GemTek Technology ISA570 User Manual

ADMINISTRATION

GUIDE

Cisco Small Business

ISA500 Series Integrated Security Appliance

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Federal Communication Commission Interference Statement

(For ISA570 and ISA570W)

This equipment has been tested and found to compl y with the limits for a Class A digital d evice, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmfu l interference when the equipment is operated in a commercial environment. This equipment genera tes, uses, and can radiate radio frequency energy and, if not insta lled and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.

(For ISA550 and ISA550W)

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuan t to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, us es and can radi ate radio frequency energy and, if not installed and used in accordance with the instructi ons, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:

• Reorient or relocate the receiving antenna.

• Increase the separation between the equipment and receiver.

• Connect the equipment into an outlet on a circuit different from that to which the receiver is

connected.

• Consult the dealer or an experienced radio/TV technician for help.

FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment.

This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

IMPORTANT NOTE:

FCC Radiation Exposure Statement: (For ISA550W and ISA570W)

This equipment complies with FCC radiation exposure limits set forth for an uncontrol led environment. This equipment should be installed and operated with minimum distance 20cm between the radiator & your body.

This transmitter must not be co-located or operating in conjunction with any oth er antenna or transmitter. The availability of some specific channels and/or operational frequency bands are country dependent

and are firmware programmed at the factory to match the intended destination. The firmware setting is not accessible by the end user.

Industry Canada statement:

This device complies with RSS-210 of the Industry Canada Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and ( 2) this device must accept any interference received, including interference that may cause undesired operation.

OL-23370-01

Ce dispositif est conforme à la norme CNR-210 d'Industrie Canada applicable aux appareils radio exempts de licence. Son fonctionnement est sujet aux deux conditions suivantes: (1) le dispositif ne doi t pas produire de brouillage préjudiciable, et (2) ce dispositif doit accepter tout brouill age reçu, y compris un brouillage susceptible de provoquer un fonctionnement indésirable.

IMPORTANT NOTE:

Canada Radiation Exposure Statement: (For ISA550W and ISA570W)

This equipment complies with Canada radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20cm between the radiator and your body.

NOTE IMPORTANTE: (Pour l'utilisation de dispositifs mobiles)

Déclaration d'exposition aux radiations:

Cet équipement est conforme aux limites d'exposition aux rayonnements IC établies pour un environnement non contrôlé. Cet équipement doit être installé et utilisé avec un minimum de 20 cm de distance entre la source de rayonnement et votre corps.

This device has been designed to operate with an antenna having a maximum ga in of 1.8 dBi. Antenna having a higher gain is strictly prohibited per regulations of Industry Canada. The required antenna impedance is 50 ohms.

Under Industry Canada regulations, this radio transmitter may only operate using an antenna of a type and maximum (or lesser) gain approved for the transmitter by Industry Canada. To reduce potential radio interference to other users, the antenna type and its gain should be so chosen that the equivalent isotropically radiated power (e.i.r.p.) is not more than that necessary for successful communication.

(Le manuel d'utilisation de dispositifs émetteurs équipés d'antennes amovibles doit contenir les informations suivantes dans un endroit bien en vue:) Ce dispositif a été conçu pour fonctionner avec une antenne ayant un gain maximal de 1.8 dBi. Une antenne à gain plus élevé est strictement interdite par les règlements d'Industrie Canada. L'impédance d'antenne requise est de 50 ohms.

Conformément à la réglementation d'Industrie Canada, le présent émetteur radio peutfonctionner avec une antenne d'un type et d'un gain maximal (ou inférieur) approuvé pourl'émetteur par Ind ustrie Canada. Dans le but de réduire les risques de brouillage radioélectriqueà l'intention des aut res utilisateurs, il faut choisir le type d'antenne et son gain de sorte que lapuissance isotrope rayonnée équivalente (p.i.r.e.) ne dépasse pas l'intensité nécessaire àl'établissement d'une communication satisfaisante.

UL/CB

Rack Mount Instructions - The following or similar rack-mount instructions are included with the installation instructions:

A) Elevated Operating Ambient - If installed in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient. Therefore, consideration should be given to installing the equipment in an environment compatible with the maximum ambient temperature (Tma) 40 degree C specified by the manufacturer.

B) Reduced Air Flow - Installation of the equipment in a rack should be such that the amount of air flow required for safe operation of the equipment is not compromised.

C) Mechanical Loading - Mounting of the equipment in the rack should be such that a hazardous condition is not achieved due to uneven mechanical loading.

OL-23370-01

D) Circuit Overloading - Consideration should be given to the connection of the equ ipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this concern.

OL-23370-01

Contents

Chapter 1: Getting Started 12

Introduction 12

Feature Overview 13

Device Overview 14

Front Panel 14

Back Panel 17

Installation 18

Before You Begin 19

Installation Options 19

Placement Tips 19

Wall Mounting 20 Rack Mounting 21

Hardware Installation 22

Getting Started with the Configuration Utility 23

Launching the Configuration Utility 23

Navigating Through the Configuration Utility 24

Using the Help System 25

Using the Management Buttons 25

About the Default Settings 25

Performing Common Configuration Tasks 27

Changing the User Name and Password of the Default Administrator Account at Your First Login 27

Saving Your Configuration 28

Upgrading the Firmware if needed 29

Resetting the Device 30

Chapter 2: Wizards 32

Using the Startup Wizard 32

Using the Wireless Wizard to Configure the Wireless Settings for ISA550W and ISA570W 40

Using the Wireless Wizard to Configure the Wireless Settings 41 Configuring the SSID for Intranet WLAN Access 43 Configuring the SSID for Guest WLAN Access 44 Configuring the SSID for Guest WLAN Access (Captive Portal) 45

Cisco ISA500 Series Integrated Security Appliance Administration Guide 1

Contents

Using the DMZ Wizard to Configure the DMZ Settings 46

Using the DMZ Wizard to Configure the DMZ Settings 47 Configuring the DMZ 48 Configuring the DMZ Services 49

Using the Dual WAN Wizard to Configure the WAN Redundancy Settings 51

Using the Site-to-Site Wizard to Establish the Site-to-Site VPN Tunnels 53

Using the Site-to-Site Wizard to Establish the Site-to-Site VPN tunnel 53 Configuring the IKE Policies 55 Configuring the Transform Policies 57

Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote Access 58

Using Cisco IPSec VPN to Establish the IPSec VPN Tunnels 58 Configuring the Cisco IPSec VPN User Groups 63 Using SSL VPN to Establish the SSL VPN Tunnels 63 Configuring the SSL VPN Group Policies 66 Configuring the SSL VPN User Groups 69

Chapter 3: Status 70

System Status 70

Interface Status 74

ARP Table 74

DHCP Pool Assignment 75

Interface 75

Interface Statistics 77

Wireless Status for ISA550W and ISA570W 79

Wireless Status 80

Client Status 81

Active Users 81

VPN Status 81

IPSec VPN Status 82

SSL VPN Status 83

Reports 85

Reports of Event Logs 86

Reports of WAN Bandwidth 87

Reports of Security Services 87

Cisco ISA500 Series Integrated Security Appliance Administration Guide 2

Web Security Blocked Report 88 Anti-Virus Report 88 Email Security Report 89 Network Reputation Report 90 IPS Policy Protocol Inspection Report 90 IM and P2P Blocking Report 91

