterdefaultpasswordas
soonaspossibleafteryouhave
installedandconfiguredyour
suppliedciscorouter.
2. thinGstonotebeforeyoustArt
3.MiniMuMsysteMsrequireMents
A.sdM
thefollowingtabledefinestheminimumsystemrequirementstoinstallthesdMonyourcomputer.
b.Wireless
Pleaseensureyoucheckthe
followingrequirementsforusing
WPAwirelessprotocol.
yourwirelesscardmustsupport
WPAorWeP.
Makesureyouhavethemostcurrent
driversforyourwirelesscard.
yourcomputermusthaveWindows
xPservicepack2installedand
allthelatestupdates(youcan
downloadthemthroughthe
Windowsupdatesite
atwindowsupdate.microsoft.com).
importantfirststep:
WindowsxPusersmustinstall
aMicrosoftupdatetoenableWPA
supportbeforecontinuing.
theupdatecanbedownloadedat
support.microsoft.com/kb/893357
youwillneedtorestartyour
computerafterdownloading
andinstallingtheupdate.
WirelessAccessissupportedvia
Macos®x10.3.3orlaterwith
AirPort®software3.3orlater.
Webbrowserversions
ciscosdMcanbeusedwith
thefollowingbrowsers:
firefox®1.0.6andlaterversions
please note: ifyouhavefirefoxset
asyourdefaultwebbrowserand
wouldliketocontinuetouseit,
youwillneedtonotethefollowing:
– ensurethatthepop-upblocker
isswitchedoff
– youwillnotbeabletoconnect
usinghttpsorsecuremode.
internetexplorer®5.5
andlaterversions.
netscape®7.1,7.2,and9.0.
Java™runtimeenvironment(Jre)
ciscosdMrequiressunJava™runtime
environment(Jre).theJavaruntime
environmentcanbedownloaded
fromthefollowingwebpage:
www.java.com/getjava/
03 04
1. AboutthisdocuMent–AboutsecuritydeviceMAnAGer(sdM)
coMPuter oPerAtinGsysteM requireMents
computerwithaPentium®-classprocessororgreater
Windowsvista®(businessedition)
Windows®xPProfessional
Windows2003server(standardedition)
Windows2000ProfessionalwithservicePack4
Windows2000Advancedserverisnotsupported
MicrosofttcP/iPinstalled(confirmviastart>settings>controlPanel>network>Protocolsorconfiguration)
9Mbharddiskspace
rAM:
–128MbforWindowsxP(256Mbrecommended)
–64MbforWindows2000(128Mbrecommended)
coMPuter oPerAtinGsysteM requireMents
computerwithaPentium®-classprocessororgreater,includingtabletPc
(ciscovPnclientversion5.0.03.560)
Windowsvista(allreleasedversions)
WindowsxP
Windows20007
tabletPc2004/2005
NoteforallWindowsoperatingsystems,only32-bitplatformsaresupported
MicrosofttcP/iPinstalled(confirmviastart>settings>controlPanel>network>Protocolsorconfiguration).
50Mbharddiskspace
rAM:
– 128MbforWindowsxP(256Mbrecommended)
– 64MbforWindows2000(128Mbrecommended)
– 32MbforWindows98(seenoteunderoperatingsystems)
– 64MbforWindowsntandWindowsMe(seenoteunderoperatingsystems)
Apple®computer
(ciscovPnclientversion4.9.00.0050)
Macos®x,version10.4orlater 50Mbharddiskspace
PPconly.noneoftherelease4.9.00.0050Macos®x10.4andhigheronbothPowerPc(PPc)andintelprocessors
notsupportedonMacos®x10.3.9andearlier
c.ciscovPnclient
ciscovPnclientforWindowsvista,
release5.0.03.560,doesNOTsupport
thefollowingfeatures:
systemupgradedfromWindowsxP
orearlierWindowsoperating
systemstovista.please note:
cleanosinstallationifrequired.
startbeforelogon.
smartcardauthentication.
integratedfirewall.
installshield.
Autoupdate.
Advisoryaboutconnection
timeonWindows
usingthevPnclienttoconnect
toaWindowsvistasystemmight
takelongerthanthetimeneeded
toconnecttoaWindows2000or
WindowsxPsystem.
theactualtimeittakestoconnect
mayvaryforeachcustomer.
thesecuritydeviceManageris
asoftwareprogramprovidedbycisco
toallowuserstoconfigurerouterios,
securityandnetworkconnection
featuresviaawebbasedGraphical
userinterface(Gui).
