User's Manual
Table Of Contents
- Getting Started
- Wizards
- Using the Startup Wizard
- Using the Wireless Wizard to Configure the Wireless Settings for ISA550W and ISA570W
- Using the DMZ Wizard to Configure the DMZ Settings
- Using the Dual WAN Wizard to Configure the WAN Redundancy Settings
- Using the Site-to-Site Wizard to Establish the Site-to-Site VPN Tunnels
- Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote Access
- Status
- Networking
- Configuring IP Routing Mode
- Port Management
- Configuring the WAN
- Configuring the WAN Redundancy
- Configuring the VLAN
- Configuring the DMZ
- Configuring the Zones
- Configuring the Routing
- Dynamic DNS
- IGMP
- VRRP
- Configuring the Quality of Service
- Address Management
- Service Management
- Wireless Configuration for ISA550W and ISA570W
- Firewall
- Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic
- Configuring the Firewall Schedule
- Firewall Access Rule Configuration Examples
- Configuring the NAT Rules to Securely Access a Remote Network
- Configuring the Session Settings
- Configuring the Content Filtering to Control Access to Internet
- Configuring the MAC Filtering to Permit or Block Traffic
- Configuring the IP/MAC Binding to Prevent Spoofing
- Configuring the Attack Protection
- Configuring the Application Level Gateway
- Security Services
- VPN
- About VPN
- Configuring the Cisco IPSec VPN Server
- Configuring the Cisco IPSec VPN Client
- Configuring the Site-to-Site VPN
- Configuring the SSL VPN
- Elements of the SSL VPN
- Configuration Tasks to Establish a SSL VPN Tunnel
- Installing the Cisco AnyConnect VPN Client on User’s PC
- Importing the Certificates for User Authentication
- Configuring the SSL VPN Users
- Configuring the SSL VPN Gateway
- Configuring the SSL VPN Group Policies
- Configuring the SSL VPN Portal
- Configuring the L2TP Server
- Configuring the VPN Passthrough
- Viewing the VPN Status
- User Management
- Device Management
- Remote Management
- Administration
- SNMP
- Configuration Management
- Firmware Management
- Log Management
- Managing the Security License
- Managing the Certificates for Authentication
- Configuring the Email Alert Settings
- Configuring the RADIUS Servers
- Configuring the Time Zone
- Device Discovery
- Diagnosing the Device
- Measuring and Limiting Traffic with the Traffic Meter
- Configuring the ViewMaster
- Configuring the CCO Account
- Configuring the Device Properties
- Configuring the Debug Settings
- Troubleshooting
- Technical Specifications and Environmental Requirements
- Factory Default Settings
- Where to Go From Here
Firewall
Configuring the Application Level Gateway
Cisco ISA500 Series Integrated Security Appliance Administrator Guide 209
6
Configuring the Application Level Gateway
The security appliance can function as an Application Level Gateway (ALG) to
allow certain NAT un-friendly applications (such as SIP or H.323) to operate
properly through the security appliance.
If Voice-over-IP (VoIP) is used in your organization, you should enable the H.323
ALG or SIP ALG to open the ports necessary to enable the VoIP through your voice
device. The ALGs are created to work in a NAT environment to maintain the
security for privately addressed conferencing equipment protected by your voice
device.
You can use both H.323 and SIP ALGs at the same time, if necessary. To determine
which ALG to use, consult the documentation for your VoIP devices or
applications.
STEP 1 Click Firewall -> Application Level Gateway.
The Application Level Gateway window opens.
STEP 2 Enter the following information:
• SIP Protocol Support: SIP ALG can rewrite the information within the SIP
messages (SIP headers and SDP body) to make signaling and audio traffic
between the client behind NAT and the SIP endpoint possible. Check this
box to allow the SIP sessions to pass through the security appliance, or
uncheck this box to block the SIP sessions.
NOTE Enable SIP ALG when voice devices such as UC 500, UC 300, or SIP
phones are connected to the network behind the security appliance.
• H323 Support: H.323 is a standard teleconferencing protocol suite that
provides audio, data, and video conferencing. It allows for real-time point-to-
point and multipoint communication between client computers over a
packet-based network that does not provide a guaranteed quality of
service. Check this box to allow the H.323 sessions to pass through the
security appliance, or uncheck this box to block the H.323 sessions.
STEP 3 Click Save to apply your settings.