Contents

Process Status 92

Resource Utilization 92

Chapter 4: Networking 94

Configuring IP Routing Mode 95

Port Management 95

Viewing the Status of Physical Interfaces 95

Configuring the Physical Interfaces 96

Configuring 802.1X Access Control on Physical Ports 98

Configuring the Port Mirroring 100

Configuring the WAN 101

Configuring the Primary WAN 101

Configuring the Secondary WAN 104

Configuring the Network Addressing Mode 106

Configuring the PPPoE Profiles 111

Configuring the WAN Redundancy 112

Loading Balancing for WAN Redundancy 113

Load Balancing with Policy-based Routing Configuration Example 115

Failover for WAN Redundancy 116

Routing Table for WAN Redundancy 117

Configuring the Link Failover Detection 117

Configuring the VLAN 118

Configuring the VLANs 119

Configuring DHCP Reserved IPs 122

Configuring the DMZ 123

Configuring the Zones 127

Security Levels for Zones 128

Predefined Zones 128

Cisco ISA500 Series Integrated Security Appliance Administration Guide 3

Contents

Configuring the Zones 129

Configuring the Routing 130

Configuring the Routing Mode 131

Viewing the Routing Table 131

Configuring the Static Routing 132

Configuring the Dynamic Routing 133

Configuring Policy-based Routing Settings 134

Priority of Routing Rules 136

Dynamic DNS 136

IGMP 138

VRRP 139

Configuring the Quality of Service 140

General QoS Settings 141

Configuring the WAN QoS 141

Managing the WAN Bandwidth for Upstream Traffic 142 Configuring the WAN Queue Settings 142 Configuring the Traffic Selectors for WAN Interfaces 144 Configuring the WAN QoS Policy Profiles 145 Mapping the WAN QoS Policy Profiles to WAN Interfaces 146

Configuring the LAN QoS 147

Configuring the LAN Queue Settings 147 Configuring the LAN QoS Classification Methods 148 Mapping CoS to LAN Queue 149 Mapping DSCP to LAN Queue 149 Configuring Default CoS 149

Configuring the Wireless QoS 150

Default Wireless QoS Settings 150 Configuring the Wireless QoS Classification Methods 151 Mapping CoS to Wireless Queue 151 Mapping DSCP to Wireless Queue 151

