Casio ISA550WBUN3K9 User Manual

ADMINISTRATION GUIDE
Cisco Small Business
ISA500 Series Integrated Security Appliances (ISA550, ISA550W, ISA570, ISA570W)
© 2013 Cisco Systems, Inc. All rights reserved. 78-20776-03
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Federal Communication Commission Interference Statement
(For ISA570 and ISA570W)
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.
(For ISA550 and ISA550W)
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/TV technician for help.
FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment.
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
IMPORTANT NOTE:
FCC Radiation Exposure Statement: (For ISA550W and ISA570W)
This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20cm between the radiator & your body.
This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.
The availability of some specific channels and/or operational frequency bands are country dependent and are firmware programmed at the factory to match the intended destination. The firmware setting is not accessible by the end user.
Industry Canada statement:
This device complies with RSS-210 of the Industry Canada Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
This device complies with Industry Canada's RSS-210 standard applicable to licence-exempt radio apparatus. Its operation is subject to the following two conditions: (1) the device must not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
IMPORTANT NOTE:
Canada Radiation Exposure Statement: (For ISA550W and ISA570W)
This equipment complies with Canada radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20 cm between the radiator and your body.
IMPORTANT NOTE: (For the use of mobile devices)
Radiation Exposure Statement:
This equipment complies with IC radiation exposure limits set forth for an uncontrolled environment. This equipment must be installed and operated with a minimum distance of 20 cm between the radiation source and your body.
This device has been designed to operate with an antenna having a maximum gain of 1.8 dBi. Antenna having a higher gain is strictly prohibited per regulations of Industry Canada. The required antenna impedance is 50 ohms.
Under Industry Canada regulations, this radio transmitter may only operate using an antenna of a type and maximum (or lesser) gain approved for the transmitter by Industry Canada. To reduce potential radio interference to other users, the antenna type and its gain should be so chosen that the equivalent isotropically radiated power (e.i.r.p.) is not more than that necessary for successful communication.
(The user manual for transmitter devices equipped with detachable antennas must contain the following information in a conspicuous location:)
This device has been designed to operate with an antenna having a maximum gain of 1.8 dBi. An antenna with a higher gain is strictly prohibited by Industry Canada regulations. The required antenna impedance is 50 ohms.
Under Industry Canada regulations, this radio transmitter may operate using an antenna of a type and maximum (or lesser) gain approved for the transmitter by Industry Canada. To reduce the risk of radio interference to other users, the antenna type and its gain must be chosen so that the equivalent isotropically radiated power (e.i.r.p.) does not exceed the level necessary for satisfactory communication.
UL/CB
Rack Mount Instructions - The following or similar rack-mount instructions are included with the installation instructions:
A) Elevated Operating Ambient - If installed in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient. Therefore, consideration should be given to installing the equipment in an environment compatible with the maximum ambient temperature (Tma) 40 degree C specified by the manufacturer.
B) Reduced Air Flow - Installation of the equipment in a rack should be such that the amount of air flow required for safe operation of the equipment is not compromised.
C) Mechanical Loading - Mounting of the equipment in the rack should be such that a hazardous condition is not achieved due to uneven mechanical loading.
D) Circuit Overloading - Consideration should be given to the connection of the equipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this concern.
Contents
Chapter 1: Getting Started 19
Introduction 20
Product Overview 21
Front Panel 21
Back Panel 23
Getting Started with the Configuration Utility 25
Logging in to the Configuration Utility 26
Navigating Through the Configuration Utility 27
Using the Help System 28
Configuration Utility Icons 28
Factory Default Settings 30
Default Settings of Key Features 30
Restoring the Factory Default Settings 31