4. securitydeviceMAnAGer
Werecommendusersaccessthe
sdMGuibyopeningupawebbrowser
andtypingin:https://10.10.10.1
please note: Aninternetconnection
doesnotneedtobeopeninorderto
accessthissiteasitoperatesat
therouterlevel.
5. WAystoAccessthesdMoffcdorGui
05 06
thefollowingtableindicatesthesystemrequirementstoinstalltheciscovPnclientoneachofthesupportedplatforms.6
MiniMuMsysteMsrequireMents
6.instAllinGthesecuritydeviceMAnAGer(sdMversion2.5)
STEpS:
1. insertthesdMcdintoyourcddrive.
2. downloadthesdMzipfiletothePc.
3. extractthesdMzipfile.GotosdMinstallerfolder
andclicksetup.exe.theinstallationwizardwill
startasshownabove.
4. clickNext.
5. selectI accept the terms of the license agreement
as shown above.
6. clickNext.
9. Acceptthedefaultdestinationfolder–asshowabove
10.clickNext.
itisrecommendedthatusersinstallthesecuritydeviceManagerdirectlytothePcordesktop.
7. selectThis Computer–asshownabove
8. clickNext.
youarenowreadytoinstall:
11.clickInstall. 12.clickFinishaftersuccessfulinstallation–
asshownabove.
07 08
7.lAunchinGsdM
2. entertheDevice Ip addressoftherouter.
telstradefaultshownabove10.10.10.1.
3. selectThis device has HTTpS enabled and I want to use it.
4. clickLaunch.
AsecurityAlertwillappearasperbelow:STEpS:
1. Gotostart–AllPrograms–ciscosystems–ciscosdM
–ciscosdM.youwillthenbepromptedwiththebelow
textbox.
9. Apopupscreenwillnowshowwith
Warning – Securityasabove.clickYes.
5. clickYes.
6. enterUser name andpassword.Adefaultadministrator
usernameandpassword“advantage/advantage”has
beenpre-configuredintotherouterconfiguration.
foryournetworkandroutersecurity,youareadvisedto
changeyourusernameandpassword.seesection8(f)
–adding User name and password.
youwillbepromptedtoentertheusernameandpassword.
7. Anerrormayoccursuchastheoneshownabove.
tounblockthesdMpopuppage,moveyourmouse
cursorovertheyellowbarandrightclickthemouse
andselectallow Blocked Content.
thepopupscreenwillthenAppear:“Warning–httPs”
8. thisisaselfsignedcertificatebytherouter,sothe
publisherwillbeunknown.thisisthecorrectbehaviour,
clickYes.
09 10
11. WindowssecurityAlertmaypopup.
clickUnblock.
10. Awarningwillthenappear,clickYes.
8.confiGurinGyourrouterusinGsdM
A.configuringinterfaces:
1. configuringyourAdsl(WAn)interface
please note:
ifthepreviousstepsfailatthispoint,werecommendyoutake
thefollowingaction:
a. clickConfigure–asperstepsonpage11.
b. clickInterfaces and ConnectionsfromtheTaskssection.
c. click Edit Interface/Connection.
d. highlightaTM0.1
e. doubleclickonUsernameonthebottomhalf
ofthescreen.
f. clickauthenticationinthepopupboxthatappears.
g. PopulateUsername,New password
andConfirm new passwordfields,
capsauthenticationshouldalreadybeselected.
h. clickOK.
i. clickOKagain.
j. clickFile/Write to Startup config
k. clickYeswhenpromptedtocontinuewith
thecopyprocess
6. selectpppoa with aaL5MUX.
7. clickNext.
8. entervaluesforVirtual path Identifier(vPi)andVirtual
Circuit Identifier(vci).thevPiandvciareobtainedfrom
theConfiguration advicefromtelstra.
9. clickNext(ifsuccessful,moveontostep10).
STEpS:
1. clickConfigure.
2. clickInterfaces and ConnectionsintheTaskssection.
3. selectaDSL (pppoE or rFC 1483 routing or pppoa).
4. clickCreate New Connection.