Address Management 152

Configuring the Addresses 152

Configuring the Group Addresses 153

Service Management 154

Configuring the Services 154

Cisco ISA500 Series Integrated Security Appliance Administration Guide 4

Configuring the Group Services 155

Contents

Chapter 5: Wireless Configuration for ISA550W and ISA570W 157

Configuring the Radio Settings 157

Basic Radio Settings 158

Advanced Radio Settings 160

Configuring the Access Points 162

Configuring the Security Mode 162

Controlling the Wireless Access Based on MAC Addresses 169

Mapping the SSID to VLAN 170

Configuring the SSID Schedule 171

Configuring Wi-Fi Protected Setup 172

Configuring Wireless Rogue AP Detection 173

Configuring Wireless Captive Portal 174

Chapter 6: Firewall 177

Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic 178

Default Firewall Settings 178

Priorities of Firewall Access Rules 180

Preliminary Tasks for Configuring the Firewall Access Rules 180

General Settings for Configuring the Firewall Access Rules 181

Configuring a Firewall Access Rule 183

Configuring a Firewall Access Rule to Allow the Multicast Traffic 185

Configuring the Firewall Schedule 186

Firewall Access Rule Configuration Examples 187

Configuring the NAT Rules to Securely Access a Remote Network 192

Configuring Dynamic PAT Rules 193

Configuring Static NAT Rules 194

Configuring Port Forwarding Rules 195

Configuring Port Triggering Rules 196

Configuring Advanced NAT Rules 197

Viewing NAT Translation Status 199

Cisco ISA500 Series Integrated Security Appliance Administration Guide 5

Priorities of NAT Rules 200

Configuring the Session Settings 200

Configuring the Content Filtering to Control Access to Internet 201

Configuring the Content Filtering Policy Profiles 201

Configuring the Website Access Control List 203

Mapping the Content Filtering Policy Profiles to Zones 204

Configuring Advanced Settings 204

Configuring the MAC Filtering to Permit or Block Traffic 205

Configuring the IP/MAC Binding to Prevent Spoofing 206

Configuring the Attack Protection 207

Configuring the Application Level Gateway 209

Contents

Chapter 7: Security Services 210

Managing the Security Services 210

About the Security Services 211

Security License 212

Priority of Security Services 212

Managing the Security Services 212

Viewing the Security Service Reports 214

Intrusion Prevention Service 214

General IPS Settings 215

Configuring the IPS Policy and Protocol Inspection 216

Blocking the Instant Messaging and Peer-to-Peer Applications 218

Anti-Virus 220

Configuring the Anti-Virus 220

Configuring the Email Notification 223

Configuring the HTTP Notification 224

Email Reputation Filter 224

Web URL Filter 226

Configuring the Web URL Filter Policy Profiles 226

Configuring the Whitelist and Blacklist of Websites 227

Mapping the Web URL Filter Policy Profiles to Zones 228

Cisco ISA500 Series Integrated Security Appliance Administration Guide 6

Configuring Advanced Web URL Filter Settings 229

Web Reputation Filter 230

Network Reputation 231

Contents

Chapter 8: VPN 232

About VPN 232

Configuring the Cisco IPSec VPN Server 233

Cisco VPN Client Compatibility 234

Configuring the Group Policies for Cisco IPSec VPN Server 235

Configuring the Cisco IPSec VPN Client 238

Restrictions for Cisco IPSec VPN Client 239

Benefits of the Cisco IPSec VPN Client Feature 239

Modes of Operation 240

Client Mode 240 Network Extension Mode 241

General Settings 242

Configuring the Group Policies for Cisco IPSec VPN Client 243

Configuring the Site-to-Site VPN 246

Configuration Tasks to Establish a Site-to-Site VPN 246

General Site-to-Site VPN Settings 247

Configuring the IPSec VPN Policies 248

Configuring the IPSec IKE Policies 254

Configuring the IPSec Transform Policies 256

Configuring the SSL VPN 257

Elements of the SSL VPN 258

Configuration Tasks to Establish a SSL VPN Tunnel 259

Installing the Cisco AnyConnect VPN Client on User’s PC 260

Importing the Certificates for User Authentication 260

Configuring the SSL VPN Users 260

Configuring the SSL VPN Gateway 261

Configuring the SSL VPN Group Policies 263

Configuring the SSL VPN Portal 266

Configuring the L2TP Server 266

Cisco ISA500 Series Integrated Security Appliance Administration Guide 7

Configuring the VPN Passthrough 268

Viewing the VPN Status 268

Monitoring the IPSec VPN Status 269

Monitoring the SSL VPN Status 270

Contents

Chapter 9: User Management 273

About the Users and Groups 273

Available Services for User Groups 273

Default User and Group 274

Preempt the Administrators 274

Configuring the Users and Groups 275

Configuring Local Users 275

Configuring Local User Groups 276

Configuring the User Authentication Settings 277

Authentication Methods for User Login 278

Using Local Database for Authentication 279

Using RADIUS Server for Authentication 279

Using Local Database and RADIUS Server for Authentication 282

Using LDAP for Authentication 283

Using Local Database and LDAP for Authentication 286

Configuring the User Session Settings 286

Viewing Active User Sessions 287

Chapter 10: Device Management 288

Remote Management 289

Administration 290

Changing the User Name and Password for the Default Administrator Account 290

Configuring the User Session Settings 291

SNMP 292

Configuration Management 294

Saving your Current Configurations 294

Restoring your Settings from a Saved Configuration File 295

Cisco ISA500 Series Integrated Security Appliance Administration Guide 8

Contents

Reverting to the Factory Default Settings 296

Firmware Management 297

Viewing the Firmware Information 297

Checking for New Firmwares 298

Upgrading the Firmware 299

Using the Secondary Firmware 300

Firmware Auto Fall Back Mechanism 301

Using the Rescue Mode to Recover the System 302

Rebooting the Security Appliance 302

Log Management 302

Configuring the Log Settings 303

Configuring the Log Facilities 305

Viewing the Logs 306

Managing the Security License 307

Checking the License Status 308

Renewing the Security License 309

Managing the Certificates for Authentication 310

Viewing the Certificate Status 310

Managing the Certificates 311

Exporting the Certificates to Local PC 312 Exporting the Certificates to a USB Device 313 Importing the Certificates from Your Local PC 313 Importing the Certificates from a Mounted USB Device 314 Importing the Signed Certificate for CSR from Your Local PC 314 Generating New Certificate Signing Requests 315

Configuring the Email Alert Settings 316

Configuring the RADIUS Servers 319

Configuring the Time Zone 320

Device Discovery 321

UPnP 321

Bonjour 322

CDP 323

LLDP 324

Cisco ISA500 Series Integrated Security Appliance Administration Guide 9

Diagnosing the Device 324

Ping 325

Tracert 325

DNS Lookup 326

Packet Capture 326

System Diagnostics 327

Measuring and Limiting Traffic with the Traffic Meter 328

Configuring the ViewMaster 330

Configuring the CCO Account 331

Configuring the Device Properties 332

Configuring the Debug Settings 332

Contents

Appendix A: Troubleshooting 333

Internet Connection 333

Date and Time 336

Pinging to Test LAN Connectivity 337

Testing the LAN Path from Your PC to Your Security Appliance 337

Testing the LAN Path from Your PC to a Remote Device 338

Restoring Factory Default Settings 339

Appendix B: Technical Specifications and Environmental Requirements 340

Appendix C: Factory Default Settings 343

Device Management 343

User Management 346

Networking 347

Wireless 352

VPN 353

Security Services 356

Firewall 357

Reports 359

Default Service Objects 360

Default Address Objects 363

Cisco ISA500 Series Integrated Security Appliance Administration Guide 10

Contents

Appendix D: Where to Go From Here 365

Cisco ISA500 Series Integrated Security Appliance Administration Guide 11

Getting Started

This chapter provides the product overview and installation instruction to help you to install the security appliance, and describes the default settings and some basic configuration tasks to help you to begin configuring your security appliance. It includes the following sections:

• Introduction, page 12

• Feature Overview, page 13

Introduction

• Device Overview, page14

• Installation, page 18

• Getting Started with the Configuration Utility, page 23

• About the Default Settings, page 25

• Performing Common Configuration Tasks, page 27

The Cisco ISA500 Series Integrated Security Appliances are a set of Unified Threat Management (UTM) security appliances that provide business class security gateway solutions with zone-based firewall, site-to-site and remote access VPN (including Cisco IPSec VPN and SSL VPN) support, and Internet threat protection with multiple UTM security services. The ISA550W and ISA570W include 802.11b/g/n access point capabilities.

The following table lists the available model numbers to help you become familiar with your security appliance.

Cisco ISA500 Series Integrated Security Appliance Administration Guide 12

Getting Started

Feature Overview

Models Description Configuration

ISA550 Cisco ISA550 Integrated

ISA550W Cisco ISA550 Integrated

ISA570 Cisco ISA570 Integrated

ISA570W Cisco ISA570 Integrated

Feature Overview

The features of the Cisco ISA500 Series Integrated Security Appliance are compared in the following table.

Security Appliance

Security Appliance with WiFi

Security Appliance

Security Appliance with WiFi

1 WAN port, 2 LAN ports, 4 configurable ports, and 1 USB 2.0 port

1 WAN port, 2 LAN ports, 4 configurable ports, 1 USB 2.0 port, and 802.11b/g/n

1 WAN port, 4 LAN ports, 5 configurable ports, and 1 USB 2.0 port

1 WAN port, 4 LAN ports, 5 configurable ports, 1 USB 2.0 port, and 802.11b/g/n

Feature ISA550 ISA550W ISA570 ISA570W

Firewall Throughput (1000B)

Firewall Throughput (IMIX)

IPSec VPN (large packet)

Anti-Virus Throughput

Intrusion Prevention Service Throughput

UTM Throughput 45 Mbps 45 Mbps 120 Mbps 120 Mbps

Cisco ISA500 Series Integrated Security Appliance Administration Guide 13

150 Mbps 150 Mbps 300 Mbps 300 Mbps

70 Mbps 70 Mbps 150 Mbps 150 Mbps

75 Mbps 75 Mbps 150 Mbps 150 Mbps

60 Mbps 60 Mbps 130 Mbps 130 Mbps

80 Mbps 80 Mbps 150 Mbps 150 Mbps

Getting Started

282351

Small Business

VPN

USB

WAN LAN

CONFIGURABLEPOWER/SYS

SPEED

LINK /ACT

234

ISA550

Cisco

281983

Small Business

VPN

USB

WAN LAN

CONFIGURABLEPOWER/SYS

SPEED

LINK /ACT

234

WLAN

ISA550W

Cisco

Device Overview

Feature ISA550 ISA550W ISA570 ISA570W

Maximum Concurrent Sessions

Sessions per Seconds (cps)

Wireless (802.11b/g/n)No Yes No Yes

IPSec Tunnels 50 50 100 100

SSL VPN Tunnels 25 25 50 50

Device Overview

Before you begin to use the security appliance, become familiar with the lights on the front panel and the ports on the rear panel. It includes the following sections:

15,000 15,000 40,000 40,000

2,500 2,500 3,000 3,000

• Front Panel, page 14

• Back Panel, page 17

Front Panel

ISA550 Front Panel

ISA550W Front Panel

Cisco ISA500 Series Integrated Security Appliance Administration Guide 14

Getting Started

Small Business

VPN

USB

WAN LAN

CONFIGURABLEPOWER/SYS

SPEED

LINK /ACT

910

234

282350

ISA570

Cisco

Small Business

VPN

USB

WAN LAN

CONFIGURABLEPOWER/SYS

SPEED

LINK /ACT

910

234

WLAN

281980

ISA570W

Cisco

Device Overview

ISA570 Front Panel

ISA570W Front Panel

Front Panel Lights

The following table describes the lights on the front panel of the security appliance. These lights are used for monitoring system activity.

Lights Description

POWER/SYS Indicates the power status and system status.

