Administration Guide
Cisco Systems, Inc. All rights reserved 78-20776-03
Important Note
FCC Radiation Exposure Statement For ISA550W and ISA570W
Industry Canada statement
Canada Radiation Exposure Statement For ISA550W and ISA570W
Radiation Exposure Statement
UL/CB
Configuration Wizards
Getting Started
Using Remote Access VPN Wizard for SSL Remote Access
Status
Networking 115
Understanding DSCP Values 171
Wireless (for ISA550W and ISA570W only) 206
VLAN Setup 180 Wireless Setup 181 User Authentication
VLAN Setup 222 Wireless Setup 223 User Authentication
Firewall 251
Security Services 291
General Application Control Settings 314
VPN 333
Client Mode 366 Network Extension Mode 367
User Management 388
Device Management 403
Contents
Appendix A Troubleshooting 453
Appendix D Where to Go From Here 479
Getting Started
Model Description Configuration
Introduction
ISA550W
Product Overview
Front Panel
Front Panel, Back Panel,
VPN
POWER/SYS
Light Description
USB
LINK/ACT
Back Panel
Speed
ISA550 and ISA550W Back Panel
Feature Description
ANT01/ANT02
Power Switch
Getting Started with the Configuration Utility
Reset Button
Power
Logging in to the Configuration Utility
Navigating Through the Configuration Utility
Number Component Description
Using the Help System
Configuration Utility Icons
Icon Description Action
Factory Default Settings
Default Settings of Key Features
Restoring the Factory Default Settings
Performing Basic Configuration Tasks
Changing the Default Administrator Password
Parameter Default Value
Upgrading your Firmware After your First Login
Click Continue
Backing Up Your Configuration
Configuration Wizards
Using the Setup Wizard for the Initial Configuration
Starting the Setup Wizard
Enabling Firmware Upgrade
Validating Security License
Enabling Bonjour and CDP Discovery Protocols
Configuring Remote Administration
Configuring Physical Ports
Configuring the Primary WAN
Configuring the Secondary WAN
Configuring WAN Redundancy
Configuring Default LAN Settings
Configuring DMZ
Configuring DMZ Services
Configuring Wireless Radio Settings
WAN
WAN IP
Configuring Intranet WLAN Access
Configure Security Services
Security Services
Viewing Configuration Summary
Configuring a Configurable Port as a Secondary WAN Port
Click Configuration Wizards > Dual WAN Wizard
Starting the Dual WAN Wizard
Configuring the Primary WAN
Configuring Network Failure Detection
Using the Remote Access VPN Wizard
Using the Remote Access VPN Wizard for IPsec Remote
Starting the Remote Access VPN Wizard
Configuring IPsec Remote Access Group Policy
Click Configuration Wizards > Remote Access VPN Wizard
Configuring WAN Settings
Configuring Operation Mode
Configuring Access Control Settings
Configuring DNS and WINS Settings
Configuring Backup Servers
Configuring Split Tunneling
Viewing Group Policy Summary
Configuring IPsec Remote Access User Groups
Viewing IPsec Remote Access Summary
Using Remote Access VPN Wizard for SSL Remote Access
Configuring SSL VPN Gateway
Client Netmask Client Address Pool
Configuring SSL VPN Group Policy
Configuring SSL VPN User Groups
Using the Site-to-Site VPN Wizard to Configure Site-to-Site
Viewing SSL VPN Summary
Configuring VPN Peer Settings
Click Configuration Wizards > Site-to-Site VPN Wizard
Starting the Site-to-Site VPN Wizard
Configuring IKE Policies
Configuring Transform Policies
Configuring Local and Remote Networks
Click Configuration Wizards > DMZ Wizard
Using the DMZ Wizard to Configure DMZ Settings
Configuring DDNS Profiles
Starting the DMZ Wizard
Configuring DMZ Network
Configuring DMZ Services
WAN
