GemTek Technology ISA550 Cisco ISA550 Integrated Security Appliance with WiFi User Manual shiner admin guide

Gemtek Technology Co., Ltd. Cisco ISA550 Integrated Security Appliance with WiFi shiner admin guide

UserManual.wiki >

GemTek Technology >

ISA550 User Manual

User Manual

Cisco Small BusinessISA500 Series Integrated Security ApplianceADMINISTRATION GUIDE

3OL-23370-01Federal Communication Commission Interference Statement (For ISA570 and ISA570W)This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.(For ISA550 and ISA550W)This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:•Reorient or relocate the receiving antenna.•Increase the separation between the equipment and receiver.•Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.•Consult the dealer or an experienced radio/TV technician for help.FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment.This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.IMPORTANT NOTE:FCC Radiation Exposure Statement: (For ISA550W and ISA570W)This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20cm between the radiator & your body.This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.The availability of some specific channels and/or operational frequency bands are country dependent and are firmware programmed at the factory to match the intended destination. The firmware setting is not accessible by the end user.Industry Canada statement:This device complies with RSS-210 of the Industry Canada Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

4OL-23370-01 Ce dispositif est conforme à la norme CNR-210 d'Industrie Canada applicable aux appareils radio exempts de licence. Son fonctionnement est sujet aux deux conditions suivantes: (1) le dispositif ne doit pas produire de brouillage préjudiciable, et (2) ce dispositif doit accepter tout brouillage reçu, y compris un brouillage susceptible de provoquer un fonctionnement indésirable. IMPORTANT NOTE:Canada Radiation Exposure Statement: (For ISA550W and ISA570W)This equipment complies with Canada radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20cm between the radiator and your body.NOTE IMPORTANTE: (Pour l'utilisation de dispositifs mobiles)Déclaration d'exposition aux radiations:Cet équipement est conforme aux limites d'exposition aux rayonnements IC établies pour un environnement non contrôlé. Cet équipement doit être installé et utilisé avec un minimum de 20 cm de distance entre la source de rayonnement et votre corps.This device has been designed to operate with an antenna having a maximum gain of 1.8 dBi. Antenna having a higher gain is strictly prohibited per regulations of Industry Canada. The required antenna impedance is 50 ohms.Under Industry Canada regulations, this radio transmitter may only operate using an antenna of a type and maximum (or lesser) gain approved for the transmitter by Industry Canada. To reduce potential radio interference to other users, the antenna type and its gain should be so chosen that the equivalent isotropically radiated power (e.i.r.p.) is not more than that necessary for successful communication. (Le manuel d'utilisation de dispositifs émetteurs équipés d'antennes amovibles doit contenir les informations suivantes dans un endroit bien en vue:)Ce dispositif a été conçu pour fonctionner avec une antenne ayant un gain maximal de 1.8 dBi. Une antenne à gain plus élevé est strictement interdite par les règlements d'Industrie Canada. L'impédance d'antenne requise est de 50 ohms.Conformément à la réglementation d'Industrie Canada, le présent émetteur radio peutfonctionner avec une antenne d'un type et d'un gain maximal (ou inférieur) approuvé pourl'émetteur par Industrie Canada. Dans le but de réduire les risques de brouillage radioélectriqueà l'intention des autres utilisateurs, il faut choisir le type d'antenne et son gain de sorte que lapuissance isotrope rayonnée équivalente (p.i.r.e.) ne dépasse pas l'intensité nécessaire àl'établissement d'une communication satisfaisante.UL/CBRack Mount Instructions - The following or similar rack-mount instructions are included with the installation instructions:A) Elevated Operating Ambient - If installed in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient. Therefore, consideration should be given to installing the equipment in an environment compatible with the maximum ambient temperature (Tma) 40 degree C specified by the manufacturer.B) Reduced Air Flow - Installation of the equipment in a rack should be such that the amount of air flow required for safe operation of the equipment is not compromised.C) Mechanical Loading - Mounting of the equipment in the rack should be such that a hazardous condition is not achieved due to uneven mechanical loading.

5OL-23370-01D) Circuit Overloading - Consideration should be given to the connection of the equipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this concern.

Cisco ISA500 Series Integrated Security Appliance Administration Guide 1 ContentsChapter 1: Getting Started 12Introduction 12Feature Overview 13Device Overview 14Front Panel 14Back Panel 17Installation 18Before You Begin 19Installation Options 19Placement Tips 19Wall Mounting 20Rack Mounting 21Hardware Installation 22Getting Started with the Configuration Utility 23Launching the Configuration Utility 23Navigating Through the Configuration Utility 24Using the Help System 25Using the Management Buttons 25About the Default Settings 25Performing Common Configuration Tasks 27Changing the User Name and Password of the Default Administrator Account at Your First Login 27Saving Your Configuration 28Upgrading the Firmware if needed 29Resetting the Device 30Chapter 2: Wizards 32Using the Startup Wizard 32Using the Wireless Wizard to Configure the Wireless Settings for ISA550W and ISA570W 40Using the Wireless Wizard to Configure the Wireless Settings 41Configuring the SSID for Intranet WLAN Access 43Configuring the SSID for Guest WLAN Access 44Configuring the SSID for Guest WLAN Access (Captive Portal) 45

Cisco ISA500 Series Integrated Security Appliance Administration Guide 2 ContentsUsing the DMZ Wizard to Configure the DMZ Settings 46Using the DMZ Wizard to Configure the DMZ Settings 47Configuring the DMZ 48Configuring the DMZ Services 49Using the Dual WAN Wizard to Configure the WAN Redundancy Settings 51Using the Site-to-Site Wizard to Establish the Site-to-Site VPN Tunnels 53Using the Site-to-Site Wizard to Establish the Site-to-Site VPN tunnel 53Configuring the IKE Policies 55Configuring the Transform Policies 57Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote Access 58Using Cisco IPSec VPN to Establish the IPSec VPN Tunnels 58Configuring the Cisco IPSec VPN User Groups 63Using SSL VPN to Establish the SSL VPN Tunnels 63Configuring the SSL VPN Group Policies 66Configuring the SSL VPN User Groups 69Chapter 3: Status 70System Status 70Interface Status 74ARP Table 74DHCP Pool Assignment 75Interface 75Interface Statistics 77Wireless Status for ISA550W and ISA570W 79Wireless Status 80Client Status 81Active Users 81VPN Status 81IPSec VPN Status 82SSL VPN Status 83Reports 85Reports of Event Logs 86Reports of WAN Bandwidth 87Reports of Security Services 87

Cisco ISA500 Series Integrated Security Appliance Administration Guide 3 ContentsWeb Security Blocked Report 88Anti-Virus Report 88Email Security Report 89Network Reputation Report 90IPS Policy Protocol Inspection Report 90IM and P2P Blocking Report 91Process Status 92Resource Utilization 92Chapter 4: Networking 94Configuring IP Routing Mode 95Port Management 95Viewing the Status of Physical Interfaces 95Configuring the Physical Interfaces 96Configuring 802.1X Access Control on Physical Ports 98Configuring the Port Mirroring 100Configuring the WAN 101Configuring the Primary WAN 101Configuring the Secondary WAN 104Configuring the Network Addressing Mode 106Configuring the PPPoE Profiles 111Configuring the WAN Redundancy 112Loading Balancing for WAN Redundancy 113Load Balancing with Policy-based Routing Configuration Example 115Failover for WAN Redundancy 116Routing Table for WAN Redundancy 117Configuring the Link Failover Detection 117Configuring the VLAN 118Configuring the VLANs 119Configuring DHCP Reserved IPs 122Configuring the DMZ 123Configuring the Zones 127Security Levels for Zones 128Predefined Zones 128

Cisco ISA500 Series Integrated Security Appliance Administration Guide 4 ContentsConfiguring the Zones 129Configuring the Routing 130Configuring the Routing Mode 131Viewing the Routing Table 131Configuring the Static Routing 132Configuring the Dynamic Routing 133Configuring Policy-based Routing Settings 134Priority of Routing Rules 136Dynamic DNS 136IGMP 138VRRP 139Configuring the Quality of Service 140General QoS Settings 141Configuring the WAN QoS 141Managing the WAN Bandwidth for Upstream Traffic 142Configuring the WAN Queue Settings 142Configuring the Traffic Selectors for WAN Interfaces 144Configuring the WAN QoS Policy Profiles 145Mapping the WAN QoS Policy Profiles to WAN Interfaces 146Configuring the LAN QoS 147Configuring the LAN Queue Settings 147Configuring the LAN QoS Classification Methods 148Mapping CoS to LAN Queue 149Mapping DSCP to LAN Queue 149Configuring Default CoS 149Configuring the Wireless QoS 150Default Wireless QoS Settings 150Configuring the Wireless QoS Classification Methods 151Mapping CoS to Wireless Queue 151Mapping DSCP to Wireless Queue 151Address Management 152Configuring the Addresses 152Configuring the Group Addresses 153Service Management 154Configuring the Services 154

Cisco ISA500 Series Integrated Security Appliance Administration Guide 5 ContentsConfiguring the Group Services 155Chapter 5: Wireless Configuration for ISA550W and ISA570W 157Configuring the Radio Settings 157Basic Radio Settings 158Advanced Radio Settings 160Configuring the Access Points 162Configuring the Security Mode 162Controlling the Wireless Access Based on MAC Addresses 169Mapping the SSID to VLAN 170Configuring the SSID Schedule 171Configuring Wi-Fi Protected Setup 172Configuring Wireless Rogue AP Detection 173Configuring Wireless Captive Portal 174Chapter 6: Firewall 177Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic178Default Firewall Settings 178Priorities of Firewall Access Rules 180Preliminary Tasks for Configuring the Firewall Access Rules 180General Settings for Configuring the Firewall Access Rules 181Configuring a Firewall Access Rule 183Configuring a Firewall Access Rule to Allow the Multicast Traffic 185Configuring the Firewall Schedule 186Firewall Access Rule Configuration Examples 187Configuring the NAT Rules to Securely Access a Remote Network 192Configuring Dynamic PAT Rules 193Configuring Static NAT Rules 194Configuring Port Forwarding Rules 195Configuring Port Triggering Rules 196Configuring Advanced NAT Rules 197Viewing NAT Translation Status 199

Cisco ISA500 Series Integrated Security Appliance Administration Guide 6 ContentsPriorities of NAT Rules 200Configuring the Session Settings 200Configuring the Content Filtering to Control Access to Internet 201Configuring the Content Filtering Policy Profiles 201Configuring the Website Access Control List 203Mapping the Content Filtering Policy Profiles to Zones 204Configuring Advanced Settings 204Configuring the MAC Filtering to Permit or Block Traffic 205Configuring the IP/MAC Binding to Prevent Spoofing 206Configuring the Attack Protection 207Configuring the Application Level Gateway 209Chapter 7: Security Services 210Managing the Security Services 210About the Security Services 211Security License 212Priority of Security Services 212Managing the Security Services 212Viewing the Security Service Reports 214Intrusion Prevention Service 214General IPS Settings 215Configuring the IPS Policy and Protocol Inspection 216Blocking the Instant Messaging and Peer-to-Peer Applications 218Anti-Virus 220Configuring the Anti-Virus 220Configuring the Email Notification 223Configuring the HTTP Notification 224Email Reputation Filter 224Web URL Filter 226Configuring the Web URL Filter Policy Profiles 226Configuring the Whitelist and Blacklist of Websites 227Mapping the Web URL Filter Policy Profiles to Zones 228

Cisco ISA500 Series Integrated Security Appliance Administration Guide 7 ContentsConfiguring Advanced Web URL Filter Settings 229Web Reputation Filter 230Network Reputation 231Chapter 8: VPN 232About VPN 232Configuring the Cisco IPSec VPN Server 233Cisco VPN Client Compatibility 234Configuring the Group Policies for Cisco IPSec VPN Server 235Configuring the Cisco IPSec VPN Client 238Restrictions for Cisco IPSec VPN Client 239Benefits of the Cisco IPSec VPN Client Feature 239Modes of Operation 240Client Mode 240Network Extension Mode 241General Settings 242Configuring the Group Policies for Cisco IPSec VPN Client 243Configuring the Site-to-Site VPN 246Configuration Tasks to Establish a Site-to-Site VPN 246General Site-to-Site VPN Settings 247Configuring the IPSec VPN Policies 248Configuring the IPSec IKE Policies 254Configuring the IPSec Transform Policies 256Configuring the SSL VPN 257Elements of the SSL VPN 258Configuration Tasks to Establish a SSL VPN Tunnel 259Installing the Cisco AnyConnect VPN Client on User’s PC 260Importing the Certificates for User Authentication 260Configuring the SSL VPN Users 260Configuring the SSL VPN Gateway 261Configuring the SSL VPN Group Policies 263Configuring the SSL VPN Portal 266Configuring the L2TP Server 266

Cisco ISA500 Series Integrated Security Appliance Administration Guide 8 ContentsConfiguring the VPN Passthrough 268Viewing the VPN Status 268Monitoring the IPSec VPN Status 269Monitoring the SSL VPN Status 270Chapter 9: User Management 273About the Users and Groups 273Available Services for User Groups 273Default User and Group 274Preempt the Administrators 274Configuring the Users and Groups 275Configuring Local Users 275Configuring Local User Groups 276Configuring the User Authentication Settings 277Authentication Methods for User Login 278Using Local Database for Authentication 279Using RADIUS Server for Authentication 279Using Local Database and RADIUS Server for Authentication 282Using LDAP for Authentication 283Using Local Database and LDAP for Authentication 286Configuring the User Session Settings 286Viewing Active User Sessions 287Chapter 10: Device Management 288Remote Management 289Administration 290Changing the User Name and Password for the Default Administrator Account290Configuring the User Session Settings 291SNMP 292Configuration Management 294Saving your Current Configurations 294Restoring your Settings from a Saved Configuration File 295

Cisco ISA500 Series Integrated Security Appliance Administration Guide 9 ContentsReverting to the Factory Default Settings 296Firmware Management 297Viewing the Firmware Information 297Checking for New Firmwares 298Upgrading the Firmware 299Using the Secondary Firmware 300Firmware Auto Fall Back Mechanism 301Using the Rescue Mode to Recover the System 302Rebooting the Security Appliance 302Log Management 302Configuring the Log Settings 303Configuring the Log Facilities 305Viewing the Logs 306Managing the Security License 307Checking the License Status 308Renewing the Security License 309Managing the Certificates for Authentication 310Viewing the Certificate Status 310Managing the Certificates 311Exporting the Certificates to Local PC 312Exporting the Certificates to a USB Device 313Importing the Certificates from Your Local PC 313Importing the Certificates from a Mounted USB Device 314Importing the Signed Certificate for CSR from Your Local PC 314Generating New Certificate Signing Requests 315Configuring the Email Alert Settings 316Configuring the RADIUS Servers 319Configuring the Time Zone 320Device Discovery 321UPnP 321Bonjour 322CDP 323LLDP 324

Cisco ISA500 Series Integrated Security Appliance Administration Guide 10 ContentsDiagnosing the Device 324Ping 325Tracert 325DNS Lookup 326Packet Capture 326System Diagnostics 327Measuring and Limiting Traffic with the Traffic Meter 328Configuring the ViewMaster 330Configuring the CCO Account 331Configuring the Device Properties 332Configuring the Debug Settings 332Appendix A: Troubleshooting 333Internet Connection 333Date and Time 336Pinging to Test LAN Connectivity 337Testing the LAN Path from Your PC to Your Security Appliance 337Testing the LAN Path from Your PC to a Remote Device 338Restoring Factory Default Settings 339Appendix B: Technical Specifications and Environmental Requirements 340Appendix C: Factory Default Settings 343Device Management 343User Management 346Networking 347Wireless 352VPN 353Security Services 356Firewall 357Reports 359Default Service Objects 360Default Address Objects 363

Cisco ISA500 Series Integrated Security Appliance Administration Guide 11 ContentsAppendix D: Where to Go From Here 365

1Cisco ISA500 Series Integrated Security Appliance Administration Guide 12 Getting StartedThis chapter provides the product overview and installation instruction to help you to install the security appliance, and describes the default settings and some basic configuration tasks to help you to begin configuring your security appliance. It includes the following sections: •Introduction, page 12•Feature Overview, page 13•Device Overview, page 14•Installation, page 18•Getting Started with the Configuration Utility, page 23•About the Default Settings, page 25•Performing Common Configuration Tasks, page 27IntroductionThe Cisco ISA500 Series Integrated Security Appliances are a set of Unified Threat Management (UTM) security appliances that provide business class security gateway solutions with zone-based firewall, site-to-site and remote access VPN (including Cisco IPSec VPN and SSL VPN) support, and Internet threat protection with multiple UTM security services. The ISA550W and ISA570W include 802.11b/g/n access point capabilities. The following table lists the available model numbers to help you become familiar with your security appliance.

Getting StartedFeature OverviewCisco ISA500 Series Integrated Security Appliance Administration Guide 131 Feature OverviewThe features of the Cisco ISA500 Series Integrated Security Appliance are compared in the following table.Models Description ConfigurationISA550 Cisco ISA550 Integrated Security Appliance1 WAN port, 2 LAN ports, 4 configurable ports, and 1 USB 2.0 portISA550W Cisco ISA550 Integrated Security Appliance with WiFi1 WAN port, 2 LAN ports, 4 configurable ports, 1 USB 2.0 port, and 802.11b/g/nISA570 Cisco ISA570 Integrated Security Appliance1 WAN port, 4 LAN ports, 5 configurable ports, and 1 USB 2.0 portISA570W Cisco ISA570 Integrated Security Appliance with WiFi1 WAN port, 4 LAN ports, 5 configurable ports, 1 USB 2.0 port, and 802.11b/g/nFeature ISA550 ISA550W ISA570 ISA570WFirewall Throughput (1000B)150 Mbps 150 Mbps 300 Mbps 300 MbpsFirewall Throughput (IMIX)70 Mbps 70 Mbps 150 Mbps 150 MbpsIPSec VPN (large packet)75 Mbps 75 Mbps 150 Mbps 150 MbpsAnti-Virus Throughput60 Mbps 60 Mbps 130 Mbps 130 MbpsIntrusion Prevention Service Throughput80 Mbps 80 Mbps 150 Mbps 150 MbpsUTM Throughput 45 Mbps 45 Mbps 120 Mbps 120 Mbps

Getting StartedDevice OverviewCisco ISA500 Series Integrated Security Appliance Administration Guide 141 Device OverviewBefore you begin to use the security appliance, become familiar with the lights on the front panel and the ports on the rear panel. It includes the following sections: •Front Panel, page 14•Back Panel, page 17Front PanelISA550 Front PanelISA550W Front PanelMaximum Concurrent Sessions15,000 15,000 40,000 40,000Sessions per Seconds (cps)2,500 2,500 3,000 3,000Wireless (802.11b/g/n)No Yes No YesIPSec Tunnels 50 50 100 100SSL VPN Tunnels 25 25 50 50Feature ISA550 ISA550W ISA570 ISA570W282351Small Business1VPN USB WAN LAN CONFIGURABLEPOWER/SYSSPEEDLINK /ACT234567ISA550 Cisco281983Small Business1VPN USB WAN LAN CONFIGURABLEPOWER/SYSSPEEDLINK /ACT234567WLANISA550W Cisco

Getting StartedDevice OverviewCisco ISA500 Series Integrated Security Appliance Administration Guide 151 ISA570 Front PanelISA570W Front PanelFront Panel LightsThe following table describes the lights on the front panel of the security appliance. These lights are used for monitoring system activity.Small Business1VPN USB WAN LAN CONFIGURABLEPOWER/SYSSPEEDLINK /ACT9102345678282350ISA570 CiscoSmall Business1VPN USB WAN LAN CONFIGURABLEPOWER/SYSSPEEDLINK /ACT9102345678WLAN281980ISA570W CiscoLights DescriptionPOWER/SYS Indicates the power status and system status.•Green lights when the system is powered on and operates normally. •Green flashes when the system is booting. •Amber flashes when the system booting has a problem, a device error occurs, or the system has a problem.VPN Indicates the Site-to-Site VPN connection status.•Green lights when the Site-to-Site VPN tunnel is established. •Green flashes when attempting to establish the Site-to-Site VPN tunnel. •Amber flashes when the system is experiencing problems setting up the Site-to-Site VPN connection.

Getting StartedDevice OverviewCisco ISA500 Series Integrated Security Appliance Administration Guide 161 NOTE The front panel of the ISA550 and ISA570 does not include the WLAN light. USB Indicates the USB device status.•Green lights when a USB device is detected and operates normally. •Green flashes when the USB device is transmitting and receiving data. WLAN(ISA550W and ISA570W only)Indicates the WLAN status. •Green lights when the WLAN is enabled and associated. •Green flashes when the WLAN is transmitting and receiving data.SPEED Indicates the traffic rate of the associated port.•Off when the traffic rate is 10 or 100 Mbps. •Green lights when the traffic rate is 1000 Mbps.LINK/ACT Indicates a connection is being made through the port.•Green lights when the link is up. •Green flashes when the port is transmitting and receiving data.Lights Description

Getting StartedDevice OverviewCisco ISA500 Series Integrated Security Appliance Administration Guide 171 Back PanelThe back panel is where you connect the network devices. The ports on the panel vary depending on the model.ISA550 and ISA550W Back PanelISA570 and ISA570W Back Panel281984ANT02ANT01RESETI/OPOWER12VDC4567CONFIGURABLE23LAN1WANANT01 ANT02ResetButtonPowerSwitchPowerConnectorWANPortUSBPort ConfigurablePortsLANPorts281981I/ORESETANT02ANT011678910WANCONFIGURABLE POWER12VDC2345LANANT01 ANT02ResetButtonPowerSwitchPowerConnectorWANPortUSBPort ConfigurablePortsLANPorts

Getting StartedInstallationCisco ISA500 Series Integrated Security Appliance Administration Guide 181 Back Panel DescriptionsNOTE The back panel of ISA550 and ISA570 does not include two threaded connectors for the antennas.InstallationThis section describes how to install the security appliance. It includes the following topics:•Before You Begin, page 19Feature DescriptionANT01/ANT02 Threaded connectors for the antennas (for ISA550W and ISA570W only). USB Port Connects the unit to a USB device. You can use a USB device to backup and restore the configurations, or to upgrade the firmware images.Configurable PortsCan be set to operate as WAN, LAN, or DMZ ports. The ISA550 and ISA550W have 4 configurable ports. The ISA570 and ISA570W have 5 configurable ports.LAN Ports Connects PCs and other network appliances to the unit. The ISA550 and ISA550W have 2 dedicated LAN ports. The ISA570 and ISA570W have 4 dedicated LAN ports.WAN Port Connects the unit to a DSL or a cable modem, or another WAN connectivity device.RESET Button To reboot the unit, push and release the RESET button. To restore the factory default settings, push and hold the RESET button for 3 seconds.Power Switch Turns the unit on or off.Power ConnectorConnects the unit to power using the supplied power cord and adapter.