• Green lights when the system is powered on and

operates normally.

• Green flashes when the system is booting.

• Amber flashes when the system booting has a

problem, a device error occurs, or the system has a problem.

VPN Indicates the Site-to-Site VPN connection status.

• Green lights when the Site-to-Site VPN tunnel is

established.

• Green flashes when attempting to establish the Site-to-

Site VPN tunnel.

• Amber flashes when the system is experiencing

problems setting up the Site-to-Site VPN connection.

Cisco ISA500 Series Integrated Security Appliance Administration Guide 15

Getting Started

Device Overview

Lights Description

USB Indicates the USB device status.

• Green lights when a USB device is detected and

operates normally.

• Green flashes when the USB device is transmitting and

receiving data.

WLAN

(ISA550W and ISA570W only)

SPEED Indicates the traffic rate of the associated port.

LINK/ACT Indicates a connection is being made through the port.

NOTE The front panel of the ISA550 and ISA570 does not include the WLAN light.

Indicates the WLAN status.

• Green lights when the WLAN is enabled and

associated.

• Green flashes when the WLAN is transmitting and

receiving data.

• Off when the traffic rate is 10 or 100 Mbps.

• Green lights when the traffic rate is 1000 Mbps.

• Green lights when the link is up.

• Green flashes when the port is transmitting and

receiving data.

Cisco ISA500 Series Integrated Security Appliance Administration Guide 16

Getting Started

281984

ANT02ANT01

RESET

POWER

12VDC

CONFIGURABLE

LAN

WAN

ANT01 ANT02

Reset

Button

Power

Switch

Power

Connector

WAN

Por t

USB

Por t

Configurable

Por ts

LAN

Por ts

281981

RESET

ANT02ANT01

8910

WAN

CONFIGURABLE

POWER

12VDC

LAN

ANT01 ANT02

Reset

Button

Power

Switch

Power

Connector

WAN

Por t

USB

Por t

Configurable

Por ts

LAN

Por ts

Device Overview

Back Panel

The back panel is where you connect the network devices. The ports on the panel vary depending on the model.

ISA550 and ISA550W Back Panel

ISA570 and ISA570W Back Panel

Cisco ISA500 Series Integrated Security Appliance Administration Guide 17

Getting Started

Installation

Back Panel Descriptions

Feature Description

ANT01/ANT02 Threaded connectors for the antennas (for ISA550W and

ISA570W only).

USB Port Connects the unit to a USB device. You can use a USB

device to backup and restore the configurations, or to upgrade the firmware images.

Configurable Ports

LAN Ports Connects PCs and other network appliances to the unit.

WAN Port Connects the unit to a DSL or a cable modem, or another

RESET Button To reboot the unit, push and release the RESET button. To

Power Switch Turns the unit on or off.

Power Connector

NOTE The back panel of ISA550 and ISA570 does not include two threaded connectors

for the antennas.

Can be set to operate as WAN, LAN, or DMZ ports. The ISA550 and ISA550W have 4 configurable ports. The ISA570 and ISA570W have 5 configurable ports.

The ISA550 and ISA550W have 2 dedicated LAN ports. The ISA570 and ISA570W have 4 dedicated LAN ports.

WAN connectivity device.

restore the factory default settings, push and hold the RESET button for 3 seconds.

Connects the unit to power using the supplied power cord and adapter.

Installation

This section describes how to install the security appliance. It includes the following topics:

• Before You Begin, page 19

Cisco ISA500 Series Integrated Security Appliance Administration Guide 18

Getting Started

Installation

• Installation Options, page 19

• Hardware Installation, page 22

Before You Begin

Before you begin the installation, make sure that you have the following equipments and services:

• An active Internet account.

• Mounting kits and tools for installing the hardware. The kits packed with the

security appliance are used for desktop placement and rack mounting. The kits include 4 rubber feet, 2 brackets, 2 silicon rubber spacers, 8 M3 screws, 4 M5 screws, and 4 washers.

NOTE The Wall-mounting kit is not included.

• RJ-45 Ethernet cables (Category 5 or higher) for connecting computers,

WAN and LAN interfaces, or other devices.

• A computer with Microsoft Internet Explorer 8.0, or Mozilla Firefox 3.6.x (or

later) for using the web-based Configuration Utility.

Installation Options

You can place your security appliance on a desktop, mount it on a wall, or mount it in a rack. It includes the following topics:

• Placement Tips, page 19

• Wall Mounting, page 20

• Rack Mounting, page 21

Placement Tips

• Ambient Temperature: To prevent the security appliance from overheating,

do not operate it in an area that exceeds an ambient temperature of 104°F (40°C).

• Air Flow: Be sure that there is adequate air flow around the device.

Cisco ISA500 Series Integrated Security Appliance Administration Guide 19

Getting Started

196243

Installation

• Mechanical Loading: Be sure that the security appliance is level and stable

to avoid any hazardous conditions.

To place the security appliance on a desktop, install the supplied four rubber feet on the bottom of the security appliance. Place the security appliance on a flat surface.

Wall Mounting

There is no wall-mounting kit included with your security appliance. We recommend that you use the following screws to install your security appliance to the wall or the ceiling:

1 8mm/0.32 in 2 25mm/0.98 in 3 6.5mm/0.26in 4 18.6mm/0.73in

WARNING Insecure mounting might damage the device or cause injury. Cisco is not

responsible for damages incurred by improper wall-mounting.

To mount the security appliance to the wall:

STEP 1 Determine where you want to mount the security appliance. Verify that the surface

is smooth, flat, dry, and sturdy.

STEP 2 Insert two 18.6 mm (0.73 inch) screws, with anchors, into the wall 234 mm apart

(9.21 inches). Leave 3 to 4 mm (about 1/8 inch) of the head exposed.

STEP 3 Place the security appliance wall-mount slots over the screws. Slide the security

appliance down until the screws fit snugly into the wall-mount slots.

Cisco ISA500 Series Integrated Security Appliance Administration Guide 20

Getting Started

Installation

CAUTION Do not overload the power outlet or circuit when installing multiple devices in a

Rack Mounting

You can mount the security appliance in any standard size, 19-inch (about 48 cm) wide rack. The security appliance requires 1 rack unit (RU) of space, which is 1.75 inches (44.45 mm) high.

rack.

STEP 1 Place one of the supplied silicon rubber spacers on the side of the security

appliance so that the four holes align to the screw holes. Place the rack mount bracket next to the silicon rubber spacer and install the M3 screws.

NOTE If the M3 screws are not long enough to reattach the bracket with the silicon

rubber spacer, attach the bracket directly to the case without the silicon rubber spacer.

STEP 2 Install the security appliance into a standard rack as shown below. Place the

washers on the brackets so that the holes align to the screw holes and then install the M5 screws.

Step 1

Step 2

281985

Cisco ISA500 Series Integrated Security Appliance Administration Guide 21

Getting Started

RESET

ANT02ANT01

8910

WAN

CONFIGURABLE

POWER

12VDC

LAN

Internet Access Device

Public

Web Server

Power

Network Devices

Installation

Hardware Installation

Follow these steps to connect the security appliance:

STEP 1 Connect the security appliance to power using the supplied power cord and

adapter. Make sure that the power switch is turned off.