Performing Basic Configuration Tasks 32
Changing the Default Administrator Password 32
Upgrading your Firmware After your First Login 33
Backing Up Your Configuration 34
Chapter 2: Configuration Wizards 35
Using the Setup Wizard for the Initial Configuration 36
Starting the Setup Wizard 37
Configuring Cisco.com Account Credentials 37
Enabling Firmware Upgrade 38
Validating Security License 39
Enabling Bonjour and CDP Discovery Protocols 39
Configuring Remote Administration 40
Configuring Physical Ports 41
Configuring the Primary WAN 42
Configuring the Secondary WAN 42
Configuring WAN Redundancy 42
Configuring Default LAN Settings 43
Configuring DMZ 44
Cisco ISA500 Series Integrated Security Appliances Administration Guide 6
Configuring DMZ Services 45
Configuring Wireless Radio Settings 47
Configuring Intranet WLAN Access 48
Configure Security Services 49
Viewing Configuration Summary 50
Using the Dual WAN Wizard to Configure WAN Redundancy Settings 51
Starting the Dual WAN Wizard 51
Configuring a Configurable Port as a Secondary WAN Port 51
Configuring the Primary WAN 52
Configuring the Secondary WAN 52
Configuring WAN Redundancy 52
Configuring Network Failure Detection 53
Viewing Configuration Summary 54
Using the Remote Access VPN Wizard 54
Using the Remote Access VPN Wizard for IPsec Remote Access 54
Starting the Remote Access VPN Wizard 55
Configuring IPsec Remote Access Group Policy 55
Configuring WAN Settings 56
Configuring Operation Mode 56
Configuring Access Control Settings 57
Configuring DNS and WINS Settings 57
Configuring Backup Servers 58
Configuring Split Tunneling 58
Viewing Group Policy Summary 58
Configuring IPsec Remote Access User Groups 59
Viewing IPsec Remote Access Summary 59
Using Remote Access VPN Wizard for SSL Remote Access 60
Starting the Remote Access VPN Wizard with SSL Remote Access 60
Configuring SSL VPN Gateway 60
Configuring SSL VPN Group Policy 62
Configuring SSL VPN User Groups 65
Viewing SSL VPN Summary 66
Using the Site-to-Site VPN Wizard to Configure Site-to-Site VPN 66
Starting the Site-to-Site VPN Wizard 67
Configuring VPN Peer Settings 67
Configuring IKE Policies 68
Configuring Transform Policies 69
Configuring Local and Remote Networks 70
Viewing Configuration Summary 70
Using the DMZ Wizard to Configure DMZ Settings 71
Starting the DMZ Wizard 71
Configuring DDNS Profiles 71
Configuring DMZ Network 72
Configuring DMZ Services 74
Viewing Configuration Summary 76
Using the Wireless Wizard (for ISA550W and ISA570W only) 76
Starting the Wireless Wizard 76
Configuring Wireless Radio Settings 76
Configuring Wireless Connectivity Types 77
Specify Wireless Connectivity Settings for All Enabled SSIDs 78
Viewing Configuration Summary 78
Configuring the SSID for Intranet WLAN Access 78
Configuring the SSID for Guest WLAN Access 80
Chapter 3: Status 84
Device Status Dashboard 84
Network Status 88
Status Summary 88
Traffic Statistics 91
Usage Reports 92
WAN Bandwidth Reports 94
ARP Table 95
DHCP Bindings 95
STP Status 96
CDP Neighbor 98
Wireless Status (for ISA550W and ISA570W only) 99
Wireless Status 99
Client Status 100
NAT Status 100
VPN Status 101
IPsec VPN Status 101
SSL VPN Status 103
Active User Sessions 105
Security Services Reports 106
Web Security Report 106
Anti-Virus Report 107
Email Security Report 108
Network Reputation Report 109
IPS Report 110
Application Control Report 111
System Status 112
Processes 112
Resource Utilization 113
Chapter 4: Networking 115
Viewing Network Status 116
Configuring IPv4 or IPv6 Routing 116
Managing Ports 116
Viewing Status of Physical Interfaces 117
Configuring Physical Ports 118
Configuring Port Mirroring 119
Configuring Port-Based (802.1x) Access Control 120
Configuring the WAN 122
Configuring WAN Settings for Your Internet Connection 122
Configuring WAN Redundancy 130
Dual WAN Settings 130
Configuring Link Failover Detection 132
Load Balancing with Policy-Based Routing Configuration Example 133
Configuring Dynamic DNS 134
Measuring and Limiting Traffic with the Traffic Meter 135
Configuring a VLAN 137
Configuring DMZ 141
Configuring Zones 146
Security Levels for Zones 146
Predefined Zones 147
Configuring Zones 147
Configuring DHCP Reserved IPs 149
Configuring Routing 149
Viewing the Routing Table 150
Configuring Routing Mode 150
Configuring Static Routing 151
Configuring Dynamic Routing - RIP 152
Configuring Policy-Based Routing 153
Configuring Quality of Service 155
General QoS Settings 155
Configuring WAN QoS 156
Managing WAN Bandwidth for Upstream Traffic 156
Configuring WAN Queue Settings 157
Configuring Traffic Selectors 158
Configuring WAN QoS Policy Profiles 160
Configuring WAN QoS Class Rules 160
Mapping WAN QoS Policy Profiles to WAN Interfaces 161
