Something a little different today.
Some time ago my home lab firewall (RV220W) was end of life (EOL) and of course that was a problem for me. Not that I had ever called Cisco for support but I did appreciate the updates. EOL means generally, no patches. I had liked it and was thinking of getting a newer version of it. Then I was at VMworld – or rather just before it – and I was in a class and the two guys in front of me were talking about the RV320 or RV325 as they both had EOL Cisco Small Business firewalls. Then I discovered the guy beside me was also looking at the RV320 or RV325. So once I heard this, I realized that the RV325 would be a great choice! It was also a reasonable price of approximately 340 CAD on Amazon.ca. This article will be about making it work. There will be other articles too – such as how to do a VPN with it.
I suggest plugging it into power, and into a private network – directly connected to your laptop. No need to connect your external – what Cisco calls the WAN port – at this time as we should get familiar with the firewall, upgrade and configure it, before we have an outage and connect it in place of the old one.
I suggest you check out the support web site and download any updates. My unit was manufactured in October 2013 so I suspect it will need an upgrade!
I note that the QSG said the unit shipped with the power switch in the ON position but mine did not. So I was able to connect the network and power before it powered up. Incidentally it has one of those odd setups where it is hard coded with an IP address so that means when you hook it up you should have your laptop directly connected to it and not have it connected to your actual network.
Once the unit is powered up, and you are connected to it you should connect your browser to HTTPS://192.168.1.1.
We need to log in to configure and the account and password are cisco. What you will see when you first log in is the Change Password screen.
When you add your info it will look something like below.
You should pay attention to the arrows, meaning to change the Minimal number of character classes to 4, and to enable the switch for new passwords being different than old ones. As well, note the password strength meter to help you understand how good your password is. More green means it is more complex and will take more time to crack.
Now we move on to network changes.
Once we save the new password we will see the Initial Setting screen as seen below (actually after having to log in again I suspect).
We want to configure the LAN settings. You can see how I have configured my settings below.
The red arrows are pointing at subnets I do not have or need. So we need to delete them. You must do that one at a time, and remember to scroll down and select Save in-between each delete.
Now we have only one IP address to work with, and so select it and select Edit.
Once you select Edit you will see the following screen.
I am an AD shop so that means my DHCP is part of Active Domain so it is disabled above. Once you have your IP info done – and potentially tweaked or disabled DHCP – you should hit Save.
Note: the IP address I used above is a legit one for my network and it is backed by an A record in DNS.
You will be warned that you will have network issues.
You should pause – after you select Yes. After the pause you should connect the firewall to your actual corporate (or lab) network, and connect your laptop back to it as well.
Once you (and the firewall) are back on the corporate (or lab) network, we can continue.
Time is very important, although it is most important to have consistent time first, and correct time second. What I mean by that is all of your devices should have the same time. If it is off by a few minutes, or even more, so long as they are all consistent you can deal with that. Plus consistent time helps you go through logs more easily.
So let's change to Setup \ Time.
Once I configure it for my world it looks like below.
I have used a Canadian NTP pool of 1.ca.pool.ntp.org but you could also use a US one at 1.us.pool.ntp.org. It is bad practice to have only one NTP server and no test button!
It is important to get all of your logs – where reasonable – to the same place. It can help enormously in troubleshooting if all of your logs – on the same time scale – are in the same UI. How often does an issue happen in isolation?
So let's change to Log \ System Log.
Once you enter your syslog server info, you should use Save.
At this point – even after save we will not see anything in the syslog server you are sending log events to.
Near the bottom of the Log \ System Log page there is a Log section. This is what will determine what log events will be sent out.
Below is what I have selected. Over time you may tweak these settings to conform with your own environment.
Now you will see in your log tool that you are getting traffic. Not a lot mind you.
We just installed this hardware and it does in fact need an update. It is using v1.1.0.09 and there is a v18.104.22.168. Once it is downloaded from here it is seen as RV32X_FW_v22.214.171.124.bin.
So let's change to System Management \ Firmware Upgrade.
So now you use the Choose File and select the firmware you have just downloaded. Then use the Firmware Upgrade button. I like the option to use the USB for an upgrade. You will be prompted to confirm the upgrade and it will then occur.
A reboot occurs.
After the restart is complete – and you log in, which should take about 5 – 6 minutes – you can check to see if the firmware took.
As you can see in my case, it did.
We will do a lot of config to this firewall before the end users start using it so that means a backup of the config is a good idea. Especially once we get the VPN working it will be very important to get the backup done as who will want to do that config over again!
So let's now change to System Management \ Backup and Restore.
Something to understand first. The Startup configuration is used to start the router. After 24 hours with no restarts or issues, it copies that configuration to Mirror. To be safe, I suggest we backup both Backup Startup Configuration, and Backup Mirror Configuration and store them in a safe location.
I suggest you back up after you make changes. Every time in fact.
Incidentally, you get a log message when you do an export. It has as a msg “Config file exported”. Nice.
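The Python below is an added example, not part of the original article or any Cisco tooling. It shows how a syslog collector could flag the "Config file exported" message and also catch a device whose clock has drifted from the collector's, which ties the logging setup back to the time settings. It assumes the firewall sends RFC 3164 style lines and shares the collector's time zone; the host name `rv325` and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed RFC 3164 layout: "<PRI>Mmm dd hh:mm:ss host message"
LINE_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

def parse_line(line, received):
    """Parse one line; `received` is the collector's clock at arrival."""
    m = LINE_RE.match(line)
    if not m or int(m.group(1)) > 191:      # PRI is facility*8 + severity
        return None
    pri, stamp, host, msg = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    # RFC 3164 timestamps have no year: borrow the collector's.
    sent = datetime.strptime(f"{received.year} {stamp}", "%Y %b %d %H:%M:%S")
    if sent - received > timedelta(days=180):   # sent in Dec, received in Jan
        sent = sent.replace(year=sent.year - 1)
    return {"facility": pri // 8, "severity": SEVERITIES[pri % 8],
            "host": host, "msg": msg, "skew": abs(received - sent)}

def review(events, max_skew=timedelta(minutes=2)):
    """Return findings for (line, received) pairs."""
    findings = []
    for line, received in events:
        ev = parse_line(line, received)
        if ev is None:
            findings.append(("unparsed", line))
            continue
        if ev["skew"] > max_skew:
            findings.append(("clock_skew", ev["host"], ev["skew"]))
        if "Config file exported" in ev["msg"]:
            findings.append(("config_export", ev["host"], ev["msg"]))
    return findings

# Constructed sample input: host name and message layout are made up.
T0 = datetime(2015, 10, 5, 14, 2, 15)
SAMPLE = [
    ("<14>Oct  5 14:02:11 rv325 System Log: Config file exported", T0),
    ("<13>Oct  5 13:40:00 rv325 Kernel: link up", T0),
    ("no priority field here", T0),
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

An export you did not perform yourself is worth a look, since the exported file holds the full router configuration.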
- If you press and hold the reset button for more than 3 seconds but less than 10 you get a reset with no loss of configuration info, but if you hold it for more than 10 seconds you get a factory reset. It seemed pretty consistent to me that it reset at 16 seconds. At least the way I count.
- I have 3 or 4 of the Cisco Small Business product line and am very happy with them. This includes SG200, SG300 switches and in the office lab we have a SG500XG with 8 ports of 10 GB that works pretty darn good too. The 1 Gb switches I have are all fanless and have a nice UI.
- Out of the box firmware was v1.1.0.09 2013-07-04.
- I will scan this firewall with my security tools and present what I find in a later article.
We have now a working firewall. It is not replacing the firewall in production use but it is close. We have AD integration and Policy left and I will cover both in different articles. We will move it into production at that time. I also want to get User VPN working too and that will be another article. I will use the RV325 tag with each article so you can find them all using this link. I will also connect the article as well.
Thanks for reading, and have a great day!
BTW, questions and comments are welcome and I try to answer all of them.