
SSBS

Cyberoam UTM Implementation


Documentation
Release 1.0

Page: 1/60

Project: SSBS Cyberoam UTM Implementation

Client Name: SSBS

Client Address: Dammam, Saudi Arabia

Abstract: This document provides the as-built documentation for the SSBS network security appliance. It will help the SSBS IT team understand and administer their new IT network.

Document: SSBS Cyberoam Implementation

Author: Noushad Thadathil, Network Engineer, +966 55 494 3953

Date: 20th June 2009

Confidentiality Notice:
This document contains valuable trade secrets and confidential information of SSBS,
and shall not be disclosed to any person, organization, or entity unless such
disclosure is subject to the provisions of written non-disclosure and proprietary rights
agreement or intellectual property license agreement approved by SSBS.
The distribution of this document does not grant any license in or rights in whole or in
part, to the content, the product, technology, or intellectual property described herein.


Document Configuration Control

Issue: 01
Date: 20th June 2009
Amended by: Mr. Noushad Thadathil
Summary of Changes: Initial Draft

Document Approval

Name: Eng. Haris P Mohammed
Title: Project Manager
Initials/Sign:
Date: 3 July 09

Document Distribution

Name: Mr. Syed Tahir
Title: Infrastructure Manager
Company: SSBS

Name: Mr. Shakkeer
Title: Network Administrator
Company: SSBS


Table of Contents
1 Introduction ..................................................... 05
a. Purpose of this Document ........................................ 05
b. Acknowledgment .................................................. 05
2 Deploy Cyberoam in Gateway mode .................................. 05
3 Accessing the Web Admin Console .................................. 12
4 Upgrading Cyberoam firmware ...................................... 14
5 Configuring Gateways ............................................. 16
6 Integration with Active Directory ................................ 16
7 Import Active Directory Groups ................................... 21
8 Clientless Single Sign on implementation ......................... 25
9 Parent Proxy Deployment .......................................... 31
10 L2TP VPN ........................................................ 34
11 Configure MS Windows XP VPN Client for L2TP connection .......... 37
12 High Availability (HA) .......................................... 44
13 Backup and Restore Cyberoam ..................................... 48
14 Site to Site VPN ................................................ 51
15 Bill of Quantity ................................................ 60
16 Software Version Information .................................... 60


1. Introduction
1.a Purpose of this Document
This document provides the as-built documentation for the Cyberoam UTM deployment. It will
help the SSBS IT team understand and administer their new infrastructure.
1.b Acknowledgment
GBS would like to thank the SSBS IT Infrastructure team for their dedication and teamwork
with the GBS team, and for the facilitation, cooperation and support that enabled a
successful implementation.
2. Deploy Cyberoam in Gateway mode
Starting the Network Configuration Wizard
Click the Wizard button at the top right of the Dashboard to start the Network Configuration Wizard, then click Start.


Configuring deployment mode and IP addresses


Configuring Mail Settings


Configure the mail server IP address, the administrator email address from which notification mails will be sent, and the
email address of the notification recipient.

Configuring Date and Time zone


Cyberoam will take some time to restart; please wait before clicking to access the Web Admin Console.

Note:
After changing the LAN IP address, you must use the new IP address to reconnect to the Web Admin Console. You might
also have to change the IP address of the management station so that it is on the same subnet as the new IP address.
This finishes the basic configuration of Cyberoam; the appliance is now ready for use.


3. Accessing the Web Admin Console


Cyberoam Web Admin Console (GUI) access requires Microsoft Internet Explorer 5.5+ or Mozilla Firefox
1.5+ and display settings of True Color (32 bits).
Log on Methods

HTTP log in
To open the unencrypted login page, type the following in the browser's address box:
http://<IP address of Cyberoam>


Dashboard screen


4. Upgrading Cyberoam Firmware


Before You Update
Cyberoam should be registered.
The IPS module should be registered and updated (trial).

Step 1. Check for Upgrades
Press F10 to go to the Dashboard from any screen.
Under the Installation Information section, click Check for Upgrades.

Step 2. Download Upgrade
Click Download against the version to be downloaded and follow the on-screen instructions to save the
upgrade file.

Step 3. Upload the downloaded version to Cyberoam
Select Help > Upload Upgrade.
Type the file name with its full path, or select it using Browse, and click Upload.


Step 4. Upgrade
Once the upgrade file has been uploaded successfully, log on to the Console to upgrade the version.
Log on to the Cyberoam Telnet Console.
Type 6 to select Upgrade from the Main menu and follow the on-screen instructions.
A success message is displayed when the upgrade completes.

Repeat the above steps if more than one upgrade is available. If more than one upgrade is available, please
upgrade in the same sequence as displayed on the Available Upgrades page.


5. Configuring Gateways
Basic load balancing consists of defining multiple gateways. During the installation, you have
already configured the IP address of the default gateway. Apart from defining gateways,
configuration also consists of:
1. Assigning a weight to each link
2. How to check for link failure
3. What action to take in case of link failure

Add Gateway

Select System > Gateway > Manage Gateway(s)

Weight - displays the weight assigned to the gateway; it is used for load balancing and failover.

6. Integration with Active Directory


Implement Clientless Single Sign On authentication with multiple Active Directory Domain Controllers
The Cyberoam ADS integration feature allows Cyberoam to map users and groups from Active Directory for the
purpose of authentication.
Prerequisites:

NetBIOS Domain name
FQDN Domain name
Search DN
Active Directory Server IP address
Administrator Username and Password (Active Directory Domain)
IP address of the Cyberoam Interface connected to the Active Directory server
Import Active Directory Groups
Configure Clientless SSO

Determine NetBIOS Name, FQDN and Search DN
On the ADS server:
Go to Start > Programs > Administrative Tools > Active Directory Users and Computers
Right-click the required domain and go to the Properties tab.
The Search DN is based on the FQDN. In the given example the FQDN is SSBS.LAN and the
Search DN is DC=SSBS,DC=LAN.


Configuring ADS authentication

Log on to the Cyberoam Web Admin Console and follow the steps given below.
Version 9.5.3.14 or above:
you can import AD groups into Cyberoam using the Import Wizard.
Groups can be imported only after the AD parameters have been integrated and defined in Cyberoam.
Step 2: Define Authentication parameters
Go to User > Authentication Settings
Select Active Directory under Configure Authentication & Integration parameters.
Select the Default Group.
Cyberoam will create user(s) in their respective groups if those groups already exist in Cyberoam; otherwise the user
will be created in the group selected as Default Group.


Step 3: Configure Cyberoam to use Active Directory

Click Add to configure the Active Directory parameters.
Specify the IP address of the Active Directory server.

Specify the TCP/IP port number in the Port field. This is the port on which the ADS server listens for
authentication requests. On the Cyberoam appliance, the default port for ADS traffic is 389. If your AD
server uses another port, specify that port number in the Port field.


Enter the Domain name (FQDN Domain Name).

Click Add and enter the Search DN. See the steps provided in the section Determine NetBIOS Name,
FQDN and Search DN to find the Search DN.

Click OK to save the query.


7. Importing Active Directory Groups


If you have deployed v 9.5.3 build 14 or above, import AD groups into Cyberoam using the Import
Wizard before configuring single sign on.


Follow the on-screen steps:

Step 2: Specify the Base DN. Cyberoam will fetch AD groups from the specified Base DN.

To import users from the default AD Container:

To import users from a custom AD Container:

If multiple custom containers have been created, repeat the entire process for each container.
Step 3: Select the groups to be imported into Cyberoam. Use <Ctrl> + Click to select multiple
groups. All groups created in AD are displayed (both those not yet imported and those already imported
into Cyberoam). An asterisk (*) beside the group name indicates that the group has already been imported into Cyberoam.
Use the arrows to move groups across the group lists.


If a user is a member of multiple AD groups, Cyberoam decides the user's group based on the
order of the groups defined in Cyberoam. Cyberoam searches the ordered group list from top to
bottom to determine the user's group membership. The first group that matches is taken as the
group of the user and that group's policies are applied to the user.
Groups can be re-ordered to change the membership preference using the Wizard.
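The following is an added example (not part of this document or of Cyberoam's software) that derives the Search DN from the domain FQDN as described in section 6 and applies the first-match rule above to an ordered group list; the users, group names and the default group name are constructed sample data.

```python
# Added example, not Cyberoam code: Search DN derivation (section 6) and
# first-match group resolution over Cyberoam's ordered group list (section 7).
from typing import Dict, Iterable, List


def search_dn_from_fqdn(fqdn: str) -> str:
    """Build the LDAP Search DN from the AD domain FQDN: SSBS.LAN -> DC=SSBS,DC=LAN."""
    labels = [label for label in fqdn.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("FQDN must contain at least one DNS label")
    return ",".join(f"DC={label}" for label in labels)


def resolve_user_group(user_ad_groups: Iterable[str],
                       cyberoam_group_order: List[str],
                       default_group: str) -> str:
    """Return the Cyberoam group whose policies apply to the user.

    Cyberoam walks its ordered group list from top to bottom and the first
    group the user belongs to wins.  A user who is in none of the imported
    groups is placed in the Default Group chosen under Authentication Settings.
    """
    membership = {g.lower() for g in user_ad_groups}
    for group in cyberoam_group_order:
        if group.lower() in membership:
            return group
    return default_group


def preview_membership(users: Dict[str, List[str]],
                       cyberoam_group_order: List[str],
                       default_group: str) -> Dict[str, str]:
    """Map every user to the group that would apply under a given group order."""
    return {user: resolve_user_group(groups, cyberoam_group_order, default_group)
            for user, groups in users.items()}


def membership_changes(users: Dict[str, List[str]], old_order: List[str],
                       new_order: List[str], default_group: str = "Default Group"):
    """Users whose effective group would change if the list were re-ordered.

    Run this with the current and the proposed order before re-ordering groups
    in the Import Wizard, so policy changes are known in advance.
    """
    before = preview_membership(users, old_order, default_group)
    after = preview_membership(users, new_order, default_group)
    return {u: (before[u], after[u]) for u in users if before[u] != after[u]}


# Constructed sample data (not taken from the SSBS directory).
SAMPLE_USERS = {
    "alice": ["Domain Users", "Finance", "VPN-Users"],
    "bob": ["Domain Users", "IT-Admins", "VPN-Users"],
    "carol": ["Domain Users"],
}
CURRENT_ORDER = ["IT-Admins", "Finance", "VPN-Users"]
PROPOSED_ORDER = ["VPN-Users", "IT-Admins", "Finance"]


if __name__ == "__main__":
    print(search_dn_from_fqdn("SSBS.LAN"))
    print(membership_changes(SAMPLE_USERS, CURRENT_ORDER, PROPOSED_ORDER))
```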

8. Clientless Single Sign on (SSO)


Transparent Authentication (Clientless Single Sign On)
Cyberoam provides Clientless Single Sign On through the Cyberoam Transparent Authentication Suite
(CTAS).
With Single Sign On authentication, a user is automatically logged on to Cyberoam when logging on to
Windows with their Windows username and password, eliminating the need for multiple
logins and multiple usernames and passwords.
Clientless Single Sign On not only eliminates the need to remember separate passwords for
Windows and Cyberoam, it also eliminates the installation of SSO clients on each workstation.
This delivers high ease of use to end users and a higher level of security, in addition to lowering the
operational costs involved in client installation.
Cyberoam Transparent Authentication Suite (CTAS)
The CTA Suite consists of:
CTA Agent - monitors user authentication requests arriving at the domain controller and sends the
information to the Collector for Cyberoam authentication.
CTA Collector - collects the user authentication requests from multiple agents, processes the
requests and sends them to Cyberoam for authentication.
Step 6: Installing CTA Suite
Download the CTA Suite from http://www.cyberoam.com/clientless_sso.html
Extract ctas.rar and install the CTA Suite on the Domain controller by following the on-screen instructions.
Administrative rights are required to install the CTA Suite.

Check for the Cyberoam Transparent Authentication Suite entry under Start > All Programs.
If installed successfully, the Cyberoam Transparent Authentication Suite entry will have been added.
Consider the hypothetical network example given below, where a single domain controller is
configured, and follow the steps below to configure Cyberoam Transparent Authentication:


Configure the CTA Collector from the CTA Collector tab on the Primary Domain Controller


If logoff detection is enabled and a firewall is configured on the workstation, please allow
traffic to and from the Domain controller. If ping is blocked, Cyberoam will always detect the user
as logged out.
Step 8. Configure the Agent from the CTA Agent tab on the Primary Domain Controller

Step 9. Configure the Agent from the CTA Agent tab on Additional Domain Controller 1

Repeat step 9 for all the additional Domain Controllers.

Step 10. Configure Cyberoam
Log on to the CLI Console with the default password, go to Option 4 Cyberoam Console and execute the
following commands at the prompt:
corporate>cyberoam cta enable
corporate>cyberoam cta collector add collector-ip <ipaddress> collector-port <port number>
Please make sure that you restart the management services after enabling the CTA services.


Enable Security Event logging on Active Directory

This completes the configuration.


9. Parent proxy configuration


The parent proxy can be deployed in:

the Internet
the internal network (LAN or DMZ)

Parent proxy deployed in LAN/DMZ

When the parent proxy is deployed in the LAN or DMZ, Cyberoam is configured as the proxy server for the LAN
users, and Cyberoam routes all outbound requests through the parent proxy.

Figure 2 - Parent Proxy deployed in DMZ

Log on to Web Admin Console


Step 1. Go to System > HTTP Proxy > Configure HTTP Proxy and configure the upstream proxy IP address and
communication port.

Step 2. Configure firewall rules

a. Create a host for the parent proxy.
b. Create a LAN to WAN firewall rule for the parent proxy.
To prevent a routing loop, do not apply an Internet Access Policy (IAP) or HTTP scanning to this rule.

c. Create a LAN to LAN firewall rule.

If the parent proxy is deployed in the DMZ, create DMZ to WAN and DMZ to DMZ firewall rules instead.


10. L2TP VPN


You can use the Layer 2 Tunneling Protocol (L2TP) to create a VPN tunnel over public networks such as the Internet. For
user authentication, Cyberoam currently supports only the Password Authentication Protocol (PAP); the PAP exchange
is carried inside the IPSec-protected L2TP tunnel configured below.
The procedure outlines how to configure Cyberoam as an L2TP server and create an L2TP connection from the Web Admin Console:
Step 1. Configure the default L2TP settings from VPN > L2TP > Configuration

1. The IP address selected in the Local IP Address field will be assigned to the L2TP server.
2. Specify the IP address range. L2TP clients will be assigned IP addresses from the specified range.
3. Specify the DNS and alternate DNS server IP addresses.
4. Specify the WINS and alternate WINS server IP addresses.
5. Click the Save button to save the details.
6. Click the Add Users button to define users.

Step 2. Click the Add Users button to define the L2TP users.

Step 3: Create a policy from VPN > Policy > Create Policy with the following values:
Policy Name: l2tp_policy
Using Template: None
Keying Method: Automatic


Allow Re-keying: No
Pass Data In Compressed Format: Yes
Perfect Forward Secrecy (PFS): No
Key life: 3600 secs
Action When Peer Is Not Active: Clear
Change the other values as per your requirements.

Step 4. Create the L2TP connection from VPN > L2TP > Connection > Create Connection with the following values:
Name: branch_1
Policy: l2tp_policy (created in step 3)
Action on Restart: Active
Authentication Type: Preshared key
Preshared key: specify as per your requirement
Local server: select the WAN IP address of Cyberoam
Local ID: specify as per your requirement
Change the other values as per your requirements.


Step 5. Activate the connection from VPN > L2TP > Connection > Manage Connection and click the status icon
against each connection under Connection Status.

The changed icon under Connection Status indicates that the connection has been successfully activated. Once the connection is activated,
L2TP clients can establish the connection.


11. Configuring Windows VPN Client for L2TP


The following procedure outlines how to configure a Windows XP VPN client to access resources
behind a Cyberoam appliance that has been set up to accept L2TP connections.
Set up an L2TP connection on a Windows XP client as follows:
1. Go to Start > Control Panel > Network Connections > Create a New Connection and then click Next

2. Select Connect to the network at my workplace and click Next

3. Select Virtual Private Network Connection and click Next

4. In Company Name, specify the connection name and click Next

5. In the Host name or IP address field, type the WAN IP address of the Cyberoam and click
Next

The WAN IP address should be the same as specified in the Local server field under Local Network Details of the L2TP Connection.
6. Select Anyone's use and click Next

7. Click Finish

8. If the Windows dialer does not open automatically, click the connection to open the dialer

9. Click Properties
In the Networking tab, select L2TP IPSec VPN as the Type of VPN and click OK

In the Security tab:
1) Select Advanced, click Settings, enable Unencrypted password (PAP) and click
OK

2) Click IPSec Settings and enable Use pre-shared key for authentication. Specify the preshared
key and click OK

10. Specify a valid username and password and click Connect


12. High Availability (HA) Configuration


The diagram given below displays how the two appliances, primary and secondary, are
connected physically.

Before configuring HA
Points to be noted
DHCP & PPPoE - A High Availability (HA) cluster cannot be configured if any of the Cyberoam
interfaces is dynamically configured using the DHCP or PPPoE protocols.
Cyberoam upgrade - AutoUpgrade mode will automatically be disabled on both cluster
appliances once the High Availability (HA) cluster is configured. To upgrade HA cluster
appliances, HA mode is to be disabled and each appliance has to be upgraded individually.
HA Session failover - AV scanned sessions, VPN sessions, UDP, ICMP, multicast and
broadcast sessions, and proxy traffic sessions are not maintained when an HA cluster is
configured.
Masqueraded Connections - In case of the following events on any of the HA cluster
appliances, all masqueraded connections will be dropped:
Restart Management Service (RMS)
Execution of Network Configuration
Manual Synchronization

HA Load balancing - An Active-Active HA cluster does not load balance VPN sessions, UDP,
ICMP, multicast and broadcast sessions. TCP traffic for the Web Admin Console or Telnet
Console and VLAN traffic sessions are also not load balanced between the cluster
appliances.
Restore backup - HA is to be disabled to restore a backup.
Network Configuration Wizard - the wizard will not allow you to update the DMZ IP address that is
configured as the dedicated HA link port.
Before attempting to configure two Cyberoam appliances as an HA pair for hardware failover,
check the following requirements:
Both appliances in the HA cluster, i.e. the primary and auxiliary appliances, must have the same
number of interfaces.
Both appliances in the HA cluster must have the same version installed.
You must have separate licenses for the primary and auxiliary appliances. The same
subscription modules should be enabled on both appliances, otherwise these modules will not be
supported in the event of a failure of the primary appliance. For example, if the IDP module is
enabled on the primary appliance and not on the auxiliary appliance, then on failover, when the
auxiliary appliance becomes active, IDP policies will not be applied.
The dedicated HA link port should be from the DMZ zone interfaces only and should have a unique
IP address on each of the appliances.
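As an added illustration, not part of this document or of Cyberoam's software, the following Python check encodes the requirements above so that a pair of appliance descriptions can be validated before HA is enabled; the Appliance and Interface records, their field names and the sample pair are constructed.

```python
# Added example, not Cyberoam code: pre-flight check of the HA requirements
# listed above before two appliances are clustered.  Appliance records and
# field names are constructed for illustration.
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Interface:
    name: str
    zone: str                     # "LAN", "WAN" or "DMZ"
    ip: str
    addressing: str = "static"    # "static", "dhcp" or "pppoe"


@dataclass
class Appliance:
    name: str
    version: str                  # firmware version, e.g. "9.6.0 build 16"
    interfaces: List[Interface]
    modules: Set[str] = field(default_factory=set)   # enabled subscription modules
    ha_link_port: str = ""        # interface name used as the dedicated HA link


def find_interface(app: Appliance, name: str) -> Optional[Interface]:
    return next((i for i in app.interfaces if i.name == name), None)


def ha_preflight(primary: Appliance, auxiliary: Appliance) -> List[str]:
    """Return the list of requirement violations; an empty list means the pair can be clustered."""
    problems: List[str] = []
    for app in (primary, auxiliary):
        dynamic = [i.name for i in app.interfaces if i.addressing in ("dhcp", "pppoe")]
        if dynamic:
            problems.append(f"{app.name}: {dynamic} use DHCP/PPPoE, HA cluster cannot be configured")
    if len(primary.interfaces) != len(auxiliary.interfaces):
        problems.append("appliances do not have the same number of interfaces")
    if primary.version != auxiliary.version:
        problems.append(f"firmware versions differ: {primary.version} vs {auxiliary.version}")
    # Modules enabled only on the primary stop applying when the auxiliary takes over.
    missing = primary.modules - auxiliary.modules
    if missing:
        problems.append(f"modules {sorted(missing)} enabled on primary only; their policies "
                        "will not apply after failover")
    if primary.ha_link_port != auxiliary.ha_link_port:
        problems.append("the same port must be used as HA link port on both appliances")
    links = [(app, find_interface(app, app.ha_link_port)) for app in (primary, auxiliary)]
    for app, link in links:
        if link is None:
            problems.append(f"{app.name}: HA link port {app.ha_link_port!r} not found")
        elif link.zone != "DMZ":
            problems.append(f"{app.name}: HA link port {link.name} is in {link.zone}, must be a DMZ interface")
    if all(link is not None for _, link in links) and links[0][1].ip == links[1][1].ip:
        problems.append("HA link port must have a unique IP address on each appliance")
    return problems


def sample_pair():
    """Constructed sample pair: identical except for the HA link IP and one module."""
    primary = Appliance(
        name="CR500i-primary", version="9.6.0 build 16",
        interfaces=[Interface("A", "LAN", "192.168.110.1"),
                    Interface("B", "WAN", "192.0.2.10"),
                    Interface("C", "DMZ", "10.254.254.1")],
        modules={"AV", "AS", "WebFilter", "IDP"}, ha_link_port="C")
    auxiliary = Appliance(
        name="CR500i-auxiliary", version="9.6.0 build 16",
        interfaces=[Interface("A", "LAN", "192.168.110.2"),
                    Interface("B", "WAN", "192.0.2.11"),
                    Interface("C", "DMZ", "10.254.254.2")],
        modules={"AV", "AS", "WebFilter"}, ha_link_port="C")
    return primary, auxiliary


if __name__ == "__main__":
    for problem in ha_preflight(*sample_pair()) or ["HA requirements satisfied"]:
        print(problem)
```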

Configure Primary appliance

1. Select Firewall > Create Rule and create a firewall rule with the following parameters
(on both appliances):
Source: DMZ/Any Host
Destination: LOCAL/Dedicated HA link port
Service: HA Service
Action: Accept
2. Select User > User > Add User and add the HA administrator.
Make sure to select the User Type as Administrator while creating the HA Administrator, as the Audit
log for HA events will be logged under this username. HA events in the Audit log can
be identified by this name.
3. Select System > HA > Configure HA
4. The appliance key is displayed as the Primary Appliance Key. The Auxiliary Appliance Key is displayed
after HA is configured.
5. Select the HA mode for the cluster. When configuring the cluster, you must set all members of
the HA cluster to the same HA mode.
Active-Active - Select to configure a cluster for load balancing and failover HA. In active-active
mode both the primary and auxiliary appliances process traffic and monitor the status of the
other cluster appliance. The primary appliance controls load balancing between the cluster
appliances.
Active-Passive - Select to configure a cluster for failover HA. In active-passive mode the
primary appliance processes all connections. The auxiliary appliance passively monitors the
cluster status and remains synchronized with the primary appliance.
6. Specify the HA link port. HA peers are physically connected using a crossover cable through this
port. You must use the same port as the HA link port on the peer appliance as well.
Cluster appliances use this link to communicate cluster information and to synchronize with
each other.

The dedicated HA link port should be from any of the DMZ zone interfaces only.
7. Specify the HA Administrator username, the same as defined in step 2.
8. Specify the IP address configured on the HA link port of the peer appliance.
9. Specify the Administration Port of the peer appliance, i.e. the peer appliance port on which
access is allowed for administration purposes.
10. Specify the Administration Port IP address of the peer appliance. Use this IP address to access the
Web Admin Console of the peer appliance.
11. Select the ports to be monitored. Both appliances will monitor their own ports, and if any
of the monitored ports goes down, the appliance will remove itself from the cluster and failover will
occur.
12. Click Enable HA to enable HA.
Before enabling HA, please make sure that the firewall rule specified in step 1 has also been created on the peer
appliance. The appliance from which HA is enabled will act as the primary appliance while the
peer appliance will act as the auxiliary appliance.
If everything is cabled and configured properly and HA is enabled successfully:
As per the configuration mode, Active will be displayed for the Primary appliance and Passive
or Active for the Auxiliary appliance.
Both appliances will have the same configuration except for the HA link port IP address.

Additional options made available after HA is enabled:

Primary Appliance - Put on Standby (only for Active-Passive mode), Disable HA, Sync
Auxiliary (used to synchronize the Auxiliary appliance and Primary appliance configurations)
Auxiliary appliance - Disable HA, Sync with Primary (used to synchronize the Auxiliary appliance
and Primary appliance configurations)
By default, as soon as HA is enabled successfully, both appliances will synchronize
automatically.
Active-Active cluster


13. Backup and Restore Cyberoam configuration


Objective
This article describes the Cyberoam configuration backup and restore procedure.
Cyberoam takes a backup of the configuration, which includes firewall rules, policies, network configuration and user accounts.
Once the backup is taken, it can be restored on any appliance. Restoring older data will lead to the loss of the current
configuration.
Note:

Higher versions cannot be restored on lower versions, e.g. a backup of version 9.5.3 build 22 cannot be restored on
version 9.5.0 build 29.
A backup of a higher-end appliance cannot be restored on a lower-end appliance, e.g. from a CR1500i onto a CR500i.

Step 1. Backup a configuration

Log on to the Web Admin Console of the appliance whose backup is to be taken.
From the Web Admin Console, go to System > Manage Data > Backup Data and take the system backup up to the current
date.

Once the backup is taken successfully, you will be prompted to download and save the backup file.


If the backup is to be restored onto another appliance, mail this saved backup file to the Administrator who is going to
restore the backup onto the other appliance.
Step 2. Restore a configuration
Log on to the Web Admin Console of the appliance onto which the backup is to be restored.
Upload backup file
Upload the backup file from System > Manage Data > Restore Data and specify the name of the backup file to be uploaded,
i.e. the backup file saved in Step 1.


Restore backup file


Log on to the Telnet Console, go to Option 5 Cyberoam Management > Option 6 Restore Backup.


14. Site-to-Site VPN Configuration


Establish a Net-to-Net IPSec VPN Connection between Cyberoam and a Cisco Router using a Preshared key
Product: The information in this article is based on Cyberoam Version 9.5.3.14 and a Cisco Router.
This article describes a detailed configuration example that demonstrates how to set up a net-to-net IPSec VPN
connection between Cyberoam and a Cisco Router, using a preshared key to authenticate the VPN peers.
Throughout the article we will use the network parameters shown in the network diagram given below. Cyberoam is
installed at the Dammam HO while the Cisco Router is installed at the Bahrain branch.
In the hypothetical example considered in this article, a static IP address is configured for Cyberoam, but depending on
the network requirements it is also possible that a dynamic IP address is configured for Cyberoam.
The article includes the network diagram and details of the information to be gathered before configuration, and covers the
following scenarios when Cyberoam is configured for:

1. Aggressive mode Authentication
2. Main mode Authentication: Static IP address assigned to Cyberoam, Dynamic IP address assigned to
Cyberoam
Each scenario includes:

Cyberoam configuration steps
Cisco Router configuration steps

We will establish the VPN connection from the Dammam branch to the Bahrain branch, therefore:
For the Dammam HO:
Cyberoam is the Local server.
Cisco Router is the Remote server.
For the Bahrain branch:
Cisco Router is the Local server.
Cyberoam is the Remote server.
Network Diagram


Information to be gathered before configuration


Before configuring the IPSec connection, gather the following information about the Remote server:

1. Connection details - Encryption algorithm, Authentication Algorithm and DH/PFS Group
2. Preshared Key
3. Server IP addresses
4. Internal Network Subnet

Configuration Table

Please note: the Phase 1 and Phase 2 parameters (Encryption algorithm, Authentication Algorithm and DH/PFS
Group) must be the same on both peers, the Cyberoam and the Cisco Router VPN servers.


Configuration Parameters: IPSec Connection (Net-to-Net)

Cyberoam

Local Network details
Cyberoam WAN IP address: 87.101.231.178
Local Internal Network: 172.16.80.0/24, 192.168.110.0/24
Preshared Key: p@ssw0rd

Remote Network details
Remote VPN server IP address: 217.17.240.249
Remote Internal Network: 10.0.0.0/8

Cisco Router

Local Network details
Cisco Router IP address: 217.17.240.249
Local Internal Network: 10.0.0.0/8
Preshared Key: p@ssw0rd

Remote Network details
Remote VPN server IP address: 87.101.231.178
Remote Internal Network: 172.16.80.0/24, 192.168.110.0/24

Cyberoam Configuration
Applicable to version: 9.5.8 onwards
Task list

1. Define the VPN policy: configure the Phase 1 & Phase 2 parameters used to authenticate the remote peer and establish a
secure connection
2. Define the VPN connection parameters


Cisco Router Configuration (Bahrain)

SSBS-BHA#show running-config
Building configuration...
Current configuration : 5206 bytes
!


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SSBS-BHA
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 errors
!
no aaa new-model
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.119
ip dhcp excluded-address 10.0.0.191 10.255.255.254
!
ip dhcp pool ssbs-bh
!
ip domain name ssbs.com.bh
ip name-server 217.17.233.101
ip name-server 193.188.97.212
!
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key p@ssw0rd address 87.101.231.178
!
!
crypto ipsec transform-set SSBS esp-3des esp-md5-hmac
!
crypto map SSBS-DMM 1 ipsec-isakmp
description SSBS-DAMMAM
set peer 87.101.231.178
set transform-set SSBS
match address 190
!
log config


hidekeys
!
interface FastEthernet0/0
description $ INSIDE LAN $
ip address 10.0.0.138 255.0.0.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 77.69.141.243 255.255.255.248
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
interface ATM0/2/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/2/0.1 point-to-point
no snmp trap link-status
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/3/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/3/0.1 point-to-point
no snmp trap link-status
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface Dialer0


description $ DSL OUTSIDE $


ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username ssb2 password 7 00554155500E5D
crypto map SSBS-DMM
!
ip local pool abc 192.168.10.1 192.168.10.100
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 10
!
ip flow-cache timeout active 1
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 10.0.0.222 9996
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.0.0.1 2121 interface Dialer0 2121
ip nat inside source static tcp 10.0.0.40 3007 interface Dialer0 3007
ip nat inside source static tcp 10.0.0.41 22 interface Dialer0 22
ip nat inside source static tcp 10.0.0.41 80 interface Dialer0 8085
ip nat inside source static tcp 10.0.0.81 3389 interface Dialer0 4330
ip nat inside source static tcp 10.0.0.41 8086 interface Dialer0 8086
ip nat inside source static tcp 10.0.0.41 1521 interface Dialer0 1521
ip nat inside source static tcp 10.0.0.60 3389 interface Dialer0 7000
ip nat inside source static tcp 10.0.0.67 8085 interface Dialer0 4777
ip nat inside source static tcp 10.0.0.67 22 interface Dialer0 2777
ip nat inside source static tcp 10.0.0.111 3389 interface Dialer0 2289
ip nat inside source static tcp 10.0.0.64 22 interface Dialer0 1922
ip nat inside source static tcp 10.0.0.85 3389 interface Dialer0 4329
ip nat inside source static tcp 10.0.0.61 3389 interface Dialer0 7329
ip nat inside source list 150 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.40 21 interface Dialer0 21
ip nat inside source static tcp 10.0.0.41 21 interface Dialer0 2101
ip nat inside source static tcp 10.0.0.64 1521 interface Dialer0 1522
ip nat inside source static tcp 10.0.0.41 4848 interface Dialer0 3004
ip nat inside source static tcp 10.0.0.12 3389 interface Dialer0 3389
ip nat inside source static tcp 10.0.0.61 4899 interface Dialer0 4899
!
logging trap alerts
logging 10.0.0.1
logging 10.0.0.222


access-list 23 permit 10.0.0.1


access-list 23 permit 10.0.0.190
access-list 23 permit 10.0.0.222
access-list 110 permit ip 10.0.0.0 0.255.255.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 150 deny ip 10.0.0.0 0.255.255.255 172.16.80.0 0.0.0.255
access-list 150 deny ip 10.0.0.0 0.255.255.255 192.168.110.0 0.0.1.255
access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 150 deny ip 10.0.0.0 0.255.255.255 192.168.10.0 0.0.0.255
access-list 150 permit ip 10.0.0.0 0.255.255.255 any
access-list 190 permit ip 10.0.0.0 0.255.255.255 172.16.80.0 0.0.0.255
access-list 190 permit ip 10.0.0.0 0.255.255.255 192.168.110.0 0.0.1.255
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
password 7 115E4D522421293F26020A047A6766013C29
login
line aux 0
password 7 055C5258127F6C3A3B2D36325958570B1E1C
login
line vty 0 4
password 7 014452536838243C03646F294B5144243F35
login
!
scheduler allocate 20000 1000
!
webvpn cef
!
end
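Added example, not from this document, Cyberoam or Cisco: it parses the VPN-relevant lines of the running-config above, converts the crypto ACL wildcard masks to CIDR, compares the result with the configuration table, and verifies that every network pair selected for encryption is excluded from the overload NAT on Dialer0. The CISCO_CONFIG excerpt and the TABLE_* constants are copied from the page; on this input it reports that the 0.0.1.255 wildcard for 192.168.110.0 selects a /23 rather than the /24 listed in the table.

```python
# Added example, not Cyberoam or Cisco code: pull the IPSec parameters the
# Dammam peer must match out of the Bahrain router config above and check the
# crypto ACL and NAT exemption against the configuration table.
import ipaddress
import re
from typing import Dict, List, Tuple

# Excerpt of the running-config shown above (only the VPN-relevant lines).
CISCO_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key p@ssw0rd address 87.101.231.178
crypto ipsec transform-set SSBS esp-3des esp-md5-hmac
crypto map SSBS-DMM 1 ipsec-isakmp
 set peer 87.101.231.178
 set transform-set SSBS
 match address 190
ip nat inside source list 150 interface Dialer0 overload
access-list 150 deny ip 10.0.0.0 0.255.255.255 172.16.80.0 0.0.0.255
access-list 150 deny ip 10.0.0.0 0.255.255.255 192.168.110.0 0.0.1.255
access-list 150 permit ip 10.0.0.0 0.255.255.255 any
access-list 190 permit ip 10.0.0.0 0.255.255.255 172.16.80.0 0.0.0.255
access-list 190 permit ip 10.0.0.0 0.255.255.255 192.168.110.0 0.0.1.255
"""

# Values from the configuration table above.
TABLE_CYBEROAM_WAN_IP = "87.101.231.178"
TABLE_CYBEROAM_LOCAL_NETS = {"172.16.80.0/24", "192.168.110.0/24"}
TABLE_CISCO_LOCAL_NETS = {"10.0.0.0/8"}

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]

def wildcard_to_network(addr: str, wildcard: str) -> Net:
    """Cisco wildcard masks are inverted netmasks: 0.0.1.255 -> /23, not /24."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return Net(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def acl_pairs(config: str, acl: str, action: str) -> List[Pair]:
    """(source, destination) networks of the `action` entries of extended ACL `acl`."""
    pat = re.compile(rf"^access-list {acl} {action} ip (\S+) (\S+) (\S+) (\S+)$", re.M)
    return [(wildcard_to_network(s, sw), wildcard_to_network(d, dw))
            for s, sw, d, dw in pat.findall(config)]

def _one(pattern: str, config: str) -> str:
    m = re.search(pattern, config, re.M)
    if not m:
        raise ValueError(f"pattern not found in config: {pattern}")
    return m.group(1)

def parse_ipsec(config: str) -> Dict:
    """Phase 1 policy, Phase 2 transform, peer, crypto ACL and NAT-exempt ACL entries."""
    info = {
        "encr": _one(r"^\s*encr (\S+)", config),
        "hash": _one(r"^\s*hash (\S+)", config),
        "dh_group": int(_one(r"^\s*group (\d+)", config)),
        "transform": _one(r"^crypto ipsec transform-set \S+ (.+)$", config).split(),
        "peer": _one(r"^\s*set peer (\S+)", config),
    }
    crypto_acl = _one(r"^\s*match address (\d+)", config)
    nat_acl = _one(r"^ip nat inside source list (\d+)", config)
    info["interesting"] = acl_pairs(config, crypto_acl, "permit")
    info["nat_exempt"] = acl_pairs(config, nat_acl, "deny")
    return info

def check_against_table(info: Dict) -> List[str]:
    """Mismatches between the router and the configuration table; empty means consistent."""
    problems = []
    if info["peer"] != TABLE_CYBEROAM_WAN_IP:
        problems.append(f"crypto map peer {info['peer']} != table {TABLE_CYBEROAM_WAN_IP}")
    local = {str(src) for src, _ in info["interesting"]}
    remote = {str(dst) for _, dst in info["interesting"]}
    for net in sorted(TABLE_CISCO_LOCAL_NETS - local):
        problems.append(f"table local network {net} not among crypto ACL sources {sorted(local)}")
    for net in sorted(TABLE_CYBEROAM_LOCAL_NETS - remote):
        problems.append(f"table remote network {net} not among crypto ACL destinations {sorted(remote)}")
    # Traffic selected for the tunnel must be excluded from PAT on Dialer0, otherwise it
    # is translated before encryption and never matches the crypto ACL.
    for pair in info["interesting"]:
        if pair not in info["nat_exempt"]:
            problems.append(f"{pair[0]} -> {pair[1]} is encrypted but not exempted from NAT")
    return problems
```

Phase 1 (3DES/MD5/DH group 2) and Phase 2 (esp-3des esp-md5-hmac) values come back in the parsed dictionary for manual comparison with the Cyberoam VPN policy, which the page does not list.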

15. Bill of Quantity


Sl#  Part No.            Description                                                Serial No.
1    CR-500i             Cyberoam UTM Device CR 500i                                CO10001154
2    CR-500i             Cyberoam UTM Device CR 500i                                CO10001153
3    03-CBS-BDL-0500-01  1 Year Antispam & Antivirus for CR500i
4    03-CFS-BDL-0500-01  1 Year Web and Application Filter for CR500i
5    03-CIP-BDL-0500-01  1 Year Intrusion Detection & Prevention (IDP) for CR500i


15.1 Software Licenses


1. 01-CBS-BDL-0500-01 Activation Key: AV & AS Software for 1 year
Antivirus: C015008850-S7DZWUWF
Antispam: C015008950-Y7H4I3AY

2. 01-CFS-BDL-0500-01 Activation Key: Web & App. Filter Software for 1 year
C015008654-YHXN4N5Z

3. 01-CIP-BDL-0500-01 Activation Key: IDP Software for 1 year
C015008752-11CU658Z

16. Software version information


Present Cyberoam software version: 9.6.0 build 16

----------------------------------------End of this document----------------------------------------