WAN QoS Configuration Example 162
Configure WAN QoS for Voice Traffic from LAN to WAN 164
Configuring WAN QoS for Voice Traffic from WAN to LAN 165
Configuring LAN QoS 166
Configuring LAN Queue Settings 167
Configuring LAN QoS Classification Methods 167
Mapping CoS to LAN Queue 168
Mapping DSCP to LAN Queue 168
Configuring Default CoS 169
Configuring Wireless QoS 169
Default Wireless QoS Settings 169
Configuring Wireless QoS Classification Methods 170
Mapping CoS to Wireless Queue 171
Mapping DSCP to Wireless Queue 171
Understanding DSCP Values 171
Configuring IGMP 172
Configuring VRRP 173
Address Management 175
Configuring Addresses 175
Configuring Address Groups 176
Service Management 177
Configuring Services 177
Configuring Service Groups 178
Configuring Captive Portal 179
Requirements 179
Before You Begin 180
VLAN Setup 180
Wireless Setup 181
User Authentication 181
Configuring a Captive Portal 181
Troubleshooting 185
Using External Web-Hosted CGI Scripts 186
CGI Source Code Example: No Authentication and Accept Button 195
Related Information 204
Chapter 5: Wireless (for ISA550W and ISA570W only) 206
Viewing Wireless Status 207
Viewing Wireless Statistics 207
Viewing Wireless Client Status 208
Configuring the Basic Settings 208
Configuring SSID Profiles 210
Configuring Wireless Security 211
Controlling Wireless Access Based on MAC Addresses 217
Mapping the SSID to VLAN 218
Configuring SSID Schedule 218
Configuring Wi-Fi Protected Setup 219
Configuring Captive Portal 221
Requirements 222
Before You Begin 222
VLAN Setup 222
Wireless Setup 223
User Authentication 223
Configuring a Captive Portal 223
Troubleshooting 227
Using External Web-Hosted CGI Scripts 228
CGI Source Code Example: No Authentication and Accept Button 237
Related Information 246
Configuring Wireless Rogue AP Detection 247
Advanced Radio Settings 248
Chapter 6: Firewall 251
Configuring Firewall Rules to Control Inbound and Outbound Traffic 252
About Security Zones 252
Default Firewall Settings 254
Priorities of Firewall Rules 255
Preliminary Tasks for Configuring Firewall Rules 255
General Firewall Settings 256
Configuring a Firewall Rule 257
Configuring a Firewall Rule to Allow Multicast Traffic 259
Configuring Firewall Logging Settings 260
Configuring NAT Rules to Securely Access a Remote Network 261
Viewing NAT Translation Status 262
Priorities of NAT Rules 263
Configuring Dynamic PAT Rules 264
Configuring Static NAT Rules 265
Configuring Port Forwarding Rules 266
Configuring Port Triggering Rules 268
Configuring Advanced NAT Rules 269
Configuring IP Alias for Advanced NAT rules 270
Configuring an Advanced NAT Rule to Support NAT Hairpinning 272
Firewall and NAT Rule Configuration Examples 274
Allowing Inbound Traffic Using the WAN IP Address 274
Allowing Inbound Traffic Using a Public IP Address 276
Allowing Inbound Traffic from Specified Range of Outside Hosts 279
Blocking Outbound Traffic by Schedule and IP Address Range 280
Blocking Outbound Traffic to an Offsite Mail Server 280
Configuring Content Filtering to Control Internet Access 281
Configuring Content Filtering Policy Profiles 281
Configuring Website Access Control List 282
Mapping Content Filtering Policy Profiles to Zones 283
Configuring Advanced Content Filtering Settings 284
Configuring MAC Address Filtering to Permit or Block Traffic 285
Configuring IP-MAC Binding to Prevent Spoofing 286
Configuring Attack Protection 287
Configuring Session Limits 288
Configuring Application Level Gateway 289
Chapter 7: Security Services 291
About Security Services 292
Activating Security Services 293
Priority of Security Services 293
Security Services Dashboard 294
Viewing Security Services Reports 295
Viewing Web Security Report 296
Viewing Anti-Virus Report 297
Viewing Email Security Report 298
Viewing Network Reputation Report 299
Viewing IPS Report 300
Viewing Application Control Report 301
Configuring Anti-Virus 302
General Anti-Virus Settings 303
Configuring Advanced Anti-Virus Settings 306
Configuring HTTP Notification 307
Configuring Email Notification 307
Updating Anti-Virus Signatures 308
Configuring Application Control 309
Configuring Application Control Policies 310
General Application Control Policy Settings 310
Adding an Application Control Policy 311
Permitting or Blocking Traffic for all Applications in a Category 312
Permitting or Blocking Traffic for an Application 313
General Application Control Settings 314
Enabling Application Control Service 315
Mapping Application Control Policies to Zones 315
Configuring Application Control Policy Mapping Rules 316
Updating Application Signature Database 317
Advanced Application Control Settings 318