5. clickNext.
11 12
10. selectEasy Ip (Ip Negotiated)asshownabove.
11. clickNext.
12. authentication Type–selectCHap.
13. entertheUsernameandpassword fromthe
Configuration adviceprovidedbytelstra.
14. clickNext.
please note: theaboveisprovidedasanexample.
15. selectport address Translation.
16. LaN interface to be translated –clickdropdownmenu
andselectyourlAninterface.
17. clickNext.
STEpS:
1. clickConfigure.
2. clickroutingfromtheTaskssection
–onthelefthandsideofthescreen.
3. clickaddasshownabove.
youwillbeprovidedwiththefollowingscreen
toaddyourstaticroute:
2. clickInterfaces and ConnectionsfromtheTaskssection.
3. clickEdit Interface/Connection.
4. highlightFastethernet0interface.
5. clickEnable.thestatuscolumnshouldnow
changefromDowntoUp.
6. clickEdit Interface Connectiontab.
7. clickandhighlightinterfaceandclickEdit
please note:theEdittabmaynotalwaysbeactive.
ifthisdoesnotwork,pleaseuse/followthecreate
connectionwizard.
b.configuringstaticroute
c.networkAddresstranslation(nAt )/PortAddresstranslation(PAt )
1. definingtrustedanduntrustedinterface
fillinthedetailsasshownabove.
4. selectIp address radiobutton.
5. enteryourdefaultrouteaddress.
6. selectpermanent route.
7. clickOK
please note: theaboveshowsasampledefaultroute.
13 14
18. selectTest the connection after configuring.
19. clickFinish.
2. configuringethernet/staticinterface
youwillbeprovidedwiththefollowingdialoguebox:
8. fillinthedetailsasshownaboveandclickOK.
please note:theaboveIp addressisusedasanexampleonly
–theactualstaticIp addressisdetailedinyourconfiguration
emailfortelstrabusinessbroadband.
STEpS:
1. selectConfigureasshownabove.
STEpS:
1. clickConfigure.
2. clickNaTfromtheTaskssection.
3. selectEdit NaT Configurationtab.
4. clickDesignated NaT Interfaces.
confiGurinGyourrouterusinGsdM
2. dynamicPortAddresstranslation
STEpS:
1. clickConfigure–asshownabove.
2. clickNaTfromtheTaskssection.
3. selectEdit NaT Configurationtab.
4. clickadd.
5. selectDynamic.
6. intheDirectiondropdownmenu:
selectFrom Inside to outside.
7. clickpulldownmenuandselect
Create a new rule (aCL) and select…8. fillinname,typeandDescriptionasappropriate.
9. clickadd
7. clickSave.
5. selectappropriateboxesfortrustedanduntrusted
interfaces–asshownabove.
Pleasenote:theaboveWAninterfaceisprovidedas
anexampleforethernetsetup(ieFastEthernet0),
forAdslcustomerspleaseusedialler0.
6. clickOK.
completethefollowingfields:
10.action.
11.Description(optional).
12.Source Host/Networksource.
13.protocol and Service.
14.selectIpintheIp protocol.
15.clickOK.
please note: thesourceshouldbethetrustednetwork.
16. clickOK.
thefollowingscreenwillbeprovided:
15 16
thefollowingdialogueboxwillappear:
17.clickonSave.
d.staticPortAddresstranslation(staticPAt)
staticportaddresstranslationisrequiredifthecustomerhas
awebserverlocatedwithintheirlAnwhichtheywouldlike
togiveinternetusersaccessto.thisassumesthecustomer
hasappropriatesecuritymeasuresontheserverbefore
configuringthisfeature,ifyouareunsurepleaseconsult
youritspecialistorcontactyourAccountrepresentative
formoreinformationonouritservicessolutions.
thefollowingscreensshowhowtoconfigurePAt
forweb(port80) STEpS:
1. clickConfigure–asshownabove.
2. clickNaTfromtheTaskssection.
3. selectEdit NaT Configurationtab.
4. clickadd.
confiGurinGyourrouterusinGsdM
5. selectStatic–asshownabove.
6. intheDirectiondropdownmenu–select
From inside to outside.
7. intheTranslate from InterfaceentertheIp address
andsubnetmaskoftheWebseveronthelAn.
8. inTranslate to interface,enterthepubliciPaddress
intheIp addressfield.