Getting StartedInstallationCisco ISA500 Series Integrated Security Appliance Administration Guide 191 •Installation Options, page 19•Hardware Installation, page 22Before You BeginBefore you begin the installation, make sure that you have the following equipments and services: •An active Internet account.•Mounting kits and tools for installing the hardware. The kits packed with the security appliance are used for desktop placement and rack mounting. The kits include 4 rubber feet, 2 brackets, 2 silicon rubber spacers, 8 M3 screws, 4 M5 screws, and 4 washers. NOTE The Wall-mounting kit is not included.•RJ-45 Ethernet cables (Category 5 or higher) for connecting computers, WAN and LAN interfaces, or other devices.•A computer with Microsoft Internet Explorer 8.0, or Mozilla Firefox 3.6.x (or later) for using the web-based Configuration Utility.Installation OptionsYou can place your security appliance on a desktop, mount it on a wall, or mount it in a rack. It includes the following topics:•Placement Tips, page 19•Wall Mounting, page 20•Rack Mounting, page 21Placement Tips•Ambient Temperature: To prevent the security appliance from overheating, do not operate it in an area that exceeds an ambient temperature of 104°F (40°C).•Air Flow: Be sure that there is adequate air flow around the device.

Getting StartedInstallationCisco ISA500 Series Integrated Security Appliance Administration Guide 201 •Mechanical Loading: Be sure that the security appliance is level and stable to avoid any hazardous conditions. To place the security appliance on a desktop, install the supplied four rubber feet on the bottom of the security appliance. Place the security appliance on a flat surface.Wall MountingThere is no wall-mounting kit included with your security appliance. We recommend that you use the following screws to install your security appliance to the wall or the ceiling: WARNING Insecure mounting might damage the device or cause injury. Cisco is not responsible for damages incurred by improper wall-mounting.To mount the security appliance to the wall:STEP 1 Determine where you want to mount the security appliance. Verify that the surface is smooth, flat, dry, and sturdy. STEP 2 Insert two 18.6 mm (0.73 inch) screws, with anchors, into the wall 234 mm apart (9.21 inches). Leave 3 to 4 mm (about 1/8 inch) of the head exposed.STEP 3 Place the security appliance wall-mount slots over the screws. Slide the security appliance down until the screws fit snugly into the wall-mount slots.1 8mm/0.32 in 2 25mm/0.98 in 3 6.5mm/0.26in 4 18.6mm/0.73in1243196243

Getting StartedInstallationCisco ISA500 Series Integrated Security Appliance Administration Guide 211 Rack MountingYou can mount the security appliance in any standard size, 19-inch (about 48 cm) wide rack. The security appliance requires 1 rack unit (RU) of space, which is 1.75 inches (44.45 mm) high. !CAUTION Do not overload the power outlet or circuit when installing multiple devices in a rack.STEP 1 Place one of the supplied silicon rubber spacers on the side of the security appliance so that the four holes align to the screw holes. Place the rack mount bracket next to the silicon rubber spacer and install the M3 screws. NOTE If the M3 screws are not long enough to reattach the bracket with the silicon rubber spacer, attach the bracket directly to the case without the silicon rubber spacer.STEP 2 Install the security appliance into a standard rack as shown below. Place the washers on the brackets so that the holes align to the screw holes and then install the M5 screws. 281985Step 1 Step 2

Getting StartedInstallationCisco ISA500 Series Integrated Security Appliance Administration Guide 221 Hardware InstallationFollow these steps to connect the security appliance:STEP 1 Connect the security appliance to power using the supplied power cord and adapter. Make sure that the power switch is turned off.STEP 2 If you are installing the ISA550W and ISA570W, screw each antenna onto a threaded connector on the back panel. Orient each antenna to point upward.STEP 3 For a DSL or cable modem, or other WAN connectivity devices, connect an Ethernet network cable from the device to the WAN port on the back panel. Cisco strongly recommends using Cat5E or better cable.STEP 4 For network devices, connect an Ethernet network cable from the network device to one of the dedicated LAN ports on the back panel.STEP 5 For a UC 500 or a UC 300, connect an Ethernet network cable from the WAN port of the UC 500 or a UC 300 to an available LAN port of the security appliance. STEP 6 For a UC500 or a UC300, connect an Ethernet network cable from the WAN port of the UC500 or UC300 to an available LAN port on the back panel of the security appliance. STEP 7 Power on the connected devices.STEP 8 Power on the security appliance. The lights on the front panel for all connected ports light up to show active connections. A sample configuration is illustrated below.Congratulations! The installation of the security appliance is complete.281982I/ORESETANT02ANT011678910WANCONFIGURABLE POWER12VDC2345LANInternetAccessDevicePublicWeb Server PowerNetworkDevices

Getting StartedGetting Started with the Configuration UtilityCisco ISA500 Series Integrated Security Appliance Administration Guide 231 Getting Started with the Configuration UtilityThe Configuration Utility is a web based device manager that is used to provision the security appliance. To use this utility, you must be able to connect to the security appliance from your administration PC or laptop. You can access the security appliance by using web browser such as Microsoft Internet Explorer 8.0, or Mozilla Firefox 3.6.x (or later). It includes the following sections: •Launching the Configuration Utility, page 23•Navigating Through the Configuration Utility, page 24•Using the Help System, page 25•Using the Management Buttons, page 25Launching the Configuration UtilitySTEP 1 Connect your computer to an available LAN port on the back panel of the security appliance.STEP 2 Start a web browser. In the Address bar, enter the default IP address of the security appliance: 192.168.1.1. NOTE The above address is the factory default LAN address. If you change this setting in the DEFAULT VLAN configuration, you will need to enter the new IP address to connect to the Configuration Utility.STEP 3 Enter the default user name and password in the login screen:•Username: cisco•Password: ciscoSTEP 4 Click Login. For the first login, you are forced to immediately change the default user name and password of the default administrator account to prevent unauthorized access. For more information, see Changing the User Name and Password of the Default Administrator Account at Your First Login, page 27.

Getting StartedGetting Started with the Configuration UtilityCisco ISA500 Series Integrated Security Appliance Administration Guide 241 After you change them, the Startup Wizard launches. For more information about how to use the Startup Wizard to configure your security appliance, see Using the Startup Wizard, page 32.Navigating Through the Configuration UtilityUse the left hand navigation pane and content pane to perform the tasks in the Configuration Utility. 12Number Components Description1Left Hand Navigation PaneThe left hand navigation pane provides easy navigation through the configurable features. The main branches expand to provide the features. Click on the main branch title to expand its contents. Click on the right arrow of a feature to open its subfeatures, or click on the down arrow of a feature to contract its subfeatures. Click on the title of a feature or subfeature to open it. 2 Content Pane The content of the feature or subfeature appears in this area.

Getting StartedAbout the Default SettingsCisco ISA500 Series Integrated Security Appliance Administration Guide 251 Using the Help SystemThe Configuration Utility includes a detailed Help file for all configuration tasks. To view the Help page, click the Help link in the top right corner of the screen. Using the Management ButtonsDevice Management buttons and icons provide an easy method of configuring device information. In this guide, we use the texts by replacing the buttons or icons to indicate what the buttons or icons are used for. About the Default SettingsThe security appliance is predefined with the settings that allow you to start using the device with minimal changes needed. Depending the requirements of your Internet Service Provider (ISP) and the needs of your business, you might need to modify some of these settings. You can use the Configuration Utility to customize all settings, as needed.Settings of particular interest are described below. For a full list of all factory default settings, see Appendix C, "Factory Default Settings."Icons Actions Icons ActionsMove ExpandMove Down CollapseMove Up Edit or other specific actions with relative descriptionDelete or Delete Selection

Getting StartedAbout the Default SettingsCisco ISA500 Series Integrated Security Appliance Administration Guide 261 •IP Routing Mode: By default, only the IPv4 mode is enabled. To support the IPv4 and IPv6 addressing, you need to enable the IPv4/IPv6 mode. To change the IP routing mode, see Configuring IP Routing Mode, page 95.•WAN Configuration: By default, the security appliance is configured to obtain an IP address from your ISP by using Dynamic Host Configuration Protocol (DHCP). Depending on the requirement of your ISP, you will need to configure the network address mode for the primary WAN and the secondary WAN if applicable. You can change other WAN settings as well. See Configuring the WAN, page 101.•LAN Configuration: By default, the LAN of the security appliance is configured in the 192.168.1.0 subnet and the LAN IP address is 192.168.1.1. The security appliance acts as a DHCP server to the hosts on the WLAN or LAN network. It can automatically assign IP addresses and DNS server addresses to the PCs and other devices on the LAN. For most deployment scenarios, the default DHCP and TCP/IP settings should be satisfactory. However, you can change the subnet address or the default IP address. You can assign static IP addresses to connected devices rather than allowing the security appliance to act as a DHCP server. See Configuring the VLAN, page 118.•VLAN Configuration: The security appliance predefines a native VLAN (DEFAULT) and a guest VLAN (GUEST). You can customize new VLANs for your specific business needs. See Configuring the VLAN, page 118.•Configurable Ports: By default, all configurable ports are set to act as LAN ports. Alternatively, you can configure the configurable port for use as a DMZ port or a secondary WAN port. See Configuring the WAN, page 101 or Configuring the DMZ, page 123.•Wireless Network (for ISA550W and ISA570W only): The ISA550W or ISA570W is configured with four SSIDs. All SSIDs are disabled by default. For security purposes, we strongly recommend that you configure the SSIDs with the appropriate security settings. See Wireless Configuration for ISA550W and ISA570W, page 157. •Administrative Access: You can access the Configuration Utility by using a web browser and entering the default LAN IP address of 192.168.1.1. You can log into by entering the username and password of the default administrator account. You are forced to change the default username and password after the first login. See Changing the User Name and Password of the Default Administrator Account at Your First Login, page 27. You also may want to change the user login settings for authentication. See Configuring the User Authentication Settings, page 277.

Getting StartedPerforming Common Configuration TasksCisco ISA500 Series Integrated Security Appliance Administration Guide 271 •Security Services: By default, the UTM security services such as Intrusion Prevention Service (IPS), Web URL Filter, Web Reputation Filter, Anti-Virus, and Email Reputation Filter are disabled. For more information about how to configure the security services, see Security Services, page 210. •Firewall: By default, the firewall prevents inbound traffic and allows all outbound traffic. If you want to allow some inbound traffic or prevent some outbound traffic, you must customize firewall access rules. The security appliance supports up to 100 custom access rules. See Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic, page 178. •VPN: By default, the VPN feature is disabled. The security appliance can function as a Cisco IPSec VPN server or a Cisco VPN hardware client, or as a SSL VPN gateway so that remote users can securely access the corporate network resources over the VPN tunnels. You can also establish a secure IPSec VPN tunnel between two sites that are physically separated by using the Site-to-Site VPN feature. For more information about how to configure the VPN features, see VPN, page 232. Performing Common Configuration TasksWe strongly recommend that you complete the following common tasks before you begin configuring your security appliance. It includes the following sections: •Changing the User Name and Password of the Default Administrator Account at Your First Login, page 27•Saving Your Configuration, page 28•Upgrading the Firmware if needed, page 29•Resetting the Device, page 30Changing the User Name and Password of the Default Administrator Account at Your First LoginThe default administrator account is an administrative account that has fully privilege to set the configurations and read the system status. It does not belong to any user group. To prevent unauthorized access, you are forced to immediately change the default user name and password at its first login.

Getting StartedPerforming Common Configuration TasksCisco ISA500 Series Integrated Security Appliance Administration Guide 281 STEP 1 After the first login, a prompt window opens. STEP 2 Enter the following information: •User Name: Enter a new user name that contains the letters, numbers, or underline for the default administrator account. •New Password: Enter a new password for the default administrator account. Passwords are case-sensitive. NOTE Restrictions for password: The password should contain at least three types of these character classes: lower case letters, upper case letters, numbers, and special characters. Do not repeat any character more than three times consecutively. Do not set the password as the user name or the reversed user name. The password cannot be set as “cisco”, “ocsic”, or any variant obtained by changing the capitalization of letters. •Confirm Password: Enter the new password again for confirmation.STEP 3 Click Save to apply your settings. Saving Your ConfigurationAt any point during the configuration process, you can save your configurations. Later, if you make changes that you want to abandon, you can easily revert to the saved configurations. STEP 1 Click Device Management -> Firmware and Configuration -> Configuration.The Configuration window opens. STEP 2 To save the current settings on your local PC, perform the following steps: a. In Backup/Restore Settings area, click Backup after the Save A Copy of Current Settings option. b. The Encryption window opens. You can optionally encrypt the configurations for security purposes, check the Encrypt box and enter the password in the Key field, and then click OK.

Getting StartedPerforming Common Configuration TasksCisco ISA500 Series Integrated Security Appliance Administration Guide 291 c. Locate where to save the configuration file, and then click Save. STEP 3 To save the current settings on a USB device, perform the following steps: a. Insert a USB device into the USB interface on the back panel of your security appliance. The USB device is automatically mounted once you insert it. b. In the USB -> Mount/Unmount area, check the mounting status of the USB device. Make sure that the USB Driver Status shows as “UP” when you use the USB device to manage the configurations. c. In the USB -> Backup/Restore Settings area, click Backup after the Save A Copy of Current Settings option. d. The Encryption window opens. You can optionally encrypt the configurations for security purposes, check the Encrypt box and then enter the password in the Key field, and then click OK. Your current settings are saved as a configuration file on the root folder of the USB device.Upgrading the Firmware if neededBefore you do any other tasks, ensure that you are using the latest firmware version. You can upgrade from a firmware file stored on your computer or a mounted USB device. !CAUTION During a firmware upgrade, do NOT try to go online, turn off the device, shut down the PC, remove the cable, or interrupt the process in anyway until the operation is complete. This process should take several minutes or so including the reboot process. Interrupting the upgrade process at specific points when the flash is being written to can corrupt the flash memory and render the security appliance unusable.STEP 1 Click Device Management -> Firmware and Configuration -> Firmware.The Firmware window opens.

Getting StartedPerforming Common Configuration TasksCisco ISA500 Series Integrated Security Appliance Administration Guide 301 STEP 2 To manually upgrade the firmware from your local PC, perform the following steps: a. In the Network -> Firmware Upgrade area, click Browse to locate and select the firmware image from your local PC. b. To upgrade the firmware and keep using the current settings, click Upgrade. c. To upgrade the firmware and revert to the factory default settings, click Upgrade & Factory Reset. When the operation is complete, the security appliance automatically reboots with the factory default settings. STEP 3 To upgrade the firmware through a USB device, perform the following steps: a. Insert the USB device with the firmware images into the USB interface on the back panel of your security appliance. The USB device is automatically mounted after you inserted it. b. In the USB -> Mount/Unmount area, check the mounting status of the USB device. Make sure that the USB Driver Status shows as “UP” when you use the USB device to manage the firmware.c. In the USB -> Backup/Restore Settings area, all firmware images located on the USB device appears in the list. •To upgrade the firmware and keep using the current settings, select the latest firmware image from the list and then click Upgrade. •To upgrade the firmware and revert to the factory default settings, select the latest firmware image from the list and then click Upgrade & Factory Reset. When the operation is complete, the security appliance automatically reboots with the factory default settings.Resetting the DeviceTo revert your security appliance to the factory default settings, you can press and hold the RESET button on the back panel for minimum of 3 seconds, or perform the following procedures. !CAUTION The Revert To Factory Default Settings operation will wipe out the current configurations used on your security appliance (including the imported certificates). We recommmend that you save the current settings before reverting to the factory default settings.

Getting StartedPerforming Common Configuration TasksCisco ISA500 Series Integrated Security Appliance Administration Guide 311 STEP 1 Click Device Management -> Firmware and Configuration -> Configuration.The Configuration window opens.STEP 2 In the Backup/Restore Settings -> Revert To Factory Default Settings area, click Default.The security appliance will reboot with the factory default settings.

2Cisco ISA500 Series Integrated Security Appliance Administrator Guide 32 WizardsThis chapter describes how to use the wizards to configure your security appliance. •Using the Startup Wizard, page 32•Using the Wireless Wizard to Configure the Wireless Settings for ISA550W and ISA570W, page 40•Using the DMZ Wizard to Configure the DMZ Settings, page 46•Using the Dual WAN Wizard to Configure the WAN Redundancy Settings, page 51•Using the Site-to-Site Wizard to Establish the Site-to-Site VPN Tunnels, page 53•Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote Access, page 58To access the Wizards pages, click Wizards in the left hand navigation pane. Using the Startup WizardThe Startup Wizard helps you configure the remote management, port, WAN, LAN, DMZ, and WLAN (for ISA550W and ISA570W only) settings. The first time you log into your security appliance, the Startup Wizard automatically launches. STEP 1 Click Wizard -> Startup Wizard. The Getting Started window opens. A prompt warning message is displayed as below.

WizardsUsing the Startup WizardCisco ISA500 Series Integrated Security Appliance Administrator Guide 332 !CAUTION When the Startup Wizard is complete, the previous settings relevant to the changed WAN, DDNS, LAN, DMZ, and WLAN are cleaned up, and relevant services are reinitialized. For the first login, you can ignore this warning message and follow the on-screen prompts to complete the initial configuration. If you have already configured the security appliance, make sure that you have read the warning message before you use the Startup Wizard to configure your security appliance. Click OK to close the warning message window. STEP 2 Click Begin.The Remote Management window opens. The security appliance allows remote management securely by using HTTPS and HTTP. For example, https://xxx.xxx.xxx.xxx:8080.Enter the following information: •Remote Management: Click On to enable remote management by using HTTPS, or click Off to disable it. We recommend that you use HTTPS for secure purposes.•HTTPS Listen Port Number: If you enable remote management by using HTTPS, enter the port number to be listened on. By default, the listened port for HTTPS is 8080. •HTTP Enable: Click On box to enable remote management by using HTTP, or click Off to disable it. •HTTP Listen Port Number: If you enable remote management by using HTTP, enter the port number to be listened on. By default, the listened port for HTTP is 80. •Access Type: Choose the level of permission for remote management:-Allow access from any IP address: Any IP address from a remote WAN network can access the Configuration Utility.-Restrict a specific IP address: Only the specified remote host can access the Configuration Utility. Enter the IP address of the remote host in the IP Address field.

WizardsUsing the Startup WizardCisco ISA500 Series Integrated Security Appliance Administrator Guide 342 -Restrict access to a range of IP addresses: Only the hosts in the specified remote network can access the Configuration Utility. Enter the starting IP address in the From field and the ending IP address in the To field. •Remote SNMP: Click On to enable SNMP for the remote connection, or click Off to disable SNMP. Enabling SNMP allows remote users to use the SNMP protocol to access the Configuration Utility. STEP 3 After you are finished, click Next. The Port Configuration window opens. From this page you can specify the port configuration. The Startup Wizard predefines four port configuration solutions. You can also modify the port types for the configurable ports when you create a secondary WAN or configure the DMZs. If you are using the ISA570 or ISA570W, choose one of the following options: •1 WAN, 9 LAN Switch: This is the default setting. The security appliance is set to one WAN port (WAN1) and nine LAN ports. •1 WAN, 1 DMZ, and 8 LAN Switch: The security appliance is set to one WAN port (WAN1), one DMZ port, and eight LAN ports. The configurable port GE10 is set to a DMZ port. •1 WAN, 1 WAN Backup, and 8 LAN Switch: The security appliance is set to two WAN ports (WAN1 is the primary WAN and WAN2 is the secondary WAN) and eight LAN ports. The configurable port GE10 is set to a secondary WAN port. •1 WAN, 1 WAN Backup, 1 DMZ, and 7 LAN Switch: The security appliance is set to two WAN ports (WAN1 is the primary WAN and WAN2 is the secondary WAN), one DMZ port, and seven LAN ports. The configurable port GE10 is set to a secondary WAN port and the configurable port GE9 is set to a DMZ port.If you are using the ISA550 or ISA550W, choose one of the following options: •1 WAN, 6 LAN Switch: This is the default setting. The security appliance is set to one WAN port (WAN1) and six LAN ports. •1 WAN, 1 DMZ, and 5 LAN Switch: The security appliance is set to one WAN port (WAN1), one DMZ port, and five LAN ports. The configurable port GE7 is set to a DMZ port.

WizardsUsing the Startup WizardCisco ISA500 Series Integrated Security Appliance Administrator Guide 352 •1 WAN, 1 WAN Backup, and 5 LAN Switch: The security appliance is set to two WAN ports (WAN1 is the primary WAN and WAN2 is the secondary WAN) and five LAN ports. The configurable port GE7 is set to a secondary WAN port. •1 WAN, 1 WAN Backup, 1 DMZ, and 4 LAN Switch: The security appliance is set to two WAN ports (WAN1 is the primary WAN and WAN2 is the secondary WAN), one DMZ port, and four LAN ports. The configurable port GE7 is set to a secondary WAN port and the configurable port GE6 is set to a DMZ port.NOTE If you have two ISP links, we recommend that you set a backup WAN so that you can provide backup connectivity or load balancing. If you need to host public services, we recommend that you set a DMZ port. NOTE The configurable ports can be set as the WAN, LAN, and DMZ ports. Up to two WAN ports and four DMZ ports can be configured on the security appliance. To configure multiple DMZ ports, go to the Networking -> DMZ page. For more information, see Configuring the DMZ, page 123.STEP 4 After you are finished, click Next. The Primary WAN Connection window opens. From this page you can configure the primary WAN port. Choose the network addressing mode from the IP Address Assignment drop-down list and complete the corresponding fields for the primary WAN port depending on the requirements of your ISP. The security appliance supports DHCPC, Static IP, PPPoE, PPTP, and L2TP. For complete details, see Configuring the Network Addressing Mode, page 106. NOTE If only one single WAN port is configured on your security appliance, skip the next two steps and proceed to the step 7. STEP 5 After you are finished, click Next. The Secondary WAN Connection window opens. From this page you can configure the secondary WAN port.