Using the Wireless Wizard (for ISA550W and ISA570W only)
Starting the Wireless Wizard
Click Configuration Wizards > Wireless Wizard
Configuring Wireless Connectivity Types
Specify Wireless Connectivity Settings for All Enabled SSIDs
Configuring the SSID for Intranet WLAN Access
Configuring Wireless Security,
Configuring the SSID for Guest WLAN Access
Field Description
Device Status Dashboard
Status Dashboard
System Information
Licenses
Status
Resource Utilization
Syslog Summary
Site-to-Site VPN
Remote Access VPN
Routing Mode
Physical Ports
Field
Status Summary
Network Status
Status Summary
Ethernet
VLAN PVID
VLAN
DMZ
Traffic Statistics
Usage Reports
WAN Bandwidth Reports
ARP Table
DHCP Bindings
STP Status
STP Status Global Status
Interface Status Table
CDP Neighbor
Wireless Status (for ISA550W and ISA570W only)
Wireless Status
Wireless Status, Client Status,
NAT Status
Client Status
NAT Status
IPsec VPN Status, SSL VPN Status,
VPN Status
IPsec VPN Status
VPN Status IPsec VPN Status
Statistics
SSL VPN Status
Teleworker VPN Client
VPN Status SSL VPN Status
SSL VPN Statistics
Active User Sessions
Security Services Reports
Web Security Report
Anti-Virus Report
Email Security Report
Network Reputation Report
IPS Report
Application Control Report
Processes, Resource Utilization,
System Status
Processes
System Status Processes
CPU Utilization
Resource Utilization
System Status Resource Utilization
Memory Utilization
Networking
Managing Ports
Configuring IPv4 or IPv6 Routing
Viewing Network Status
Viewing Status of Physical Interfaces
Configuring Physical Ports
Configuring Port Mirroring
Configuring Port-Based 802.1x Access Control
Configuring the WAN
Configuring WAN Settings for Your Internet Connection
Release or renew a DHCP WAN connection,
Configure the primary WAN
Network Addressing Configuration Mode
Configure a secondary WAN
Network Addressing Mode
DHCP Client
Static IP
PPPoE
ISP
PPTP
L2TP
Dual WAN Settings
Configuring Link Failover Detection
Configuring Dynamic DNS
DDNS Services Table
Adding or Modifying a DDNS Service
Measuring and Limiting Traffic with the Traffic Meter
Configuring a VLAN
Configuring DMZ
About DMZ networks
Example DMZ with One Public IP Address for WAN and DMZ
Configuring a DMZ
Example DMZ with Two Public IP Addresses
Configuring Zones
Security Levels for Zones
Configuring Zones
Predefined Zones
Services
Configuring DHCP Reserved IPs
Configuring Routing
Configuring Routing Mode
Viewing the Routing Table
Configuring Static Routing
Configuring Dynamic Routing RIP
Configuring Policy-Based Routing
Configuring Quality of Service
General QoS Settings
Click Networking > QoS > General Settings
Configuring WAN QoS
Managing WAN Bandwidth for Upstream Traffic
Click Networking > QoS > WAN QoS > Bandwidth
Configuring WAN Queue Settings
Configuring Traffic Selectors
Click Networking > QoS > WAN QoS > Queue Settings
Configuring WAN QoS Policy Profiles
Configuring WAN QoS Class Rules
Click Networking > QoS > WAN QoS > QoS Policy Profile
Mapping WAN QoS Policy Profiles to WAN Interfaces
WAN QoS Configuration Example
WAN1
WAN1IP
Source Address
Configure WAN QoS for Voice Traffic from LAN to WAN
Class Name
Policy Name
Configuring WAN QoS for Voice Traffic from WAN to LAN
QoS Class Rule
QoS Class Rules
Configuring LAN QoS
Click Networking > QoS > LAN QoS > Queue Settings
Configuring LAN Queue Settings
Configuring LAN QoS Classification Methods
Click Networking > QoS > LAN QoS > Classification Methods
LAN Queue CoS Value
Mapping CoS to LAN Queue
Mapping DSCP to LAN Queue
Click Networking > QoS > LAN QoS > Mapping CoS to Queue