9. ensurethattheredirect portisselected.
10.selectTCp.
11. Original portandTranslated portaresetto80.
12.clickOK.
13.clickSave.
e. creatingAccesscontrollist
STEpS:
1. clickConfigure–asshownabove.
2. clickadditional TasksfromtheTaskssection.
3. selectEdit NaT Configurationtab.
4. clickadd.
5. completethefieldsName/NumberandDescription.
6. clickadd.
9. theabovewillbeshowntoverifytherule
whichwasconfigured.
10.toapplytherule,clickassociate.
7. theaboveexamplesshowsanyuser(source)allowed
toaccessthepublicaddressofthewebserver.
Accesshasbeenrestrictedtoport80only.
8. onceyouhaveaddedtherule,clickOK.
11.Astheexampleallowsinternetuserstoaccessawebserver
inthelAn,selectaninterface(exampleFastEthernet0)and
specifyInbounddirection.
please note:thisisprovidedasanexampleonly–
forethernetsetupuseieFastEthernetandAdslset
uppleaseuseiedialler0.
12.clickOK.
17 18
confiGurinGyourrouterusinGsdM
2. removingtelstraAdministratorAccount
STEpS:
1. clickConfigureasshownabove.
2. clickadditional TasksintheTaskssection.
3. clickUser account/View.
4. clickandhighlightadvantage
ortheadministratorusername.
5. clickDelete.
please note:
thefollowingprompt–SDM Warningwillbeshown,thiswill
warntheadministrator.beforethisdefaultaccountisdeleted,
makesureaneWusernameandPasswordwithprivilege
Level 15hasbeenconfigured.
6. clickYestoinitiatetheAdministratorAccountdeletion.
15.clickSave.
youwillbeprovidedwiththefollowingscreen: 6. fillintheUsername,New passwordand
Confirm New password fields.
7. forprivilege Level,onlyadministratorsshouldbemarked
with15andallotherusersshouldbemarkedwith1
8. clickOK.
9. clickFileandWrite(filetoolbar)tostartupconfigure
– THIS IS VErY IMpOrTaNT aND IS rEQUIrED TO SaVE
THE CHaNGES INTO THE rOUTEr IN CaSE OF a pOWEr
FaILUrE/pOWEr CYCLE.
19 20
13.youwillbeprovidedwiththisscreen,whichwillconfirm
theinterfaceassociationanddirection.
please note:thetheWAninterfaceisprovidedas
anexampleforethernetsetup(ieFastEthernet),
forAdslcustomersthisshouldindicatedialler0.
14.clickOKtofinish.
f. Adding/modifying/removing usernameandPassword
1. AddingusernAMeandPassword
thefollowinginstructionsshowhowtoadd
newuserswithpasswords.
STEpS:
1. clickConfigureasshownabove.
2. clickadditional TasksintheTaskssection.
3. clickrouter access.
4. clickUser accounts/view.
5. clickaddorclickEditifyouwishtomodifyusername
and/orpassword.
confiGurinGyourrouterusinGsdM
9. instAllinGciscovPnclient
21 22
STEpS:
1. downloadtheciscovPnclienttothePc(thisfeature/
clientisonlyavailabletocustomerswhohavepurchased
ourroutersupportserviceextra).
2. extracttheciscoclientzipfile.GotociscovPnclient
installerfolderandclicksetup.exe.theinstallation
wizardwillstartasshownabove.
3. clickNext.
7. AcceptdefaultdestinationfolderandclickNext.
9. theinstallationwillstartasshownabove.
8. clickNext.
4. ALicense agreementwillappear.
5. selectI accept the license agreement.
6. clickNext.
Cisco VpN install successful:
10.clickFinishwhentheinstallationiscomplete.
youwillbepromptedtorebootyourcomputerforinstallation
totakeeffect:
11.torebootcomputer,clickYes.
A.Wireless
WiredequivalentPrivacy(WeP)and
WifiProtectedAccess(WPA)arethe
twosecurityprotocoloptionsavailable
forencryptingwirelesscommunications
ontherouter.
WerecommendcustomersuseWPA
–thestrongerofthetwoencryption
methods.
WPAisthesecondgenerationwireless
encryptionprotocolanddesignedto
overcomethesecurityflawsthatwere
evidentinWeP.WPAisavailableinWPA2
(enterprise)andWPA-PsK(Personal).