Configuring Spam Filter 319
Configuring Intrusion Prevention 321
Configuring Signature Actions 323
Updating IPS Signature Database 324
Configuring Web Reputation Filtering 325
Configuring Web URL Filtering 327
Configuring Web URL Filtering Policy Profiles 328
Configuring Website Access Control List 329
Mapping Web URL Filtering Policy Profiles to Zones 330
Configuring Advanced Web URL Filtering Settings 330
Network Reputation 332
Chapter 8: VPN 333
About VPNs 334
Viewing VPN Status 335
Viewing IPsec VPN Status 335
Viewing SSL VPN Status 337
Configuring a Site-to-Site VPN 340
Configuration Tasks to Establish a Site-to-Site VPN Tunnel 341
General Site-to-Site VPN Settings 341
Configuring IPsec VPN Policies 343
Configuring IKE Policies 349
Configuring Transform Sets 351
Remote Teleworker Configuration Examples 352
Configuring IPsec Remote Access 355
Cisco VPN Client Compatibility 356
Enabling IPsec Remote Access 357
Configuring IPsec Remote Access Group Policies 357
Allowing IPsec Remote VPN Clients to Access the Internet 360
Configuring Teleworker VPN Client 363
Required IPsec VPN Servers 364
Benefits of the Teleworker VPN Client Feature 365
Modes of Operation 365
Client Mode 366
Network Extension Mode 367
General Teleworker VPN Client Settings 368
Configuring Teleworker VPN Client Group Policies 369
Configuring SSL VPN 372
Elements of the SSL VPN 373
Configuration Tasks to Establish a SSL VPN Tunnel 374
Installing Cisco AnyConnect Secure Mobility Client 375
Importing Certificates for User Authentication 376
Configuring SSL VPN Users 376
Configuring SSL VPN Gateway 376
Configuring SSL VPN Group Policies 379
Accessing SSL VPN Portal 382
Allowing SSL VPN Clients to Access the Internet 382
Configuring L2TP Server 385
Configuring VPN Passthrough 387
Chapter 9: User Management 388
Viewing Active User Sessions 388
Configuring Users and User Groups 389
Default User and User Group 389
Available Services for User Groups 389
Preempt Administrators 390
Configuring Local Users 390
Configuring Local User Groups 391
Configuring User Authentication Settings 393
Using Local Database for User Authentication 394
Using RADIUS Server for User Authentication 394
Using Local Database and RADIUS Server for User Authentication 397
Using LDAP for User Authentication 398
Using Local Database and LDAP for Authentication 400
Configuring RADIUS Servers 401
Chapter 10: Device Management 403
Viewing System Status 404
Viewing Process Status 404
Viewing Resource Utilization 404
Administration 405
Configuring Administrator Settings 406
Configuring Remote Administration 407
Configuring Email Alert Settings 408
Configuring SNMP 415
Backing Up and Restoring a Configuration 416
Managing Certificates for Authentication 418
Viewing Certificate Status and Details 419
Exporting Certificates to Your Local PC 420
Exporting Certificates to a USB Device 421
Importing Certificates from Your Local PC 421
Importing Certificates from a USB Device 422
Generating New Certificate Signing Requests 422
Importing Signed Certificate for CSR from Your Local PC 423
Configuring Cisco Services and Support Settings 424
Configuring Cisco.com Account 424
Configuring Cisco OnPlus 425
Configuring Remote Support Settings 426
Sending Contents for System Diagnosis 426
Configuring System Time 427
Configuring Device Properties 428
Diagnostic Utilities 428
Ping 429
Traceroute 429
DNS Lookup 430
Packet Capture 430
Device Discovery Protocols 430
UPnP Discovery 431
Bonjour Discovery 432
CDP Discovery 432
LLDP Discovery 433
Firmware Management 434
Viewing Firmware Information 435
Using the Secondary Firmware 435
Upgrading your Firmware from Cisco.com 436
Upgrading Firmware from a PC or a USB Device 437
Firmware Auto Fall Back Mechanism 438
Using Rescue Mode to Recover the System 438
Managing Security License 439
Checking Security License Status 440
Installing or Renewing Security License 441
Log Management 442
Viewing Logs 442
Configuring Log Settings 444
Configuring Log Facilities 447
Rebooting and Resetting the Device 448
Restoring the Factory Default Settings 448
Rebooting the Security Appliance 449
Configuring Schedules 449
Appendix A: Troubleshooting 453
Internet Connection 453
Date and Time 456
Pinging to Test LAN Connectivity 457
Testing the LAN Path from Your PC to Your Security Appliance 457
Testing the LAN Path from Your PC to a Remote Device 458
Appendix B: Technical Specifications and Environmental Requirements 459
Appendix C: Factory Default Settings 461
Device Management 461
User Management 463
Networking 464
Wireless 468
VPN 469
Security Services 471
Firewall 471
Reports 473
Default Service Objects 474
Default Address Objects 478
Appendix D: Where to Go From Here 479