WizardsUsing the Startup WizardCisco ISA500 Series Integrated Security Appliance Administrator Guide 362 Choose the network addressing mode from the IP Address Assignment drop-down list and complete the corresponding fields for the secondary WAN port depending on the requirements of your ISP. For complete details, see Configuring the Network Addressing Mode, page 106. STEP 6 After you are finished, click Next. The WAN Redundancy window opens. From this page you can determine how the two ISP links are used. •Use the Loab Balancing mode if you want to use both ISP links simultaneously. The two links will carry data for the protocols that are bound to them. Enter the following information: -Equal Load Balancing (Round Robin): Re-orders the WAN interfaces for Round Robin selection. The order is as follows: WAN1 and WAN2. The Round Robin will then repeat back to WAN1 and continue the order. -Weighted Load Balancing: Distributes the bandwidth to two WAN ports by the weighted percange or by the weighted link bandwidth. If you choose this mode, then choose one of the following options and finish the setting: Weighted By percentage: Allows you to set the percentage for each WAN, such as 80% percentage bandwidth for WAN1 and lest 20% percentage bandwidth for WAN2. Weighted By Link Bandwidth: Allows you to set the rate limiting for each WAN, such as 10 Mbps for WAN1 and 5 Mbps for WAN2. •Use the Failover mode if you want to use one ISP link as a backup. If a failure is detected on the primary link, then the security appliance directs all Internet traffic to the backup link. When the primary link regains connectivity, all Internet traffic is directed to the primary link, and the backup link becomes idle. Enter the following information: -Auto Failover to: Choose either WAN1 or WAN2 as the primary link. By default, WAN1 is set as the primary link and WAN2 is set as the backup link. You can also set WAN2 as the primary link. -Preempt Delay Timer: Enter the time in seconds that the system will preempt the primary link from the backup link when the primary link is up again. The default is 5 seconds. STEP 7 After you are finished, click Next. The LAN Configuration window opens. From this page you can configure the default LAN settings.

WizardsUsing the Startup WizardCisco ISA500 Series Integrated Security Appliance Administrator Guide 372 •IP: Enter the IP address of the default LAN. •Netmask: Enter the IP address of the netmask. •DHCP Server: Choose one of the following DHCP modes:-Disable: Choose this option if the computers on the VLAN are configured with static IP addresses or are configured to use another DHCP server. -DHCP Server: Allows the security appliance to act as a DHCP server and assigns IP addresses to all devices that are connected to the DEFAULT VLAN. Any new DHCP client joining the DEFAULT VLAN is assigned an IP address of the DHCP pool. -DHCP Relay: Allows the security appliance to use a DHCP Relay. If you choose DHCP Relay, enter the IP address of the remote DHCP server in the Relay IP field. If you choose DHCP Server as the DHCP mode, enter the following information: •Start IP: Enter the starting IP address of the DHCP pool. •End IP: Enter the ending IP address of the DHCP pool. NOTE The starting and ending IP addresses should be in the same range as the LAN’s subnet address.•Lease Time: Enter the maximum connection time that a dynamic IP address is “leased” to a network user. When the time elapses, the user is automatically renewed the dynamic IP address. •DNS 1: Enter the IP address of the primary DNS server. •DNS 2: Optionally, enter the IP address of the secondary DNS server. •WINS 1: Enter the IP address for the primary WINS server.•WINS 2: Optionally, enter the IP address of the secondary WINS server. •Domain Name: Optionally, enter the domain name for the default LAN.•Default Gateway: Enter the IP address of default gateway. STEP 8 After you are finished, click Next. If you have no DMZ port, skip the next two steps and proceed to the step 10.

WizardsUsing the Startup WizardCisco ISA500 Series Integrated Security Appliance Administrator Guide 382 If you have a DMZ port, the DMZ Configuration window opens. To host public services, you need to configure a DMZ network in this page and specify the relevant DMZ services from the next DMZ Service page. •IP: Enter the subnet IP address of the DMZ. •Netmask: Enter the subnet mask of the DMZ.•DHCP Service: Choose one of the following options:-Disable: Choose this option if the computers on the DMZ are configured with static IP addresses or are configured to use another DHCP server. -DHCP Server: Allows the security appliance to act as a DHCP server and assigns IP addresses to all devices that are connected to the DMZ. Any new DHCP client joining the DMZ is assigned an IP address of the DHCP pool. -DHCP Relay: Allows the security appliance to use a DHCP Relay. If you choose DHCP Relay, enter the IP address of the remote DHCP server in the Relay IP field. If you choose DHCP Server as the DHCP mode, enter the following information: •Start IP: Enter the starting IP address of the DHCP pool. •End IP: Enter the ending IP address of the DHCP pool. NOTE The starting and ending IP addresses should be in the same range as the DMZ’s subnet address.•Lease Time: Enter the maximum connection time that a dynamic IP address is “leased” to a network user. When the time elapses, the user is automatically renewed the dynamic IP address. •DNS 1: Enter the IP address of the primary DNS server. •DNS 2: Optionally, enter the IP address of the secondary DNS server. •WINS 1: Enter the IP address for the primary WINS server.•WINS 2: Optionally, enter the IP address of the secondary WINS server. •Domain Name: Optionally, enter the domain name for the DMZ.•Default Gateway: Enter the IP address of default gateway.

WizardsUsing the Startup WizardCisco ISA500 Series Integrated Security Appliance Administrator Guide 392 STEP 9 After you are finished, click Next. The DMZ Service window opens. From this page you can configure the DMZ services. For complete details, see Configuring the DMZ Services, page 49.NOTE After you configure the DMZ services, the firewall access rules will automatically generated by the security appliance to allow the access to the services on your DMZ. STEP 10 After you are finished, click Next. The Wireless Radio Setting window opens. From this page you can configure the wireless radio settings. NOTE The wireless configurations such as wireless radio settings and Intranet WLAN access (see next step) are only available for the ISA550W and ISA570W. If your security appliance is not a wireless device, proceed to the step 12. •Wireless Network Mode: Choose the 802.11 modulation technique. The ISA550W and ISA550W supports the following radio modes: -802.11b only: Choose this mode if all devices in the wireless network use 802.11b. Only 802.11b clients can connect to the access point. -802.11g only: Choose this mode if all devices in the wireless network use 802.11g. Only 802.11g clients can connect to the access point. -802.11b/g mixed: Choose this mode if some devices in the wireless network use 802.11b and others use 802.11g. Both 802.11b and 802.11g clients can connect to the access point. -802.11n only: Choose this mode if all devices in the wireless network can support 802.11n. Only 802.11n clients operating in the 2.4 GHz frequency can connect to the access point. -802.11g/n mixed: Choose this mode to allow 802.11g and 802.11n clients operating in the 2.4 GHz frequency to connect to the access point. -802.11b/g/n mixed: Choose this mode to allow 802.11b, 802.11g, and 802.11n clients operating in the 2.4 GHz frequency to connect to the access point.

WizardsUsing the Wireless Wizard to Configure the Wireless Settings for ISA550W and ISA570WCisco ISA500 Series Integrated Security Appliance Administrator Guide 402 •Wireless Channel: Choose a channel or choose Auto to let the system determine the best channel to use based on the environmental noise levels for the available channels.STEP 11 After you are finished, click Next. The Wireless Connectivity Type - Intranet WLAN Access window opens. From this page you can configure the wireless connectivity settings for the SSID1. NOTE The ISA550W and ISA570W support four SSIDs. To configure the wireless connectivity settings for other SSIDs, go to the Wireless -> Basic Settings page or use the Wireless wizard. For more information, see Configuring the Access Points, page 151 or Using the Wireless Wizard to Configure the Wireless Settings for ISA550W and ISA570W, page 40. •SSID Name: The SSID name. •Security Mode: Choose the encryption algorithm for data encryption for this SSID. Depending on the selected security mode, configure the corresponding settings. See Configuring the Security Mode, page 162. •VLAN Name: Choose the VLAN to which this SSID is mapped. All traffic from the wireless clients that are connected to this SSID will be directed to the selected VLAN. STEP 12 After you are finished, click Next. The Summary window opens. The Summary page displays the summary information for all configurations you made. STEP 13 Click Submit to save the settings. Using the Wireless Wizard to Configure the Wireless Settings for ISA550W and ISA570WUse the Wireless Wizard to configure the wireless radio and Intranet connectivity settings for the ISA550W and ISA570W. It includes the following sections: •Using the Wireless Wizard to Configure the Wireless Settings, page 41

WizardsUsing the DMZ Wizard to Configure the DMZ SettingsCisco ISA500 Series Integrated Security Appliance Administrator Guide 462 -Internal: Allows you to use the default web authentication login page to authenticate the wireless users. If you choose this option, enter the URL of the portal in the Redirect URL After Login field and specify the monitored HTTP port list. If you do not specify the portal, the wireless user can access the original web site directly. -External Web Server: Allows you to use a customized web authentication login page on an external web server to authenticate the wireless users. If you choose this option, enter the IP address of the external web server in the Authentication Web Server field and the key in the Authentiation Web Key field. The authentication web key is used to protect the user name and password that the external web server sends to your security appliance for authentication. For example, if you select Internal for authentication and the web portal is set to www.ABcompanyC.com, when a wireless user tries to access the website www.google.com, the default web authentication login page opens. The user needs to enter the user name and password, and then click Submit. After login, the user is directed to the www.ABcompanyC.com and can then access the www.google.com. STEP 6 In the Advanced Settings area, enter the following information: •VLAN Mapping: Choose the VLAN to which the SSID is mapped. All traffic from the wireless clients that are connected to this SSID will be directed to the selected VLAN. •User Limit: Specify the maximum number of users that can simultaneously connect to this SSID. Using the DMZ Wizard to Configure the DMZ SettingsUse the DMZ Wizard to configure the DMZ and DMZ services if you need to host public services. It includes the following sections: •Using the DMZ Wizard to Configure the DMZ Settings, page 47•Configuring the DMZ, page 48•Configuring the DMZ Services, page 49

WizardsUsing the DMZ Wizard to Configure the DMZ SettingsCisco ISA500 Series Integrated Security Appliance Administrator Guide 472 Using the DMZ Wizard to Configure the DMZ SettingsSTEP 1 Click Wizards -> DMZ Wizard. The Getting Started window opens. STEP 2 Click Begin.The DDNS Setup window opens. From this page you can optionlly configure the DDNS for the remote management of the DMZ network. Enter the following information: •Service: Choose either DynDNS or No-IP service.•Active on Startup: Click On to activate the DDNS setting when the security appliance starts up. •User Name: Enter the user name of the account that you registered in the DDNS provider. •Password: Enter the password of the account that you registered in the DDNS provider.•Host & Domain Name: Specify the complete host name and domain name for the DDNS service. STEP 3 After you are finised, click Next.The DMZ Configure window opens. From this page you can the DMZ network. For complete details, see Configuring the DMZ, page 48.STEP 4 After you are finished, click Next.The DMZ Service window opens. From this page you can configure the DMZ services. For complete details, see Configuring the DMZ Services, page 49.NOTE After you configure the DMZ services, the firewall access rules will automatically generated by the security appliance to allow the access to the services on your DMZ. STEP 5 After you are finished, click Next.The Summary window opens. The Summary window displays the summary information for all configurations you made.

WizardsUsing the DMZ Wizard to Configure the DMZ SettingsCisco ISA500 Series Integrated Security Appliance Administrator Guide 482 STEP 6 Click Submit to save your settings and exit the DMZ Wizard. Configuring the DMZIn the DMZ Configure window, follow these procedures to create a DMZ network. STEP 1 Click Add to create a DMZ network. Other Options: To edit an entry, click Edit. To delete an entry, click Delete. The DMZ - Add/Edit window opens. STEP 2 In the Basic Setting tab, enter the following information: •Name: Enter a descriptive name for the DMZ.•IP: Enter the subnet IP address of the DMZ. •Netmask: Enter the subnet mask of the DMZ.•Spanning Tree: Check the box to enable the Spanning Tree feature to determine if there are loops in the network topology. •Port: Choose a configurable port from the Port list and click ->Access to add it to the Member list. The selected configurable port will be set to a DMZ port with Access mode. •Zone: Choose the default or custom DMZ zone to which the DMZ is mapped. STEP 3 In the DHCP Pool Settings tab, choose the DHCP mode from the DHCP Server drop-down list. •Disable: Choose this option if the computers on the DMZ are configured with static IP addresses or are configured to use another DHCP server. •DHCP Server: Allows the security appliance to act as a DHCP server and assigns IP addresses to all devices that are connected to the DMZ. Any new DHCP client joining the DMZ is assigned an IP address of the DHCP pool. •DHCP Relay: Allows the security appliance to use a DHCP Relay. If you choose DHCP Relay, enter the IP address of the remote DHCP server in the Relay IP field.STEP 4 If you choose DHCP Server as the DHCP mode, enter the following information: •Start IP: Enter the starting IP address of the DHCP pool.

WizardsUsing the DMZ Wizard to Configure the DMZ SettingsCisco ISA500 Series Integrated Security Appliance Administrator Guide 492 •End IP: Enter the ending IP address of the DHCP pool. NOTE The starting and ending IP addresses should be in the same range as the DMZ’s subnet address.•Lease Time: Enter the maximum connection time that a dynamic IP address is “leased” to a network user. When the time elapses, the user is automatically assigned a new dynamic IP address. •DNS 1: Enter the IP address of the primary DNS server. •DNS 2: Optionally, enter the IP address of a secondary DNS server. •WINS 1: Enter the IP address for the primary WINS server.•WINS 2: Optionally, enter the IP address of a secondary WINS server. •Domain Name: Optionally, enter the domain name for the DMZ. •Default Gateway: Enter the IP address of default gateway. STEP 5 Click OK to save your settings. STEP 6 Connect your local server to the specified DMZ port, and then configure the DMZ service. Configuring the DMZ ServicesIn the DMZ Service window, follow these procedures to configure the DMZ services. NOTE After you configure the DMZ services, the firewall access rules will automatically generated by the security appliance to allow the access to the services on your DMZ. STEP 1 Click Add to create a DMZ service. Other Options: To edit an entry, click Edit. To delete an entry, click Delete. To delete multiple entries, check the boxes of multiple entries and click Delete Selection.

WizardsUsing the DMZ Wizard to Configure the DMZ SettingsCisco ISA500 Series Integrated Security Appliance Administrator Guide 502 The DMZ Service - Add/Edit window opens. STEP 2 Enter the following information: •Original Service: Choose a service as the incoming service. •Translated Service: Choose a service as the translated service that you will host. If the service you want is not in the list, choose Create a Service to create a new service object. To maintain the service objects, go to the Networking -> Service Management page. See Service Management, page 154. •Translated IP: Choose the IP address of your local server that will need to be translated. You can get the IP address after you connect your local server to the specified DMZ port. If the IP address you want is not in the list, choose Create an IP Address to create a new IP address object. To maintain the IP address objects, go to the Networking -> Address Object Management page. See Address Management, page 152.•WAN: Choose either WAN1 or WAN2, or both as the incoming WAN interface. •WAN IP: Specify the public IP address of the server. You can use the WAN’s IP address or a public IP address that is provided by your ISP. When you choose Both as the incoming WAN interface, this option is grayed out.•Enable DMZ Service: Click On to enable the DMZ service, or click Off to create only the DMZ service. •Description: Enter the name for the DMZ service.STEP 3 Click OK to save your settings.

WizardsUsing the Dual WAN Wizard to Configure the WAN Redundancy SettingsCisco ISA500 Series Integrated Security Appliance Administrator Guide 512 Using the Dual WAN Wizard to Configure the WAN Redundancy SettingsIf you have two ISP links, a backup WAN is required so that you can provide backup connectivity or load balancing. Use the Dual WAN Wizard to configure the WAN redundancy settings. NOTE When the security appliance is working in the Load Balancing or Failover mode, if one WAN link is down such as the cable is plug out, the WAN redundancy and Policy-based Routing settings are ignored, and all traffic is handled by the active WAN port. The WAN link means STEP 1 Click Wizards -> Dual WAN Wizard. The Getting Started window opens. STEP 2 Click Begin.The Port Configuration window opens. Specify a configurable port (from GE 6 to GE10) as the secondary WAN interface. The dedicated physical port GE1 is set as the primary WAN interface. STEP 3 After you are finished, click Next.The Primary WAN Connection window opens. Depending on the requirements of your ISP, choose the network addressing mode from the IP Address Assignment drop-down list for the primary WAN port and complete the corresponding fields. The security appliance supports DHCPC, Static IP, PPPoE, PPTP, and L2TP. For complete details, see Configuring the Network Addressing Mode, page 106. STEP 4 After you are finished, click Next.The Secondary WAN Connection window opens. Depending on the requirements of your ISP, choose the network addressing mode from the IP Address Assignment drop-down list for the secondary WAN port and complete the corresponding fields. For complete details, see Configuring the Network Addressing Mode, page 106. STEP 5 After you are finished, click Next.The WAN Redundancy Configuration window opens. From this page you can determine how the two ISP links are used.

WizardsUsing the Site-to-Site Wizard to Establish the Site-to-Site VPN TunnelsCisco ISA500 Series Integrated Security Appliance Administrator Guide 552 •Local Network: Choose the IP address of the local network. If you want to enable zone access control settings for the IPSec VPN tunnels, choose Any for the local network. •Remote Network: Choose the IP address of the remote network. You must know the IP address of the remote network before connecting the IPSec VPN tunnel. If the IP address object you want is not in the list, choose Create an IP Address to add a new address object. To maintain the IP address objects, go to the Networking -> Address Object Management page. See Address Management, page 152. NOTE The security appliance can support multiple subnets for IPSec VPN tunnel, you may need to select a group address object including multiple VLANs for local and remote network.STEP 6 After you are finished, click Next.The Summary window opens. The Summary window displays the summary information for all configurations you made. STEP 7 Click Submit to save your settings and exit the Site-to-Site Wizard. Configuring the IKE PoliciesIn the IKE Policy window, follow these procedures to create a new IKE policy. STEP 1 To add an IKE policy, click Add. Other options: To edit an entry, click Edit. To delete an entry, click Delete.After you click Add, the IKE Policy - Add/Edit window opens. STEP 2 Enter the following information:•Name: Enter an unique name for the IKE policy. •Encryption: Choose the algorithm used to negotiate the security association. There are four algorithms supported by the security appliance: ESP_3DES, ESP_AES-128, ESP_AES-192, and ESP_AES-256.

WizardsUsing the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote AccessCisco ISA500 Series Integrated Security Appliance Administrator Guide 582 Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote AccessThe Remote Access Wizard helps you configure your security appliance as a Cisco IPSec VPN server or as a SSL VPN gateway so that remote users can securely access the corporate network resources over the VPN tunnels. It includes the following sections: •Using Cisco IPSec VPN to Establish the IPSec VPN Tunnels, page 58•Configuring the Cisco IPSec VPN User Groups, page 63•Using SSL VPN to Establish the SSL VPN Tunnels, page 63•Configuring the SSL VPN Group Policies, page 66•Configuring the SSL VPN User Groups, page 69Using Cisco IPSec VPN to Establish the IPSec VPN TunnelsThe security appliance can function as a Cisco IPSec VPN server to allow the remote users to establish the IPSec tunnels and securely access the corporate network resources. The Cisco IPSec VPN server pushes the security policies to remote clients so that remote clients have up-to-date policies in place before establishing the connections. This flexibility allows mobile and remote users to access critical data and applications on the corporate Intranet. The remote client can be a Cisco device that supports the Cisco VPN hardware client or a PC running the Cisco VPN Client software (v4.x or v5.x).

3Cisco ISA500 Series Integrated Security Appliance Administrator Guide 70 StatusThis chapter describes how to monitor the system status and performance for your security appliance.•System Status, page 70•Interface Status, page 74•Wireless Status for ISA550W and ISA570W, page 79•Active Users, page 81•VPN Status, page 81•Reports, page 85•Process Status, page 92•Resource Utilization, page 92To access the Status pages, click Status in the left hand navigation pane.System StatusThe Dashboard page displays the current system status. To open this page, click Status -> Dashboard. Router InformationSystem Name The device name of your security appliance.

StatusSystem StatusCisco ISA500 Series Integrated Security Appliance Administrator Guide 713 Resource UtilizationTo see complete details for resource utilization, click Details. LicensesDisplay the security license status. To manage the security license, click Manage.Syslog SummaryDisplay the summary of the system event logs. Syslog entries are defined by different severity levels. To see complete logs, click details.Firmware (Primary/Secondary)The firmware version that the security appliance is currently using (primary) and the firmware version that was previously running (secondary). By default, the security appliance boots up with the primary firmware. To switch to the secondary firmware, see Using the Secondary Firmware, page 300.Bootloader VersionThe bootloader version. Serial Number The security appliance serial number.PID The product identifier (PID) of the security appliance, also known as product name, model name, and product number.UDI The Unique Device Identifier (UDI) of the security appliance. UID is Cisco’s product identification standard for hardware products. CPU Utilization The CPU usage.Memory UtilizationThe allocated memory space after the security appliance boots. System Up Time How long the security appliance has been running.Emergency Total number of Emergency logs. Click the number link for details.Alert Total number of Alert logs. Click the number link for details.

StatusSystem StatusCisco ISA500 Series Integrated Security Appliance Administrator Guide 723 Site-to-Site VPNDisplay the total number of Site-to-Site VPN sessions. To see complete details, click details.Remote Access VPNRouting ModeDisplay the routing mode between WAN and LAN. By default, the NAT mode is enabled. Click details to enable or disable the Routing mode. Physical PortsTo see complete details for all physical ports, click details. Critical Total number of Critical logs. Click the number link for details.Error Total number of Error logs. Click the number link for details.Warning Total number of Warning logs. Click the number link for details.Notification Total number of Notification logs. Click the number link for details.Information Total number of Information logs.SSL Users Total number of active SSL VPN sessions. Click the SSL Users link for details.IPSec Users Total number of active IPSec VPN sessions that initiated by your security appliance. Click the IPSec Users link for details. This option is available when your security appliance is set as the Cisco IPSec VPN Server or Cisco IPSec VPN Client.Single - Dedicated PortHow many WAN interfaces are set, for example, Single - Dedicated Port. Name The name of the physical interface.Port Type The port type of the physical interface.

StatusSystem StatusCisco ISA500 Series Integrated Security Appliance Administrator Guide 733 WAN ModeDisplay the WAN configuration mode of the security appliance (Single WAN port, Failover, or Load Balancing). To see complete details for WAN redundancy, click details. WAN InterfacesTo see complete details for all WAN interfaces, click details. LAN InterfaceTo see complete details for all VLANs, click details. DMZ InterfaceTo see complete details for DMZ, click details. Wireless InterfaceTo see complete details for all SSIDs, click details. Mode The link status of the physical interface. WAN1 to WANxThe name of the WAN interface.IP Address The IP addresses assigned to the WAN interface. Index The VLAN ID.Name The VLAN name.DHCP Mode The DHCP mode of the VLAN. IP Address The subnet IP address of the VLAN.Port The configurable interface that is set as the DMZ interface.Name The name of the DMZ interface.IP Address The subnet IP address of the DMZ interface.