Default Wireless QoS Settings
Configuring Wireless QoS
Configuring Default CoS
802.1p Priority 802.11e Priority
IEEE 802.11e to 802.1p Mapping
Configuring Wireless QoS Classification Methods
Click Networking > QoS > Wireless QoS > Classification Methods
802.11e Priority 802.1p Priority
Understanding DSCP Values
Mapping CoS to Wireless Queue
Mapping DSCP to Wireless Queue
DSCP Value Decimal Value Meaning
Configuring IGMP
Click Networking > IGMP
Configuring VRRP
Click Networking > VRRP
Address Management
Configuring Addresses
Configuring Addresses, Configuring Address Groups,
Click Networking > Address Management
Configuring Address Groups
Configuring Services, Configuring Service Groups,
Service Management
Configuring Services
Click Networking > Service Management
Configuring Service Groups
Configuring Captive Portal
Requirements
VLAN Setup
Before You Begin
Configuring a Captive Portal
Wireless Setup
User Authentication
Troubleshooting
Using External Web-Hosted CGI Scripts
CGI Source Code Example No Authentication and Accept Button
if (result == 2 || result == 5) { // document.form1.UserName.focus(); }
Documentation
Related Information
Support
Cisco Small Business
Cisco Small Business Home
Wireless (for ISA550W and ISA570W only)
Viewing Wireless Status
Viewing Wireless Statistics
Wireless > Wireless Status > Wireless Status
Configuring the Basic Settings
Viewing Wireless Client Status
Click Wireless > Basic Settings
Configuring SSID Profiles
Configuring Wireless Security
Security Mode Description
Open
WEP
WPA
WPA/WPA2-Personal mixed Supports
WPA2
WPA + WPA2
WPA/WPA2-Enterprise mixed Supports
Controlling Wireless Access Based on MAC Addresses
Configuring SSID Schedule
Mapping the SSID to VLAN
Configuring Wi-Fi Protected Setup
Click Wireless > Wi-Fi Protected Setup
Configuring Captive Portal
Requirements
Configuring a Captive Portal
Troubleshooting
Using External Web-Hosted CGI Scripts
CGI Source Code Example No Authentication and Accept Button
if (result == 2 || result == 5) { // document.form1.UserName.focus(); }
Related Information
Configuring Wireless Rogue AP Detection
Click Wireless > Rogue AP Detection
Advanced Radio Settings
Click Wireless > Advanced Settings
Firewall
About Security Zones
Security Levels and Predefined Zones Description
Default Firewall Settings
Click Firewall > Access Control > Default Policies
Preliminary Tasks for Configuring Firewall Rules
Priorities of Firewall Rules
General Firewall Settings
Click Firewall > Access Control > ACL Rules
Configuring a Firewall Rule
Configuration Examples,
Configuring a Firewall Rule to Allow Multicast Traffic
MAC Address Filtering to Permit or Block Traffic,
Configuring Firewall Logging Settings
Configuring NAT Rules to Securely Access a Remote Network
Viewing NAT Translation Status
Firewall > NAT > NAT Status
Priorities of NAT Rules
Inbound Traffic
Outbound Traffic
Configuring Dynamic PAT Rules
Click Firewall > NAT > Dynamic PAT
Configuring Static NAT Rules
Click Firewall > NAT > Static NAT
Configuring Port Forwarding Rules
Click Firewall > NAT > Port Forwarding
Configuring Port Triggering Rules
Click Firewall > NAT > Port Triggering
Configuring Advanced NAT Rules
Click Firewall > NAT > Advanced NAT
Configuring IP Alias for Advanced NAT Rules
As Any
HTTP
Configuring an Advanced NAT Rule to Support NAT Hairpinning
From Any
FTP-CONTROL
Default
Defaultnetwork
WAN WAN1 WAN IP WAN1IP
Firewall and NAT Rule Configuration Examples
Allowing Inbound Traffic Using the WAN IP Address
Enable Port Forwarding
Translated IP InternalFTP
ANY
Translated IP RDPServer