WerecommendyouuseWPAasyour
methodforWirelessencryption.
WPA-PsKiseasiertosetupthanWPA2
(enterprise)sinceitusesapre-shared
key,comparedtocertificatesinan
enterpriseenvironment.theminimum
lengthis8characters;withmaximum
63characters,werecommenda
minimumlengthof20characters.
valuescanbealpha-numeric.
touseeitherWePorWPAboththe
wirelessdevicesandtheoperating
systemmustbeabletosupportit.
please note:someolderoperating
systemsmaynotsupportWPAand
willrequireWeP.itisnotpossible
tomixWPAandWeP.
ifonedeviceonthenetworkislimited
toWeP,theneitherthatdeviceneeds
tobereplacedortheentirenetwork
istobelimitedtousingWeP.
b.remoteAccess
therouterssupportvariousremote
accessapplications,suchassdM,telnet,
andsshtoallowremotemanagement.
sdMcaneitherusehttporhttps.
however,thesdMsoftwareneeds
tobeinstalledonthePc.
telnetandssharenetworkprotocols
whichallowremoteinteractivetcP
sessionstotherouter.telnetisless
securesincethetcPsessionisallin
cleartextwhilesshismoresecure,
itusesencryptiontoprotectthedata
betweentheclientandtherouter.
c.remoteAccessvPn (iPsecvPn)
remoteAccessvPnallowsmobile
workers(tele-workers)tosecurely
accessthecorporatenetworkfrom
anywhereintheworld.
tosecurelyaccessthecorporate
network,therouterneedstobesetup
toacceptandterminatetheiPsecvPn
tunnelandtheciscovPnclient
softwareneedstobeinstalledon
thePctoinitiatetherequest.
WhentheiPsectunnelisestablished,
itofferstheusercomprehensivesecurity
byencryptingthedatabetweenthe
clientPcandtherouter.
Important note:
thisfeatureisavailablethrough
telstraifyouhavepurchasedthe
telstrabusinessbroadbandextras
‘routersupportservice(rss)’.
formoreinformationonthistelstra
businessbroadbandextras,please
contactyourtelstraAccount
representativeorcall1800 655 744.
d.dynamichost controlProtocol (dhcP)
thedhcPprotocolallowsaserverto
dynamicallyassigniPaddressesand
dnsaddressestothePctcP/iPsoftware
stack.theiPaddressesareassigned
fromanarbitraryiPaddresspool.
e. integratedfirewall
initssimplestform,afirewall
preventsunauthorizedaccessfrom
anuntrustedsourcetoatrusted
network.theZonebasefirewall(Zbf)
featureisasophisticatedformof
firewallintroducedinciscoios
version12.4(6)twhichprovides
statefulinspection.
statefulinspectionoffersbetter
securitybykeepingtrackofthepackets
traversingtherouterby“inspecting”
thepacketuptotheapplicationlayer
information.thisallowstherouterto
distinguishlegitimatepacketsfor
differenttypesofconnections.
10.coMMonlyrequestedfeAturesfortelstrAbusinessbroAdbAndequiPMentextrAs–ciscocPe
f. networkAddresstranslation(nAt)/PortAddresstranslation(PAt)
theconceptofnAtandPAtallows
internaldeviceswithunregistered
(private)addresstoaccesstheinternet
byhavingtherouterre-writeand
replacetheinternaladdresswithan
internet(public)validiPAddress.
nAtallowstheroutertoallocate
onepubliciPaddresstooneinternal
privateiPaddresswhilePAtallowsthe
routertoshareonepubliciPaddress
amongstmanyinternalprivate
iPaddresseddevices.
itshouldbenotedthatsomeprotocols
maybreakwhenusedinconjunction
withnAt/PAtsincesomeprotocols
mayhaveembeddediPaddresses
inthepayloaditself.
itisassumedthecustomerwill
onlyencounterstandardwell
knownprotocols.