StatusInterface StatusCisco ISA500 Series Integrated Security Appliance Administrator Guide 743 Interface StatusThe Interface Status pages display the ARP entries, IP address assignment of DHCP pool, and the status and statistic information for all Ethernet ports, WANs, VLANs, and DMZs. It includes the following sections: •ARP Table, page 74•DHCP Pool Assignment, page 75•Interface, page 75•Interface Statistics, page 77ARP TableThe Address Resolution Protocol (ARP) is a computer networking protocol that determines a network host’s Link Layer or hardware address when only the Internet Layer (IP) or Network Layer address is known.The ARP table displays the IP addresses and corresponding MAC addresses of the devices under your local network. To open this page, click Status -> Interface Status -> Show ARP Table. SSID Number The SSID ID.SSID Name The SSID name.VLAN The VLANs to which the SSID is mapped.Client List The number of client stations that are connected to the SSID.IP Address Indicates the station IP address, which is associated with the MAC address.MAC Address Indicates the station MAC address, which is associated with the IP address.Flag Indicates the ARP entry status.

StatusInterface StatusCisco ISA500 Series Integrated Security Appliance Administrator Guide 753 DHCP Pool AssignmentThe DHCP Pool Assignment page displays the IP address assignment by the DHCP server on your security appliance. Click Refresh to refresh the data. To open this page, click Status -> Interface Status -> DHCP Pool Assignment. InterfaceThe Interface page displays the status for all Ethernet ports, WANs, VLANs, and DMZs. To open this page, click Status -> Interface Status -> Interface.Ethernet TableThe Ethernet table displays the following information for all physical ports: Device Indicates the interface for which the ARP parameters are defined.IP Address The IP address assigned to the host or the remote device.MAC Address The MAC address of the host or the remote device.Lease Start TimeThe lease starting time of the IP address.Lease End Time The lease ending time of the IP address.Port The number of the physical port.Name The name of the physical port.Enable Shows if the physical port is enabled or disabled.Port Type The physical port type, such as WAN, LAN, or DMZ. Mode The physical port access mode. A WAN or DMZ port is always set to Access mode and a LAN port can be set to Access or Trunk mode.VLAN The VLANs to which the physical port is mapped.

StatusInterface StatusCisco ISA500 Series Integrated Security Appliance Administrator Guide 763 WAN TableThe WAN table displays the following information of all WAN interfaces: VLAN TableThe VLAN table displays the following VLAN information:PVID The Port VLAN ID (PVID) to be used to forward or filter the untagged packets coming into the port. The PVID of a Trunk port is fixed to the DEFAULT VLAN (1).Speed/Duplex The duplex mode (speed and duplex setting) of the physical port.Link Status Shows if the physical port is connected or not.Name The name of the WAN interface.WAN Type The network addressing mode used to connect to the Internet for the WAN interface.Connection Time How long the WAN interface is connected, in seconds.Connection StatusShows if the WAN interface obtains an IP address successfully or not. If yes, the connection status shows as “Connected”. MAC Address The MAC address of the WAN interface.IP Address The IP address of the WAN interface that is accessible from the Internet.Netmask The IP address of subnet mask for the WAN interface.Gateway The IP address of default gateway for the WAN interface.DNS Server The IP address of the DNS server for the WAN interface.Physical Port The physical interface that is associated with the WAN interface.Link Status Shows if the cable is inserted to the WAN interface or not. If the link status shows as “Not Link”, the cable may be loose or malfunctioning. Zone The zone to which the WAN interface is assigned.

StatusInterface StatusCisco ISA500 Series Integrated Security Appliance Administrator Guide 773 DMZ TableThe DMZ table displays the following DMZ information:Interface Statistics The Interface Statistics page displays the traffic data for active physical ports, WANs, VLANs, and DMZs. This page is automatically updated every 10 seconds. To open this page, click Status -> Interface Status -> Interface Statistics.Ethernet TableThe Ethernet table displays the traffic data for all active physical ports: Name The VLAN name.VID The VLAN ID.Address The subnet IP address and netmask of the VLAN.Physical Port The physical ports that are assigned to the VLAN.Zone The zone to which the VLAN is mapped.Name The DMZ name.VID The VLAN ID.Address The subnet IP address and netmask of the DMZ.Physical Port The physical port that is assigned to the DMZ.Zone The zone to which the DMZ is mapped.Port The name of the physical port.Link Status Shows if the port is connected or not.Tx Pxts The number of IP packets going out of the port.Rx Pxts The number of IP packets received by the port.

StatusInterface StatusCisco ISA500 Series Integrated Security Appliance Administrator Guide 783 WAN TableThe WAN table displays the traffic statistic information for all WAN ports: VLAN TableThe VLAN table displays the flow statistic information for all VLANs: Collisions The number of signal collisions that have occurred on this port. A collision occurs when the port tries to send data at the same time as a port on the other router or computer that is connected to this port.Tx B/s The number of bytes going out of the port per second.Rx B/s The number of bytes received by the port per second.Up Time How long the port has been active. The uptime is reset to zero when the security appliance or the port is restarted.Name The name of the WAN port.Tx Pkts The number of IP packets going out of the WAN port.Rx Pkts The number of IP packets received by the WAN port.Collisions The number of signal collisions that have occurred on this WAN port. Tx B/s The number of bytes going out of the WAN port per second.Rx B/s The number of bytes received by the WAN port per second.Up Time How long the WAN port has been active. The uptime is reset to zero when the security appliance or the WAN port is restarted.Name The VLAN name.Tx Pkts The number of IP packets going out of the VLAN.Rx Pkts The number of IP packets received by the VLAN.

StatusWireless Status for ISA550W and ISA570WCisco ISA500 Series Integrated Security Appliance Administrator Guide 793 DMZ TableThe DMZ table displays the flow statistic information for all DMZs: Poll Interval Enter a value in seconds for the poll interval. This causes the page to re-read the statistic information from the security appliance and refreshes the page automatically. To modify the poll interval, click Stop and then click Start to restart the automatic refresh by using the specified poll interval.Wireless Status for ISA550W and ISA570WUse the Wireless pages to view the wireless status and the number of client stations that are connected to the SSIDs. It includes the following sections: •Wireless Status, page 80 •Client Status, page 81Collisions The number of signal collisions that have occurred on this VLAN.Tx B/s The number of bytes going out of the VLAN per second.Rx B/s The number of bytes received by the VLAN per second.Up Time How long the LAN port has been active. Name The name of the DMZ.Tx Pkts The number of IP packets going out of the DMZ.Rx Pkts The number of IP packets received by the DMZ.Collisions The number of signal collisions that occurred on the DMZ.Tx B/s The number of bytes going out of the DMZ per second.Rx B/s The number of bytes received by the DMZ per second.Up Time How long the DMZ port has been active.

StatusWireless Status for ISA550W and ISA570WCisco ISA500 Series Integrated Security Appliance Administrator Guide 803 Wireless StatusThe Wireless Status page displays the cumulative total of relevant wireless statistics for all active SSIDs. The counters is reset when the security appliance reboots. To open this page, click Status -> Wireless -> Wireless Status.Wireless TableThe security appliance may have multiple SSIDs enabled and configured concurrently. This table displays the following information of all active SSIDs.Wireless Statistics TableThis table displays the traffic data for a given SSID. SSID Number The SSID ID.SSID Name The SSID name.MAC The MAC address of the SSID. VLAN The VLAN to which the SSID is mapped.Client List The number of client stations that are connected to the SSID.Name The SSID name.Tx Pkts The number of transmitted packets on the SSID.Rx Pkts The number of received packets on the SSID. Collisions The number of packet collisions reported to the SSID.Tx B/s The number of transmitted bytes of information on the SSID.Rx B/s The number of received bytes of information on the SSID.Up Time How long the SSID has been active.

StatusActive UsersCisco ISA500 Series Integrated Security Appliance Administrator Guide 813 Client StatusThe Client Status page displays the MAC address and IP address of all client stations that are already connected to each SSID. Click Refresh to refresh the data. To open this page, click Status -> Wireless -> Client Status.Active UsersThe Active Users page displays all active users who are currently logged into the security appliance. Click the Logout button to terminate an active user session. To open this page, click Status -> Active Users. You can check the following user session information. VPN StatusThe VPN Status pages display the status and statistic information of IPSec and SSL VPN sessions. You can manually connect or disconnect the VPN tunnels. It includes the following sections: •IPSec VPN Status, page 82•SSL VPN Status, page 83User Name The name of the logged user.Address InformationThe host IP address from which the user accessed the security appliance.Login Method How the user logs into the security appliance, such as web login, SSL VPN, or Cisco IPSec VPN.Session Time How long the user logged into the security appliance.

StatusVPN StatusCisco ISA500 Series Integrated Security Appliance Administrator Guide 823 IPSec VPN StatusThe VPN Table page displays the status and statistic information for IPsec VPN sessions. To open this page, click Status -> VPN Status -> VPN Table. Status for all IPSec VPN SessionsThe Active Sessions tab displays the following IPsec VPN session information: Statistics for all active IPSec VPN SessionsThe IPSec VPN Statistic tab displays the statistic information for all active IPsec VPN sessions: Name The name of the IPSec VPN policy that is used for the VPN session.VPN Type The connection type of the IPSec VPN session, such as Site-to-Site, Cisco IPSec VPN Server, or Cisco IPSec VPN Client.WAN Interface The WAN interface used for the IPSec VPN session.Remote GatewayThe IP address of the remote gateway for a Site-to-Site VPN session or the IP address of the remote VPN client for a Cisco IPSec VPN session.Local Network The subnet IP address and netmask of your local network.Remote Network The subnet IP address and netmask of the remote network.Connect Click this button to manually establish a VPN connection.Disconnect Click this button to manually terminate an active VPN connection.Name The name of the IPSec VPN policy used for the VPN session.VPN Type The connection type of the IPSec VPN session. WAN Interface The WAN interface used for the IPSec VPN session.

StatusVPN StatusCisco ISA500 Series Integrated Security Appliance Administrator Guide 833 SSL VPN StatusThe SSL VPN Monitoring page displays the status and traffic statistic information of all SSL VPN sessions. To open this page, click Status -> VPN Status -> SSLVPN Monitoring. Status of all Active SSL VPN SessionsThe Sessions tab displays the following information of all active SSL VPN sessions: Remote GatewayThe IP address of the remote gateway for a Site-to-Site VPN session or the IP address of the remote VPN client for a Cisco IPSec VPN session.Tx Bytes The volume of traffic in Kilobytes transmitted from the VPN tunnel.Rx Bytes The volume of traffic in Kilobytes received from the VPN tunnel.Tx Pkts The number of IP packets transmitted from the VPN tunnel.Rx Pkts The number of IP packets received from the VPN tunnel.Session ID The SSL VPN session ID. User Name The name of the connected SSL VPN user.Client IP (Actual) The actual IP address used by the SSL VPN client.Client IP (VPN) The virtual IP address assigned by the SSL VPN gateway.Time Connected The amount of time since the user first established the connection.Disconnect Click this button to terminate an active SSL VPN session and hence the associated SSL VPN tunnel. Disconnect All Click this button to terminate all active SSL VPN sessions and hence the associated SSL VPN tunnels.

StatusVPN StatusCisco ISA500 Series Integrated Security Appliance Administrator Guide 843 Statistics for all SSL VPN Sessions or for a single SSL VPN sessionThe Statistic tab displays the global statistic information for all active SSL VPN sessions or for each SSL VPN session. In the Global Status area, the global statistic information is displayed. To clear the global statistic information, click Clear Global. The following statistic information for each SSL VPN session is displayed in the table. To clear the statistic information of a single SSL VPN session, click Clear.Active Users The number of all connected SSL VPN users. In CSTP frames The number of CSTP frames received from all clients.In CSTP bytes The total number of bytes in the CSTP frames received from all clients.In CSTP data The number of CSTP data frames received from all clients.In CSTP control The number of CSTP control frames received from all clients.Out CSTP framesThe number of CSTP frames sent to all clients.Out CSTP bytes The total number of bytes in the CSTP frames sent to all clients.Out CSTP data The number of CSTP data frames sent to all clients.Out CSTP controlThe number of CSTP control frames sent to all clients.Session ID The SSL VPN session ID. In CSTP frames The number of CSTP frames received from the client.In CSTP bytes The total number of bytes in the CSTP frames received from the client.In CSTP data The number of CSTP data frames received from the client.In CSTP control The number of CSTP control frames received from the client.

StatusReportsCisco ISA500 Series Integrated Security Appliance Administrator Guide 853 NOTE CSTP is a Cisco proprietary protocol for SSL VPN tunneling. “In” means “from the client” and “Out” means “to the client”. The client is the PC running the Cisco AnyConnect VPN Client software that connects to the security appliance running the SSL VPN server. A CSTP frame is a packet that carrying CSTP protocol information. There are two major frame types, control frames and data frames. Control frames implement control functions within the protocol. Data frames carry the client data, such as the tunneled payload.ReportsThe security appliance provides the report ability to help the operator or administrator analyze the system performance and security. It includes the following sections: •Reports of Event Logs, page 86•Reports of WAN Bandwidth, page 87•Reports of Security Services, page 87Out CSTP framesThe number of CSTP frames sent to the client.Out CSTP bytes The total number of bytes in the CSTP frames sent to the client.Out CSTP data The number of CSTP data frames sent to the client.Out CSTP controlThe number of CSTP control frames sent to the client.

StatusReportsCisco ISA500 Series Integrated Security Appliance Administrator Guide 863 Reports of Event LogsThe security appliance can perform a rolling analysis of the event logs. The Report page displays the top 25 most frequently accessed websites, the top 25 users of bandwidth usage, and the top 25 services that consume the most bandwidth. !CAUTION Enabling the IP Bandwidth, Service Bandwidth, and TopN Web reports consumes additional system resources and may impact the system performance. Go to the Status -> Dashboard page to view the CPU and memory utilization. To conserve the system resources, disable the reports when they are no longer needed. STEP 1 To open the Report page, click Status -> Report -> Report.STEP 2 Click On to enable a report, or click Off to disable a report. STEP 3 Click Save to save your settings. STEP 4 If you enable a report, choose this report from the Type drop-down list, the corresponding statistic information is displayed. •IP Bandwidth: This report lists the top 25 users of bandwidth usage. It displays the number of megabytes transmitted per IP address since the system is up. •Service Bandwidth: This report lists the top 25 Internet services that consume the most bandwidth. It displays the number of megabytes received from the service since the system is up. This report is helpful to determine whether the services being used are appropriate for your organization. If the services such as video or push broadcasts are consuming a large portion of the available bandwidth, you can block them.•Web Vistor: This report lists the top 25 most frequently accessed websites. It displays the number of hits to a website since the system is up. This report ensures that the majority of web access is to appropriate websites. If inappropriate sites appear in this report, you can block the websites. For more information on blocking inappropriate websites, see Configuring the Content Filtering to Control Access to Internet, page 201, or Web URL Filter, page 226. Click on the domain name or site name of a website to open that site in a new prompt window to see what this website is about.

StatusReportsCisco ISA500 Series Integrated Security Appliance Administrator Guide 873 STEP 5 Click Refresh Data to update the data on the screen or click Reset Data to reset the values to zero.Reports of WAN BandwidthThe WAN Bandwidth report displays the run-time WAN network bandwidth usage by hour in the past 24 hours. STEP 1 Click Status -> Report -> WAN Bandwidth.STEP 2 Check the Enable WAN Bandwidth box to enable this report. STEP 3 Click Save to save your settings.STEP 4 After you enable this report, in the Primary WAN tab, you can see the run-time network bandwidth usage for the primary WAN interface by hour in the past 24 hours. STEP 5 If a secondary WAN interface is configured, in the Secondary WAN tab, you can see the run-time network bandwidth usage for the secondary WAN interface by hour in the past 24 hours. STEP 6 Click Reset to reset the network bandwidth usages for both the primary WAN and secondary WAN interfaces. Reports of Security ServicesThe Security Services page displays the statistical information for all enabled security services. To open the pages, click Status -> Report -> Security Services. It includes the following sections: •Web Security Blocked Report, page 88•Anti-Virus Report, page 88•Email Security Report, page 89•Network Reputation Report, page 90•IPS Policy Protocol Inspection Report, page 90•IM and P2P Blocking Report, page 91

StatusReportsCisco ISA500 Series Integrated Security Appliance Administrator Guide 883 NOTE The reports for the security services are provided only if the corresponding security services are enabled. Web Security Blocked ReportThis report displays the number of web access requests logged and the number of websites blocked by the Web URL Filter service, Web Reputation Filter service, or both. In the Web Security Blocked Report tab, check the Enable Web Security Blocked Report box to enable this report, and then click Save to save your settings.After you enable this report, the corresponding statistic information is displayed. Anti-Virus ReportThis report displays the number of files checked and the number of viruses detected by the Anti-Virus service. In the Anti-Virus tab, check the Enable Anti-Virus Report box to enable this report, and then click Save to save your settings.After you enable this report, the corresponding statistic information is displayed. Device System DateThe current date for counting the data.Total since the service was activedThe total number of web access requests processed and the total number of websites blocked since the Web URL Filter service, Web Reputation Filter service, or both were enabled. Total for las t 7 daysThe total number of web access requests processed and the total number of websites blocked in last seven days.Total for today The total number of web access requests processed and the total number of websites blocked in one day.Graph Shows the total number of web access requests processed and the total number of websites blocked by day for last seven days.

StatusReportsCisco ISA500 Series Integrated Security Appliance Administrator Guide 893 Email Security ReportThis report displays the number of emails checked and the number of spams or supposed spams detected by the Email Reputation Filter service. In the Email Security Report tab, check the Enable Email Security Report box to enable this report, and then click Save to save your settings. After you enable this report, the corresponding statistic information is displayed. Device System DateThe current date for counting the data.Total since the service was activedThe total number of files checked and the total number of viruses detected since the Anti-Virus service was enabled. Total for las t 7 daysThe total number of files checked and the total number of viruses detected in last seven days.Total for today The total number of files checked and the total number of viruses detected in one day.Graph Shows the total number of files checked and the total number of viruses detected by day for last seven days.Device System DateThe current date for counting the data.Total since the service was activedThe total number of emails checked and the total number of spams or supposed spams detected since the Email Reputation Filter service was enabled. Total for las t 7 daysThe total number of emails checked and the total number of spams or supposed spams detected in last seven days.Total for today The total number of emails checked and the total number of spams or supposed spams detected in one day.Graph Shows the total number of emails checked and the total number of spams or supposed spams detected by day for last seven days.

StatusReportsCisco ISA500 Series Integrated Security Appliance Administrator Guide 903 Network Reputation ReportThis report displays the total number of packets checked and the number of packets blocked by the Network Reputation service. In the Network Reputation Report tab, check the Enable Network Reputation Report box to enable this report, and then click Save to save your settings. After you enable this report, the corresponding statistic information is displayed. IPS Policy Protocol Inspection ReportThis report displays the total number of packets for suspicious behaviors and attacks (such as Denial-of-Service attacks, malware, and backdoor exploits) detected and the number of packets dropped by the IPS service. In the IPS Policy Protocol Inspection tab, check the Enable IPS Policy Protocol Inspection Report box to enable this report, and then click Save to save your settings. After you enable this report, the corresponding statistic information is displayed. Device System DateThe current date for counting the data.Total since the service was activedThe total number of packets checked and the total number of packets blocked since the Network Reputation service was enabled. Total for las t 7 daysThe total number of packets checked and the total number of packets blocked in last seven days.Total for today The total number of packets checked and the total number of packets blocked in one day.Graph Shows the total number of packets checked and the total number of packets blocked by day for last seven days.Device System DateThe current date for counting the data.

StatusReportsCisco ISA500 Series Integrated Security Appliance Administrator Guide 913 IM and P2P Blocking ReportThis report displays the number of packets for the predefined Instant Message (IM) and Peer-to-Peer (P2P) applications detected, and the number of packets blocked by the IPS service. In the IM and P2P Blocking tab, check the Enable IM and P2P Blocking Report box to enable this report, and then click Save to save your settings. After you enable this report, the corresponding statistic information is displayed. Total since the service was activedThe total number of packets for suspicious behaviors and attacks detected and the total number of packets dropped since both the IPS service and the IPS Policy and Protocol Inspection were enabled. Total for las t 7 daysThe total number of packets for suspicious behaviors and attacks detected and the total number of packets dropped in last seven days.Total for today The total number of packets for suspicious behaviors and attacks detected and the total number of packets dropped in one day.Graph Shows the total number of packets for suspicious behaviors and attacks detected and the total number of packets dropped by day for last seven days.Device System DateThe current date for counting the data.Total since the service was activedThe total number of packets for the predefined IM and P2P applications detected and the total number of packets blocked since both the IPS service and the IM & P2P Blocking were enabled. Total for las t 7 daysThe total number of packets for the predefined IM and P2P applications detected and the number of packets blocked in the last seven days.Total for today The total number of packets for the predefined IM and P2P applications detected and the number of packets blocked in one day.

StatusProcess StatusCisco ISA500 Series Integrated Security Appliance Administrator Guide 923 Process StatusThe Process Status page displays the status for all sockets and the processes to which each socket belongs. To open this page, click Status -> Process Status.Resource UtilizationThe Resource Utilization page displays the overall CPU and memory utilizations. To open this page, click Status -> Resource Utilization.Graph Shows the total number of packets for the predefined IM and P2P applications detected and the total number of packets blocked by day for last seven days.Name The process name that is running on your security appliance.Description A brief description for the running process. Protocol The protocol that is used by the socket. Port The port number of the local end of the socket. Local Address The IP address of the local end of the socket. Foreign Address The IP address of the remote end of the socket. CPU UtilizationCPU Usage by User The percentage of CPU resource used by user space processes since the security appliance boots up.CPU Usage by kernal The percentage of CPU resource used by kernel space processes since the security appliance boots up.CPU Idle The percentage of CPU idle since the security appliance boots up.

StatusResource UtilizationCisco ISA500 Series Integrated Security Appliance Administrator Guide 933 CPU Waiting for I/O The percentage of CPU waiting for I/O since the security appliance boots up.Memory UtilizationTotal Memory The total amount of memory space available on the security appliance.Used Memory The amount of memory space used by the processes at current time.Free Memory The amount of memory space not used by the processes at current time.Cached Memory The amount of memory space used as cache at current time.Buffer Memory The amount of memory space used as buffers at current time.

4Cisco ISA500 Series Integrated Security Appliance Administrator Guide 94 NetworkingThis chapter describes how to configure your Internet connection, VLAN, DMZ, zones, routing, Quality of Service, and related features. It includes the following sections: •Configuring IP Routing Mode, page 95•Port Management, page 95•Configuring the WAN, page 101•Configuring the WAN Redundancy, page 112•Configuring the VLAN, page 118•Configuring the DMZ, page 123•Configuring the Zones, page 127•Configuring the Routing, page 130•Dynamic DNS, page 136•IGMP, page 138•VRRP, page 139•Configuring the Quality of Service, page 140•Address Management, page 152•Service Management, page 154To access the Networking pages, click Networking in the left hand navigation pane.

