Cisco Dpq3925x User Manual
4021193 Rev C 61 Configure Security

Security VPN Tunnel Page Description

Use the descriptions and instructions in the following table to configure the VPN tunnel for your gateway. After you make your selections, click Save Settings to apply your changes or Cancel Changes to cancel.

Section: VPN Tunnel
  Select Tunnel Entry: Allows you to display a list of created VPN tunnels
  Create Button: Click this button to create a new tunnel entry
  Delete Button: Click this button to delete all settings for the selected tunnel
  Summary Button: Click this button to display the settings and status of all enabled tunnels

Section: IPSec VPN Tunnel
  IPSec VPN Tunnel: Allows you to enable or disable IPsec (Internet Protocol Security) for the VPN tunnel
  Tunnel Name: Enter the name for this tunnel

Section: Local Secure Group
  Local Secure Group: Select the local LAN user(s) that can use this VPN tunnel. This may be a single IP address or a sub-network. Note that the Local Secure Group must match the remote gateway's Remote Secure Group.
  IP: Enter the IP address of the local network
  Mask: If the Subnet option is selected, enter the mask that determines the IP addresses on the local network

Section: Remote Secure Group
  Remote Secure Group: Select the remote LAN user(s) behind the remote gateway who can use this VPN tunnel. This may be a single IP address, a sub-network, or any address. If Any is set, the Gateway acts as responder and accepts requests from any remote user. Note that the Remote Secure Group must match the remote gateway's Local Secure Group.
  IP: Enter the IP address of the remote network
  Mask: If the Subnet option is selected, enter the mask that determines the IP addresses on the remote network
Section: Remote Secure Gateway
  Remote Secure Gateway: Select the desired option: IP Addr., Any, or FQDN. If the remote gateway has a dynamic IP address, select Any or FQDN. If Any is selected, the Gateway will accept requests from any IP address.
  FQDN: If FQDN is selected, enter the domain name of the remote gateway, so the Gateway can locate its current IP address using DDNS
  IP: The IP address in this field must match the public (WAN or Internet) IP address of the remote gateway at the other end of this tunnel

Section: Key Management
  Key Exchange Method: The gateway supports both automatic and manual key management. When automatic key management is selected, Internet Key Exchange (IKE) protocols are used to negotiate key material for the Security Association (SA). If manual key management is selected, no key negotiation is needed. Manual key management is typically used in small static environments or for troubleshooting purposes. Note that both sides must use the same key management method.
Section: Key Management (continued)
  Select one of the following options for the key exchange method:

  Auto (IKE)
  – Encryption: The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. Note that both sides must use the same method.
  – Authentication: The Authentication method authenticates the Encapsulating Security Payload (ESP) packets. Select MD5 or SHA. Note that both sides (VPN endpoints) must use the same method.
    MD5: A one-way hashing algorithm that produces a 128-bit digest
    SHA: A one-way hashing algorithm that produces a 160-bit digest
  – Perfect Forward Secrecy (PFS): If PFS is enabled, IKE Phase 2 negotiation will generate new key material for IP traffic encryption and authentication. Note that both sides must have PFS enabled.
  – Pre-Shared Key: IKE uses the Pre-Shared Key to authenticate the remote IKE peer. Both character and hexadecimal values are acceptable in this field, e.g., My_@123 or 0x4d795f40313233. Note that both sides must use the same Pre-Shared Key.
  – Key Lifetime: This field specifies the lifetime of the IKE-generated key. When the time expires, a new key is renegotiated automatically. The Key Lifetime may range from 300 to 100,000,000 seconds. The default lifetime is 3600 seconds.

  Manual
  – Encryption: The Encryption method determines the length of the key used to encrypt/decrypt ESP packets. Note that both sides must use the same method.
  – Encryption Key: This field specifies the key used to encrypt and decrypt IP traffic. Both character and hexadecimal values are acceptable in this field. Note that both sides must use the same Encryption Key.
  – Authentication: The Authentication method authenticates the Encapsulating Security Payload (ESP) packets. Select MD5 or SHA. Note that both sides (VPN endpoints) must use the same method.
    MD5: A one-way hashing algorithm that produces a 128-bit digest
    SHA: A one-way hashing algorithm that produces a 160-bit digest
  – Authentication Key: This field specifies the key used to authenticate IP traffic. Both character and hexadecimal values are acceptable in this field. Note that both sides must use the same Authentication Key.
  – Inbound SPI/Outbound SPI: The Security Parameter Index (SPI) is carried in the ESP header. It enables the receiver to select the SA under which a packet should be processed. The SPI is a 32-bit value. Both decimal and hexadecimal values are acceptable, e.g., 987654321 or 0x3ade68b1. Each tunnel must have a unique Inbound SPI and Outbound SPI; no two tunnels share the same SPI. Note that the Inbound SPI must match the remote gateway's Outbound SPI, and vice versa.
Section: Status
  Status: This field shows the connection status for the selected tunnel. The state is either Connected or Disconnected.

Section: Buttons
  Connect: Click this button to establish a connection for the current VPN tunnel. If you have made any changes, click Save Settings first to apply your changes.
  Disconnect: Click this button to break the connection for the current VPN tunnel.
  View Log: Click this button to view the VPN log, which shows details of each established tunnel.
  Advanced Settings: If the Key Exchange Method is Auto (IKE), this button provides access to additional settings relating to IKE. Click this button if the gateway is unable to establish a VPN tunnel to the remote gateway, and make sure the Advanced Settings match those on the remote gateway.

Section: Phase 1
  Operation Mode: Select the method appropriate for the remote VPN endpoint.
  – Main: Main mode is slower but more secure
  – Aggressive: Aggressive mode is faster but less secure
  Local Identity: Select the desired option to match the Remote Identity setting at the other end of this tunnel.
  – Local IP Address: Your WAN (Internet) IP address
  – Name: Your domain name
  Remote Identity: Select the desired option to match the Local Identity setting at the other end of this tunnel.
  – Local IP Address: WAN (Internet) IP address of the remote VPN endpoint
  – Name: Domain name of the remote VPN endpoint
  Encryption: This is the Encryption algorithm used for the IKE SA. It must match the setting used at the other end of the tunnel.
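Nearly every field above carries a "both sides must match" note, and a tunnel that stays Disconnected is usually one of those notes violated on one end. The following checker is an added example, not Cisco code or anything shipped with the gateway: it models one gateway's settings for a tunnel with the page's field names (the TunnelConfig class, the `variant` helper and the encryption label "3DES" are assumptions of this example, since the page lists no encryption method names) and reports every cross-gateway mismatch the page calls out: Local/Remote Secure Group pairing (with Any accepted as a responder wildcard), Remote Secure Gateway against the peer's WAN address, shared key exchange method, encryption, authentication, PFS and Phase 1 operation mode, the 300 to 100,000,000 second key lifetime range, 32-bit SPIs in decimal or 0x-hex with Inbound crossed against the peer's Outbound, and keys typed as characters on one side and hex on the other (the page's own My_@123 and 0x4d795f40313233 are the same bytes). Addresses in the sample are constructed documentation ranges.

```python
import ipaddress
import re
from dataclasses import dataclass, replace

# Limits and input formats as stated in the manual's field descriptions.
KEY_LIFETIME_MIN = 300
KEY_LIFETIME_MAX = 100_000_000
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+$")


@dataclass
class TunnelConfig:
    """One gateway's settings for a tunnel (hypothetical class; field names follow the page)."""
    wan_ip: str                   # this gateway's public (WAN) address
    local_group: str              # Local Secure Group: single host or subnet
    remote_group: str             # Remote Secure Group: host, subnet or "any"
    remote_gateway: str           # Remote Secure Gateway: IP address, "any" or FQDN
    key_exchange: str             # "auto" (IKE) or "manual"
    encryption: str               # ESP encryption method (label only; the page names none)
    authentication: str           # "MD5" or "SHA"
    pfs: bool = False
    pre_shared_key: str = ""      # characters or 0x-hex
    key_lifetime: int = 3600      # seconds; the page's default
    operation_mode: str = "main"  # Phase 1: "main" or "aggressive"
    encryption_key: str = ""      # manual keying only
    authentication_key: str = ""  # manual keying only
    inbound_spi: str = ""         # decimal or 0x-hex, 32-bit
    outbound_spi: str = ""


def variant(cfg: TunnelConfig, **changes) -> TunnelConfig:
    """Copy of cfg with some fields changed (used to build mismatched examples)."""
    return replace(cfg, **changes)


def parse_spi(value: str) -> int:
    """Accept decimal or 0x-prefixed hex and require the value to fit in 32 bits."""
    n = int(value, 16) if HEX_RE.match(value) else int(value, 10)
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"SPI {value!r} does not fit in 32 bits")
    return n


def key_bytes(value: str) -> bytes:
    """Keys may be typed as characters or as hex of the same bytes: My_@123 == 0x4d795f40313233."""
    return bytes.fromhex(value[2:]) if HEX_RE.match(value) else value.encode()


def normalize_group(value: str) -> str:
    """Canonical form so that '10.0.1.5' and '10.0.1.5/32' compare equal."""
    v = value.strip().lower()
    return "any" if v == "any" else str(ipaddress.ip_network(v, strict=False))


def check_local(cfg: TunnelConfig) -> list:
    """Checks that need no knowledge of the peer."""
    problems = []
    if cfg.key_exchange == "auto":
        if not KEY_LIFETIME_MIN <= cfg.key_lifetime <= KEY_LIFETIME_MAX:
            problems.append(f"key lifetime {cfg.key_lifetime}s outside {KEY_LIFETIME_MIN}..{KEY_LIFETIME_MAX}s")
        if not cfg.pre_shared_key:
            problems.append("pre-shared key is empty")
    elif cfg.key_exchange == "manual":
        try:
            if parse_spi(cfg.inbound_spi) == parse_spi(cfg.outbound_spi):
                problems.append("inbound and outbound SPI must differ")
        except ValueError as exc:
            problems.append(str(exc))
        if not (cfg.encryption_key and cfg.authentication_key):
            problems.append("manual keying needs both an encryption key and an authentication key")
    else:
        problems.append(f"unknown key exchange method {cfg.key_exchange!r}")
    return problems


def check_pair(a: TunnelConfig, b: TunnelConfig) -> list:
    """Cross-checks for every 'both sides must ...' note on the page. Empty list == consistent."""
    problems = [f"A: {p}" for p in check_local(a)] + [f"B: {p}" for p in check_local(b)]
    for left, right, tag in ((a, b, "A->B"), (b, a, "B->A")):
        # Local Secure Group must equal the peer's Remote Secure Group, unless the peer accepts Any.
        peer_remote = normalize_group(right.remote_group)
        if peer_remote != "any" and peer_remote != normalize_group(left.local_group):
            problems.append(f"{tag}: local group {left.local_group} != peer remote group {right.remote_group}")
        # Remote Secure Gateway given as an IP must be the peer's WAN address. Any needs no check;
        # an FQDN is resolved through DDNS at run time, so it cannot be verified offline.
        rg = left.remote_gateway.strip().lower()
        if rg != "any":
            try:
                if ipaddress.ip_address(rg) != ipaddress.ip_address(right.wan_ip):
                    problems.append(f"{tag}: remote gateway {rg} != peer WAN {right.wan_ip}")
            except ValueError:
                pass
        # Manual keying: my Inbound SPI must equal the peer's Outbound SPI.
        if left.key_exchange == right.key_exchange == "manual":
            try:
                if parse_spi(left.inbound_spi) != parse_spi(right.outbound_spi):
                    problems.append(f"{tag}: inbound SPI {left.inbound_spi} != peer outbound SPI {right.outbound_spi}")
            except ValueError:
                pass  # already reported by check_local
    for attr in ("key_exchange", "encryption", "authentication", "pfs", "operation_mode"):
        if getattr(a, attr) != getattr(b, attr):
            problems.append(f"{attr} differs between the two gateways")
    for attr in ("pre_shared_key", "encryption_key", "authentication_key"):
        try:
            if key_bytes(getattr(a, attr)) != key_bytes(getattr(b, attr)):
                problems.append(f"{attr} differs between the two gateways")
        except ValueError:
            problems.append(f"{attr} is not valid hexadecimal")
    return problems


# Constructed sample: two sites whose settings mirror each other (documentation address ranges).
SITE_A = TunnelConfig("203.0.113.10", "10.0.1.0/24", "10.0.2.0/24", "198.51.100.20",
                      "auto", "3DES", "SHA", pfs=True, pre_shared_key="My_@123")
SITE_B = TunnelConfig("198.51.100.20", "10.0.2.0/24", "10.0.1.0/24", "203.0.113.10",
                      "auto", "3DES", "SHA", pfs=True, pre_shared_key="0x4d795f40313233")

if __name__ == "__main__":
    print("consistent pair:", check_pair(SITE_A, SITE_B) or "OK")
    print("wrong PSK:", check_pair(SITE_A, variant(SITE_B, pre_shared_key="wrong")))
```

The key comparison decodes hex before comparing, so a PSK entered as characters on one gateway and as hex on the other is correctly treated as the same key; an SPI is parsed the same way, which also shows that the page's two SPI examples, 987654321 and 0x3ade68b1, are one value written twice. The checker does not flag Aggressive mode, which the page permits, but the "faster but less secure" note applies equally to both ends.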
View Log

The Security VPN View Log page shows events captured by the firewall. The log displays the following items:
  Description of the event
  Number of events that have occurred
  Last occurrence of an event
  Target and source addresses

You can view the following logs from this page:
  Access log
  Firewall log
  VPN log
  Parental Control log

Click Clear to clear the log data.
Control Access to the Gateway

Access Restrictions > IP Address Filtering

Use the Access Restrictions IP Filtering page to configure IP address filters. These filters block a range of IP addresses from accessing the Internet.

Note: If you are not familiar with the advanced settings detailed in this section, contact your service provider before you attempt to change any of the residential gateway default advanced IP filtering settings.

Select the IP Address Filtering tab to open the Access Restrictions IP Address Filtering page. After you make your selections, click Save Settings to apply your changes or Cancel Changes to cancel.

Access Restrictions > MAC Address Filtering

Use the Access Restrictions MAC Address Filtering page to configure MAC address filters. These filters let you allow or block Internet access for a list of MAC addresses.

Note: If you are not familiar with the advanced settings detailed in this section, contact your service provider before you attempt to change any of the residential gateway default advanced IP filtering settings.
Select the MAC Address Filtering tab to open the Access Restrictions MAC Address Filtering page.

The Block/Pass drop-down menu allows you to block or pass Internet access for the MAC addresses of the devices you list in the MAC Address Filters table. The following table describes the function of the Block/Pass drop-down menu. After you make your selections, click Save Settings to apply your changes or Cancel Changes to cancel.

Field Name: MAC Filtering
  Block Listed (Default): Select Block Listed to deny Internet access to the MAC addresses of the devices you list in the table. All other MAC addresses will be allowed Internet access.
  Pass Listed: Select Pass Listed to allow Internet access only to the MAC addresses of the devices you list in the table. Any MAC addresses not listed in the table will be denied Internet access.

Function Keys

The following function keys appear on the Advanced Settings - MAC Address Filtering page.
  Apply: Saves the values you enter into the fields without closing the page
  Add MAC Address: Saves the MAC address entered in the associated text field
  Remove MAC Address: Removes the selected MAC address
  Clear All: Removes all defined MAC addresses
Access Restrictions > Basic Rules

Access restrictions allow you to block or allow specific kinds of Internet usage and traffic, such as Internet access, designated applications, websites, and inbound traffic during specific days and times. The Access Restrictions Basic Rules page allows you to configure parental controls on the residential gateway, and to monitor the individuals who are authorized to set parental controls. Select the Basic Rules tab to open the Access Restrictions Basic Rules page.
Use the descriptions and instructions in the following table to configure the access restrictions basic rules for your residential gateway. After you make your selections, click Save Settings to apply your changes or Cancel Changes to cancel.

Section: Parental Control Basic Setup
  Parental Control Activation: Allows you to enable or disable parental controls. To enable parental controls, select the Enable Parental Control check box and click Apply. To disable parental controls, clear the Enable Parental Control check box and click Apply.
  Add Rule: Adds and saves a new rule to the list of content rules
  Remove Rule: Removes the selected rule from the content rule list

Section: Keyword List
  Keyword List: Allows you to create a list of keywords. Any attempt to access a URL that contains any of the keywords in this list will be blocked by the gateway
  Add/Remove Keyword: Allows you to add new keywords to the list or to delete selected keywords from the list

Section: Blocked Domain List
  Blocked Domain List: Allows you to create a list of domains to which the gateway should block access. Any attempt to access any of the domains in this list will be blocked by the gateway
  Add/Remove Domain: Allows you to add new domains to the list or to delete selected domains from the list

Section: Allowed Domain List
  Allowed Domain List: Allows you to create a list of domains to which the gateway allows access
  Add/Remove Allowed Domain: Allows you to add new domains to the list or to delete selected domains from the list
Section: Override the Password
  Password: Allows you to create a password to temporarily override user access restrictions to a blocked Internet site
  Re-Enter Password: Re-enter the same password to confirm the override password entered in the previous field
  Access Duration: Allows you to designate an amount of time, in minutes, during which the Override password will allow temporary access to a restricted Internet site
  Apply: Saves all additions, edits, and changes

To use keyword and domain blocking

Keyword and Domain blocking allows you to restrict access to Internet sites by blocking access to those sites based on a word or a text string contained in the URLs used to access those Internet sites. Domain blocking allows you to restrict access to websites based on the site's Domain Name. The Domain Name is the portion of the URL that precedes the familiar .COM, .ORG, or .GOV extension. Keyword blocking allows you to block access to Internet sites based on a keyword or text string being present anywhere in the URL, not just in the Domain Name.

Note: The Domain blocking feature blocks access to any Domain in the Domain List. It will also block Domains, any portion of which contains an exact match to entries in the list. For example, if you enter example.com as a Domain, any site that contains "example.com" will be blocked. Generally, you do not want to include "www." in a Domain Name, since doing so limits the blocking to only the site that matches that Domain Name exactly. For instance, if you enter www.example.com into the list, only the one site that matches that name exactly will be blocked. Consequently, if you do not include the "www.", then all sites within and associated with "example.com" will be blocked.
Block Access to Websites

If you wish to block access to websites, use the Blocked Domain List or the Keyword List. To use the Blocked Domain List, enter the URLs or domain names of the websites you wish to block.