Getting Started

This chapter provides an overview of the Cisco ISA500 Series Integrated Security Appliance and describes basic configuration tasks to help you configure your security appliance. It includes the following sections:
Introduction, page 20
Product Overview, page 21
Getting Started with the Configuration Utility, page 25
Factory Default Settings, page 30
Performing Basic Configuration Tasks, page 32
NOTE For information about how to physically install your security appliance, see the Cisco ISA500 Series Integrated Security Appliances Quick Start Guide at: www.cisco.com/go/isa500resources.

Introduction

Thank you for choosing the Cisco ISA500 Series Integrated Security Appliance, a member of the Small Business Family. The ISA500 Series is a set of Unified Threat Management (UTM) security appliances that provide business-class security gateway solutions with dual WAN, DMZ, zone-based firewall, site-to-site and remote access VPN (including IPsec Remote Access, Teleworker VPN Client, and SSL VPN) support, and Internet threat protection, such as Intrusion Prevention (IPS), Anti-Virus, Application Control, Web URL Filtering, Web Reputation Filtering, Spam Filter, and Network Reputation. The ISA550W and ISA570W include 802.11b/g/n access point capabilities.
The following table lists the available model numbers.
Model | Description | Configuration
ISA550 | Cisco ISA550 Integrated Security Appliance | 1 WAN port, 2 LAN ports, 4 configurable ports, and 1 USB 2.0 port
ISA550W | Cisco ISA550 Integrated Security Appliance with Wi-Fi | 1 WAN port, 2 LAN ports, 4 configurable ports, 1 USB 2.0 port, and 802.11b/g/n
ISA570 | Cisco ISA570 Integrated Security Appliance | 1 WAN port, 4 LAN ports, 5 configurable ports, and 1 USB 2.0 port
ISA570W | Cisco ISA570 Integrated Security Appliance with Wi-Fi | 1 WAN port, 4 LAN ports, 5 configurable ports, 1 USB 2.0 port, and 802.11b/g/n
NOTE Any configurable port can be configured to be a WAN, DMZ, or LAN port. Only one configurable port can be configured as a WAN port at a time. Up to 4 configurable ports can be configured as DMZ ports.