STEP 2 If you are installing the ISA550W and ISA570W, screw each antenna onto a

threaded connector on the back panel. Orient each antenna to point upward.

STEP 3 For a DSL or cable modem, or other WAN connectivity devices, connect an

Ethernet network cable from the device to the WAN port on the back panel. Cisco strongly recommends using Cat5E or better cable.

STEP 4 For network devices, connect an Ethernet network cable from the network device

to one of the dedicated LAN ports on the back panel.

STEP 5 For a UC 500 or a UC 300, connect an Ethernet network cable from the WAN port

of the UC 500 or a UC 300 to an available LAN port of the security appliance.

STEP 6 For a UC500 or a UC300, connect an Ethernet network cable from the WAN port of

the UC500 or UC300 to an available LAN port on the back panel of the security appliance.

STEP 7 Power on the connected devices.

STEP 8 Power on the security appliance. The lights on the front panel for all connected

ports light up to show active connections.

A sample configuration is illustrated below.

Congratulations! The installation of the security appliance is complete.

Cisco ISA500 Series Integrated Security Appliance Administration Guide 22

Getting Started

Getting Started with the Configuration Utility

The Configuration Utility is a web based device manager that is used to provision the security appliance. To use this utility, you must be able to connect to the security appliance from your administration PC or laptop. You can access the security appliance by using web browser such as Microsoft Internet Explorer 8.0, or Mozilla Firefox 3.6.x (or later). It includes the following sections:

• Launching the Configuration Utility, page 23

• Navigating Through the Configuration Utility, page 24

• Using the Help System, page 25

• Using the Management Buttons, page 25

Launching the Configuration Utility

STEP 1 Connect your computer to an available LAN port on the back panel of the security

appliance.

STEP 2 Start a web browser. In the Address bar, enter the default IP address of the

security appliance: 192.168.1.1.

NOTE The above address is the factory default LAN address. If you change this

setting in the DEFAULT VLAN configuration, you will need to enter the new IP address to connect to the Configuration Utility.

STEP 3 Enter the default user name and password in the login screen:

• Username: cisco

• Password: cisco

STEP 4 Click Login.

For the first login, you are forced to immediately change the default user name and password of the default administrator account to prevent unauthorized access. For more information, see Changing the User Name and Password of the

Default Administrator Account at Your First Login, page 27.

Cisco ISA500 Series Integrated Security Appliance Administration Guide 23

Getting Started

Getting Started with the Configuration Utility

After you change them, the Startup Wizard launches. For more information about how to use the Startup Wizard to configure your security appliance, see Using the

Startup Wizard, page 32.

Navigating Through the Configuration Utility

Use the left hand navigation pane and content pane to perform the tasks in the Configuration Utility.

Number Components Description

1Left Hand

Navigation

2 Content Pane The content of the feature or subfeature appears in

Cisco ISA500 Series Integrated Security Appliance Administration Guide 24

Pane

The left hand navigation pane provides easy navigation through the configurable features. The main branches expand to provide the features. Click on the main branch title to expand its contents. Click on the right arrow of a feature to open its subfeatures, or click on the down arrow of a feature to contract its subfeatures. Click on the title of a feature or subfeature to open it.

this area.

Getting Started

About the Default Settings

Using the Help System

The Configuration Utility includes a detailed Help file for all configuration tasks. To view the Help page, click the Help link in the top right corner of the screen.

Using the Management Buttons

Device Management buttons and icons provide an easy method of configuring device information. In this guide, we use the texts by replacing the buttons or icons to indicate what the buttons or icons are used for.

Icons Actions Icons Actions

Move Expand

Move Down Collapse

Move Up Edit or other specific actions

About the Default Settings

The security appliance is predefined with the settings that allow you to start using the device with minimal changes needed. Depending the requirements of your Internet Service Provider (ISP) and the needs of your business, you might need to modify some of these settings. You can use the Configuration Utility to customize all settings, as needed.

with relative description

Delete or Delete Selection

Settings of particular interest are described below. For a full list of all factory default settings, see Appendix C, "Factory Default Settings."

Cisco ISA500 Series Integrated Security Appliance Administration Guide 25

Getting Started

About the Default Settings

• IP Routing Mode: By default, only the IPv4 mode is enabled. To support the

IPv4 and IPv6 addressing, you need to enable the IPv4/IPv6 mode. To change the IP routing mode, see Configuring IP Routing Mode, page 95.

• WAN Configuration: By default, the security appliance is configured to

obtain an IP address from your ISP by using Dynamic Host Configuration Protocol (DHCP). Depending on the requirement of your ISP, you will need to configure the network address mode for the primary WAN and the secondary WAN if applicable. You can change other WAN settings as well. See Configuring the WAN, page 101.

• LAN Configuration: By default, the LAN of the security appliance is

configured in the 192.168.1.0 subnet and the LAN IP address is 192.168.1.1. The security appliance acts as a DHCP server to the hosts on the WLAN or LAN network. It can automatically assign IP addresses and DNS server addresses to the PCs and other devices on the LAN. For most deployment scenarios, the default DHCP and TCP/IP settings should be satisfactory. However, you can change the subnet address or the default IP address. You can assign static IP addresses to connected devices rather than allowing the security appliance to act as a DHCP server. See Configuring the VLAN,

page 118.

• VLAN Configuration: The security appliance predefines a native VLAN

(DEFAULT) and a guest VLAN (GUEST). You can customize new VLANs for your specific business needs. See Configuring the VLAN, page 118.

• Configurable Ports: By default, all configurable ports are set to act as LAN

ports. Alternatively, you can configure the configurable port for use as a DMZ port or a secondary WAN port. See Configuring the WAN, page 101 or

Configuring the DMZ, page 123.

• Wireless Network (for ISA550W and ISA570W only): The ISA550W or

ISA570W is configured with four SSIDs. All SSIDs are disabled by default. For security purposes, we strongly recommend that you configure the SSIDs with the appropriate security settings. See Wireless Configuration for

ISA550W and ISA570W, page 157.

• Administrative Access: You can access the Configuration Utility by using a

web browser and entering the default LAN IP address of 192.168.1.1. You can log into by entering the username and password of the default administrator account. You are forced to change the default username and password after the first login. See Changing the User Name and Password

of the Default Administrator Account at Your First Login, page 27. You

also may want to change the user login settings for authentication. See

Configuring the User Authentication Settings, page 277.

Cisco ISA500 Series Integrated Security Appliance Administration Guide 26

Getting Started

Performing Common Configuration Tasks

• Security Services: By default, the UTM security services such as Intrusion

Prevention Service (IPS), Web URL Filter, Web Reputation Filter, Anti-Virus, and Email Reputation Filter are disabled. For more information about how to configure the security services, see Security Services, page 210.

• Firewall: By default, the firewall prevents inbound traffic and allows all

outbound traffic. If you want to allow some inbound traffic or prevent some outbound traffic, you must customize firewall access rules. The security appliance supports up to 100 custom access rules. See Configuring the

Firewall Access Rules to Control Inbound and Outbound Traffic, page 178.

