ZyXEL Communications ISG50 User Manual

 Chapter 23 Firewall
• If you enable intra-zone traffic blocking (see the chapter about zones), the firewall automatically 
creates (implicit) rules to deny packet passage between the interfaces in the specified zone.
• Besides configuring the firewall, you also need to configure NAT rules to allow computers on the 
WAN to access LAN devices. See 
 for more information.
• The ISG50 applies NAT (Destination NAT) settings before applying the firewall rules. For 
example, if you configure a NAT entry that sends WAN traffic to a LAN IP address, the 
corresponding firewall rule that allows the traffic must use the LAN IP address as 
the destination. See 
 for an example.
• The ordering of your rules is very important as rules are applied in sequence.
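
The two points above (destination NAT is applied before the firewall rules, and rules are applied in sequence) can be checked with a small model. This is an added example, not ZyXEL code or ISG50 configuration syntax; the addresses, rule names, and the default-deny fallback are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
@dataclass
class NatEntry:            # destination NAT: WAN address/port -> LAN host
    orig_dst: str
    orig_port: int
    mapped_dst: str
    mapped_port: int
@dataclass
class Rule:
    name: str
    dst: str               # CIDR or "any"
    dport: object          # int or "any"
    action: str            # "allow" or "deny"

def apply_dnat(pkt, nat_table):
    """Rewrite the destination first, before any firewall rule is consulted."""
    for n in nat_table:
        if pkt.dst == n.orig_dst and pkt.dport == n.orig_port:
            return Packet(pkt.src, n.mapped_dst, n.mapped_port)
    return pkt

def matches(rule, pkt):
    dst_ok = rule.dst == "any" or ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
    return dst_ok and (rule.dport == "any" or rule.dport == pkt.dport)

def evaluate(pkt, nat_table, rules, default="deny"):  # default action is an assumption
    translated = apply_dnat(pkt, nat_table)  # rules see the post-NAT packet
    for r in rules:                          # first matching rule wins
        if matches(r, translated):
            return r.action, r.name
    return default, "default"

# Constructed sample data (documentation address ranges and a private LAN host)
NAT = [NatEntry("203.0.113.10", 443, "192.168.1.20", 443)]
PKT = Packet("198.51.100.7", "203.0.113.10", 443)
WRONG = [Rule("allow-wan-ip", "203.0.113.10/32", 443, "allow")]   # never matches
RIGHT = [Rule("allow-lan-ip", "192.168.1.20/32", 443, "allow")]   # matches post-NAT
SHADOWED = [Rule("deny-lan", "192.168.1.0/24", "any", "deny")] + RIGHT

if __name__ == "__main__":
    for rules in (WRONG, RIGHT, SHADOWED):
        print(rules[0].name, "->", evaluate(PKT, NAT, rules))
```

In this model the rule written against the WAN address never matches, and the correct allow rule has no effect once a broader deny rule is placed ahead of it.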
Figure 242   Configuration > Firewall
The following table describes the labels in this screen. 
Table 117   Configuration > Firewall

| LABEL | DESCRIPTION |
|---|---|
| General Settings | |
| Enable Firewall | Select this check box to activate the firewall. The ISG50 performs access control when the firewall is activated. |
| Allow Asymmetrical Route | If an alternate gateway on the LAN has an IP address in the same subnet as the ISG50’s LAN IP address, return traffic may not go through the ISG50. This is called an asymmetrical or “triangle” route. This causes the ISG50 to reset the connection, as the connection has not been acknowledged. Select this check box to have the ISG50 permit the use of asymmetrical route topology on the network (not reset the connection). Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ISG50. A better solution is to use virtual interfaces to put the ISG50 and the backup gateway on separate subnets. |
| Firewall Rule Summary | |