
6034 - SSBS Cyberoam Documentation_V0

Jul 06, 2018

  • 8/17/2019 6034 - SSBS Cyberoam Documentation_V0

    1/60

     

    Page: 1/60

    S S B S

    Cyberoam UTM Implementation

    Documentation

    Release 1.0


    Project   SSBS Cyberoam UTM Implementation

    Client Name  SSBS

    Client Address Dammam Saudi Arabia

    Abstract: This document provides the as-built documentation for the SSBS network security appliance. The documentation will help the SSBS IT team in understanding and administrating their new IT network.

     Document SSBS Cyberoam Implementation

     Author  Noushad Thadathil

     Network Engineer

    +966 55 494 3953

     Date  20th June 2009

    Confidentiality Notice:

    This document contains valuable trade secrets and confidential information of SSBS, and shall not be disclosed to any person, organization, or entity unless such disclosure is subject to the provisions of written non-disclosure and proprietary rights agreement or intellectual property license agreement approved by SSBS. The distribution of this document does not grant any license in or rights in whole or in part, to the content, the product, technology, or intellectual property described herein.


    Document Configuration Control

    Issue | Date | Amended by | Summary of Changes
    01 | 20th June 2009 | Mr. Noushad Thadathil | Initial Draft

    Document Approval

    Name | Title | Initials/Sign | Date
    Eng. Haris P Mohammed | Project Manager | | 3 July 09

    Document Distribution

    Name | Title | Company
    Mr. Syed Tahir | Infrastructure Manager | SSBS
    Mr. Shakkeer | Network Administrator | SSBS


    Table of Contents

    1  Introduction ........ 05
       a. Purpose of this Document ........ 05
       b. Acknowledgment ........ 05
    2  Deploy Cyberoam in Gateway mode ........ 05
    3  Accessing the Web Admin Console ........ 12
    4  Upgrading Cyberoam firmware ........ 14
    5  Configuring Gateways ........ 16
    6  Integration with Active Directory ........ 16
    7  Import Active Directory Groups ........ 21
    8  Clientless Single Sign on implementation ........ 25
    9  Parent Proxy Deployment ........ 31
    10 L2TP VPN ........ 34
    11 Configure MS Windows XP VPN Client for L2TP connection ........ 37
    12 High Availability (HA) ........ 44
    13 Backup and Restore Cyberoam ........ 48
    14 Site to Site VPN ........ 51
    15 Bill of Quantity ........ 60
    16 Software Version Information ........ 60


    1. Introduction

    1.a Purpose of this Document

    This document provides the as-built documentation for the Cyberoam UTM deployment. The documentation will help the SSBS IT team in understanding and administrating their new infrastructure.

    1.b. Acknowledgment:

    GBS would like to thank the SSBS IT Infrastructure team for their dedication and team work with the GBS team, in addition to the facilitation, cooperation & support which enabled us to achieve a successful implementation.

    2. Deploy Cyberoam in Gateway mode

    Starting Network Configuration Wizard

    Click Wizard button on the top right of the Dashboard to start Network Configuration Wizard and click Start.


    Configuring Mail Settings

    Configure the mail server IP address, the administrator email address from which the notification mails will be sent, and the email address of the notification recipient.

    Configuring Date and Time zone


    Cyberoam will take time to restart, please wait for some time before clicking to access the Web Admin Console.

    Note: After changing the LAN IP address, you must use this IP address to reconnect to the Web Admin Console. You might also have to change the IP address of the management station to be on the same subnet as the new IP address.

    This finishes the basic configuration of Cyberoam and now you are ready to use the Appliance.


    3. Accessing the Web Admin Console

    Cyberoam Web Admin Console (GUI) access requires Microsoft Internet Explorer 5.5+ or Mozilla Firefox 1.5+ and display settings set to True color (32 bits).

    Log on Methods

    HTTP log in: To open the unencrypted login page, in the browser’s Address box, type http://


    Screen – Dashboard


    4. Upgrading Cyberoam Firmware

    Before You Update

    Cyberoam should be registered.

    IPS Module registered and updated (Trial)

    Step 1. Check for Upgrades
    Press F10 to go to the Dashboard from any of the screens. Under the Installation Information section, click Check for Upgrades.

    Step 2. Download Upgrade
    Click Download against the version to be downloaded and follow the on-screen instructions to save the upgrade file.

    Step 3. Upload downloaded version to Cyberoam
    Select Help > Upload Upgrade. Type the file name with full path or select it using ‘Browse’ and click Upload.


    Step 4. Upgrade
    Once the upgrade file is uploaded successfully, log on to the Console to upgrade the version. Log on to the Cyberoam Telnet Console, type ‘6’ to upgrade from the Main menu and follow the on-screen instructions. A success message will be displayed if the upgrade completes.

    Repeat the above steps if more than one upgrade is available. If more than one upgrade is available, please upgrade in the same sequence as displayed on the Available Upgrades page.


    5. Configuring Gateways 

    Basic load balancing consists of defining multiple gateways. During the installation, you have already configured the IP address of the default Gateway. Apart from defining gateways, configuration also consists of:

    1. Assigning weight to each link
    2. How to check for the link failure
    3. What action to take in case of link failure

    Add Gateway: Select System > Gateway > Manage Gateway(s)

    Weight: Displays the weight assigned to the Gateway. Used for load balancing and failover.
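The three items above (a weight per link, a failure check, and an action when a link fails) are the mechanism behind the Weight column. The following is an added illustration, not Cyberoam's own algorithm or any code from this document: it implements smooth weighted round-robin over the gateways that passed the most recent failure check, so a link that fails the check simply stops receiving new connections. The gateway names, addresses and the probe callback are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Gateway:
    name: str
    ip: str
    weight: int          # relative share of new connections (the Weight column)
    healthy: bool = True


class GatewaySelector:
    """Spread new connections over gateways by weight, skipping links that failed the check.

    Smooth weighted round-robin: every pick adds each live gateway's weight to its
    running credit, chooses the gateway with the most credit and charges it the
    total weight, so a 3:1 weighting yields A, A, B, A rather than A, A, A, B.
    """

    def __init__(self, gateways: List[Gateway], probe: Callable[[Gateway], bool]):
        self.gateways = gateways
        self.probe = probe                   # the "how to check for link failure" part
        self.credit: Dict[str, int] = {g.name: 0 for g in gateways}

    def check_links(self) -> List[str]:
        """Run the failure check on every gateway and return the names now marked down."""
        for g in self.gateways:
            g.healthy = self.probe(g)
        return [g.name for g in self.gateways if not g.healthy]

    def pick(self) -> Optional[Gateway]:
        """Choose the gateway for the next new connection; None means every link is down."""
        live = [g for g in self.gateways if g.healthy]
        if not live:
            return None                      # action on total failure is left to the caller
        total = sum(g.weight for g in live)
        for g in live:
            self.credit[g.name] += g.weight
        best = max(live, key=lambda g: self.credit[g.name])
        self.credit[best.name] -= total
        return best


def distribute(selector: GatewaySelector, connections: int) -> Dict[str, int]:
    """Count how many of `connections` new flows each gateway would receive."""
    counts: Dict[str, int] = {}
    for _ in range(connections):
        gw = selector.pick()
        key = gw.name if gw else "no-route"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: two WAN links, the first carrying three quarters of new flows.
    links = [Gateway("WAN1", "192.0.2.1", 3), Gateway("WAN2", "198.51.100.1", 1)]
    selector = GatewaySelector(links, probe=lambda g: True)
    print(distribute(selector, 8))                 # {'WAN1': 6, 'WAN2': 2}
    selector.probe = lambda g: g.name != "WAN2"    # simulate WAN2 failing the check
    print(selector.check_links())                  # ['WAN2']
    print(distribute(selector, 4))                 # {'WAN1': 4}
```

The probe is deliberately a callback: on the appliance it is whatever link check is configured, while here it can be swapped for a canned result to see how the distribution changes once a link is marked down.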

    6. Integration with Active Directory 

    Implement Clientless Single Sign On authentication in Multiple Active Directory Domain Controller

    The Cyberoam – ADS integration feature allows Cyberoam to map the users and groups from Active Directory for the purpose of authentication.

    Prerequisites:  

    • NetBIOS Domain name
    • FQDN Domain name
    • Search DN
    • Active Directory Server IP address
    • Administrator Username and Password (Active Directory Domain)
    • IP address of Cyberoam Interface connected to Active Directory server
    • Import Active Directory Groups
    • Configure Clientless SSO

    On the ADS server:

    • Go to Start > Programs > Administrative Tools > Active Directory Users and Computers
    • Right click the required domain and go to the Properties tab
    • Search DN will be based on the FQDN. In the given example the FQDN is SSBS.LAN and the Search DN will be DC=SSBS, DC=LAN


    Configuring ADS authentication

    Log on to the Cyberoam Web Admin Console and follow the steps given below:

    Version 9.5.3.14 or above: you can import AD groups into Cyberoam using the Import Wizard.

    One can import groups only after integrating and defining AD parameters in Cyberoam.

    Step 2: Define Authentication parameters

    Go to User > Authentication Settings. Select ‘Active Directory’ under Configure Authentication & Integration parameters.

    Select Default Group.

    Cyberoam will create user(s) in the respective groups if the groups are already created in Cyberoam; otherwise the user will be created in the group selected as Default group.


    Step 3: Configure Cyberoam to use Active Directory

    Click Add to configure Active Directory parameters. Specify the IP address of the Active Directory server.

    Specify the TCP/IP port number in the Port field. It is the port on which the ADS server listens for authentication requests. On the Cyberoam appliance, the default port for ADS traffic is 389. If your AD server is using another port, specify that port number in the Port field.


    Enter the Domain name (FQDN Domain Name). Click Add and enter the Search DN. Check the steps provided in section ‘Determine NETBIOS Name, FQDN and Search DN’ to find the Search DN.

    Click OK to save the query.


    7. Importing Active Directory Groups

    If you have deployed v9.5.3 build 14 or above, import AD groups into Cyberoam using the Import Wizard before configuring for single sign on.


    Follow the on-screen steps:

    Step 2: Specify Base DN. Cyberoam will fetch AD groups from the specified Base DN.

    To import users from default AD Container:


    To import users from custom AD Container:

    If multiple custom containers are created, repeat the entire process for each container.

    Step 3: Select the groups that are to be imported into Cyberoam. Use + Click to select multiple groups. All the groups created in AD (both not yet imported and already imported into Cyberoam) are displayed. A * beside the group name indicates that the group is already imported into Cyberoam. Use the arrows to move groups across the group lists.


    If a user is a member of multiple AD groups, Cyberoam will decide the user's group based on the order of the groups defined in Cyberoam. Cyberoam searches the ordered group list from top to bottom to determine the user's group membership. The first group that matches is considered the group of the user and that group's policies are applied to the user. Re-ordering of groups to change the membership preference is possible using the Wizard.
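Two of the rules above are easy to get wrong when several people administer the appliance: the Search DN derived from the FQDN (section 6) and the top-to-bottom group precedence that decides which policies a multi-group user gets. The following added example (not code from this document or from Cyberoam) models both, including the fallback to the Default Group from section 6 for a user in none of the imported groups, so an administrator can preview what a re-ordering in the Import Wizard would change. The user names and group names are constructed; the case-insensitive comparison of group names is an assumption.

```python
from typing import Dict, Iterable, List


def search_dn_from_fqdn(fqdn: str) -> str:
    """Turn a DNS domain name into the LDAP Search DN Cyberoam asks for.

    SSBS.LAN -> DC=SSBS,DC=LAN (the document writes it with a space after the
    comma; both spellings are valid DN syntax). Works for any number of labels.
    """
    labels = [part for part in fqdn.strip().strip(".").split(".") if part]
    if not labels:
        raise ValueError("FQDN must contain at least one label")
    return ",".join(f"DC={label}" for label in labels)


def resolve_effective_group(user_groups: Iterable[str],
                            cyberoam_group_order: List[str],
                            default_group: str) -> str:
    """Return the single Cyberoam group whose policies apply to the user.

    cyberoam_group_order is the imported-group list in the order shown in the
    Import Wizard, highest preference first. The first listed group the user
    belongs to wins; a user in none of them lands in the Default Group.
    Group names are compared case-insensitively (assumption).
    """
    membership = {name.casefold() for name in user_groups}
    for group in cyberoam_group_order:
        if group.casefold() in membership:
            return group
    return default_group


def membership_report(users: Dict[str, List[str]],
                      cyberoam_group_order: List[str],
                      default_group: str) -> Dict[str, str]:
    """Map every user to the effective group, so a re-ordering can be previewed."""
    return {user: resolve_effective_group(groups, cyberoam_group_order, default_group)
            for user, groups in users.items()}


if __name__ == "__main__":
    print(search_dn_from_fqdn("SSBS.LAN"))          # DC=SSBS,DC=LAN
    # Constructed sample users and their AD memberships.
    users = {"alice": ["Finance", "Staff"], "bob": ["Staff"], "carol": ["Contractors"]}
    print(membership_report(users, ["IT", "Finance", "Staff"], "Default"))
    # Moving Staff above Finance changes alice's policies, not bob's or carol's.
    print(membership_report(users, ["IT", "Staff", "Finance"], "Default"))
```

Running the report before and after a re-ordering shows exactly which users change policy group, which is the check worth doing before saving the Wizard's new order on a production appliance.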

    8. Clientless Single Sign on (SSO)

    Transparent Authentication (Clientless Single Sign On)

    Cyberoam introduces Clientless Single Sign On as the Cyberoam Transparent Authentication Suite (CTAS). With Single Sign On authentication, the user automatically logs on to Cyberoam when logging on to Windows with his Windows username and password, eliminating the need for multiple logins and usernames & passwords. Clientless Single Sign On not only eliminates the need to remember multiple passwords – Windows and Cyberoam – it also eliminates the installation of SSO clients on each workstation, delivering high ease-of-use to end-users and higher levels of security in addition to lowering the operational costs involved in client installation.

    Cyberoam Transparent Authentication Suite (CTAS)

    The CTA Suite consists of:

    CTA Agent – It monitors user authentication requests coming to the domain controller and sends the information to the Collector for Cyberoam authentication.

    CTA Collector – It collects the user authentication requests from multiple agents, processes the requests and sends them to Cyberoam for authentication.

    Step 6: Installing CTA Suite

    Download CTA Suite from http://www.cyberoam.com/clientless_sso.html. Extract ctas.rar and install CTA Suite on the Domain controller by following the on-screen instructions.

    Administrative rights are required to install CTA Suite.

    Check for the “Cyberoam Transparent Authentication Suite” tab under “Start” > “All Programs”. If installed successfully, the “Cyberoam Transparent Authentication Suite” tab will be added. Consider the hypothetical network example below where a single domain controller is configured and follow the steps given below to configure Cyberoam Transparent Authentication:


    Configure CTA Collector from CTA Collector Tab on Primary Domain Controller


    If “logoff detection settings” is enabled and a firewall is configured on the Workstation, please allow the traffic to and from the Domain controller. If ping is blocked, then Cyberoam will always detect the user as logged out.

    Step 8. Configure Agent from CTA Agent Tab on Primary Domain Controller


    Configure Agent from CTA Agent Tab on Additional Domain Controller 1


    Repeat step 9 for all the additional Domain Controllers.

    Step 10. Configure Cyberoam

    Log on to the CLI Console with the default password, go to Option 4 Cyberoam Console and execute the following commands at the prompt:

    corporate>cyberoam cta enable
    corporate>cyberoam cta collector add collector-ip collector-port

    Please make sure that you restart management services after enabling the CTA services.


    Enable Security Event logging on Active Directory

    This completes the configuration.


    9. Parent proxy configuration

    Parent proxy can be deployed in the: 

    •  Internet

    •  Internal network (LAN or DMZ) 

    Parent proxy deployed in LAN/DMZ 

    When the Parent proxy is deployed in the LAN or DMZ, Cyberoam is to be configured as the proxy server for the LAN users. Cyberoam routes all the outbound requests through the parent proxy.

    Figure 2 - Parent Proxy deployed in DMZ 

    Log on to Web Admin Console 


    Step 1. Go to System > HTTP Proxy > Configure HTTP Proxy and configure the Upstream proxy IP address and communication port.

    Step 2. Configure firewall rule

    a. Create host for Parent proxy
    b. Create LAN to WAN firewall rule for Parent proxy. To prevent a routing loop, do not apply Internet access policy (IAP) and HTTP scanning.


    c. Create LAN to LAN firewall rule 

    If parent proxy is deployed in DMZ, create DMZ to WAN and DMZ to DMZ firewall rule.


    10. L2TP VPN

    You can use Layer 2 Tunneling Protocol (L2TP) to create a VPN tunnel over public networks such as the Internet. For authentication, currently Cyberoam supports only the Password Authentication Protocol (PAP).

    Procedure outlines how to configure Cyberoam as a L2TP server and create L2TP connection from Web Admin console:

    Step 1. Configure default L2TP setting from VPN → L2TP Configuration

    1. IP address selected in “Local IP Address” field will be assigned to L2TP server
    2. Specify IP address range. L2TP clients will be assigned IP address from the specified range.
    3. Specify DNS and alternate DNS server IP address
    4. Specify WINS and alternate WINS server IP address
    5. Click “Save” button to save the details
    6. Click “Add Users” button to define users.

    Click “Add Users” button to define users.

    Step 3: Create policy from VPN → Policy → Create Policy with the following values:

    Policy Name: l2tp_policy
    Using Template: None
    Keying Method: Automatic


    Allow Re-keying: No
    Pass Data In Compressed Format: Yes
    Perfect Forward Secrecy (PFS): No
    Key life: 3600 secs
    Action When Peer Is Not Active: Clear

    Change other values as per your requirements.

    Step 4. Create L2TP Connection from VPN → L2TP Connection → Create Connection with the following values:

    Name: branch_1
    Policy: l2tp_policy (created in step 3)
    Action on Restart: Active
    Authentication Type: Preshared key
    Preshared key: specify as per your requirement
    Local server: select WAN IP address of Cyberoam
    Local ID: specify as per your requirement

    Change other values as per your requirements. 


    Step 5. Activate the connection from VPN → L2TP Connection → Manage Connection and click under Connection Status against each connection.

    The indicator under Connection Status shows that the connection is successfully activated. Once the connection is activated, the L2TP client can establish the connection.


    11. Configuring Windows VPN Client for L2TP

    The following procedures outline how to configure a Windows XP VPN client to access resources behind a Cyberoam Appliance that has been set up to accept L2TP connections. Set up an L2TP connection on a Windows XP client as follows:

    1. Go to Start > Control Panel > Network Connections > Create a New Connection and then click Next


    2. Select ‘Connect to the network at my workplace’ and click Next

    3. Select ‘Virtual Private Network Connection’ and click Next


    4. In Company Name, specify connection name and click Next

    5. In the Host name or IP address field, type the WAN IP address of the Cyberoam and click Next

    The WAN IP address should be the same as specified in the ‘Local server’ field under Local Network Details in L2TP Connection.

    6. Select ‘Anyone’s use’ and click Next

    7. Click ‘Finish’


    8. If Windows Dialer does not open automatically, click Connection to open dialer

    9. Click Properties. In the Networking tab, select ‘L2TP IPSec VPN’ as Type of VPN and click OK


    In the Security tab:

    1) Select ‘Advanced’, click ‘Settings’, enable ‘Unencrypted password (PAP)’ and click OK


    2) Click IPSec Settings and enable ‘Use pre-shared key for authentication’. Specify the preshared key and click OK


    9. Specify valid username and password and click Connect


    12. High Availability (HA) Configuration

    The diagram below displays how the two appliances – primary and secondary – will be connected physically.

    Before configuring HA

    Points to be noted:

    • DHCP & PPPoE – A High Availability (HA) cluster cannot be configured if any of the Cyberoam interfaces is dynamically configured using the DHCP or PPPoE protocols.

    • Cyberoam upgrade – AutoUpgrade mode will automatically be disabled on both the cluster appliances once the High Availability (HA) cluster is configured. To upgrade HA cluster appliances, HA mode is to be disabled and each appliance has to be upgraded individually.

    • HA Session failover – AV scanned sessions, VPN sessions, UDP, ICMP, multicast and broadcast sessions and proxy traffic sessions are not maintained when an HA cluster is configured.

    • Masqueraded Connections – In case of the following events on any of the HA cluster appliances, all the masqueraded connections will be dropped:

      • Restart Management Service (RMS)
      • Execution of Network Configuration
      • Manual Synchronization


    • HA Load balancing – An Active-Active HA cluster does not load balance VPN sessions, UDP, ICMP, multicast and broadcast sessions. TCP traffic for the Web Admin Console or Telnet Console and VLAN traffic sessions are also not load balanced between the cluster appliances.

    • Restore backup – HA is to be disabled to restore a backup.

    • The Network Configuration Wizard will not allow updating the DMZ IP address which is configured as the dedicated HA link port.

    Before attempting to configure two Cyberoam appliances as an HA pair for hardware failover, check the following requirements:

    • Both appliances in the HA cluster, i.e. the primary and auxiliary appliances, must have the same number of interfaces.

    • Both appliances in the HA cluster must have the same version installed.

    • You must have separate licenses for the primary and auxiliary appliances. On both appliances the same subscription modules should be enabled, else these modules will not be supported in the event of a failure of the Primary appliance. For example, if the IDP module is enabled on the Primary appliance and not enabled on the Auxiliary appliance, then on failover, when the Auxiliary appliance becomes Active, IDP policies will not be applicable.

    • The dedicated HA link port should be from the DMZ zone interface only and should have a unique IP address on both appliances.

    Configure Primary appliance

    1. Select Firewall > Create Rule and create a firewall rule with the following parameters (for both the appliances):
       • Source: DMZ/Any Host
       • Destination: LOCAL/Dedicated HA link port
       • Service: HA Service
       • Action: Accept

    2. Select User > User > Add User and add the HA administrator. Make sure to select User Type as ‘Administrator’ while creating the HA Administrator, as the Audit log for the HA events will be logged under this username. HA events in the Audit log can be identified with this name.

    3. Select System > HA > Configure HA.

    4. Displays the appliance key as the Primary Appliance Key. The Auxiliary Appliance Key is displayed after HA is configured.

    5. Select the HA mode for the cluster. When configuring a cluster, you must set all the members of the HA cluster to the same HA mode.

       Active-Active: Select to configure a cluster for load balancing and failover HA. In active-active mode both primary and auxiliary appliances process traffic and monitor the status of the other cluster appliance. The primary appliance controls load balancing among both the cluster appliances.

       Active-Passive: Select to configure a cluster for failover HA. In active-passive mode the primary appliance processes all connections. The auxiliary appliance passively monitors the cluster status and remains synchronized with the primary appliance.

    6. Specify the HA link port. HA peers are physically connected using a crossover cable through this port. You must use the same port as the HA link port on the peer appliance also. Cluster appliances use this link to communicate cluster information and to synchronize with each other.


    The dedicated HA link port should be from any of the DMZ zone interfaces only.

    7. Specify the HA Administrator username. Same as defined in step 2.

    8. Specify the IP address configured on the HA link port of the peer appliance.

    9. Specify the Administration Port of the Peer appliance, i.e. the peer appliance port on which access is allowed for administration purposes.

    10. Specify the Administration Port IP address of the Peer appliance. Use this IP address to access the Web Admin Console of the Peer appliance.

    11. Select the ports to be monitored. Both appliances will monitor their own ports and if any of the monitored ports goes down, the appliance will remove itself from the cluster and failover will occur.

    12. Click Enable HA to enable HA.

    Before enabling HA, please make sure that the firewall rule specified in step 1 is created on the peer appliance also. The appliance from which HA is enabled will act as the primary appliance while the peer appliance will act as the auxiliary appliance.

    If everything is cabled and configured properly and HA is enabled successfully:

    • As per the configuration mode, ‘Active’ will be displayed for the Primary appliance and ‘Passive’ or ‘Active’ for the Auxiliary appliance.

    • Both appliances will have the same configuration except the HA link port IP address.

    • Additional options made available after HA is enabled:

      Primary Appliance – Put on Standby (only for Active-Passive mode), Disable HA, Sync Auxiliary (use to synchronize Auxiliary appliance and Primary appliance configurations)

      Auxiliary appliance – Disable HA, Sync with Primary (use to synchronize Auxiliary appliance and Primary appliance configurations)

    By default, as soon as HA is enabled successfully, both appliances will synchronize automatically.

    Active – Active cluster


    13. Backup and Restore Cyberoam configuration

    Objective This article describes Cyberoam configuration backup and restore procedure. 

    Cyberoam takes a backup of the configuration, which includes firewall rules, policies, network configuration and user accounts. Once the backup is taken, it can be restored on any appliance. Restoring older data will lead to the loss of the current configuration.

    Note:

    •  Higher versions cannot be restored on lower versions, i.e. a backup of version 9.5.3 build 22 cannot be restored on version 9.5.0 build 29

    •  Backup of higher end appliances cannot be restored on lower end appliances i.e. from CR1500i on CR500i
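The two restrictions in the note are worth checking before a restore is started, because a restore replaces the target's current configuration. The following is an added example (not code from this document or from Cyberoam) that parses version strings in the document's "9.5.3 build 22" form and appliance models in the "CR500i" form and applies both rules. The assumption that the number in the model name orders appliances from lower-end to higher-end is mine and is labelled in the code.

```python
import re
from typing import Tuple

# Version strings look like "9.5.3 build 22"; appliance models look like "CR500i".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s+build\s+(\d+)\s*$", re.IGNORECASE)
_MODEL_RE = re.compile(r"^\s*CR(\d+)i\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.5.3 build 22' -> (9, 5, 3, 22); tuples compare in release order."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Cyberoam version: {text!r}")
    return tuple(int(g) for g in m.groups())


def model_tier(model: str) -> int:
    """Numeric part of the model name (assumption: a higher number is a higher-end unit)."""
    m = _MODEL_RE.match(model)
    if not m:
        raise ValueError(f"unrecognised appliance model: {model!r}")
    return int(m.group(1))


def restore_allowed(backup_version: str, backup_model: str,
                    target_version: str, target_model: str) -> Tuple[bool, str]:
    """Apply the two restore rules from the note before touching the target appliance."""
    if parse_version(backup_version) > parse_version(target_version):
        return False, (f"backup from {backup_version} cannot be restored on "
                       f"{target_version}: a higher version cannot go to a lower version")
    if model_tier(backup_model) > model_tier(target_model):
        return False, (f"backup from {backup_model} cannot be restored on "
                       f"{target_model}: a higher-end backup cannot go to a lower-end appliance")
    return True, "restore permitted (the target's current configuration will be replaced)"


if __name__ == "__main__":
    # The two cases the note gives, plus the reverse direction of each.
    for args in [("9.5.3 build 22", "CR500i", "9.5.0 build 29", "CR500i"),
                 ("9.5.0 build 29", "CR500i", "9.5.3 build 22", "CR500i"),
                 ("9.5.3 build 22", "CR1500i", "9.5.3 build 22", "CR500i"),
                 ("9.5.3 build 22", "CR500i", "9.5.3 build 22", "CR1500i")]:
        print(args, "->", restore_allowed(*args))
```

Comparing the version as a tuple rather than as a string matters: "9.5.3 build 22" sorts after "9.5.0 build 29" although its build number is smaller, which is exactly the case the note describes.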

    Step 1. Backup a configuration 

    Log on to the Web Admin Console of the Appliance whose backup is to be taken. 

    From the Web Admin Console, go to System > Manage Data > Backup Data and take the system backup till the current date.

    Once the backup is taken successfully, you will be prompted to download and save the backup file. 


    If the backup is to be restored onto another appliance, mail the saved backup file to the Administrator who is going to restore the backup onto that appliance.

    Step 2. Restore a configuration 

    Log on to the Web Admin Console of the Appliance onto which backup is to be restored. 

    Upload backup file 

    Upload the backup file from System > Manage Data > Restore Data and specify the name of the backup file to be uploaded, i.e. the backup file saved in step 2.


    Restore backup file

    Log on to the Telnet Console, go to Option 5 Cyberoam Management > Option 6 Restore Backup


    14. Site-to-Site VPN Configuration

    Establish Net-to-Net IPSec VPN Connection between Cyberoam and Cisco Router using Preshared key

    Product: The information in this article is based on Cyberoam Version 95314 and Cisco Router.

    This article describes a detailed configuration example that demonstrates how to set up a net-to-net IPSec VPN connection between Cyberoam and a Cisco Router using a preshared key to authenticate the VPN peers.

    Throughout the article we will use the network parameters shown in the network diagram below. Cyberoam is installed at the Dammam HO while the Cisco Router is installed at the Bahrain branch.

    In the hypothetical example considered in this article, a static IP address is configured for Cyberoam, but depending on the network requirement it is also possible that a dynamic IP address is configured for Cyberoam.

    The article includes the network diagram and details on the information to be gathered before configuration, and covers the following scenarios when Cyberoam is configured for:

    1. Aggressive mode Authentication
    2. Main mode Authentication: Static IP address is assigned to Cyberoam, Dynamic IP address is assigned to Cyberoam

    Each scenario includes:

    • Cyberoam configuration steps
    • Cisco Router configuration steps

    We will establish the VPN connection from the Dammam branch to the Bahrain branch, therefore:

    For Dammam HO:
    Cyberoam is the Local server.
    Cisco Router is the Remote server.

    For Bahrain branch:
    Cisco Router is the Local server.
    Cyberoam is the Remote server.

    Network Diagram 


    Information to be gathered before configuration

    Before configuring for IPSec connection, gather the following information about the Remote server:

    1. Connection details – Encryption algorithm, Authentication Algorithm and DH/PFS Group
    2. Preshared Key
    3. Server IP addresses
    4. Internal Network Subnet

    Configuration Table

    Please note: the Phase 1 and Phase 2 parameters (Encryption algorithm, Authentication Algorithm and DH/PFS Group) must be the same for both peers, the Cyberoam and the Cisco Router VPN servers.


    Configuration Parameters | Cyberoam | Cisco Router

    Local Network details | Cyberoam WAN IP address – 87.101.231.178 | Cisco Router IP address – 217.17.240.249
    | Local Internal Network – 172.16.80.0/24, 192.168.110.0/24 | Local Internal Network – 10.0.0.0/8
    | Preshared Key – p@ssw0rd | Preshared Key – p@ssw0rd

    Remote Network details | Remote VPN server IP address – 217.17.240.249 | Remote VPN server IP address – 87.101.231.178

    IPSec Connection (Net-to-Net) | Remote Internal Network – 10.0.0.0/8 | Remote Internal Network – 172.16.80.0/24, 192.168.110.0/24

    Cyberoam Configuration 

     Applicable to version: 9.5.8 onwards 

    Task list 

    1. Define VPN policy – configure Phase 1 & Phase 2 parameters to authenticate the remote peer and establish a secure connection

    2.  Define VPN connection parameters 


    Cisco Router Configuration (Bahrain )

    SSBS-BHA#show running-config
    Building configuration...

    Current configuration : 5206 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname SSBS-BHA
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 4096 errors
    !
    no aaa new-model
    !
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.0.0.1 10.0.0.119
    ip dhcp excluded-address 10.0.0.191 10.255.255.254
    !
    ip dhcp pool ssbs-bh
    !
    ip domain name ssbs.com.bh
    ip name-server 217.17.233.101
    ip name-server 193.188.97.212
    !
    multilink bundle-name authenticated
    !
    !
    voice-card 0
     no dspfarm
    !
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key p@ssw0rd address 87.101.231.178
    !
    !
    crypto ipsec transform-set SSBS esp-3des esp-md5-hmac
    !
    crypto map SSBS-DMM 1 ipsec-isakmp
     description SSBS-DAMMAM
     set peer 87.101.231.178
     set transform-set SSBS
     match address 190
    !
    log config
     hidekeys
    !
    interface FastEthernet0/0
     description $ INSIDE LAN $
     ip address 10.0.0.138 255.0.0.0
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address 77.69.141.243 255.255.255.248
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface Serial0/1/0
     no ip address
     shutdown
     clock rate 2000000
    !
    interface ATM0/2/0
     no ip address
     shutdown
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface ATM0/2/0.1 point-to-point
     no snmp trap link-status
     pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
    !
    interface ATM0/3/0
     no ip address
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface ATM0/3/0.1 point-to-point
     no snmp trap link-status
     pvc 8/35
      encapsulation aal5snap
      protocol ppp dialer
      dialer pool-member 1
     !
    !
    interface Dialer0
     description $ DSL OUTSIDE $
     ip address negotiated
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication pap callin
     ppp pap sent-username ssb2 password 7 00554155500E5D
     crypto map SSBS-DMM
    !
    ip local pool abc 192.168.10.1 192.168.10.100
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 10
    !
    ip flow-cache timeout active 1
    ip flow-export source FastEthernet0/0
    ip flow-export version 5
    ip flow-export destination 10.0.0.222 9996
    !
    ip http server
    ip http access-class 23
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source static tcp 10.0.0.1 2121 interface Dialer0 2121
    ip nat inside source static tcp 10.0.0.40 3007 interface Dialer0 3007
    ip nat inside source static tcp 10.0.0.41 22 interface Dialer0 22
    ip nat inside source static tcp 10.0.0.41 80 interface Dialer0 8085
    ip nat inside source static tcp 10.0.0.81 3389 interface Dialer0 4330
    ip nat inside source static tcp 10.0.0.41 8086 interface Dialer0 8086
    ip nat inside source static tcp 10.0.0.41 1521 interface Dialer0 1521
    ip nat inside source static tcp 10.0.0.60 3389 interface Dialer0 7000
    ip nat inside source static tcp 10.0.0.67 8085 interface Dialer0 4777
    ip nat inside source static tcp 10.0.0.67 22 interface Dialer0 2777
    ip nat inside source static tcp 10.0.0.111 3389 interface Dialer0 2289
    ip nat inside source static tcp 10.0.0.64 22 interface Dialer0 1922
    ip nat inside source static tcp 10.0.0.85 3389 interface Dialer0 4329
    ip nat inside source static tcp 10.0.0.61 3389 interface Dialer0 7329
    ip nat inside source list 150 interface Dialer0 overload
    ip nat inside source static tcp 10.0.0.40 21 interface Dialer0 21
    ip nat inside source static tcp 10.0.0.41 21 interface Dialer0 2101
    ip nat inside source static tcp 10.0.0.64 1521 interface Dialer0 1522
    ip nat inside source static tcp 10.0.0.41 4848 interface Dialer0 3004
    ip nat inside source static tcp 10.0.0.12 3389 interface Dialer0 3389
    ip nat inside source static tcp 10.0.0.61 4899 interface Dialer0 4899
    !
    logging trap alerts
    logging 10.0.0.1
    logging 10.0.0.222
    access-list 23 permit 10.0.0.1
    access-list 23 permit 10.0.0.190
    access-list 23 permit 10.0.0.222
    access-list 110 permit ip 10.0.0.0 0.255.255.255 192.168.10.0 0.0.0.255
    access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 150 deny ip 10.0.0.0 0.255.255.255 172.16.80.0 0.0.0.255
    access-list 150 deny ip 10.0.0.0 0.255.255.255 192.168.110.0 0.0.1.255
    access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 150 deny ip 10.0.0.0 0.255.255.255 192.168.10.0 0.0.0.255
    access-list 150 permit ip 10.0.0.0 0.255.255.255 any
    access-list 190 permit ip 10.0.0.0 0.255.255.255 172.16.80.0 0.0.0.255
    access-list 190 permit ip 10.0.0.0 0.255.255.255 192.168.110.0 0.0.1.255
    dialer-list 1 protocol ip permit
    !
    control-plane
    !
    line con 0
     password 7 115E4D522421293F26020A047A6766013C29
     login
    line aux 0
     password 7 055C5258127F6C3A3B2D36325958570B1E1C
     login
    line vty 0 4
     password 7 014452536838243C03646F294B5144243F35
     login
    !
    scheduler allocate 20000 1000
    !
    webvpn cef
    !
    end
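    The rule stated in the VPN section above (Phase 1, Phase 2 and subnet parameters must be identical on both peers) and the router capture just shown can be checked mechanically rather than by eye. The following Python script is an added example written for this document; it is not Cyberoam or Cisco tooling. It parses the IPsec-related lines of the router's running-config (copied from the capture above into a string), compares them with the Cyberoam-side values from the configuration table, and reports every discrepancy. The Cyberoam Phase 1/2 settings in the script (3DES/MD5/DH group 2 and esp-3des/esp-md5-hmac) are an assumption, since the Cyberoam screens are not reproduced here; they are the values the document requires to match the router. The script also verifies that every crypto ACL entry has a matching deny in the NAT overload list (access-list 150), which is what keeps tunnel traffic from being translated on Dialer0 instead of encrypted.

```python
"""Added example: check that the Cisco (Bahrain) and Cyberoam (Dammam) IPsec
settings agree. Not Cyberoam or Cisco tooling; see the lead-in for assumptions."""
import ipaddress
import re

# Constructed input: the IPsec-related lines copied from the router configuration above.
ROUTER_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key p@ssw0rd address 87.101.231.178
crypto ipsec transform-set SSBS esp-3des esp-md5-hmac
crypto map SSBS-DMM 1 ipsec-isakmp
 set peer 87.101.231.178
 set transform-set SSBS
 match address 190
ip nat inside source list 150 interface Dialer0 overload
access-list 150 deny ip 10.0.0.0 0.255.255.255 172.16.80.0 0.0.0.255
access-list 150 deny ip 10.0.0.0 0.255.255.255 192.168.110.0 0.0.1.255
access-list 150 permit ip 10.0.0.0 0.255.255.255 any
access-list 190 permit ip 10.0.0.0 0.255.255.255 172.16.80.0 0.0.0.255
access-list 190 permit ip 10.0.0.0 0.255.255.255 192.168.110.0 0.0.1.255
"""

# Cyberoam side from the configuration table. The Phase 1/2 values are assumed:
# they are what the document says must be configured to match the router.
CYBEROAM = {
    "wan_ip": "87.101.231.178",
    "local_nets": ["172.16.80.0/24", "192.168.110.0/24"],
    "remote_nets": ["10.0.0.0/8"],
    "phase1": ("3des", "md5", "2"),           # encryption, hash, DH group
    "phase2": ("esp-3des", "esp-md5-hmac"),   # ESP transform set
}
WEAK_ENCR, WEAK_HASH, WEAK_GROUPS = {"des", "3des"}, {"md5"}, {"1", "2"}


def wildcard_to_network(addr, wildcard):
    """Cisco address + wildcard mask -> network (the wildcard is an inverted netmask)."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_acl_nets(tokens):
    """Source and destination networks from the tokens after 'ip' in an ACE ('any' allowed)."""
    nets, i = [], 0
    while len(nets) < 2:
        if tokens[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
        else:
            nets.append(wildcard_to_network(tokens[i], tokens[i + 1])); i += 2
    return nets[0], nets[1]


def parse_router(config):
    """Extract Phase 1 policy, transform sets, crypto map, NAT list and ACLs from IOS text."""
    r = {"acls": {}, "transforms": {}}
    block = re.search(r"^crypto isakmp policy \d+\n((?: .+\n)+)", config, re.M).group(1)
    policy = dict(line.split(None, 1) for line in block.splitlines())
    r["phase1"] = (policy["encr"], policy["hash"], policy["group"])
    r["psk"], r["key_peer"] = re.search(r"^crypto isakmp key (\S+) address (\S+)", config, re.M).groups()
    for name, algs in re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        r["transforms"][name] = tuple(algs.split())
    cmap = re.search(r"^crypto map \S+ \d+ ipsec-isakmp\n((?: .+\n)+)", config, re.M).group(1)
    r["peer"] = re.search(r"set peer (\S+)", cmap).group(1)
    r["phase2"] = r["transforms"][re.search(r"set transform-set (\S+)", cmap).group(1)]
    r["crypto_acl"] = re.search(r"match address (\d+)", cmap).group(1)
    r["nat_acl"] = re.search(r"^ip nat inside source list (\d+)", config, re.M).group(1)
    for num, action, rest in re.findall(r"^access-list (\d+) (permit|deny) ip (.+)$", config, re.M):
        r["acls"].setdefault(num, []).append((action, *parse_acl_nets(rest.split())))
    return r


def run_checks(config=ROUTER_CONFIG, cyberoam=CYBEROAM):
    """Return a list of findings; an empty list means the two peers agree."""
    r, findings = parse_router(config), []
    if r["phase1"] != cyberoam["phase1"]:
        findings.append(f"Phase 1 mismatch: router {r['phase1']} vs Cyberoam {cyberoam['phase1']}")
    if r["phase1"][0] in WEAK_ENCR or r["phase1"][1] in WEAK_HASH or r["phase1"][2] in WEAK_GROUPS:
        findings.append(f"Phase 1 uses deprecated algorithms {r['phase1']}; prefer AES, SHA-2, DH group 14+")
    if r["phase2"] != cyberoam["phase2"]:
        findings.append(f"Phase 2 mismatch: router {r['phase2']} vs Cyberoam {cyberoam['phase2']}")
    if r["peer"] != cyberoam["wan_ip"] or r["key_peer"] != cyberoam["wan_ip"]:
        findings.append(f"Router peer {r['peer']} / key address {r['key_peer']} != Cyberoam WAN {cyberoam['wan_ip']}")
    if len(r["psk"]) < 16:
        findings.append(f"ISAKMP pre-shared key is only {len(r['psk'])} characters; use a long random key")
    # Phase 2 selectors: the router's crypto ACL must mirror the Cyberoam's remote->local pairs exactly.
    expected = {(ipaddress.ip_network(s), ipaddress.ip_network(d))
                for s in cyberoam["remote_nets"] for d in cyberoam["local_nets"]}
    crypto = {(s, d) for act, s, d in r["acls"][r["crypto_acl"]] if act == "permit"}
    for s, d in sorted(crypto ^ expected):
        side = "router crypto ACL" if (s, d) in crypto else "Cyberoam"
        findings.append(f"Phase 2 selector {s} -> {d} is defined only on the {side}")
    # Tunnel traffic must be denied in the NAT overload list, or it is PAT'ed on Dialer0 and never encrypted.
    nat_denies = {(s, d) for act, s, d in r["acls"][r["nat_acl"]] if act == "deny"}
    for s, d in sorted(crypto - nat_denies):
        findings.append(f"VPN traffic {s} -> {d} is not exempted from NAT in access-list {r['nat_acl']}")
    return findings
```

    Run against the configuration as captured, run_checks() returns four findings: the deprecated Phase 1 algorithms, the 8-character pre-shared key, and the two halves of the selector mismatch (192.168.110.0/23 on the router's access-list 190, 192.168.110.0/24 on the Cyberoam). Widening the Cyberoam network object to 192.168.110.0/23, or changing the router wildcard to 0.0.0.255 on both access-list 150 and 190, removes the selector findings; removing a deny line from access-list 150 makes the NAT-exemption check fire instead.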

    15. Bill of Quantity

    Sl#  Part No.             Description                                                Serial No.
    1    CR-500i              Cyberoam UTM Device CR 500i                                CO10001154
    2    CR-500i              Cyberoam UTM Device CR 500i                                CO10001153
    3    03-CBS-BDL-0500-01   1 Year Antispam & Antivirus for CR500i
    4    03-CFS-BDL-0500-01   1 Year Web and Application Filter for CR500i
    5    03-CIP-BDL-0500-01   1 Year Intrusion Detection & Prevention (IDP) for CR500i


    15.1 Software Licenses

    1. 01-CBS-BDL-0500-01  Activation key: AV & AS software for 1 year
       Antivirus  C015008850-S7DZWUWF
       Antispam   C015008950-Y7H4I3AY

    2. 01-CFS-BDL-0500-01  Activation key: Web & Application Filter software for 1 year
       C015008654-YHXN4N5Z

    3. 01-CIP-BDL-0500-01  Activation key: IDP software for 1 year
       C015008752-11CU658Z

    16. Software version information

    Present Cyberoam software version 9.6.0 build 16

    ----------------------------------------End of this document----------------------------------------