Allowing Inbound Traffic Using a Public IP Address
RDP
WAN WAN1 WAN IP
Address Original Destination PublicIP Original Services
Port
Name
Netmask
Zone
Enable Port Forwarding Create Firewall Rule Off
CU-SEEME
Translated IP InternalIP
Blocking Outbound Traffic by Schedule and IP Address Range
Blocking Outbound Traffic to an Offsite Mail Server
Schedule
Configuring Content Filtering to Control Internet Access
Configuring Content Filtering Policy Profiles
Click Firewall > Content Filtering > Content Filtering Policies
Configuring Website Access Control List
Mapping Content Filtering Policy Profiles to Zones
Click Firewall > Content Filtering > Policy to Zone Mapping
Configuring Advanced Content Filtering Settings
Click Firewall > Content Filtering > Advanced Settings
Configuring MAC Address Filtering to Permit or Block Traffic
Click Firewall > MAC Filtering > MAC Address Filtering
Configuring IP-MAC Binding to Prevent Spoofing
Click Firewall > MAC Filtering > IP MAC Binding Rules
Configuring Attack Protection
Click Firewall > Attack Protection
Configuring Session Limits
Click Firewall > Session Limits
Configuring Application Level Gateway
Click Firewall > Application Level Gateway
Security Services
About Security Services
IPS
Activating Security Services
Priority of Security Services
Security Services Dashboard
Click Security Services > Dashboard
Viewing Security Services Reports
Viewing Web Security Report
Viewing IPS Report, Viewing Application Control Report,
Viewing Anti-Virus Report
Viewing Email Security Report
Total Since Activated
Viewing Network Reputation Report
System Date
Total Last 7 Days
Viewing IPS Report
Total Today
Graph
Viewing Application Control Report
Configuring Anti-Virus
General Anti-Virus Settings
Click Security Services > Anti-Virus > General Settings
HTTP Notification,
Protocol Action
Notify + Drop Connection Drop the connection
FTP
NetBIOS
Notification,
CIFS
Configuring Advanced Anti-Virus Settings
Click Security Services > Anti-Virus > Advanced Settings
Click Security Services > Anti-Virus > HTTP Notification
Configuring HTTP Notification
Configuring Email Notification
Click Security Services > Anti-Virus > Email Notification
Updating Anti-Virus Signatures
Configuring Application Control
Updating Application Signature Database,
Configuring Application Control Policies
General Application Control Policy Settings
Important Tips
Adding an Application Control Policy
Permitting or Blocking Traffic for an Application
General Application Control Settings
Enabling Application Control Service
Mapping Application Control Policies to Zones
Configuring Application Control Policy Mapping Rules
Updating Application Signature Database
Advanced Application Control Settings
Click Update Database
Configuring Spam Filter
Click Security Services > Spam Filter
Configuring Intrusion Prevention
Configuring Signature Actions
Updating IPS Signature Database
Configuring Web Reputation Filtering
Click Security Services > Web Reputation Filtering
Configuring Web URL Filtering
Configuring Web URL Filtering Policy Profiles
Click Security Services > Web URL Filtering > Policy Profile
Configuring Website Access Control List
Configuring Advanced Web URL Filtering Settings
Click Security Services > Web URL Filtering > Advanced Settings
Mapping Web URL Filtering Policy Profiles to Zones
Network Reputation
VPN
About VPNs
Viewing IPsec VPN Status, Viewing SSL VPN Status,
Viewing VPN Status
Viewing IPsec VPN Status
VPN > VPN Status > IPsec VPN Status
Field Description
Viewing SSL VPN Status
VPN > VPN Status > SSL VPN Status
SSL VPN Statistics