23 24
A.ciscovPnclientconfiguration
thisfeatureisavailablethroughtelstraifyouhavepurchased
thetelstrabusinessbroadbandextras‘routersupportservice
(rss)’.formoreinformationonthistelstrabusiness
broadbandextras,pleasecontactyourtelstraAccount
representativeorcall1800 655 744.
b.configuringaniPsecvPnontherouter
thissectionshowshowtoconfiguretheroutertoactasan
iPsecvPnterminationpointtoallowremoteuserswhohave
installedciscovPnclientontheirpersonalcomputer,to
securelyconnecttothecorporatelocalareanetwork.this
featureisavailablethroughtelstraifyouhavepurchasedthe
telstrabusinessbroadbandextras‘routersupportservice
(rss)’.formoreinformationonthistelstrabusiness
broadbandextras,pleasecontactyourtelstraAccount
representativeorcall1800 655 744.
STEpS:
1. clickConfigure.
2. clickVpNintheTaskssection.
3. clickEasy VpN Server.
4. clickLaunch Easy VpN Server Wizard.
3. Connection Entry–isthenameofthis
particularprofile.
4. Description–ameaningfuldescriptionoftheprofile.
5. Host–thepubliciPaddressoftherouter.
6. Group authentication:
Name–userdefined,thisgroupnameMustbethe
sameastheonedefinedinsection11(b)step18.
password–userdefined.
STEpS:
1. starttheciscovPnclient.
2. clickNew.
11.“hoWto”foreAchfeAture
25 26
5. clickNext. 6. clickUnnumbered to.
7. clickthedropdownmenuandchoosetheinterfacewhich
facestheinternet.
8. forauthentication,selectpre-shared Keys.
9. clickNext.
14.selectEnable User authentication.
15.selectLocal Only.
16.clickNext.
12.selectLocal.
13.clickNext.
27 28
17.clickadd.
18. Name of This Group–defineremoteaccesspolicies
thatarecommontoallspecificusers.thisgroupname
mustmatchthenameinsection11(A)step6.
19. pre-shared Keys–passwordfordeviceauthentication.
20. pool Information–rangeofiPaddressesthatcanbe
allocatedtoiPsecvPnclients.thisaddressMust
beunique.
21.clickOK.
“hoWto”foreAchfeAture
youwillbeprovidedwiththefollowingscreen.
10.clickNext. 11.clickNext.
c.otheriPsecvPnsettings
1. dns/Wins
thedns/Winsconfigurationpageallowscustomerswhohaveinternal
serverswithinthecorporatenetworkwhichneedtobeassignedtothe
iPsecvPnusersotheycanresolveprivatehostordevicenames.
2. splittunneling
splittunnelingallowsadministratorstoconfigurethe
routertoallowremoteusers(ciscovPnclients)tohave
secureaccesstothecompanynetworkwhileatthesame
timeallowingunsecureaccesstotheinternet.
splittunnelingcanposeasecurityriskwhenconfigured.
sincevPnclientshaveunsecuredaccesstotheinternet,
theycanbecompromisedbyanattacker.thatattackeris
thenabletoaccessthecorporatelAnviatheiPsectunnel.
itisadvisedadministratorsdonotenablesplittunneling.
STEpS:
1. clickSplit tunnelingtab–asshownabove.
2. selectEnable Split Tunneling.
3. selectSelect the Split tunneling aCL.
4. clickCreate a new rule (aCL) and select…
5. Name/Number–provideameaningfulnameoftheAcl
(nospaces).
6. Description–provideameaningfuldescription.
7. clickadd.
In the action dropdown box:
8. clickSelect an actionandselectprotect the traffic.
In the Source Host/Network section:
9. Type–selecta Network
10. Ip address and Wildcard Mask–thisisthesourcesubnet.
typicallyitisyourlAnsubnet.
In the Destination Host/Network section:
11. Type–selecta Network
12.Ip address and Wildcard Mask –thisisthedestination
subnet.thisisyourpoolofiPaddressescreateinsection
11(b)step20–Poolinformation:–rangeofiPaddresses
thatcanbeallocatedtoiPsecvPnclients.thisaddress
Mustbeunique.
14.clickNext.
15.clickNext. 16.clickFinish.
13.clickYes.
29 30
STEpS:
1. clickDNS/WINStab.
2. selectConfigure DNS Serversandfillintherequiredfields.
3. checkConfigure WINS Serversandfillin
therequiredfields.
“hoWto”foreAchfeAture
d.Wireless
routerWirelessconfiguration
STEpS:
1. clickConfigure.
