Firewall
Configuring NAT Rules to Securely Access a Remote Network
Cisco ISA500 Series Integrated Security Appliances Administration Guide 268
6
Configuring Port Triggering Rules
Port triggering opens an incoming port for a specified type of traffic on a defined
outgoing port. When a LAN device makes a connection on one of the defined
outgoing ports, the security appliance opens the specified incoming port to
support the exchange of data. The opened ports are closed again after 600
seconds, once the data exchange is complete.
Port triggering is more flexible and secure than port forwarding, because the
incoming ports are not open all the time. They are open only when a program is
actively using the trigger port.
Some applications may require port triggering. Such applications require that,
when external devices connect to them, they receive data on a specific port or
range of ports in order to function properly. The security appliance must send all
incoming data for that application only on the required port or range of ports. You
can specify a port triggering rule by defining the type of traffic (TCP or UDP) and
the range of incoming and outgoing ports to open when enabled.
NOTE Up to 15 port triggering rules can be configured on the security appliance. Port
triggering is not appropriate for servers on the LAN, because the LAN device must
make an outgoing connection before an incoming port is opened. For servers on the
LAN, create port forwarding rules instead.
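To make the behaviour described above concrete, the following Python model tracks port-triggering state the way the text describes it: an outbound connection on the trigger port opens the rule's inbound ports toward the triggering LAN host, and unsolicited inbound traffic with no live trigger is dropped, which is why a LAN server needs port forwarding instead. This is an added example, not code from the Cisco guide or the ISA500 firmware. The rule fields mirror the Add/Edit window, the 600-second timeout and the 15-rule limit come from the text, and the decisions to refresh the timer on matching inbound traffic and to remember only the most recent triggering host per rule are assumptions of the model, as are the sample rule and the 192.0.2.0/24 addresses.

```python
"""Simplified model of a port-triggering state table (added example, not ISA500 code).

Rules are matched on outbound LAN traffic; a match opens the rule's inbound
ports toward the LAN host that triggered it, and the opening expires after
600 seconds (the timeout quoted in the guide). Inbound traffic with no live
trigger is dropped.
"""
from dataclasses import dataclass

TRIGGER_TIMEOUT = 600  # seconds, as stated in the guide
MAX_RULES = 15         # maximum number of port triggering rules, as stated in the guide


@dataclass(frozen=True)
class PortTriggerRule:
    description: str
    triggered_proto: str    # "TCP" or "UDP": the outgoing (trigger) service
    triggered_port: int
    opened_proto: str       # "TCP" or "UDP": the incoming (opened) service
    opened_ports: tuple     # inclusive (low, high) port range opened toward the LAN host


@dataclass
class Opening:
    rule: PortTriggerRule
    lan_host: str           # LAN host that triggered the rule
    expires_at: float       # absolute time at which the opening closes


class PortTriggerTable:
    def __init__(self, rules):
        if len(rules) > MAX_RULES:
            raise ValueError(f"at most {MAX_RULES} port triggering rules are supported")
        self.rules = list(rules)
        # One opening per rule: assumption of this model, the most recent trigger wins.
        self.openings = {}

    def _expire(self, now):
        """Drop openings whose timer has run out."""
        for rule, opening in list(self.openings.items()):
            if opening.expires_at <= now:
                del self.openings[rule]

    def on_outbound(self, now, lan_host, proto, dst_port):
        """A LAN host opens a connection; if it matches a trigger, open the rule's
        inbound ports toward that host. Returns the matched rule or None."""
        self._expire(now)
        for rule in self.rules:
            if rule.triggered_proto == proto and rule.triggered_port == dst_port:
                self.openings[rule] = Opening(rule, lan_host, now + TRIGGER_TIMEOUT)
                return rule
        return None

    def on_inbound(self, now, proto, dst_port):
        """Unsolicited traffic from the WAN. Returns the LAN host to deliver it to,
        or None when no live trigger exists and the packet must be dropped."""
        self._expire(now)
        for rule, opening in self.openings.items():
            low, high = rule.opened_ports
            if rule.opened_proto == proto and low <= dst_port <= high:
                # Assumption: ongoing data exchange keeps the opening alive.
                opening.expires_at = now + TRIGGER_TIMEOUT
                return opening.lan_host
        return None


# Constructed sample rule: trigger on outbound TCP/6000, open inbound UDP 7000-7010.
SAMPLE_RULE = PortTriggerRule("sample-app", "TCP", 6000, "UDP", (7000, 7010))


def demo():
    """Walk through the lifecycle of one opening; returns the observed decisions."""
    table = PortTriggerTable([SAMPLE_RULE])
    return {
        "before_trigger": table.on_inbound(0, "UDP", 7005),               # dropped
        "trigger": table.on_outbound(10, "192.0.2.10", "TCP", 6000),      # rule matched
        "after_trigger": table.on_inbound(20, "UDP", 7005),               # delivered
        "wrong_proto": table.on_inbound(20, "TCP", 7005),                 # dropped
        "after_timeout": table.on_inbound(20 + TRIGGER_TIMEOUT, "UDP", 7005),  # dropped
    }


if __name__ == "__main__":
    for event, decision in demo().items():
        print(f"{event:15s} -> {decision}")
```

The "before_trigger" and "after_timeout" cases are the security property the guide is pointing at: the inbound range is reachable only while a LAN host has recently used the trigger port, unlike a port forwarding rule, which exposes the port permanently.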
STEP 1 Click Firewall > NAT > Port Triggering.
STEP 2 To enable a port triggering rule, check the box in the Enable column.
STEP 3 To add a new port triggering rule, click Add.
Other options: To edit an entry, click the Edit (pencil) icon. To delete an entry, click
the Delete (x) icon. To delete multiple entries, check them and click Delete.
The Port Triggering Rule - Add/Edit window opens.
STEP 4 Enter the following information:
Description: Enter the name for the port triggering rule.
Triggered Service: Choose an outgoing TCP or UDP service.
Opened Service: Choose an incoming TCP or UDP service.
If the service that you want is not in the list, choose Create a new service to
create a new service object. To maintain the service objects, go to the
Networking > Service Management page. See Service Management,
page 177.