• VPN: By default, the VPN feature is disabled. The security appliance can

function as a Cisco IPSec VPN server or a Cisco VPN hardware client, or as a SSL VPN gateway so that remote users can securely access the corporate network resources over the VPN tunnels. You can also establish a secure IPSec VPN tunnel between two sites that are physically separated by using the Site-to-Site VPN feature. For more information about how to configure the VPN features, see VPN, page 232.

Performing Common Configuration Tasks

We strongly recommend that you complete the following common tasks before you begin configuring your security appliance. It includes the following sections:

• Changing the User Name and Password of the Default Administrator

Account at Your First Login, page 27

• Saving Your Configuration, page 28

• Upgrading the Firmware if needed, page 29

• Resetting the Device, page 30

Changing the User Name and Password of the Default Administrator Account at Your First Login

The default administrator account is an administrative account that has fully privilege to set the configurations and read the system status. It does not belong to any user group. To prevent unauthorized access, you are forced to immediately change the default user name and password at its first login.

Cisco ISA500 Series Integrated Security Appliance Administration Guide 27

Getting Started

Performing Common Configuration Tasks

STEP 1 After the first login, a prompt window opens.

STEP 2 Enter the following information:

• User Name: Enter a new user name that contains the letters, numbers, or

underline for the default administrator account.

• New Password: Enter a new password for the default administrator account.

Passwords are case-sensitive.

NOTE Restrictions for password: The password should contain at least

three types of these character classes: lower case letters, upper case letters, numbers, and special characters. Do not repeat any character more than three times consecutively. Do not set the password as the user name or the reversed user name. The password cannot be set as “cisco”, “ocsic”, or any variant obtained by changing the capitalization of letters.

• Confirm Password: Enter the new password again for confirmation.

STEP 3 Click Save to apply your settings.

Saving Your Configuration

At any point during the configuration process, you can save your configurations. Later, if you make changes that you want to abandon, you can easily revert to the saved configurations.

STEP 1 Click Device Management -> Firmware and Configuration -> Configuration.

The Configuration window opens.

STEP 2 To save the current settings on your local PC, perform the following steps:

a. In Backup/Restore Settings area, click Backup after the Save A Copy of

Current Settings option.

b. The Encryption window opens. You can optionally encrypt the configurations

for security purposes, check the Encrypt box and enter the password in the Key field, and then click OK.

Cisco ISA500 Series Integrated Security Appliance Administration Guide 28

Getting Started

Performing Common Configuration Tasks

c. Locate where to save the configuration file, and then click Save.

STEP 3 To save the current settings on a USB device, perform the following steps:

a. Insert a USB device into the USB interface on the back panel of your security

appliance. The USB device is automatically mounted once you insert it.

b. In the USB -> Mount/Unmount area, check the mounting status of the USB

device. Make sure that the USB Driver Status shows as “UP” when you use the USB device to manage the configurations.

c. In the USB -> Backup/Restore Settings area, click Backup after the Save A

Copy of Current Settings option.

d. The Encryption window opens. You can optionally encrypt the configurations

for security purposes, check the Encrypt box and then enter the password in the Key field, and then click OK. Your current settings are saved as a configuration file on the root folder of the USB device.

Upgrading the Firmware if needed

Before you do any other tasks, ensure that you are using the latest firmware version. You can upgrade from a firmware file stored on your computer or a mounted USB device.

CAUTION During a firmware upgrade, do NOT try to go online, turn off the device, shut down

the PC, remove the cable, or interrupt the process in anyway until the operation is complete. This process should take several minutes or so including the reboot process. Interrupting the upgrade process at specific points when the flash is being written to can corrupt the flash memory and render the security appliance unusable.

STEP 1 Click Device Management -> Firmware and Configuration -> Firmware.

The Firmware window opens.

Cisco ISA500 Series Integrated Security Appliance Administration Guide 29

Getting Started

Performing Common Configuration Tasks

STEP 2 To manually upgrade the firmware from your local PC, perform the following steps:

a. In the Network -> Firmware Upgrade area, click Browse to locate and select

the firmware image from your local PC.

b. To upgrade the firmware and keep using the current settings, click Upgrade.

c. To upgrade the firmware and revert to the factory default settings, click

Upgrade & Factory Reset. When the operation is complete, the security appliance automatically reboots with the factory default settings.

STEP 3 To upgrade the firmware through a USB device, perform the following steps:

a. Insert the USB device with the firmware images into the USB interface on the

back panel of your security appliance. The USB device is automatically mounted after you inserted it.

b. In the USB -> Mount/Unmount area, check the mounting status of the USB

device. Make sure that the USB Driver Status shows as “UP” when you use the USB device to manage the firmware.

c. In the USB -> Backup/Restore Settings area, all firmware images located on

the USB device appears in the list.

• To upgrade the firmware and keep using the current settings, select the

latest firmware image from the list and then click Upgrade.

• To upgrade the firmware and revert to the factory default settings, select the

latest firmware image from the list and then click Upgrade & Factory Reset. When the operation is complete, the security appliance automatically reboots with the factory default settings.

Resetting the Device

To revert your security appliance to the factory default settings, you can press and hold the RESET button on the back panel for minimum of 3 seconds, or perform the following procedures.

CAUTION The Revert To Factory Default Settings operation will wipe out the current

configurations used on your security appliance (including the imported certificates). We recommmend that you save the current settings before reverting to the factory default settings.

Cisco ISA500 Series Integrated Security Appliance Administration Guide 30

Getting Started

Performing Common Configuration Tasks

STEP 1 Click Device Management -> Firmware and Configuration -> Configuration.

The Configuration window opens.

STEP 2 In the Backup/Restore Settings -> Revert To Factory Default Settings area,

click Default.

The security appliance will reboot with the factory default settings.

Cisco ISA500 Series Integrated Security Appliance Administration Guide 31

Wizards

This chapter describes how to use the wizards to configure your security appliance.

• Using the Startup Wizard, page 32

• Using the Wireless Wizard to Configure the Wireless Settings for

ISA550W and ISA570W, page 40

• Using the DMZ Wizard to Configure the DMZ Settings, page 46

• Using the Dual WAN Wizard to Configure the WAN Redundancy

Settings, page 51

• Using the Site-to-Site Wizard to Establish the Site-to-Site VPN Tunnels, page 53

• Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote Access, page 58

To access the Wizards pages, click Wizards in the left hand navigation pane.

Using the Startup Wizard

The Startup Wizard helps you configure the remote management, port, WAN, LAN, DMZ, and WLAN (for ISA550W and ISA570W only) settings. The first time you log into your security appliance, the Startup Wizard automatically launches.

STEP 1 Click Wizard -> Startup Wizard.

The Getting Started window opens. A prompt warning message is displayed as below.

Cisco ISA500 Series Integrated Security Appliance Administrator Guide 32

Wizards

Using the Startup Wizard

CAUTION When the Startup Wizard is complete, the previous settings relevant to the

STEP 2 Click Begin.

changed WAN, DDNS, LAN, DMZ, and WLAN are cleaned up, and relevant services are reinitialized.

For the first login, you can ignore this warning message and follow the on-screen prompts to complete the initial configuration. If you have already configured the security appliance, make sure that you have read the warning message before you use the Startup Wizard to configure your security appliance. Click OK to close the warning message window.