2. clickInterface and Connectionsfromthe
Taskssection.
3. clickCreate Connectiontab.
4. clickWirelessradiobutton.
5. clickLaunch Wireless.
radioexpresssetup:
12.fillinthefollowingfields:
SSID(thessidprovidedhereisusedforexample
purposesonly).
Ip address andIp Subnet Mask.
13.clickapply.
configuringWirelessinterface:
14.clickWireless Interface.
15.clickradio 802.11G.
16.clickSettingtab.
17.selectEnable.
6. clickWireless radio Express Setup.
7. selectDefaultforOptimize radio Network for.
8. selectEnableforaironet Extensions.
9. clickapply.
please note:theWirelesshostnameisprovidedasan
exampleonly.
10.clickWireless Express Security.
11.selectrouting fromthe Connection Selection.
18.clickapply.
31 32
configuringWirelesssecurity:
–encryptionManager
19.clickWireless Security.
20.clickEncryption Manger.
21.selectCipherradiobutton.fromthepulldownmenu,
selectTKIp.
22.clickapply.
“hoWto”foreAchfeAture
clientWirelessconfiguration
e. configuringrouterasadhcPserver
STEpS:
1. configurestaticinterfaceasshowninsection8(A)2
configuringethernet/staticinterfaces.
STEpS:
1. searchforvariouswirelessnetworksinthelocalvicinity.
2. thessidconfiguredwillshowupinthelist.selectthe
desiredssidandclickconnect.
please note:thessidshownhereisprovidedasanexample.
2. clickConfigure.
3. clickadditional Tasks.
4. clickDHCp pools.
5. clickadd.
6. fillinthefieldsasrequiredforyourinternalnetwork.
please note:domainnameprovidedhereisanexampleonly.
3. entertheWPAsharedkey.thisisthesamekeyasentered
instep27(opposite)–Authenticatedkeymanagement.
4. re-enterthevalueinConfirm network key.
5. clickConnect.
youhavesuccessfullyconnectedyourclient/Pctothe
Wirelessconnectionasshown.
configuringWirelesssecurity:–ssidManager
23.clickWireless Security.
24.clickSSID Manger.
25.clickBBEfromCurrent SSID List.thebbessidisan
example.theusershouldselecttheircustomssid
asdefinedinstepxii–Fill in the following fields.
26.selectOpen authenticationinauthenticationsetting.
fromthedropdownmenu,selectTKIp.
27.underauthenticated Key Management:
a. KeyManagement,selectMandatory
fromthedropdownmenu.
b. selectWpa.
c. Wpa preshare Key –enterWPApassword,
20to60characterslong.
28.clickapply.
29.Pleaserefertosection8(c)2Dynamic port address
Translationtoconfiguretheroutertoallowwireless
devicestoaccesstheinternet.
33 34
“hoWto”foreAchfeAture
therearethreelevelsofsecurity,asdescribedbelow:
Important notice to all customers selecting “High”
or “Medium” Firewall policy levels.
yourciscodevicewillconstantlydownloadtheinformation
itrequirestoenforceaccesscontrols,whichmayresultinincreased
downloadswhichcounttowardstheusageofyourtelstrabusiness
broadbandplan8.thisismorelikelytooccurifyouhavesetyour
firewall/securitypolicytoeither“High”or“Medium”–please
consultyouritspecialistforfurtheradvice.
highsecurity:
selectthisoptionifyouwanttopreventuseofthese
applicationsonthenetwork.
therouteridentifiesinboundandoutboundinstant
Messaginganddropsit.
therouterchecksinboundandoutboundhttPtraffic
ande-mailtrafficforprotocolcompliance,anddrops
non-complianttraffic.
returntrafficforothertcPandudPapplications
isroutedifthesessionwasinitiatedinsidethefirewall.
Mediumsecurity:
selectthisoptionifyouwanttotrackuseofthese
applicationsonthenetwork.
therouteridentifiesinboundandoutboundinstant
Messaging,andchecksinboundandoutboundhttP
trafficande-mailtrafficforprotocolcompliance.
returntcPandudPtrafficonsessionsinitiated
insidethefirewallisrouted.
lowsecurity:
selectthisoptionifyoudonotneedtotrackuseofthese
applicationsonthenetwork.
therouterdoesnotidentifyapplication-specifictraffic.
returnstcPandudPtrafficonsessionsinitiatedinside
thefirewall.