NetworkingConfiguring IP Routing ModeCisco ISA500 Series Integrated Security Appliance Administrator Guide 954 Configuring IP Routing ModeInternet Protocol Version 6 (IPv6) is a new IP protocol designed to replace IPv4, the Internet protocol that is predominantly deployed and extensively used throughout the world. IPv6 quadruples the number of network address bits from 32 bits (in IPv4) to 128 bits, resulting in an exponentially larger address space. You can configure the security appliance to support IPv6 addressing on the WAN, LAN, and DMZ. By default, only IPv4 addressing is supported. If you need to configure IPv6 addressing, enable the IPv4/IPv6 mode. STEP 1 Click Networking -> IPv4/IPv6 Routing Mode.The IPv4/IPv6 Routing Mode window opens.STEP 2 Click IPv4/IPv6 mode to enable both IPv4 and IPv6 addressing, or click IPv4 only mode to enable only IPv4 addressing. STEP 3 Click Save to save your settings.Port ManagementThis section describes how to configure the physical ports, enable or disable the port mirroring, and configure 802.1X access control settings on the physical ports. It includes the following topics:•Viewing the Status of Physical Interfaces, page 95•Configuring the Physical Interfaces, page 96•Configuring 802.1X Access Control on Physical Ports, page 98•Configuring the Port Mirroring, page 100Viewing the Status of Physical InterfacesSTEP 1 Click Networking -> Port -> Physical Interface.The Physical Interface window opens.

NetworkingPort ManagementCisco ISA500 Series Integrated Security Appliance Administrator Guide 964 In the Physical Interfaces area, all physical ports available on your security appliance are listed in the table. The following information is displayed: •Name: The name of the physical port.•Enable: Shows if the physical port is enabled or disabled.•Port Type: The physical port type, such as WAN, LAN, or DMZ. The type of the dedicated WAN and LAN ports cannot be changed, but the type of the configurable ports can be set to LAN, WAN, or DMZ.•Mode: The physical port access mode. A WAN or DMZ port is always set to Access mode. A LAN port can be set to Access or Trunk mode.•VLAN: The VLANs to which the physical port is mapped.•PVID: The Port VLAN ID (PVID) to be used to forward or filter the untagged packets coming into port. The PVID of a trunk port is fixed to the DEFAULT VLAN (1). •Speed/Duplex: The duplex mode (speed and duplex setting) of the physical port.•Link Status: Shows if the physical port is connected or not.If you are using the ISA550W or ISA570W, in the Wireless Interfaces area, all active SSIDs available on your security appliance are listed in the table. The following information is displayed: •SSID Name: The SSID name. •VLAN: The VLAN to which the SSID is mapped.•Client List: The number of client stations that are connected to the SSID.To configure the wireless radio and connectivity settings, go to the Wireless pages. See Wireless Configuration for ISA550W and ISA570W. Configuring the Physical InterfacesYou can enable or disable a physical interface, assign the physical interfaces to VLANs, and configure the duplex mode. STEP 1 Click Networking -> Port -> Physical Interface.The Physical Interface window opens.

NetworkingPort ManagementCisco ISA500 Series Integrated Security Appliance Administrator Guide 974 STEP 2 To edit the setting of a physical port, click Edit. After you click Edit, the Ethernet Configuration - Add/Edit window opens.STEP 3 Enter the following information: •Name: The name of the physical port.•Port Type: The physical port type, such as WAN , LAN, or DMZ.•Mode: Choose either Access or Trunk mode for a LAN port, and choose Access mode for a WAN or DMZ port. By default, all ports are set to Access mode.-Access: All data going into and out of the Access port is untagged. Access mode is recommended if the port is connected to a single end-user device which is VLAN unaware.-Trunk: All data going into and out of the Trunk port is tagged. Untagged data coming into the port is not forwarded, except for the DEFAULT VLAN, which is untagged. Trunk mode is recommended if the port is connected to a VLAN-aware switch or router.•Port: Click On to enable the port, or click Off to disable it. By default, all ports are enabled.•VLAN: You can assign the physical port to VLANs. -To assign the port to a VLAN, choose an existing VLAN from the Availbale VLAN list and click the right arrows >> to add it to the VLAN list. -To release the port from a VLAN, choose a VLAN from the VLAN list and click the left arrows <<. NOTE A LAN port can be assigned to multiple VLANs, but an Access LAN port can only be assigned to one VLAN. A DMZ port must be assigned to a DMZ network. NOTE To create new VLANs, click Create VLAN. For more information about how to configure the VLANs, see Configuring the VLAN, page 118. •Flow Control: Click On to control the flow on the port, or click Off to disable it.

NetworkingPort ManagementCisco ISA500 Series Integrated Security Appliance Administrator Guide 984 •Speed: Choose one of these options: AUTO, 10 Mbps, 100 Mbps, and 1000 Mbps. The default is AUTO for all ports. The AUTO option lets the system and network determine the optimal port speed.•Duplex: Choose either Half Duplex or Full Duplex based on the port support. The default is Full Duplex for all ports. -Full: Indicates that the port supports transmissions between the device and the client in both directions simultaneously.-Half: Indicates that the port supports transmissions between the device and the client in only one direction at a time.STEP 4 Click OK to save your settings.STEP 5 Repeat the above steps to edit the settings for other physical ports. STEP 6 Click Save to apply your settings.Configuring 802.1X Access Control on Physical PortsPort-Based Access Control configures IEEE 802.1X port-based authentication to prevent unauthorized devices (802.1X-capable clients) from gaining access to the network. The IEEE 802.1X standard defines a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. The authentication server authenticates each client (supplicant in Windows 2000, XP, Vista, Windows 7, and Mac OS) connected to a port before making available any service offered by the security appliance or the LAN. Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port. This feature simplifies the security management by allowing you to control access from a master database in a single server (although you can use up to three RADIUS servers to provide backups in case access to the primary server fails). It also means that user can enter the same authorized RADIUS username and password pair for authentication, regardless of which switch is the access point into the LAN.

NetworkingPort ManagementCisco ISA500 Series Integrated Security Appliance Administrator Guide 994 STEP 1 Click Networking -> Port -> Port-Based Access Control.The Port-Based Access Control window opens. STEP 2 Specify the RADIUS servers for authentication. The security appliance predefines three RADIUS groups. You can choose a predefined RADIUS group from the RADIUS Index drop-down list to authenticate the users on 802.1X-capable clients. The RADIUS server settings of the selected group are displayed. You can also edit the RADIUS server settings here but the settings that you specify will replace the default settings of the selected group. For more information, see Configuring the RADIUS Servers, page 319.STEP 3 To configure the access control settings for a physical port, click Edit in the Action column. The Port-Base Access Control window opens. STEP 4 Enter the following information:•Access Control: Check the box to enable 802.1X access control. This feature is not available for Trunk ports. •Authenticated VLAN: If you enable 802.1X access control, choose the authenticated VLAN to which this port is assigned. The users who authenticated successfully can access the authenticated VLAN through the port. If the authentication fails, block the access on the port. •Guest Authenticated: If you enable 802.1X access control, check the box to enable Guest Authentication. •Authenticated VLAN: If you enable Guest Authentication, choose the guest VLAN to be associated with the port. If the authentication fails, the port is assigned to the selected guest VLAN instead of shutting down. For 802.1X-incapable clients, the port is also assigned to the selected guest VLAN when Guest Authentication is enabled. STEP 5 You can perform other actions as follows: •Access Control: Check the box in this column to enable 802.1X access control, or uncheck the box to disable it. •Guest Authentication: After you enable 802.1X access control, check the box in this column to enable Guest Authentication, or uncheck the box to disable it.

NetworkingPort ManagementCisco ISA500 Series Integrated Security Appliance Administrator Guide 1004 •Forced Authentication: Disables 802.1X access control and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1X-based authentication of the client. •Forced Unauthentication: Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The security appliance cannot provide authentication services to the client through the port. •Auto: Enables 802.1X access control and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up, or when an EAPOL-start frame is received. The security appliance requests the identity of the client and begins relaying authentication messages between the client and the authentication server. Each client attempting to access the network is uniquely identified by the security appliance by using the client's MAC address. STEP 6 Click Save to apply your settings.Configuring the Port MirroringPort Mirroring allows the traffic on one port to be visible on other ports. This feature is useful for debugging or traffic monitoring. NOTE The dedicated WAN port (GE1 ) can not be set as a destination or monitored port.STEP 1 Click Networking -> Port -> Port Mirroring.The Port Mirroring window opens.STEP 2 Click On to enable port mirroring, or click Off to disable it. STEP 3 If you enable port mirroring, enter the following information:•TX Destination: Choose the port that monitors the tranmitted traffic for other ports.

NetworkingConfiguring the WANCisco ISA500 Series Integrated Security Appliance Administrator Guide 1014 •TX Monitored Ports: Check the boxes of the ports that are monitored. The port that you set as a TX Destination port cannot be selected as a monitored port. •RX Destination: Choose the port that monitors the received traffic for other ports.•RX Monitored Ports: Check the boxes of the ports that are monitored. The port that you set as a RX Destination port cannot be selected as a monitored port. STEP 4 Click Save to apply your settings.Configuring the WANBy default, the security appliance is configured to receive a public IP address from your ISP automatically through DHCP. Depending on the requirements of your ISP, you may need to modify the WAN settings to ensure Internet connectivity. This section describes how to configure the WAN connections by using the account information provided by your ISP. It includes the following sections:•Configuring the Primary WAN, page 101•Configuring the Secondary WAN, page 104•Configuring the Network Addressing Mode, page 106•Configuring the PPPoE Profiles, page 111Configuring the Primary WANSTEP 1 Click Networking -> WAN. The WAN window opens. STEP 2 To edit the settings of the primary WAN, click Edit. After you click Edit, the WAN - Add/Edit window opens. STEP 3 In the IPv4 tab, enter the following information: •Physical Port: The physical port associated with the primary WAN.

NetworkingConfiguring the WANCisco ISA500 Series Integrated Security Appliance Administrator Guide 1024 •WAN Name: The name of the primary WAN (WAN1). •IP Address Assignment: Choose the network addressing mode for the primary WAN depending on the requirements of your ISP. The security appliance supports DHCPC, Static IP, PPPoE, PPTP, and L2TP. For complete details to configure the network addressing mode, see Configuring the Network Addressing Mode, page 106. •DNS Server Source: DNS servers map Internet domain names (example: www.cisco.com) to IP addresses. You can get DNS server addresses automatically from your ISP or use ISP-specified addresses. -Get Dynamically from ISP: Choose this option if you have not been assigned a static DNS IP address.-Use These DNS Servers: Choose this option if your ISP assigned a static DNS IP address. Also enter the addresses for the DNS1 and DNS2 fields.•MAC Address Source: Specify the MAC address for the primary WAN. Typically, you can use the unique 48-bit local Ethernet address of the security appliance as your MAC address source.-Use Default MAC Address: Choose this option to use the default MAC address. -Use the Following MAC Address: If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP, choose this option and enter the MAC address that your ISP requires for this connection. •MAC Address: Enter the MAC Address in the format xx:xx:xx:xx:xx:xx where x is a number from 0 to 9 (inclusive) or an alphabetical letter between A and F (inclusive), for example, 01:23:45:67:89:ab.•Zone: The primary WAN must be mapped to an untrusted zone. The WAN zone is the default unstrusted zone. Click Create Zone to create other untrusted zones. See Configuring the Zones, page 127. STEP 4 In the IPv6 tab, specify the IPv6 addressing if you enable the IPv4/IPv6 mode. •IP Address Assignment: Choose Static IP if your ISP assigned a fixed (static or permanent) IP address. If you were not assigned a static IP address, choose SLAAC. By default, your security appliance is configured to be a DHCPv6 client of the ISP, with stateless address auto-configuration (SLAAC).

NetworkingConfiguring the WANCisco ISA500 Series Integrated Security Appliance Administrator Guide 1044 Configuring the Secondary WANA secondary WAN is required to set up two ISP links for your network. You can use one link as the primary link and another link for backup purposes, or you can configure the load balancing to use both links simultaneously. STEP 1 Click Networking -> WAN. The WAN window opens. STEP 2 To add the secondary WAN, click Add. After you click Add, the WAN - Add/Edit window opens. STEP 3 In the IPv4 tab, enter the following information: •Physical Port: Choose a configurable port for the secondary WAN. The selected configurable port is set to a WAN port. Up to two WAN interfaces can be configured for the security appliance, which means that only one configurable port can be set as a WAN port. •WAN Name: The name of the secondary WAN (WAN2).•IP Address Assignment: Choose the network addressing mode for the secondary WAN depending on the requirements of your ISP. For complete details, see Configuring the Network Addressing Mode, page 106. •DNS Server Source: DNS servers map Internet domain names (example: www.cisco.com) to IP addresses. You can get DNS server addresses automatically from your ISP or use ISP-specified addresses. -Get Dynamically from ISP: Choose this option if you have not been assigned a static DNS IP address.-Use These DNS Servers: Choose this option if your ISP assigned a static DNS IP address. Also enter the addresses for the DNS1 and DNS2 fields.•MAC Address Source: Specify the MAC address for the secondary WAN. Typically, you can use the unique 48-bit local Ethernet address of the security appliance as your MAC address source. -Use Default MAC Address: Choose this option to use the default MAC address-Use the Following MAC Address: If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP, choose this option and enter the MAC address that your ISP requires for this connection.

NetworkingConfiguring the WANCisco ISA500 Series Integrated Security Appliance Administrator Guide 1054 •MAC Address: Enter the MAC address in the format xx:xx:xx:xx:xx:xx where x is a number from 0 to 9 (inclusive) or an alphabetical letter between A and F (inclusive), for example, 01:23:45:67:89:ab.•Zone: Maps the secondary WAN to an untrusted zone. The WAN zone is the default unstrusted zone. Click Create Zone to create other untrusted zones. See Configuring the Zones, page 127. STEP 4 In the IPv6 tab, specify the IPv6 addressing settings for the secondary WAN connection if you enable the IPv4/IPv6 mode. •IP Address Assignment: Choose Static IP if your ISP assigned a fixed (static or permanent) IP address. If you were not assigned a static IP address, choose SLAAC. -SLAAC: If you choose SLAAC, the security appliance can generate its own addresses using a combination of locally available information and information advertised by routers.-Static IP: If your ISP assigned a static IPv6 address, configure the IPv6 WAN connection in the following fields: IPv6 Address: Enter the static IP address that was provided by your ISP. IPv6 Prefix Length: The IPv6 network (subnet) is identified by the initial bits of the address called the prefix. All hosts in the network have the identical initial bits for their IPv6 address. Enter the number of common initial bits in the network’s addresses. The default prefix length is 64. Default IPv6 Gateway: Enter the IPv6 address of the gateway for your ISP. This is usually provided by the ISP or your network administrator.Primary DNS Server: Enter a valid IP address of the primary DNS Server.Secondary DNS Server (Optional): Optionally, enter a valid IP address of the secondary DNS Server. STEP 5 Click OK to save your settings.STEP 6 Click Save to apply your settings.

NetworkingConfiguring the WANCisco ISA500 Series Integrated Security Appliance Administrator Guide 1064 Configuring the Network Addressing ModeThe security appliance supports five types of network addressing modes. Specify the network addressing mode for the primary WAN and the secondary WAN depending on your ISP requirements. Network Addressing ModeConfigurationsDHCPC DHCP is the default settting. If you use DHCP, the WAN port will be the DHCP client and get the IP address from your ISP or the peer router. Choose DHCP for most of Internet service providers that use the cable modem.Choose this option if your ISP automatically assigns you a dynamic IP address, and enter the following information: •MTU: The Maximum Transmission Unit is the size, in bytes, of the largest packet that can be passed on. Choose Auto to use the default MTU size, or choose Manual if you want to specify another size.•MTU Value: If you choose Manual, enter the custom MTU size in bytes. NOTE Unless a change is required by your ISP, it is recommended that the MTU values be left as is.

NetworkingConfiguring the WANCisco ISA500 Series Integrated Security Appliance Administrator Guide 1074 Static IP Choose this option if your ISP assigns you a specific IP address or a group of addresses. Use the corresponding information from your ISP to complete the following fields: •IP Address: Enter the IP address of the WAN port that can be accessable from the Internet. •Netmask: Enter the IP address of the subnet mask. •Gateway: Enter the IP address of default gateway. •DNS0: Enter the IP address of the primary DNS server. •DNS1: Enter the IP address of the secondary DNS server. •MTU: The Maximum Transmission Unit is the size, in bytes, of the largest packet that can be passed on. Choose Auto to use the default MTU size, or choose Manual if you want to specify another size.•MTU Value: If you choose Manual, enter the custom MTU size in bytes. NOTE Unless a change is required by your ISP, it is recommended that the MTU values be left as is.Network Addressing ModeConfigurations

NetworkingConfiguring the WANCisco ISA500 Series Integrated Security Appliance Administrator Guide 1094 PPTP The PPTP protocol is typically used for VPN connection. Use the necessary information from your ISP to complete the PPTP configurations: •IP Address: Enter the IP address of the WAN port that can be accessable from the Internet. •Netmask: Enter the IP address of the subnet mask. •Gateway: Enter the IP address of default gateway. •User Name/Password: Enter the user name and password that are required to log into the PPTP server.•PPTP Server IP Address: Enter the IP address of the PPTP server. •MPPE Encryption: Microsoft Point-to-Point Encryption (MPPE) encrypts data in PPP-based dial-up connections or PPTP VPN connections. Check the box to enable the MPPE encryption to provide data security for the PPTP connection that is between the VPN client and VPN server. •Connect Idle Time: Choose this option to let the security appliance disconnect from the Internet after a specified period of inactivity (Idle Time). This choice is recommended if your ISP fees are based on the time that you spend online.•Keep Live: Choose this option to keep the connection always on, regardless of the level of activity. This choice is recommended if you pay a flat fee for your Internet service.•MTU: Choose Auto to use the default MTU size, or choose Manual if you want to specify another size.•MTU Value: If you choose Manual, enter the custom MTU size in bytes. NOTE Unless a change is required by your ISP, it is recommended that the MTU values be left as is.Network Addressing ModeConfigurations

NetworkingConfiguring the WANCisco ISA500 Series Integrated Security Appliance Administrator Guide 1104 L2TP Choose this option if you want to use IPSec to connect a L2TP (Layer 2 Tunneling Protocol) server and encrypt all data transmitted from the client to the server. However, it does not encrypt network traffic to other destinations. Use the necessary information from your ISP to complete the L2TP configurations: •IP Address: Enter the IP address of the WAN port that can be accessable from the Internet. •Netmask: Enter the IP address of the subnet mask. •Gateway: Enter the IP address of default gateway. •User Name/Password: Enter the user name and password that are required to log into the L2TP server.•L2TP Server IP Address: Enter the IP address of the L2TP server. •Secret (Optional): L2TP incorporates a simple, optional, CHAP-like tunnel authentication system during control connection establishment. Enter the secret for tunnel authentication if necessary. •Connect Idle Time: Choose this option to let the security appliance disconnect from the Internet after a specified period of inactivity (Idle Time). This choice is recommended if your ISP fees are based on the time that you spend online.•Keep Live: Choose this option to keep the connection always on, regardless of the level of activity. This choice is recommended if you pay a flat fee for your Internet service.•MTU: Choose Auto to use the default MTU size, or choose Manual if you want to specify another size.•MTU Value: If you choose Manual, enter the custom MTU size in bytes. NOTE Unless a change is required by your ISP, it is recommended that the MTU values be left as is.Network Addressing ModeConfigurations

NetworkingConfiguring the WAN RedundancyCisco ISA500 Series Integrated Security Appliance Administrator Guide 1124 -MS-CHAPv2: MS-CHAPv2 provides mutual authentication between peers by piggybacking a peer challenge on the Response packet and an authenticator response on the Success packet.•Keep Live: Keeps the connection always on, regardless of the level of activity. This option is recommended if you pay a flat fee for your Internet service.•Max Idle Time: Lets the security appliance disconnect from the Internet after a specified period of inactivity (Idle Time). If you choose this option, enter the value in minutes in the Maximum Idle Time field. This option is recommended if your ISP fees are based on the time that you spend online.•MTU: The Maximum Transmission Unit (MTU) is the size, in bytes, of the largest packet that can be passed on. Choose Auto to use the default MTU size, or choose Manual if you want to specify another size. •MTU Size: If you choose Manual, enter the custom MTU size in bytes. NOTE For PPPoE connections, the default MTU size is 1492 bytes. Unless a change is required by your ISP, it is recommended that the MTU values be left as is.STEP 4 Click OK to save your settings.STEP 5 Click Save to apply your settings.Configuring the WAN RedundancyIf you have two ISP links, one for WAN1 and another for WAN2, you can configure the WAN redundancy to determine how the two ISP links are used. NOTE Before you configure the WAN redundancy, you must configure the secondary WAN connection. See Configuring the Secondary WAN, page 104.

NetworkingConfiguring the WAN RedundancyCisco ISA500 Series Integrated Security Appliance Administrator Guide 1134 NOTE When the security appliance is working in Dual WAN mode, if one WAN link is down, the WAN redundancy and Policy-based Routing settings are ignored and all traffic is handled by the active WAN port. This section describes how to configure the WAN redundancy and the link failover detection settings. It includes the following topics: •Loading Balancing for WAN Redundancy, page 113•Load Balancing with Policy-based Routing Configuration Example, page 115•Failover for WAN Redundancy, page 116•Routing Table for WAN Redundancy, page 117•Configuring the Link Failover Detection, page 117Loading Balancing for WAN RedundancyThe Load Balancing can segregate traffic between links that are not of the same speed. For example, you can bind the high-volume services through the port that is connected to a high speed link, and bind the low-volume services to the port that is connected to the slower link. The Load Balancing is implemented for outgoing traffic and not for incoming traffic. To maintain better control of WAN port traffic, consider making the WAN port Internet address public and keeping the other one private. Figure?2 shows an example of Dual WAN configured with the Load Balancing.Figure 2 Example of Dual WAN Ports with Load BalancingISA500yourcompany2.dyndns.orgyourcompany1.dyndns.orgInternetDual WAN Ports (Load Balancing)WAN2 IPWAN1 IP197402

NetworkingConfiguring the WAN RedundancyCisco ISA500 Series Integrated Security Appliance Administrator Guide 1144 NOTE To configure the Loading Balancing, make sure that you configure both WAN ports to Keep Live. If the WAN port is configured to time out after a specified period of inactivity, then the Loading Balancing is not applicable.STEP 1 Click Networking -> WAN Redundancy -> WAN Redundancy Operation Configuration.The WAN Redundancy Operation Configuration opens. STEP 2 Use the Load Balancing mode if you want to use both ISP links simultaneously. The two links will carry data for the protocols that are bound to them. Enter the following information: •Equal Load Balancing (Round Robin): Re-orders the WAN interfaces for Round Robin selection. The order is as follows: WAN1 and WAN2. The Round Robin will then repeat back to WAN1 and continue the order. This is the default setting.•Weighted Load Balancing: Distributes the bandwidth to two WAN ports by the weighted percange or by the weighted link bandwidth. If you choose this mode, choose one of the following options and finish the setting: -Weighted By Percentage: Allows you to set the percentage for each WAN, such as 80% percentage bandwidth for WAN1 and lest 20% percentage bandwidth for WAN2. -Weighted By Link Bandwidth: Allows you to set the rate limiting for each WAN, such as 10 Mbps for WAN1 and 5 Mbps for WAN2. STEP 3 If you choose Load Balancing as the WAN redundancy operation mode, you can optionally enable the Policy-based Routing (PBR) settings to determine how the traffic is balanced between the two ISP links. The PBR settings specify the internal IP and/or service going through a specified WAN port to provide more flexbile and granular traffic handling capabilities. •Policy Based Routing Enable: Click On to enable the PBR settings, or click Off to disable it. To configure the PBR settings, click Configure PBR.NOTE If you enable PBR, the PBR settings will be applied first and then the load balancing settings next.