Configuring a Site-to-Site VPN
Site-to-Site VPN
Configuration Tasks to Establish a Site-to-Site VPN Tunnel
General Site-to-Site VPN Settings
Click VPN > Site-to-Site > IPsec Policies
Configuring IPsec VPN Policies
Click VPN > Site-to-Site > IKE Policies
Configuring Transform Sets
Click VPN > Site-to-Site > Transform Policies
Remote Network
Remote Teleworker Configuration Examples
Field Setting
IKE Policy
Name Enable From
Transform
Destination Address Translated Services
Address Translated
Configuring IPsec Remote Access
Cisco VPN Client Compatibility
Then choose Cisco VPN Client
Enabling IPsec Remote Access
Configuring IPsec Remote Access Group Policies
Click VPN > IPsec Remote Access
Group Name
Allowing IPsec Remote VPN Clients to Access the Internet
IKE Authentication
WAN Interface
Name VPNClienttoWAN1 Enable From Any
Mode Client Pool Range for Client Start IP
Client Internet Disable Access WAN Failover
LAN
Name VPNClienttoWAN2 Enable From Any
WAN2
WAN2IP
Configuring Teleworker VPN Client
Translated Any Destination Address Translated Services
Required IPsec VPN Servers
Transform Set
Benefits of the Teleworker VPN Client Feature
Modes of Operation
Client Mode,
Client Mode
Network Extension Mode,
Network Extension Mode
IPsec VPN Network Extension Connection
General Teleworker VPN Client Settings
Click VPN > Teleworker VPN Client
Configuring Teleworker VPN Client Group Policies
Configuring SSL VPN
SSL Remote User Access
Elements of the SSL VPN
Configuration Tasks to Establish a SSL VPN Tunnel
Installing Cisco AnyConnect Secure Mobility Client
Configuring SSL VPN Gateway
Importing Certificates for User Authentication
Configuring SSL VPN Users
Click VPN > SSL Remote User Access > SSL VPN Configuration
Client Netmask Client Address Pool
Configuring SSL VPN Group Policies
Click VPN > SSL Remote User Access > SSL VPN Group Policies
Accessing SSL VPN Portal
Allowing SSL VPN Clients to Access the Internet
Address Original Destination Any Original Services
Enable From Any
Name SSLVPNtoWAN1 Enable From Any
Sslvpnaddresspool
Name SSLVPNtoWAN2 Enable From Any
Configuring L2TP Server
Click VPN > L2TP Server
Service
Configuring VPN Passthrough
Click VPN > VPN Passthrough
Viewing Active User Sessions
Users > Active User Sessions
Available Services for User Groups
Configuring Users and User Groups
Default User and User Group
User Management
Preempt Administrators
Configuring Local Users
Click Users > Users and Groups
Configuring Local User Groups
Configuring User Authentication Settings
Using Local Database for User Authentication
Using RADIUS Server for User Authentication
Click Users > User Authentication
Local Database Settings RADIUS Server Settings
Click Users > User Authentication
Using LDAP for User Authentication
Using Local Database and LDAP for Authentication
Configuring RADIUS Servers
Click Users > RADIUS Servers
Device Management
Viewing System Status
Viewing Process Status
Viewing Resource Utilization
Administration
Configuring Administrator Settings
Example: https://209.165.201.1:8080
Configuring Email Alert Settings
Click Device Management > Administration > Email Alert
New Firmware Alert
Event Description
CPU Overload Alert
Your Firmware from Cisco.com,
Settings page. See Configuring Log Settings,
Security License,
Log Facilities,
Check Site-to-Site VPN Up/Down Alert in the Enable column
Up/Down Alert
WAN Up/Down Alert
Traffic Meter Alert
Anti-Virus Alert
Settings. See Configuring Application Control,
IPS Alert
Configuring SNMP
Click Device Management > Administration > SNMP
Backing Up and Restoring a Configuration