Product Overview

Before you use the security appliance, become familiar with the lights on the front panel and the ports on the rear panel.
Front Panel, page 21
Back Panel, page 23

Front Panel

[Figure: ISA550 Front Panel]
[Figure: ISA550W Front Panel]
[Figure: ISA570 Front Panel]
[Figure: ISA570W Front Panel]
Front Panel Lights
The following table describes the lights on the front panel of the security appliance. These lights are used for monitoring system activity.
Light | Description
POWER/SYS | Indicates the power and system status. Solid green when the system is powered on and is operating normally. Flashes green when the system is booting. Solid amber when the system has a booting problem, a device error occurs, or the system has a problem.
VPN | Indicates the site-to-site VPN connection status. Solid green when there are active site-to-site VPN connections. Flashes green when attempting to establish a site-to-site VPN tunnel. Flashes amber when the system is experiencing problems setting up a site-to-site VPN connection and there is no VPN connection.
USB | Indicates the USB device status. Solid green when a USB device is detected and is operating normally. Flashes green when the USB device is transmitting and receiving data.
WLAN (ISA550W and ISA570W only) | Indicates the WLAN status. Solid green when the WLAN is up. Flashes green when the WLAN is transmitting and receiving data.
SPEED | Indicates the traffic rate of the associated port. Off when the traffic rate is 10 or 100 Mbps. Solid green when the traffic rate is 1000 Mbps.
LINK/ACT | Indicates that a connection is being made through the port. Solid green when the link is up. Flashes green when the port is transmitting and receiving data.

Back Panel

The back panel is where you connect the network devices. The ports on the panel vary depending on the model.
[Figure: ISA550 and ISA550W Back Panel]
[Figure: ISA570 and ISA570W Back Panel]
Back Panel Descriptions
Feature | Description
ANT01/ANT02 | Threaded connectors for the antennas (for ISA550W and ISA570W only).
USB Port | Connects the unit to a USB device. You can use a USB device to save and restore system configuration, or to upgrade the firmware.
Configurable Ports | Can be set to operate as WAN, LAN, or DMZ ports. ISA550 and ISA550W have 4 configurable ports. ISA570 and ISA570W have 5 configurable ports. NOTE: Only one configurable port can be configured as a WAN port at a time. Up to 4 configurable ports can be configured as DMZ ports.
LAN Ports | Connects PCs and other network appliances to the unit. ISA550 and ISA550W have 2 dedicated LAN ports. ISA570 and ISA570W have 4 dedicated LAN ports.
WAN Port | Connects the unit to a DSL or a cable modem, or other WAN connectivity device.
RESET Button | To reboot the unit, push and release the RESET button for less than 3 seconds. To restore the unit to its factory default settings, push and hold the RESET button for more than 3 seconds while the unit is powered on and the POWER/SYS light is solid green. The POWER/SYS light will flash green when the system is rebooting.
Power Switch | Powers the unit on or off.
Power Connector | Connects the unit to power using the supplied power cord and adapter.

Getting Started with the Configuration Utility

The ISA500 Series Configuration Utility is a web-based device manager that is used to provision the security appliance. To use this utility, you must be able to connect to the security appliance from a PC or laptop. You can access the Configuration Utility by using the following web browsers:
Microsoft Internet Explorer 8 and 9
Mozilla Firefox 3.6.x, 5, and 6
NOTE The minimum recommended display resolution for the PC running the Web browser used to access the Configuration Utility is 1024 x 768.
This section includes the following topics:
Logging in to the Configuration Utility, page 26
Navigating Through the Configuration Utility, page 27
Using the Help System, page 28
Configuration Utility Icons, page 28

Logging in to the Configuration Utility

STEP 1 Connect your computer to an available LAN port on the back panel. Your PC will become a DHCP client of the security appliance and will receive an IP address in the 192.168.75.x range.
STEP 2 Start a web browser. In the address bar, enter the default IP address of the security appliance: 192.168.75.1.
NOTE: The above address is the factory default LAN address. If you change this setting, enter the new IP address to connect to the Configuration Utility.
STEP 3 When the login page opens, enter the username and password. The default username is cisco. The default password is cisco. Usernames and passwords are case sensitive.
STEP 4 Click Login.
STEP 5 For security purposes, you must change the default password of the default administrator account. Set a new administrator password and click OK.
STEP 6 If you can access the Internet and a newer firmware is detected, the Firmware Upgrade window opens. Follow the on-screen prompts to download and install the firmware. See Upgrading your Firmware After your First Login, page 33.
STEP 7 If you cannot access the Internet or you are using the latest firmware, the Setup Wizard will now launch. Follow the on-screen prompts to complete the initial configuration. See Using the Setup Wizard for the Initial Configuration, page 36.