NetworkingConfiguring the WAN RedundancyCisco ISA500 Series Integrated Security Appliance Administrator Guide 1154 STEP 4 Click Save to apply your settings.STEP 5 To check the connection of both links at regular intervals after you enable the Load Balancing mode, you first need to enable the Link Failover Detection feature. To configure the Link Failover Detection settings, go to the Networking -> Link Failover Detection Settings page. See Configuring the Link Failover Detection, page 117. Load Balancing with Policy-based Routing Configuration ExampleUse Cases: The customer has two lines, one is a cable link and another is a DSL link. The majority of trafffic goes through the cable link since it has larger bandwidth, and the rest traffic goes through the DSL link. As lots of secure websites (such as bank, or online shopping) are sensitive to flip flop the source IP address, let the traffic for https, ftp, video, and game go through the cable link. Configuration Tasks: •Configure a configurable port as the secondary WAN port (WAN2). See Configuring the Secondary WAN, page 104. •Connect the cable modem to the primary WAN port (WAN1), and connect the DSL modem to the secondary WAN port (WAN2). •Enable the Weighted Load Balancing mode, and set the weighted value of WAN1 to 80% and the weighted value of WAN2 to 20%. See Loading Balancing for WAN Redundancy, page 113. •Enable the Policy-based Routing (PBR) feature, and configure PBR rules so that the traffic for https, ftp, video, and game is directed to the WAN1 port. See Configuring Policy-based Routing Settings, page 134. •Enable the IP Bandwidth, Service Bandwidth, and WAN Bandwidth reports so that you can check the WAN bandwidth usage by IP address, service, and time. See Reports, page 85.

NetworkingConfiguring the WAN RedundancyCisco ISA500 Series Integrated Security Appliance Administrator Guide 1164 Failover for WAN RedundancyUse the Failover mode when you want to use one ISP link as a backup. If a failure is detected on the primary link, then the security appliance directs all Internet traffic to the backup link. When the primary link regains connectivity, all Internet traffic is directed to the primary link and the backup link becomes idle. By default, the primary WAN is set as the primary link and the secondary WAN is set to the backup link. NOTE When the security appliance is working in the Failover mode, the Policy-based Routing settings will be ignored.Figure?3 shows an example of Dual WAN configured with Failover.Figure 3 Example Dual WAN Ports with Failover STEP 1 Click Networking -> WAN Redundancy -> WAN Redundancy Operation Configuration.The WAN Redundancy Operation Configuration opens. STEP 2 Choose Failover if you want to use one ISP link as a backup and enter the following information:•Auto Failover to: Choose either WAN1 or WAN2 as the primary link. By default, WAN1 is set as the primary link and WAN2 is set as the backup link. You can also set WAN2 as the primary link. •Preempt Delay Timer: Enter the time in seconds that the system will preempt the primary link from the backup link when the primary link is up again. The default is 5 seconds.STEP 3 Click Save to apply your settings.ISA500yourcompany.dyndns.orgXXWAN2 port inactiveWAN2 IP (N/A)InternetDual WAN Ports (Before Rollover)ISA500yourcompany.dyndns.orgXXWAN1 IP (N/A)WAN1 port inactiveInternetDual WAN Ports (After Rollover)WAN1 IPWAN2 IP197401

NetworkingConfiguring the WAN RedundancyCisco ISA500 Series Integrated Security Appliance Administrator Guide 1174 STEP 4 To check the connection of both links at regular intervals after you enable the Failover mode, you first need to enable the Link Failover Detection feature. To configure the Link Failover Detection settings, go to the Networking -> Link Failover Detection Settings page. See Configuring the Link Failover Detection, page 117. Routing Table for WAN RedundancyThe Routing Table feature allows the traffic to meet the static routing policies you defined on your security appliance to pass through different WAN interfaces. You need to add default routing policies that forward the traffic to the primary WAN. The traffic for other static routings are forwarded to the secondary WAN. For more inforamtion to configure the static routing policies, see Configuring the Static Routing, page 132. NOTE The Link Failover Detection settings will be ignored if you enable the Routing Table feature.Configuring the Link Failover DetectionThe Link Failover Detection feature detects the link failure. If a failure occurs, traffic for the unavailable link is diverted to the active link.NOTE The Link Failover Detection settings are only available when the WAN redundancy is set to Load Balancing or Failover. STEP 1 Click Networking -> WAN Redundancy -> Link Failover Detection Settings.The Link Failover Detection Settings window opens. STEP 2 Enter the following information:•Failover Detection: Click On to enable the Link Failover Detection feature, or click Off to disable it.

NetworkingConfiguring the VLANCisco ISA500 Series Integrated Security Appliance Administrator Guide 1184 •Retry Count: Enter the number of retries. The security appliance repeatedly tries to connect to the ISP after the link failure is detected. The default is 5.•Retry Timeout: If the connection to the ISP is down, the security appliance tries to connect to the ISP after a specified timeout. Enter the timeout in seconds to re-connect to the ISP. The default is 5 seconds. •Ping Detection: Choose this option to detect the WAN failure by pinging the IP address that you specify in the following fields: -Ping using WAN Default Gateway: Ping the IP address of the WAN default gateway. If the default WAN gateway can be detected, the network connection is active. -Ping using these Hosts: Ping the specified remote hosts. Enter the IP addresses in the Primary WAN Remote Host and Secondary WAN Remote Host fields. In Failover mode, if the primary WAN remote host can be detected, the network connection is active. In Load Balancing mode, if the primary WAN and secondary WAN remote hosts can be detected, the WAN connection is active. •DNS Detection: Choose this option to detect the WAN failure by looking up the DNS servers that you specify in the following fields: -DNS Lookup using WAN DNS Servers: The security appliance sends the DNS query for www.cisco.com to the default WAN DNS server. If the DNS server can be detected, the network connection is active. -DNS Lookup using these DNS Servers: The security appliance sends the DNS query for www.cisco.com to the specified DNS servers. Enter the IP addresses in the Primary WAN DNS Server and Secondary WAN DNS Server fields. If the primary or secondary DNS server can be detected, the network connection is active. STEP 3 Click Save to apply your settings.Configuring the VLANThe Virtual LANs (VLANs) allow you to segregate the network into LANs that are isolated from one another. Any PC that is connected to the specified LAN port is on a separate VLAN and cannot access other VLANs. You can add up to 16 VLANs.

NetworkingConfiguring the VLANCisco ISA500 Series Integrated Security Appliance Administrator Guide 1194 This section describes how to configure the VLANs. It includes the following topics:•Configuring the VLANs, page 119•Configuring DHCP Reserved IPs, page 122Configuring the VLANsThe security appliance predefines a native VLAN (DEFAULT) and a guest VLAN (GUEST). You can change the settings for the predefined VLANs, or add new VLANs, for up to a total of 16 VLANs. Any PC that is connected to the specified LAN port is on a separate VLAN and cannot access other VLANs.STEP 1 Click Networking -> VLAN.The VLAN window opens.STEP 2 To add a new VLAN, click Add. Other options: To edit an entry, click Edit. To delete an entry, click Delete. The default VLANs can not be deleted. After you click Add or Edit, the VLAN - Add/Edit window opens.STEP 3 In the Basic Setting tab, enter the following information:•Name: Enter a descriptive name for the VLAN.•VID: Enter an unique identification number for the VLAN, which can be any number from 3 to 4089. The VLAN ID 1 is reserved for the DEFAULT VLAN and the VLAN ID 2 is reserved for the GUEST VLAN. •IP: Enter the subnet IP address for the VLAN. •Netmask: Enter the subnet mask for the VLAN. •Spanning Tree: Check the box to enable the Spanning Tree feature to determine if there are loops in the network topology. The Spanning Tree Protocol (STP) is a link layer network protocol that ensures a loop-free topology for any bridged LAN. The STP is used to prevent bridge loops and to ensure broadcast radiation.•Port: Assigns the LAN ports to the VLAN. The traffic through the selected LAN ports is directed to the VLAN. All available ports including the dedicated LAN ports and configurable ports appear in the Port list.

NetworkingConfiguring the VLANCisco ISA500 Series Integrated Security Appliance Administrator Guide 1204 Choose the ports from the Port list and click ->Access to add them to the Member list and set the selected ports as Access mode. All packets going into and out of the Access ports are untagged. Access mode is recommended if the port is connected to a single end-user device which is VLAN unaware. Alternatively, you can choose the ports from the Port list and click ->Trunk to add them to the Member list and set the selected ports as Trunk mode. All packets going into and out of the Trunk port are tagged. Untagged data coming into the port is not forwarded. Trunk mode is recommended if the port is connected to a VLAN-aware switch or router.NOTE This setting will change the port type and access mode of the selected physical ports. For example, choose a port that was set as a DMZ port and add it to the Member list. The DMZ port will be changed to a LAN port. Changing the port type will wipe out all configurations relative to the physical port. •Zone: Choose the zone to which the VLAN is mapped. By default, the DEFAULT VLAN is mapped to the LAN zone and the GUEST VLAN is mapped to the GUEST zone. STEP 4 In the DHCP Pool Settings tab, choose the DHCP mode from the DHCP Server drop-down list. •Disable: Choose this option if the computers on the VLAN are configured with static IP addresses or are configured to use another DHCP server. •DHCP Server: Allows the security appliance to act as a DHCP server and assigns IP addresses to all devices that are connected to the VLAN. Any new DHCP client joining the VLAN is assigned an IP address of the DHCP pool. •DHCP Relay: Allows the security appliance to use a DHCP Relay. If you choose DHCP Relay, enter the IP address of the remote DHCP server in the Relay IP field. STEP 5 If you choose DHCP Server as the DHCP mode, enter the following information: •Start IP: Enter the first IP address in the DHCP range. •End IP: Enter the last IP address in the DHCP range. Any new DHCP client joining the VLAN is assigned an IP address between the Start IP address and End IP address.

NetworkingConfiguring the VLANCisco ISA500 Series Integrated Security Appliance Administrator Guide 1214 NOTE The Start and End IP addresses must be in the same subnet with the VLAN IP address.•Lease Time: Enter the maximum connection time that a dynamic IP address is “leased” to a network user. When the time elapses, the user will be automatically renewed the dynamic IP address. •DNS 1: Enter the IP address of the primary DNS server. •DNS 2: Optionally, enter the IP address of the secondary DNS server. •WINS 1: Enter the IP address for the primary WINS server.•WINS 2: Optionally, enter the IP address of the secondary WINS server. •Domain Name: Optionally, enter the domain name for the VLAN•Optional 66: Only supports the IP address or host name of a single TFTP server. Enter the IP address of the single TFTP server for the VLAN.•Optional 67: Enter the boot file name or configuration file name on the specified TFTP server. •Optional 150: Supports a list of TFTP servers (2 TFTP servers). Enter the IP addresses of TFTP servers. Separate multiple entries with commas (,).NOTE Enterprises with small branch offices that implement a Cisco IP Telephony Voice over IP solution typically implement Cisco CallManager at a central office to control Cisco IP Phones at small branch offices. This implementation allows centralized call processing, reduces the equipment required, and eliminates the administration of additional Cisco CallManager and other servers at branch offices. Cisco IP Phones download their configuration from a TFTP server. When a Cisco IP Phone starts, if it does not have both the IP address and TFTP server IP address pre-configured, it sends a request with option 150 or 66 to the DHCP server to obtain this information. STEP 6 In the IPv6 Setting tab, specify the IPv6 addressing for the VLAN if you enable the IIPv4/Pv6 mode. •IPv6 Address: Enter the IPv6 address based on your network requirements.

NetworkingConfiguring the VLANCisco ISA500 Series Integrated Security Appliance Administrator Guide 1224 •IPv6 Prefix Length: Enter the number of characters in the IPv6 prefix. The IPv6 network (subnet) is identified by the prefix, which consists of the initial bits of the address. The default prefix length is 64 bits. All hosts in the network have the identical initial bits for the IPv6 address. The number of common initial bits in the addresses is set by the prefix length field.STEP 7 Click OK to save your settings.STEP 8 Click Save to apply your settings.Configuring DHCP Reserved IPsEven when the security appliance is configured to act as a DHCP server, you can reserve certain IP addresses to always be assigned to specified devices. Use the Static IP Reservations page to bind the MAC address of the device with the desired IP address. Whenever the DHCP server receives a request from a device, the hardware address is compared with the database. If the device is found, then the reserved IP address is used. Otherwise, an IP address is assigned automatically from the DHCP pool.STEP 1 Click Networking -> Static IP Reservations.The Static IP Reservations window opens. STEP 2 To add a new reserved IP, click Add.Other Options: To edit an entry, click Edit. To delete an entry, click Delete. After you click Add or Edit, the Static IP Reservations - Add/Edit window opens.STEP 3 Enter the following information:•Name: Enter the name for the static IP reservation rule. •MAC Address: Enter the MAC address of the host under a VLAN. •IP Address: Enter the IP address within the VLAN’s DHCP pool that is assigned to the host. STEP 4 Click OK to save your settings.STEP 5 Click Save to apply your settings.

NetworkingConfiguring the DMZCisco ISA500 Series Integrated Security Appliance Administrator Guide 1234 Configuring the DMZA DMZ (Demarcation Zone or Demilitarized Zone) is a subnetwork that is behind the firewall but that is open to the public. By placing your public services on a DMZ, you can add an additional layer of security to the LAN. The public can connect to the services on the DMZ but cannot penetrate the LAN. You should configure your DMZ to include any hosts that must be exposed to the WAN (such as web or email servers).The DMZ configuration is identical to the VLAN configuration. There are no restrictions on the IP address or subnet assigned to the DMZ port, except it cannot be identical to the IP address given to the predefined VLANs. Figure 4 Example DMZ with One Public IP Address for WAN and DMZ235140www.example.comInternetPublic IP Address209.165.200.225ISA500User192.168.75.10LAN Interface192.168.75.1DMZ Interface172.16.2.1Web ServerPrivate IP Address: 172.16.2.30Public IP Address: 209.165.200.225User192.168.75.11Source Address Translation209.165.200.225 172.16.2.30

NetworkingConfiguring the DMZCisco ISA500 Series Integrated Security Appliance Administrator Guide 1244 In this scenario, the business has one public IP address, 209.165.200.225, which is used for both the security appliance’s public IP address and the web server’s public IP address. The administrator configures the configurable port to be used as a DMZ port. A firewall access rule allows inbound HTTP traffic to the web server at 172.16.2.30. Internet users enter the domain name that is associated with the IP address 209.165.200.225 and can then connect to the web server. The same IP address is used for the WAN interface.Figure 5 Example DMZ with Two Public IP AddressesIn this scenario, the ISP has supplied two static IP addresses: 209.165.200.225 and 209.165.200.226. The address 209.165.200.225 is used for the security appliance’s public IP address. The administrator configures the configurable port to be used as a DMZ port and created a firewall access rule to allow inbound User192.168.75.10235610www.example.comInternetPublic IP Addresses209.165.200.225 (router)209.165.200.226 (web server)LAN Interface192.168.75.1ISA500DMZ interface172.16.2.1Web ServerPrivate IP Address: 172.16.2.30Public IP Address: 209.165.200.226Source Address Translation209.165.200.226 172.16.2.30User192.168.75.11

NetworkingConfiguring the DMZCisco ISA500 Series Integrated Security Appliance Administrator Guide 1254 HTTP traffic to the web server at 172.16.2.30. The firewall rule specifies an external IP address of 209.165.200.226. Internet users enter the domain name that is associated with the IP address 209.165.200.226 and can then connect to the web server.STEP 1 Click Networking -> DMZ.The DMZ window opens.STEP 2 To add a DMZ, click Add. Other options: To edit an entry, click Edit. To delete an entry, click Delete. After you click Add or Edit, the DMZ - Add/Edit window opens.STEP 3 In the Basic Setting tab, enter the following information:•Name: Enter the name for the DMZ.•IP Address: Enter the subnet IP address for the DMZ. •Netmask: Enter the subnet mask for the DMZ.•Spanning Tree: Check the box to enable the Spanning Tree feature to determine if there are loops in the network topology. •Port: Specify a configurable port as a DMZ port. The traffic through the DMZ port is directed to the DMZ. All available configurable ports appears in the Port list, choose a port and click ->Access to add it to the Member list. The selected configurable port will be set to a DMZ port with Access mode. All data going into and out of the Access port is untagged. NOTE This setting will change the port type and access mode of the selected configurable port. Changing the port type will wipe out all configurations relative to the physical port. NOTE Up to five DMZ interfaces can be configured for ISA570 and ISA570W. Up to four DMZ interfaces can be configured for ISA550 and ISA550W. •Zone: Choose the default or custom DMZ zone to which the DMZ is mapped.

NetworkingConfiguring the DMZCisco ISA500 Series Integrated Security Appliance Administrator Guide 1264 STEP 4 In the DHCP Pool Settings tab, choose the DHCP mode from the DHCP Server drop-down list. •Disable: Choose this option if the computers on the DMZ are configured with static IP addresses or are configured to use another DHCP server. •DHCP Server: Allows the security appliance to act as a DHCP server and assigns IP addresses to all devices that are connected to the DMZ. Any new DHCP client joining the DMZ is assigned an IP address of the DHCP pool. •DHCP Relay: Allows the security appliance to use a DHCP Relay. If you choose DHCP Relay, enter the IP address of the remote DHCP server in the Relay IP field.STEP 5 If you choose DHCP Server as the DHCP mode, enter the following information: •Start IP: Enter the first IP address in the DHCP range. •End IP: Enter the last IP address in the DHCP range. Any new DHCP client joining the DMZ is assigned an IP address between the Start IP address and the End IP address.NOTE The Start and End IP addresses must be in the same subnet with the DMZ’s subnet IP address .•Lease Time: Enter the maximum connection time that a dynamic IP address is “leased” to a network user. When the time elapses, the user will be automatically renewed the dynamic IP address. •DNS 1: Enter the IP address of the primary DNS server. •DNS 2: Enter the IP address of the secondary DNS server. •WINS 1: Enter the IP address for the primary WINS server.•WINS 2: Enter the IP address of the secondary WINS server. •Domain Name: Enter the domain name for the DMZ.•Default Gateway: Enter the IP address of default gateway. STEP 6 In the IPv6 Setting tab, specify the IPv6 addressing for the DMZ if you enable the IPv4/IPv6 mode. •IPv6 Address: Enter the IPv6 address based on your network requirements. •IPv6 Prefix Length: Enter the number of characters in the IPv6 prefix.

NetworkingConfiguring the ZonesCisco ISA500 Series Integrated Security Appliance Administrator Guide 1274 The IPv6 network (subnet) is identified by the prefix, which consists of the initial bits of the address. The default prefix length is 64 bits. All hosts in the network have the identical initial bits for the IPv16 address. The number of common initial bits in the addresses is set by the prefix length field.STEP 7 Click OK to save your settings.STEP 8 Click Save to apply your settings.NOTE Next steps:•After you configure the DMZ, connect the local server that you want to public to Internet to the specified DMZ port, and then configure a port forwarding rule or an advanced NAT rule to specify the public IP address of the server (see Configuring Port Forwarding Rules, page 195 or Configuring Advanced NAT Rules, page 197), and create a firewall access rule to allow the inbound access to the server (see Configuring a Firewall Access Rule, page 183). •If you want to reserve certain IP addresses for specified devices, go to the Networking -> Static IP Reservations page. See Configuring DHCP Reserved IPs, page 122. You must enable DCHP Server mode or DHCP Relay mode for this purpose. Configuring the ZonesA zone is a group of interfaces to which a security policy can be applied. The interfaces in a zone share common functions or features. The interfaces are IP-based interfaces (VLANs, WAN1, WAN2, and so forth). Each interface can only join one zone, but each zone with specific security level can have multiple interfaces. This section describes the security level definition for zones, the predefined zones, and how to create new zones. It includes the following topics:•Security Levels for Zones, page 128•Predefined Zones, page 128•Configuring the Zones, page 129

NetworkingConfiguring the ZonesCisco ISA500 Series Integrated Security Appliance Administrator Guide 1284 NOTE We recommend that you configure the zones before configuring the WAN, VLAN, DMZ, and the security features such as zone-based firewall and UTM security services.Security Levels for ZonesThe security appliance supports five security levels for zones as described below. The greater value, the higher the permission level. The VPN and SSLVPN zones have the same security level. •Trusted (100): Offers the highest level of trust. The LAN zone is always trusted. •VPN (75): Used exclusively by the predefined VPN and SSLVPN zones. All traffic to and from a VPN zone is encrypted. •Public (50): Offers a higher level of trust than a Guest zone, but a lower level of trust than a VPN zone. The DMZ zone is a public zone. •Guest (25): Offers a higher level of trust than an untrusted zone, but a lower level of trust than a public zone. Guest zones can only be used for guest access. •Untrusted (0): Offers the lowest level of trust. It is used by both the WAN and the virtual multicast zones. You can map one or multiple WAN interfaces to an untrusted zone. Predefined ZonesThe security appliance predefines the following zones with different security levels: •WAN: The WAN zone is an untrusted zone. By default, the WAN1 interface is mapped to the WAN zone. If the secondary WAN (WAN2) is applicable, it can be mapped to the WAN zone or other untrusted zones. •LAN: The LAN zone is a trusted zone. You can map one or multiple VLANs to a trusted zone. By default, the DEFAULT VLAN is mapped to the LAN zone. •DMZ: The DMZ zone is a public zone used for accessible servers.