Click Device Management > Backup/Restore
Managing Certificates for Authentication
Viewing Certificate Status and Details
Click Device Management > Certificate Management
Exporting Certificates to Your Local PC
Certificate Type Details
Exporting Certificates to a USB Device
Importing Certificates from Your Local PC
Importing Certificates from a USB Device
Generating New Certificate Signing Requests
Importing Signed Certificate for CSR from Your Local PC
Configuring Cisco Services and Support Settings
Configuring Cisco OnPlus
Configuring Remote Support Settings
Sending Contents for System Diagnosis
Configuring System Time
Click Device Management > Date and Time
Click Device Management > Device Properties
Configuring Device Properties
Diagnostic Utilities
Ping, Traceroute, DNS Lookup, Packet Capture,
Ping
Click Device Management > Diagnostic Utilities > Ping
Click Device Management > Diagnostic Utilities > Traceroute
Traceroute
Packet Capture
Device Discovery Protocols
DNS Lookup
UPnP Discovery, Bonjour Discovery, CDP Discovery,
UPnP Discovery
LLDP Discovery,
Click Device Management > Discovery Protocols > UPnP
Click Device Management > Discovery Protocols > Bonjour
Bonjour Discovery
CDP Discovery
Click Device Management > Discovery Protocols > CDP
LLDP Discovery
Click Device Management > Discovery Protocols > LLDP
Firmware Management
View the firmware status. See Viewing Firmware Information,
Viewing Firmware Information
Using the Secondary Firmware
Firmware Version area, click Switch Firmware
Click Device Management > Firmware
Upgrading your Firmware from Cisco.com
Upgrading Firmware from a PC or a USB Device
Using Rescue Mode to Recover the System
Firmware Auto Fall Back Mechanism
Managing Security License
Checking Security License Status
Click Device Management > License Management
Installing or Renewing Security License
Log Management
Viewing Logs
Click Device Management > Logs > View Logs
Click Query
Configuring Log Settings
Click Device Management > Logs > Log Settings
Critical level
Severity Level Description
Emergency level
Notification level
Configuring Log Facilities
Click Device Management > Logs > Log Facilities
Rebooting and Resetting the Device
Click Device Management > Reboot/Reset
Reset Device area, click Reset to Factory Defaults
Configuring Schedules
Rebooting the Security Appliance
Click Device Management > Schedules
Internet Connection
Recommended Actions
Troubleshooting
Click Status > Dashboard
Recommended Actions: Click Networking > WAN > WAN Settings
Enable the Daylight Saving Time Adjustment feature
Date and Time
Testing the LAN Path from Your PC to Your Security Appliance
Pinging to Test LAN Connectivity
Testing the LAN Path from Your PC to a Remote Device
Feature ISA550
ISA570
Internal Power Supply
Physical Specifications
Feature Setting
Remote Administration
Device Management
CDP
Factory Default Settings
SNMP
LLDP
User Management
User Groups
Local Users
IPv4 or IPv6 Routing
User Authentication Methods
Networking
Network Addressing Modes
Port-based Access Control
WAN Redundancy Operation Modes
VLANs
Zones
Routing
LAN QoS
VRRP
Wireless
Captive Portal
Wi-Fi Protected Setup (WPS)
Rogue AP Detection
IKE Policies
IPsec Remote Access
SSL VPN
Security Services
Features Setting
Firewall
MAC Address Filtering
Content Filtering
NAT
IP MAC Binding
Reports
Default Service Objects
Service Name Protocol Port Description Start End
FTP-DATA TCP
IKE UDP
Rtelnet TCP
Default Address Objects
Address Name Type IP, IP/Netmask, or IP Range
Product Documentation
Product Resources
Support
Cisco Small Business