Cisco ISA570W Integrated Security Appliance Quick Setup Guide

© 2012 Cisco Systems, Inc. All rights reserved.
Predefined Zones
The default behavior for all predefined zones and new zones is determined by their security levels. Table 2 lists the predefined zones that the ISA500 supports. The default behavior is as follows:
Traffic from a higher security zone to a lower security zone is permitted.
Traffic from a lower security zone to a higher security zone is blocked.
Traffic between zones with the same security level is blocked.
For example, all traffic from the LAN (trusted zone) to the WAN (untrusted zone) is permitted, and traffic from the WAN (untrusted zone) to the DMZ (public zone) is blocked.
If you create a new trusted zone such as a data zone, firewall rules are automatically generated to permit or block traffic from the data zone to other zones, and vice versa. Whether each generated rule permits or blocks is determined by the security levels of the two zones.
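The three default rules above are a small policy function, and the auto-generation of rules for a new zone is that function applied to every (source, destination) pair. The following Python model, added here as an illustration and not Cisco's code or anything the ISA500 exposes, shows the default action the guide describes and what adding a trusted "data" zone generates. The numeric ranks (trusted 100, public 50, untrusted 0) are constructed for illustration; only their ordering matters, and it follows the guide's examples (LAN to WAN permitted, WAN to DMZ blocked). GUEST, SSLVPN and VPN are left out because the guide does not state their security level relative to the other zones.

```python
"""Model of the ISA500 default inter-zone policy described above.

Constructed example: the ranks in SECURITY_LEVELS are an assumption for
illustration (the ISA500 does not expose such numbers); only the ordering
trusted > public > untrusted, implied by the guide's examples, matters.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import permutations

# Assumed ranks; higher means more trusted.
SECURITY_LEVELS = {"trusted": 100, "public": 50, "untrusted": 0}

# Predefined zones with the classification given in Table 2 of the guide.
# GUEST, SSLVPN and VPN are omitted: the guide does not rank them.
PREDEFINED_ZONES = {
    "WAN": "untrusted",
    "LAN": "trusted",
    "DMZ": "public",
    "VOICE": "trusted",
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    action: str  # "permit" or "block"


def default_action(src_level: str, dst_level: str) -> str:
    """Default action between two zones, decided purely by security level.

    Higher -> lower: permit. Lower -> higher: block. Equal levels: block.
    """
    if src_level not in SECURITY_LEVELS or dst_level not in SECURITY_LEVELS:
        raise ValueError(f"unknown security level: {src_level!r}/{dst_level!r}")
    return "permit" if SECURITY_LEVELS[src_level] > SECURITY_LEVELS[dst_level] else "block"


def generate_rules(zones: dict[str, str]) -> list[Rule]:
    """Generate the default rule for every ordered pair of distinct zones."""
    return [
        Rule(src, dst, default_action(zones[src], zones[dst]))
        for src, dst in permutations(sorted(zones), 2)
    ]


def add_zone(zones: dict[str, str], name: str, level: str) -> tuple[dict[str, str], list[Rule]]:
    """Return the updated zone table and only the rules the new zone introduces.

    This mirrors the guide's statement that rules are auto-generated for
    traffic from the new zone to existing zones and vice versa.
    """
    if name in zones:
        raise ValueError(f"zone {name!r} already exists")
    if level not in SECURITY_LEVELS:
        raise ValueError(f"unknown security level: {level!r}")
    updated = {**zones, name: level}
    new_rules = [r for r in generate_rules(updated) if name in (r.src, r.dst)]
    return updated, new_rules


def lookup(rules: list[Rule], src: str, dst: str) -> str:
    """Return the action for a src -> dst pair, or raise if no rule covers it."""
    for rule in rules:
        if rule.src == src and rule.dst == dst:
            return rule.action
    raise KeyError(f"no rule for {src} -> {dst}")


if __name__ == "__main__":
    # Audit view: print the default matrix, then what a new trusted zone adds.
    for rule in generate_rules(PREDEFINED_ZONES):
        print(f"{rule.src:6} -> {rule.dst:6}: {rule.action}")
    _, added = add_zone(PREDEFINED_ZONES, "DATA", "trusted")
    print(f"\nadding DATA (trusted) generates {len(added)} rules:")
    for rule in added:
        print(f"{rule.src:6} -> {rule.dst:6}: {rule.action}")
```

Reading the generated matrix this way makes the same-level case visible: a trusted DATA zone gets block rules to and from LAN and VOICE by default, so any required data-to-LAN flow has to be opened explicitly rather than assumed to work because both zones are "trusted".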
Table 2. Predefined Zones

Zone    Description
WAN     Untrusted zone. By default, the WAN port is mapped to the WAN zone and can only be mapped to an untrusted zone.
LAN     Trusted zone. You can map one or multiple VLANs to a trusted zone. By default, the DEFAULT VLAN is mapped to the LAN zone.
DMZ     Public zone. Zone used for the public servers that you host in the DMZ networks.
SSLVPN  Virtual zone. Zone used for simplifying secure and remote SSL VPN connections. The SSLVPN zone does not have an assigned physical port.
VPN     Virtual zone. Zone used for simplifying secure IPsec VPN connections. The VPN zone does not have an assigned physical port.
GUEST   Guest zone. Only used for guest access. By default, the GUEST VLAN is mapped to this zone.
VOICE   Trusted zone. Security zone designed for voice traffic. Incoming and outgoing traffic from this zone is optimized for voice operations. If you have voice devices, such as a Cisco IP Phone, we recommend that you place those devices in the VOICE zone.