NetworkingConfiguring the ZonesCisco ISA500 Series Integrated Security Appliance Administrator Guide 1294 •SSLVPN: The SSLVPN zone is a virtual zone used for simplifying secure and remote SSL VPN connections. This zone does not have an assigned physical interface. •VPN: The VPN zone is a virtual zone used for simplifying secure IPSec VPN connections. This zone does not have an assigned physical interface. •GUEST: The GUEST zone can only be used for guest access. By default, the GUEST VLAN is mapped to this zone. •VOICE: The VOICE zone is a security zone designed for voice traffic. Traffic coming and outgoing from this zone will be optimized for voice operations. If you have voice devices, such as a Cisco IP Phone, it is desirable to place the devices into the VOICE zone. Configuring the ZonesYou can custom new zones for your specific business needs. STEP 1 Click Networking -> Zone.The Zone window opens. All predefined and custom zones are listed in the table. STEP 2 Click Reset Zone Configuration to restore your zone configurations to the factory default settings. All custom zones will be removed and the relevant settings to these custom zones will be cleaned up after you perform this operation. STEP 3 To add a new zone, click Add. Other options: To edit an entry, click Edit. To delete an entry, click Delete. To delete multiple entires, check the boxes of multiple entries and then click Delete Selection.NOTE All predefined zones (except for the VOICE zone) cannot be deleted. Only the associated interfaces and VLANs for the predefined zones can be edited. The VPN and SSLVPN zones cannot be edited. After you click Add or Edit, the Zone - Add/Edit window opens. STEP 4 Enter the following information: •Name: Enter the name for the zone. •Security Level: Specify the security level for the zone.

NetworkingConfiguring the RoutingCisco ISA500 Series Integrated Security Appliance Administrator Guide 1304 -For VLANs, all security levels are selectable. -For DMZs, choose Public (50). -For WAN interfaces, choose Untrusted (0).•Map VLANs to This Zone: Choose the existing VLANs or WAN interfaces from the Available VLANs list, and click the right arrow -> to add them to the Mapped to Zone list. You can create new VLANs by clicking Create VLAN. STEP 5 Click OK to save your settings.STEP 6 Click Save to apply your settings.NOTE Next Steps:•After you create a new zone, a certain of firewall access rules are automatically generated to permit or block the traffic from the new zone to any other zone or from any other zone to the new zone. The permit or block action is determined by the security level of the new zone. By default, the firewall prevents all inbound traffic and allows all outbound traffic. To customize firewall access rules for the new zone, go to the Firewall -> ACL Rules -> Rule page. For more information, see Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic, page 178. •Map the security services to zones. If you enabled the security services such as IPS and Anti-Virus on your security appliance, you need to map the security services to the zones. By default, the IPS and Anti-Virus services are mapped to the WAN zone. To specify the mapping relationships between the security services and zones, go to the Security Services pages. See Security Services, page 210. Configuring the RoutingUse the Routing pages to change the routing mode between WAN and LAN, view the routing table, configure the static routing, dynamic routing, and Policy-based Routing settings. It includes the following sections: •Configuring the Routing Mode, page 131

NetworkingConfiguring the RoutingCisco ISA500 Series Integrated Security Appliance Administrator Guide 1314 •Viewing the Routing Table, page 131•Configuring the Static Routing, page 132•Configuring the Dynamic Routing, page 133•Configuring Policy-based Routing Settings, page 134•Priority of Routing Rules, page 136Configuring the Routing ModeDepending on the requirements of your ISP, you can configure your security appliance to operate in NAT mode or Routing mode. By default, NAT mode is enabled. STEP 1 Click Networking -> Routing -> Routing.The Routing window opens.STEP 2 If your ISP assigns an IP address for each of the computers that you use, click On to enable the Routing mode. When you enable the Routing mode, the NAT settings are disabled. STEP 3 If you are sharing IP addresses across several devices such as your LAN and using other dedicated devices for the DMZ, click Off to disable the Routing mode. STEP 4 Click Save to apply your settings.Viewing the Routing TableSTEP 1 Click Networking -> Routing -> Routing Table.The Routing Table window opens. The Routing table displays the following routing information: •Destination Address: The IP address of the host or the network that the route leads to. •Netmask: The subnet mask of the destination network. •Gateway: The IP address of the gateway through which the destination host or network can be reached.

NetworkingConfiguring the RoutingCisco ISA500 Series Integrated Security Appliance Administrator Guide 1324 •Symbol: The routing status flags. •Metric: The cost of a route. Routing metrics are assigned to routes by routing protocols to provide measurable values that can be used to judge how useful (or how low cost) a route will be. •Interface: The physical network interface through which this route is accessible.STEP 2 Click Refresh to refresh the routing table.Configuring the Static RoutingTo configure static routes, specify the IP address and related information for the destination. You must also assign a priority, which determines the selected route when there are multiple routes travelling to the same destination.STEP 1 Click Networking -> Routing -> Static Routing.The Static Routing window opens.STEP 2 To add a static route, click Add. Other options: To edit an entry, click Edit. To delete an entry, click Delete. To delete multiple entries, check the boxes of multiple entries and click Delete Selection. After you click Add or Edit, the Static Routing - Add/Edit window opens.STEP 3 Enter the following information:•Destination Address: Choose an existing IP address object of the host or of the network that the route leads to. If the address object is not in the list, choose Create an IP Address/Network to create a new address object. To main the address objects, go to the Networking -> Address Object Management page. See Address Management, page 152. •Setting as Default Route: Check this box to set this static route as the default route. •Next Hop: Choose an interface or an IP address as the next hop for this static route.-Interface: Choose either WAN1 or WAN2 as the next hop.

NetworkingConfiguring the RoutingCisco ISA500 Series Integrated Security Appliance Administrator Guide 1334 -IP Address: Choose an IP address of the gateway through which the destination host or network can be reached. •Metric: If needed, enter a number to manage the route priority. If multiple routes to the same destination exist, the route with the lowest metric is selected. STEP 4 Click OK to save your settings.STEP 5 Click Save to apply your settings.Configuring the Dynamic RoutingDynamic Routing or RIP, is an Interior Gateway Protocol (IGP) that is commonly used in internal networks. It allows a router to exchange its routing information automatically with other routers, and allows it to dynamically adjust its routing tables and adapt to changes in the network.STEP 1 Click Networking -> Routing -> Dynamic-RIP.The Dynamic-RIP window opens.STEP 2 Enter the following information: •RIP Enable: Click On to enable RIP, or click Off to disable it. By default, RIP is disabled. •RIP Version: If you enable RIP, specify the RIP version. The security appliance supports RIPv1 and RIPv2. -RIPv1 is a class-based routing version that does not include subnet information. This is the most commonly supported version. -RIPv2 includes all the functionality of RIPv1 plus it supports subnet information. -Default: The data is sent in RIPv1 format and received in RIPv1 and RIPv2 format. This is the default setting. STEP 3 Specify the RIP setting for each available interface:•RIP Enable: Check this box to enable the RIP settings on the interface or VLAN.

NetworkingConfiguring the RoutingCisco ISA500 Series Integrated Security Appliance Administrator Guide 1344 •Port Passive: Determines how the security appliance receives RIP packets. Check this box to enable this feature on the interface or VLAN. •Authentication: If you are using RIPv2, click Edit to specify the authentication method for the interface or VLAN. -None: Choose this option to invalidate the authentication.-Simple Password Authentication: Choose this option to validate the simple password authentication. Enter the password in the field.-MD5 Authentication: Choose this option to validate the MD5 authentication. Enter the unique key ID in the MD5 Key ID field and the Key in the MD5 Auth Key field. STEP 4 Click Save to apply your settings.Configuring Policy-based Routing SettingsPolicy-based Routing (PBR) allows users to specify the internal IP and/or service going through a specified WAN port to provide more flexbile and granular traffic handling capabilities. This feature can be used to segregate traffic between links that are not of the same speed. High volume traffic can be routed through the port connected to a high speed link and low volume traffic can be routed through the port connected to the slow link.For example, although HTTP traffics is typically routed through WAN1, by using PBR you can bind the HTTP protocol to WAN1 and bind the FTP protocol to WAN2. In this case, the security appliance automatically channels FTP data through WAN2. NOTE Make sure that you configure a secondary WAN connection and that the WAN redundancy is set to the Load Balancing or Routing Table mode before you configure the policy-based routing settings. See Configuring the Secondary WAN, page 104 and Configuring the WAN Redundancy, page 112. NOTE The security appliance supports up to 100 PBR rules.

NetworkingConfiguring the RoutingCisco ISA500 Series Integrated Security Appliance Administrator Guide 1354 STEP 1 Click Networking -> Routing -> Policy Based Routing.The Policy-based Routing window opens. STEP 2 Click On to enable PBR, or click Off to disable it. STEP 3 To add a new PBR rule, click Add. Other options: To edit an entry, click Edit. To delete an entry, click Delete. The Policy-based Routing - Add/Edit window opens.STEP 4 Enter the following information; •From VLAN: Choose the VLAN for the outbound traffic.•Service: For service binding only, choose an existing service or choose Create New Service to create a new service. For IP binding only, choose All Traffic. •Source IP: For service binding only, choose Any. For IP binding only, choose an internal IP address that passes through the specific WAN port. •Dest IP: For service binding only, choose Any. For IP binding only, choose an IP address as the destination IP address of the outbound traffic. If the address object is not in the list, choose Create New Address to create a new address object. To main the address objects, go to the Networking -> Address Object Management page. See Address Management, page 152. •DCSP: Choose the DCSP remarking value to assign the traffic priority. •Route to: Choose the WAN interface that the outbound traffic passes through. •Failover: Click On to enable WAN Failover, or click Off to disable it. When the selected WAN interface for routing is down, enabling Failover will forward the traffic to the backup WAN. NOTE If one WAN connection is down (a connection failure is detected by ping the host or DNS server) and the PBR Failover is “Off”, the traffic will be dropped. STEP 5 Click OK to save your settings.

NetworkingDynamic DNSCisco ISA500 Series Integrated Security Appliance Administrator Guide 1364 STEP 6 Click Save to apply your settings.Priority of Routing RulesIf multiple routing features operate simultaneously, the security appliance first matches up with the Policy-based Routing rules, and then matches up with the Static Routing and default Routing rules.For example, if WAN redundancy is set to the Weighted Loading Balancing mode, and the PBR and Static Routing rules are configured, the routing priority works as follows:1. If all traffic cannot match up with the PBR or Static Routing rules, all traffic follows the Weighted Loading Balance settings. 2. If traffic A matches up with the PBR or Static Routing rules, traffic A will be firstly handled by the PBR or Static Routing rules, while other traffic follows the Weighted Loading Balance settings.Dynamic DNSDynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. If your ISP has not provided you with a static IP and your WAN connection is configured to use DHCP to obtain an IP address dynamically, then DDNS provides the domain name to map the dynamic IP address for your website. To use DDNS, you must set up an account with a DDNS provider such as DynDNS.com. STEP 1 Click Networking -> DDNS.The DDNS window opens. STEP 2 To add a new DDNS service, click Add. Other options: To edit an entry, click Edit. To delete an entry, click Delete. After you click Add or Edit, the Edit window opens.STEP 3 Enter the following information:•Service: Choose either DynDNS or No-IP service.

NetworkingDynamic DNSCisco ISA500 Series Integrated Security Appliance Administrator Guide 1374 -DynDNS.org: Dynamic Network Services provides world-class DNS hosting and management services, domain registration, email services, network monitoring by hostname or IP address, and web redirection.-No-IP.com: No-IP is a dynamic DNS provider (DDNS), both free and paid, backed by our industry proven network of highly available name servers.•Active on Startup: Check this box to activate the DDNS service when the security appliance starts up. •WAN Interface: Choose the WAN interface for the DDNS service. The traffic for DDNS services will pass through the specified WAN interface. NOTE If the WAN redundancy is set to the Failover mode, this option is grayed out. When WAN failover occurs, DDNS will switch the traffic to the active WAN interface.•User Name: Enter the user name of the account you registered in the DDNS provider. •Password: Enter the password of the account you registered in the DDNS provider.•Host and Domain Name: Specify the complete host name and domain name for the DDNS service. •Use wildcards: Check this box to allow all subdomains of your DDNS host name to share the same public IP address as the host name. •Update every 30 mins: Check this box to update the host information every 30 minutes.•Status: Displays the status of DDNS service. -Non-active: Indicates that the DDNS service is not active (daemon does not start).-Active(initial): Indicates that the DDNS daemon starts but the DDNS updating process is NOT complete yet.-Active(updated WANx): Indicates that the DDNS updating process is complete and the address of WANx is updated to the user-specified domain name.STEP 4 Click OK to save your settings.

NetworkingIGMPCisco ISA500 Series Integrated Security Appliance Administrator Guide 1384 STEP 5 Click Save to apply your settings.IGMPThe Internet Group Management Protocol (IGMP) is a communication protocol used by hosts and adjacent routers on IP networks to establish multicast group memberships. IGMP can be used for online streaming video and gaming, and allows more efficient use of resources when supporting these types of applications.The IGMP Proxy mechanism enables hosts that are not directly connected to a downstream router to join a multicast group sourced from an upstream network. IGMP snooping constrains IPv4 multicast traffic at Layer 2 by configuring Layer 2 LAN ports dynamically to forward IPv4 multicast traffic only to those ports that want to receive it. The IGMP snooping is based on the IGMP version 3 that is backward compatible with the previous versions. NOTE By default, the multicast traffic from Any zone to Any zone is blocked by the default firewall access rules. When you enable IGMP Proxy and want to receive the multicast packets from WAN to LAN, you need to uncheck the Block Multicast Packets box in the Firewall -> Attack Protection page, and create a firewall access rule to permit the multicast traffic from WAN to LAN. For more information, see Configuring a Firewall Access Rule to Allow the Multicast Traffic, page 185.STEP 1 Click Networking -> IGMP.The IGMP window opens. STEP 2 Enter the following information:•IGMP Proxy: Click On to enable IGMP Proxy so that your security appliance can act as a proxy for all IGMP requests and communicate with the IGMP servers of the ISP, or click Off to disable it. •IGMP Version: Choose either IGMPv1&v2 or IGMPv3. -IGMPv1: Hosts can join multicast groups. There are no leave messages. Routers use a time-out based mechanism to discover the groups that are of no interest to the members.

NetworkingVRRPCisco ISA500 Series Integrated Security Appliance Administrator Guide 1394 -IGMPv2: Leave messages are added to the protocol. This allows group membership termination to be quickly reported to the routing protocol, which is important for high-bandwidth multicast groups and/or subnets with highly volatile group membership.-IGMPv3: Major revision of the protocol. It allows hosts to specify the lists of hosts from which they want to receive traffic. Traffic from other hosts is blocked inside the network. It also allows hosts to block packets inside the network that come from sources sending unwanted traffic.•IGMP Snooping: You can use IGMP snooping in subnets that receive IGMP queries from either IGMP or the IGMP snooping querier. Click On to enable IGMP Snooping, or click Off to disable it. STEP 3 Click Save to apply your settings.VRRPThe Virtual Router Redundancy Protocol (VRRP) is a redundancy protocol for LAN access device. VRRP configures a groups of routers (include a master router and several backup routers) as a virtual router.STEP 1 Click Networking -> VRRP.The VRRP window opens. STEP 2 Check the box of Enable Virutal Router Redundancy Protocol (VRRP) to enable VRRP, or uncheck the box to disable it.STEP 3 If you enable VRRP, enter the following information:•Interface: The default interface of the master virtual router (your security appliance). •Source IP: The source IP address of the master virtual router. NOTE If a VRRP router owns the IP address of the virtual router and the IP address of the physical interface, this router will function as a master virtual router .

NetworkingConfiguring the Quality of ServiceCisco ISA500 Series Integrated Security Appliance Administrator Guide 1404 •VRID: The master virtual router ID. A virtual router has an unique ID that will be represented as the unique virtual MAC address. Enter a value from 1 to 255. •Priority: The priority of the master virtual router. Priority determines the role that each VRRP router plays and what happens if the master virtual router fails. Enter a value from 1 to 254. •Advertisement Interval: Specify the interval in seconds between successive advertisements by the master virtual router in a VRRP group. By default, the advertisements are sent every second (1). The advertisements being sent by the master virtual router communicate the state and priority of the current master virtual router. NOTE All routers in a VRRP group must use the same advertisement interval value. If the interval values are not same, the routers in the VRRP group will not communicate with eachother and any misconfigured router will change its state to master. •Verify: Click On to enable the authentication, or click Off to disable it. If you enable the authentication, specify the authentication method. -Pass: Uses the simple text password as the authentication method. Enter the password in the field.-AH: Uses the IP authentication as the authentication method. •Virtual IP Address: Enter the virtual IP address used for all backup virtual routers in the same group. STEP 4 Click Save to apply your settings.Configuring the Quality of ServiceThe Quality of Service (QoS) feature is applied throughout the network to ensure that network traffic is prioritized according to required criteria and that the desired traffic receives preferential treatment.

NetworkingConfiguring the Quality of ServiceCisco ISA500 Series Integrated Security Appliance Administrator Guide 1414 QoS guarantees are important if the network capacity is insufficient, especially for real-time streaming multimedia applications such as voice over IP, online games, and IPTV, since these applications are delay sensitive and often require a fixed bit rate. This section describes how to configure the WAN, LAN, and WLAN QoS. It includes the following topics:•General QoS Settings, page 141•Configuring the WAN QoS, page 141•Configuring the LAN QoS, page 147•Configuring the Wireless QoS, page 150General QoS SettingsSTEP 1 Click Networking -> QoS -> General Settings.The General Settings window opens.STEP 2 Enter the following information: •WAN QoS: Check this box to enbale the WAN QoS feature. By default, WAN QoS is disabled.•LAN QoS: The LAN QoS specifies priority values that can be used to differentiate the traffic and give preference to higher-priority traffic, such as telephone calls. Check this box to enbale the LAN QoS feature. By default, LAN QoS is disabled.•Wireless QoS: The Wireless QoS controls priority differentiation for data packets in wireless egress direction. Check this box to enbale the Wireless QoS feature. By default, Wireless QoS is disabled.STEP 3 Click Save to apply your settings.Configuring the WAN QoSThis section describes how to configure the WAN QoS settings. It includes the following topics: •Managing the WAN Bandwidth for Upstream Traffic, page 142

NetworkingConfiguring the Quality of ServiceCisco ISA500 Series Integrated Security Appliance Administrator Guide 1434 STEP 1 Click Networking -> QoS -> WAN QoS -> Queue Settings.The Queue Settings window opens.STEP 2 Specify the way of determining how traffic in queues is handled for each WAN port. •SP: Set the order in which queues are serviced, traffic scheduling for the selected queue and all higher queues is based strictly on the queue priority, starting with Q1 (the highest priority queue) and going to the next lower queue when each queue is complete. •WRR: Enter the WRR weight, in percentage, assigned to the queues that you want to use. Traffic scheduling for the selected queue is based on WRR. •LLQ: Applies SP mode to Q1 and WRR mode to Q2 to Q6. Q1 has the highest priority and is always processed to completion before the lower priority queues. If you choose LLQ, enter the amount of bandwidth assigned to Q1, and enter the WRR weights for other queues that you want to use. •Random Early Detection: Check the box to enable the Random Early Detection (RED) mechanism. RED is a congestion avoidance mechanism that takes advantage of TCP's congestion control mechanism. By randomly dropping packets prior to periods of high congestion, RED tells the packet source to decrease its transmission rate. Assuming the packet source is using TCP, it will decrease its transmission rate until all the packets reach their destination, indicating that the congestion is cleared. SP Egress traffic from the highest-priority queue (Q1) is transmitted first. Traffic from the lower queues is processed only after the highest queue has been transmitted, thus providing the highest level of priority of traffic to the highest numbered queue.WRR Distributes the bandwidth between the classes using the weighted round robin scheme. The weights decide how fast each queue can send packets. In WRR mode the number of packets sent from the queue is proportional to the weight of the queue. The higher the weight, the more frames are sent.LLQ Integrates the SP and WRR queues to provide strict priority queuing (PQ) to Class-Based Weighted Fair Queuing (CBWFQ). LLQ allows delay-sensitive data (such as voice) to be given preferential treatment over other traffic by letting the data to be dequeued and sent first.

NetworkingConfiguring the Quality of ServiceCisco ISA500 Series Integrated Security Appliance Administrator Guide 1444 STEP 3 If needed, you can enter a brief description for each queue in the Queue Description field. STEP 4 Click Save to apply your settings.Configuring the Traffic Selectors for WAN InterfacesTraffic Selector (or Traffic Classification) is used to classify the traffic through WAN interfaces to a given traffic class so that traffic in need of management can be identified. NOTE The security appliance allows you to create up to 256 traffic selectors. STEP 1 Click Networking -> QoS -> WAN QoS -> Traffic Selector (Classification).The Traffic Selector window opens. All existing traffic selectors are listed in the table.STEP 2 To add a new traffic selector, click Add.Other options: To edit an entry, click Edit. To delete an entry, click Delete. After you click Add or Edit, the QoS Class - Add/Edit window opens.STEP 3 Enter the following information: •Class Name: Enter a descriptive name for the traffic class. •Source Address: Choose Any or choose an existing address or group address (network) that the traffic comes from. •Destination Address: Choose Any or choose an existing address or group address (network) that the traffic goes to. If the address objects you want are not in the list, choose Create a Group Address to create a new group address object or choose Create a Single Address to create a new address object. To maintain the address or group address objects, go to the Networking -> Address Object Management page. See Address Management, page 152. •Source Service: Choose Any or choose an existing service from the drop-down list.

NetworkingConfiguring the Quality of ServiceCisco ISA500 Series Integrated Security Appliance Administrator Guide 1484 •SP: Indicates that traffic scheduling for the selected queue is based strictly on the queue priority. •WRR: Indicates that traffic scheduling for the selected queue is based strictly on the WRR weights. If WRR is selected, the predefined weights 8, 4, 2 and 1 are assigned to queues 1, 2, 3 and 4 respectively.•SP+WRR: Integrates the SP and WRR queues. It applies SP to two groups. The first group contains the PQ and the second group contains other queues. If SP+WRR is selected, the PQ is assigned to the Q1 and the predefined weights 4, 2 and 1 are assigned to Q2, Q3, and Q4 respectively. There is no limit for PQ, indicating that WRR queues may be starved if PQ is always sending traffic greater than the maximum bandwidth of the LAN ports. STEP 4 Click Save to apply your settings.NOTE Next Steps:•To specify the LAN QoS classification method, go to the LAN QoS -> Classification Method page. See Configuring the LAN QoS Classification Methods, page 148.•To map the CoS to LAN queues, go to the LAN QoS -> Mapping CoS to Queue page. See Mapping CoS to LAN Queue, page 149.•To map the DSCP to LAN queues, go to the LAN QoS -> Mapping DSCP to Queue page. See Mapping DSCP to LAN Queue, page 149.•To configure the default CoS value and trust mode for traffic through each LAN interface, go to the LAN QoS -> Default CoS page. See Configuring Default CoS, page 149.Configuring the LAN QoS Classification MethodsTraffic Classification is used to classify the traffic through the LAN interfaces to a given traffic class so that the traffic in need of management can be identified. STEP 1 Click Networking -> QoS -> LAN QoS -> Classification Method.The Classification Method window opens.

