Beginner

ISA550 Global Approve List by IP?

I see no feature in the new ISA500 Series to allow clients globally by IP to bypass the URL Web filtering or Application Control. Am I missing this feature or does this not exist? The SA500 and RV Series Routers have Global Approve Client Lists by IP, which is very convenient since a lot of executives in most companies want full access to the internet. Can someone please confirm if this is available for ISA550? If it is not available, can someone from Cisco please confirm this feature will be added, as I see no way we can implement these devices if we cannot give global approve access by IP, as all our clients require this feature. Thanks.

Rising star

Thank you for using our forum. My name is Johnnatan and I am part of the Small Business Support community. I will be glad to provide assistance. In this case I found a document explaining how to give a restriction to a specific group: http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3522. First you need to create a group, then you need to create the restriction for this group. If you have any questions, just let me know.

I hope you find this answer useful,

*Please mark the question as Answered or rate it so other users can benefit from it*

Greetings,

Johnnatan Rodriguez Miranda.

Cisco Network Support Engineer.

Beginner

Hi Jonathan,

I am having the same exact problem right now. I have policies set up by zone currently, however I don't see the ability to set up a zone for executives and a zone for employees. Perhaps I'm missing something here. But right now there is only a 'LAN' zone, which is everyone in the company.

I want to be able to use the web URL filtering by category for my employee group and disable web URL filtering for my executive group, whether it be by IP or MAC. I think this is also what the above user is trying to do.

thanks

Participant

Hello Patrick & pilgrims28

Currently the Web URL filtering is a per Zone policy. What this means is that you can only have one policy assigned to a zone. (pretty straightforward) You canNOT break up a policy by IP address. (TIP: you CAN do this with application control)

Where things can get complicated is that you can only assign a vLAN to one Zone. Which means that you would have to have two networks, two zones, two URL policies.

Here is a basic example-

use vlan 1 = 192.168.75.0

Create vlan 2 = 192.168.60.0

use default zone = LAN Zone

create exec/priv zone = OTHER Zone

Assign default URL policy to LAN Zone

Assign New/exec URL policy to OTHER Zone

This will work, but you will have to have a network that supports vlans and configure everything to match. Also, since things are now in different zones, you will have to create a firewall rule to allow both networks to talk to each other in the firewall. (not too hard, just make a rule 'from: LAN to: OTHER -permit')

Hope this helps.
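
The plan described in the post above, as an added example that is not part of the original thread and is not ISA500 configuration: a Python sketch that checks an address plan against the constraints stated there (one zone per VLAN, one URL policy per zone, a permit rule between the zones) and resolves which URL policy a client IP ends up with. The /24 masks, the policy names and the function names are assumptions.

```python
import ipaddress

# Constructed plan mirroring the post's example. The /24 masks and the
# policy names are assumptions; the post gives only the network addresses.
VLANS = {"vlan1": "192.168.75.0/24", "vlan2": "192.168.60.0/24"}
VLAN_ZONE = [("vlan1", "LAN"), ("vlan2", "OTHER")]
ZONE_URL_POLICY = [("LAN", "default-url-policy"), ("OTHER", "exec-url-policy")]
FW_PERMITS = [("LAN", "OTHER")]  # (from_zone, to_zone), as in the post


def validate_plan(vlans, vlan_zone, zone_policy, permits):
    """Return the ways a plan breaks the constraints stated in the thread."""
    problems = []
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vlans.items()}
    names = sorted(nets)
    for i, a in enumerate(names):  # subnets must be distinct networks
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap")
    for vlan in names:  # a VLAN can be assigned to only one zone
        zones = sorted({z for v, z in vlan_zone if v == vlan})
        if len(zones) != 1:
            problems.append(f"{vlan} needs exactly one zone, has {zones}")
    used = sorted({z for _, z in vlan_zone})
    for zone in used:  # URL filtering is one policy per zone
        policies = sorted({p for z, p in zone_policy if z == zone})
        if len(policies) != 1:
            problems.append(f"{zone} needs exactly one URL policy, has {policies}")
    for i, a in enumerate(used):  # zones need a firewall rule to talk
        for b in used[i + 1:]:
            if (a, b) not in permits and (b, a) not in permits:
                problems.append(f"no permit rule between {a} and {b}")
    return problems


def url_policy_for(ip, vlans, vlan_zone, zone_policy):
    """Resolve client IP -> VLAN -> zone -> URL policy (None if unmapped)."""
    addr = ipaddress.ip_address(ip)
    for vlan, cidr in vlans.items():
        if addr in ipaddress.ip_network(cidr):
            zone = dict(vlan_zone).get(vlan)
            return dict(zone_policy).get(zone)
    return None


if __name__ == "__main__":
    print(validate_plan(VLANS, VLAN_ZONE, ZONE_URL_POLICY, FW_PERMITS))
    print(url_policy_for("192.168.60.10", VLANS, VLAN_ZONE, ZONE_URL_POLICY))
```

A client left on the 192.168.75.0 network keeps the LAN zone's policy, so exempting a user in this model means moving the machine to the second VLAN rather than listing its IP.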

Rising star

Hi Patrick.

In this case I have a question for you: did you create a group for employees and another one for executives? If not, you can create a group following the instructions in this link: http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3169

If you tried to set the access list with MAC addresses, remember that you can do it, but if you create too many rules it is not going to be effective. It is much better if you set different groups to restrict the access.

I hope you find this answer useful,

*Please mark the question as Answered or rate it so other users can benefit from it*

Greetings,

Johnnatan Rodriguez Miranda.

Cisco Network Support Engineer.

Beginner

I see this being more complicated than it has to be, but for us Partners to explain to customers or local admins this scenario for configuring multiple VLANs, Groups, Zones, Firewall Rules, etc. would be a nightmare. This is very important since most of the time we are trying to make our sales pitch to the decision maker whose first couple of questions include: how do I exempt my computer from this filter without calling a Cisco Engineer every time I need to make a change? Most devices on the market which compete with Cisco have a simple White list or Approve list for client IP or MAC address to bypass the filter altogether. This takes one easy step in the software and it can be managed easily by any basic admin on premise. Is Cisco going to add this capability in a future release? Because I think it's a strong selling point and that is what made the SA 520 and RV devices popular in my sales. Thanks.

Participant

I completely understand your concerns on this. I wish I could offer a clear answer to your question as before, but I am only a technical engineer. We could talk packets all day.

What I will do however, is send this information along, as I agree that it would be a great feature.

Beginner

Thanks for submitting this for a feature request.

Sent from Cisco Technical Support iPhone App