The Remote Management window opens. The security appliance allows remote management securely by using HTTPS and HTTP. For example, https:// xxx.xxx.xxx.xxx:8080.

Enter the following information:

• Remote Management: Click On to enable remote management by using

HTTPS, or click Off to disable it. We recommend that you use HTTPS for secure purposes.

• HTTPS Listen Port Number: If you enable remote management by using

HTTPS, enter the port number to be listened on. By default, the listened port for HTTPS is 8080.

• HTTP Enable: Click On box to enable remote management by using HTTP,

or click Off to disable it.

• HTTP Listen Port Number: If you enable remote management by using

HTTP, enter the port number to be listened on. By default, the listened port for HTTP is 80.

• Access Type: Choose the level of permission for remote management:

- Allow access from any IP address: Any IP address from a remote WAN

network can access the Configuration Utility.

- Restrict a specific IP address: Only the specified remote host can

access the Configuration Utility. Enter the IP address of the remote host in the IP Address field.

Cisco ISA500 Series Integrated Security Appliance Administrator Guide 33

Wizards

Using the Startup Wizard

STEP 3 After you are finished, click Next.

- Restrict access to a range of IP addresses: Only the hosts in the

specified remote network can access the Configuration Utility. Enter the starting IP address in the From field and the ending IP address in the To field.

• Remote SNMP: Click On to enable SNMP for the remote connection, or click

Off to disable SNMP. Enabling SNMP allows remote users to use the SNMP protocol to access the Configuration Utility.

The Port Configuration window opens. From this page you can specify the port configuration. The Startup Wizard predefines four port configuration solutions. You can also modify the port types for the configurable ports when you create a secondary WAN or configure the DMZs.

If you are using the ISA570 or ISA570W, choose one of the following options:

• 1 WAN, 9 LAN Switch: This is the default setting. The security appliance is

set to one WAN port (WAN1) and nine LAN ports.

• 1 WAN, 1 DMZ, and 8 LAN Switch: The security appliance is set to one

WAN port (WAN1), one DMZ port, and eight LAN ports. The configurable port GE10 is set to a DMZ port.

• 1 WAN, 1 WAN Backup, and 8 LAN Switch: The security appliance is set to

two WA N po rts (WA N1 is th e pr imar y WAN and WAN2 i s the se con dar y WAN) and eight LAN ports. The configurable port GE10 is set to a secondary WAN p or t.

• 1 WAN, 1 WAN Backup, 1 DMZ, and 7 LAN Switch: The security appliance

is set to two WAN ports (WAN1 is the primary WAN and WAN2 is the secondary WAN), one DMZ port, and seven LAN ports. The configurable port GE10 is set to a secondary WAN port and the configurable port GE9 is set to a DMZ port.

If you are using the ISA550 or ISA550W, choose one of the following options:

• 1 WAN, 6 LAN Switch: This is the default setting. The security appliance is

set to one WAN port (WAN1) and six LAN ports.

• 1 WAN, 1 DMZ, and 5 LAN Switch: The security appliance is set to one

WAN port (WAN1), one DMZ port, and five LAN ports. The configurable port GE7 is set to a DMZ port.

Cisco ISA500 Series Integrated Security Appliance Administrator Guide 34

Wizards

Using the Startup Wizard

• 1 WAN, 1 WAN Backup, and 5 LAN Switch: The security appliance is set to

two WA N po rts (WA N1 is th e pr imar y WAN and WAN2 i s the se con dar y WAN) and five LAN ports. The configurable port GE7 is set to a secondary WAN p or t.

• 1 WAN, 1 WAN Backup, 1 DMZ, and 4 LAN Switch: The security appliance

is set to two WAN ports (WAN1 is the primary WAN and WAN2 is the secondary WAN), one DMZ port, and four LAN ports. The configurable port GE7 is set to a secondary WAN port and the configurable port GE6 is set to a DMZ port.

NOTE If you have two ISP links, we recommend that you set a backup WAN

so that you can provide backup connectivity or load balancing. If you need to host public services, we recommend that you set a DMZ port.

NOTE The configurable ports can be set as the WAN, LAN, and DMZ ports.

Up to two WAN ports and four DMZ ports can be configured on the security appliance. To configure multiple DMZ ports, go to the

Networking -> DMZ page. For more information, see Configuring the

DMZ, page 123.

STEP 4 After you are finished, click Next.

The Primary WAN Connection window opens. From this page you can configure the primary WAN port.

Choose the network addressing mode from the IP Address Assignment dropdown list and complete the corresponding fields for the primary WAN port depending on the requirements of your ISP. The security appliance supports DHCPC, Static IP, PPPoE, PPTP, and L2TP. For complete details, see Configuring

the Network Addressing Mode, page 106.

NOTE If only one single WAN port is c onfigured on your security appliance, skip the

next two steps and proceed to the step 7.

STEP 5 After you are finished, click Next.

The Secondary WAN Connection window opens. From this page you can configure the secondary WAN port.

Cisco ISA500 Series Integrated Security Appliance Administrator Guide 35

Wizards

Using the Startup Wizard

STEP 6 After you are finished, click Next.

Choose the network addressing mode from the IP Address Assignment dropdown list and complete the corresponding fields for the secondary WAN port depending on the requirements of your ISP. For complete details, see Configuring

the Network Addressing Mode, page 106.

The WAN Redundancy window opens. From this page you can determine how the two ISP links are used.

• Use the Loab Balancing mode if you want to use both ISP links

simultaneously. The two links will carry data for the protocols that are bound to them. Enter the following information:

- Equal Load Balancing (Round Robin): Re-orders the WAN interfaces for

Round Robin selection. The order is as follows: WAN1 and WAN2. The Round Robin will then repeat back to WAN1 and continue the order.

- Weighted Load Balancing: Distributes the bandwidth to two WAN ports

by the weighted percange or by the weighted link bandwidth. If you choose this mode, then choose one of the following options and finish the setting:

Weighted By percentage: Allows you to set the percentage for each WAN, such as 80% percentage bandwidth for WAN1 and lest 20% percentage bandwidth for WAN2.

Weighted By Link Bandwidth: Allows you to set the rate limiting for each WAN, such as 10 Mbps for WAN1 and 5 Mbps for WAN2.

• Use the Failover mode if you want to use one ISP link as a backup. If a failure

is detected on the primary link, then the security appliance directs all Internet traffic to the backup link. When the primary link regains connectivity, all Internet traffic is directed to the primary link, and the backup link becomes idle. Enter the following information:

- Auto Failover to: Choose either WAN1 or WAN2 as the primary link. By

default, WAN1 is set as the primary link and WAN2 is set as the backup link. You can also set WAN2 as the primary link.

- Preempt Delay Timer: Enter the time in seconds that the system will

preempt the primary link from the backup link when the primary link is up again. The default is 5 seconds.

STEP 7 After you are finished, click Next.

The LAN Configuration window opens. From this page you can configure the default LAN settings.

Cisco ISA500 Series Integrated Security Appliance Administrator Guide 36

Wizards

Using the Startup Wizard

• IP: Enter the IP address of the default LAN.

• Netmask: Enter the IP address of the netmask.

• DHCP Server: Choose one of the following DHCP modes:

- Disable: Choose this option if the computers on the VLAN are configured

with static IP addresses or are configured to use another DHCP server.