Navigating Through the Configuration Utility

Use the left hand navigation pane to perform the tasks in the Configuration Utility.
Number | Component | Description
1 | Left Hand Navigation Pane | The left hand navigation pane provides easy navigation through the configurable features. The main branches expand to provide the features. Click the main branch title to expand its contents. Click the triangle next to a feature to expand or contract its sub-features. Click the title of a feature or sub-feature to open it.
2 | Main Content | The main content of the feature or sub-feature appears in this area.

Using the Help System

The Configuration Utility provides a context-sensitive help file for all configuration tasks. To view the Help page, click the Help link in the top right corner of the screen. A new window opens with information about the page that you are currently viewing.

Configuration Utility Icons

The Configuration Utility has icons for commonly used configuration options. The following table describes these icons:
Icon Description | Action
Add icon | Add an entry.
Edit icon | Edit an entry.
Duplicate icon | Create a copy of an existing entry.
Delete icon | Delete an entry or delete multiple selected entries.
Move icon | Move an item to a specific location.
Move down icon | Move an item down one position.
Move up icon | Move an item up one position.
Expand triangle icon | Expand the sub-features of a feature in the left navigation pane or expand the items under a category.
Contract triangle icon | Contract the sub-features of a feature in the left navigation pane or contract the items under a category.
Connect icon | Establish a VPN connection.
Disconnect or Logout icon | Terminate a VPN connection or an active user session.
Forced Authorized icon | Disable 802.1x access control and cause the port to transition to the authorized state without any authentication exchange required.
Forced Unauthorized icon | Cause the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate.
Auto icon | Enable 802.1x access control and cause the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port.
Import PC icon | Import a local certificate or a CA certificate from PC.
Export to USB or Import from USB icon | Export a local certificate, a CA certificate, or a Certificate Signing Request to a USB key, or import a local certificate or a CA certificate from a USB key.
Details icon | View the details of a certificate or a Certificate Signing Request.
Download icon | Download a local certificate, a CA certificate, or a Certificate Signing Request to PC.
Upload icon | Upload a signed certificate for the Certificate Signing Request from PC.
Install or Renew icon | Install the security license.
Refresh icon | Refresh the data.
Reset icon | Reset the device to the factory defaults, or renew the security license.
Check for Updates Now icon | Check for new signature updates from Cisco’s signature server immediately.
Credentials icon | View the device credentials.
Email Alerts icon | View or configure the email alert settings.

Factory Default Settings

The security appliance is preconfigured with settings to allow you to start using the device with minimal changes. Depending on the requirements of your Internet Service Provider (ISP) and the needs of your business, you may need to modify some of these settings. You can use the Configuration Utility to customize all settings, as needed.
This section includes the following topics:
Default Settings of Key Features
Restoring the Factory Default Settings

Default Settings of Key Features

The default settings of key features are described below. For a full list of all factory default settings, see Factory Default Settings, page 461.
IP Routing Mode: By default, only the IPv4 mode is enabled. To support IPv4 and IPv6 addressing, enable the IPv4/IPv6 mode. See Configuring IPv4 or IPv6 Routing, page 116.
WAN Configuration: By default, the security appliance is configured to obtain an IP address from your ISP using Dynamic Host Configuration Protocol (DHCP). Depending on the requirement of your ISP, configure the network addressing mode for the primary WAN. You can change other WAN settings as well. See Configuring WAN Settings for Your Internet Connection, page 122.
LAN Configuration: By default, the LAN of the security appliance is configured in the 192.168.75.0 subnet and the LAN IP address is 192.168.75.1. The security appliance acts as a DHCP server to the hosts on the LAN network. It can automatically assign IP addresses and DNS server addresses to the PCs and other devices on the LAN. For most deployment scenarios, the default DHCP and TCP/IP settings should be satisfactory. However, you can change the subnet address or the default IP address. See Configuring a VLAN, page 137.
VLAN Configuration: The security appliance predefines a native VLAN (DEFAULT) and a guest VLAN (GUEST). You can customize the predefined VLANs or create new VLANs for your specific business needs. See Configuring a VLAN, page 137.