Cisco ISA550W Integrated Security Appliance Quick Setup Guide

© 2012 Cisco Systems, Inc. All rights reserved.
Application Note
Configuring a Zone-Based Firewall on the Cisco ISA500 
Security Appliance
This application note describes how to configure a zone-based firewall on the Cisco ISA500 security 
appliance. This document includes the following sections:
A zone-based firewall can permit or deny inbound or outbound traffic to the Internet based on the zone, 
service, source and destination address, and time of day. Zone-based security is a powerful and flexible 
method of managing both internal and external network segments that allows you to separate and 
protect critical internal network resources from unapproved access or attacks.
Understanding Zones
A zone is a group of interfaces to which a security policy can be applied. The interfaces (such as VLAN, 
DMZ, WAN, and VPN) in a zone share common functions or features. For example, two interfaces that 
belong to the internal network might be placed in one security zone and the interfaces connected to the 
Internet might be placed in another zone. Security policies control the transit traffic between the 
different zones and thereby protect the services in each zone.
Zone Security Levels
The zone security level is the level of trust given to that zone. Table 1 lists the security levels that the 
ISA500 supports. The greater the value, the higher the permission level.
Table 1. Supported Security Levels

Trusted (100): Highest level of trust. By default, the LAN zone is trusted.
VPN (75): Higher level of trust than a public zone, but a lower level of trust than a trusted zone. This security level is only used by the predefined VPN and SSLVPN zones. All traffic to and from a VPN zone is encrypted.
Public (50): Higher level of trust than a guest zone, but a lower level of trust than a VPN zone. The demilitarized zone (DMZ) is a public zone.
Guest (25): Higher level of trust than an untrusted zone, but a lower level of trust than a public zone. Guest zones can only be used for guest access.
Untrusted (0): Lowest level of trust, used by both the WAN and the virtual multicast zones. The WAN port can only be mapped to an untrusted zone.
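As an added example (not Cisco's code and not the ISA500's configuration syntax), the following Python models the rule matching described in the introduction (zone pair, service, source and destination address, time of day) and uses the trust levels from Table 1 to flag permit rules that open a less trusted zone toward a more trusted one. The zone names, the sample rules and the default-deny fallback for unmatched traffic are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
# Zone trust levels from Table 1 (higher value = more trusted).
ZONE_LEVEL = {"LAN": 100, "VPN": 75, "DMZ": 50, "GUEST": 25, "WAN": 0}

@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    service: str   # e.g. "tcp/443"; "any" matches every service
    src: str       # source CIDR, or "any"
    dst: str       # destination CIDR, or "any"
    start: time    # schedule window: start inclusive, end exclusive
    end: time
    action: str    # "permit" or "deny"

def _addr_match(cidr, addr):
    return cidr == "any" or ip_address(addr) in ip_network(cidr)

def rule_matches(rule, pkt):
    """True when zone pair, service, both addresses and the schedule all cover pkt."""
    return ((rule.src_zone, rule.dst_zone) == (pkt["src_zone"], pkt["dst_zone"])
            and rule.service in ("any", pkt["service"])
            and _addr_match(rule.src, pkt["src"]) and _addr_match(rule.dst, pkt["dst"])
            and rule.start <= pkt["time"] < rule.end)

def evaluate(rules, pkt):
    """First matching rule wins; unmatched traffic is denied in this model
    (an assumption of the example, not a statement about ISA500 defaults)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"

def rules_needing_review(rules):
    """Permit rules that let a less trusted zone reach a more trusted one (Table 1 order)."""
    return [r for r in rules
            if r.action == "permit" and ZONE_LEVEL[r.src_zone] < ZONE_LEVEL[r.dst_zone]]

# Constructed sample policy: guest HTTPS in business hours, LAN to DMZ, Internet to a DMZ web server.
RULES = [
    Rule("GUEST", "WAN", "tcp/443", "any", "any", time(8), time(18), "permit"),
    Rule("LAN", "DMZ", "any", "192.168.1.0/24", "any", time(0), time.max, "permit"),
    Rule("WAN", "DMZ", "tcp/443", "any", "203.0.113.0/24", time(0), time.max, "permit"),
]

def sample_packet(hour, minute=0, **overrides):
    """Constructed guest-to-Internet HTTPS flow at a clock time; overrides change fields."""
    pkt = {"src_zone": "GUEST", "dst_zone": "WAN", "service": "tcp/443",
           "src": "10.10.0.5", "dst": "198.51.100.7", "time": time(hour, minute)}
    return {**pkt, **overrides}
```

Running `rules_needing_review(RULES)` returns only the WAN-to-DMZ rule, which is the kind of inbound exposure an administrator should confirm is intended.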