Cisco ISA550W Integrated Security Appliance Quick Setup Guide

© 2012 Cisco Systems, Inc. All rights reserved.
After you add the new rule, the flow changes to the following:
Step 1. The client sends a packet with source IP address (192.168.1.10) to the destination IP address (1.1.1.1) on port TCP/80 to request a web resource.
Step 2. The ISA500 translates the packet's destination address to the internal web server's address (192.168.1.2) and forwards the request to the internal web server. It also translates the packet's source IP address to its WAN interface IP address (WAN1_IP).
Step 3. The web server replies to the request and sends the reply with a source IP address of 192.168.1.2 back to the router's WAN interface IP address (WAN1_IP).
Step 4. The ISA500 determines that the packet is part of a previous connection and undoes both the source and destination NAT. It then places the original destination IP address (1.1.1.1) into the source IP address field and the original source IP address (192.168.1.10) into the destination IP address field.
Step 5. The client receives the reply packet that it expects and the connection is established.
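The five steps above can be traced in a small model. This is an added example, not code from the Cisco guide or the ISA500: the value used for WAN1_IP, the client source port 40000, and all class and function names are assumptions, and the client and web server are assumed to share one subnet. It also goes one step beyond the text by running the same flow without the source translation, to show why the reply is then rejected by the client.

```python
from dataclasses import dataclass, replace

# Addresses from the guide's walkthrough.
CLIENT, PUBLIC_IP, WEB_SERVER = "192.168.1.10", "1.1.1.1", "192.168.1.2"
WAN1_IP = "203.0.113.1"  # assumption: constructed stand-in for the guide's WAN1_IP

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class HairpinNat:
    """Toy model of the appliance: DNAT and SNAT on requests, both undone on replies."""
    def __init__(self, snat_enabled=True):
        self.snat_enabled = snat_enabled
        self.conntrack = {}  # expected reply packet -> original request

    def forward(self, pkt):
        # Step 2: rewrite the destination to the web server, the source to WAN1_IP.
        out = replace(pkt, dst=WEB_SERVER)
        if self.snat_enabled:
            out = replace(out, src=WAN1_IP)
        self.conntrack[Packet(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reply(self, pkt):
        # Step 4: only a packet matching a tracked connection is translated back.
        orig = self.conntrack.get(pkt)
        if orig is None:
            return None  # not part of a previous connection: dropped
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)

def server_reply(request):
    # Step 3: the server answers the source address it actually saw.
    return Packet(request.dst, request.dport, request.src, request.sport)

def client_accepts(sent, received):
    # Step 5: the client expects the reply to come from the address it contacted.
    return received == Packet(sent.dst, sent.dport, sent.src, sent.sport)

def run_flow(snat_enabled):
    nat = HairpinNat(snat_enabled)
    request = Packet(CLIENT, 40000, PUBLIC_IP, 80)  # Step 1, constructed source port
    at_server = nat.forward(request)
    answer = server_reply(at_server)
    # Without SNAT the reply is addressed to the client on the same subnet and bypasses the appliance.
    delivered = nat.reply(answer) if answer.dst == WAN1_IP else answer
    return at_server, delivered, client_accepts(request, delivered)
```

With source NAT the client sees a reply from 1.1.1.1 and accepts it; without it the reply arrives from 192.168.1.2, which matches no connection the client opened.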
Configuring Port Triggering
Port triggering opens an incoming port for a specified type of traffic on a defined outgoing port. Port triggering is more flexible and secure than port forwarding, because the incoming ports are not always open. The ports are open only when a program is actively using the trigger port.
Some applications may specifically require port triggering. These applications require that, when external devices connect to them, they receive data on a specific port or range of ports to function properly. The ISA500 must send all incoming data for that application only on the required port or range of ports. You can specify a port triggering rule by defining the type of traffic (TCP or UDP) and the range of incoming and outgoing ports to open when enabled.
        
NOTE: You can configure up to 15 port triggering rules.
Step 1. Choose Firewall > NAT > Port Triggering.
Step 2. To enable a port triggering rule, click the box in the Enable column.
Step 3. To add a new port triggering rule, click Add.
Step 4. Enter the following information.
Description: Enter the name for the port triggering rule.
Triggered Service: Choose an outgoing TCP or UDP service.