- DHCP Server: Allows the security appliance to act as a DHCP server and

assigns IP addresses to all devices that are connected to the DEFAULT VLAN. Any new DHCP client joining the DEFAULT VLAN is assigned an IP address of the DHCP pool.

- DHCP Relay: Allows the security appliance to use a DHCP Relay. If you

choose DHCP Relay, enter the IP address of the remote DHCP server in the Relay IP field.

If you choose DHCP Server as the DHCP mode, enter the following information:

• Start IP: Enter the starting IP address of the DHCP pool.

• End IP: Enter the ending IP address of the DHCP pool.

NOTE The starting and ending IP addresses should be in the same range as

the LAN’s subnet address.

• Lease Time: Enter the maximum connection time that a dynamic IP address

is “leased” to a network user. When the time elapses, the user is automatically renewed the dynamic IP address.

• DNS 1: Enter the IP address of the primary DNS server.

• DNS 2: Optionally, enter the IP address of the secondary DNS server.

• WINS 1: Enter the IP address for the primary WINS server.

• WINS 2: Optionally, enter the IP address of the secondary WINS server.

• Domain Name: Optionally, enter the domain name for the default LAN.

• Default Gateway: Enter the IP address of default gateway.

STEP 8 After you are finished, click Next.

If you have no DMZ port, skip the next two steps and proceed to the step 10.

Cisco ISA500 Series Integrated Security Appliance Administrator Guide 37

Wizards

Using the Startup Wizard

If you have a DMZ port, the DMZ Configuration window opens. To host public services, you need to configure a DMZ network in this page and specify the relevant DMZ services from the next DMZ Service page.

• IP: Enter the subnet IP address of the DMZ.

• Netmask: Enter the subnet mask of the DMZ.

• DHCP Service: Choose one of the following options:

- Disable: Choose this option if the computers on the DMZ are configured

with static IP addresses or are configured to use another DHCP server.

- DHCP Server: Allows the security appliance to act as a DHCP server and

assigns IP addresses to all devices that are connected to the DMZ. Any new DHCP client joining the DMZ is assigned an IP address of the DHCP pool.

- DHCP Relay: Allows the security appliance to use a DHCP Relay. If you

choose DHCP Relay, enter the IP address of the remote DHCP server in the Relay IP field.

If you choose DHCP Server as the DHCP mode, enter the following information:

• Start IP: Enter the starting IP address of the DHCP pool.

• End IP: Enter the ending IP address of the DHCP pool.

NOTE The starting and ending IP addresses should be in the same range as

the DMZ’s subnet address.

• Lease Time: Enter the maximum connection time that a dynamic IP address

is “leased” to a network user. When the time elapses, the user is automatically renewed the dynamic IP address.

• DNS 1: Enter the IP address of the primary DNS server.

• DNS 2: Optionally, enter the IP address of the secondary DNS server.

• WINS 1: Enter the IP address for the primary WINS server.

• WINS 2: Optionally, enter the IP address of the secondary WINS server.

• Domain Name: Optionally, enter the domain name for the DMZ.

• Default Gateway: Enter the IP address of default gateway.

Cisco ISA500 Series Integrated Security Appliance Administrator Guide 38

Wizards

Using the Startup Wizard

STEP 9 After you are finished, click Next.

STEP 10 After you are finished, click Next.

The DMZ Service window opens. From this page you can configure the DMZ services. For complete details, see Configuring the DMZ Services, page 49.

NOTE After you configure the DMZ services, the firewall access rules will

automatically generated by the security appliance to allow the access to the services on your DMZ.

The Wireless Radio Setting window opens. From this page you can configure the wireless radio settings.

NOTE The wireless configurations such as wireless radio settings and Intranet

WLAN access (see next step) are only available for the ISA550W and ISA570W. If your security appliance is not a wireless device, proceed to the step 12.

• Wireless Network Mode: Choose the 802.11 modulation technique. The

ISA550W and ISA550W supports the following radio modes:

- 802.11b only: Choose this mode if all devices in the wireless network

use 802.11b. Only 802.11b clients can connect to the access point.

- 802.11g only: Choose this mode if all devices in the wireless network

use 802.11g. Only 802.11g clients can connect to the access point.

- 802.11b/g mixed: Choose this mode if some devices in the wireless

network use 802.11b and others use 802.11g. Both 802.11b and 802.11g clients can connect to the access point.

- 802.11n only: Choose this mode if all devices in the wireless network

can support 802.11n. Only 802.11n clients operating in the 2.4 GHz frequency can connect to the access point.

- 802.11g/n mixed: Choose this mode to allow 802.11g and 802.11n

clients operating in the 2.4 GHz frequency to connect to the access point.

- 802.11b/g/n mixed: Choose this mode to allow 802.11b, 802.11g, and

802.11n clients operating in the 2.4 GHz frequency to connect to the access point.

Cisco ISA500 Series Integrated Security Appliance Administrator Guide 39

Wizards

Using the Wireless Wizard to Configure the Wireless Settings for ISA550W and ISA570W

• Wireless Channel: Choose a channel or choose Auto to let the system

determine the best channel to use based on the environmental noise levels for the available channels.

STEP 11 After you are finished, click Next.

The Wireless Connectivity Type - Intranet WLAN Access window opens. From this page you can configure the wireless connectivity settings for the SSID1.

NOTE The ISA550W and ISA570W support four SSIDs. To configure the wireless

connectivity settings for other SSIDs, go to the Wireless -> Basic Settings page or use the Wireless wizard. For more information, see Configuring the

Access Points, page 151 or Using the Wireless Wizard to Configure the Wireless Settings for ISA550W and ISA570W, page 40.

• SSID Name: The SSID name.

• Security Mode: Choose the encryption algorithm for data encryption for this

SSID. Depending on the selected security mode, configure the corresponding settings. See Configuring the Security Mode, page 162.

• VLAN Name: Choose the VLAN to which this SSID is mapped. All traffic from

the wireless clients that are connected to this SSID will be directed to the selected VLAN.

STEP 12 After you are finished, click Next.

The Summary window opens. The Summary page displays the summary information for all configurations you made.

STEP 13 Click Submit to save the settings.

Using the Wireless Wizard to Configure the Wireless Settings for ISA550W and ISA570W

Use the Wireless Wizard to configure the wireless radio and Intranet connectivity settings for the ISA550W and ISA570W. It includes the following sections:

• Using the Wireless Wizard to Configure the Wireless Settings, page 41

Cisco ISA500 Series Integrated Security Appliance Administrator Guide 40

Wizards

Using the Wireless Wizard to Configure the Wireless Settings for ISA550W and ISA570W

• Configuring the SSID for Intranet WLAN Access, page 43

• Configuring the SSID for Guest WLAN Access, page 44

• Configuring the SSID for Guest WLAN Access (Captive Portal), page 45

Using the Wireless Wizard to Configure the Wireless Settings

STEP 1 Click Wizards -> Wireless Wizard.

The Getting Started window opens.

STEP 2 Click Begin.

The Wireless Radio Setting window opens. Enter the following information:

• Wireless Network Mode: Specify the Physical Layer (PHY) standard that

the wireless radio uses.