10.selectthesecuritylevelrequired.
11.clickNext.
12.enteryourPrimarydnsserveraddress.
13.clickNext.
yourfirewallconfigurationisnowcomplete.
14.clickFinish.
f. firewall
WArninG:
itisrecommendedthattheadministratorpreviewthe
commandsbeforeapplyingthefirewallpolices.Activating
thefirewallfeaturewithoutfamiliaritywithciscoiosfirewall
policescancausedisconnectionandlocktheadministrator
outoftherouter.
STEpS:
1. clickConfigure.
2. clickFirewall and aCLintheTaskssection.
3. clickBasic Firewall.
4. clickLaunch Easy VpN Server Wizard.
5. clickNext.
35 36
6. setOutside (untrusted) Interface.
7. selectInside (Trusted) Interface.
8. clickNext.
9. clickOK.
youwillbeprovidedwiththebelowscreentoconfirm
theaction:
“hoWto”foreAchfeAture
13.needAdditionAlhelP?
Pleasecontactthetelstrabusinesstechnicalhelpdeskon1800 066 594orvisitusattelstrabusiness.com
thefollowinglinksmaybeuseful:
cisco1812:
www.cisco.com/en/US/products/ps6183/index.html
cisco800seriesisr’sq&A:
www.cisco.com/en/US/prod/collateral/routers/ps380/ps6200/prod_qas0900aecd8028a982.html
ciscosecuritydeviceManager:
www.cisco.com/en/US/products/sw/secursw/ps5318/index.html
Adsl Asymmetricdigitalsubscriberline
ethernet businessdigitalsubscriberline
telstrabusinesssupportextras
itsupportservices–PAyGoptions,itservicesondemand
cli commandlineinterface
cPe customerPremiseequipment
dsl digitalsubscriberline
dns domainnamesystem(server)
dhcP dynamichostcontrolProtocol
ios internetworkoperatingsystem
iPAddress internetProtocolAddress
iPsec internetProtocolsecurity
Jre Javaruntimeenvironment
lAn localAreanetwork
nAt networkAddresstranslation
PAt PortAddresstranslation
routersupportservice subscriptionbasedserviceforbasicrouterconfigurationchanges
ssid servicesetidentifier–theuniquenamegiventoaWirelessnetwork
splittunneling AllowsiPsecvPnuserstoaccesstheinternetandtheirlAnusingthesameconnection
sdM securitydeviceManager
WAn WideAreanetwork
Wins Windowsinternetnameservice
vPn virtualPrivatenetwork
vPnclient theapplicationusedtocommunicatesecurelywithyourciscorouterovertheinternet
12.GlossAry
37 38
forthoseWholiKethedetAils,We’veGottheMhere
1. the1812routersuppliedisnonwireless.
2. thisguidedoesnotstepthroughthemodificationtocommandlineinterface(cli).
3. Additionalfeesandchargesmayapply.
4. thisguidedoesnotprovideinstructionsonhowtomodifythecli.
5. somesupportexclusionsapply.
6. notavailableunlessroutersupportserviceispurchased.telstradoesnotsupportfaultsrelatingtocustomerinitiatediPsecvPn
setup,forsupportofthisfeaturepleasecontactyouritspecialistorcontactuson1800655744tofindoutmoreaboutour
telstrabusinesssupportextrasservices.
7. thevPnclientsupportsboththeWindows2000serverandtheWindows2003serveroperatingsystems.
8. excessusagechargeswillapplyifsubscribedplanisexceeded.
™trademarkoftelstracorporationlimitedAbn33051775556.ciscoisaregisteredtrademarkofciscosystems,inc.and/oritsaffiliatesintheu.s.andcertainothercountries.Pentiumisatrademarkofintelcorporationintheu.s.asothercountries.Microsoft,Windowsvista,WindowsandinternetexplorerareregisteredtrademarksofMicrosoftcorporationintheunitedstatesand/orothercountries.firefoxisaregisteredtrademarkoftheMozillafoundation.netscapeisau.s.trademarkofnetscapecommunicationscorporation.Javaisau.s.trademarkofsunMicrosystems,inc.Macos,AirportandApplearetrademarksofAppleinc.,registeredintheu.s.andothercountries.
