Deployment Guide 159
EXAMPLE 3: PROVIDING GUEST ACCESS THROUGH A CAPTIVE WEB PORTAL
Per User Queue Management: Enter the values shown in the Per User Queue Management table at the end of this section, and leave all other settings unchanged.
The policing rate limit for network control and voice is 0 Kbps because guests are not permitted to run any
applications that would generate network control traffic or use VoIP applications. In this example, guests
are expected to use cell phones or other phones provided for them. (If you want to provide VoIP for guests,
you must enable the SIP ALG, add another rule to the firewall policy permitting SIP traffic, and set the
policing rate limit for voice to 128 Kbps.)
Firewall Policy
You create a firewall policy that permits outgoing HTTP and HTTPS traffic from guests to the public network but not
to the corporate network itself (the private address ranges defined as address objects below). When applying the
policy to a user profile, set the default action to deny all incoming traffic and all outgoing traffic of any type
not explicitly permitted, so that anything the rules do not match is dropped rather than allowed through.
Address Objects
To make address objects that firewall rules can use to block traffic to the private IP address space of the internal
network, click Configuration > Advanced Configuration > Network Objects > IP Objects/Host Names > New,
enter the following, and then click Apply:
Network: (select)
Object Name: 10.0.0.0/8
In the IP Entry field, enter 10.0.0.0 for the IP address, 255.0.0.0 for the netmask, choose Global for the
type, enter a useful description such as Deny RFC 1918 (private addresses), and then click Apply.
To save the address and close the dialog box, click Save.
Repeat the above to create two more address objects, one for 172.16.0.0/12 (IP address = 172.16.0.0; netmask
= 255.240.0.0) and another for 192.168.0.0/16 (IP address = 192.168.0.0; netmask = 255.255.0.0).
Custom Service
To make a custom service for NAT-T (NAT Traversal), which carries IKE and ESP traffic encapsulated in UDP port 4500
when a NAT device is on the path (IKE negotiation still begins on UDP port 500, so a rule for that service is needed
as well), click Configuration > Advanced Configuration > Network Objects > Network Services > New, enter the
following, and then click Save:
Name: NAT-T
Description: NAT Traversal
IP Protocol: UDP (17)
Port Number: 4500
Service Idle Timeout: 1800
ALG Type: (leave blank)
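To check the firewall policy assembled from the address objects and services above before applying it to the guest user profile, the following Python script (an added example, not HiveManager code or a procedure from this guide) models first-match evaluation of an ordered rule list with a default-deny action. The object and service names come from this section; the rule order, the Rule/evaluate/check_policy helpers, the assumption that rules are evaluated top-down, and the test addresses (203.0.113.10 from the documentation range, 10.1.2.3, 172.31.255.255 and 172.32.0.1) are this example's own. The NAT-T service is defined but not yet permitted by any rule, matching what this page has shown so far.

```python
"""Offline model of the guest firewall policy described in this section.

Added example, not Aerohive/HiveManager code. A packet (destination IP,
IP protocol number, destination port) is evaluated against an ordered rule
list the way a first-match firewall does, so the rule ORDER can be checked
before the policy is attached to a user profile. Object names follow the
section; the rule ordering and helper functions are this example's own
assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Address objects from the section (RFC 1918 private space) plus "Any".
ADDRESS_OBJECTS = {
    "10.0.0.0/8":     ipaddress.ip_network("10.0.0.0/8"),
    "172.16.0.0/12":  ipaddress.ip_network("172.16.0.0/12"),
    "192.168.0.0/16": ipaddress.ip_network("192.168.0.0/16"),
    "Any":            ipaddress.ip_network("0.0.0.0/0"),
}

# Network services as (IP protocol number, destination port); None = wildcard.
# HTTP/HTTPS are predefined services; NAT-T is the custom service above.
SERVICES = {
    "HTTP":  (6, 80),
    "HTTPS": (6, 443),
    "NAT-T": (17, 4500),
    "Any":   (None, None),
}


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    dst: str       # address object name
    service: str   # service name


def matches(rule: Rule, dst_ip: str, proto: int, port: int) -> bool:
    """True if the packet falls inside the rule's address object and service."""
    net = ADDRESS_OBJECTS[rule.dst]
    sproto, sport = SERVICES[rule.service]
    if ipaddress.ip_address(dst_ip) not in net:
        return False
    if sproto is not None and sproto != proto:
        return False
    if sport is not None and sport != port:
        return False
    return True


def evaluate(rules, dst_ip: str, proto: int, port: int, default: str = "deny") -> str:
    """Return the action of the first matching rule, else the default action."""
    for rule in rules:
        if matches(rule, dst_ip, proto, port):
            return rule.action
    return default


# Guest policy: deny private space first, then permit web to anywhere else.
# Default action (deny) covers everything these rules do not mention.
GUEST_POLICY = [
    Rule("deny", "10.0.0.0/8", "Any"),
    Rule("deny", "172.16.0.0/12", "Any"),
    Rule("deny", "192.168.0.0/16", "Any"),
    Rule("permit", "Any", "HTTP"),
    Rule("permit", "Any", "HTTPS"),
]

# The same rules with the permits placed first: a common ordering mistake that
# lets guests reach internal web servers.
MISORDERED_POLICY = GUEST_POLICY[3:] + GUEST_POLICY[:3]


def check_policy(rules) -> dict:
    """Sanity checks a guest policy should pass; all values True means OK.
    Addresses are constructed test inputs (203.0.113.10 is documentation space)."""
    return {
        "web_to_internet":     evaluate(rules, "203.0.113.10", 6, 443) == "permit",
        "web_to_corp_blocked": evaluate(rules, "10.1.2.3", 6, 80) == "deny",
        # 172.16.0.0/12 ends at 172.31.255.255; 172.32.0.1 is public space.
        "172_12_boundary":     evaluate(rules, "172.31.255.255", 6, 80) == "deny"
                               and evaluate(rules, "172.32.0.1", 6, 80) == "permit",
        "ssh_blocked":         evaluate(rules, "203.0.113.10", 6, 22) == "deny",
        # NAT-T is defined as a service but no rule permits it yet.
        "nat_t_blocked":       evaluate(rules, "203.0.113.10", 17, 4500) == "deny",
    }


if __name__ == "__main__":
    for name, rules in (("guest", GUEST_POLICY), ("misordered", MISORDERED_POLICY)):
        print(name, check_policy(rules))
```

Running the script shows every check passing for GUEST_POLICY and "web_to_corp_blocked" and "172_12_boundary" failing for MISORDERED_POLICY, which is the point: with first-match evaluation the deny rules for the three private ranges must sit above the HTTP/HTTPS permit rules, and the default-deny action is what keeps SSH and the not-yet-permitted NAT-T service out.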
Per User Queue Management table (referenced at the start of this section):

Class Number - Name   Scheduling Type        Scheduling  Weight %     Policing Rate Limit   Policing Rate Limit
                                             Weight      (Read Only)  (Kbps) (802.11a/b/g)  (Kbps) (802.11n)
7 - Network Control   Strict                 0           0%           0                     0
6 - Voice             Strict                 0           0%           0                     0
5 - Video             Weighted Round Robin   60          28%          2000                  2000
4 - Controlled Load   Weighted Round Robin   50          23%          2000                  2000
3 - Excellent Effort  Weighted Round Robin   40          19%          2000                  2000
2 - Best Effort 1     Weighted Round Robin   30          14%          2000                  2000
1 - Best Effort 2     Weighted Round Robin   20          9%           2000                  2000
0 - Background        Weighted Round Robin   10          4%           2000                  2000