NetworkingConfiguring the Quality of ServiceCisco ISA500 Series Integrated Security Appliance Administrator Guide 1494 STEP 2 Depending on your networking design, choose either DSCP or CoS remarking method for traffic through each LAN interface.STEP 3 Click Save to apply your settings.Mapping CoS to LAN QueueSTEP 1 Click Networking -> QoS -> LAN QoS -> Mapping CoS to Queue.The Mapping CoS to Queue window opens.STEP 2 Choose the traffic forwarding queue to which the CoS priority tag value is mapped. Four traffic priority queues are supported, where Q4 is the lowest and Q1 is the highest. STEP 3 Click Save to apply your settings.Mapping DSCP to LAN QueueSTEP 1 Click Networking -> QoS -> LAN QoS -> Mapping DSCP to Queue.The Mapping DSCP to Queue window opens.STEP 2 Choose the traffic forwarding queue to which the DSCP priority tag value is mapped. Four traffic priority queues are supported, where Q4 is the lowest and Q1 is the highest. STEP 3 Click Save to apply your settings.Configuring Default CoSUse the Default CoS page to configure the default CoS values for incoming packets through each LAN interface. The possible field values are 0 to 7. The default CoS value is 0.STEP 1 Click Networking -> QoS -> LAN QoS -> Default CoS.The Default CoS window opens.STEP 2 Enter the following information:

NetworkingConfiguring the Quality of ServiceCisco ISA500 Series Integrated Security Appliance Administrator Guide 1504 •Default CoS: Choose the default CoS priority tag value for the LAN interfaces, where 0 is the lowest and 7 is the highest.•Trust: Choose Ye s to keep the CoS tag value for packets through the LAN interfaces, or choose No to change the CoS tag value for packets through the LAN interface. STEP 3 Click Save to apply your settings.Configuring the Wireless QoSThe Wireless QoS controls priority differentiation for data packets in wireless egress direction. It includes the following topics: •Default Wireless QoS Settings, page 150•Configuring the Wireless QoS Classification Methods, page 151•Mapping CoS to Wireless Queue, page 151•Mapping DSCP to Wireless Queue, page 151Default Wireless QoS SettingsThe Wireless QoS uses the default queuing method for wireless traffic. Wireless traffic is always trusted. The wireless QoS treats all untagged packets as tagged packets with the default CoS value 0 so that the security appliance can refer to the CoS to Queue mapping settings to obtain the corresponding wireless egress queue.If you enable WMM for the SSIDs, the following table displays the default mapping settings between DSCP and WMM. The default mapping settings between CoS or DSCP and WMM cannot be changed, but the default mapping settings between CoS or DSCP and wireless queues are editable. 802.1p DSCP Wireless Queue WMM value 0 000xxx Q3 (Best Effort Priority) 0 1 001xxx Q4 (Background Priority) 1 2 010xxx Q4 (Background Priority) 2 3 011xxx Q3 (Best Effort Priority) 3

NetworkingConfiguring the Quality of ServiceCisco ISA500 Series Integrated Security Appliance Administrator Guide 1514 Configuring the Wireless QoS Classification MethodsTraffic Classification is used to classify the traffic through the SSIDs to a given traffic class so that traffic in need of management can be identified. Use the Classification Method page to specify the classification method that is used by each SSID individually. STEP 1 Click Networking -> QoS -> Wireless QoS -> Classification Method.The Wireless Classification Method window opens.STEP 2 Depending on your networking design, choose either DSCP or CoS remarking method for traffic through each active SSID. STEP 3 Click Save to apply your settings.Mapping CoS to Wireless QueueSTEP 1 Click Networking -> QoS -> Wireless QoS -> Mapping CoS to Queue.The Mapping CoS to Queue window opens.STEP 2 Choose the traffic forwarding queue to which the CoS priority tag value is mapped. STEP 3 Click Save to apply your settings.Mapping DSCP to Wireless QueueSTEP 1 Click Networking -> QoS -> Wireless QoS -> Mapping DSCP to Queue.The Mapping DSCP to Queue window opens.4 100xxx Q2 (Video Priority) 4 5 101xxx Q2 (Video Priority) 5 6 110xxx Q1 (Voice Priority) 6 7 111xxx Q1 (Voice Priority) 7 802.1p DSCP Wireless Queue WMM value

NetworkingAddress ManagementCisco ISA500 Series Integrated Security Appliance Administrator Guide 1524 STEP 2 Choose the traffic forwarding queue to which the DSCP priority tag value is mapped. STEP 3 Click Save to apply your settings.Address ManagementUse the Address Object Management page to manage the address and group address objects. The security appliance is configured with a long list of common address objects so that you can use to configure the firewall access rules, port forwarding rules, or other features. For more information, see Default Address Objects, page 363. This section includes the following topics: •Configuring the Addresses, page 152•Configuring the Group Addresses, page 153Configuring the AddressesSTEP 1 Click Networking -> Address Object Management.The Address Object Management window opens. All existing address objects are listed in the Address table. STEP 2 In the Address Table area, click Add to add a new address. Other options: To edit an entry, check the box and click Edit. To delete an entry, check the box and click Delete. To delete multiple entries, check the boxes of multiple entries and click Delete Selection. The default address object cannot be edited. After you click Add or Edit, the Address Table - Add/Edit window opens.STEP 3 Enter the following informaiton: •Name: Enter the name for the address object. •Type: Specify the address type and then enter the corresponding information.

NetworkingAddress ManagementCisco ISA500 Series Integrated Security Appliance Administrator Guide 1534 -Host: Defines a single host by its IP address. The netmask for a Host address object will automatically be set to 32-bit (255.255.255.255) to identify it as a single host. If you choose Host, enter the IP address of the host in the IP Address field. -Range: Defines a range of contiguous IP addresses. No netmask is associated with the Range address object, but internal logic generally treats each member of the specified range as a 32-bit masked host object. If you choose Range, enter the starting IP address in the IP Address field and the ending IP address in the End IP Address field. -Network: Network address object like the Range object comprises multiple hosts, but rather than being bound by specified upper and lower range delimiters, the boundaries are defined by a valid netmask. Network address objects must be defined by the network’s address and a corresponding netmask. As a general rule, the first address in a network (the network address) and the last address in a network (the broadcast address) are unusable. If you choose Network, enter the subnet IP address in the IP Address field and the broadcast address in the Netmask field. -MAC: Identifies a host by its hardware address or MAC (Media Access Control) address. MAC addresses are uniquely assigned to wired or wireless networking devices by their hardware manufacturers. MAC addresses are 48-bit values that are expressed in 6 byte hex-notation. If you choose MAC, enter the MAC address in the MAC field. STEP 4 Click OK to save your settings.STEP 5 Click Save to apply your settings.Configuring the Group AddressesA group address combines with multiple addresses. The security appliance can support up to 64 group addresses. A group address can include up to 64 address members. STEP 1 Click Networking -> Address Object Management.The Address Object Management window opens. All existing group address objects are listed in the Group Address table. STEP 2 In the Group Address Table area, click Add Group to add a new group address.

NetworkingService ManagementCisco ISA500 Series Integrated Security Appliance Administrator Guide 1544 Other options: To edit an entry, check the box and click Edit. To delete an entry, check the box and click Delete. To delete multiple entries, check the boxes of multiple entries and click Delete Group. After you click Add or Edit, the Address Table - Add/Edit window opens.STEP 3 Enter the name for the group address in the Group Name field.STEP 4 To add the address objects to the group, select the address objects from the left list and click the right arrow ->. STEP 5 To remove the address objects from the group, select the address objects from the right list and click the left arrow <-. STEP 6 Click OK to save your settings.STEP 7 Click Save to apply your settings.Service ManagementUse the Services page to maintain the service or group service objects. The security appliance is configured with a long list of standard services so you can use to configure the firewall access rules, port forwarding rules, or other features. For more information, see Default Service Objects, page 360. This section includes the following topics: •Configuring the Services, page 154•Configuring the Group Services, page 155Configuring the ServicesIf you need to configure a feature for a custom service that is not in the standard list, you must first define the service object. STEP 1 Click Network -> Services. The Services window opens. All existing service objects are listed in the Service table. STEP 2 In the Service Table area, click Add to add a new service.

NetworkingService ManagementCisco ISA500 Series Integrated Security Appliance Administrator Guide 1554 Other options: To edit an entry, click Edit. To delete an entry, click Delete. To delete multiple entries, check the boxs of multiple entries and click Delete Service. After you click Add or Edit, the Service Table - Add/Edit window opens.STEP 3 Enter the following information:•Name: Enter the name for the service.•Protocol: Specify the protocol and port range for the service: -IP: Uses only the predefined IP types. If you choose this option, enter the protocol number in the IP Type field. -ICMP: Internet Control Message Protocol (ICMP) is a TCP/IP protocol used to send error and control messages. If you choose this option, enter the ICMP type in the ICMP Type field. -TCP: Transmission Control Protocol (TCP) is a transport protocol in TCP/IP. TCP ensures that a message is sent accurately and in its entirety. If you choose this option, enter the starting port number in the Port Range Start field and the ending port number in the Port Range End field. -UDP: User Datagram Protocol (UDP) is a protocol within the TCP/IP protocol suite that is used in place of TCP when a reliable delivery is not required. If you choose this option, enter the starting port number in the Port Range Start field and the ending port number in the Port Range End field. -Both (TCP/UDP): If you choose this option, enter the starting port number in the Port Range Start field and the ending port number in the Port Range End field. STEP 4 Click OK to save your settings.STEP 5 Click Save to apply your settings.Configuring the Group ServicesServices that apply to common applications are grouped as a group service object. The group service object is treated as a single service. A group service can include up to 64 service members. The security appliance can support up to 64 group services.

NetworkingService ManagementCisco ISA500 Series Integrated Security Appliance Administrator Guide 1564 STEP 1 Click Network -> Services. The Services window opens. All existing group service objects are listed in the Group Service table.STEP 2 In the Group Service Table area, click Add Group to add a new group service.Other options: To edit an entry, click Edit. To delete an entry, click Delete. To delete multiple entries, check the boxs of multiple entries and click Delete Group. After you click Add or Edit, the Service Table - Add/Edit window opens.STEP 3 Enter the name for the group service in the Name field. STEP 4 To add the services to the group, select the services from the Services list and click the right arrow -> to add them into the Member list. STEP 5 To remove the services from the group, select the services from the Member list and click the left arrow <-. STEP 6 Click OK to save your settings.STEP 7 Click Save to apply your settings.

5Cisco ISA500 Series Integrated Security Appliance Administrator Guide 157 Wireless Configuration for ISA550W and ISA570WThis chapter describes how to configure the the radio settings and SSIDs for the ISA550W and ISA570W. It includes the following sections: •Configuring the Radio Settings, page 157•Configuring the Access Points, page 162•Configuring Wi-Fi Protected Setup, page 172•Configuring Wireless Rogue AP Detection, page 173•Configuring Wireless Captive Portal, page 174To access the Wireless pages, click Wireless in the left hand navigation pane.Configuring the Radio SettingsThe ISA550W and ISA570W can function as an Internet or network gateway for the wireless clients. The ISA550W and ISA570W supports wireless protocols called IEEE 802.11b, 802.11g, and 802.11n. This section describes how to configure the wireless radio settings. It includes the following topics: •Basic Radio Settings, page 158•Advanced Radio Settings, page 160

Wireless Configuration for ISA550W and ISA570WConfiguring the Radio SettingsCisco ISA500 Series Integrated Security Appliance Administrator Guide 1585 Basic Radio SettingsYou can change the wireless network mode to suit the devices in your network, specify the wireless channel and bandwidth for operation to resolve issues with interference from other access points in the area, or enable the U-APSD and SSID Isolation if needed. STEP 1 Click Wireless -> Basic Settings.The Basic Settings window opens. STEP 2 Enter the following information: •Wireless Radio: Click On to turn the wireless radio on and hence enable the wireless network, or click Off to turn the wireless radio off. By default, the security appliance turns on the wireless radio with predefined standard settings.•Wireless Network Mode: Choose the 802.11 modulation technique. The ISA550W and ISA550W supports the following radio modes: -802.11b only: Choose this mode if all devices in the wireless network use 802.11b. Only 802.11b clients can connect to the access point. -802.11g only: Choose this mode if all devices in the wireless network use 802.11g. Only 802.11g clients can connect to the access point. -802.11b/g mixed: Choose this mode if some devices in the wireless network use 802.11b and others use 802.11g. Both 802.11b and 802.11g clients can connect to the access point. -802.11n only: Choose this mode if all devices in the wireless network can support 802.11n. Only 802.11n clients operating in the 2.4 GHz frequency can connect to the access point. -802.11g/n mixed: Choose this mode to allow 802.11g and 802.11n clients operating in the 2.4 GHz frequency to connect to the access point. -802.11b/g/n mixed: Choose this mode to allow 802.11b, 802.11g, and 802.11n clients operating in the 2.4 GHz frequency to connect to the access point.•Wireless Channel: Choose a channel or choose Auto to let the system determine the optical channel to use based on the environmental noise levels for the available channels.

Wireless Configuration for ISA550W and ISA570WConfiguring the Access PointsCisco ISA500 Series Integrated Security Appliance Administrator Guide 1625 Configuring the Access PointsThe ISA550W and ISA570W support four SSIDs. By default, each SSID has Open security and is identifying itself to all wireless devices that are in range. For security purposes, we strongly recommend that you configure each SSID with the highest level of security that is supported by the wireless devices that you want to allow into your network.Multiple SSIDs can segment the wireless LAN into multiple broadcast domains. This configuration helps you to maintain better control over broadcast and multicast traffic, which affects network performance. This section includes the following topics:•Configuring the Security Mode, page 162•Controlling the Wireless Access Based on MAC Addresses, page 169•Mapping the SSID to VLAN, page 170•Configuring the SSID Schedule, page 171Configuring the Security ModeThis section describes how to configure the security mode for the SSID. NOTE Cisco strongly recommends WPA2 for wireless security. Other security modes are vulnerable to attacks. NOTE If the security mode is set as WEP or as WPA with TKIP encryption algorithm for the SSID that supports 802.11n, the transmit rate for its associated client stations will not exceed 54 Mbps. STEP 1 Click Wireless -> Basic Settings.The Basic Settings window opens. STEP 2 In the SSID table area, click Edit to edit the settings for the SSID. After you click Edit, the SSID Configurations - Edit window opens.

Wireless Configuration for ISA550W and ISA570WConfiguring Wi-Fi Protected SetupCisco ISA500 Series Integrated Security Appliance Administrator Guide 1725 Configuring Wi-Fi Protected SetupThe Wi-Fi Protected Setup (WPS) protocol can simplify the process of configuring the security on wireless networks. The WPS protocol allows the home users who know little of wireless security and may be intimidated by the available security options to configure the Wi-Fi Protected Access, which is supported by all Wi-Fi certified devices.STEP 1 Click Wireless -> Wi-Fi Protected Setup.The Wi-Fi Protected Setup window opens.STEP 2 Click On to enable WPS, or click Off to disable it. Three WPS methods are available to the wireless clients. STEP 3 If the wireless client has a WPS button, follow these steps to estabilsh the wireless connection: a. Press the WPS button on the wireless client.b. Click the WPS button on this page.c. Verify that the wireless client is connected to the SSID. STEP 4 If the wireless client has a WPS PIN number, follow these steps to establish the wireless connection: a. Get the PIN number on the wireless client.b. Enter the PIN number on this page, and then click Enter. c. Verify that the wireless client is connected to the SSID. STEP 5 If the wireless client asks for the PIN number of the security appliance, follow these steps to establish the wireless connection: a. Click Generate to generate a PIN number.b. Enter the registered PIN number on the wireless client.c. Verify that the wireless client is connected to the SSID. STEP 6 Check the following WPS status: •WPS Config Status: If you enable WPS, it shows as “Configured”.•Network Name (SSID): Choose the SSID on which the WPS setting is applied.

Wireless Configuration for ISA550W and ISA570WConfiguring Wireless Rogue AP DetectionCisco ISA500 Series Integrated Security Appliance Administrator Guide 1735 •Security: The security mode used for the selected SSID.•Encryption: The encryption method used for the selected SSID.STEP 7 Click Save to apply your settings. Configuring Wireless Rogue AP DetectionA Rogue access point (Rogue AP) is any Wi-Fi access point connected to your network without authorization. It is not under the management of your network administrators and does not necessarily conform to your network security policies.A Rogue AP allows anyone with a Wi-Fi-equipped device to connect to your corporate network, leaving your IT assets wide open for the casual snooper or criminal hacker. Rogue APs can be a problem even if your company does not have its own wireless LAN. Often employees seeking to enhance their productivity will innocently install an access point for their personal use on your network without understanding the security risks. The security appliance is configurable by the network administrator to provide proactive rogue AP detection in the 2.4 GHz band. Rogue AP Detection (RAD) is able to discover, detect, and report an unauthorized AP. You can specify an authorized AP by its MAC address. STEP 1 Click Wireless -> Rogue AP Detection.The Rogue AP Detection window opens.STEP 2 Click On to enable the Rogue AP Detection feature, or click Off to disable it. STEP 3 After you enable Rogue AP Detection, Rogue APs detected by your security appliance appear in the Detected Rogue AP list. Click Refresh to update the Detected Rogue AP list. STEP 4 To set an AP as an authorized AP, click Grant Access. The granted AP is moved to the Known AP list. STEP 5 The security appliance will not detect the authorized APs. You can specify the authorized APs in the known AP list.

Wireless Configuration for ISA550W and ISA570WConfiguring Wireless Captive PortalCisco ISA500 Series Integrated Security Appliance Administrator Guide 1745 •To add an authorized AP in the known AP list, click Add.•To delete an authorized AP from the known AP list, click Delete. •To change the MAC address of an authorized AP, click Edit.•To export the known AP list to a file, click Export List.•To import the known AP list from a file, click Import List. -If you want to replace the current known AP list, choose Replace. Click Browse to locate the file, and then click OK.-If you want to merge with the current known AP list, choose Merge. click Browse to locate the file, and then click OK. STEP 6 Click Save to apply your settings. Configuring Wireless Captive PortalThe Captive Portal feature allows the wireless users who authenticated successfully to be directed to a specified web page (portal) before they can access the Internet. The wireless users will be directed to a specified web authentication login page to authenticate, and then be directed to the specified web portal after login. STEP 1 Click Wireless -> Captive Portal.The Captive Portal window opens.STEP 2 Enter the following information:•Enable Captive Portal: Click On to enable the captive portal feature, or click Off to disable it. •Apply On: Choose the SSID on which the captive portal settings are applied. NOTE The captive portal WLAN access can be only applied on one SSID.

6Cisco ISA500 Series Integrated Security Appliance Administrator Guide 177 FirewallThis chapter describes how to control network access through the security appliance by using the zone-based firewall access rules or other methods such as MAC Filtering and Content Filtering. It includes the following sections: •Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic, page 178•Configuring the Firewall Schedule, page 186•Firewall Access Rule Configuration Examples, page 187•Configuring the NAT Rules to Securely Access a Remote Network, page 192•Configuring the Session Settings, page 200•Configuring the Content Filtering to Control Access to Internet, page 201•Configuring the MAC Filtering to Permit or Block Traffic, page 205•Configuring the IP/MAC Binding to Prevent Spoofing, page 206•Configuring the Attack Protection, page 207•Configuring the Application Level Gateway, page 209To access the Firewall pages, click Firewall in the left hand navigation pane.

$FirewallConfiguring the Firewall Access Rules to Control Inbound and Outbound TrafficCisco ISA500 Series Integrated Security Appliance Administrator Guide 1786 Configuring the Firewall Access Rules to Control Inbound and Outbound TrafficThe zone-based firewall access rules can permit or deny inbound or outbound traffic based on the zone, service, source and destination address. It includes the following sections: •Default Firewall Settings, page 178•Priorities of Firewall Access Rules, page 180•Preliminary Tasks for Configuring the Firewall Access Rules, page 180•General Settings for Configuring the Firewall Access Rules, page 181•Configuring a Firewall Access Rule, page 183•Configuring a Firewall Access Rule to Allow the Multicast Traffic, page 185NOTE For detailed firewall configuration examples, see Firewall Access Rule Configuration Examples, page 187.Default Firewall SettingsBy default, your firewall prevents all traffic from a lower security level to a higher security level (commonly known as Inbound) and allows all traffic from a higher security level to a lower security level (commonly known as Outbound). If you want to allow some inbound access or prevent some outbound access, you must configure the firewall access rules. The following table lists the default access control settings for the traffic between different security levels. For more information about the security level definition for zones, see Security Levels for Zones, page 128. From\To Trusted(100) VPN(75) Public(50) GUEST(25) Untrust(0)Trusted(100) Deny Permit Permit Permit PermitVPN(75) Deny Deny Permit Permit Permit$

$FirewallConfiguring the Firewall Access Rules to Control Inbound and Outbound TrafficCisco ISA500 Series Integrated Security Appliance Administrator Guide 1796 The default access behaviors for all predefined zones and new zones follow the above settings depending on their security levels. For example, if you create a new trusted zone called “Data”, a certain of firewall access rules are automatically generated to permit or block the traffic from the Data zone to other zones or from other zones to the Data zone. The permit or block action is determined by the security levels of the From and To zones. For example, the traffic from the Data zone to the predefined WAN zone is permitted, but the traffic from the Data zone to the predefined LAN zone is blocked. Use the Default Policy page to view the default firewall access settings for all predefined zones. STEP 1 Click Firewall -> ACL Rules -> Default Policy. The Default Policy window opens. The default access settings for all predefined zones are listed in the table. STEP 2 To expand the default access settings for a specific zone, click the Expand button. To hide the default access settings for a specific zone, click the Collapse button. The following behaviors are predefined on the security appliance. Public(50) Deny Deny Deny Permit PermitGUEST(25) Deny Deny Deny Deny PermitUntrust(0) Deny Deny Deny Deny DenyFrom\To Trusted(100) VPN(75) Public(50) GUEST(25) Untrust(0)From \To LAN VIOCE VPN SSLVPN DMZ GUEST WANLAN NA Deny Permit Permit Permit Permit PermitVOICE Deny NA Permit Permit Permit Permit PermitVPN Deny Deny NA Deny Permit Permit PermitSSLVPN Deny Deny Deny NA Permit Permit PermitDMZ Deny Deny Deny Deny NA Permit PermitGUEST Deny Deny Deny Deny Deny NA PermitWAN Deny Deny Deny Deny Deny Deny NA$