Cisco ASA 5500 Series Configuration Guide using the CLI

Software Version 8.4 and 8.6
For the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5580, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, and ASA 5585-X

Released: January 31, 2011
Updated: October 31, 2012

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS

• About This Guide, page lxv
• Document Objectives, page lxv
• Audience, page lxv
• Related Documentation, page lxv
• Conventions, page lxvi
• Obtaining Documentation and Submitting a Service Request, page lxvii

PART 1 Getting Started with the ASA

CHAPTER 1 Introduction to the Cisco ASA 5500 Series, page 1-1
• Hardware and Software Compatibility, page 1-1
• VPN Specifications, page 1-1
• New Features, page 1-1
• New Features in Version 8.6(1)
• New Features in Version 8.4(5)
• New Features in Version 8.4(4.1)
• New Features in Version 8.
• Firewall Mode Overview, page 1-27
• Stateful Inspection Overview, page 1-27
• VPN Functional Overview, page 1-28
• Security Context Overview, page 1-29

CHAPTER 2 Getting Started, page 2-1
• Accessing the Appliance Command-Line Interface, page 2-1
• Configuring ASDM Access for Appliances, page 2-2
• Accessing ASDM Using the Factory Default Configuration, page 2-2
• Accessing ASDM Using a Non-Default Configuration (ASA 5505), page 2-3
• Accessing ASDM Using a Non-Default Configuration (ASA 5510 and Higher)
• Starting ASDM, page 2-6
• Connecting to ASDM for the First Tim
• Preinstalled License, page 3-21
• Permanent License, page 3-21
• Time-Based Licenses, page 3-21
• Time-Based License Activation Guidelines, page 3-21
• How the Time-Based License Timer Works, page 3-21
• How Permanent and Time-Based Licenses Combine, page 3-22
• Stacking Time-Based Licenses, page 3-23
• Time-Based License Expiration, page 3-23
• Shared AnyConnect Premium Licenses, page 3-23
• Information About the Shared Licensing Server and Participants
• Communication Issues Between Participant and Server, page 3-25
• Information About the Shared Licensing Backup Server, page 3-25
• Information About Routed Firewall Mode, page 4-2
• Information About Transparent Firewall Mode, page 4-2
• Licensing Requirements for the Firewall Mode, page 4-6
• Default Settings, page 4-6
• Guidelines and Limitations, page 4-6
• Setting the Firewall Mode, page 4-8
• Feature History for Firewall Mode, page 4-9
• Configuring ARP Inspection for the Transparent Firewall, page 4-9
• Information About ARP Inspection, page 4-10
• Licensing Requirements for ARP Inspection, page 4-10
• Default Settings, page 4-10
• Guidelines and Limitations, page 4-10
• Configuring ARP Inspection, page 4-11
• Task Flow f
• An Outside User Visits a Web Server on the Inside Network, page 4-26
• An Outside User Attempts to Access an Inside Host, page 4-27

CHAPTER 5 Configuring Multiple Context Mode, page 5-1
• Information About Security Contexts, page 5-1
• Common Uses for Security Contexts, page 5-2
• Context Configuration Files, page 5-2
• Context Configurations, page 5-2
• System Configuration, page 5-2
• Admin Context Configuration, page 5-2
• How the ASA Classifies Packets, page 5-3
• Valid Classifier Criteria, page 5-3
• Classification Examples, page 5-4
• Cascading Security Contexts, page 5-6
• Management
• Removing a Security Context, page 5-24
• Changing the Admin Context, page 5-24
• Changing the Security Context URL, page 5-25
• Reloading a Security Context, page 5-26
• Reloading by Clearing the Configuration, page 5-26
• Reloading by Removing and Re-adding the Context
• Monitoring Security Contexts, page 5-27
• Viewing Context Information, page 5-27
• Viewing Resource Allocation, page 5-29
• Viewing Resource Usage, page 5-32
• Monitoring SYN Attacks in Contexts, page 5-33
• Viewing Assigned MAC Addresses, page 5-35
• Viewing MAC Addresses in the System Configuration
• Viewing MAC Addre
• Guidelines and Limitations, page 6-9
• Default Settings, page 6-11
• Starting Interface Configuration (ASA 5510 and Higher), page 6-12
• Task Flow for Starting Interface Configuration, page 6-12
• Converting In-Use Interfaces to a Redundant or EtherChannel Interface, page 6-13
• Enabling the Physical Interface and Configuring Ethernet Parameters, page 6-22
• Configuring a Redundant Interface, page 6-25
• Configuring a Redundant Interface, page 6-25
• Changing the Active Interface, page 6-27
• Configuring an EtherChannel, page 6-27
• Adding Interfaces to the EtherChannel 6-
• Configuring and Enabling Switch Ports as Trunk Ports, page 7-9
• Monitoring Interfaces, page 7-11
• Configuration Examples for ASA 5505 Interfaces, page 7-11
• Access Port Example, page 7-11
• Trunk Port Example, page 7-12
• Where to Go Next, page 7-13
• Feature History for ASA 5505 Interfaces, page 7-13

CHAPTER 8 Completing Interface Configuration (Routed Mode), page 8-1
• Information About Completing Interface Configuration in Routed Mode, page 8-1
• Security Levels, page 8-1
• Dual IP Stack (IPv4 and IPv6), page 8-2
• Licensing Requirements for Completing Interface
• Configuring Bridge Groups, page 9-7
• Configuring General Interface Parameters, page 9-8
• Configuring a Management Interface (ASA 5510 and Higher), page 9-11
• Configuring the MAC Address and MTU, page 9-12
• Configuring IPv6 Addressing, page 9-15
• Information About IPv6, page 9-15
• Configuring a Global IPv6 Address and Other Options, page 9-17
• Allowing Same Security Level Communication, page 9-18
• Monitoring Interfaces, page 9-19
• Configuration Examples for Interfaces in Transparent Mode
• Feature History for Interfaces in Transparent Mode, page 9-20

PART Configu
CHAPTER 11 Configuring DHCP, page 11-1
• Information About DHCP, page 11-1
• Licensing Requirements for DHCP, page 11-1
• Guidelines and Limitations, page 11-2
• Configuring a DHCP Server, page 11-2
• Enabling the DHCP Server, page 11-3
• Configuring DHCP Options, page 11-4
• Options that Return an IP Address, page 11-4
• Options that Return a Text String, page 11-4
• Options that Return a Hexadecimal Value, page 11-5
• Using Cisco IP Phones with a DHCP Server, page 11-6
• Configuring DHCP Relay Services, page 11-7
• DHCP Monitoring Commands, page 11-8
• Feature History for

CHAPTER 12
• Information About Object Groups, page 13-2
• Licensing Requirements for Objects and Groups, page 13-2
• Guidelines and Limitations for Objects and Groups, page 13-3
• Configuring Objects, page 13-3
• Configuring a Network Object, page 13-3
• Configuring a Service Object, page 13-4
• Configuring Object Groups, page 13-6
• Adding a Protocol Object Group, page 13-6
• Adding a Network Object Group, page 13-7
• Adding a Service Object Group, page 13-8
• Adding an ICMP Type Object Group, page 13-9
• Nesting Object Groups, page 13-10
• Removing Object Groups, page 13-11
• Monitoring Objects and Groups 13-1
• Adding an Extended Access List, page 15-3
• Adding Remarks to Access Lists, page 15-5
• Monitoring Extended Access Lists, page 15-5
• Configuration Examples for Extended Access Lists, page 15-5
• Configuration Examples for Extended Access Lists (No Objects), page 15-6
• Configuration Examples for Extended Access Lists (Using Objects), page 15-6
• Where to Go Next, page 15-7
• Feature History for Extended Access Lists, page 15-7

CHAPTER 16 Adding an EtherType Access List, page 16-1
• Information About EtherType Access Lists, page 16-1
• Licensing Requirements for
CHAPTER 18 Adding a Webtype Access List, page 18-1
• Licensing Requirements for Webtype Access Lists, page 18-1
• Guidelines and Limitations, page 18-1
• Default Settings, page 18-2
• Using Webtype Access Lists, page 18-2
• Task Flow for Configuring Webtype Access Lists, page 18-2
• Adding Webtype Access Lists with a URL String, page 18-3
• Adding Webtype Access Lists with an IP Address, page 18-4
• Adding Remarks to Access Lists, page 18-5
• What to Do Next, page 18-5
• Monitoring Webtype Access Lists, page 18-5
• Configuration Examples for Webtype Access Lists
• Feature H
• Configuration Examples for Access List Logging
• Feature History for Access List Logging, page 20-5
• Managing Deny Flows, page 20-5
• Information About Managing Deny Flows, page 20-6
• Licensing Requirements for Managing Deny Flows
• Guidelines and Limitations, page 20-6
• Default Settings, page 20-7
• Managing Deny Flows, page 20-7
• Monitoring Deny Flows, page 20-7
• Feature History for Managing Deny Flows, page 20-8

PART 6 Configuring IP Routing

CHAPTER 21 Routing Overview, page 21-1
• Information About Routing, page 21-1
• Switching, page 21-2
• Path Determination, page 21-2
• Sup
CHAPTER 22 Configuring Static and Default Routes, page 22-1
• Information About Static and Default Routes, page 22-1
• Licensing Requirements for Static and Default Routes, page 22-2
• Guidelines and Limitations, page 22-2
• Configuring Static and Default Routes, page 22-2
• Configuring a Static Route, page 22-3
• Adding or Editing a Static Route, page 22-3
• Configuring a Default Static Route, page 22-4
• Limitations on Configuring a Default Static Route
• Configuring IPv6 Default and Static Routes, page 22-5
• Monitoring a Static or Default Route, page 22-6
• Confi
• Configuring OSPF Area Parameters, page 24-10
• Configuring OSPF NSSA, page 24-11
• Defining Static OSPF Neighbors, page 24-12
• Configuring Route Calculation Timers, page 24-13
• Logging Neighbors Going Up or Down, page 24-13
• Restarting the OSPF Process, page 24-14
• Configuration Example for OSPF, page 24-14
• Monitoring OSPF, page 24-16
• Feature History for OSPF, page 24-17

CHAPTER 25 Configuring RIP, page 25-1
• Information About RIP, page 25-1
• Routing Update Process, page 25-2
• RIP Routing Metric, page 25-2
• RIP Stability Features, page 25-2
• RIP Timers, page 25-2
• Licensing Requirements f
• Multicast Addresses, page 26-2
• Licensing Requirements for Multicast Routing, page 26-2
• Guidelines and Limitations, page 26-3
• Enabling Multicast Routing, page 26-3
• Customizing Multicast Routing, page 26-4
• Configuring Stub Multicast Routing and Forwarding IGMP Messages
• Configuring a Static Multicast Route, page 26-4
• Configuring IGMP Features, page 26-5
• Disabling IGMP on an Interface, page 26-6
• Configuring IGMP Group Membership, page 26-6
• Configuring a Statically Joined IGMP Group, page 26-6
• Controlling Access to Multicast Groups, page 26-7
• Limiting the Numb
• Defining a Network for an EIGRP Routing Process, page 27-5
• Configuring Interfaces for EIGRP, page 27-6
• Configuring Passive Interfaces, page 27-7
• Configuring the Summary Aggregate Addresses on Interfaces
• Changing the Interface Delay Value, page 27-9
• Enabling EIGRP Authentication on an Interface, page 27-9
• Defining an EIGRP Neighbor, page 27-10
• Redistributing Routes Into EIGRP, page 27-11
• Filtering Networks in EIGRP, page 27-12
• Customizing the EIGRP Hello Interval and Hold Time, page 27-13
• Disabling Automatic Route Summarization, page 27-14
• Configuring Defau
• Additional References, page 28-13
• Related Documents for IPv6 Prefixes, page 28-14
• RFCs for IPv6 Prefixes and Documentation, page 28-14
• Feature History for IPv6 Neighbor Discovery, page 28-14

PART 7 Configuring Network Address Translation

CHAPTER 29 Information About NAT, page 29-1
• Why Use NAT?, page 29-1
• NAT Terminology, page 29-2
• NAT Types, page 29-3
• NAT Types Overview, page 29-3
• Static NAT, page 29-3
• Information About Static NAT, page 29-3
• Information About Static NAT with Port Translation, page 29-4
• Information About One-to-Many Static NAT, page 29-6
• Informat
• DNS and NAT, page 29-24
• Where to Go Next, page 29-27

CHAPTER 30 Configuring Network Object NAT, page 30-1
• Information About Network Object NAT, page 30-1
• Licensing Requirements for Network Object NAT, page 30-2
• Prerequisites for Network Object NAT, page 30-2
• Guidelines and Limitations, page 30-2
• Default Settings, page 30-3
• Configuring Network Object NAT, page 30-3
• Configuring Dynamic NAT, page 30-4
• Configuring Dynamic PAT (Hide), page 30-6
• Configuring Static NAT or Static NAT-with-Port-Translation
• Configuring Identity NAT, page 30-12
• Monitoring Network
• Configuration Examples for Twice NAT, page 31-24
• Different Translation Depending on the Destination (Dynamic PAT), page 31-24
• Different Translation Depending on the Destination Address and Port (Dynamic PAT), page 31-26
• Feature History for Twice NAT, page 31-28

PART 8 Configuring Service Policies Using the Modular Policy Framework

CHAPTER 32 Configuring a Service Policy Using the Modular Policy Framework, page 32-1
• Information About Service Policies, page 32-1
• Supported Features for Through Traffic, page 32-2
• Supported Features
CHAPTER 33 Configuring Special Actions for Application Inspections (Inspection Policy Map), page 33-1
• Information About Inspection Policy Maps, page 33-1
• Default Inspection Policy Maps, page 33-2
• Guidelines and Limitations, page 33-2
• Defining Actions in an Inspection Policy Map, page 33-2
• Identifying Traffic in an Inspection Class Map, page 33-6
• Where to Go Next, page 33-7

PART 9 Configuring Access Control

CHAPTER 34 Configuring Access Rules, page 34-1
• Information About Access Rules, page 34-1
• General Information About Rules, page 34-2
CHAPTER 35 Configuring AAA Servers and the Local Database, page 35-1
• Information About AAA, page 35-1
• Information About Authentication, page 35-2
• Information About Authorization, page 35-2
• Information About Accounting, page 35-3
• Summary of Server Support, page 35-3
• RADIUS Server Support, page 35-4
• Authentication Methods, page 35-4
• Attribute Support, page 35-4
• RADIUS Authorization Functions, page 35-5
• TACACS+ Server Support, page 35-5
• RSA/SDI Server Support, page 35-5
• RSA/SDI Version Support, page 35-5
• Two-step Authentication Process, page 35-5
• RSA/SDI Primary and Replica Serv
• Differentiating User Roles Using AAA, page 35-28
• Using Local Authentication, page 35-28
• Using RADIUS Authentication, page 35-29
• Using LDAP Authentication, page 35-29
• Using TACACS+ Authentication, page 35-30
• Monitoring AAA Servers, page 35-30
• Additional References, page 35-31
• RFCs, page 35-31
• Feature History for AAA Servers, page 35-31

CHAPTER 36 Configuring the Identity Firewall, page 36-1
• Information About the Identity Firewall, page 36-1
• Overview of the Identity Firewall, page 36-1
• Architecture for Identity Firewall Deployments, page 36-2
• Features of the Identity
• Guidelines and Limitations, page 37-2
• Configuring Telnet Access, page 37-3
• Using a Telnet Client, page 37-4
• Configuring SSH Access, page 37-4
• Using an SSH Client, page 37-5
• Configuring HTTPS Access for ASDM, page 37-6
• Configuring CLI Parameters, page 37-6
• Licensing Requirements for CLI Parameters
• Guidelines and Limitations, page 37-7
• Configuring a Login Banner, page 37-7
• Customizing a CLI Prompt, page 37-8
• Changing the Console Timeout, page 37-9
• Configuring ICMP Access, page 37-10
• Information About ICMP Access, page 37-10
• Licensing Requirements for ICMP Access
• Guidelines
• Configuring TACACS+ Command Authorization, page 37-29
• Configuring Management Access Accounting, page 37-30
• Viewing the Currently Logged-In User, page 37-30
• Recovering from a Lockout, page 37-31
• Setting a Management Session Quota, page 37-32
• Feature History for Management Access, page 37-33

CHAPTER 38 Configuring AAA Rules for Network Access, page 38-1
• AAA Performance, page 38-1
• Licensing Requirements for AAA Rules, page 38-1
• Guidelines and Limitations, page 38-2
• Configuring Authentication for Network Access, page 38-2
• Information About Authentication 3
• Configuration Examples for ActiveX Filtering, page 39-3
• Feature History for ActiveX Filtering, page 39-4
• Configuring Java Applet Filtering, page 39-4
• Information About Java Applet Filtering, page 39-4
• Licensing Requirements for Java Applet Filtering, page 39-4
• Guidelines and Limitations for Java Applet Filtering, page 39-5
• Configuring Java Applet Filtering, page 39-5
• Configuration Examples for Java Applet Filtering, page 39-5
• Feature History for Java Applet Filtering, page 39-6
• Filtering URLs and FTP Requests with an External Server, page 39-6
• Informatio
• Proxy for SCEP Requests, page 41-3
• Revocation Checking, page 41-4
• Supported CA Servers, page 41-4
• CRLs, page 41-4
• OCSP, page 41-5
• The Local CA, page 41-6
• Storage for Local CA Files, page 41-6
• The Local CA Server, page 41-6
• Licensing Requirements for Digital Certificates, page 41-7
• Prerequisites for Local Certificates, page 41-7
• Prerequisites for SCEP Proxy Support, page 41-7
• Guidelines and Limitations, page 41-8
• Configuring Digital Certificates, page 41-9
• Configuring Key Pairs, page 41-9
• Removing Key Pairs, page 41-10
• Configuring Trustpoints, page 41-10
• Configuring CRLs for a Trustpoint
• Adding and Enrolling Users, page 41-36
• Renewing Users, page 41-38
• Restoring Users, page 41-39
• Removing Users, page 41-39
• Revoking Certificates, page 41-40
• Maintaining the Local CA Certificate Database, page 41-40
• Rolling Over Local CA Certificates, page 41-40
• Archiving the Local CA Server Certificate and Keypair, page 41-41
• Monitoring Digital Certificates, page 41-41
• Feature History for Certificate Management, page 41-43

PART 10 Configuring Application Inspection

CHAPTER 42 Getting Started with Application Layer Protocol Inspection
• Information abo
• Configuring an HTTP Inspection Policy Map for Additional Inspection Control, page 43-17
• ICMP Inspection, page 43-20
• ICMP Error Inspection, page 43-21
• Instant Messaging Inspection, page 43-21
• IM Inspection Overview, page 43-21
• Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control
• IP Options Inspection, page 43-24
• IP Options Inspection Overview, page 43-25
• Configuring an IP Options Inspection Policy Map for Additional Inspection Control
• IPsec Pass Through Inspection, page 43-26
• IPsec Pass Through Inspection
• Monitoring H.
• Configuring a GTP Inspection Policy Map for Additional Inspection Control, page 46-4
• Verifying and Monitoring GTP Inspection, page 46-8
• RADIUS Accounting Inspection, page 46-9
• RADIUS Accounting Inspection Overview, page 46-9
• Configuring a RADIUS Inspection Policy Map for Additional Inspection Control
• RSH Inspection, page 46-11
• SNMP Inspection, page 46-11
• SNMP Inspection Overview, page 46-11
• Configuring an SNMP Inspection Policy Map for Additional Inspection Control
• XDMCP Inspection, page 46-12

PART

CHAPTER 47 Information About Cisco Unified Com
• Phone Proxy Guidelines and Limitations, page 48-12
• General Guidelines and Limitations, page 48-13
• Media Termination Address Guidelines and Limitations, page 48-14
• Configuring the Phone Proxy, page 48-14
• Task Flow for Configuring the Phone Proxy in a Non-secure Cisco UCM Cluster, page 48-15
• Importing Certificates from the Cisco UCM, page 48-15
• Task Flow for Configuring the Phone Proxy in a Mixed-mode Cisco UCM Cluster, page 48-17
• Creating Trustpoints and Generating Certificates, page 48-17
• Creating the CTL File, page 48-18
• Using an Existing CTL File
• Example 4: Mixed-mode Cisco UCM cluster, Primary Cisco UCM, Secondary and TFTP Server on Different Servers, page 48-47
• Example 5: LSC Provisioning in Mixed-mode Cisco UCM cluster; Cisco UCM and TFTP Server on Publisher, page 48-49
• Example 6: VLAN Transversal, page 48-51
• Feature History for the Phone Proxy, page 48-53

CHAPTER 49 Configuring the TLS Proxy for Encrypted Voice Inspection, page 49-1
• Information about the TLS Proxy for Encrypted Voice Inspection, page 49-1
• Decryption and Inspection of Unified Communications Encrypte
• Example 2: Cisco UMC/Cisco UMA Architecture – Security Appliance as TLS Proxy Only, page 50-12
• Feature History for Cisco Mobility Advantage, page 50-14

CHAPTER 51 Configuring Cisco Unified Presence, page 51-1
• Information About Cisco Unified Presence, page 51-1
• Architecture for Cisco Unified Presence for SIP Federation Deployments, page 51-1
• Trust Relationship in the Presence Federation, page 51-4
• Security Certificate Exchange Between Cisco UP and the Security Appliance, page 51-5
• XMPP Federation Deployments, page 51-5
• Configuration Requi
• Configuring NAT for Cisco Intercompany Media Engine Proxy, page 52-12
• Configuring PAT for the Cisco UCM Server, page 52-14
• Creating Access Lists for Cisco Intercompany Media Engine Proxy, page 52-16
• Creating the Media Termination Instance, page 52-17
• Creating the Cisco Intercompany Media Engine Proxy, page 52-18
• Creating Trustpoints and Generating Certificates, page 52-21
• Creating the TLS Proxy, page 52-24
• Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy, page 52-25
• (Optional) Configuring TLS within the Local Enterprise 52-
• Configuration Examples for TCP Normalization, page 53-15
• Feature History for Connection Settings, page 53-16

CHAPTER 54 Configuring QoS, page 54-1
• Information About QoS, page 54-1
• Supported QoS Features, page 54-2
• What is a Token Bucket?, page 54-2
• Information About Policing, page 54-3
• Information About Priority Queuing, page 54-3
• Information About Traffic Shaping, page 54-4
• How QoS Features Interact, page 54-4
• DSCP and DiffServ Preservation, page 54-5
• Licensing Requirements for QoS, page 54-5
• Guidelines and Limitations, page 54-5
• Configuring QoS, page 54-6
• Determining
• How the Botnet Traffic Filter Works, page 55-5
• Licensing Requirements for the Botnet Traffic Filter, page 55-6
• Guidelines and Limitations, page 55-6
• Default Settings, page 55-6
• Configuring the Botnet Traffic Filter, page 55-6
• Task Flow for Configuring the Botnet Traffic Filter, page 55-7
• Configuring the Dynamic Database, page 55-7
• Adding Entries to the Static Database, page 55-9
• Enabling DNS Snooping, page 55-10
• Enabling Traffic Classification and Actions for the Botnet Traffic Filter
• Blocking Botnet Traffic Manually, page 55-15
• Searching the Dynamic
• Configuring Scanning Threat Detection, page 56-15
• Information About Scanning Threat Detection, page 56-15
• Guidelines and Limitations, page 56-16
• Default Settings, page 56-16
• Configuring Scanning Threat Detection, page 56-17
• Monitoring Shunned Hosts, Attackers, and Targets, page 56-17
• Feature History for Scanning Threat Detection, page 56-18
• Configuration Examples for Threat Detection

CHAPTER 57 Using Protection Tools, page 57-1
• Preventing IP Spoofing, page 57-1
• Configuring the Fragment Size, page 57-2
• Blocking Unwanted Connections, page 57-2
• Configuring
• Diverting Traffic to the ASA IPS module, page 58-17
• Monitoring the ASA IPS module, page 58-20
• Troubleshooting the ASA IPS module, page 58-21
• Installing an Image on the Module, page 58-21
• Uninstalling a Software Module Image, page 58-23
• Resetting the Password, page 58-23
• Reloading or Resetting the Module, page 58-24
• Shutting Down the Module, page 58-24
• Configuration Examples for the ASA IPS module, page 58-25
• Feature History for the ASA IPS module, page 58-25

CHAPTER 59 Configuring the ASA CX Module, page 59-1
• Information About the ASA CX Module, page 59-1
• Ho
• Resetting the Password, page 59-17
• Reloading or Resetting the Module, page 59-18
• Shutting Down the Module, page 59-19
• Debugging the Module, page 59-19
• Problems with the Authentication Proxy, page 59-20
• Configuration Examples for the ASA CX Module, page 59-21
• Feature History for the ASA CX Module, page 59-22

CHAPTER 60 Configuring the ASA CSC Module, page 60-1
• Information About the CSC SSM, page 60-1
• Determining What Traffic to Scan, page 60-3
• Licensing Requirements for the CSC SSM
• Prerequisites for the CSC SSM
• Guidelines and Limitations
• Default S
• License Requirements, page 61-2
• Failover and Stateful Failover Links, page 61-3
• Failover Link, page 61-3
• Stateful Failover Link, page 61-4
• Failover Interface Speed for Stateful Links, page 61-5
• Avoiding Interrupted Failover Links, page 61-5
• Active/Active and Active/Standby Failover, page 61-8
• Determining Which Type of Failover to Use, page 61-8
• Stateless (Regular) and Stateful Failover, page 61-9
• Stateless (Regular) Failover, page 61-9
• Stateful Failover, page 61-10
• Transparent Firewall Mode Requirements, page 61-11
• Auto Update Server Support in Failover Configu
• Configuring the Primary Unit, page 62-8
• Configuring the Secondary Unit, page 62-11
• Configuring Optional Active/Standby Failover Settings, page 62-12
• Enabling HTTP Replication with Stateful Failover, page 62-13
• Disabling and Enabling Interface Monitoring, page 62-13
• Configuring Failover Criteria, page 62-14
• Configuring the Unit and Interface Health Poll Times, page 62-14
• Configuring Virtual MAC Addresses, page 62-15
• Controlling Failover, page 62-16
• Forcing Failover, page 62-16
• Disabling Failover, page 62-17
• Restoring a Failed Unit, page 62-17
• Testing the Failover Funct
• Configuring Support for Asymmetrically Routed Packets, page 63-18
• Remote Command Execution, page 63-21
• Changing Command Modes, page 63-22
• Security Considerations, page 63-23
• Limitations of Remote Command Execution, page 63-23
• Controlling Failover, page 63-23
• Forcing Failover, page 63-23
• Disabling Failover, page 63-24
• Restoring a Failed Unit or Failover Group, page 63-24
• Testing the Failover Functionality, page 63-24
• Monitoring Active/Active Failover, page 63-25
• Feature History for Active/Active Failover, page 63-25

PART 16 Configuring VPN

CHAPTER 64 Config
• Applying Crypto Maps to Interfaces, page 64-26
• Using Interface Access Lists, page 64-26
• Changing IPsec SA Lifetimes, page 64-29
• Creating a Basic IPsec Configuration, page 64-29
• Using Dynamic Crypto Maps, page 64-31
• Providing Site-to-Site Redundancy, page 64-34
• Viewing an IPsec Configuration, page 64-34
• Clearing Security Associations, page 64-34
• Clearing Crypto Map Configurations, page 64-35
• Supporting the Nokia VPN Client, page 64-35

CHAPTER 65 Configuring L2TP over IPsec, page 65-1
• Information About L2TP over IPsec/IKEv1, page 65-1
• IPsec Transport and Tunnel
• VPN Load-Balancing Cluster Configurations, page 66-9
• Some Typical Mixed Cluster Scenarios, page 66-10
• Scenario 1: Mixed Cluster with No SSL VPN Connections, page 66-10
• Scenario 2: Mixed Cluster Handling SSL VPN Connections, page 66-10
• Configuring Load Balancing, page 66-11
• Configuring the Public and Private Interfaces for Load Balancing, page 66-11
• Configuring the Load Balancing Cluster Attributes, page 66-12
• Enabling Redirection Using a Fully Qualified Domain Name, page 66-13
• Frequently Asked Questions About Load Balancing, page 66-14
• IP Address Poo
• Configuring General Tunnel-Group Attributes for Clientless SSL VPN Sessions, page 67-20
• Configuring Tunnel-Group Attributes for Clientless SSL VPN Sessions, page 67-23
• Customizing Login Windows for Users of Clientless SSL VPN sessions, page 67-27
• Configuring Microsoft Active Directory Settings for Password Management, page 67-28
• Using Active Directory to Force the User to Change Password at Next Logon, page 67-29
• Using Active Directory to Specify Maximum Password Age, page 67-30
• Using Active Directory to Override an Account Disabled
• Viewing the Username Configuration, page 67-79
• Configuring Attributes for Specific Users, page 67-79
• Setting a User Password and Privilege Level, page 67-80
• Configuring User Attributes, page 67-80
• Configuring VPN User Attributes, page 67-81
• Configuring Clientless SSL VPN Access for Specific Users

CHAPTER 68 Configuring IP Addresses for VPNs, page 68-1
• Configuring an IP Address Assignment Method
• Configuring Local IP Address Pools, page 68-2
• Configuring AAA Addressing, page 68-2
• Configuring DHCP Addressing, page 68-3

CHAPTER 69 Configuring Remo
• Specifying the Access Control Server Group, page 70-8
• Setting the Query-for-Posture-Changes Timer, page 70-9
• Setting the Revalidation Timer, page 70-10
• Configuring the Default ACL for NAC, page 70-10
• Configuring Exemptions from NAC, page 70-11
• Assigning a NAC Policy to a Group Policy, page 70-13
• Changing Global NAC Framework Settings, page 70-13
• Changing Clientless Authentication Settings, page 70-13
• Enabling and Disabling Clientless Authentication, page 70-14
• Changing the Login Credentials Used for Clientless Authentication
• Changing NAC Framework
• Using Related Commands, page 72-5

CHAPTER 73 Configuring LAN-to-LAN IPsec VPNs, page 73-1
• Summary of the Configuration, page 73-1
• Configuring Interfaces, page 73-2
• Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
• Configuring ISAKMP Policies for IKEv1 Connections, page 73-4
• Configuring ISAKMP Policies for IKEv2 Connections, page 73-4
• Creating an IKEv1 Transform Set, page 73-5
• Creating an IKEv2 Proposal, page 73-6
• Configuring an ACL, page 73-7
• Defining a Tunnel Group, page 73-7
• Creating a Crypto Map and Applying It To an I
• Gathering HTTP Form Data, page 74-24
• Configuring SSO for Plug-ins, page 74-28
• Configuring SSO with Macro Substitution, page 74-28
• Encoding, page 74-29
• Authenticating with Digital Certificates, page 74-31
• Creating and Applying Clientless SSL VPN Policies for Accessing Resources, page 74-31
• Assigning Users to Group Policies, page 74-31
• Using the Security Appliance Authentication Server, page 74-31
• Using a RADIUS Server, page 74-31
• Using an LDAP Server, page 74-32
• Configuring Connection Profile Attributes for Clientless SSL VPN, page 74-32
• Configuring Group
• Automating Smart Tunnel Access, page 74-61
• Enabling and Disabling Smart Tunnel Access, page 74-62
• Logging Off Smart Tunnel, page 74-63
• When Its Parent Process Terminates, page 74-63
• With A Notification Icon, page 74-64
• Configuring Port Forwarding, page 74-64
• Information About Port Forwarding, page 74-65
• Configuring DNS for Port Forwarding, page 74-66
• Adding Applications to Be Eligible for Port Forwarding, page 74-67
• Assigning a Port Forwarding List, page 74-69
• Automating Port Forwarding, page 74-70
• Enabling and Disabling Port Forwarding, page 74-70
• Application Acc
• Viewing the Clientless SSL VPN Home Page, page 74-88
• Viewing the Clientless SSL VPN Application Access Panel, page 74-88
• Viewing the Floating Toolbar, page 74-89
• Customizing Clientless SSL VPN Pages, page 74-90
• Information About Customization, page 74-90
• Exporting a Customization Template, page 74-91
• Editing the Customization Template, page 74-91
• Importing a Customization Object, page 74-97
• Applying Customizations to Connection Profiles, Group Policies and Users, page 74-97
• Login Screen Advanced Customization, page 74-99
• Modifying Your HTML File, page 74-101
• Creating a Capture File, page 74-121
• Using a Browser to Display Capture Data, page 74-122

CHAPTER 75 Configuring AnyConnect VPN Client Connections, page 75-1
• Information About AnyConnect VPN Client Connections, page 75-1
• Licensing Requirements for AnyConnect Connections, page 75-2
• Guidelines and Limitations, page 75-5
• Remote PC System Requirements, page 75-5
• Remote HTTPS Certificates Limitation, page 75-5
• Configuring AnyConnect Connections, page 75-5
• Configuring the ASA to Web-Deploy the Client, page 75-6
• Enabling Permanent Client Installation, page 75-7
• Licensing, page 76-2
• Host Scan Packaging, page 76-2
• Installing and Enabling Host Scan on the ASA, page 76-3
• Installing or Upgrading Host Scan, page 76-3
• Enabling or Disabling a Host Scan, page 76-4
• Viewing the Host Scan Version Enabled on the ASA, page 76-5
• Uninstalling Host Scan, page 76-5
• Assigning AnyConnect Feature Modules to Group Policies, page 76-6
• Other Important Documentation Addressing Host Scan, page 76-7

PART 17 Configuring Logging, SNMP, and Smart Call Home

CHAPTER 77 Configuring Logging, page 77-1
• Information About Logging, page 77-1
• L
• Sending All Syslog Messages in a Class to a Specified Output Destination
• Enabling Secure Logging, page 77-16
• Including the Device ID in Non-EMBLEM Format Syslog Messages, page 77-17
• Including the Date and Time in Syslog Messages, page 77-18
• Disabling a Syslog Message, page 77-18
• Changing the Severity Level of a Syslog Message, page 77-18
• Limiting the Rate of Syslog Message Generation, page 77-19
• Monitoring the Logs, page 77-19
• Configuration Examples for Logging, page 77-20
• Feature History for Logging, page 77-20

CHAPTER 78 Configuring NetFlow
• SNMP Object Identifiers, page 79-3
• SNMP Physical Vendor Type Values, page 79-5
• Supported Tables in MIBs, page 79-11
• Supported Traps (Notifications), page 79-12
• SNMP Version 3, page 79-15
• SNMP Version 3 Overview, page 79-15
• Security Models, page 79-16
• SNMP Groups, page 79-16
• SNMP Users, page 79-16
• SNMP Hosts, page 79-16
• Implementation Differences Between the ASA, ASA Services Module, and the Cisco IOS Software, page 79-16
• Licensing Requirements for SNMP, page 79-17
• Prerequisites for SNMP, page 79-17
• Guidelines and Limitations, page 79-17
• Configuring SNMP, page 79-18
• Enabling SNMP 7
CHAPTER 80 Configuring Anonymous Reporting and Smart Call Home, page 80-1
• Information About Anonymous Reporting and Smart Call Home, page 80-1
• Information About Anonymous Reporting, page 80-2
• What is Sent to Cisco?, page 80-2
• DNS Requirement, page 80-3
• Anonymous Reporting and Smart Call Home Prompt, page 80-3
• Information About Smart Call Home, page 80-4
• Licensing Requirements for Anonymous Reporting and Smart Call Home
• Prerequisites for Smart Call Home and Anonymous Reporting, page 80-5
• Guidelines and Limitations, page 80-5
• Configuring Anonymo
• Backing Up Configuration Files or Other Files, page 81-8
• Backing up the Single Mode Configuration or Multiple Mode System Configuration
• Backing Up a Context Configuration or Other File in Flash Memory, page 81-8
• Backing Up a Context Configuration within a Context, page 81-9
• Copying the Configuration from the Terminal Display, page 81-9
• Backing Up Additional Files Using the Export and Import Commands, page 81-9
• Using a Script to Back Up and Restore Files, page 81-10
• Prerequisites, page 81-10
• Running the Script, page 81-10
• Sample Script, page 81-11
• Monitoring Per-Process CPU Usage, page 82-14
• Common Problems, page 82-14

PART 19 Reference

APPENDIX A Using the Command-Line Interface, page A-1
• Firewall Mode and Security Context Mode, page A-1
• Command Modes and Prompts, page A-2
• Syntax Formatting, page A-3
• Abbreviating Commands, page A-3
• Command-Line Editing, page A-3
• Command Completion, page A-4
• Command Help, page A-4
• Filtering show Command Output, page A-4
• Command Output Paging, page A-5
• Adding Comments, page A-5
• Text Configuration Files, page A-5
• How Commands Correspond with Lines in the Text File A
• Anycast Address, page B-9
• Required Addresses, page B-10
• IPv6 Address Prefixes, page B-10
• Protocols and Applications, page B-11
• TCP and UDP Ports, page B-11
• Local Ports and Protocols, page B-14
• ICMP Types, page B-15

APPENDIX C Configuring an External Server for Authorization and Authentication, page C-1
• Understanding Policy Enforcement of Permissions and Attributes, page C-1
• Configuring an External LDAP Server, page C-2
• Organizing the ASA for LDAP Operations, page C-3
• Searching the LDAP Hierarchy, page C-3
• Binding the ASA to the LDAP Server, page C-4
• Defining the
Contents Cisco ASA 5500 Series Configuration Guide using the CLI lxiv
About This Guide

This preface introduces Cisco ASA 5500 Series Configuration Guide using the CLI and includes the following sections:
• Document Objectives, page lxv
• Audience, page lxv
• Related Documentation, page lxv
• Conventions, page lxvi
• Obtaining Documentation and Submitting a Service Request, page lxvii

Document Objectives

The purpose of this guide is to help you configure the ASA using the command-line interface.
Conventions

This document uses the following conventions:

Convention: Indication
bold font: Commands and keywords and user-entered text appear in bold font.
italic font: Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[ ]: Elements in square brackets are optional.
{x | y | z }: Required alternative keywords are grouped in braces and separated by vertical bars.
About This Guide Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.
-
PART 1 Getting Started with the ASA
-
-
CHAPTER 1 Introduction to the Cisco ASA 5500 Series The ASA provides advanced Stateful Firewall and VPN concentrator functionality in one device, and for some models, an integrated Intrusion Prevention System (IPS) module or an integrated Content Security and Control (CSC) module.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features
• New Features in Version 8.4(4.1), page 1-6
• New Features in Version 8.4(3), page 1-9
• New Features in Version 8.4(2), page 1-12
• New Features in Version 8.4(1), page 1-19
Note New, changed, and deprecated syslog messages are listed in the syslog message guide.
Note Version 8.4(4) was removed from Cisco.com due to build issues; please upgrade to Version 8.4(4.1) or later. New Features in Version 8.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features Table 1-1 New Features for ASA Version 8.6(1) (continued) Feature Description Compression for DTLS and TLS To improve throughput, Cisco now supports compression for DTLS and TLS on AnyConnect 3.0 or later. Each tunneling method configures compression separately, and the preferred configuration is to have both SSL and DTLS compression as LZS. This feature enhances migration from legacy VPN clients.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features Table 1-1 New Features for ASA Version 8.6(1) (continued) Feature Description Support for sub-range of LDAP search results When an LDAP search results in an attribute with a large number of values, depending on the server configuration, it might return a sub-range of the values and expect the ASA to initiate additional queries for the remaining value ranges.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features Table 1-2 New Features for ASA Version 8.4(5)/ASDM Version 7.0(2) (continued) Feature Description ARP cache additions for non-connected subnets The ASA ARP cache only contains entries from directly-connected subnets by default. You can now enable the ARP cache to also include non-directly-connected subnets. We do not recommend enabling this feature unless you know the security risks.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features Table 1-2 New Features for ASA Version 8.4(5)/ASDM Version 7.0(2) (continued) Feature Description Hardware Features ASA 5585-X DC power supply support Support was added for the ASA 5585-X DC power supply. This feature is not available in 8.5(1), 8.6(1), or 9.0(1). New Features in Version 8.4(4.1) Released: June 18, 2012 Table 1-3 lists the new features for ASA Version 8.4(4.1). Note Version 8.4(4) was removed from Cisco.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features Table 1-3 New Features for ASA Version 8.4(4.1) (continued) Feature Description Support for maximum number of management sessions allowed and Diffie-Hellman Key Exchange Group 14 support for SSH The maximum number of simultaneous ASDM, SSH, and Telnet sessions allowed was added. Support for Diffie-Hellman Key Exchange Group 14 for SSH was added.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features Table 1-3 New Features for ASA Version 8.4(4.1) (continued) Feature Description Application Inspection Features SunRPC change from dynamic ACL to pin-hole mechanism Previously, Sun RPC inspection did not support outbound access lists because the inspection engine used dynamic access lists instead of secondary connections.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features Table 1-3 New Features for ASA Version 8.4(4.1) (continued) Feature Description ASA 5585-X support for the The ASA CX module lets you enforce security based on the complete context of a situation.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features Table 1-4 New Features for ASA Version 8.4(3) (continued) Feature Description Extended PAT for a PAT pool Each PAT IP address allows up to 65535 ports. If 65535 ports do not provide enough translations, you can now enable extended PAT for a PAT pool. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. This feature is not available in 8.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features Table 1-4 New Features for ASA Version 8.4(3) (continued) Feature Description Compression for DTLS and TLS To improve throughput, Cisco now supports compression for DTLS and TLS on AnyConnect 3.0 or later. Each tunneling method configures compression separately, and the preferred configuration is to have both SSL and DTLS compression as LZS. This feature enhances migration from legacy VPN clients.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features New Features in Version 8.4(2) Released: June 20, 2011 Table 1-5 lists the new features for ASA Version 8.4(2). Table 1-5 New Features for ASA Version 8.4(2) Feature Description Firewall Features Identity Firewall Typically, a firewall is not aware of the user identities and, therefore, cannot apply security policies based on identity. The Identity Firewall in the ASA provides more granular access control based on users’ identities.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features Table 1-5 New Features for ASA Version 8.4(2) (continued) Feature Description PAT pool and round robin address assignment You can now specify a pool of PAT addresses instead of a single address. You can also optionally enable round-robin assignment of PAT addresses instead of first using all ports on a PAT address before using the next address in the pool.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features Table 1-5 New Features for ASA Version 8.4(2) (continued) Feature Description Secure Hash Algorithm SHA-2 Support for Digital Signature over IPsec IKEv2 This release supports the use of SHA-2 compliant signature algorithms to authenticate IPsec IKEv2 VPN connections that use digital certificates, with the hash sizes SHA-256, SHA-384, and SHA-512.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features Table 1-5 New Features for ASA Version 8.4(2) (continued) Feature Description SSL SHA-2 digital signature You can now use SHA-2 compliant signature algorithms to authenticate SSL VPN connections that use digital certificates. Our support for SHA-2 includes all three hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect 2.5(1) or later (2.5(2) or later recommended).
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features Table 1-5 New Features for ASA Version 8.4(2) (continued) Feature Description IF-MIB ifAlias OID support The ASA now supports the ifAlias OID. When you browse the IF-MIB, the ifAlias OID will be set to the value that has been set for the interface description. Also available in Version 8.2(5).
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features Table 1-6 New Features for ASA Version 8.2(5) (continued) Feature Description IF-MIB ifAlias OID support The ASA now supports the ifAlias OID. When you browse the IF-MIB, the ifAlias OID will be set to the value that has been set for the interface description. Also available in Version 8.4(2).
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features Table 1-6 New Features for ASA Version 8.2(5) (continued) Feature Description SSL SHA-2 digital signature You can now use SHA-2 compliant signature algorithms to authenticate SSL VPN connections that use digital certificates. Our support for SHA-2 includes all three hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect 2.5(1) or later (2.5(2) or later recommended).
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features New Features in Version 8.4(1) Released: January 31, 2011 Table 1-7 lists the new features for ASA Version 8.4(1). Table 1-7 New Features for ASA Version 8.4(1) Feature Description Hardware Features Support for the ASA 5585-X We introduced support for the ASA 5585-X with Security Services Processor (SSP)-10, -20, -40, and -60. Note No Payload Encryption hardware for export Support was previously added in 8.2(3) and 8.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features Table 1-7 New Features for ASA Version 8.4(1) (continued) Feature Description SSL SHA-2 digital signature This release supports the use of SHA-2 compliant signature algorithms to authenticate SSL VPN connections that use digital certificates. Our support for SHA-2 includes all three hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect 2.5.1 or later (2.5.2 or later recommended).
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features Table 1-7 New Features for ASA Version 8.4(1) (continued) Feature Description Clientless VPN Auto Sign-on Enhancement Smart tunnel now supports HTTP-based auto sign-on on Firefox as well as Internet Explorer. Similar to when Internet Explorer is used, the administrator decides to which hosts a Firefox browser will automatically send credentials.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features Table 1-7 New Features for ASA Version 8.4(1) (continued) Feature Description Bridge groups for transparent mode If you do not want the overhead of security contexts, or want to maximize your use of security contexts, you can group interfaces together in a bridge group, and then configure multiple bridge groups, one for each network. Bridge group traffic is isolated from other bridge groups.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series New Features Table 1-7 New Features for ASA Version 8.4(1) (continued) Feature Description UC Protocol Inspection Enhancements SIP Inspection and SCCP Inspection are enhanced to support new features in the Unified Communications Solutions, such as SCCP v2.0 support, support for GETPORT messages in SCCP Inspection, SDP field support in INVITE messages with SIP Inspection, and QSIG tunneling over SIP.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series Firewall Functional Overview Table 1-7 New Features for ASA Version 8.4(1) (continued) Feature Description General Features Password Encryption Visibility You can show password encryption in a security context. We modified the following command: show password encryption. Firewall Functional Overview Firewalls protect inside networks from unauthorized access by users on an outside network.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series Firewall Functional Overview • Sending Traffic to the Content Security and Control Module, page 1-26 • Applying QoS Policies, page 1-26 • Applying Connection Limits and TCP Normalization, page 1-26 • Enabling Threat Detection, page 1-26 • Enabling the Botnet Traffic Filter, page 1-27 • Configuring Cisco Unified Communications, page 1-27 Permitting or Denying Traffic with Access Lists You can apply an access list to limit traffic from inside t
-
Chapter 1 Introduction to the Cisco ASA 5500 Series Firewall Functional Overview Sending Traffic to the IPS Module If your model supports the IPS module for intrusion prevention, then you can send traffic to the module for inspection. The IPS module monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series Firewall Functional Overview Enabling the Botnet Traffic Filter Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series VPN Functional Overview If it is a new connection, the ASA has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the “session management path,” and depending on the type of traffic, it might also pass through the “control plane path.
-
Chapter 1 Introduction to the Cisco ASA 5500 Series Security Context Overview
• Authenticates users
• Assigns user addresses
• Encrypts and decrypts data
• Manages security keys
• Manages data transfer across the tunnel
• Manages data transfer inbound and outbound as a tunnel endpoint or router
The ASA invokes various standard protocols to accomplish these functions. Security Context Overview You can partition a single ASA into multiple virtual devices, known as security contexts.
-
CHAPTER 2 Getting Started This chapter describes how to get started with your ASA.
-
Chapter 2 Getting Started Configuring ASDM Access for Appliances All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged EXEC mode. Step 4 Enter the enable password at the prompt. By default, the password is blank, and you can press the Enter key to continue. See the “Configuring the Hostname, Domain Name, and Passwords” section on page 10-1 to change the enable password.
-
Chapter 2 Getting Started Configuring ASDM Access for Appliances Note To change to multiple context mode, see the “Enabling or Disabling Multiple Context Mode” section on page 5-15. After changing to multiple context mode, you can access ASDM from the admin context using the network settings above. Accessing ASDM Using a Non-Default Configuration (ASA 5505) If you do not have a factory default configuration, or want to change to transparent firewall mode, perform the following steps.
-
Chapter 2 Getting Started Configuring ASDM Access for Appliances
Command:
  interface bvi number
  ip address ip_address [mask]
  interface vlan number
  bridge-group bvi_number
  nameif name
  security-level level
Purpose: Transparent mode: Configures a bridge virtual interface and assigns a management VLAN to the bridge group. The security-level is a number between 1 and 100, where 100 is the most secure.
Example:
  hostname(config)# interface bvi 1
  hostname(config-if)# ip address 192.168.1.1 255.255.255.
-
Chapter 2 Getting Started Configuring ASDM Access for Appliances Examples The following configuration converts the firewall mode to transparent mode, configures the VLAN 1 interface and assigns it to BVI 1, enables a switchport, and enables ASDM for a management host:
  firewall transparent
  interface bvi 1
   ip address 192.168.1.1 255.255.255.0
  interface vlan 1
   bridge-group 1
   nameif inside
   security-level 100
  interface ethernet 0/1
   switchport access vlan 1
   no shutdown
  dhcpd address 192.168.1.5-192.168.1.
-
Chapter 2 Getting Started Starting ASDM
Step 3
Command:
  dhcpd address ip_address-ip_address interface_name
  dhcpd enable interface_name
Purpose: Enables DHCP for the management host on the management interface network. Make sure you do not include the Management 0/0 address in the range.
Example:
  hostname(config)# dhcpd address 192.168.1.2-192.168.1.254 management
  hostname(config)# dhcpd enable management
Step 4
Command: http server enable
Purpose: Enables the HTTP server for ASDM.
-
Chapter 2 Getting Started Starting ASDM Note • ASDM-IDM Launcher (Windows only)—The Launcher is an application downloaded from the ASA using a web browser that you can use to connect to any ASA IP address. You do not need to re-download the launcher if you want to connect to other ASAs. The Launcher also lets you run a virtual ASDM in Demo mode using files downloaded locally.
-
Chapter 2 Getting Started Starting ASDM Step 3 b. Enter the username and password, and click OK. For a factory default configuration, leave these fields empty. With no HTTPS authentication configured, you can gain access to ASDM with no username and the enable password, which is blank by default. With HTTPS authentication enabled, enter your username and associated password. c. Save the installer to your PC, and then start the installer.
-
Chapter 2 Getting Started Starting ASDM Prerequisites Download the Java Web Start application according to the “Connecting to ASDM for the First Time” section on page 2-7.
Detailed Steps
Step 1 Start the Java Web Start application.
Step 2 Accept any certificates according to the dialog boxes that appear. The Cisco ASDM-IDM Launcher appears.
Step 3 Enter the username and password, and click OK. For a factory default configuration, leave these fields empty.
-
Chapter 2 Getting Started Factory Default Configurations Save Running Configuration to Flash Save Running Configuration to TFTP Server Save Running Configuration to Standby Unit Save Internal Log Buffer to Flash Clear Internal Log Buffer – Tools menu: Command Line Interface Ping File Management Update Software File Transfer Upload Image from Local PC System Reload – Toolbar/Status bar > Save – Configuration > Interface > Edit Interface > Renew DHCP Lease – Configuring a standby device after failover •
-
Chapter 2 Getting Started Factory Default Configurations The factory default configuration is available only for routed firewall mode and single context mode. See Chapter 5, “Configuring Multiple Context Mode,” for more information about multiple context mode. See Chapter 4, “Configuring the Transparent or Routed Firewall,” for more information about routed and transparent firewall mode. For the ASA 5505, a sample transparent mode configuration is provided in this section.
-
Chapter 2 Getting Started Factory Default Configurations
• IP addresses—Outside address from DHCP; inside address set manually to 192.168.1.1/24.
• Network Address Translation (NAT)—All inside IP addresses are translated when accessing the outside using interface PAT.
• Traffic flow—IPv4 and IPv6 traffic allowed from inside to outside (this behavior is implicit on the ASA). Outside users are prevented from accessing the inside.
-
Chapter 2 Getting Started Factory Default Configurations
   no shutdown
  interface Ethernet 0/7
   switchport access vlan 1
   no shutdown
  interface vlan2
   nameif outside
   no shutdown
   ip address dhcp setroute
  interface vlan1
   nameif inside
   ip address 192.168.1.1 255.255.255.0
   security-level 100
   no shutdown
  object network obj_any
   subnet 0 0
   nat (inside,outside) dynamic interface
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  dhcpd address 192.168.1.5-192.168.1.
-
Chapter 2 Factory Default Configurations Figure 2-2 ASA 5505 Transparent Mode (figure: Internet; Internet Gateway Router 192.168.1.3 on outside VLAN 2 (Ethernet 0/0); BVI 1 IP 192.168.1.1; inside VLAN 1 (Ethernet 0/1-0/7); ASDM host 192.168.1.)
-
Chapter 2 Getting Started Working with the Configuration
  dhcpd enable inside
Note For testing purposes, you can allow ping from inside to outside by enabling ICMP inspection. Add the following commands to the sample configuration:
  policy-map global_policy
   class inspection_default
    inspect icmp
ASA 5510 and Higher Default Configuration The default factory configuration for the ASA 5510 and higher configures the following:
• Management interface—Management 0/0 (management).
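The factory default configuration above is the starting point most administrators build on, so it is worth being able to read such a flat configuration programmatically and check the management-access settings before the unit goes live. The following is an added example, not Cisco code or part of this guide: a small parser for the `interface`, `nameif`, `security-level`, `ip address` and `http` lines of an ASA running configuration, plus an audit that flags interfaces with no explicit security level and `http` statements that expose ASDM/HTTPS management to any source or on the outside interface. The sample configuration is constructed from the ASA 5505 routed-mode default shown in this section (the end of the DHCP range is my assumption, since the page truncates it), and the audit rules are my own, not ASA behaviour.

```python
"""Parse a flat ASA CLI configuration and audit the management-access bits.

Added example (not Cisco's code or documentation): the config below is
constructed from the ASA 5505 routed-mode factory default shown in this
section; the DHCP range end and the audit rules are my own assumptions.
"""
import ipaddress
import re

# Constructed sample: the factory default block from this section, indented
# the way `show running-config` prints sub-commands.
SAMPLE_CONFIG = """\
interface vlan2
 nameif outside
 no shutdown
 ip address dhcp setroute
interface vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
 security-level 100
 no shutdown
object network obj_any
 subnet 0 0
 nat (inside,outside) dynamic interface
http server enable
http 192.168.1.0 255.255.255.0 inside
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
"""

# Constructed weak variant: ASDM/HTTPS management opened to any source on outside.
WEAK_CONFIG = SAMPLE_CONFIG + "http 0.0.0.0 0.0.0.0 outside\n"


def parse_asa_config(text):
    """Return (interfaces, http_acl).

    interfaces maps the interface name to its nameif, explicit security-level
    (None if absent) and ip address line; http_acl lists (net, mask, ifname)
    tuples taken from 'http <net> <mask> <ifname>' lines.
    """
    interfaces = {}
    http_acl = []
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if not raw.startswith(" "):          # top-level command
            current = None
            m = re.match(r"interface\s+(.+)$", line)
            if m:
                current = interfaces.setdefault(
                    m.group(1), {"nameif": None, "security_level": None, "ip": None})
                continue
            m = re.match(r"http\s+(\S+)\s+(\S+)\s+(\S+)$", line)
            if m:                            # 'http server enable' has only two words, so it is skipped
                http_acl.append(m.groups())
            continue
        if current is None:                  # sub-command of a block we do not model
            continue
        parts = line.split()
        if parts[0] == "nameif":
            current["nameif"] = parts[1]
        elif parts[0] == "security-level":
            current["security_level"] = int(parts[1])
        elif parts[:2] == ["ip", "address"]:
            current["ip"] = " ".join(parts[2:])
    return interfaces, http_acl


def audit(text):
    """Return a list of human-readable findings (empty list = nothing flagged)."""
    interfaces, http_acl = parse_asa_config(text)
    findings = []
    for name, info in interfaces.items():
        # A named interface without an explicit security-level relies on the
        # platform default; make the level deliberate so the policy is visible.
        if info["nameif"] and info["security_level"] is None:
            findings.append(f"{name} ({info['nameif']}): no explicit security-level, "
                            "the platform default applies; set it deliberately")
    for net, mask, ifname in http_acl:
        try:
            prefix = ipaddress.ip_network(f"{net}/{mask}", strict=False).prefixlen
        except ValueError:
            findings.append(f"http {net} {mask} {ifname}: unparsable network")
            continue
        if prefix == 0:
            findings.append(f"http {net} {mask} {ifname}: ASDM/HTTPS open to any source")
        if ifname == "outside":
            findings.append(f"http {net} {mask} {ifname}: management reachable from the outside interface")
    return findings


if __name__ == "__main__":
    for label, cfg in (("default", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Run against the constructed default, the only finding is that `vlan2` (outside) carries no explicit security level; the weak variant additionally trips both `http` checks. The parser deliberately ignores blocks it does not model (the `object network` block, `dhcpd` lines), which keeps it safe to run on a full `show running-config` dump.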
-
Chapter 2 Getting Started Working with the Configuration
• Viewing the Configuration, page 2-18
• Clearing and Removing Configuration Settings, page 2-18
• Creating Text Configuration Files Offline, page 2-19
Saving Configuration Changes This section describes how to save your configuration and includes the following topics:
• Saving Configuration Changes in Single Context Mode, page 2-16
• Saving Configuration Changes in Multiple Context Mode, page 2-16
Saving Configuration Changes in Single C
-
Chapter 2 Getting Started Working with the Configuration Saving All Context Configurations at the Same Time To save all context configurations at the same time, as well as the system configuration, enter the following command in the system execution space:
Command: write memory all [/noconfirm]
Purpose: Saves the running configuration to the startup configuration for all contexts and the system configuration.
-
Chapter 2 Getting Started Working with the Configuration
Command: copy startup-config running-config
Purpose: Merges the startup configuration with the running configuration. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results.
-
Chapter 2 Getting Started Applying Configuration Changes to Connections
Command: write erase
Purpose: Erases the startup configuration.
Example: hostname(config)# write erase
Command: clear configure all
Purpose: Erases the running configuration.
Note In multiple context mode, if you enter clear configure all from the system configuration, you also remove all contexts and stop them from running.
Example: hostname(config)# clear configure all
-
Chapter 2 Getting Started Applying Configuration Changes to Connections
Command: clear local-host [ip_address] [all]
Purpose: This command reinitializes per-client run-time states such as connection limits and embryonic limits. As a result, this command removes any connection that uses those limits. See the show local-host all command to view all current connections per host.
-
CHAPTER 3 Managing Feature Licenses A license specifies the options that are enabled on a given ASA. This document describes how to obtain a license activation key and how to activate it. It also describes the available licenses for each model. Note This chapter describes licensing for Version 8.4 and 8.6; for other versions, see the licensing documentation that applies to your version: http://www.cisco.com/en/US/products/ps6120/products_licensing_information_listing.
-
Chapter 3 Managing Feature Licenses Supported Feature Licenses Per Model
• ASA 5540, page 3-5
• ASA 5550, page 3-6
• ASA 5580, page 3-7
• ASA 5512-X, page 3-8
• ASA 5515-X, page 3-8
• ASA 5525-X, page 3-9
• ASA 5545-X, page 3-10
• ASA 5555-X, page 3-11
• ASA 5585-X with SSP-10, page 3-12
• ASA 5585-X with SSP-20, page 3-13
• ASA 5585-X with SSP-40 and -60, page 3-14
Items that are in italics are separate, optional licenses with which you can replace the Base or Security Plus li
-
Chapter 3 Managing Feature Licenses Supported Feature Licenses Per Model Table 3-1 ASA 5505 License Features (continued) Licenses Description (Base License in Plain Text) Description (Security Plus Lic. in Plain Text) Encryption Base (DES) Base (DES) Failover No support Opt. lic.: Strong (3DES/AES) Active/Standby (no stateful failover) Interfaces of all types, Max. 52 Security Contexts 120 No support Inside Hosts, concurrent 2 10 Opt. lic.: Strong (3DES/AES) 3 No support Opt.
-
Chapter 3 Managing Feature Licenses Supported Feature Licenses Per Model Table 3-2 ASA 5510 License Features (continued) Licenses Description (Base License in Plain Text) Description (Security Plus Lic. in Plain Text) AnyConnect Premium (sessions) 2 2 Optional Perm. or Time-based lic,: 10 25 50 100 Optional Perm. or Time-based lic: 250 10 25 50 100 250 Optional Shared licenses: Participant or Server. For the Server: Optional Shared licenses: Participant or Server.
-
Chapter 3 Managing Feature Licenses Supported Feature Licenses Per Model Table 3-3 ASA 5520 License Features (continued) Licenses Description (Base License in Plain Text) AnyConnect Premium (sessions) 2 Optional Permanent or Time-based licenses: 10 25 50 100 250 500 750 Optional Shared licenses: Participant or Server.
-
Chapter 3 Managing Feature Licenses Supported Feature Licenses Per Model Table 3-4 ASA 5540 License Features (continued) Licenses Description (Base License in Plain Text) VPN Load Balancing Supported General Licenses Encryption Base (DES) Optional license: Strong (3DES/AES) Failover Active/Standby or Active/Active Interfaces of all types, Max.
-
Chapter 3 Managing Feature Licenses Supported Feature Licenses Per Model Table 3-5 ASA 5550 License Features (continued) Licenses Description (Base License in Plain Text) Security Contexts 2 VLANs, Maximum 400 Optional licenses: 5 10 20 50 100 ASA 5580 Table 3-6 ASA 5580 License Features Licenses Description (Base License in Plain Text) Firewall Licenses Botnet Traffic Filter Disabled Optional Time-based license: Available Firewall Conns, Concurrent 5580-20: 2,000,000 5580-40: 4,000
-
Chapter 3 Managing Feature Licenses Supported Feature Licenses Per Model ASA 5512-X If you have a No Payload Encryption model, then some of the features in Table 3-7 are not supported. See the “No Payload Encryption Models” section on page 3-30 for a list of unsupported features. Table 3-7 ASA 5512-X License Features Licenses Description (Base License in Plain Text) Description (Security Plus Lic.
-
Chapter 3 Managing Feature Licenses Supported Feature Licenses Per Model Table 3-8 ASA 5515-X License Features Licenses Description (Base License in Plain Text) Firewall Licenses Botnet Traffic Filter Disabled Optional Time-based license: Available Firewall Conns, Concurrent 250,000 GTP/GPRS Disabled Optional license: Available Intercompany Media Eng. Disabled Optional license: Available UC Phone Proxy Sessions 2 Optional licenses: 24 50 100 250 500 VPN Licenses Adv.
-
Chapter 3 Managing Feature Licenses Supported Feature Licenses Per Model Table 3-9 ASA 5525-X License Features (continued) Licenses Description (Base License in Plain Text) Intercompany Media Eng. Disabled UC Phone Proxy Sessions 2 Optional license: Available Optional licenses: 24 50 100 250 500 750 1000 VPN Licenses Adv.
-
Chapter 3 Managing Feature Licenses Supported Feature Licenses Per Model Table 3-10 ASA 5545-X License Features (continued) Licenses Description (Base License in Plain Text) AnyConnect Essentials Disabled Optional license: Available (2500 sessions) AnyConnect for Mobile Disabled Optional license: Available AnyConnect Premium (sessions) 2 Optional Permanent or Time-based licenses: 10 25 50 100 250 500 750 1000 2500 Optional Shared licenses: Participant or Server.
-
Chapter 3 Managing Feature Licenses Supported Feature Licenses Per Model Table 3-11 ASA 5555-X License Features (continued) Licenses Description (Base License in Plain Text) AnyConnect Premium (sessions) 2 Optional Permanent or Time-based licenses: 10 25 50 100 250 500 750 1000 2500 5000 Optional Shared licenses: Participant or Server.
-
Chapter 3 Managing Feature Licenses Supported Feature Licenses Per Model Table 3-12 ASA 5585-X with SSP-10 License Features (continued) Licenses Description (Base License in Plain Text) Description (Security Plus License in Plain Text) AnyConnect Premium (sessions) 2 2 Opt. Permanent or Time-based lic.: Opt. Permanent or Time-based lic.: 10 25 50 100 250 10 25 50 100 250 500 750 1000 2500 5000 500 750 1000 2500 5000 Optional Shared licenses: Participant or Server.
-
Chapter 3 Managing Feature Licenses Supported Feature Licenses Per Model Table 3-13 ASA 5585-X with SSP-20 License Features (continued) Licenses Description (Base License in Plain Text) Description (Security Plus Lic.
-
Chapter 3 Managing Feature Licenses Supported Feature Licenses Per Model Table 3-14 ASA 5585-X with SSP-40 and -60 License Features (continued) Licenses Description (Base License in Plain Text) Firewall Conns, Concurrent 5585-X with SSP-40: 4,000,000 GTP/GPRS Disabled Optional license: Available Intercompany Media Eng.
-
Chapter 3 Managing Feature Licenses Supported Feature Licenses Per Model License Notes Table 3-15 includes common footnotes shared by multiple tables in the “Licenses Per Model” section on page 3-1. Table 3-15 License Notes License Notes AnyConnect Essentials AnyConnect Essentials sessions include the following VPN types: • SSL VPN • IPsec remote access VPN using IKEv2 This license does not support browser-based (clientless) SSL VPN access or Cisco Secure Desktop.
-
Chapter 3 Managing Feature Licenses Supported Feature Licenses Per Model Table 3-15 License Notes (continued) License Notes AnyConnect for Mobile This license provides access to the AnyConnect Client for touch-screen mobile devices running Windows Mobile 5.0, 6.0, and 6.1. We recommend using this license if you want to support mobile access to AnyConnect 2.3 and later versions.
-
Chapter 3 Managing Feature Licenses Supported Feature Licenses Per Model Table 3-15 License Notes (continued) License Notes Intercompany Media Engine When you enable the Intercompany Media Engine (IME) license, you can use TLS proxy sessions up to the configured TLS proxy limit.
-
Chapter 3 Managing Feature Licenses Supported Feature Licenses Per Model Table 3-15 License Notes (continued) License Notes UC Phone Proxy sessions The following applications use TLS proxy sessions for their connections.
-
Chapter 3 Managing Feature Licenses Information About Feature Licenses VPN License and Feature Compatibility Table 3-16 shows how the VPN licenses and features can combine. For a detailed list of the features supported by the AnyConnect Essentials license and AnyConnect Premium license, see AnyConnect Secure Mobility Client Features, Licenses, and OSs: • Version 3.0: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/feature/guide/anyconnect30features.html • Version 2.
-
Chapter 3 Managing Feature Licenses Information About Feature Licenses • Licenses FAQ, page 3-30 Preinstalled License By default, your ASA ships with a license already installed. This license might be the Base License, to which you want to add more licenses, or it might already have all of your licenses installed, depending on what you ordered and what your vendor installed for you. See the “Monitoring Licenses” section on page 3-38 to determine which licenses you have installed.
-
Chapter 3 Managing Feature Licenses Information About Feature Licenses Note • If you stop using the time-based license before it times out, then the timer halts. The timer only starts again when you reactivate the time-based license. • If the time-based license is active, and you shut down the ASA, then the timer continues to count down. If you intend to leave the ASA in a shut down state for an extended period of time, then you should deactivate the time-based license before you shut down.
-
Chapter 3 Managing Feature Licenses Information About Feature Licenses Stacking Time-Based Licenses In many cases, you might need to renew your time-based license and have a seamless transition from the old license to the new one. For features that are only available with a time-based license, it is especially important that the license not expire before you can apply the new license.
-
Chapter 3 Managing Feature Licenses Information About Feature Licenses
• Information About the Shared Licensing Server and Participants, page 3-24
• Communication Issues Between Participant and Server, page 3-25
• Information About the Shared Licensing Backup Server, page 3-25
• Failover and Shared Licenses, page 3-25
• Maximum Number of Participants, page 3-27
Information About the Shared Licensing Server and Participants The following steps describe how shared licenses operate: 1.
-
Chapter 3 Managing Feature Licenses Information About Feature Licenses Note The ASA uses SSL between the server and participant to encrypt all communications. Communication Issues Between Participant and Server See the following guidelines for communication issues between the participant and server: • If a participant fails to send a refresh after 3 times the refresh interval, then the server releases the sessions back into the shared license pool.
-
• “Failover and Shared License Participants” section on page 3-27
Failover and Shared License Servers
This section describes how the main server and backup server interact with failover.
-
Figure 3-1 Failover and Shared License Servers
[Figure: key: blue = shared license server in use; (Active) = active failover unit. Panels: 1. Normal operation: Failover Pair #1 Main (Active), Main (Standby), Failover Pair #2; 2. Primary main server fails over: Failover Pair #1 Main (Failed), Main (Active); 3.]
-
Failover Licenses (8.3(1) and Later)
With some exceptions, failover units do not require the same license on each unit. For earlier versions, see the licensing document for your version.
-
Note In the above example, if the AnyConnect Premium licenses are time-based, you might want to disable one of the licenses so you do not “waste” a 500 session license from which you can only use 250 sessions because of the platform limit.
– You have two ASA 5540s, one with 20 contexts and the other with 10 contexts; the combined license allows 30 contexts.
-
Upgrading Failover Pairs
Because failover pairs do not require the same license on both units, you can apply new licenses to each unit without any downtime. If you apply a permanent license that requires a reload (see Table 3-18 on page 3-34), then you can fail over to the other unit while you reload. If both units require reloading, then you can reload them separately so you have no downtime.
-
Chapter 3 Managing Feature Licenses Guidelines and Limitations
A. No. Starting with Version 8.3(1), you do not have to have matching licenses on both units. Typically, you buy a license only for the primary unit; the secondary unit inherits the primary license when it becomes active. In the case where you also have a separate license on the secondary unit (for example, if you purchased matching licenses for pre-8.
-
Chapter 3 Managing Feature Licenses Configuring Licenses
• Downgrading to Version 8.1 or earlier—After you upgrade, if you activate additional feature licenses that were introduced before 8.2, then the activation key continues to be compatible with earlier versions if you downgrade. However if you activate feature licenses that were introduced in 8.2 or later, then the activation key is not backward compatible.
-
Obtaining an Activation Key
To obtain an activation key, you need a Product Authorization Key, which you can purchase from your Cisco account representative. You need to purchase a separate Product Authorization Key for each feature license. For example, if you have the Base License, you can purchase separate keys for Advanced Endpoint Assessment and for additional AnyConnect Premium sessions.
-
Table 3-18 Permanent License Reloading Requirements
Model | License Action Requiring Reload
ASA 5505, ASA 5510 | Changing between the Base and Security Plus license.
All models | Changing the Encryption license.
All models | Downgrading any permanent license (for example, going from 10 contexts to 2 contexts).
Limitations and Restrictions
Your activation key remains compatible if you upgrade to the latest version from any previous version.
-
Detailed Steps
Step 1
Command: activation-key key [activate | deactivate]
Purpose: Applies an activation key to the ASA. The key is a five-element hexadecimal string with one space between each element. The leading 0x specifier is optional; all values are assumed to be hexadecimal. You can install one permanent key, and multiple time-based keys.
Example:
hostname# activation-key 0xd11b3d48 0xa80a4c0a 0x48e0fd1c 0xb0443480 0x843fc490
-
Detailed Steps
Step 1
Command: license-server secret secret
Purpose: Sets the shared secret, a string between 4 and 128 ASCII characters. Any participant with this secret can use the licensing server.
-
hostname(config)# license-server enable dmz
What to Do Next
See the “Configuring the Shared Licensing Backup Server (Optional)” section on page 3-37, or the “Configuring the Shared Licensing Participant” section on page 3-37.
Configuring the Shared Licensing Backup Server (Optional)
This section enables a shared license participant to act as the backup server if the main server goes down.
-
Chapter 3 Managing Feature Licenses Monitoring Licenses
Prerequisites
The participant must have a shared licensing participant key.
Detailed Steps
Step 1
Command: license-server address address secret secret [port port]
Purpose: Identifies the shared licensing server IP address and shared secret. If you changed the default port in the server configuration, set the port for the participant to match.
Example:
hostname(config)# license-server address 10.1.1.
-
Detailed Steps
Command: show activation-key [detail]
Purpose: This command shows the permanent license, active time-based licenses, and the running license, which is a combination of the permanent license and active time-based licenses. The detail keyword also shows inactive time-based licenses.
-
Example 3-2 Standalone Unit Output for show activation-key detail
The following is sample output from the show activation-key detail command for a standalone unit that shows the running license (the combined permanent license and time-based licenses), as well as the permanent license and each installed time-based license (active and inactive):
hostname# show activation-key detail
Serial Number: 88810093382
Running Permanent Activation Key: 0xce06d
-
0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Botnet Traffic Filter : Enabled 39 days
Inactive Timebased Activation Key: 0xyadayada3 0xyadayada3 0xyadayada3 0xyadayada3 0xyadayada3
AnyConnect Premium Peers : 25 7 days
Example 3-3 Primary Unit Output in a Failover Pair for show activation-key detail
The following is sample output from the show activation-key detail command for the primary failover unit that shows:
• The primary unit licen
-
Other VPN Peers                : 750      perpetual
Total VPN Peers                : 750      perpetual
Shared License                 : Disabled perpetual
AnyConnect for Mobile          : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment   : Disabled perpetual
UC Phone Proxy Sessions        : 4        perpetual
Total UC Proxy Sessions        : 4        perpetual
Botnet Traffic Filter          : Enabled  33 days
Intercompany Media Engine      : Disabled perpetual
This platform has an ASA 5520 VPN Plus l
-
• The secondary unit permanent license.
• The secondary installed time-based licenses (active and inactive). This unit does not have any time-based licenses, so none display in this sample output.
-
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Disabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
AnyConnect Premium Peers       : 2
AnyConnect Essentials          : Disabled
Other VPN Peers                : 750
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Advanced Endpoint Assessment   :
UC Phone Proxy Sessions        :
Total UC Proxy Sessions        :
Botnet Traffic Filter          :
Intercompany Media Engine      :
-
Messages Tx/Rx/Error:
  Registration : 0 / 0 / 0
  Get          : 0 / 0 / 0
  Release      : 0 / 0 / 0
  Transfer     : 0 / 0 / 0
The following is sample output from the show shared license detail command on the license server:
hostname> show shared license detail
Backup License Server Info:
  Device ID : ABCD
  Address   : 10.1.1.
-
Chapter 3 Managing Feature Licenses Feature History for Licensing
Feature History for Licensing
Table 3-19 lists each feature change and the platform release in which it was implemented.
Table 3-19 Feature History for Licensing
Feature Name | Platform Releases | Feature Information
Increased Connections and VLANs | 7.0(5) | Increased the following limits:
• ASA5510 Base license connections from 32000 to 5000; VLANs from 0 to 10.
-
Table 3-19 Feature History for Licensing (continued)
Feature Name | Platform Releases | Feature Information
Advanced Endpoint Assessment License | 8.0(2) | The Advanced Endpoint Assessment license was introduced.
-
Table 3-19 Feature History for Licensing (continued)
Feature Name | Platform Releases | Feature Information
AnyConnect Essentials License | 8.2(1) | The AnyConnect Essentials License was introduced. This license enables AnyConnect VPN client access to the ASA. This license does not support browser-based SSL VPN access or Cisco Secure Desktop.
-
Table 3-19 Feature History for Licensing (continued)
Feature Name | Platform Releases | Feature Information
Non-identical failover licenses | 8.3(1) | Failover licenses no longer need to be identical on each unit. The license used for both units is the combined license from the primary and secondary units. We modified the following commands: show activation-key and show version.
Stackable time-based licenses | 8.
-
Table 3-19 Feature History for Licensing (continued)
Feature Name | Platform Releases | Feature Information
Increased connections for the ASA 5580 and 5585-X | 8.4(1) | We increased the firewall connection limits:
• ASA 5580-20—1,000,000 to 2,000,000.
• ASA 5580-40—2,000,000 to 4,000,000.
• ASA 5585-X with SSP-10: 750,000 to 1,000,000.
• ASA 5585-X with SSP-20: 1,000,000 to 2,000,000.
-
PART 2 Configuring Firewall and Security Context Modes
-
CHAPTER 4 Configuring the Transparent or Routed Firewall
This chapter describes how to set the firewall mode to routed or transparent, as well as how the firewall works in each firewall mode. In multiple context mode, you cannot set the firewall mode separately for each context; you can only set the firewall mode for the entire ASA.
-
Chapter 4 Configuring the Transparent or Routed Firewall Configuring the Firewall Mode
Information About Routed Firewall Mode
In routed mode, the ASA is considered to be a router hop in the network. It can use OSPF or RIP (in single context mode). Routed mode supports many interfaces. Each interface is on a different subnet. You can share interfaces between contexts. The ASA acts as a router between connected networks, and each interface requires an IP address on a different subnet.
-
The ASA does not support traffic on secondary networks; only traffic on the same network as the management IP address is supported.
Management Interface (ASA 5510 and Higher)
In addition to each bridge group management IP address, you can add a separate Management slot/port interface that is not part of any bridge group, and that allows only management traffic to the ASA.
-
multicast traffic such as that created by IP/TV. You can also establish routing protocol adjacencies through a transparent firewall; you can allow OSPF, RIP, EIGRP, or BGP traffic through based on an extended access list. Likewise, protocols like HSRP or VRRP can pass through the ASA.
BPDU Handling
To prevent loops using the Spanning Tree Protocol, BPDUs are passed by default.
-
Using the Transparent Firewall in Your Network
Figure 4-1 shows a typical transparent firewall network where the outside devices are on the same subnet as the inside devices. The inside router and hosts appear to be directly connected to the outside router.
Figure 4-1 Transparent Firewall Network
[Figure: Internet; 10.1.1.1; Network A; Management IP 10.1.1.2; 10.1.1.3; Network B; 192.168.1.]
-
Figure 4-2 shows two networks connected to the ASA, which has two bridge groups.
Figure 4-2 Transparent Firewall Network with Two Bridge Groups
[Figure: 10.1.1.1; Management IP Bridge Group 1 10.1.1.2; Management IP Bridge Group 2 10.2.1.2; 10.2.1.3; 10.1.1.3; 10.2.1.1]
Licensing Requirements for the Firewall Mode
The following table shows the licensing requirements for this feature.
-
• When you change modes, the ASA clears the running configuration because many commands are not supported for both modes. This action removes any contexts from running. If you then re-add a context that has an existing configuration that was created for the wrong mode, the context configuration might not work correctly.
-
Table 4-1 Unsupported Features in Transparent Mode
Feature | Description
Dynamic DNS | —
DHCP relay | The transparent firewall can act as a DHCP server, but it does not support the DHCP relay commands.
-
Chapter 4 Configuring the Transparent or Routed Firewall Configuring ARP Inspection for the Transparent Firewall
Detailed Steps
Command: firewall transparent
Purpose: Sets the firewall mode to transparent. To change the mode to routed, enter the no firewall transparent command.
Note You are not prompted to confirm the firewall mode change; the change occurs immediately.
Example:
-
Information About ARP Inspection
By default, all ARP packets are allowed through the ASA. You can control the flow of ARP packets by enabling ARP inspection.
-
Firewall Mode Guidelines
Supported only in transparent firewall mode. Routed mode is not supported.
-
Examples
For example, to allow ARP responses from the router at 10.1.1.1 with the MAC address 0009.7cbe.2100 on the outside interface, enter the following command:
hostname(config)# arp outside 10.1.1.1 0009.7cbe.2100
What to Do Next
Enable ARP inspection according to the “Enabling ARP Inspection” section on page 4-12.
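To show what the static entry above buys you once inspection is enabled, here is an added Python model of ARP inspection (not Cisco code and not from this guide). It parses arp lines in the form shown on this page and assumes the ASA CLI form arp-inspection interface enable [flood | no-flood] for turning inspection on; the packets and the inside host entry are constructed sample data.

```python
"""Model of ARP inspection against the transparent firewall's static ARP table.

Added example, not Cisco code. Rules modelled: an ARP packet whose interface,
IP and MAC all match a static entry is forwarded; one that conflicts with an
entry (same IP with a different MAC, same MAC with a different IP, or the
right binding on the wrong interface) is dropped; one that matches no entry is
flooded, or dropped when the interface is configured no-flood.
"""
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# arp <interface> <dotted-quad IP> <MAC in xxxx.xxxx.xxxx form>
ARP_LINE = re.compile(
    r"^\s*arp\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s*$", re.IGNORECASE)
# arp-inspection <interface> enable [flood | no-flood]  (assumed CLI form)
INSPECT_LINE = re.compile(
    r"^\s*arp-inspection\s+(\S+)\s+enable(?:\s+(flood|no-flood))?\s*$", re.IGNORECASE)

StaticTable = Dict[Tuple[str, str], str]   # (interface, ip) -> mac
Inspection = Dict[str, bool]               # interface -> no_flood


def parse_config(config: str) -> Tuple[StaticTable, Inspection]:
    """Build the static ARP table and the per-interface inspection settings."""
    table: StaticTable = {}
    inspection: Inspection = {}
    for line in config.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ifname, ip, mac = m.groups()
            table[(ifname, ip)] = mac.lower()
            continue
        m = INSPECT_LINE.match(line)
        if m:
            ifname, mode = m.groups()
            inspection[ifname] = (mode or "flood").lower() == "no-flood"
    return table, inspection


@dataclass(frozen=True)
class ArpPacket:
    ingress: str      # interface the ARP packet arrived on
    sender_ip: str    # sender protocol address
    sender_mac: str   # sender hardware address


def inspect(pkt: ArpPacket, table: StaticTable, inspection: Inspection) -> str:
    """Return 'forward', 'flood' or 'drop' for one ARP packet."""
    if pkt.ingress not in inspection:
        return "forward"          # inspection off: all ARP passes (the page's default)
    mac = pkt.sender_mac.lower()
    # Static entries that share this packet's IP or MAC on any interface.
    related = [(ifname, ip, m) for (ifname, ip), m in table.items()
               if ip == pkt.sender_ip or m == mac]
    if not related:
        return "drop" if inspection[pkt.ingress] else "flood"   # unknown binding
    if (pkt.ingress, pkt.sender_ip, mac) in related:
        return "forward"          # exact match on interface, IP and MAC
    return "drop"                 # conflicts with a static entry: treated as spoofing


# Constructed configuration: the router entry from this page, an inside host,
# inspection on outside (flood) and on dmz (no-flood).
SAMPLE_CONFIG = """\
arp outside 10.1.1.1 0009.7cbe.2100
arp inside 10.1.1.3 0009.7cbe.5101
arp-inspection outside enable
arp-inspection dmz enable no-flood
"""


def demo() -> Dict[str, str]:
    """Run constructed ARP packets through the sample configuration."""
    table, inspection = parse_config(SAMPLE_CONFIG)
    cases = {
        "router-genuine": ArpPacket("outside", "10.1.1.1", "0009.7CBE.2100"),
        "router-ip-other-mac": ArpPacket("outside", "10.1.1.1", "0009.7cbe.ffff"),
        "router-mac-other-ip": ArpPacket("outside", "10.1.1.9", "0009.7cbe.2100"),
        "unknown-on-outside": ArpPacket("outside", "10.1.1.50", "0011.2233.4455"),
        "unknown-on-dmz": ArpPacket("dmz", "10.1.1.50", "0011.2233.4455"),
        "inside-not-inspected": ArpPacket("inside", "10.1.1.3", "0000.0000.0001"),
    }
    return {name: inspect(p, table, inspection) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```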
-
Chapter 4 Configuring the Transparent or Routed Firewall Customizing the MAC Address Table for the Transparent Firewall
Feature History for ARP Inspection
Table 4-3 lists the release history for each feature change and the platform release in which it was implemented.
Table 4-3 Feature History for ARP Inspection
Feature Name | Releases | Feature Information
ARP inspection | 7.
-
Information About the MAC Address Table
The ASA learns and builds a MAC address table in a similar way as a normal bridge or switch: when a device sends a packet through the ASA, the ASA adds the MAC address to its table. The table associates the MAC address with the source interface so that the ASA knows to send any packets addressed to the device out the correct interface.
-
Additional Guidelines
In transparent firewall mode, the management interface updates the MAC address table in the same manner as a data interface; therefore you should not connect both a management and a data interface to the same switch unless you configure one of the switch ports as a routed port (by default Cisco Catalyst switches share a MAC address for all VLAN switch ports).
-
Command: mac-address-table aging-time timeout_value
Purpose: Sets the MAC address entry timeout. The timeout_value (in minutes) is between 5 and 720 (12 hours). 5 minutes is the default.
-
Chapter 4 Configuring the Transparent or Routed Firewall Firewall Mode Examples
inside 0009.7cbe.5101 dynamic 10
Feature History for the MAC Address Table
Table 4-4 lists the release history for each feature change and the platform release in which it was implemented.
Table 4-4 Feature History for the MAC Address Table
Feature Name | Releases | Feature Information
MAC address table | 7.0(1) | Transparent firewall mode uses a MAC address table.
-
An Inside User Visits a Web Server
Figure 4-3 shows an inside user accessing an outside web server.
Figure 4-3 Inside to Outside
[Figure: www.example.com; Outside 209.165.201.2; Source Addr Translation 10.1.2.27 to 209.165.201.10; 10.1.2.1; 10.1.1.1; DMZ; User 10.1.2.27; Web Server 10.1.1.3; Inside]
The following steps describe how data moves through the ASA (see Figure 4-3):
1.
-
5. When www.example.com responds to the request, the packet goes through the ASA, and because the session is already established, the packet bypasses the many lookups associated with a new connection. The ASA performs NAT by translating the global destination address to the local user address, 10.1.2.27.
6. The ASA forwards the packet to the inside user.
-
5. When the DMZ web server responds to the request, the packet goes through the ASA and because the session is already established, the packet bypasses the many lookups associated with a new connection. The ASA performs NAT by translating the local source address to 209.165.201.3.
6. The ASA forwards the packet to the outside user.
-
5. The ASA forwards the packet to the inside user.
An Outside User Attempts to Access an Inside Host
Figure 4-6 shows an outside user attempting to access the inside network.
Figure 4-6 Outside to Inside
[Figure: www.example.com; Outside 209.165.201.2; Inside; User 10.1.2.27; 10.1.1.1; DMZ; 10.1.2.1]
The following steps describe how data moves through the ASA (see Figure 4-6):
1.
-
A DMZ User Attempts to Access an Inside Host
Figure 4-7 shows a user in the DMZ attempting to access the inside network.
Figure 4-7 DMZ to Inside
[Figure: Outside 209.165.201.2; 10.1.2.1; 10.1.1.1; DMZ; User 10.1.2.27; Web Server 10.1.1.3; Inside]
The following steps describe how data moves through the ASA (see Figure 4-7):
1. A user on the DMZ network attempts to reach an inside host.
-
How Data Moves Through the Transparent Firewall
Figure 4-8 shows a typical transparent firewall implementation with an inside network that contains a public web server. The ASA has an access list so that the inside users can access Internet resources. Another access list lets the outside users access only the web server on the inside network.
Figure 4-8 Typical Transparent Firewall Data Path
[Figure: www.example.com; Internet 209.]
-
An Inside User Visits a Web Server
Figure 4-9 shows an inside user accessing an outside web server.
Figure 4-9 Inside to Outside
[Figure: www.example.com; Internet 209.165.201.2; Host 209.165.201.3; Management IP 209.165.201.6]
The following steps describe how data moves through the ASA (see Figure 4-9):
1. The user on the inside network requests a web page from www.example.com.
2.
-
An Inside User Visits a Web Server Using NAT
Figure 4-10 shows an inside user accessing an outside web server.
Figure 4-10 Inside to Outside with NAT
[Figure: www.example.com; Internet; static route on router to 209.165.201.0/27 through security appliance; Source Addr Translation 10.1.2.27 to 209.165.201.10; 10.1.2.1; Management IP 10.1.2.2; Host 10.1.2.]
-
An Outside User Visits a Web Server on the Inside Network
Figure 4-11 shows an outside user accessing the inside web server.
Figure 4-11 Outside to Inside
[Figure: Host; Internet 209.165.201.2; Management IP 209.165.201.6; 209.165.201.1; Web Server 209.165.200.225; 209.165.200.230]
The following steps describe how data moves through the ASA (see Figure 4-11):
1.
-
An Outside User Attempts to Access an Inside Host
Figure 4-12 shows an outside user attempting to access a host on the inside network.
Figure 4-12 Outside to Inside
[Figure: Host; Internet 209.165.201.2; Management IP 209.165.201.6; Host 209.165.201.3]
The following steps describe how data moves through the ASA (see Figure 4-12):
1. A user on the outside network attempts to reach an inside host.
2.
-
-
CHAPTER 5 Configuring Multiple Context Mode
This chapter describes how to configure multiple security contexts on the ASA and includes the following sections:
• Information About Security Contexts, page 5-1
• Licensing Requirements for Multiple Context Mode, page 5-12
• Guidelines and Limitations, page 5-13
• Default Settings, page 5-14
• Configuring Multiple Contexts, page 5-14
• Changing Between Contexts and the System Execution Space, page 5-23
• Managing Security Contexts, page 5-23
-
Chapter 5 Configuring Multiple Context Mode Information About Security Contexts
• Information About Resource Management, page 5-8
• Information About MAC Addresses, page 5-11
Common Uses for Security Contexts
You might want to use multiple security contexts in the following situations:
• You are a service provider and want to sell security services to many customers.
-
logging into the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users. The admin context must reside on flash memory, and not remotely. If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as a file on the internal flash memory called admin.cfg.
-
NAT Configuration
If you do not use unique MAC addresses, then the mapped addresses in your NAT configuration are used to classify packets. We recommend using MAC addresses instead of NAT, so that traffic classification can occur regardless of the completeness of the NAT configuration.
Classification Examples
Figure 5-1 shows multiple contexts sharing an outside interface.
-
Note that all new incoming traffic must be classified, even from inside networks. Figure 5-2 shows a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is Gigabit Ethernet 0/1.3, which is assigned to Context B.
Figure 5-2 Incoming Traffic from Inside Networks
[Figure: Internet; GE 0/0.1; Admin Context, Context A, Context B; Classifier; GE 0/1.1; GE 0/1.]
-
For transparent firewalls, you must use unique interfaces. Figure 5-3 shows a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is Gigabit Ethernet 1/0.3, which is assigned to Context B.
Figure 5-3 Transparent Firewall Contexts
[Figure: Internet; Classifier; GE 0/0.2, GE 0/0.1, GE 0/0.3; Admin Context, Context A, Context B; GE 1/0.1; GE 1/0.]
-
Figure 5-4 shows a gateway context with two contexts behind the gateway.
Figure 5-4 Cascading Contexts
[Figure: Internet; GE 0/0.2 Outside; Gateway Context; Inside GE 0/0.1 (Shared Interface); Outside; Outside; Admin Context; Context A; Inside GE 1/1.43; Inside GE 1/1.]
-
log in with a username, enter the login command. For example, you log in to the admin context with the username “admin.” The admin context does not have any command authorization configuration, but all other contexts include command authorization. For convenience, each context configuration includes a user “admin” with maximum privileges.
-
Figure 5-5 Resource Oversubscription
[Figure: Total Number of System Connections = 999,900. Max. 20% (199,800) Maximum connections allowed. 16% (159,984) Connections in use. 12% (119,988) Connections denied because system limit was reached.]
-
If a context belongs to a class other than the default class, those class settings always override the default class settings. However, if the other class has any settings that are not defined, then the member context uses the default class for those limits. For example, if you create a class with a 2 percent limit for all concurrent connections, but no other limits, then all other limits are inherited from the default class.
-
Information About MAC Addresses
To allow contexts to share interfaces, you should assign unique MAC addresses to each shared context interface. The MAC address is used to classify packets within a context. If you share an interface, but do not have unique MAC addresses for the interface in each context, then other classification methods are attempted that might not provide full coverage.
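The classification methods described above (unique interface, then unique MAC on a shared interface, then NAT mapped addresses) as an added Python model; this is not Cisco code and not from this guide. The contexts, interface names, MACs and mapped addresses are constructed sample data loosely modelled on Figure 5-2, and the audit function flags the two configurations the page warns about: transparent contexts sharing an interface, and shared interfaces without a unique MAC per context.

```python
"""Model of the multiple-context packet classifier this page describes.

Added example, not Cisco code. Classification order: a unique ingress interface
decides on its own; on a shared interface the destination MAC must match exactly
one context's unique MAC; failing that, the destination address is looked up in
each context's NAT mapped addresses; anything still ambiguous is unclassified.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Context:
    name: str
    mode: str                                 # "routed" or "transparent"
    interfaces: Dict[str, Optional[str]]      # allocated interface -> unique MAC, or None
    nat_mapped: Set[str] = field(default_factory=set)   # mapped addresses from NAT rules


@dataclass(frozen=True)
class Packet:
    ingress: str
    dst_mac: str
    dst_ip: str


def classify(pkt: Packet, contexts: List[Context]) -> Tuple[Optional[str], str]:
    """Return (context name, method) or (None, reason) when no context can be chosen."""
    owners = [c for c in contexts if pkt.ingress in c.interfaces]
    if not owners:
        return None, "no-context"
    if len(owners) == 1:
        return owners[0].name, "unique-interface"
    dst = pkt.dst_mac.lower()
    by_mac = [c for c in owners if (c.interfaces[pkt.ingress] or "").lower() == dst]
    if len(by_mac) == 1:
        return by_mac[0].name, "unique-mac"
    by_nat = [c for c in owners if pkt.dst_ip in c.nat_mapped]
    if len(by_nat) == 1:
        return by_nat[0].name, "nat-mapped"
    return None, "unclassified"       # ambiguous or unknown: the packet is dropped


def audit_sharing(contexts: List[Context]) -> List[str]:
    """Report shared interfaces that weaken classification: transparent contexts
    must not share an interface, and routed contexts sharing one should each
    have a unique MAC so classification does not depend on NAT coverage."""
    users: Dict[str, List[Context]] = {}
    for c in contexts:
        for ifname in c.interfaces:
            users.setdefault(ifname, []).append(c)
    findings: List[str] = []
    for ifname, cs in sorted(users.items()):
        if len(cs) < 2:
            continue
        names = ", ".join(c.name for c in cs)
        if any(c.mode == "transparent" for c in cs):
            findings.append(f"{ifname}: shared by {names}, but transparent "
                            f"contexts require unique interfaces")
        macs = [c.interfaces[ifname] for c in cs]
        if any(m is None for m in macs) or len({m.lower() for m in macs}) != len(cs):
            findings.append(f"{ifname}: shared by {names} without a unique MAC "
                            f"per context; classification falls back to NAT")
    return findings


def sample_contexts(unique_macs: bool = True) -> List[Context]:
    """Constructed topology: three routed contexts share gigabitethernet0/0.1
    (outside); each has its own inside subinterface and one NAT mapped address."""
    def mac(n: int) -> Optional[str]:
        return f"a2ff.0000.000{n}" if unique_macs else None
    return [
        Context("admin", "routed",
                {"gigabitethernet0/0.1": mac(1), "gigabitethernet0/1.1": None},
                {"209.165.201.1"}),
        Context("A", "routed",
                {"gigabitethernet0/0.1": mac(2), "gigabitethernet0/1.2": None},
                {"209.165.201.2"}),
        Context("B", "routed",
                {"gigabitethernet0/0.1": mac(3), "gigabitethernet0/1.3": None},
                {"209.165.201.3"}),
    ]


if __name__ == "__main__":
    ctx = sample_contexts()
    print(classify(Packet("gigabitethernet0/1.3", "ffff.ffff.ffff", "198.51.100.10"), ctx))
    print(classify(Packet("gigabitethernet0/0.1", "A2FF.0000.0002", "209.165.201.2"), ctx))
    for finding in audit_sharing(sample_contexts(unique_macs=False)):
        print("finding:", finding)
```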
-
Chapter 5 Configuring Multiple Context Mode Licensing Requirements for Multiple Context Mode
Failover MAC Addresses
For use with failover, the ASA generates both an active and standby MAC address for each interface. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption. See the “MAC Address Format” section for more information.
-
Chapter 5 Configuring Multiple Context Mode Guidelines and Limitations
Model | License Requirement
ASA 5505 | No support.
ASA 5510 | Security Plus License: 2 contexts. Optional license: 5 contexts.
ASA 5520 | Base License: 2 contexts. Optional licenses: 5, 10, or 20 contexts.
ASA 5540 | Base License: 2 contexts. Optional licenses: 5, 10, 20, or 50 contexts.
ASA 5550 | Base License: 2 contexts. Optional licenses: 5, 10, 20, 50, or 100 contexts.
ASA 5580 | Base License: 2 contexts.
-
Chapter 5 Configuring Multiple Context Mode Default Settings
Model Guidelines
Does not support the ASA 5505.
Unsupported Features
Multiple context mode does not support the following features:
• Dynamic routing protocols
Security contexts support only static routes. You cannot enable OSPF, RIP, or EIGRP in multiple context mode.
-
Chapter 5 Configuring Multiple Context Mode Configuring Multiple Contexts
Step 3 Configure interfaces in the system execution space. See Chapter 6, “Starting Interface Configuration (ASA 5510 and Higher).”
Step 4 Configure security contexts. See the “Configuring a Security Context” section on page 5-18.
Step 5 (Optional) Automatically assign MAC addresses to context interfaces. See the “Automatically Assigning MAC Addresses to Context Interfaces” section on page 5-22.
-
Restoring Single Context Mode
To copy the old running configuration to the startup configuration and to change the mode to single mode, perform the following steps.
Prerequisites
Perform this procedure in the system execution space.
Detailed Steps
Step 1
Command: copy flash:old_running.cfg startup-config
Purpose: Copies the backup version of your original running configuration to the current startup configuration.
-
Table 5-1 Resource Names and Limits
Resource Name | Rate or Concurrent | Minimum and Maximum Number per Context | System Limit (footnote 1) | Description
mac-addresses | Concurrent | N/A | 65,535 |
conns | Concurrent | N/A | See the “Supported Feature Licenses Per Model” section on page 3-1 for the connection limit for your platform. | Concurrent connections: TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts.
-
Command: limit-resource all 0
Purpose: Sets all resource limits (shown in Table 5-1) to be unlimited. For example, you might want to create a class that includes the admin context that has no limitations. The default class has all resources set to unlimited by default.
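An added Python model (not Cisco code and not from this guide) of how a context's effective limits follow from the class rules stated above: class settings override the default class, undefined settings are inherited, and limit-resource all 0 means unlimited. It also computes the oversubscription that Figure 5-5 illustrates. The mac-addresses system limit is the 65,535 from Table 5-1; the conns system limit and the classes are constructed sample values, the conns total chosen to equal the figure's.

```python
"""Effective per-context resource limits under ASA resource classes.

Added example, not Cisco code. Rules modelled: a context takes the limits of its
class; any limit the class does not define is inherited from the default class;
'limit-resource all 0' (and an undefined default) means unlimited, i.e. bounded
only by the system limit; percent limits are relative to the system limit.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# mac-addresses from Table 5-1; conns is a constructed value equal to Figure 5-5's total.
SYSTEM_LIMITS: Dict[str, int] = {"conns": 999_900, "mac-addresses": 65_535}

# A class maps a resource name (or "all") to the value given to limit-resource:
# "0" for unlimited, "N%" for a share of the system limit, or an absolute count.
ResourceClass = Dict[str, str]


@dataclass(frozen=True)
class Limit:
    value: int          # how many of the resource this context may use
    guaranteed: bool    # False when the only bound is the system limit itself


def parse_limit(spec: str) -> Tuple[str, float]:
    """Return ('unlimited', 0), ('percent', p) or ('absolute', n) for a limit value."""
    spec = spec.strip()
    if spec == "0":
        return "unlimited", 0.0
    if spec.endswith("%"):
        pct = float(spec[:-1])
        if not 0 < pct <= 100:
            raise ValueError(f"percent limit out of range: {spec}")
        return "percent", pct
    n = int(spec)
    if n < 0:
        raise ValueError(f"negative limit: {spec}")
    return "absolute", float(n)


def class_spec(resource: str, cls: ResourceClass) -> Optional[str]:
    """The value a class sets for a resource; 'all' covers every resource not named."""
    return cls.get(resource, cls.get("all"))


def effective_limit(resource: str, cls: ResourceClass, default: ResourceClass,
                    system: Dict[str, int] = SYSTEM_LIMITS) -> Limit:
    spec = class_spec(resource, cls)
    if spec is None:                      # not set in the class: inherit from default
        spec = class_spec(resource, default)
    if spec is None:                      # not set anywhere: unlimited
        spec = "0"
    kind, value = parse_limit(spec)
    system_max = system[resource]
    if kind == "unlimited":
        return Limit(system_max, False)
    if kind == "percent":
        return Limit(int(system_max * value / 100), True)
    return Limit(min(int(value), system_max), True)


def context_limits(members: Dict[str, str], classes: Dict[str, ResourceClass],
                   system: Dict[str, int] = SYSTEM_LIMITS) -> Dict[str, Dict[str, Limit]]:
    """members maps context name -> class name; returns every context's limit per resource."""
    default = classes.get("default", {})
    return {ctx: {r: effective_limit(r, classes.get(cls, {}), default, system) for r in system}
            for ctx, cls in members.items()}


def oversubscription(limits: Dict[str, Dict[str, Limit]], resource: str,
                     system: Dict[str, int] = SYSTEM_LIMITS) -> float:
    """Sum of the guaranteed limits for a resource as a fraction of the system limit;
    above 1.0 the classes promise more than the system can deliver (Figure 5-5)."""
    total = sum(l[resource].value for l in limits.values() if l[resource].guaranteed)
    return total / system[resource]


# Constructed configuration: the default class caps connections at 10%, 'silver'
# at 2% (the page's example) with everything else inherited, and 'gold' is
# 'limit-resource all 0', i.e. unlimited (for the admin context).
SAMPLE_CLASSES: Dict[str, ResourceClass] = {
    "default": {"conns": "10%"},
    "silver": {"conns": "2%"},
    "gold": {"all": "0"},
}
SAMPLE_MEMBERS = {"admin": "gold", "ctx1": "silver", "ctx2": "silver",
                  "ctx3": "silver", "ctx4": "default"}


if __name__ == "__main__":
    limits = context_limits(SAMPLE_MEMBERS, SAMPLE_CLASSES)
    for ctx, res in limits.items():
        print(ctx, {r: (l.value, l.guaranteed) for r, l in res.items()})
    print("conns guaranteed across contexts:", f"{oversubscription(limits, 'conns'):.0%}")
```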
-
Although this context name does not exist yet in your configuration, you can subsequently enter the context name command to match the specified name to continue the admin context configuration.
Detailed Steps
Step 1
Command: context name
Purpose: Adds or modifies a context. The name is a string up to 32 characters long. This name is case sensitive, so you can have two contexts named “customerA” and “CustomerA,” for example.
-
Step 3
Command:
To allocate a physical interface:
allocate-interface physical_interface [mapped_name] [visible | invisible]
To allocate one or more subinterfaces:
allocate-interface physical_interface.subinterface[-physical_interface.
Purpose: Specifies the interfaces you can use in the context. Do not include a space between the interface type and the port number.
-
Step 4
Command: config-url url
Purpose: Identifies the URL from which the system downloads the context configuration. When you add a context URL, the system immediately loads the context so that it is running, if the configuration is available.
Example:
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/test.cfg
Note Enter the allocate-interface command(s) before you enter the config-url command.
-
Examples
The following example sets the admin context to be “administrator,” creates a context called “administrator” on the internal flash memory, and then adds two contexts from an FTP server:
hostname(config)# admin-context administrator
hostname(config)# context administrator
hostname(config-ctx)# allocate-interface gigabitethernet0/0.1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.
-
Chapter 5 Configuring Multiple Context Mode Changing Between Contexts and the System Execution Space
Detailed Steps
Command: mac-address auto [prefix prefix]
Purpose: Automatically assign private MAC addresses to each context interface. The prefix is a decimal value between 0 and 65535. This prefix is converted to a 4-digit hexadecimal number, and used as part of the MAC address.
Example:
hostname(config)# mac-address auto prefix 19
-
Chapter 5 Configuring Multiple Context Mode Managing Security Contexts
Removing a Security Context
You can only remove a context by editing the system configuration. You cannot remove the current admin context, unless you remove all contexts using the clear context command.
Note: If you use failover, there is a delay between when you remove the context on the active unit and when the context is removed on the standby unit.
-
Chapter 5 Configuring Multiple Context Mode Managing Security Contexts
Detailed Steps
Command: admin-context context_name
Purpose: Sets the admin context. Any remote management sessions, such as Telnet, SSH, or HTTPS, that are connected to the admin context are terminated. You must reconnect to the new admin context.
Example:
hostname(config)# admin-context administrator
Note: A few system commands, including ntp server, identify an interface name that belongs to the admin context.
-
Chapter 5 Configuring Multiple Context Mode Managing Security Contexts
Detailed Steps
Step 1 (Optional, if you do not want to perform a merge)
Command:
changeto context name
clear configure all
Purpose: Changes to the context and clears its configuration. If you want to perform a merge, skip to Step 2.
Example:
hostname(config)# changeto context ctx1
hostname/ctx1(config)# clear configure all
Step 2
Command: changeto system
Purpose: Changes to the system execution space.
-
Chapter 5 Configuring Multiple Context Mode Monitoring Security Contexts
Detailed Steps
Step 1
Command: changeto context name
Purpose: Changes to the context that you want to reload.
Example:
hostname(config)# changeto context ctx1
hostname/ctx1(config)#
Step 2
Command: clear configure all
Purpose: Clears the running configuration. This command clears all connections.
Example:
hostname/ctx1(config)# clear configure all
Step 3
Command: copy startup-config running-config
Purpose: Reloads the configuration.
Example:
-
Chapter 5 Configuring Multiple Context Mode Monitoring Security Contexts
From the system execution space, view all contexts by entering the following command:
Command: show context [name | detail | count]
Purpose: Shows all contexts. The detail option shows additional information. See the following sample outputs for more information. If you want to show information for a particular context, specify the name. The count option shows the total number of contexts.
-
Chapter 5 Configuring Multiple Context Mode Monitoring Security Contexts
GigabitEthernet0/1.20, GigabitEthernet0/2, GigabitEthernet0/2.30, GigabitEthernet0/3, Management0/0, Management0/0.1
Flags: 0x00000019, ID: 257
Context "null", is a system resource
Config URL: ... null ...
Real Interfaces:
Mapped Interfaces:
Flags: 0x00000009, ID: 258
See the command reference for more information about the detail output.
-
Chapter 5 Configuring Multiple Context Mode Monitoring Security Contexts
Table 5-3 shows each field description.
Table 5-3 show resource allocation Fields
Field: Resource. Description: The name of the resource that you can limit.
Field: Total. Description: The total amount of the resource that is allocated across all contexts. The amount is an absolute number of concurrent instances or instances per second.
-
Chapter 5 Configuring Multiple Context Mode Monitoring Security Contexts
[Sample output of the show resource allocation detail command for the Xlates and mac-addresses resources, broken down by class (default, gold, silver, bronze, All Contexts); the column layout was lost in extraction.]
Table 5-4 shows each field description.
-
Chapter 5 Configuring Multiple Context Mode Monitoring Security Contexts Viewing Resource Usage From the system execution space, you can view the resource usage for each context and display the system resource usage.
-
Chapter 5 Configuring Multiple Context Mode Monitoring Security Contexts The following is sample output from the show resource usage summary command, which shows the resource usage for all contexts and all resources. This sample shows the limits for 6 contexts.
-
Chapter 5 Configuring Multiple Context Mode Monitoring Security Contexts
Command: show perfmon. Purpose: Monitors the rate of attacks for individual contexts.
Command: show resource usage detail. Purpose: Monitors the amount of resources being used by TCP intercept for individual contexts.
Command: show resource usage summary detail. Purpose: Monitors the resources being used by TCP intercept for the entire system.
-
Chapter 5 Configuring Multiple Context Mode Monitoring Security Contexts
[Sample show resource usage output listing the resources chunk:nat, chunk:route, chunk:static, tcp-intercept-rate, globals, np-statics, statics, nats, ace-rules, console-access-rul, fixup-rules, memory, chunk:channels, chunk:dbgtrace, chunk:fixup, chunk:ip-users, chunk:list-elem, chunk:list-hdr, block:16384 and block:2048 with their numeric usage columns and limits (unlimited); the column layout was lost in extraction.]
-
Chapter 5 Configuring Multiple Context Mode Monitoring Security Contexts Viewing MAC Addresses in the System Configuration This section describes how to view MAC addresses in the system configuration. Guidelines If you manually assign a MAC address to an interface, but also have auto-generation enabled, the auto-generated address continues to show in the configuration even though the manual MAC address is the one that is in use.
-
Chapter 5 Configuring Multiple Context Mode Monitoring Security Contexts
mac-address auto GigabitEthernet0/0.5 a2d2.0400.11cc a2d2.0400.11cd
allocate-interface GigabitEthernet0/1
allocate-interface GigabitEthernet0/1.1-GigabitEthernet0/1.3
mac-address auto GigabitEthernet0/1.1 a2d2.0400.120c a2d2.0400.120d
mac-address auto GigabitEthernet0/1.2 a2d2.0400.1210 a2d2.0400.1211
mac-address auto GigabitEthernet0/1.3 a2d2.0400.1214 a2d2.0400.1215
config-url disk0:/CTX1.
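Shared interfaces are classified by MAC address, so an audit of the system configuration should confirm that the auto-generated addresses really carry the configured prefix and that no two contexts ended up with the same address. The following Python script is an added example, not part of the guide: it parses mac-address auto lines such as those shown above, and it assumes that the 4-digit hex prefix is written into the address with its two bytes swapped (prefix 1234 = 0x04D2 gives a2d2.04...), which matches the sample addresses; the prefix line and the second context in the sample input are constructed.

```python
import re

# Constructed excerpt of a multiple context mode system configuration. The
# interface names and MAC addresses of CTX1 are taken from the guide's sample
# output; the prefix value and context CTX2 (which deliberately repeats one of
# CTX1's addresses) are constructed for this example.
SAMPLE_SYSTEM_CONFIG = """\
mac-address auto prefix 1234
context CTX1
  allocate-interface GigabitEthernet0/0.5
  mac-address auto GigabitEthernet0/0.5 a2d2.0400.11cc a2d2.0400.11cd
  allocate-interface GigabitEthernet0/1
  allocate-interface GigabitEthernet0/1.1-GigabitEthernet0/1.3
  mac-address auto GigabitEthernet0/1.1 a2d2.0400.120c a2d2.0400.120d
  mac-address auto GigabitEthernet0/1.2 a2d2.0400.1210 a2d2.0400.1211
  mac-address auto GigabitEthernet0/1.3 a2d2.0400.1214 a2d2.0400.1215
  config-url disk0:/ctx1-example.cfg
context CTX2
  allocate-interface GigabitEthernet0/1.1-GigabitEthernet0/1.2
  mac-address auto GigabitEthernet0/1.1 a2d2.0400.120c a2d2.0400.120d
  mac-address auto GigabitEthernet0/1.2 a2d2.0400.1218 a2d2.0400.1219
  config-url disk0:/ctx2-example.cfg
"""

MAC = r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
PREFIX_RE = re.compile(r"^\s*mac-address auto prefix (\d+)\s*$")
CONTEXT_RE = re.compile(r"^\s*context (\S+)\s*$")
MAC_RE = re.compile(r"^\s*mac-address auto (\S+) " + MAC + " " + MAC + r"\s*$")


def auto_mac_leading_bytes(prefix: int) -> str:
    """Return the leading 'a2xx.yy' that 'mac-address auto prefix N' yields.

    Assumption (from the guide's sample, prefix 0x04D2 -> a2d2.04...): the
    4-digit hex prefix is placed after the fixed a2 byte with its two bytes
    swapped. A2 is the fixed first byte of every auto-generated address.
    """
    if not 0 <= prefix <= 65535:
        raise ValueError("prefix must be a decimal value between 0 and 65535")
    high, low = prefix >> 8, prefix & 0xFF
    return f"a2{low:02x}.{high:02x}"


def parse_auto_macs(config_text: str):
    """Return (prefix or None, [(context, interface, active_mac, standby_mac)])."""
    prefix = None
    entries = []
    context = "system"  # mac-address auto lines before any context line
    for line in config_text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            prefix = int(m.group(1))
            continue
        m = CONTEXT_RE.match(line)
        if m:
            context = m.group(1)
            continue
        m = MAC_RE.match(line)
        if m:
            entries.append((context, m.group(1), m.group(2).lower(), m.group(3).lower()))
    return prefix, entries


def audit_auto_macs(config_text: str):
    """Return a list of findings; an empty list means the auto MACs look clean."""
    prefix, entries = parse_auto_macs(config_text)
    findings = []
    # Check 1: every auto-generated address carries the configured prefix bytes.
    if prefix is not None:
        expected = auto_mac_leading_bytes(prefix)
        for ctx, ifc, active, standby in entries:
            for mac in (active, standby):
                if not mac.startswith(expected):
                    findings.append(f"prefix mismatch: {ctx} {ifc} {mac} (expected {expected}...)")
    # Check 2: no address is shared between contexts or interfaces.
    owner_of = {}
    for ctx, ifc, active, standby in entries:
        owner = f"{ctx} {ifc}"
        for mac in (active, standby):
            if mac in owner_of and owner_of[mac] != owner:
                findings.append(f"duplicate MAC {mac}: {owner_of[mac]} and {owner}")
            owner_of.setdefault(mac, owner)
    return findings


if __name__ == "__main__":
    for finding in audit_auto_macs(SAMPLE_SYSTEM_CONFIG):
        print(finding)
```

Run it against the output of show running-config from the system execution space; the constructed sample reports the two addresses that CTX2 shares with CTX1.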
-
Chapter 5 Configuring Multiple Context Mode Configuration Examples for Multiple Context Mode
Configuration Examples for Multiple Context Mode
The following example:
• Automatically sets the MAC addresses in contexts.
• Sets the default class limit for conns to 10 percent instead of unlimited.
• Creates a gold resource class.
• Sets the admin context to be “administrator.”
• Creates a context called “administrator” on the internal flash memory to be part of the default resource class.
-
Chapter 5 Configuring Multiple Context Mode Feature History for Multiple Context Mode
Feature History for Multiple Context Mode
Table 5-5 lists each feature change and the platform release in which it was implemented.
Table 5-5 Feature History for Multiple Context Mode
Feature Name: Multiple security contexts. Platform Releases: 7.0(1). Feature Information: Multiple context mode was introduced. We introduced the following commands: context, mode, and class.
Feature Name: Automatic MAC address assignment. Platform Releases: 7.
-
Chapter 5 Configuring Multiple Context Mode Feature History for Multiple Context Mode
Table 5-5 Feature History for Multiple Context Mode (continued)
Feature Name: Maximum contexts increased for the ASA 5550 and 5580. Platform Releases: 8.4(1). Feature Information: The maximum security contexts for the ASA 5550 was increased from 50 to 100. The maximum for the ASA 5580 was increased from 50 to 250.
Feature Name: Automatic generation of a MAC address prefix. Platform Releases: 8.
-
PART 3 Configuring Interfaces
-
-
CHAPTER 6 Starting Interface Configuration (ASA 5510 and Higher)
This chapter includes tasks for starting your interface configuration for the ASA 5510 and higher, including configuring Ethernet settings, redundant interfaces, and EtherChannels.
Note: For ASA 5505 configuration, see Chapter 7, “Starting Interface Configuration (ASA 5505).” For multiple context mode, complete all tasks in this section in the system execution space.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Information About Starting ASA 5510 and Higher Interface Configuration Auto-MDI/MDIX Feature For RJ-45 interfaces on the ASA 5500 series, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Information About Starting ASA 5510 and Higher Interface Configuration
Table 6-1 Management Interfaces Per Model
Model       Configurable for Through Traffic1   Management 0/02   Management 0/1   Management 1/0   Management 1/1
ASA 5520    Yes                                 Yes               No               No               No
ASA 5540    Yes                                 Yes               No               No               No
ASA 5550    Yes                                 Yes               No               No               No
ASA 5580    Yes                                 Yes               Yes              No               No
ASA 5512-X  No                                  Yes               No               No               No
ASA 5515-X  No                                  Yes               No               No               No
ASA 5525-X  No                                  Yes               No               No
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Information About Starting ASA 5510 and Higher Interface Configuration For 8.4(1) and later, the management interface is not part of a normal bridge group. Note that for operational purposes, it is part of a non-configurable bridge group.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Information About Starting ASA 5510 and Higher Interface Configuration EtherChannels An 802.3ad EtherChannel is a logical interface (called a port-channel interface) consisting of a bundle of individual Ethernet links (a channel group) so that you increase the bandwidth for a single network. A port channel interface is used in the same way as a physical interface when you configure interface-related features.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Information About Starting ASA 5510 and Higher Interface Configuration
Figure 6-1 Connecting to a VSS
[Figure: the ASA interfaces gig0/0 and gig0/1 connect to VSS Switch 1 (gig3/5) and Switch 2 (gig6/5); labels port-channel 1 and port-channel 2.]
If you use the ASA in an Active/Standby failover deployment, then you need to create separate EtherChannels on the switches in the VSS, one for each ASA (see Figure 6-1). On each ASA, a single EtherChannel connects to both switches.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Information About Starting ASA 5510 and Higher Interface Configuration • On—The EtherChannel is always on, and LACP is not used. An “on” EtherChannel can only establish a connection with another “on” EtherChannel. LACP coordinates the automatic addition and deletion of links to the EtherChannel without user intervention.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Licensing Requirements for ASA 5510 and Higher Interfaces to interfaces, including an EtherChannel port interface. We recommend manually, or in multiple context mode, automatically configuring a unique MAC address in case the group channel interface membership changes.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Guidelines and Limitations
Model: ASA 5515-X. License Requirement: VLANs: Base License: 100. Interfaces of all types1: Base License: 528.
Model: ASA 5525-X. License Requirement: VLANs: Base License: 200. Interfaces of all types1: Base License: 928.
Model: ASA 5545-X. License Requirement: VLANs: Base License: 300. Interfaces of all types1: Base License: 1328.
Model: ASA 5555-X. License Requirement: VLANs: Base License: 500. Interfaces of all types1: Base License: 2128.
Model: ASA 5585-X. License Requirement: VLANs: Base License: 1024. Interface Speed for SS
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Guidelines and Limitations
Firewall Mode Guidelines
• For transparent mode, you can configure up to eight bridge groups per context or for a single mode device.
• Each bridge group can include up to four interfaces.
• For multiple context, transparent mode, each context must use different interfaces; you cannot share an interface across contexts.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Default Settings
• All interfaces in the channel group must be the same type and speed. The first interface added to the channel group determines the correct type and speed.
• The device to which you connect the ASA 5500 EtherChannel must also support 802.3ad EtherChannels; for example, you can connect to the Catalyst 6500 switch.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher) Default Connector Type The ASA 5550 (slot 1) and the 4GE SSM for the ASA 5510 and higher ASA include two connector types: copper RJ-45 and fiber SFP. RJ-45 is the default. You can configure the ASA to use the fiber SFP connectors.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher)
Note: You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.
Step 5 (Optional) Configure VLAN subinterfaces. See the “Configuring VLAN Subinterfaces and 802.1Q Trunking” section on page 6-30.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher)
• Clearing the running configuration and immediately applying a new configuration will minimize the downtime of your interfaces. You will not be waiting to configure the interfaces in real time.
Step 1 Connect to the ASA; if you are using failover, connect to the active ASA.
Step 2 If you are using failover, disable failover by entering the no failover command.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher)
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif mgmt
security-level 100
ip address 10.1.1.5 255.255.255.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher)
interface redundant 1
nameif outside
security-level 0
ip address 10.86.194.225 255.255.255.0
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/2
interface redundant 2
nameif inside
security-level 100
ip address 192.168.1.3 255.255.255.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher)
channel-group 3 mode active
shutdown
no nameif
no security-level
no ip address
...
Step 7 Enable each formerly unused interface that is now part of a logical interface by adding no in front of the shutdown command.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher)
!
interface port-channel 2
nameif inside
security-level 100
ip address 192.168.1.3 255.255.255.0
!
interface port-channel 3
nameif mgmt
security-level 100
ip address 10.1.1.5 255.255.255.0
Note: Other optional EtherChannel parameters can be configured after you import the new configuration. See the “Configuring an EtherChannel” section on page 6-27.
Step 8
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher)
• Changing your configuration offline lets you use the same interface names for your new logical interfaces, so you do not need to touch the feature configurations that refer to interface names. You only need to change the interface configuration.
• Clearing the running system configuration and immediately applying a new configuration will minimize the downtime of your interfaces.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher)
ip address 192.168.1.3 255.255.255.0
no shutdown
!
interface mgmt
nameif mgmt
security-level 100
ip address 10.1.1.5 255.255.255.0
management-only
CustomerB Context
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.20.15.5 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.6.78 255.255.255.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher)
interface GigabitEthernet0/4
channel-group 2 mode active
no shutdown
!
interface GigabitEthernet0/5
channel-group 2 mode active
no shutdown
!
interface Management0/0
channel-group 3 mode active
no shutdown
!
interface Management0/1
channel-group 3 mode active
no shutdown
!
interface port-channel 1
interface port-channel 2
interface port-channel 3
Step 6 Change the interface allocation
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher)
interface port-channel3
nameif mgmt
security-level 100
ip address 10.8.1.8 255.255.255.0
management-only
Step 8 Copy the new context configuration files over the old ones. For example, if your contexts are on an FTP server, copy over the existing files (making backups as desired) using FTP.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher)
Prerequisites
For multiple context mode, complete this procedure in the system execution space. To change from the context to the system execution space, enter the changeto system command.
Detailed Steps
Step 1
Command: interface physical_interface
Purpose: Specifies the interface you want to configure.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher) Step 5 Command Purpose (Optional) Enables pause (XOFF) frames for flow control on 1-Gigabit and 10-Gigabit Ethernet interfaces.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher) • For single context mode, complete the interface configuration. See Chapter 8, “Completing Interface Configuration (Routed Mode),” or Chapter 9, “Completing Interface Configuration (Transparent Mode).” Configuring a Redundant Interface A logical redundant interface consists of a pair of physical interfaces: an active and a standby interface.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher)
Detailed Steps
Step 1
Command: interface redundant number
Purpose: Adds the logical redundant interface, where the number argument is an integer between 1 and 8.
Example:
hostname(config)# interface redundant 1
Note: You need to add at least one member interface to the redundant interface before you can configure logical parameters for it such as a name.
Step 2
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher) Changing the Active Interface By default, the active interface is the first interface listed in the configuration, if it is available.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher)
Caution: If you are using a physical interface already in your configuration, removing the name will clear any configuration that refers to the interface.
Detailed Steps
Step 1
Command: interface physical_interface
Purpose: Specifies the interface you want to add to the channel group, where the physical_interface ID includes the type, slot, and port number as type[slot/]port.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher)
What to Do Next
Optional Tasks:
• Customize the EtherChannel interface. See the “Customizing the EtherChannel” section on page 6-29.
• Configure VLAN subinterfaces. See the “Configuring VLAN Subinterfaces and 802.1Q Trunking” section on page 6-30.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher)
Step 4
Command: port-channel load-balance {dst-ip | dst-ip-port | dst-mac | dst-port | src-dst-ip | src-dst-ip-port | src-dst-mac | src-dst-port | src-ip | src-ip-port | src-mac | src-port | vlan-dst-ip | vlan-dst-ip-port | vlan-only | vlan-src-dst-ip | vlan-src-dst-ip-port | vlan-src-ip | vlan-src-ip-port}
Purpose: Configures the load-balancing algorithm.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher) Guidelines and Limitations • Maximum subinterfaces—To determine how many VLAN subinterfaces are allowed for your platform, see the “Licensing Requirements for ASA 5510 and Higher Interfaces” section on page 6-8.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Starting Interface Configuration (ASA 5510 and Higher) What to Do Next (Optional) For the ASA 5580 and 5585-X, enable jumbo frame support according to the “Enabling Jumbo Frame Support (Supported Models)” section on page 6-32. Enabling Jumbo Frame Support (Supported Models) A jumbo frame is an Ethernet packet larger than the standard maximum of 1518 bytes (including Layer 2 header and FCS), up to 9216 bytes.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Monitoring Interfaces
Cryptochecksum: 718e3706 4edb11ea 69af58d0 0a6b7cb5
70291 bytes copied in 3.710 secs (23430 bytes/sec)
[OK]
hostname(config)# reload
Proceed with reload? [confirm] Y
Monitoring Interfaces
To monitor interfaces, enter one of the following commands:
Command: show interface. Purpose: Displays interface statistics.
Command: show interface ip brief. Purpose: Displays interface IP addresses and status.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Where to Go Next
interface gigabitethernet 0/1.1
vlan 101
no shutdown
Multiple Context Mode Example
The following example configures interface parameters in multiple context mode for the system configuration, and allocates the gigabitethernet 0/1.1 subinterface to contextA:
interface gigabitethernet 0/1
speed 1000
duplex full
no shutdown
interface gigabitethernet 0/1.1
vlan 101
context contextA
allocate-interface gigabitethernet 0/1.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Feature History for ASA 5510 and Higher Interfaces
Feature History for ASA 5510 and Higher Interfaces
Table 6-3 lists the release history for this feature.
Table 6-3 Feature History for Interfaces
Feature Name: Increased VLANs. Releases: 7.0(5). Feature Information: Increased the following limits:
• ASA5510 Base license VLANs from 0 to 10.
• ASA5510 Security Plus license VLANs from 10 to 25.
• ASA5520 VLANs from 25 to 100.
-
Chapter 6 Starting Interface Configuration (ASA 5510 and Higher) Feature History for ASA 5510 and Higher Interfaces
Table 6-3 Feature History for Interfaces (continued)
Feature Name: Support for Pause Frames for Flow Control on the ASA 5580 10-Gigabit Ethernet Interfaces. Releases: 8.2(2). Feature Information: You can now enable pause (XOFF) frames for flow control. This feature is also supported on the ASA 5585-X. We introduced the following command: flowcontrol.
-
CHAPTER 7 Starting Interface Configuration (ASA 5505)
This chapter includes tasks for starting your interface configuration for the ASA 5505, including creating VLAN interfaces and assigning them to switch ports. For ASA 5510 and higher configuration, see Chapter 6, “Starting Interface Configuration (ASA 5510 and Higher).”
• Feature History for ASA 5505 Interfaces, page 7-13
-
Chapter 7 Starting Interface Configuration (ASA 5505) Information About ASA 5505 Interfaces
Understanding ASA 5505 Ports and Interfaces
The ASA 5505 supports a built-in switch. There are two kinds of ports and interfaces that you need to configure:
• Physical switch ports—The ASA has 8 Fast Ethernet switch ports that forward traffic at Layer 2, using the switching function in hardware. Two of these ports are PoE ports. See the “Power over Ethernet” section on page 7-4 for more information.
-
Starting Interface Configuration (ASA 5505) Information About ASA 5505 Interfaces With the Base license in routed mode, the third VLAN can only be configured to initiate traffic to one other VLAN. See Figure 7-1 for an example network where the Home VLAN can communicate with the Internet, but cannot initiate contact with Business.
-
Chapter 7 Starting Interface Configuration (ASA 5505) Licensing Requirements for ASA 5505 Interfaces
VLAN MAC Addresses
• Routed firewall mode—All VLAN interfaces share a MAC address. Ensure that any connected switches can support this scenario. If the connected switches require unique MAC addresses, you can manually assign MAC addresses. See the “Configuring the MAC Address and MTU” section on page 8-9.
• Transparent firewall mode—Each VLAN has a unique MAC address.
-
Chapter 7 Starting Interface Configuration (ASA 5505) Guidelines and Limitations
Model: ASA 5505
License Requirement:
VLANs: Base License: 3 (2 regular zones and 1 restricted zone that can only communicate with 1 other zone). Security Plus License: 20.
VLAN Trunks: Base License: None. Security Plus License: 8.
Interfaces of all types1: Base License: 52. Security Plus License: 120.
1. The maximum number of combined interfaces; for example, VLANs, physical, redundant, and bridge group interfaces.
-
Chapter 7 Starting Interface Configuration (ASA 5505) Starting ASA 5505 Interface Configuration
Starting ASA 5505 Interface Configuration
This section includes the following topics:
• Task Flow for Starting Interface Configuration, page 7-6
• Configuring VLAN Interfaces, page 7-6
• Configuring and Enabling Switch Ports as Access Ports, page 7-7
• Configuring and Enabling Switch Ports as Trunk Ports, page 7-9
Task Flow for Starting Interface Configuration
To configure interfaces in single mode, pe
-
Chapter 7 Starting Interface Configuration (ASA 5505) Starting ASA 5505 Interface Configuration
Detailed Steps
Step 1
Command: interface vlan number
Purpose: Adds a VLAN interface, where the number is between 1 and 4090. To remove this VLAN interface and all associated configuration, enter the no interface vlan command.
Example:
hostname(config)# interface vlan 100
Step 2 (Optional for the Base license)
Command: no forward interface vlan number
-
Chapter 7 Starting Interface Configuration (ASA 5505) Starting ASA 5505 Interface Configuration
Caution: The ASA 5505 does not support Spanning Tree Protocol for loop detection in the network. Therefore you must ensure that any connection with the ASA does not end up in a network loop.
Detailed Steps
Step 1
Command: interface ethernet0/port
Purpose: Specifies the switch port you want to configure, where port is 0 through 7.
-
Chapter 7 Starting Interface Configuration (ASA 5505) Starting ASA 5505 Interface Configuration
What to Do Next
• If you want to configure a switch port as a trunk port, see the “Configuring and Enabling Switch Ports as Trunk Ports” section on page 7-9.
• To complete the interface configuration, see Chapter 8, “Completing Interface Configuration (Routed Mode),” or Chapter 9, “Completing Interface Configuration (Transparent Mode).”
-
Chapter 7 Starting Interface Configuration (ASA 5505) Starting ASA 5505 Interface Configuration
Command: switchport trunk native vlan vlan_id
Purpose: Assigns a native VLAN to the trunk, where the vlan_id is a single VLAN ID between 1 and 4090. Packets on the native VLAN are not modified when sent over the trunk. For example, if a port has VLANs 2, 3 and 4 assigned to it, and VLAN 2 is the native VLAN, then packets on VLAN 2 that egress the port are not modified with an 802.1Q header.
Example:
-
Chapter 7 Starting Interface Configuration (ASA 5505) Monitoring Interfaces
Monitoring Interfaces
To monitor interfaces, enter one of the following commands:
Command: show interface. Purpose: Displays interface statistics.
Command: show interface ip brief. Purpose: Displays interface IP addresses and status.
-
Chapter 7 Starting Interface Configuration (ASA 5505) Configuration Examples for ASA 5505 Interfaces
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 300
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/3
hostname(config-if)# switchport access vlan 400
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/4
hostname(config-if)# switchport access vlan 500
hostname(config-if)# no shutdown
-
Chapter 7 Starting Interface Configuration (ASA 5505) Where to Go Next
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport mode trunk
hostname(config-if)# switchport trunk allowed vlan 200-202
hostname(config-if)# switchport trunk native vlan 5
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 300
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/3
host
-
-
CHAPTER 8 Completing Interface Configuration (Routed Mode)
This chapter includes tasks to complete the interface configuration for all models in routed firewall mode.
-
Chapter 8 Completing Interface Configuration (Routed Mode) Licensing Requirements for Completing Interface Configuration in Routed Mode The level controls the following behavior: • Network access—By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface.
-
Chapter 8 Completing Interface Configuration (Routed Mode) Licensing Requirements for Completing Interface Configuration in Routed Mode
Model: ASA 5505
License Requirement:
VLANs: Base License: 3 (2 regular zones and 1 restricted zone that can only communicate with 1 other zone). Security Plus License: 20.
VLAN Trunks: Base License: None. Security Plus License: 8.
Interfaces of all types1: Base License: 52. Security Plus License: 120.
1.
-
Chapter 8 Completing Interface Configuration (Routed Mode) Licensing Requirements for Completing Interface Configuration in Routed Mode
Model: ASA 5580. License Requirement: VLANs: Base License: 1024. Interfaces of all types1: Base License: 4176.
Model: ASA 5512-X. License Requirement: VLANs: Base License: 50. Interfaces of all types1: Base License: 328.
Model: ASA 5515-X. License Requirement: VLANs: Base License: 100. Interfaces of all types1: Base License: 528.
Model: ASA 5525-X. License Requirement: VLANs: Base License: 200. Interfaces of all types1: Base License: 928.
Model: ASA 5545-X. License Requirement: VLANs:
-
Chapter 8 Completing Interface Configuration (Routed Mode) Guidelines and Limitations Guidelines and Limitations This section includes the guidelines and limitations for this feature. Context Mode Guidelines • For the ASA 5510 and higher in multiple context mode, configure the physical interfaces in the system execution space according to Chapter 6, “Starting Interface Configuration (ASA 5510 and Higher).
-
Chapter 8 Completing Interface Configuration (Routed Mode) Completing Interface Configuration in Routed Mode
• Task Flow for Completing Interface Configuration, page 8-6
• Configuring General Interface Parameters, page 8-6
• Configuring the MAC Address and MTU, page 8-9
• Configuring IPv6 Addressing, page 8-11
• Allowing Same Security Level Communication, page 8-15
Task Flow for Completing Interface Configuration
Step 1 Set up your interfaces depending on your model:
• ASA 5510 and higher—Cha
-
Chapter 8 Completing Interface Configuration (Routed Mode) Completing Interface Configuration in Routed Mode
• If you are using failover, do not use this procedure to name interfaces that you are reserving for failover and Stateful Failover communications. See the “Configuring Active/Standby Failover” section on page 62-7 or the “Configuring Active/Active Failover” section on page 63-8 to configure the failover and state links.
• PPPoE is not supported in multiple context mode.
-
Chapter 8 Completing Interface Configuration (Routed Mode) Completing Interface Configuration in Routed Mode
Command: ip address ip_address [mask] [standby ip_address]
Purpose: Sets the IP address manually. The ip_address and mask arguments set the interface IP address and subnet mask.
Note: For use with failover, you must set the IP address and standby address manually; DHCP and PPPoE are not supported.
Example:
hostname(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
-
Chapter 8 Completing Interface Configuration (Routed Mode) Completing Interface Configuration in Routed Mode hostname/contextA(config-if)# nameif outside hostname/contextA(config-if)# security-level 100 hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0 What to Do Next • (Optional) Configure the MAC address and the MTU. See the “Configuring the MAC Address and MTU” section on page 8-9. • (Optional) Configure IPv6 addressing. See the “Configuring IPv6 Addressing” section on page 8-11.
-
Chapter 8 Completing Interface Configuration (Routed Mode) Completing Interface Configuration in Routed Mode The ASA supports IP path MTU discovery (as defined in RFC 1191), which allows a host to dynamically discover and cope with the differences in the maximum allowable MTU size of the various links along the path. Sometimes, the ASA cannot forward a datagram because the packet is larger than the MTU that you set for the interface, but the “don't fragment” (DF) bit is set.
-
Chapter 8 Completing Interface Configuration (Routed Mode) Completing Interface Configuration in Routed Mode Detailed Steps Step 1 Command Purpose For the ASA 5510 and higher: If you are not already in interface configuration mode, enters interface configuration mode. interface {{redundant number | port-channel number | physical_interface}[.
-
Chapter 8 Completing Interface Configuration (Routed Mode) Completing Interface Configuration in Routed Mode • Information About IPv6, page 8-12 • Configuring a Global IPv6 Address and Other Options, page 8-13 Information About IPv6 This section includes information about how to configure IPv6, and includes the following topics: • IPv6 Addressing, page 8-12 • Duplicate Address Detection, page 8-12 • Modified EUI-64 Interface IDs, page 8-13 IPv6 Addressing You can configure two types of unicast
-
Chapter 8 Completing Interface Configuration (Routed Mode) Completing Interface Configuration in Routed Mode If the link-local address for an interface changes, duplicate address detection is performed on the new link-local address and all of the other IPv6 addresses associated with the interface are regenerated (duplicate address detection is performed only on the new link-local address). The ASA uses neighbor solicitation messages to perform duplicate address detection.
-
Chapter 8 Completing Interface Configuration (Routed Mode) Completing Interface Configuration in Routed Mode Detailed Steps Step 1 Command Purpose For the ASA 5510 and higher: If you are not already in interface configuration mode, enters interface configuration mode. interface {{redundant number | port-channel number | physical_interface}[.
-
Chapter 8 Completing Interface Configuration (Routed Mode) Completing Interface Configuration in Routed Mode Step 3 Command Purpose (Optional) Suppresses Router Advertisement messages on an interface. By default, Router Advertisement messages are automatically sent in response to router solicitation messages. You may want to disable these messages on any interface for which you do not want the ASA to supply the IPv6 prefix (for example, the outside interface).
-
Chapter 8 Completing Interface Configuration (Routed Mode) Monitoring Interfaces If you enable same security interface communication, you can still configure interfaces at different security levels as usual. Information About Intra-Interface Communication Intra-interface communication might be useful for VPN traffic that enters an interface, but is then routed out the same interface. The VPN traffic might be unencrypted in this case, or it might be reencrypted for another VPN connection.
-
Chapter 8 Completing Interface Configuration (Routed Mode) Feature History for Interfaces in Routed Mode
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address dhcp
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif business
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.
-
Chapter 8 Completing Interface Configuration (Routed Mode) Feature History for Interfaces in Routed Mode Table 8-1 Feature History for Interfaces (continued) Feature Name Releases Feature Information Gigabit Ethernet Support for the ASA 5510 Security Plus License 7.2(3) The ASA 5510 now supports GE (Gigabit Ethernet) for port 0 and 1 with the Security Plus license.
-
CHAPTER 9 Completing Interface Configuration (Transparent Mode) This chapter includes tasks to complete the interface configuration for all models in transparent firewall mode.
-
Chapter 9 Completing Interface Configuration (Transparent Mode) Licensing Requirements for Completing Interface Configuration in Transparent Mode to another bridge group in the ASA. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a syslog server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context.
-
Chapter 9 Completing Interface Configuration (Transparent Mode) Licensing Requirements for Completing Interface Configuration in Transparent Mode
Model / License Requirement:
ASA 5505: VLANs: Base License: 3 (2 regular zones and 1 restricted zone that can only communicate with 1 other zone). Security Plus License: 20. VLAN Trunks: Base License: None. Security Plus License: 8. Interfaces of all types (1): Base License: 52. Security Plus License: 120.
1.
-
Chapter 9 Completing Interface Configuration (Transparent Mode) Licensing Requirements for Completing Interface Configuration in Transparent Mode
Model / License Requirement:
ASA 5580: VLANs: Base License: 1024. Interfaces of all types (1): Base License: 4176.
ASA 5512-X: VLANs: Base License: 50. Interfaces of all types (1): Base License: 328.
ASA 5515-X: VLANs: Base License: 100. Interfaces of all types (1): Base License: 528.
ASA 5525-X: VLANs: Base License: 200. Interfaces of all types (1): Base License: 928.
ASA 5545
-
Chapter 9 Completing Interface Configuration (Transparent Mode) Guidelines and Limitations Guidelines and Limitations This section includes the guidelines and limitations for this feature. Context Mode Guidelines • For the ASA 5510 and higher in multiple context mode, configure the physical interfaces in the system execution space according to Chapter 6, “Starting Interface Configuration (ASA 5510 and Higher).
-
Chapter 9 Completing Interface Configuration (Transparent Mode) Default Settings Failover Guidelines Do not finish configuring failover interfaces with the procedures in this chapter. See the “Configuring Active/Standby Failover” section on page 62-7 or the “Configuring Active/Active Failover” section on page 63-8 to configure the failover and state links. In multiple context mode, failover interfaces are configured in the system configuration. IPv6 Guidelines • Supports IPv6.
-
Chapter 9 Completing Interface Configuration (Transparent Mode) Completing Interface Configuration in Transparent Mode Step 2 (Multiple context mode) Allocate interfaces to the context according to the “Configuring Multiple Contexts” section on page 5-14. Step 3 (Multiple context mode) Enter the changeto context name command to change to the context you want to configure. Configure one or more bridge groups, including the IPv4 address. See the “Configuring Bridge Groups” section on page 9-7.
-
Chapter 9 Completing Interface Configuration (Transparent Mode) Completing Interface Configuration in Transparent Mode Detailed Steps Step 1 Command Purpose interface bvi bridge_group_number Creates a bridge group, where bridge_group_number is an integer between 1 and 100. Example: hostname(config)# interface bvi 1 Step 2 ip address ip_address [mask] [standby ip_address] Example: hostname(config-if)# ip address 10.1.3.1 255.255.255.0 standby 10.1.3.
-
Chapter 9 Completing Interface Configuration (Transparent Mode) Completing Interface Configuration in Transparent Mode For the ASA 5505, you must configure interface parameters for the following interface types: • VLAN interfaces Guidelines and Limitations • You can configure up to four interfaces per bridge group.
-
Chapter 9 Completing Interface Configuration (Transparent Mode) Completing Interface Configuration in Transparent Mode Detailed Steps Step 1 Command Purpose For the ASA 5510 and higher: If you are not already in interface configuration mode, enters interface configuration mode. interface {{redundant number | port-channel number | physical_interface}[.
-
Chapter 9 Completing Interface Configuration (Transparent Mode) Completing Interface Configuration in Transparent Mode Configuring a Management Interface (ASA 5510 and Higher) You can configure one management interface separate from the bridge group interfaces in single mode or per context. For more information, see the “Management Interface” section on page 6-2. Restrictions • See the “Management Interface” section on page 6-2.
-
Chapter 9 Completing Interface Configuration (Transparent Mode) Completing Interface Configuration in Transparent Mode Step 3 Command Purpose Do one of the following: ip address ip_address [mask] [standby ip_address] Sets the IP address manually. Note: For use with failover, you must set the IP address and standby address manually; DHCP is not supported. Example: hostname(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.
-
Chapter 9 Completing Interface Configuration (Transparent Mode) Completing Interface Configuration in Transparent Mode For an EtherChannel, all interfaces that are part of the channel group share the same MAC address. This feature makes the EtherChannel transparent to network applications and users, because they only see the one logical connection; they have no knowledge of the individual links.
-
Chapter 9 Completing Interface Configuration (Transparent Mode) Completing Interface Configuration in Transparent Mode • In multiple context mode, complete this procedure in the context execution space. To change from the system to a context configuration, enter the changeto context name command. Detailed Steps Step 1 Command Purpose For the ASA 5510 and higher: If you are not already in interface configuration mode, enters interface configuration mode.
-
Chapter 9 Completing Interface Configuration (Transparent Mode) Completing Interface Configuration in Transparent Mode Configuring IPv6 Addressing This section describes how to configure IPv6 addressing. For more information about IPv6, see the “Information About IPv6 Support” section on page 21-9 and the “IPv6 Addresses” section on page B-5.
-
Chapter 9 Completing Interface Configuration (Transparent Mode) Completing Interface Configuration in Transparent Mode Duplicate address detection is suspended on interfaces that are administratively down. While an interface is administratively down, the unicast IPv6 addresses assigned to the interface are set to a pending state. An interface returning to an administratively up state restarts duplicate address detection for all of the unicast IPv6 addresses on the interface.
-
Chapter 9 Completing Interface Configuration (Transparent Mode) Completing Interface Configuration in Transparent Mode Configuring a Global IPv6 Address and Other Options To configure a global IPv6 address and other options for a bridge group or management interface, perform the following steps. Note Configuring the global address automatically configures the link-local address, so you do not need to configure it separately. Restrictions The ASA does not support IPv6 anycast addresses.
-
Chapter 9 Completing Interface Configuration (Transparent Mode) Completing Interface Configuration in Transparent Mode Step 3 Command Purpose (Optional) Suppresses Router Advertisement messages on an interface. By default, Router Advertisement messages are automatically sent in response to router solicitation messages. You may want to disable these messages on any interface for which you do not want the ASA to supply the IPv6 prefix (for example, the outside interface).
-
Chapter 9 Completing Interface Configuration (Transparent Mode) Monitoring Interfaces Detailed Steps Command Purpose same-security-traffic permit inter-interface Enables interfaces on the same security level so that they can communicate with each other. Monitoring Interfaces To monitor interfaces, enter one of the following commands: Command Purpose show interface Displays interface statistics. show interface ip brief Displays interface IP addresses and status.
-
Chapter 9 Completing Interface Configuration (Transparent Mode) Feature History for Interfaces in Transparent Mode
no shutdown
interface bvi 2
ip address 10.3.5.8 255.255.255.0 standby 10.3.5.9
interface management 0/0
nameif mgmt
security-level 100
ip address 10.2.1.1 255.255.255.0 standby 10.2.1.2
no shutdown
Feature History for Interfaces in Transparent Mode Table 9-1 lists each feature change and the platform release in which it was implemented.
-
Chapter 9 Completing Interface Configuration (Transparent Mode) Feature History for Interfaces in Transparent Mode Table 9-1 Feature History for Interfaces in Transparent Mode (continued) Feature Name Platform Releases Native VLAN support for the ASA 5505 7.2(4)/8.0(4) Feature Information You can now include the native VLAN in an ASA 5505 trunk port. We introduced the following command: switchport trunk native vlan. Jumbo packet support for the ASA 5580 8.
-
PART 4 Configuring Basic Settings
-
CHAPTER 10 Configuring Basic Settings This chapter describes how to configure basic settings on your ASA that are typically required for a functioning configuration.
-
Chapter 10 Configuring Basic Settings Configuring the Hostname, Domain Name, and Passwords Changing the Enable Password To change the enable password, enter the following command: Command Purpose enable password password Changes the enable password, which lets you enter privileged EXEC mode. By default, the enable password is blank. The password argument is a case-sensitive password of up to 16 alphanumeric and special characters.
-
Chapter 10 Configuring Basic Settings Setting the Date and Time Setting the Domain Name To set the domain name, enter the following command: Command Purpose domain-name name Specifies the domain name for the ASA. Example: hostname(config)# domain-name example.com The ASA appends the domain name as a suffix to unqualified names. For example, if you set the domain name to “example.com,” and specify a syslog server by the unqualified name of “jupiter,” then the ASA qualifies the name to “jupiter.
-
Chapter 10 Configuring Basic Settings Setting the Date and Time Command Purpose clock summer-time zone date {day month | month day} year hh:mm {day month | month day} year hh:mm [offset] Sets the start and end dates for daylight saving time as a specific date in a specific year. If you use this command, you need to reset the dates every year. The zone value specifies the time zone as a string, for example, PDT for Pacific Daylight Time. The day value sets the day of the month, from 1 to 31.
-
Chapter 10 Configuring Basic Settings Setting the Date and Time Step 2 ntp trusted-key key_id Specifies an authentication key ID to be a trusted key, which is required for authentication with an NTP server. The key_id argument is a value between 1 and 4294967295. You can enter multiple trusted keys for use with multiple servers. Example: hostname(config)# ntp trusted-key 1 Step 3 ntp authentication-key key_id md5 key Sets a key to authenticate with an NTP server.
-
Chapter 10 Configuring Basic Settings Configuring the Master Passphrase Setting the Date and Time Manually To set the date and time manually, perform the following steps: Detailed Steps Command Purpose clock set hh:mm:ss {month day | day month} year Sets the date and time manually. The hh:mm:ss argument sets the hour, minutes, and seconds in 24-hour time. For example, enter 20:54:00 for 8:54 pm. The day value sets the day of the month, from 1 to 31. Example: hostname# clock set 20:54:00 april 1 2004
-
Chapter 10 Configuring Basic Settings Configuring the Master Passphrase • EIGRP • VPN load balancing • VPN (remote access and site-to-site) • Failover • AAA servers • Logging • Shared licenses Licensing Requirements for the Master Passphrase Model License Requirement All models Base License. Guidelines and Limitations This section includes the guidelines and limitations for this feature. Context Mode Guidelines Supported in single and multiple context mode.
-
Chapter 10 Configuring Basic Settings Configuring the Master Passphrase Detailed Steps Step 1 Command Purpose key config-key password-encryption [new_passphrase [old_passphrase]] Sets the passphrase used for generating the encryption key. The passphrase must be between 8 and 128 characters long. All characters except a back space and double quotes are accepted for the passphrase.
-
Chapter 10 Configuring Basic Settings Configuring the Master Passphrase Examples In the following configuration example, no previous key is present:
hostname (config)# key config-key password-encryption 12345678
In the following configuration example, a key already exists:
hostname (config)# key config-key password-encryption 23456789
Old key: 12345678
hostname (config)#
In the following configuration example, you want to key in interactively, but a key already exists.
-
Chapter 10 Configuring Basic Settings Configuring the Master Passphrase Detailed Steps Step 1 Command Purpose no key config-key password-encryption [old_passphrase] Removes the master passphrase. If you do not enter the passphrase in the command, you are prompted for it. Example:
hostname(config)# no key config-key password-encryption
Warning! You have chosen to revert the encrypted passwords to plain text.
-
Chapter 10 Configuring Basic Settings Configuring the DNS Server Feature History for the Master Passphrase Table 10-1 lists each feature change and the platform release in which it was implemented. Table 10-1 Feature History for the Master Passphrase Feature Name Platform Releases Feature Information Master Passphrase 8.3(1) This feature was introduced.
-
Chapter 10 Configuring Basic Settings Monitoring DNS Cache Step 2 dns server-group DefaultDNS Specifies the DNS server group that the ASA uses for outgoing requests. Other DNS server groups can be configured for VPN tunnel groups. See the tunnel-group command in the command reference for more information. Example: hostname(config)# dns server-group DefaultDNS Step 3 name-server ip_address [ip_address2] [...] [ip_address6] Specifies one or more DNS servers.
-
CHAPTER 11 Configuring DHCP This chapter describes how to configure the DHCP server and includes the following sections: • Information About DHCP, page 11-1 • Licensing Requirements for DHCP, page 11-1 • Guidelines and Limitations, page 11-2 • Configuring a DHCP Server, page 11-2 • Configuring DHCP Relay Services, page 11-7 • DHCP Monitoring Commands, page 11-8 • Feature History for DHCP, page 11-8 Information About DHCP DHCP provides network configuration parameters, such as IP addres
-
Chapter 11 Configuring DHCP Guidelines and Limitations Note By default, the ASA 5505 ships with a 10-user license. Guidelines and Limitations Use the following guidelines to configure the DHCP server: • You can configure a DHCP server on each interface of the ASA. Each interface can have its own pool of addresses to draw from.
-
Chapter 11 Configuring DHCP Configuring a DHCP Server Enabling the DHCP Server The ASA can act as a DHCP server. DHCP is a protocol that provides network settings to hosts, including the host IP address, the default gateway, and a DNS server. Note The ASA DHCP server does not support BOOTP requests. In multiple context mode, you cannot enable the DHCP server or DHCP relay on an interface that is used by more than one context.
-
Chapter 11 Configuring DHCP Configuring a DHCP Server Step 7 Command Purpose dhcpd option 3 ip gateway_ip Defines a default gateway that is sent to DHCP clients. If you do not use the dhcpd option 3 command to define the default gateway, DHCP clients use the IP address of the management interface. As a result, the DHCP ACK does not include this option. The management interface does not route traffic. Example: hostname(config)# dhcpd option 3 ip 10.10.1.
-
Chapter 11 Configuring DHCP Configuring a DHCP Server Options that Return a Hexadecimal Value Command Purpose dhcpd option code hex value Configures a DHCP option that returns a hexadecimal value. Example: hostname(config)# dhcpd option 2 hex 22.0011.01.FF1111.00FF.0000.AAAA.1111.1111.1111.11 Note: The ASA does not verify that the option type and value that you provide match the expected type and value for the option code as defined in RFC 2132.
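Because the ASA does not check the hex value against RFC 2132, that check has to happen before the line reaches the device. The following Python helper is an added example (not Cisco code): it decodes the dotted-hex notation used by dhcpd option ... hex and reports length mismatches for the options it knows; its option table is a constructed subset of RFC 2132, and the rule that every dot-separated group holds whole bytes is an assumption.

```python
import re
from ipaddress import IPv4Address

# Expected payload lengths from RFC 2132 for a few fixed-length options.
# Constructed subset for this example, not a complete table.
RFC2132_FIXED_LENGTH = {
    2: 4,    # Time Offset (signed 32-bit seconds from UTC)
    13: 2,   # Boot File Size (16-bit, in 512-byte blocks)
    23: 1,   # Default IP Time-to-live
    28: 4,   # Broadcast Address
    51: 4,   # IP Address Lease Time
}
# Options carrying one or more IPv4 addresses: length must be a non-zero multiple of 4.
RFC2132_IPV4_LISTS = {3, 6, 42}  # Router, Domain Name Server, NTP Servers

_HEX_GROUP = re.compile(r"^[0-9A-Fa-f]+$")


def parse_dotted_hex(value: str) -> bytes:
    """Decode the ASA dotted-hex notation (e.g. '22.0011.01.FF1111') into bytes.

    Assumption (not stated by the guide): every dot-separated group must be a
    whole number of bytes, i.e. an even count of hex digits.
    """
    out = bytearray()
    for group in value.split("."):
        if not _HEX_GROUP.match(group):
            raise ValueError(f"bad hex group {group!r} in {value!r}")
        if len(group) % 2:
            raise ValueError(f"hex group {group!r} is not a whole number of bytes")
        out += bytes.fromhex(group)
    return bytes(out)


def to_dotted_hex(data: bytes, group_bytes: int = 2) -> str:
    """Encode bytes in the dotted-hex form accepted by 'dhcpd option <code> hex'."""
    digits = data.hex().upper()
    step = group_bytes * 2
    return ".".join(digits[i:i + step] for i in range(0, len(digits), step))


def check_option(code: int, value: str) -> list[str]:
    """Return the RFC 2132 consistency problems for a 'dhcpd option <code> hex <value>' line.

    An empty list means the value is at least length-consistent with RFC 2132;
    the ASA itself performs none of these checks.
    """
    problems: list[str] = []
    try:
        data = parse_dotted_hex(value)
    except ValueError as exc:
        return [str(exc)]
    # A DHCP option has a one-byte length field, so the payload cannot exceed 255 bytes.
    if len(data) > 255:
        problems.append(f"option {code}: payload is {len(data)} bytes, maximum is 255")
    expected = RFC2132_FIXED_LENGTH.get(code)
    if expected is not None and len(data) != expected:
        problems.append(
            f"option {code}: RFC 2132 expects {expected} bytes, value carries {len(data)}"
        )
    if code in RFC2132_IPV4_LISTS and (len(data) == 0 or len(data) % 4):
        problems.append(f"option {code}: expected a list of IPv4 addresses (multiple of 4 bytes)")
    return problems


def dhcpd_option_line(code: int, data: bytes) -> str:
    """Build a correctly encoded 'dhcpd option <code> hex' configuration line."""
    return f"dhcpd option {code} hex {to_dotted_hex(data)}"


if __name__ == "__main__":
    # The guide's own example value, assigned to option 2 (Time Offset): 20 bytes, not 4.
    guide_value = "22.0011.01.FF1111.00FF.0000.AAAA.1111.1111.1111.11"
    for problem in check_option(2, guide_value):
        print(problem)
    # A value that does satisfy RFC 2132: -3600 seconds as a signed 32-bit integer.
    print(dhcpd_option_line(2, (-3600).to_bytes(4, "big", signed=True)))
    # Option 3 (router) for 10.10.1.1, the gateway address used elsewhere in this chapter.
    print(dhcpd_option_line(3, IPv4Address("10.10.1.1").packed))
```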
-
Chapter 11 Configuring DHCP Configuring a DHCP Server Using Cisco IP Phones with a DHCP Server Enterprises with small branch offices that implement a Cisco IP Telephony Voice over IP solution typically implement Cisco CallManager at a central office to control Cisco IP Phones at small branch offices. This implementation allows centralized call processing, reduces the equipment required, and eliminates the administration of additional Cisco CallManager and other servers at branch offices.
-
Chapter 11 Configuring DHCP Configuring DHCP Relay Services Command Purpose dhcpd option 3 ip router_ip1 Sets the default route. Example: hostname(config)# dhcpd option 3 ip 10.10.1.1 Configuring DHCP Relay Services A DHCP relay agent allows the ASA to forward DHCP requests from clients to a router connected to a different interface. Note: The following restrictions apply to the use of the DHCP relay agent: • The relay agent cannot be enabled if the DHCP server feature is also enabled.
-
Chapter 11 Configuring DHCP DHCP Monitoring Commands Step 3 Command Purpose dhcprelay timeout seconds (Optional) Sets the number of seconds allowed for relay address negotiation. Example: hostname(config)# dhcprelay timeout 25 Step 4 dhcprelay setroute interface_name (Optional) Changes the first default router address in the packet sent from the DHCP server to the address of the ASA interface.
-
CHAPTER 12 Configuring Dynamic DNS This chapter describes how to configure DDNS update methods and includes the following topics: • Information About DDNS, page 12-1 • Licensing Requirements for DDNS, page 12-2 • Guidelines and Limitations, page 12-2 • Configuring DDNS, page 12-2 • Configuration Examples for DDNS, page 12-3 • DDNS Monitoring Commands, page 12-6 • Feature History for DDNS, page 12-6 Information About DDNS DDNS update integrates DNS with DHCP.
-
Chapter 12 Configuring Dynamic DNS Licensing Requirements for DDNS Licensing Requirements for DDNS The following table shows the licensing requirements for DDNS: Model License Requirement All models Base License. Guidelines and Limitations Failover Guidelines Supports Active/Active and Active/Standby failover. Firewall Mode Guidelines Supported in routed firewall mode. Context Mode Guidelines Supported in single and multiple context modes. Supported in transparent mode for the DNS Client pane.
-
Chapter 12 Configuring Dynamic DNS Configuration Examples for DDNS In general, the DHCP server maintains DNS PTR RRs on behalf of clients. Clients may be configured to perform all desired DNS updates. The server may be configured to honor these updates or not. To update the PTR RR, the DHCP server must know the FQDN of the client. The client provides an FQDN to the server using a DHCP option called Client FQDN.
-
Chapter 12 Configuring Dynamic DNS Configuration Examples for DDNS Step 1 To configure the DHCP client to request that the DHCP server perform no updates, enter the following command: hostname(config)# dhcp-client update dns server none Step 2 To create a DDNS update method named ddns-2 on the DHCP client that requests that the client perform both A and PTR updates, enter the following commands: hostname(config)# ddns update method ddns-2 hostname(DDNS-update-method)# ddns both Step 3 To associate t
-
Chapter 12 Configuring Dynamic DNS Configuration Examples for DDNS Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR Only; Honors Client Request and Updates Both A and PTR RR The following example shows how to configure the server to perform only PTR RR updates by default. However, the server honors the client request that it perform both A and PTR updates. The server also forms the FQDN by appending the domain name (example.
-
Chapter 12 Configuring Dynamic DNS DDNS Monitoring Commands DDNS Monitoring Commands To monitor DDNS, enter one of the following commands: Command Purpose show running-config ddns Shows the current DDNS configuration. show running-config dns server-group Shows the current DNS server group status. Feature History for DDNS Table 12-1 lists each feature change and the platform release in which it was implemented.
-
PART 5 Configuring Objects and Access Lists
-
CHAPTER 13 Configuring Objects Objects are reusable components for use in your configuration. They can be defined and used in ASA configurations in the place of inline IP addresses. Objects make it easy to maintain your configurations because you can modify an object in one place and have it be reflected in all other places that are referencing it. Without objects you would have to modify the parameters for every feature when required, instead of just once.
-
Chapter 13 Configuring Objects Configuring Objects and Groups • Information About Object Groups, page 13-2 Information About Objects Objects are created in and used by the ASA in the place of an inline IP address in any given configuration. You can define an object with a particular IP address and netmask pair or a protocol (and, optionally, a port) and use this object in several configurations.
-
Chapter 13 Configuring Objects Configuring Objects and Groups Guidelines and Limitations for Objects and Groups This section includes the guidelines and limitations for this feature. Context Mode Guidelines Supported in single and multiple context mode. Firewall Mode Guidelines Supported in routed and transparent firewall modes. IPv6 Guidelines Supports IPv6, with limitations. (See the “Additional Guidelines and Limitations” section on page 13-3.
-
Chapter 13 Configuring Objects Configuring Objects and Groups Detailed Steps Step 1 Command Purpose object network obj_name Creates a new network object. The obj_name is a text string up to 64 characters in length and can be any combination of letters, digits, and the following characters: • underscore “_” • dash “-” • period “.” The prompt changes to network object configuration mode. Example: hostname(config)# object network OBJECT1
-
Chapter 13 Configuring Objects Configuring Objects and Groups Detailed Steps Step 1 Command Purpose object service obj_name Creates a new service object. The obj_name is a text string up to 64 characters in length and can be any combination of letters, digits, and the following characters: • underscore “_” • dash “-” • period “.” The prompt changes to service object configuration mode. Example: hostname(config)# object service SERVOBJECT1
-
Chapter 13 Configuring Objects Configuring Objects and Groups Configuring Object Groups This section includes the following topics: • Adding a Protocol Object Group, page 13-6 • Adding a Network Object Group, page 13-7 • Adding a Service Object Group, page 13-8 • Adding an ICMP Type Object Group, page 13-9 • Nesting Object Groups, page 13-10 • Removing Object Groups, page 13-11 Adding a Protocol Object Group To add or change a protocol object group, perform the steps in this section.
-
Chapter 13 Configuring Objects Configuring Objects and Groups hostname (config-protocol)# protocol-object icmp Adding a Network Object Group A network object group supports IPv4 and IPv6 addresses. To add or change a network object group, perform the steps in this section. After you add the group, you can add more objects as required by following this procedure again for the same group name and specifying additional objects.
-
Chapter 13 Configuring Objects Configuring Objects and Groups Adding a Service Object Group To add or change a service object group, perform the steps in this section. After you add the group, you can add more objects as required by following this procedure again for the same group name and specifying additional objects. You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.
-
Chapter 13 Configuring Objects Configuring Objects and Groups hostname (config-service)# port-object eq radius-acct hostname (config)# object-group service services3 tcp hostname (config-service)# description LDAP Group hostname (config-service)# port-object eq ldap Adding an ICMP Type Object Group To add or change an ICMP type object group, perform the steps in this section.
-
Chapter 13 Configuring Objects Configuring Objects and Groups Nesting Object Groups You can nest object groups hierarchically so that one object group can contain other object groups of the same type and you can mix and match nested group objects and regular objects within an object group. The ASA does not support IPv6 nested object groups, however, so you cannot group an object with IPv6 entities under another IPv6 object-group.
-
Chapter 13 Configuring Objects Configuring Objects and Groups You only need to specify the admin object group in your ACE as follows: hostname (config)# access-list ACL_IN extended permit ip object-group admin host 209.165.201.29 Removing Object Groups You can remove a specific object group or remove all object groups of a specified type; however, you cannot remove an object group or make an object group empty if it is used in an access list.
-
Chapter 13 Configuring Objects Configuring Regular Expressions Feature History for Objects and Groups Table 1 lists each feature change and the platform release in which it was implemented. Table 1 Feature History for Object Groups Feature Name Releases Feature Information Object groups 7.0(1) Object groups simplify access list creation and maintenance. We introduced or modified the following commands: object-group protocol, object-group network, object-group service, object-group icmp_type.
-
Chapter 13 Configuring Objects Configuring Regular Expressions Table 13-2 lists the metacharacters that have special meanings.
Table 13-2 regex Metacharacters (Character / Description / Notes):
. (Dot): Matches any single character. For example, d.g matches dog, dag, dtg, and any word that contains those characters, such as doggonnit.
(exp) (Subexpression): A subexpression segregates characters from surrounding characters, so that you can use other metacharacters on the subexpression.
-
Chapter 13 Configuring Objects Configuring Regular Expressions Table 13-2 regex Metacharacters (continued)
\ (Escape character): When used with a metacharacter, matches a literal character. For example, \[ matches the left square bracket.
char (Character): When character is not a metacharacter, matches the literal character.
\r (Carriage return): Matches a carriage return 0x0d.
\n (Newline): Matches a new line 0x0a.
\t (Tab): Matches a tab 0x09.
-
Chapter 13 Configuring Objects Configuring Regular Expressions hostname(config)# regex url_example2 example2\.com Creating a Regular Expression Class Map A regular expression class map identifies one or more regular expressions. You can use a regular expression class map to match the content of certain traffic; for example, you can match URL strings inside HTTP packets. Detailed Steps Step 1 Create one or more regular expressions according to the “Configuring Regular Expressions” section.
-
Scheduling Extended Access List Activation

This section includes the following topics:

• Information About Scheduling Access List Activation, page 13-16
• Licensing Requirements for Scheduling Access List Activation, page 13-16
• Guidelines and Limitations for Scheduling Access List Activation, page 13-16
• Configuring and Applying Time Ranges, page 13-17
• Configuration Examples for Scheduling Access List Activation, page
-
Additional Guidelines and Limitations

The following guidelines and limitations apply to using object groups with access lists:

• Users could experience a delay of approximately 80 to 100 seconds after the specified end time for the ACL to become inactive. For example, if the specified end time is 3:50, because the end time is inclusive, the command is picked up anywhere between 3:51:00 and 3:51:59.
-
Step 3

Command: absolute start time date [end time date]

Example:
hostname(config-time-range)# absolute start 7:59 2 january 2009

Purpose: Specifies an absolute time range. The time is in the format hh:mm. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m. The date is in the format day month year; for example, 1 january 2006.

access-list access_list_name [extended] {deny | permit}...
-
Chapter 14 Information About Access Lists

Cisco ASAs provide basic traffic filtering capabilities with access lists, which control access in your network by preventing certain traffic from entering or exiting. This chapter describes access lists and shows how to add them to your network configuration. Access lists are made up of one or more access control entries (ACEs).
-
• IPv6 access lists—Determine which IPv6 traffic to block and which traffic to forward at router interfaces. For more information, see Chapter 19, “Adding an IPv6 Access List.”

Table 14-1 lists the types of access lists and some common uses for them.
-
Access Control Entry Order

The order of ACEs is important. When the ASA decides whether to forward or to drop a packet, the ASA tests the packet against each ACE in the order in which the entries are listed. After a match is found, no more ACEs are checked. For example, if you create an ACE at the beginning of an access list that explicitly permits all traffic, no further statements are checked, and the packet is forwarded.
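The first-match rule above, as an added example that is not part of the Cisco guide: a small evaluator that tests a packet against ACEs in order, falls to the implicit deny when nothing matches, and flags shadowed ACEs that can never be reached because an earlier entry (such as permit ip any any) already covers them. The parser accepts an assumed subset of the access-list syntax (any, host A.B.C.D, A.B.C.D MASK, optional eq port) and the sample ACL is constructed from the command lines shown in this part of the guide.

```python
"""First-match evaluation of an ASA-style extended access list (added example)."""
from dataclasses import dataclass
from typing import NamedTuple, Optional
import ipaddress

# Port names this example understands (assumed subset of the ASA names).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    protocol: str                 # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None: any destination port
    text: str                     # the command line, for reporting


class Packet(NamedTuple):
    protocol: str
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' line."""
    t = line.replace("hostname(config)#", "").split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line!r}")
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(t[3], t[4], src, dst, dport, " ".join(t))


def _matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.protocol == "ip" or ace.protocol == pkt.protocol)
            and ipaddress.IPv4Address(pkt.src) in ace.src
            and ipaddress.IPv4Address(pkt.dst) in ace.dst
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl, pkt: Packet):
    """Return (action, matching ACE). A None ACE means the implicit deny decided."""
    for ace in acl:                       # tested in the order listed
        if _matches(ace, pkt):
            return ace.action, ace        # first match wins, nothing else is checked
    return "deny", None                   # implicit deny at the end of the list


def _covers(outer: Ace, inner: Ace) -> bool:
    """True when every packet that inner could match is already matched by outer."""
    return ((outer.protocol == "ip" or outer.protocol == inner.protocol)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and (outer.dport is None or outer.dport == inner.dport))


def shadowed_aces(acl):
    """Indices of ACEs that can never match because an earlier entry covers them."""
    return [j for j, ace in enumerate(acl) if any(_covers(acl[i], ace) for i in range(j))]


# Constructed sample: the guide's deny lines, then permit ip any any, then a deny
# that is unreachable because the permit-all before it matches everything.
SAMPLE_ACL = [parse_ace(line) for line in """
access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.16 eq www
access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.16 eq www
access-list ACL_IN extended permit ip any any
access-list ACL_IN extended deny ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
""".strip().splitlines()]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.1.1.78", "209.165.201.16", 80),
                Packet("tcp", "10.1.1.78", "209.165.201.16", 443),
                Packet("tcp", "192.168.1.5", "209.165.201.3", 80)):
        action, ace = evaluate(SAMPLE_ACL, pkt)
        print(f"{pkt} -> {action} via {ace.text if ace else 'implicit deny'}")
    for j in shadowed_aces(SAMPLE_ACL):
        print("shadowed, never matches:", SAMPLE_ACL[j].text)
```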
-
Where to Go Next

• Chapter 17, “Adding a Standard Access List”
• Chapter 18, “Adding a Webtype Access List”
• Chapter 19, “Adding an IPv6 Access List”
• Chapter 34, “Configuring Access Rules”
-
Chapter 15 Adding an Extended Access List

This chapter describes how to configure extended access lists (also known as access control lists), and it includes the following sections:

• Information About Extended Access Lists, page 15-1
• Licensing Requirements for Extended Access Lists, page 15-1
• Guidelines and Limitations, page 15-1
• Default Settings, page 15-2
• Configuring Extended Access Lists, page 15-2
• Monitoring Extended Access Lists, page 15-5
• Configuration Examples for Ext
-
Firewall Mode Guidelines

Supported only in routed and transparent firewall modes.

IPv6 Guidelines

IPv6 is supported.

Additional Guidelines and Limitations

The following guidelines and limitations apply to creating an extended access list:

• Enter the access list name in uppercase letters so that the name is easy to see in the configuration.
-
Adding an Extended Access List

An access list is made up of one or more access control entries (ACEs) with the same access list ID. To create an access list, you start by creating an ACE and applying a list name. An access list with one entry is still considered a list, although you can add multiple entries to the list.
-
Detailed Steps

Command                      Purpose
(For IP traffic, no ports)   Adds an extended ACE.
-
Adding Remarks to Access Lists

You can include remarks about entries in any access list, including extended, EtherType, IPv6, standard, and Webtype access lists. The remarks make the access list easier to understand. To add a remark after the last access-list command you entered, enter the following command:

Command: access-list access_list_name remark text

Purpose: Adds a remark after the last access-list command you entered.
-
Configuration Examples for Extended Access Lists (No Objects)

The following access list allows all hosts (on the interface to which you apply the access list) to go through the ASA:

hostname(config)# access-list ACL_IN extended permit ip any any

The following sample access list prevents hosts on 192.168.1.0/24 from accessing the 209.165.201.0/27 network. All other addresses are permitted.
-
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.16 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.16 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.78 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.
-
Chapter 16 Adding an EtherType Access List

This chapter describes how to configure EtherType access lists and includes the following sections:

• Information About EtherType Access Lists, page 16-1
• Licensing Requirements for EtherType Access Lists, page 16-1
• Guidelines and Limitations, page 16-2
• Default Settings, page 16-2
• Configuring EtherType Access Lists, page 16-2
• Monitoring EtherType Access Lists, page 16-4
• What to Do Next, page 16-4
• Configuration Examples for EtherTy
-
Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Available in single and multiple context modes.

Firewall Mode Guidelines

Supported in transparent firewall mode only.

IPv6 Guidelines

Supports IPv6.
-
Step 1 Create an access list by adding an ACE and applying an access list name, as shown in the “Adding EtherType Access Lists” section on page 16-3.

Step 2 Apply the access list to an interface. (See the “Configuring Access Rules” section on page 34-7 for more information.)
-
Example

The following sample access list allows common EtherTypes originating on the inside interface:

hostname(config)# access-list ETHER ethertype permit ipx
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside

Adding Remarks to Access Lists

You can include remarks about entries in any access list, including extended, EtherType, IPv6, standard, and Webtype access lists.
-
Configuration Examples for EtherType Access Lists

The following example shows how to configure EtherType access lists. The following access list allows some EtherTypes through the ASA, but it denies IPX:

hostname(config)# access-list ETHER ethertype deny ipx
hostname(config)# access-list ETHER ethertype permit 0x1234
hostname(config)# access-list ETHER ethertype permit mpls-uni
-
Chapter 17 Adding a Standard Access List

This chapter describes how to configure a standard access list and includes the following sections:

• Information About Standard Access Lists, page 17-1
• Licensing Requirements for Standard Access Lists, page 17-1
• Guidelines and Limitations, page 17-1
• Default Settings, page 17-2
• Adding Standard Access Lists, page 17-3
• What to Do Next, page 17-4
• Monitoring Access Lists, page 17-4
• Configuration Examples for Standard Access Lists, page
-
• IPv6 Guidelines, page 17-2
• Additional Guidelines and Limitations, page 17-2

Context Mode Guidelines

Supported in single context mode only.

Firewall Mode Guidelines

Supported in routed and transparent firewall modes.

IPv6 Guidelines

Supports IPv6.
-
Adding Standard Access Lists

This section includes the following topics:

• Task Flow for Configuring Extended Access Lists, page 17-3
• Adding a Standard Access List, page 17-3
• Adding Remarks to Access Lists, page 17-4

Task Flow for Configuring Extended Access Lists

Use the following guidelines to create and implement an access list:

• Create an access list by adding an ACE and applying an access list name.
-
Adding Remarks to Access Lists

You can include remarks about entries in any access list, including extended, EtherType, IPv6, standard, and Webtype access lists. The remarks make the access list easier to understand. To add a remark after the last access-list command you entered, enter the following command:

Command: access-list access_list_name remark text

Purpose: Adds a remark after the last access-list command you entered.
-
The following example shows how to permit IP traffic through the ASA if conditions are matched:

hostname(config)# access-list 77 standard permit

The following example shows how to specify a destination address:

hostname(config)# access-list 77 standard permit host 10.1.10.123

Feature History for Standard Access Lists

Table 17-2 lists each feature change and the platform release in which it was implemented.
-
Chapter 18 Adding a Webtype Access List

Webtype access lists are added to a configuration that supports filtering for clientless SSL VPN. This chapter describes how to add an access list to the configuration that supports filtering for WebVPN.
-
Firewall Mode Guidelines

Supported in routed and transparent firewall mode.

IPv6 Guidelines

Supports IPv6.

Additional Guidelines and Limitations

The following guidelines and limitations apply to Webtype access lists:

• The access-list webtype command is used to configure clientless SSL VPN filtering. The URL specified may be full or partial (no file specified), may include wildcards for the server, or may specify a port.
-
Adding Webtype Access Lists with a URL String

To add an access list to the configuration that supports filtering for clientless SSL VPN, enter the following command:

Command: access-list access_list_name webtype {deny | permit} url [url_string | any] [log[[disable | default] | level] interval secs][time_range name]]

Purpose: Adds an access list to the configuration that supports filtering for WebVPN.
-
Adding Webtype Access Lists with an IP Address

To add an access list to the configuration that supports filtering for clientless SSL VPN, enter the following command:

Command: access-list access_list_name webtype {deny | permit} tcp [host ip_address | ip_address subnet_mask | any] [oper port[port]] [log[[disable | default] | level] interval secs][time_range name]]

Purpose: Adds an access list to the configuration that supports filtering
-
Adding Remarks to Access Lists

You can include remarks about entries in any access list, including extended, EtherType, IPv6, standard, and Webtype access lists. The remarks make the access list easier to understand. To add a remark after the last access-list command you entered, enter the following command:

Command: access-list access_list_name remark text

Purpose: Adds a remark after the last access-list command you entered.
-
Configuration Examples for Webtype Access Lists

The following example shows how to deny access to a specific file:

hostname(config)# access-list acl_file webtype deny url https://www.example.com/dir/file.html

The following example shows how to deny HTTP access to any URL through port 8080:

hostname(config)# access-list acl_company webtype deny url http://my-server:8080/*

The following examples show how to use wildcards in Webtype access lists.
-
Feature History for Webtype Access Lists

Table 18-2 lists each feature change and the platform release in which it was implemented.

Table 18-2 Feature History for Webtype Access Lists

Feature Name           Releases   Feature Information
Webtype access lists   7.0(1)     Webtype access lists are access lists that are added to a configuration that supports filtering for clientless SSL VPN.
-
Chapter 19 Adding an IPv6 Access List

This chapter describes how to configure IPv6 access lists to control and filter traffic through the ASA.
-
Prerequisites for Adding IPv6 Access Lists

You should be familiar with IPv6 addressing and basic configuration. See the ipv6 commands in the Cisco Security Appliance Command Reference for more information about configuring IPv6.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single and multiple context modes.
-
– echo-reply
– membership-query
– membership-report
– membership-reduction
– router-renumbering
– router-solicitation
– router-advertisement
– neighbor-solicitation
– neighbor-advertisement
– neighbor-redirect

• If the protocol argument is specified, valid values are icmp, ip, tcp, udp, or an integer in the range of 1 to 254, representing an IP protocol number.

Default Settings

Table 19-1 lists the default settings for IPv6 access list parameters.
-
Configuring IPv6 Access Lists

This section includes the following topics:

• Task Flow for Configuring IPv6 Access Lists, page 19-4
• Adding IPv6 Access Lists, page 19-5
• Adding Remarks to Access Lists, page 19-6

Task Flow for Configuring IPv6 Access Lists

Use the following guidelines to create and implement an access list:

• Create an access list by adding an ACE and applying an access list name, as shown in the “Adding IPv6 Acce
-
Adding IPv6 Access Lists

You can add a regular IPv6 access list or add an IPv6 access list with TCP.
-
To configure an IPv6 access list with ICMP, enter the following command:

Command: ipv6 access-list id [line line-num] {deny | permit} icmp6 {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | object-group network_obj_grp_id} {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | object-group network_obj_grp_id} [icmp_type | object-group icmp_type_obj_grp_id] [log [[level] [interval secs]
-
Monitoring IPv6 Access Lists

To monitor IPv6 access lists, perform one of the following tasks:

Command: show ipv6 access-list

Purpose: Displays all IPv6 access list information.
-
Chapter 20 Configuring Logging for Access Lists

This chapter describes how to configure access list logging for extended access lists and Webtype access lists, and it describes how to manage deny flows.
-
Note
Only ACEs in the access list generate logging messages; the implicit deny at the end of the access list does not generate a message.
-
Firewall Mode Guidelines

Supported only in routed and transparent firewall modes.

IPv6 Guidelines

Supports IPv6.

Additional Guidelines and Limitations

ACE logging generates syslog message 106023 for denied packets. A deny ACE must be present to log denied packets.

Default Settings

Table 20-1 lists the default settings for extended access list parameters.
-
To configure logging for an ACE, enter the following command:

Command: access-list access_list_name [extended] {deny | permit}...[log [[level] [interval secs] | disable | default]]

Purpose: Configures logging for an ACE. The access-list access_list_name syntax specifies the access list for which you want to configure logging. The extended option adds an ACE.
-
When the first ACE of outside-acl permits a packet, the ASA generates the following syslog message:

%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/10.0.0.0(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)

Although 20 additional packets for this connection arrive on the outside interface, the traffic does not have to be checked against the access list, and the hit count does not increase.
-
Information About Managing Deny Flows

When you enable logging for message 106100, if a packet matches an ACE, the ASA creates a flow entry to track the number of packets received within a specific interval. The ASA has a maximum of 32 K logging flows for ACEs. A large number of flows can exist concurrently at any point of time.
-
Default Settings

Table 20-3 lists the default settings for managing deny flows.

Table 20-3 Default Parameters for Managing Deny Flows

Parameters   Default
numbers      The numbers argument specifies the maximum number of deny flows. The default is 4096.
secs         The secs argument specifies the time, in seconds, between syslog messages. The default is 300.
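The 106100 hit-count behaviour and the deny-flow limits described in the sections above, as an added example that is not part of the Cisco guide: the first match on a logged ACE creates a flow entry and emits "hit-cnt 1 (first hit)", later matches on the same flow are counted and reported once per interval, idle flows are dropped, and a full flow table drops new flows and raises a rate-limited alert. The flow limit and alert interval use the defaults from Table 20-3 (4096 and 300 seconds); the flow key (protocol, addresses and ports), the alert wording, and the default message severity of 6 (overridden by the log level option) are assumptions of this example.

```python
"""Per-ACE logging flows for syslog 106100 with a flow cap (added example)."""
from dataclasses import dataclass, field


@dataclass
class Flow:
    hits: int = 1                # hits to report at the next interval (the first hit counts)
    new: int = 0                 # hits received since the last message for this flow
    last_report: float = 0.0     # time of the last message for this flow


@dataclass
class AceLogger:
    acl: str
    verdict: str                          # "permitted" or "denied", as printed in the message
    interval: float = 300.0               # seconds between messages for an active flow
    max_flows: int = 4096                 # maximum number of tracked flows (Table 20-3 default)
    level: int = 6                        # assumed default severity; log <level> overrides it
    flows: dict = field(default_factory=dict)
    messages: list = field(default_factory=list)
    dropped: int = 0                      # hits not tracked because the flow table was full
    last_alert: float = float("-inf")

    def _msg(self, key, count, suffix):
        proto, src, sport, dst, dport = key
        return (f"%ASA-{self.level}-106100: access-list {self.acl} {self.verdict} {proto} "
                f"{src}({sport}) -> {dst}({dport}) hit-cnt {count} {suffix}")

    def hit(self, now, proto, src, sport, dst, dport):
        """Record one ACE match at time `now`; return the message emitted, if any."""
        key = (proto, src, sport, dst, dport)
        flow = self.flows.get(key)
        if flow is None:
            if len(self.flows) >= self.max_flows:
                # Table full: the hit is not tracked and the alert is rate-limited (assumed wording).
                self.dropped += 1
                if now - self.last_alert >= self.interval:
                    self.last_alert = now
                    alert = f"ALERT: logging flow limit {self.max_flows} reached for {self.acl}"
                    self.messages.append(alert)
                    return alert
                return None
            self.flows[key] = Flow(last_report=now)
            msg = self._msg(key, 1, "(first hit)")
            self.messages.append(msg)
            return msg
        flow.hits += 1                    # same flow: only the counter moves, no message yet
        flow.new += 1
        return None

    def tick(self, now):
        """Interval expiry: report flows that saw new hits, delete idle ones."""
        emitted = []
        for key, flow in list(self.flows.items()):
            if now - flow.last_report < self.interval:
                continue
            if flow.new:
                msg = self._msg(key, flow.hits, f"({self.interval:.0f}-second interval)")
                emitted.append(msg)
                flow.hits = flow.new = 0
                flow.last_report = now
            else:
                del self.flows[key]       # no packets in the last interval: flow entry removed
        self.messages.extend(emitted)
        return emitted


def demo():
    """Constructed replay: the connection from the guide's example, then a second
    connection with the same ports 15 seconds later, then two interval expiries."""
    log = AceLogger("outside-acl", "permitted")
    first = log.hit(0, "tcp", "outside/10.0.0.0", 12345, "inside/192.168.1.1", 1357)
    # The 20 further packets of that connection never consult the ACL, so no hit() for them.
    log.hit(15, "tcp", "outside/10.0.0.0", 12345, "inside/192.168.1.1", 1357)
    interval_report = log.tick(300)
    log.tick(600)                         # no new hits in the second interval: entry dropped
    return first, interval_report, len(log.flows)


if __name__ == "__main__":
    first, report, remaining = demo()
    print(first)
    print(*report, sep="\n")
    print("flows still tracked:", remaining)
```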
-
Feature History for Managing Deny Flows

Table 20-4 lists each feature change and the platform release in which it was implemented.

Table 20-4 Feature History for Managing Deny Flows

Feature Name          Releases   Feature Information
Managing Deny Flows   7.0(1)     You can configure the maximum number of deny flows and set the interval between deny flow alert messages.
-
Part 6 Configuring IP Routing
-
Chapter 21 Routing Overview

This chapter describes underlying concepts of how routing behaves within the ASA, and the routing protocols that are supported.
-
Switching

Switching algorithms are relatively simple and are the same for most routing protocols. In most cases, a host determines that it must send a packet to another host. Having acquired a router address by some means, the source host sends a packet addressed specifically to a router physical (Media Access Control [MAC]-layer) address, this time with the protocol (network layer) address of the destination host.
-
• Link-State Versus Distance Vector, page 21-4

Static Versus Dynamic

Static routing algorithms are hardly algorithms at all, but are table mappings established by the network administrator before the beginning of routing. These mappings do not change unless the network administrator alters them.
-
Link-State Versus Distance Vector

Link-state algorithms (also known as shortest path first algorithms) flood routing information to all nodes in the internetwork. Each router, however, sends only the portion of the routing table that describes the state of its own links. In link-state algorithms, each router builds a picture of the entire network in its routing tables.
-
a level 6 syslog message 110001 generated (no route to host), even if there is another route for a given destination network that belongs to a different egress interface. If the route that belongs to a selected egress interface is found, the packet is forwarded to the corresponding next hop. Load sharing on the ASA is possible only for multiple next hops available using a single egress interface.
-
Information About the Routing Table

This section includes the following topics:

• Displaying the Routing Table, page 21-6
• How the Routing Table Is Populated, page 21-6
• How Forwarding Decisions Are Made, page 21-8
• Dynamic Routing and Failover, page 21-9

Displaying the Routing Table

To view the entries in the routing table, enter the following command:

hostname# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M -
-
Even though OSPF routes have the better administrative distance, both routes are installed in the routing table because each of these routes has a different prefix length (subnet mask). They are considered different destinations and the packet forwarding logic determines which route to use.
-
The administrative distance is a local setting. For example, if you use the distance-ospf command to change the administrative distance of routes obtained through OSPF, that change would only affect the routing table for the ASA on which the command was entered. The administrative distance is not advertised in routing updates. Administrative distance does not affect the routing process.
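The two rules from this section, route installation by administrative distance and forwarding by longest prefix, as an added example that is not part of the Cisco guide. It shows why a RIP /24 and an OSPF /19 for 192.168.32.0 are both installed and why the /24 wins the forwarding lookup despite RIP's worse distance, and how a lookup that finds no route corresponds to the "no route to host" case (message 110001). The distances are the standard Cisco defaults for connected (0), static (1), OSPF (110) and RIP (120); the sample routes are constructed.

```python
"""Route installation by administrative distance, forwarding by longest prefix (added example)."""
from dataclasses import dataclass
import ipaddress

DEFAULT_DISTANCE = {"C": 0, "S": 1, "O": 110, "R": 120}   # show route codes -> default distance


@dataclass(frozen=True)
class Route:
    code: str
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str
    distance: int


class RoutingTable:
    def __init__(self):
        self.routes = {}            # installed routes, keyed by exact prefix

    def offer(self, code, prefix, next_hop, interface, distance=None):
        """A routing source offers a route. It is installed only if no route for the
        same exact prefix is held, or if it has a lower administrative distance."""
        net = ipaddress.IPv4Network(prefix, strict=False)
        ad = DEFAULT_DISTANCE[code] if distance is None else distance
        current = self.routes.get(net)
        if current is not None and current.distance <= ad:
            return False            # an equal or better route for this prefix is already installed
        self.routes[net] = Route(code, net, next_hop, interface, ad)
        return True

    def lookup(self, dest):
        """Forwarding decision: the most specific (longest) matching prefix wins,
        whatever its administrative distance. None means no route to host."""
        addr = ipaddress.IPv4Address(dest)
        candidates = [r for r in self.routes.values() if addr in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.prefix.prefixlen)

    def show(self):
        """Lines in the spirit of show route: code, prefix, [distance], next hop, interface."""
        ordered = sorted(self.routes.values(),
                         key=lambda r: (r.prefix.network_address, r.prefix.prefixlen))
        return [f"{r.code} {r.prefix} [{r.distance}] via {r.next_hop}, {r.interface}" for r in ordered]


def build_sample_table():
    """Constructed scenario: RIP and OSPF both advertise 192.168.32.0 with different masks."""
    rt = RoutingTable()
    rt.offer("C", "10.1.1.0/24", "directly connected", "outside")
    rt.offer("S", "0.0.0.0/0", "10.1.1.1", "outside")          # static default route
    rt.offer("R", "192.168.32.0/24", "10.1.1.2", "outside")    # RIP, /24
    rt.offer("O", "192.168.32.0/19", "10.1.1.3", "outside")    # OSPF, /19: different prefix, also installed
    rt.offer("R", "172.16.0.0/16", "10.1.1.2", "outside")
    rt.offer("O", "172.16.0.0/16", "10.1.1.3", "outside")      # same prefix: OSPF (110) replaces RIP (120)
    return rt


if __name__ == "__main__":
    table = build_sample_table()
    print("\n".join(table.show()))
    for dest in ("192.168.32.1", "192.168.40.1", "172.16.5.5", "203.0.113.9"):
        r = table.lookup(dest)
        print(dest, "->", f"{r.code} {r.prefix} via {r.next_hop}" if r else "no route to host")
```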
-
Dynamic Routing and Failover

Because static routing systems cannot react to network changes, they generally are considered unsuitable for large, constantly changing networks. Most of the dominant routing algorithms are dynamic routing algorithms, which adjust to changing network circumstances by analyzing incoming routing update messages.
-
• NetFlow Secure Event Logging filtering
• Connection limits, timeouts, and TCP randomization
• TCP Normalization
• TCP state bypass
• Access group, using an IPv6 access list
• Static Routes
• VPN (all types)
• Failover
• Transparent firewall mode

IPv6-Enabled Commands

The following ASA commands can accept and display IPv6 addresses:

• capture
• configure
• copy
• failover interface ip
• http
• name
• object-group
• ping
• show co
-
Entering IPv6 Addresses in Commands

When entering IPv6 addresses in commands that support them, enter the IPv6 address using standard IPv6 notation, for example: ping fe80::2e0:b6ff:fe01:3b7a. The ASA correctly recognizes and processes the IPv6 address. However, you must enclose the IPv6 address in square brackets ([ ]) in the following situations:

• You need to specify a port number with the address, for example: [fe80::2e0:b6ff:fe01:3b7a]:8080.
-
Chapter 22 Configuring Static and Default Routes

This chapter describes how to configure static and default routes on the ASA and includes the following sections:

• Information About Static and Default Routes, page 22-1
• Licensing Requirements for Static and Default Routes, page 22-2
• Guidelines and Limitations, page 22-2
• Configuring Static and Default Routes, page 22-2
• Monitoring a Static or Default Route, page 22-6
• Configuration Examples for Static or Default Routes, page 22-8
-
syslog server, Websense or N2H2 server, or AAA server. If you have servers that cannot all be reached through a single default route, then you must configure static routes. Additionally, the ASA supports up to three equal cost routes on the same interface for load balancing.
-
Configuring a Static Route

Static routing algorithms are basically table mappings established by the network administrator before the beginning of routing. These mappings do not change unless the network administrator alters them. Algorithms that use static routes are simple to design and work well in environments where network traffic is relatively predictable and where network design is relatively simple.
-
Examples

The following example shows static routes that are equal cost routes that direct traffic to three different gateways on the outside interface. The ASA distributes the traffic among the specified gateways.

hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.2
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.
-
Command: route if_name 0.0.0.0 0.0.0.0 gateway_ip [distance | tunneled]

Example:
hostname(config)# route outside 0 0 192.168.2.4 tunneled

Purpose: Enables you to add a static route. The dest_ip and mask arguments indicate the IP address for the destination network and the gateway_ip argument is the address of the next hop router.
-
Note
The ipv6 route command works the same way as the route command, which is used to define IPv4 static routes.

Monitoring a Static or Default Route

One of the problems with static routes is that there is no inherent mechanism for determining if the route is up or down. They remain in the routing table even if the next hop gateway becomes unavailable.
-
Detailed Steps

Step 1

Command: sla monitor sla_id

Purpose: Configures the tracked object monitoring parameters by defining the monitoring process. If you are configuring a new monitoring process, you enter sla monitor configuration mode.
-
Command:
hostname(config)# interface phy_if
hostname(config-if)# dhcp client route track track_id
hostname(config-if)# ip address dhcp setroute
hostname(config-if)# exit

Purpose: Tracks a default route obtained through DHCP. Remember that you must use the setroute keyword with the ip address dhcp command to obtain the default route using DHCP.
-
Chapter 23 Defining Route Maps

This chapter describes route maps and includes the following sections:

• Information About Route Maps, page 23-1
• Licensing Requirements for Route Maps, page 23-3
• Guidelines and Limitations, page 23-3
• Defining a Route Map, page 23-4
• Customizing a Route Map, page 23-4
• Configuration Example for Route Maps, page 23-6
• Feature History for Route Maps, page 23-6

Information About Route Maps

Route maps are used when redistributing routes into an OSPF,
-
• Each ACL ends with an implicit deny statement, by design convention; there is no similar convention for route maps. If the end of a route map is reached during matching attempts, the result depends on the specific application of the route map.
-
A match or set value in each clause can be missed or repeated several times, if one of these conditions exists:

• If several match commands, or Match Clause values in ASDM, are present in a clause, all must succeed for a given route in order for that route to match the clause (in other words, the logical AND algorithm is applied for multiple match commands).
-
Defining a Route Map

You must define a route map when specifying which of the routes from the specified routing protocol are allowed to be redistributed into the target routing process. To define a route map, enter the following command:

Command: route-map name {permit | deny} [sequence_number]

Purpose: Creates the route map entry. Enters route-map configuration mode. Route map entries are read in order.
-
Command: match metric metric_value

Example:
hostname(config-route-map)# match metric 200

Purpose: Matches any routes that have a specified metric. The metric_value can range from 0 to 4294967295.

Command: match ip next-hop acl_id [acl_id] [...]

Purpose: Matches any routes that have a next hop router address that matches a standard ACL. If you specify more than one ACL, then the route can match any of the ACLs.
-
Command: set metric metric_value

Example:
hostname(config-route-map)# set metric 200

Purpose: Sets the metric value. The metric_value argument can range from 0 to 294967295.

Command: set metric-type {type-1 | type-2}

Purpose: Sets the metric type. The metric-type argument can be type-1 or type-2.
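The route-map semantics described in this chapter (entries read in sequence order, logical AND across the match commands of a clause, any-of matching across several ACLs on one match ip next-hop, set metric and set metric-type applied on a permit) as an added example that is not part of the Cisco guide. Two details not stated on this page are assumptions of the example: a clause with no match commands matches every route, and a route that reaches the end of the route map is not redistributed; the standard ACL and the route map used as input are constructed.

```python
"""Route-map evaluation for redistribution (added example)."""
from dataclasses import dataclass, field, replace
from typing import Optional
import ipaddress


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    metric: int
    metric_type: str = "type-2"


@dataclass
class Clause:
    seq: int
    action: str                                         # "permit" or "deny"
    match_metric: list = field(default_factory=list)    # match metric: values are alternatives
    match_next_hop: list = field(default_factory=list)  # match ip next-hop acl [acl ...]: any may match
    set_metric: Optional[int] = None
    set_metric_type: Optional[str] = None


def standard_acl_permits(acl, addr):
    """Standard ACL as (action, network) entries: first match wins, implicit deny at the end (assumed)."""
    for action, network in acl:
        if addr in network:
            return action == "permit"
    return False


def clause_matches(clause, route, acls):
    """Logical AND across the match commands present; OR across the values of one command."""
    conditions = []
    if clause.match_metric:
        conditions.append(route.metric in clause.match_metric)
    if clause.match_next_hop:
        conditions.append(any(standard_acl_permits(acls[name], route.next_hop)
                              for name in clause.match_next_hop))
    return all(conditions)      # no match commands: all([]) is True, clause matches every route (assumed)


def apply_route_map(route_map, route, acls):
    """Return the route as it would be redistributed, or None if denied or unmatched."""
    for clause in sorted(route_map, key=lambda c: c.seq):   # entries are read in order
        if not clause_matches(clause, route, acls):
            continue
        if clause.action == "deny":
            return None
        out = replace(route)                                  # permit: apply the set commands
        if clause.set_metric is not None:
            out.metric = clause.set_metric
        if clause.set_metric_type is not None:
            out.metric_type = clause.set_metric_type
        return out
    return None                 # end of route map reached: not redistributed (assumed for this use)


def net(text):
    return ipaddress.IPv4Network(text, strict=False)


# Constructed configuration: one standard ACL and a three-clause route map.
ACLS = {"NEXTHOPS": [("permit", net("10.1.1.0/24"))]}
ROUTE_MAP = [
    Clause(10, "deny", match_metric=[200]),
    Clause(20, "permit", match_metric=[100, 150], match_next_hop=["NEXTHOPS"],
           set_metric=300, set_metric_type="type-1"),
    Clause(30, "permit", set_metric=500),
]


def redistribute(prefix, next_hop, metric, route_map=ROUTE_MAP):
    """Evaluate one candidate route against the route map."""
    route = Route(net(prefix), ipaddress.IPv4Address(next_hop), metric)
    return apply_route_map(route_map, route, ACLS)


if __name__ == "__main__":
    for args in (("192.0.2.0/24", "10.1.1.5", 200), ("192.0.2.0/24", "10.1.1.5", 150),
                 ("198.51.100.0/24", "10.1.1.5", 120), ("198.51.100.0/24", "172.16.0.1", 100)):
        print(args, "->", redistribute(*args))
```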
-
Chapter 24 Configuring OSPF

This chapter describes how to configure the ASA to route data, perform authentication, and redistribute routing information using the Open Shortest Path First (OSPF) routing protocol.
-
The ASA can run two processes of OSPF protocol simultaneously on different sets of interfaces. You might want to run two processes if you have interfaces that use the same IP addresses (NAT allows these interfaces to coexist, but OSPF does not allow overlapping addresses). Or you might want to run one process on the inside and another on the outside, and redistribute a subset of routes between the two processes.
-
Chapter 24 Configuring OSPF Guidelines and Limitations Model License Requirement All models Base License. Guidelines and Limitations This section includes the guidelines and limitations for this feature. Context Mode Guidelines Supported in single context mode. Firewall Mode Guidelines Supported in routed firewall mode only. Transparent firewall mode is not supported. IPv6 Guidelines Does not support IPv6. Configuring OSPF This section describes how to enable an OSPF process on the ASA.
-
Chapter 24 Configuring OSPF Customizing OSPF Detailed Steps Step 1 Command Purpose router ospf process_id Creates an OSPF routing process and enters router configuration mode for this OSPF process. Example: The process_id argument is an internally used identifier for this routing process and can be any positive integer. This ID does not have to match the ID on any other device; it is for internal use only. You can use a maximum of two processes.
-
Chapter 24 Configuring OSPF Customizing OSPF Detailed Steps Step 1 Command Purpose router ospf process_id Creates an OSPF routing process and enters router configuration mode for the OSPF process that you want to redistribute. Example: The process_id argument is an internally used identifier for this routing process and can be any positive integer. This ID does not have to match the ID on any other device; it is for internal use only. You can use a maximum of two processes.
-
Chapter 24 Configuring OSPF Customizing OSPF Command Purpose redistribute rip [metric metric-value] [metric-type {type-1 | type-2}] [tag tag_value] [subnets] [route-map map_name] Allows you to redistribute routes from a RIP routing process into the OSPF routing process.
-
Chapter 24 Configuring OSPF Customizing OSPF To configure the software advertisement on one summary route for all redistributed routes included for a network address and mask, perform the following steps: Detailed Steps Step 1 Command Purpose router ospf process_id Creates an OSPF routing process and enters router configuration mode for this OSPF process. Example: The process_id argument is an internally used identifier for this routing process and can be any positive integer.
-
Chapter 24 Configuring OSPF Customizing OSPF Configuring OSPF Interface Parameters You can change some interface-specific OSPF parameters, if necessary. Prerequisites You are not required to change any of these parameters, but the following interface parameters must be consistent across all routers in an attached network: ospf hello-interval, ospf dead-interval, and ospf authentication-key.
-
Chapter 24 Configuring OSPF Customizing OSPF Command Purpose ospf authentication-key key Assigns the password used by neighboring OSPF routers on a network segment that uses OSPF simple password authentication. Example: hostname(config-interface)# ospf authentication-key cisco The key argument can be any continuous string of characters up to 8 bytes in length. Note With simple password authentication the key is carried in cleartext in the header of every OSPF packet, so anyone able to capture traffic on the segment can read it. It guards against accidental adjacency with a misconfigured router, not against a deliberate attacker; use MD5 (message-digest) authentication on segments that are not fully trusted.
-
Chapter 24 Configuring OSPF Customizing OSPF Command Purpose ospf retransmit-interval seconds Allows you to specify the number of seconds between LSA retransmissions for adjacencies belonging to an OSPF interface. Example: The value for seconds must be greater than the expected round-trip delay between any two routers on the attached network. The range is from 1 to 65535 seconds. The default value is 5 seconds.
-
Chapter 24 Configuring OSPF Customizing OSPF Command Purpose area area-id authentication Enables simple password (cleartext) authentication for an OSPF area; the password itself is set per interface with ospf authentication-key. Example: hostname(config-router)# area 0 authentication area area-id authentication message-digest Enables MD5 authentication for an OSPF area; the key is set per interface with ospf message-digest-key. Example: hostname(config-router)# area 0 authentication message-digest Configuring OSPF NSSA The OSPF implementation of an NSSA is similar to an OSPF stub area.
-
Chapter 24 Configuring OSPF Customizing OSPF Command Purpose area area-id nssa [no-redistribution] [default-information-originate] Defines an NSSA area. The backbone area (area 0) cannot be configured as an NSSA, so use a non-zero area ID. Example: hostname(config-router)# area 1 nssa summary-address ip_address mask [not-advertise] [tag tag] Sets the summary address and helps reduce the size of the routing table. Example: hostname(config)# router ospf 1 hostname(config-router)# summary-address 10.1.0.0 255.255.0.0
-
Chapter 24 Configuring OSPF Customizing OSPF Configuring Route Calculation Timers You can configure the delay time between when OSPF receives a topology change and when it starts an SPF calculation. You also can configure the hold time between two consecutive SPF calculations. To configure route calculation timers, perform the following steps: Detailed Steps Step 1 Command Purpose router ospf process_id Creates an OSPF routing process and enters router configuration mode for this OSPF process.
-
Chapter 24 Configuring OSPF Restarting the OSPF Process To log neighbors going up or down, perform the following steps: Detailed Steps Step 1 Command Purpose router ospf process_id Creates an OSPF routing process and enters router configuration mode for this OSPF process. Example: The process_id argument is an internally used identifier for this routing process and can be any positive integer. This ID does not have to match the ID on any other device; it is for internal use only.
-
Chapter 24 Configuring OSPF Configuration Example for OSPF Step 3 (Optional) To configure OSPF interface parameters, enter the following commands: hostname(config)# router ospf 2 hostname(config-router)# network 10.0.0.0 255.0.0.
-
Chapter 24 Configuring OSPF Monitoring OSPF Monitoring OSPF You can display specific statistics such as the contents of IP routing tables, caches, and databases. You can also use the information provided to determine resource utilization and solve network problems. You can also display information about node reachability and discover the routing path that your device packets are taking through the network.
-
Chapter 24 Configuring OSPF Feature History for OSPF Command Purpose show ospf [process-id] summary-address Displays a list of all summary address redistribution information configured under an OSPF process. show ospf [process-id] virtual-links Displays OSPF-related virtual links information. Feature History for OSPF Table 24-1 lists each feature change and the platform release in which it was implemented.
-
Chapter 24 Feature History for OSPF Cisco ASA 5500 Series Configuration Guide using the CLI 24-18 Configuring OSPF
-
CH A P T E R 25 Configuring RIP This chapter describes how to configure the ASA to route data, perform authentication, and redistribute routing information using the Routing Information Protocol (RIP).
-
Chapter 25 Configuring RIP Information About RIP The ASA supports both RIP Version 1 and RIP Version 2. RIP Version 1 does not send the subnet mask with the routing update. RIP Version 2 sends the subnet mask with the routing update and supports variable-length subnet masks. Additionally, RIP Version 2 supports neighbor authentication when routing updates are exchanged. This authentication ensures that the ASA receives reliable routing information from a trusted source.
-
Chapter 25 Configuring RIP Licensing Requirements for RIP simultaneously attempting to update their neighbors. Each routing table entry has a route-timeout timer associated with it. When the route-timeout timer expires, the route is marked invalid but is retained in the table until the route-flush timer expires. Licensing Requirements for RIP The following table shows the licensing requirements for this feature: Model License Requirement All models Base License.
-
Chapter 25 Configuring RIP Configuring RIP Configuring RIP This section describes how to enable and restart the RIP process on the ASA. After you have enabled RIP, see the “Customizing RIP” section on page 25-4 to learn how to customize the RIP process on the ASA. Note If you want to redistribute a route by defining which of the routes from the specified routing protocol are allowed to be redistributed into the target routing process, you must first generate a default route.
-
Chapter 25 Configuring RIP Customizing RIP Configuring the RIP Version To specify the version of RIP used by the ASA, perform the following steps: Detailed Steps Step 1 Command Purpose router rip Starts the RIP routing process and places you in router configuration mode. Example: hostname(config)# router rip Step 2 network network_address Specifies the interfaces that will participate in the RIP routing process.
-
Chapter 25 Configuring RIP Customizing RIP Configuring Interfaces for RIP If you have an interface that you do not want to have participate in RIP routing, but that is attached to a network that you want advertised, you can configure the network (using the network command) that includes the network to which the interface is attached, and configure the passive interfaces (using the passive-interface command) to prevent that interface from using RIP.
-
Chapter 25 Configuring RIP Customizing RIP Command Purpose rip send version {[1] [2]} Specifies the version of RIP to use when sending RIP updates out of the interface. Example: In this example, Version 1 is selected. hostname(config-if)# rip send version 1 rip receive version {[1] [2]} Specifies the version of RIP advertisements permitted to be received by an interface. Example: In this example, Version 2 is selected.
-
Chapter 25 Configuring RIP Customizing RIP Filtering Networks in RIP To filter the networks received in updates, perform the following steps: Note Before you begin, you must create a standard access list that permits the networks that you want the RIP process to allow in the routing table and denies the networks that you want the RIP process to discard. Detailed Steps Step 1 Command Purpose router rip Enables the RIP routing process and places you in router configuration mode.
-
Chapter 25 Configuring RIP Customizing RIP To redistribute a route into the RIP routing process, enter one of the following commands: Command Purpose Choose one of the following commands to redistribute the selected route type into the RIP routing process. You must specify the RIP metric values in the redistribute command if you do not have a default-metric command in the RIP router configuration.
-
Chapter 25 Configuring RIP Customizing RIP RIP route authentication provides MD5 authentication of routing updates from the RIP routing protocol. The MD5 keyed digest in each RIP packet prevents the introduction of unauthorized or false routing messages from unapproved sources. RIP route authentication is configured on a per-interface basis.
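The keyed MD5 digest described here for RIP, and the MD5 (message-digest) area authentication described in the OSPF chapter, both follow the same construction: the packet is hashed together with a shared key, and a receiver recomputes the digest with its own copy of the key before accepting the update. The following Python example, added for this page and not ASA code, builds a RIPv2 RESPONSE with the RFC 2082 authentication header and trailer, then shows the receiver rejecting a tampered route, a packet signed with a different key, and a replayed (stale sequence number) update. The key, route entry and neighbor address are constructed; the Auth Data Len convention (16, counting only the digest) is this example's choice, and interoperating with a real router requires matching that router's wire format.

```python
"""RIPv2 keyed-MD5 authentication (RFC 2082), added example, not ASA code."""
import hashlib
import hmac
import ipaddress
import struct

AFI_AUTH = 0xFFFF          # address family marking an authentication entry
AUTH_TYPE_MD5 = 3          # Keyed Message Digest
AUTH_TYPE_TRAILER = 1      # marks the trailing digest entry
RIP_HDR_LEN = 4            # command, version, two zero bytes
RTE_LEN = 20               # every RIP-2 entry, including auth entries, is 20 bytes
DIGEST_LEN = 16
AUTH_TRAILER_HDR = struct.pack("!HH", AFI_AUTH, AUTH_TYPE_TRAILER)


def pad_key(key: bytes) -> bytes:
    """Keys are 16 bytes on the wire; shorter keys are zero-padded."""
    if len(key) > 16:
        raise ValueError("RIP-2 MD5 key longer than 16 bytes")
    return key.ljust(16, b"\x00")


def build_rte(prefix: str, mask: str, next_hop: str, metric: int) -> bytes:
    """One RIP-2 route entry: AFI=2 (IP), tag 0, network, mask, next hop, metric."""
    return struct.pack("!HH4s4s4sI", 2, 0,
                       ipaddress.ip_address(prefix).packed,
                       ipaddress.ip_address(mask).packed,
                       ipaddress.ip_address(next_hop).packed, metric)


def build_response(rtes: bytes, key_id: int, seq: int, key: bytes) -> bytes:
    """RIP-2 RESPONSE (command 2, version 2) with MD5 auth header and trailer."""
    header = struct.pack("!BBH", 2, 2, 0)
    rip_len = RIP_HDR_LEN + RTE_LEN + len(rtes)   # offset of the trailer
    # AFI, auth type, packet length, key id, auth data len, sequence, 8 reserved
    auth_hdr = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_TYPE_MD5, rip_len,
                           key_id, DIGEST_LEN, seq)
    body = header + auth_hdr + rtes + AUTH_TRAILER_HDR
    # Digest covers everything up to and including the trailer header, with
    # the padded key appended; the digest, not the key, goes on the wire.
    digest = hashlib.md5(body + pad_key(key)).digest()
    return body + digest


def verify_response(pkt: bytes, keys: dict, last_seq: dict, neighbor: str) -> bool:
    """Receiver check: structure, key id, digest, then anti-replay sequence.

    keys: key_id -> key bytes.  last_seq: neighbor -> last accepted sequence
    number (updated only when the packet is accepted)."""
    if len(pkt) < RIP_HDR_LEN + RTE_LEN + len(AUTH_TRAILER_HDR) + DIGEST_LEN:
        return False
    afi, atype, rip_len, key_id, auth_len, seq = struct.unpack_from(
        "!HHHBBI", pkt, RIP_HDR_LEN)
    if afi != AFI_AUTH or atype != AUTH_TYPE_MD5 or auth_len != DIGEST_LEN:
        return False
    if rip_len + len(AUTH_TRAILER_HDR) + DIGEST_LEN != len(pkt):
        return False
    if pkt[rip_len:rip_len + len(AUTH_TRAILER_HDR)] != AUTH_TRAILER_HDR:
        return False
    key = keys.get(key_id)
    if key is None:
        return False            # unknown key id: drop, never guess another key
    body, received = pkt[:-DIGEST_LEN], pkt[-DIGEST_LEN:]
    expected = hashlib.md5(body + pad_key(key)).digest()
    if not hmac.compare_digest(expected, received):   # constant-time compare
        return False
    # Sequence numbers must increase per neighbor; an old or replayed packet,
    # even with a valid digest, is rejected.
    if seq <= last_seq.get(neighbor, -1):
        return False
    last_seq[neighbor] = seq
    return True


def demo() -> dict:
    """Constructed exchange: one neighbor, one route, then three attacks."""
    key = b"s3cret-rip-key"                       # constructed shared key
    rtes = build_rte("10.1.0.0", "255.255.0.0", "0.0.0.0", 1)
    keys, state, nbr = {1: key}, {}, "192.0.2.1"
    pkt = build_response(rtes, key_id=1, seq=100, key=key)
    out = {"valid": verify_response(pkt, keys, state, nbr)}
    # Attacker rewrites the metric (last byte of the RTE) from 1 to 16.
    forged = bytearray(pkt)
    forged[RIP_HDR_LEN + RTE_LEN + RTE_LEN - 1] = 16
    out["tampered"] = verify_response(bytes(forged), keys, state, nbr)
    # Receiver configured with a different key for key id 1.
    out["wrong_key"] = verify_response(pkt, {1: b"other"}, {}, nbr)
    # Legitimate later update, followed by a replay of the first packet.
    pkt2 = build_response(rtes, key_id=1, seq=101, key=key)
    out["next"] = verify_response(pkt2, keys, state, nbr)
    out["replay"] = verify_response(pkt, keys, state, nbr)
    return out
```

The digest is computed over the key as well as the packet, which is why the receiver can detect the rewritten metric, and why the authentication is only as strong as the secrecy of the key: MD5 here is a keyed integrity check, not a replacement for protecting the key itself.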
-
Chapter 25 Configuring RIP Monitoring RIP Monitoring RIP We recommend that you only use the debug commands to troubleshoot specific problems or during troubleshooting sessions with the Cisco TAC. Debugging output is assigned high priority in the CPU process and can render the ASA unusable. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect performance.
-
-
CH A P T E R 26 Configuring Multicast Routing This chapter describes how to configure the ASA to use the multicast routing protocol and includes the following sections: • Information About Multicast Routing, page 26-1 • Licensing Requirements for Multicast Routing, page 26-2 • Guidelines and Limitations, page 26-3 • Enabling Multicast Routing, page 26-3 • Customizing Multicast Routing, page 26-4 • Configuration Example for Multicast Routing, page 26-14 • Additional References, page 26-15 •
-
Chapter 26 Configuring Multicast Routing Licensing Requirements for Multicast Routing • Multicast Group Concept, page 26-2 Stub Multicast Routing Stub multicast routing provides dynamic host registration and facilitates multicast routing. When configured for stub multicast routing, the ASA acts as an IGMP proxy agent. Instead of fully participating in multicast routing, the ASA forwards IGMP messages to an upstream multicast router, which sets up delivery of the multicast data.
-
Chapter 26 Configuring Multicast Routing Guidelines and Limitations Guidelines and Limitations This section includes the guidelines and limitations for this feature. Context Mode Guidelines Supported in single context mode. In multiple context mode, unshared interfaces and shared interfaces are not supported. Firewall Mode Guidelines Supported only in routed firewall mode. Transparent firewall mode is not supported. IPv6 Guidelines Does not support IPv6.
-
Chapter 26 Configuring Multicast Routing Customizing Multicast Routing Customizing Multicast Routing This section describes how to customize multicast routing and includes the following topics: • Configuring Stub Multicast Routing and Forwarding IGMP Messages, page 26-4 • Configuring a Static Multicast Route, page 26-4 • Configuring IGMP Features, page 26-5 • Configuring PIM Features, page 26-9 • Configuring a Bidirectional Neighbor Filter, page 26-13 • Configuring a Multicast Boundary, page 2
-
Chapter 26 Configuring Multicast Routing Customizing Multicast Routing Command Purpose mroute src_ip src_mask {input_if_name | rpf_neighbor} [distance] Configures a static multicast route. Example: hostname(config)# mroute src_ip src_mask {input_if_name | rpf_neighbor} [distance] mroute src_ip src_mask input_if_name [dense output_if_name] [distance] Configures a static multicast route for a stub area. The dense output_if_name keyword and argument pair is only supported for stub multicast routing.
-
Chapter 26 Configuring Multicast Routing Customizing Multicast Routing Disabling IGMP on an Interface You can disable IGMP on specific interfaces. This information is useful if you know that there are no multicast hosts on a specific interface and you want to prevent the ASA from sending host query messages on that interface. To disable IGMP on an interface, enter the following command: Command Purpose no igmp Disables IGMP on an interface. To reenable IGMP on an interface, use the igmp command.
-
Chapter 26 Configuring Multicast Routing Customizing Multicast Routing Command Purpose igmp static-group Configures the ASA statically to join a multicast group on an interface. The group-address argument is the IP address of the group.
-
Chapter 26 Configuring Multicast Routing Customizing Multicast Routing Command Purpose igmp limit number Limits the number of IGMP states on an interface. Example: hostname(config-if)# igmp limit 50 Valid values range from 0 to 500, with 500 being the default value. Setting this value to 0 prevents learned groups from being added, but manually defined memberships (using the igmp join-group and igmp static-group commands) are still permitted. The no form of this command restores the default value.
-
Chapter 26 Configuring Multicast Routing Customizing Multicast Routing Step 2 Command Purpose igmp query-timeout seconds Changes the timeout value of the query. Valid values range from 0 to 500; 225 is the default value. Example: hostname(config-if)# igmp query-timeout 30 Step 3 igmp query-max-response-time seconds Changes the maximum query response time.
-
Chapter 26 Configuring Multicast Routing Customizing Multicast Routing Enabling and Disabling PIM on an Interface You can enable or disable PIM on specific interfaces. To enable or disable PIM on an interface, perform the following steps: Detailed Steps Step 1 Command Purpose pim Enables or reenables PIM on a specific interface. Example: hostname(config-if)# pim Step 2 no pim Disables PIM on a specific interface.
-
Chapter 26 Configuring Multicast Routing Customizing Multicast Routing Note The ASA always advertises the bidirectional capability in the PIM hello messages, regardless of the actual bidirectional configuration. Configuring the Designated Router Priority The DR is responsible for sending PIM register, join, and prune messages to the RP. When there is more than one multicast router on a network segment, selecting the DR is based on the DR priority.
-
Chapter 26 Configuring Multicast Routing Customizing Multicast Routing Configuring PIM Message Intervals Router query messages are used to select the PIM DR. The PIM DR is responsible for sending router query messages. By default, router query messages are sent every 30 seconds. Additionally, every 60 seconds, the ASA sends PIM join or prune messages. To change these intervals, perform the following steps: Detailed Steps Step 1 Command Purpose pim hello-interval seconds Sends router query messages.
-
Chapter 26 Configuring Multicast Routing Customizing Multicast Routing Configuring a Bidirectional Neighbor Filter The Bidirectional Neighbor Filter pane shows the PIM bidirectional neighbor filters, if any, that are configured on the ASA. A PIM bidirectional neighbor filter is an ACL that defines the neighbor devices that can participate in the DF election. If a PIM bidirectional neighbor filter is not configured for an interface, then there are no restrictions.
-
Chapter 26 Configuring Multicast Routing Configuration Example for Multicast Routing Configuring a Multicast Boundary Address scoping defines domain boundaries so that domains with RPs that have the same IP address do not leak into each other. Scoping is performed on the subnet boundaries within large domains and on the boundaries between the domain and the Internet.
-
Chapter 26 Configuring Multicast Routing Additional References Additional References For additional information related to routing, see the following sections: • Related Documents, page 26-15 • RFCs, page 26-15 Related Documents Related Topic Document Title Technical details about the IGMP and multicast routing IETF draft-ietf-idmr-igmp-proxy-01.
-
-
CH A P T E R 27 Configuring EIGRP This chapter describes how to configure the ASA to route data, perform authentication, and redistribute routing information using the Enhanced Interior Gateway Routing Protocol (EIGRP).
-
Chapter 27 Configuring EIGRP Licensing Requirements for EIGRP The hello packets are sent out as multicast messages. No response is expected to a hello message. The exception to this is for statically defined neighbors. If you use the neighbor command, or configure the Hello Interval in ASDM, to configure a neighbor, the hello messages sent to that neighbor are sent as unicast messages. Routing updates and acknowledgements are sent out as unicast messages.
-
Chapter 27 Configuring EIGRP Configuring EIGRP IPv6 Guidelines Does not support IPv6. Configuring EIGRP This section describes how to enable the EIGRP process on your system. After you have enabled EIGRP, see the following sections to learn how to customize the EIGRP process on your system. • Enabling EIGRP, page 27-3 • Enabling EIGRP Stub Routing, page 27-3 Enabling EIGRP You can only enable one EIGRP routing process on the ASA.
-
Chapter 27 Configuring EIGRP Customizing EIGRP neighbor that receives a packet informing it of the stub status will not query the stub router for any routes, and a router that has a stub peer will not query that peer. The stub router depends on the distribution router to send the correct updates to all peers.
-
Chapter 27 Configuring EIGRP Customizing EIGRP • Enabling EIGRP Authentication on an Interface, page 27-9 • Defining an EIGRP Neighbor, page 27-10 • Redistributing Routes Into EIGRP, page 27-11 • Filtering Networks in EIGRP, page 27-12 • Customizing the EIGRP Hello Interval and Hold Time, page 27-13 • Disabling Automatic Route Summarization, page 27-14 • Configuring Default Information in EIGRP, page 27-15 • Disabling EIGRP Split Horizon, page 27-16 • Restarting the EIGRP Process, page 27
-
Chapter 27 Configuring EIGRP Customizing EIGRP Configuring Interfaces for EIGRP If you have an interface that you do not want to have participate in EIGRP routing, but that is attached to a network that you want advertised, you can configure a network command that includes the network to which the interface is attached, and use the passive-interface command to prevent that interface from sending or receiving EIGRP updates.
-
Chapter 27 Configuring EIGRP Customizing EIGRP Command Purpose delay value The value argument is entered in tens of microseconds; to set the delay to 2000 microseconds, enter a value of 200. Example: hostname(config-if)# delay 200 To view the delay value assigned to an interface, use the show interface command. See the “Changing the Interface Delay Value” section on page 27-9 for more information on this option.
-
Chapter 27 Configuring EIGRP Customizing EIGRP Step 2 Command Purpose hostname(config-router)# network ip-addr [mask] Configures the interfaces and networks that participate in EIGRP routing. You can configure one or more network statements with this command. Example: Directly connected and static networks that fall within the defined network are advertised by the ASA. Additionally, only interfaces with an IP address that fall within the defined network participate in the EIGRP routing process.
-
Chapter 27 Configuring EIGRP Customizing EIGRP Changing the Interface Delay Value The interface delay value is used in EIGRP distance calculations. You can modify this value on a per-interface basis. To change the interface delay value, perform the following steps: Detailed Steps Step 1 Command Purpose interface phy_if Enters interface configuration mode for the interface on which you are changing the delay value used by EIGRP.
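How the configured interface delay enters the EIGRP distance calculation, as an added Python example (not ASA code). It uses the classic EIGRP composite metric with the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0), under which the metric is 256 × (10^7 / minimum path bandwidth in kbps + cumulative delay in tens of microseconds), so the delay value is used exactly as it is entered with the delay command. The bandwidth figures and the two sample paths are constructed.

```python
"""Classic EIGRP composite metric (added example, not ASA code)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Hop:
    bandwidth_kbps: int     # interface bandwidth in kbps
    delay_tens_us: int      # interface delay as entered with 'delay value'


def eigrp_metric(path: List[Hop], k1: int = 1, k2: int = 0, k3: int = 1,
                 k4: int = 0, k5: int = 0, load: int = 1,
                 reliability: int = 255) -> int:
    """Composite metric of a path: bandwidth is the path minimum, delay is
    cumulative; load and reliability only matter with non-default K values."""
    min_bw = min(h.bandwidth_kbps for h in path)
    bw = 10_000_000 // min_bw                    # scaled inverse bandwidth
    delay = sum(h.delay_tens_us for h in path)   # in tens of microseconds
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:                                  # reliability term is skipped when K5 = 0
        metric = metric * k5 // (reliability + k4)
    return 256 * metric


def t1_defaults() -> int:
    """A 1544 kbps serial link with the usual 20000 microsecond delay (delay 2000)."""
    return eigrp_metric([Hop(1544, 2000)])


def effect_of_delay() -> int:
    """Same link after 'delay 200' (2000 microseconds): the metric drops."""
    return eigrp_metric([Hop(1544, 200)])


def best_path(paths: Dict[str, List[Hop]]) -> str:
    """EIGRP prefers the lowest composite metric among the candidate paths."""
    return min(paths, key=lambda name: eigrp_metric(paths[name]))


# Constructed topology: both paths cross a 100 Mbps segment and then a T1;
# the second T1 has had its delay lowered with 'delay 200'.
SAMPLE_PATHS = {
    "via_A": [Hop(100_000, 10), Hop(1544, 2000)],
    "via_B": [Hop(100_000, 10), Hop(1544, 200)],
}
```

Because the delay term adds linearly and bandwidth is taken as the path minimum, raising or lowering the delay on one interface is the usual way to steer EIGRP path selection without misrepresenting link speed; the example makes the effect of `delay 200` visible as a concrete metric difference.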
-
Chapter 27 Configuring EIGRP Customizing EIGRP Detailed Steps Step 1 router eigrp as-num Creates an EIGRP routing process and enters router configuration mode for this EIGRP process. Example: The as-num argument is the autonomous system number of the EIGRP routing process. hostname(config)# router eigrp 2 Step 2 network ip-addr [mask] Example: hostname(config)# router eigrp 2 hostname(config-router)# network 10.0.0.0 255.0.0.
-
Chapter 27 Configuring EIGRP Customizing EIGRP Detailed Steps Step 1 Step 2 Command Purpose router eigrp as-num Creates an EIGRP routing process and enters router configuration mode for this EIGRP process. Example: hostname(config)# router eigrp 2 The as-num argument is the autonomous system number of the EIGRP routing process. neighbor ip-addr interface if_name Defines the static neighbor. The ip-addr argument is the IP address of the neighbor.
-
Chapter 27 Configuring EIGRP Customizing EIGRP Command Purpose redistribute connected [metric bandwidth delay reliability loading mtu] [route-map map_name] Redistributes connected routes into the EIGRP routing process. Example: hostname(config-router)# redistribute connected [metric bandwidth delay reliability loading mtu] [route-map map_name] redistribute static [metric bandwidth delay reliability loading mtu] [route-map map_name] Redistributes static routes into the EIGRP routing process.
-
Chapter 27 Configuring EIGRP Customizing EIGRP To filter networks in EIGRP, perform the following steps: Detailed Steps Step 1 Command Purpose router eigrp as-num Creates an EIGRP routing process and enters router configuration mode for this EIGRP process. Example: The as-num argument is the autonomous system number of the EIGRP routing process.
-
Chapter 27 Configuring EIGRP Customizing EIGRP Both the hello interval and the advertised hold time are configured on a per-interface basis. We recommend setting the hold time to be at minimum three times the hello interval. To configure the hello interval and advertised hold time, perform the following steps: Detailed Steps Step 1 Command Purpose interface phy_if Enters interface configuration mode for the interface on which you are configuring the hello interval or advertised hold time.
-
Chapter 27 Configuring EIGRP Customizing EIGRP Detailed Steps Step 1 Command Purpose router eigrp as-num Creates an EIGRP routing process and enters router configuration mode for this EIGRP process. Example: hostname(config)# router eigrp 2 The as-num argument is the autonomous system number of the EIGRP routing process. Step 2 no auto-summary Disables automatic route summarization. Automatic summary addresses have an administrative distance of 5; you cannot configure this value.
-
Chapter 27 Configuring EIGRP Customizing EIGRP Step 2 Command Purpose hostname(config-router)# network ip-addr [mask] Configures the interfaces and networks that participate in EIGRP routing. You can configure one or more network statements with this command. Example: Directly connected and static networks that fall within the defined network are advertised by the ASA. Additionally, only interfaces with an IP address that fall within the defined network participate in the EIGRP routing process.
-
Chapter 27 Configuring EIGRP Monitoring EIGRP To disable EIGRP split horizon, perform the following steps: Detailed Steps Step 1 Command Purpose interface phy_if Enters interface configuration mode for the interface on which you are disabling EIGRP split horizon. Example: hostname(config)# interface phy_if Step 2 no split-horizon eigrp as-number Disables split horizon for the EIGRP process on this interface.
-
Chapter 27 Configuring EIGRP Configuration Example for EIGRP Command (continued) Purpose (continued) show eigrp [as-number] traffic Displays EIGRP traffic statistics. router-id Displays the router-id for this EIGRP process. Disabling EIGRP Logging Messages Note no eigrp log-neighbor-changes Disables the logging of neighbor change messages. Enter this command in router configuration mode for the EIGRP routing process.
-
Chapter 27 Configuring EIGRP Feature History for EIGRP Feature History for EIGRP Table 27-1 lists each feature change and the platform release in which it was implemented. Table 27-1 Feature History for EIGRP Feature Name Platform Releases EIGRP support 7.0(1) Feature Information Support was added for routing data, performing authentication, and redistributing and monitoring routing information using the Enhanced Interior Gateway Routing Protocol (EIGRP).
-
CH A P T E R 28 Configuring IPv6 Neighbor Discovery This chapter describes how to enable and configure IPv6 neighbor discovery on the ASA and includes the following sections: • Information About IPv6 Neighbor Discovery, page 28-1 • Licensing Requirements for IPv6 Neighbor Discovery, page 28-4 • Guidelines and Limitations, page 28-4 • Default Settings for IPv6 Neighbor Discovery, page 28-6 • Configuring the Neighbor Solicitation Message Interval, page 28-7 • Configuring the Neighbor Reachable Ti
-
Chapter 28 Configuring IPv6 Neighbor Discovery Information About IPv6 Neighbor Discovery This section includes the following topics: • Neighbor Solicitation Messages, page 28-2 • Neighbor Reachable Time, page 28-3 • Router Advertisement Messages, page 28-3 • Static IPv6 Neighbors, page 28-4 Neighbor Solicitation Messages Neighbor solicitation messages (ICMPv6 Type 135) are sent on the local link by nodes attempting to discover the link-layer addresses of other nodes on the local link.
-
Chapter 28 Configuring IPv6 Neighbor Discovery Information About IPv6 Neighbor Discovery Neighbor Reachable Time The neighbor reachable time enables detecting unavailable neighbors. Shorter configured times enable detecting unavailable neighbors more quickly, however, shorter times consume more IPv6 network bandwidth and processing resources in all IPv6 network devices. Very short configured times are not recommended in normal IPv6 operation.
-
Chapter 28 Configuring IPv6 Neighbor Discovery Licensing Requirements for IPv6 Neighbor Discovery destination address in router solicitation messages is the all-routers multicast address with a scope of the link. When a router advertisement is sent in response to a router solicitation, the destination address in the router advertisement message is the unicast address of the source of the router solicitation message.
-
Chapter 28 Configuring IPv6 Neighbor Discovery Guidelines and Limitations • The configured time enables detecting unavailable neighbors. Shorter configured times enable detecting unavailable neighbors more quickly; however, shorter times consume more IPv6 network bandwidth and processing resources in all IPv6 network devices. Very short configured times are not recommended in normal IPv6 operation.
-
Chapter 28 Configuring IPv6 Neighbor Discovery Default Settings for IPv6 Neighbor Discovery • The ICMP syslogs generated are caused by a regular refresh of IPv6 neighbor entries. The ASA default timer for IPv6 neighbor entry is 30 seconds, so the ASA would generate ICMPv6 neighbor discovery and response packets about every 30 seconds.
-
Chapter 28 Configuring IPv6 Neighbor Discovery Configuring the Neighbor Solicitation Message Interval Configuring the Neighbor Solicitation Message Interval To configure the interval between IPv6 neighbor solicitation retransmissions on an interface, enter the following command: Command Purpose ipv6 nd ns-interval value Sets the interval between IPv6 neighbor solicitation retransmissions on an interface. Example: Valid values for the value argument range from 1000 to 3600000 milliseconds.
-
Chapter 28 Configuring IPv6 Neighbor Discovery Configuring the Router Advertisement Transmission Interval Configuring the Router Advertisement Transmission Interval To configure the interval between IPv6 router advertisement transmissions on an interface, enter the following command: Command Purpose ipv6 nd ra-interval [msec] value Sets the interval between IPv6 router advertisement transmissions. Example: The optional msec keyword indicates that the value provided is in milliseconds.
-
Chapter 28 Configuring IPv6 Neighbor Discovery Configuring DAD Settings Examples The following example configures an IPv6 router lifetime value of 2000 seconds for the selected interface, GigabitEthernet 0/0: hostname (config)# interface gigabitethernet 0/0 hostname (config-if)# ipv6 nd ra-lifetime 2000 Configuring DAD Settings To specify DAD settings on the interface, enter the following command: Command Purpose ipv6 nd dad attempts value Specifies the uniqueness of new unicast IPv6 addresses before
-
Chapter 28 Configuring IPv6 Neighbor Discovery Suppressing Router Advertisement Messages Suppressing Router Advertisement Messages Router advertisement messages are automatically sent in response to router solicitation messages. You may want to disable these messages on any interface for which you do not want the ASA to supply the IPv6 prefix (for example, the outside interface).
-
Chapter 28 Configuring IPv6 Neighbor Discovery Configuring the IPv6 Prefix Configuring the IPv6 Prefix To configure which IPv6 prefixes are included in IPv6 router advertisements, enter the following command: Command Purpose ipv6 nd prefix ipv6-prefix/prefix-length | default [[valid-lifetime preferred-lifetime] | [at valid-date preferred-date] | infinite | no-advertise | off-link | no-autoconfig] Configures which IPv6 prefixes are included in IPv6 router advertisements.
-
Chapter 28 Configuring IPv6 Neighbor Discovery Configuring a Static IPv6 Neighbor Examples The following example includes the IPv6 prefix 2001:DB8::/32, with a valid lifetime of 1000 seconds and a preferred lifetime of 900 seconds, in router advertisements sent out on the specified interface, which is GigabitEthernet 0/0: hostname(config)# interface gigabitethernet 0/0 hostname(config-if)# ipv6 nd prefix 2001:DB8::/32 1000 900 Configuring a Static IPv6 Neighbor To configure a static entry in the IPv6
-
Chapter 28 Configuring IPv6 Neighbor Discovery Monitoring IPv6 Neighbor Discovery To monitor IPv6 neighbor discovery parameters, enter the following command: Command: show ipv6 interface. Purpose: Displays the usability status of interfaces configured for IPv6. Appending an interface name, such as outside, displays the settings for that interface only.
-
Chapter 28 Configuring IPv6 Neighbor Discovery Feature History for IPv6 Neighbor Discovery Related Documents for IPv6 Prefixes: Related Topic: ipv6 commands; Document Title: command reference. RFCs for IPv6 Prefixes and Documentation: RFC 2373, IP Version 6 Addressing Architecture, includes complete documentation to show how IPv6 network address numbers must be shown in router advertisements.
-
PART 7 Configuring Network Address Translation
-
-
CHAPTER 29 Information About NAT This chapter provides an overview of how Network Address Translation (NAT) works on the ASA.
-
Chapter 29 Information About NAT NAT Terminology One of the main functions of NAT is to enable private IP networks to connect to the Internet. NAT replaces a private IP address with a public IP address, translating the private addresses in the internal private network into legal, routable addresses that can be used on the public Internet. In this way, NAT conserves public addresses because it can be configured to advertise at a minimum only one public address for the entire network to the outside world.
-
Chapter 29 Information About NAT NAT Types NAT Types • NAT Types Overview, page 29-3 • Static NAT, page 29-3 • Dynamic NAT, page 29-8 • Dynamic PAT, page 29-10 • Identity NAT, page 29-11 NAT Types Overview You can implement NAT using the following methods: • Static NAT—A consistent mapping between a real and mapped IP address. Allows bidirectional traffic initiation. See the “Static NAT” section on page 29-3.
-
Chapter 29 Information About NAT NAT Types Figure 29-1 shows a typical static NAT scenario. The translation is always active so both real and remote hosts can initiate connections. [Figure 29-1 Static NAT: the inside hosts 10.1.1.1 and 10.1.1.2 are mapped through the security appliance to the outside addresses 209.165.201.1 and 209.165.201.2.] Information About Static NAT with Port Translation Static NAT with port translation lets you specify a real and mapped protocol (TCP or UDP) and port.
-
Chapter 29 Information About NAT NAT Types Static NAT with Identity Port Translation The following static NAT with port translation example provides a single address for remote users to access FTP, HTTP, and SMTP. These servers are actually different devices on the real network, but for each server, you can specify static NAT with port translation rules that use the same mapped IP address, but different ports. (See Figure 29-3.
-
Chapter 29 Information About NAT NAT Types Information About One-to-Many Static NAT Typically, you configure static NAT with a one-to-one mapping. However, in some cases, you might want to configure a single real address to several mapped addresses (one-to-many). When you configure one-to-many static NAT, when the real host initiates traffic, it always uses the first mapped address.
-
Chapter 29 Information About NAT NAT Types For example, you have a load balancer at 10.1.2.27. Depending on the URL requested, it redirects traffic to the correct web server (see Figure 29-5). (See the “Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many)” section on page 30-17 for details on how to configure this example.) [Figure 29-5 One-to-Many Static NAT: outside hosts send to several mapped addresses, among them 209.165.201.3 and 209.165.201.5, and each translation is undone to the single real address 10.1.2.27.]
-
Chapter 29 Information About NAT NAT Types Figure 29-6 shows a typical few-to-many static NAT scenario. [Figure 29-6 Few-to-Many Static NAT: the two real addresses 10.1.2.27 and 10.1.2.28 are paired in turn with five mapped addresses: 10.1.2.27 to 209.165.201.3, 10.1.2.28 to 209.165.201.4, 10.1.2.27 to 209.165.201.5, 10.1.2.28 to 209.165.201.6, and 10.1.2.27 to 209.165.201.7.] For a many-to-few or many-to-one configuration, where you have more real addresses than mapped addresses, you run out of mapped addresses before you run out of real addresses.
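The following Python model is an added example, not code from the guide or from Cisco. It reproduces the pairing rule that the one-to-many, few-to-many and many-to-few figures illustrate: real and mapped addresses are walked in parallel, wrapping the shorter list, a real host that initiates always uses the first mapped address paired with it, and a connection to a mapped address is undone to the first (lowest) real address paired with it. The class and function names and the sample address lists are the example's own; expand_range stands in for an ASA range object.

```python
import ipaddress


def expand_range(first, last):
    """Expand an ASA 'range first last' object into its individual addresses (inclusive)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(ipaddress.ip_address(n)) for n in range(int(lo), int(hi) + 1)]


def pair_static_addresses(real_addrs, mapped_addrs):
    """Pair real and mapped addresses in order, wrapping the shorter list.

    This is the layout shown in the few-to-many figure: with reals [A, B] and
    mapped [1..5] you get (A,1) (B,2) (A,3) (B,4) (A,5).
    """
    n = max(len(real_addrs), len(mapped_addrs))
    return [(real_addrs[i % len(real_addrs)], mapped_addrs[i % len(mapped_addrs)])
            for i in range(n)]


class StaticNat:
    """Toy static NAT rule (example model, not the ASA implementation)."""

    def __init__(self, real_addrs, mapped_addrs):
        self.pairs = pair_static_addresses(list(real_addrs), list(mapped_addrs))

    def outbound(self, real_ip):
        # A real host that initiates traffic always uses the first mapped
        # address it is paired with (the one-to-many case in the text).
        return next((m for r, m in self.pairs if r == real_ip), None)

    def inbound(self, mapped_ip):
        # Traffic to a mapped address is undone to the first real address
        # paired with it; for many-to-few that is the lowest real address.
        return next((r for r, m in self.pairs if m == mapped_ip), None)

    def reachable_from_outside(self):
        # Real addresses that a remote host can actually initiate traffic to.
        return sorted({self.inbound(m) for _, m in self.pairs},
                      key=ipaddress.ip_address)


if __name__ == "__main__":
    # Constructed sample: the load balancer from Figure 29-5 (one-to-many).
    lb = StaticNat(["10.1.2.27"], expand_range("209.165.201.3", "209.165.201.5"))
    print("load balancer initiates as", lb.outbound("10.1.2.27"))
    print("209.165.201.5 is undone to", lb.inbound("209.165.201.5"))

    # Many-to-few: four real hosts share two mapped addresses; only the two
    # lowest real hosts can be reached from outside.
    many = StaticNat(expand_range("10.1.2.27", "10.1.2.30"),
                     ["209.165.201.3", "209.165.201.4"])
    print("reachable from outside:", many.reachable_from_outside())
```

The many-to-few case is the one worth checking before deploying such a rule: the higher real addresses can still initiate connections, but nothing on the outside can initiate to them, which is easy to miss when the mapped pool is smaller than the real range.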
-
Chapter 29 Information About NAT NAT Types Information About Dynamic NAT Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The mapped pool typically includes fewer addresses than the real group. When a host you want to translate accesses the destination network, the ASA assigns the host an IP address from the mapped pool. The translation is created only when the real host initiates the connection.
-
Chapter 29 Information About NAT NAT Types Note For the duration of the translation, a remote host can initiate a connection to the translated host if an access rule allows it. Because the address is unpredictable, a connection to the host is unlikely. Nevertheless, in this case you can rely on the security of the access rule.
-
Chapter 29 Information About NAT NAT Types Figure 29-10 shows a typical dynamic PAT scenario. Only real hosts can create a NAT session, and responding traffic is allowed back. The mapped address is the same for each translation, but the port is dynamically assigned. [Figure 29-10 Dynamic PAT: three inside connections, among them 10.1.1.1:1026 and 10.1.1.2:1025, are all translated by the security appliance to the single outside address 209.165.201.1, with the mapped ports 2020, 2021, and 2022.]
-
Chapter 29 Information About NAT NAT in Routed and Transparent Mode Figure 29-11 shows a typical identity NAT scenario. [Figure 29-11 Identity NAT: the addresses 209.165.201.1 and 209.165.201.2 are translated to themselves between the inside and outside interfaces.] NAT in Routed and Transparent Mode You can configure NAT in both routed and transparent firewall mode.
-
Chapter 29 Information About NAT NAT in Routed and Transparent Mode NAT in Routed Mode Figure 29-12 shows a typical NAT example in routed mode, with a private network on the inside. [Figure 29-12 NAT Example: Routed Mode: the inside host 10.1.2.27 (the ASA inside interface is 10.1.2.1) connects to the web server www.cisco.com at 209.165.201.2; the source address of the originating packet is translated from 10.1.2.27 to 209.165.201.10, and the destination of the responding packet is undone from 209.165.201.10 to 10.1.2.27.] 1. When the inside host at 10.1.2.
-
Chapter 29 Information About NAT NAT for VPN [Figure 29-13 NAT Example: Transparent Mode: the ASA, with management IP 10.1.1.1, sits between the Internet router (10.1.1.2) and the 10.1.1.0 segment, which holds the host 10.1.1.75 and a router at 10.1.1.3 (192.168.1.1 on Network 2, 192.168.1.0/24, where host 192.168.1.2 lives). Static route on the upstream router: 209.165.201.0/27 to 10.1.1.1. Static route on the ASA: 192.168.1.0/24 to 10.1.1.3. Source address translations: 10.1.1.75 to 209.165.201.15, and 192.168.1.2 to 209.165.201.10. The destination is www.example.com on the Internet.] 1. When the inside host at 10.1.1.
-
Information About NAT NAT for VPN Figure 29-14 shows a VPN client that wants to visit a website at www.example.com. In this example, an interface PAT rule on the outside interface matches the VPN-assigned address 10.1.1.10. With intra-interface communication enabled, traffic can exit the same interface it entered to reach www.example.com. A similar example without the need for hairpin networking includes an ASA for VPN termination, and a separate ASA with NAT as the Internet gateway.
-
Chapter 29 Information About NAT How NAT is Implemented How NAT is Implemented The ASA can implement address translation in two ways: network object NAT and twice NAT.
-
Chapter 29 Information About NAT How NAT is Implemented Information About Network Object NAT All NAT rules that are configured as a parameter of a network object are considered to be network object NAT rules. Network object NAT is a quick and easy way to configure NAT for a network object, which can be a single IP address, a range of addresses, or a subnet.
-
Chapter 29 Information About NAT How NAT is Implemented [Figure 29-16 Twice NAT with Different Destination Addresses: the inside host 10.1.2.27 (network 10.1.2.0/24) is translated to 209.165.202.129 for packets whose destination is Server 1 at 209.165.201.11 (DMZ network 209.165.201.0/27), and to 209.165.202.130 for packets whose destination is Server 2 at 209.165.200.225 (DMZ network 209.165.200.224/27).] Figure 29-17 shows the use of source and destination ports. The host on the 10.1.2.
-
Information About NAT How NAT is Implemented Figure 29-18 shows a remote host connecting to a mapped host. The mapped host has a twice static NAT translation that translates the real address only for traffic to and from the 209.165.201.0/27 network. A translation does not exist for the 209.165.200.224/27 network, so the translated host cannot connect to that network, nor can a host on that network connect to the translated host. [Figure 29-18 Twice Static NAT with Destination Address Translation]
-
Chapter 29 Information About NAT NAT Rule Order Network object NAT rules and twice NAT rules are stored in a single table that is divided into three sections. Section 1 rules are applied first, then section 2, and finally section 3. Table 29-1 shows the order of rules within each section. Table 29-1 NAT Rule Table (columns: Table Section; Rule Type; Order of Rules within the Section). Section 1: twice NAT; applied on a first match basis, in the order they appear in the configuration.
-
Chapter 29 Information About NAT NAT Interfaces The resultant ordering would be:
192.168.1.1/32 (static)
10.1.1.0/24 (static)
192.168.1.0/24 (static)
172.16.1.0/24 (dynamic) (object abc)
172.16.1.0/24 (dynamic) (object def)
192.168.1.0/24 (dynamic)
NAT Interfaces You can configure a NAT rule to apply to any interface (in other words, all interfaces), or you can identify specific real and mapped interfaces.
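The following Python script is an added example, not code from the guide or from Cisco. It parses a constructed fragment of ASA configuration (six network objects with object NAT statements, plus one twice NAT rule and one after-auto twice NAT rule) and rebuilds the three-section NAT table: sections 1 and 3 keep configuration order, and section 2 is sorted the way the resultant ordering above implies, static before dynamic, then fewer real addresses first, then lower real address, then object name. That sort key is the example's reading of the ordering shown on this page, since the section 2 rows of Table 29-1 are cut off here; the object names and addresses in the sample are the example's own, chosen so the output matches the list above.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed configuration fragment (not from the guide). Object bodies are
# indented by one space, as the ASA prints them in show running-config.
SAMPLE_CONFIG = """
nat (inside,dmz) source static inside-net inside-net destination static dmz-net dmz-net
object network dyn-192
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic 209.165.201.3
object network def
 subnet 172.16.1.0 255.255.255.0
 nat (inside,outside) dynamic 209.165.201.4
object network static-192-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) static 209.165.202.0
object network abc
 subnet 172.16.1.0 255.255.255.0
 nat (inside,outside) dynamic 209.165.201.5
object network static-10
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) static 209.165.203.0
object network static-host
 host 192.168.1.1
 nat (inside,outside) static 209.165.201.10
nat (inside,outside) after-auto source dynamic any interface
"""


@dataclass
class NatRule:
    section: int      # 1 or 3 = twice NAT, 2 = network object NAT
    kind: str         # "static" or "dynamic"
    name: str         # object name (section 2) or the raw twice NAT line
    first: int = 0    # lowest real address, as an integer
    count: int = 0    # number of real addresses
    real: str = ""    # printable real address(es)


def _parse_real(line):
    """Return (first, count, text) for a host/subnet/range line inside an object."""
    words = line.split()
    if words[0] == "host":
        net = ipaddress.ip_network(words[1], strict=False)
    elif words[0] == "subnet":
        net = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
    elif words[0] == "range":
        lo, hi = ipaddress.ip_address(words[1]), ipaddress.ip_address(words[2])
        return int(lo), int(hi) - int(lo) + 1, f"{lo}-{hi}"
    else:
        return None
    return int(net.network_address), net.num_addresses, str(net)


def parse_nat_rules(config):
    """Collect object NAT rules (section 2) and twice NAT rules (section 1 or 3)."""
    rules, obj_name, real = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):                       # top-level command
            obj_name, real = None, None
            m = re.match(r"object network (\S+)$", line)
            if m:
                obj_name = m.group(1)
            elif re.match(r"nat \(\S+\) (after-auto )?source ", line):
                section = 3 if " after-auto " in line else 1
                kind = "static" if " source static " in line else "dynamic"
                rules.append(NatRule(section, kind, line))
            continue
        parsed = _parse_real(line)                        # inside an object body
        if parsed:
            real = parsed
            continue
        m = re.match(r"nat \(\S+,\S+\) (static|dynamic) ", line)
        if m and obj_name and real:
            rules.append(NatRule(2, m.group(1), obj_name, *real))
    return rules


def order_nat_table(rules):
    """Sections 1 and 3 keep configuration order; section 2 is sorted as the guide describes."""
    s1 = [r for r in rules if r.section == 1]
    s3 = [r for r in rules if r.section == 3]
    s2 = sorted((r for r in rules if r.section == 2),
                key=lambda r: (0 if r.kind == "static" else 1, r.count, r.first, r.name))
    return s1 + s2 + s3


def describe(rule):
    if rule.section == 2:
        return f"{rule.real} ({rule.kind}) (object {rule.name})"
    return f"section {rule.section}: {rule.name}"


if __name__ == "__main__":
    for rule in order_nat_table(parse_nat_rules(SAMPLE_CONFIG)):
        print(describe(rule))
```

Run against a real running-config, a script like this makes it obvious when an object NAT rule you expected to win is shadowed by a more specific static rule, or when a broad after-auto twice NAT rule in section 3 is never reached.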
-
Chapter 29 Information About NAT Routing NAT Packets Mapped Addresses and Routing When you translate the real address to a mapped address, the mapped address you choose determines how to configure routing, if necessary, for the mapped address. See additional guidelines about mapped IP addresses in Chapter 30, “Configuring Network Object NAT,” and Chapter 31, “Configuring Twice NAT.” See the following mapped address types: • Addresses on the same network as the mapped interface.
-
Chapter 29 Information About NAT Routing NAT Packets the NAT rule must match both the source and destination addresses, the proxy ARP decision is made only on the “source” address). If the ASA ARP response is received before the actual host ARP response, then traffic will be mistakenly sent to the ASA (see Figure 29-20). [Figure 29-20 Proxy ARP Problems with Identity NAT: a host sends an ARP request for 209.165.200.230; the ASA answers on behalf of the mapped address, and the real host's own ARP response (step 3) arrives too late, so traffic goes to the ASA. The other addresses in the figure are 209.165.200.225 and 209.165.200.231.]
-
Chapter 29 Information About NAT DNS and NAT Transparent Mode Routing Requirements for Remote Networks If the ASA performs NAT for a host that is not on the directly-connected network, then you need to configure a static route on the ASA for that network. You also need to have a static route for embedded IP addresses that are at least one hop away from the ASA (such as in VoIP or DNS traffic) when you have inspection and NAT enabled.
-
Information About NAT DNS and NAT and translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply modification, then the inside host attempts to send traffic to 209.165.201.10 instead of accessing ftp.cisco.com directly. [Figure 29-22 DNS Reply Modification, DNS Server on Outside: (1) the inside user sends a DNS query for ftp.cisco.com; (2) the outside DNS server replies with 209.165.201.10; (3) the security appliance modifies the reply, translating 209.165.201.10 to 10.1.3.14; (4) the user on the inside receives the DNS reply 10.1.3.14.]
-
Chapter 29 Information About NAT DNS and NAT a static rule between the inside and DMZ, then you also need to enable DNS reply modification on this rule. The DNS reply will then be modified two times. In this case, the ASA again translates the address inside the DNS reply to 192.168.1.10 according to the static rule between inside and DMZ. [Figure 29-23 DNS Reply Modification, DNS Server, Host, and Server on Separate Networks: (1) the DNS query for ftp.cisco.com; (2) the DNS server's reply.]
-
Chapter 29 Information About NAT Where to Go Next Figure 29-24 shows a web server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.20.10. Because you want inside users to use the mapped address for ftp.cisco.com (10.1.2.56) you need to configure DNS reply modification for the static translation.
-
-
CHAPTER 30 Configuring Network Object NAT All NAT rules that are configured as a parameter of a network object are considered to be network object NAT rules. Network object NAT is a quick and easy way to configure NAT for a single IP address, a range of addresses, or a subnet. After you configure the network object, you can then identify the mapped address for that object.
-
Chapter 30 Configuring Network Object NAT Licensing Requirements for Network Object NAT The following table shows the licensing requirements for this feature: Model: All models. License Requirement: Base License.
-
Chapter 30 Configuring Network Object NAT Default Settings • If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT configuration is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections that use translations.
-
Chapter 30 Configuring Network Object NAT Configuring Network Object NAT Configuring Dynamic NAT This section describes how to configure network object NAT for dynamic NAT. For more information, see the “Dynamic NAT” section on page 29-8. Detailed Steps Step 1 Command Purpose Network object: To specify the mapped addresses (that you want to translate to), configure a network object or network object group. A network object group can contain objects and/or inline addresses.
-
Chapter 30 Configuring Network Object NAT Configuring Network Object NAT Step 4 Command Purpose nat [(real_ifc,mapped_ifc)] dynamic mapped_obj [interface] [dns] Configures dynamic NAT for the object IP addresses. Note You can only define a single NAT rule for a given object. See the “Additional Guidelines” section on page 30-2.
-
Chapter 30 Configuring Network Object NAT Configuring Network Object NAT Configuring Dynamic PAT (Hide) This section describes how to configure network object NAT for dynamic PAT (hide). For more information, see the “Dynamic PAT” section on page 29-10. Guidelines For a PAT pool: • If available, the real source port number is used for the mapped port.
-
Chapter 30 Configuring Network Object NAT Configuring Network Object NAT Detailed Steps Step 1 Command Purpose (Optional) Specify the mapped address(es) (that you want to translate to). You can configure a single address or, for a PAT pool, multiple addresses. Configure a network object or network object group. A network object group can contain objects and/or inline addresses.
-
Chapter 30 Configuring Network Object NAT Configuring Network Object NAT Step 4 Command Purpose nat [(real_ifc,mapped_ifc)] dynamic {mapped_inline_host_ip | mapped_obj | pat-pool mapped_obj [round-robin] [extended] [flat [include-reserve]] | interface} [interface] [dns] Configures dynamic PAT for the object IP addresses. You can only define a single NAT rule for a given object. See the “Additional Guidelines” section on page 30-2.
-
Chapter 30 Configuring Network Object NAT Configuring Network Object NAT Command Purpose (continued) – Extended PAT—(8.4(3) and later, not including 8.5(1) or 8.6(1)) The extended keyword enables extended PAT. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. Normally, the destination port and address are not considered when creating PAT translations, so you are limited to 65535 ports per PAT address.
-
Chapter 30 Configuring Network Object NAT Configuring Network Object NAT Configuring Static NAT or Static NAT-with-Port-Translation This section describes how to configure a static NAT rule using network object NAT. For more information, see the “Static NAT” section on page 29-3. Detailed Steps Step 1 Command Purpose (Optional) To specify the mapped addresses (that you want to translate to), configure a network object or network object group.
-
Chapter 30 Configuring Network Object NAT Configuring Network Object NAT Step 4 Command Purpose nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip | mapped_obj | interface} [dns | service {tcp | udp} real_port mapped_port] [no-proxy-arp] Configures static NAT for the object IP addresses. Example: hostname(config-network-object)# nat (inside,outside) static MAPPED_IPS service tcp 80 8080 Note You can only define a single NAT rule for a given object.
-
Chapter 30 Configuring Network Object NAT Configuring Network Object NAT Examples The following example configures static NAT for the real host 10.1.1.1 on the inside to 10.2.2.2 on the outside with DNS rewrite enabled. hostname(config)# object network my-host-obj1 hostname(config-network-object)# host 10.1.1.1 hostname(config-network-object)# nat (inside,outside) static 10.2.2.2 dns The following example configures static NAT for the real host 10.1.1.1 on the inside to 2.2.2.
-
Chapter 30 Configuring Network Object NAT Configuring Network Object NAT Step 3 Command Purpose {host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2} If you are creating a new network object, defines the real IP address(es) to which you want to perform identity NAT. If you configured a network object for the mapped addresses in Step 1, then these addresses must match. Example: hostname(config-network-object)# subnet 10.1.1.0 255.255.255.
-
Chapter 30 Configuring Network Object NAT Monitoring Network Object NAT The following example maps a host address to itself using a network object: hostname(config)# object network my-host-obj1-identity hostname(config-network-object)# host 10.1.1.1 hostname(config-network-object)# object network my-host-obj1 hostname(config-network-object)# host 10.1.1.
-
Chapter 30 Configuring Network Object NAT Configuration Examples for Network Object NAT Configuration Examples for Network Object NAT This section includes the following configuration examples: • Providing Access to an Inside Web Server (Static NAT), page 30-15 • NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT), page 30-16 • Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many), page 30-17 • Single Address for FTP, HTTP, and SMTP (Static NAT-
-
Chapter 30 Configuring Network Object NAT Configuration Examples for Network Object NAT Step 3 Configure static NAT for the object: hostname(config-network-object)# nat (inside,outside) static 209.165.201.10 NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT) The following example configures dynamic NAT for inside users on a private network when they access the outside.
-
Chapter 30 Configuring Network Object NAT Configuration Examples for Network Object NAT Step 4 Create a network object for the outside web server: hostname(config)# object network myWebServ Step 5 Define the web server address: hostname(config-network-object)# host 209.165.201.12 Step 6 Configure static NAT for the web server: hostname(config-network-object)# nat (outside,inside) static 10.1.2.
-
Chapter 30 Configuring Network Object NAT Configuration Examples for Network Object NAT hostname(config)# object network myPublicIPs hostname(config-network-object)# range 209.165.201.3 209.165.201.8 Step 2 Create a network object for the load balancer: hostname(config)# object network myLBHost Step 3 Define the load balancer address: hostname(config-network-object)# host 10.1.2.
-
Chapter 30 Configuring Network Object NAT Configuration Examples for Network Object NAT Step 2 Define the FTP server address, and configure static NAT with identity port translation for the FTP server: hostname(config-network-object)# host 10.1.2.27 hostname(config-network-object)# nat (inside,outside) static 209.165.201.
-
Chapter 30 Configuring Network Object NAT Configuration Examples for Network Object NAT When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10). The ASA refers to the static rule for the inside server and translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply modification, then the inside host attempts to send traffic to 209.165.201.10 instead of accessing ftp.cisco.com directly.
-
Chapter 30 Configuring Network Object NAT Configuration Examples for Network Object NAT DNS Server and Web Server on Mapped Interface, Web Server is Translated (Static NAT with DNS Modification) Figure 30-6 shows a web server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.20.10.
-
Chapter 30 Configuring Network Object NAT Feature History for Network Object NAT Table 30-1 lists each feature change and the platform release in which it was implemented. Table 30-1 Feature History for Network Object NAT (columns: Feature Name; Platform Releases; Feature Information). Network Object NAT, 8.3(1): Configures NAT for a network object IP address(es).
-
Chapter 30 Configuring Network Object NAT Feature History for Network Object NAT Table 30-1 Feature History for Network Object NAT (continued). Flat range of PAT ports for a PAT pool, 8.4(3): If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535.
-
Chapter 30 Configuring Network Object NAT Feature History for Network Object NAT Table 30-1 Feature History for Network Object NAT (continued). Extended PAT for a PAT pool, 8.4(3): Each PAT IP address allows up to 65535 ports. If 65535 ports do not provide enough translations, you can now enable extended PAT for a PAT pool.
-
CHAPTER 31 Configuring Twice NAT Twice NAT lets you identify both the source and destination address in a single rule.
-
Chapter 31 Configuring Twice NAT Licensing Requirements for Twice NAT Twice NAT also lets you use service objects for static NAT-with-port-translation; network object NAT only accepts inline definition. For detailed information about the differences between twice NAT and network object NAT, see the “How NAT is Implemented” section on page 29-16. Twice NAT rules are added to section 1 of the NAT rules table, or if specified, section 3.
-
Chapter 31 Configuring Twice NAT Default Settings Additional Guidelines • If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections that use translations.
-
Chapter 31 Configuring Twice NAT Configuring Twice NAT Configuring Dynamic NAT This section describes how to configure twice NAT for dynamic NAT. For more information, see the “Dynamic NAT” section on page 29-8. Detailed Steps Step 1 Command Purpose Network object: Configure the real source addresses. object network obj_name {host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2} You can configure either a network object or a network object group.
-
Chapter 31 Configuring Twice NAT Configuring Twice NAT Step 3 Command Purpose (Optional) Configure the real destination addresses. Network object: You can configure either a network object or a network object group.
-
Chapter 31 Configuring Twice NAT Configuring Twice NAT Step 5 Command Purpose (Optional) Configure service objects for: object service obj_name service {tcp | udp} destination operator port Example: hostname(config)# object service REAL_SVC hostname(config-service-object)# service tcp destination eq 80 hostname(config)# object service MAPPED_SVC hostname(config-service-object)# service tcp destination eq 8080 • Destination real port
-
Chapter 31 Configuring Twice NAT Configuring Twice NAT Step 6 Command Purpose nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}] source dynamic {real_obj | any} {mapped_obj [interface]} [destination static {mapped_obj | interface} real_obj] [service mapped_dest_svc_obj real_dest_svc_obj] [dns] [inactive] [description desc] Configure dynamic NAT. See the following guidelines: • Interfaces—(Required for transparent mode) Specify the real and mapped interfaces.
-
Chapter 31 Configuring Twice NAT Configuring Twice NAT Command Purpose (Continued) • Destination addresses (Optional): – Mapped—Specify a network object or group, or for static interface NAT with port translation only, specify the interface keyword (see Step 4). If you specify interface, be sure to also configure the service keyword. For this option, you must configure a specific interface for the real_ifc. See the “Static Interface NAT with Port Translation” section on page 29-5 for more information.
-
Chapter 31 Configuring Twice NAT Configuring Twice NAT • Many application inspections do not support extended PAT. See the “Default Settings” section on page 42-4 in Chapter 42, “Getting Started with Application Layer Protocol Inspection,” for a complete list of unsupported inspections. • If you enable extended PAT for a dynamic PAT rule, then you cannot also use an address in the PAT pool as the PAT address in a separate static NAT-with-port-translation rule. For example, if the PAT pool includes 10.
-
Chapter 31 Configuring Twice NAT Configuring Twice NAT Step 2 Command Purpose Network object: Specify the mapped address(es) (that you want to translate to). You can configure a single address or, for a PAT pool, multiple addresses. Configure a network object or network object group. A network object group can contain objects and/or inline addresses.
-
Chapter 31 Configuring Twice NAT Configuring Twice NAT Step 4 Command Purpose (Optional) Configure the mapped destination addresses. Network object: The destination translation is always static. For identity NAT, you can skip this step and simply use the same object or group for both the real and mapped addresses.
-
Chapter 31 Configuring Twice NAT Configuring Twice NAT Step 6 Command Purpose nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}] source dynamic {real-obj | any} {mapped_obj [interface] | [pat-pool mapped_obj [round-robin] [extended] [flat [include-reserve]] [interface] | interface} [destination static {mapped_obj | interface} real_obj] [service mapped_dest_svc_obj real_dest_svc_obj] [dns] [inactive] [description desc] Configures dynamic PAT (hide).
-
Chapter 31 Configuring Twice NAT Configuring Twice NAT Command Purpose (continued) For a PAT pool, you can specify one or more of the following options: -- Round robin—The round-robin keyword enables round-robin address allocation for a PAT pool. Without round robin, by default all ports for a PAT address will be allocated before the next PAT address is used.
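The following Python model is an added example, not code from the guide or from Cisco, and it covers the pat-pool keywords described for both network object NAT (Chapter 30) and twice NAT (this chapter): real source port reuse when free, the per-range fallback without flat, the 1024 to 65535 range with flat and the 1 to 65535 range with include-reserve, round-robin address selection with the 8.4(3) behaviour that an existing host keeps its PAT address, and extended PAT keyed by destination. It is a simplified model for reasoning about port exhaustion, not the ASA allocator; the class name, the sample addresses and destinations are the example's own, and it assumes port 0 is never allocated, so the lowest block is modelled as 1 to 511.

```python
# Port blocks used when the real source port is taken and "flat" is not set.
# The guide lists the first block as 0-511; this model starts at 1 because port 0
# is not a usable source port (an assumption of the example).
LEGACY_BLOCKS = ((1, 511), (512, 1023), (1024, 65535))


class PatPool:
    """Toy PAT address/port allocator for a pat-pool (example model only)."""

    def __init__(self, addresses, round_robin=False, extended=False,
                 flat=False, include_reserve=False):
        self.addresses = list(addresses)
        self.round_robin = round_robin
        self.extended = extended
        self.flat = flat
        self.include_reserve = include_reserve
        self._used = {}      # (mapped_ip, dest-or-None) -> set of mapped ports in use
        self._sticky = {}    # real_ip -> PAT address chosen earlier (round robin, 8.4(3))
        self._next = 0       # round-robin cursor over self.addresses

    def _candidate_ranges(self, real_port):
        if self.flat:
            return [(1 if self.include_reserve else 1024, 65535)]
        return [blk for blk in LEGACY_BLOCKS if blk[0] <= real_port <= blk[1]]

    def _take_port(self, mapped_ip, real_port, dest):
        # Extended PAT keys the port space by destination address and port, so the
        # same mapped port can be reused towards a different destination.
        key = (mapped_ip, dest if self.extended else None)
        used = self._used.setdefault(key, set())
        if real_port not in used:          # real source port preserved when free
            used.add(real_port)
            return real_port
        for lo, hi in self._candidate_ranges(real_port):
            for port in range(lo, hi + 1):
                if port not in used:
                    used.add(port)
                    return port
        return None

    def _address_order(self, real_ip):
        if not self.round_robin:
            return self.addresses          # drain one PAT address before the next
        if real_ip in self._sticky:        # existing host keeps its PAT address
            first = self._sticky[real_ip]
        else:
            first = self.addresses[self._next % len(self.addresses)]
            self._next += 1
        return [first] + [a for a in self.addresses if a != first]

    def allocate(self, real_ip, real_port, dest=None):
        """Return (mapped_ip, mapped_port) for a new connection, or None if exhausted."""
        for mapped_ip in self._address_order(real_ip):
            port = self._take_port(mapped_ip, real_port, dest)
            if port is not None:
                if self.round_robin:
                    self._sticky.setdefault(real_ip, mapped_ip)
                return mapped_ip, port
        return None


if __name__ == "__main__":
    # Constructed sample: one PAT address, many hosts all using source port 80.
    pool = PatPool(["209.165.201.1"])
    hits = [pool.allocate(f"host{i}", 80) for i in range(600)]
    print("connections from port 80 that got a translation:",
          sum(1 for h in hits if h is not None))
    flat = PatPool(["209.165.201.1"], flat=True)
    flat.allocate("host0", 80)
    print("second port-80 connection with flat:", flat.allocate("host1", 80))
```

The default per-range behaviour is the practical trap: a large population of clients whose real source ports fall below 1024 exhausts a PAT address after a few hundred translations, while the 1024 to 65535 range sits idle. The flat keyword fixes that, and extended PAT multiplies the space by destination at the cost of the inspections listed as unsupported in Chapter 42.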
-
Chapter 31 Configuring Twice NAT Configuring Twice NAT Command Purpose (continued) • Destination addresses (Optional): – Mapped—Specify a network object or group, or for static interface NAT with port translation only (routed mode), specify the interface keyword (see Step 4). If you specify interface, be sure to also configure the service keyword. For this option, you must configure a specific interface for the real_ifc.
-
Chapter 31 Configuring Twice NAT Configuring Twice NAT Configuring Static NAT or Static NAT-with-Port-Translation This section describes how to configure a static NAT rule using twice NAT. For more information about static NAT, see the “Static NAT” section on page 29-3. Detailed Steps Step 1 Command Purpose Network object: Configure the real source addresses.
-
Chapter 31 Configuring Twice NAT Configuring Twice NAT Step 3 Command Purpose (Optional) Configure the real destination addresses. Network object: You can configure either a network object or a network object group.
-
Chapter 31 Configuring Twice NAT Configuring Twice NAT Step 5 Command Purpose (Optional) Configure service objects for: object service obj_name service {tcp | udp} [source operator port] [destination operator port] Example: hostname(config)# object service REAL_SRC_SVC hostname(config-service-object)# service tcp source eq 80 hostname(config)# object service MAPPED_SRC_SVC hostname(config-service-object)# service tcp source eq 8080 • Source or destination real port • Source or destination mapped
-
Chapter 31 Configuring Twice NAT Configuring Twice NAT Step 6 Command Purpose nat [(real_ifc,mapped_ifc)] [line | {after-object [line]}] source static real_obj [mapped_obj | interface] [destination static {mapped_obj | interface} real_obj] [service real_src_mapped_dest_svc_obj mapped_src_real_dest_svc_obj] [dns] [no-proxy-arp] [inactive] [description desc] Configures static NAT. See the following guidelines: • Interfaces—(Required for transparent mode) Specify the real and mapped interfaces.
-
Chapter 31 Configuring Twice NAT Configuring Twice NAT Command Purpose (Continued) • Ports—(Optional) Specify the service keyword along with the real and mapped service objects (see Step 5). For source port translation, the objects must specify the source service. The order of the service objects in the command for source port translation is service real_obj mapped_obj. For destination port translation, the objects must specify the destination service.
-
Chapter 31 Configuring Twice NAT Configuring Twice NAT which host sent the packet. In this example, connections are originated from outside to inside, so the “source” address and port of the FTP server is actually the destination address and port in the originating packet. hostname(config)# object service FTP_PASV_PORT_RANGE hostname(config-service-object)# service tcp source range 65000 65004 hostname(config)# object network HOST_FTP_SERVER hostname(config-network-object)# host 192.168.10.
-
Chapter 31 Configuring Twice NAT Configuring Twice NAT Step 2 Command Purpose (Optional) Configure the real destination addresses. Network object: You can configure either a network object or a network object group.
-
Chapter 31 Configuring Twice NAT Configuring Twice NAT Step 4 Command Purpose (Optional) Configure service objects for: object service obj_name service {tcp | udp} [source operator port] [destination operator port] Example: hostname(config)# object service REAL_SRC_SVC hostname(config-service-object)# service tcp source eq 80 hostname(config)# object service MAPPED_SRC_SVC hostname(config-service-object)# service tcp source eq 8080 • Source or destination real port • Source or destination mappe
-
Step 5
Command:
nat [(real_ifc,mapped_ifc)] [line | {after-object [line]}] source static {nw_obj nw_obj | any any} [destination static {mapped_obj | interface} real_obj] [service real_src_mapped_dest_svc_obj mapped_src_real_dest_svc_obj] [no-proxy-arp] [route-lookup] [inactive] [description desc]
Purpose: Configures identity NAT. See the following guidelines:
• Interfaces—(Required for transparent mode) Specify the real and mapped interfaces.
(Continued)
• No Proxy ARP—(Optional) Specify no-proxy-arp to disable proxy ARP for incoming packets to the mapped IP addresses. See the “Mapped Addresses and Routing” section on page 29-22 for more information.
• Route lookup—(Optional; routed mode only; interface(s) specified) Specify route-lookup to determine the egress interface using a route lookup instead of using the interface specified in the NAT command.
Configuration Examples for Twice NAT
Figure 31-1 Twice NAT with Different Destination Addresses
[Figure: Server 1 (209.165.201.11) on DMZ network 209.165.201.0/27 and Server 2 (209.165.200.225) on DMZ network 209.165.200.224/27; inside network 10.1.2.0/24. Step 1: the packet from 10.1.2.27 with destination address 209.165.201.11 is translated 10.1.2.27 to 209.165.202.129; the packet with destination address 209.165.200. is translated 10.1.2.27 to 209.165.202.130.]
hostname(config-network-object)# host 209.165.202.130
Step 7 Configure the second twice NAT rule:
hostname(config)# nat (inside,dmz) source dynamic myInsideNetwork PATaddress2 destination static DMZnetwork2 DMZnetwork2
Different Translation Depending on the Destination Address and Port (Dynamic PAT)
Figure 31-2 shows the use of source and destination ports. The host on the 10.1.2.
hostname(config-network-object)# host 209.165.202.
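The two twice NAT examples above both rely on rule order: the first rule whose source object, destination object (and service, if given) all match decides the translation. The following added example (not part of the Cisco guide) models that lookup in Python with the addresses of Figure 31-1, a constructed port-based variant in the spirit of Figure 31-2, and a conservative check for rules that an earlier, broader rule shadows; the rule names and the port-based rules are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TwiceNatRule:
    """Models one 'nat (inside,dmz) source dynamic <real> <pat> destination static <dmz> <dmz>' rule."""
    name: str
    real_src: ipaddress.IPv4Network     # real source object, e.g. myInsideNetwork
    pat_addr: ipaddress.IPv4Address     # mapped PAT address, e.g. PATaddress1
    real_dst: ipaddress.IPv4Network     # destination object (identity: not translated)
    dst_port: Optional[int] = None      # assumed modelling of an optional destination service match

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address, dport: int) -> bool:
        if src not in self.real_src or dst not in self.real_dst:
            return False
        return self.dst_port is None or self.dst_port == dport


def translate(rules, src: str, dst: str, dport: int):
    """Return (rule name, mapped source address) from the first matching rule, or None.

    Twice NAT rules are evaluated in configuration order, so both the source and the
    destination of the packet (and the port, if a service object is attached) must match.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, dport):
            return rule.name, str(rule.pat_addr)
    return None


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule already covers every
    packet they would match (same or broader networks, and no narrower port filter).
    A later rule that never shows hits in 'show nat' is often explained by this."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            covers_src = later.real_src.subnet_of(earlier.real_src)
            covers_dst = later.real_dst.subnet_of(earlier.real_dst)
            covers_port = earlier.dst_port is None or earlier.dst_port == later.dst_port
            if covers_src and covers_dst and covers_port:
                shadowed.append(later.name)
                break
    return shadowed


INSIDE = ipaddress.ip_network("10.1.2.0/24")

# Figure 31-1: a different PAT address depending on the destination network.
FIGURE_31_1 = [
    TwiceNatRule("to-DMZnetwork1", INSIDE, ipaddress.ip_address("209.165.202.129"),
                 ipaddress.ip_network("209.165.201.0/27")),
    TwiceNatRule("to-DMZnetwork2", INSIDE, ipaddress.ip_address("209.165.202.130"),
                 ipaddress.ip_network("209.165.200.224/27")),
]

# Constructed variant in the spirit of Figure 31-2: same server, PAT address chosen by destination port.
SAME_SERVER = ipaddress.ip_network("209.165.201.11/32")
BY_PORT = [
    TwiceNatRule("telnet-to-server", INSIDE, ipaddress.ip_address("209.165.202.129"), SAME_SERVER, dst_port=23),
    TwiceNatRule("web-to-server", INSIDE, ipaddress.ip_address("209.165.202.130"), SAME_SERVER, dst_port=80),
]

if __name__ == "__main__":
    print(translate(FIGURE_31_1, "10.1.2.27", "209.165.201.11", 80))   # ('to-DMZnetwork1', '209.165.202.129')
    print(translate(FIGURE_31_1, "10.1.2.27", "209.165.200.225", 80))  # ('to-DMZnetwork2', '209.165.202.130')
    print(translate(BY_PORT, "10.1.2.27", "209.165.201.11", 23))       # ('telnet-to-server', '209.165.202.129')
    # Placing the broad Figure 31-1 rule before the port-specific rule shadows the latter.
    print(shadowed_rules([FIGURE_31_1[0], BY_PORT[0]]))                # ['telnet-to-server']
```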
Feature History for Twice NAT
Table 31-1 lists each feature change and the platform release in which it was implemented.
Table 31-1 Feature History for Twice NAT
Feature Name: Twice NAT
Platform Releases: 8.3(1)
Feature Information: Twice NAT lets you identify both the source and destination address in a single rule. We modified or introduced the following commands: nat, show nat, show xlate, show nat pool.
Table 31-1 Feature History for Twice NAT (continued)
Feature Name: Round robin PAT pool allocation uses the same IP address for existing hosts
Platform Releases: 8.4(3)
Feature Information: When using a PAT pool with round robin allocation, if a host has an existing connection, then subsequent connections from that host will use the same PAT IP address if ports are available. We did not modify any commands.
Table 31-1 Feature History for Twice NAT (continued)
Feature Name: Extended PAT for a PAT pool
Platform Releases: 8.4(3)
Feature Information: Each PAT IP address allows up to 65535 ports. If 65535 ports do not provide enough translations, you can now enable extended PAT for a PAT pool. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information.
PART 8 Configuring Service Policies Using the Modular Policy Framework
CHAPTER 32 Configuring a Service Policy Using the Modular Policy Framework
Service policies using Modular Policy Framework provide a consistent and flexible way to configure ASA features. For example, you can use a service policy to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications. A service policy consists of multiple actions applied to an interface or applied globally.
Information About Service Policies
Supported Features for Through Traffic
Table 32-1 lists the features supported by Modular Policy Framework.
Table 32-1 Modular Policy Framework
Feature: Application inspection (multiple types)
See:
• Chapter 42, “Getting Started with Application Layer Protocol Inspection.”
• Chapter 43, “Configuring Inspection of Basic Internet Protocols.
Note: When you use a global policy, all features are unidirectional; features that are normally bidirectional when applied to a single interface only apply to the ingress of each interface when applied globally. Because the policy is applied to all interfaces, the policy will be applied in both directions so bidirectionality in this case is redundant.
For example, if a packet matches a class map for connection limits, and also matches a class map for an application inspection, then both actions are applied. If a packet matches a class map for HTTP inspection, but also matches another class map that includes HTTP inspection, then the second class map actions are not applied.
Incompatibility of Certain Feature Actions
Some features are not compatible with each other for the same traffic. The following list may not include all incompatibilities; for information about compatibility of each feature, see the chapter or section for your feature:
• You cannot configure QoS priority queueing and QoS policing for the same set of traffic.
Feature Matching for Multiple Service Policies
For TCP and UDP traffic (and ICMP when you enable stateful ICMP inspection), service policies operate on traffic flows, and not just individual packets.
Class Map Guidelines
The maximum number of class maps of all types is 255 in single mode or per context in multiple mode. Class maps include the following types:
• Layer 3/4 class maps (for through traffic and management traffic).
• DNS inspection for the maximum message length of 512 bytes
• FTP
• H323 (H225)
• H323 (RAS)
• RSH
• RTSP
• ESMTP
• SQLnet
• Skinny (SCCP)
• SunRPC
• XDMCP
• SIP
• NetBios
• TFTP
• IP Options
The default policy configuration includes the following commands:
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-leng
policy, this class ensures that the correct inspection is applied to each packet, based on the destination port of the traffic. For example, when UDP traffic for port 69 reaches the ASA, then the ASA applies the TFTP inspection; when TCP traffic for port 21 arrives, then the ASA applies the FTP inspection.
[Figure: Inspection Policy Map, showing its Actions and the Inspection Class Map / Match Commands that select traffic]
You can create a self-contained inspection policy map that identifies the traffic directly with match commands, or you can create an inspection class map for reuse or for more complicated matching.
[Figure: Layer 3/4 Policy Map with Connection Limits, Inspection and IPS actions, applied through a Service Policy]
See the “Defining Actions (Layer 3/4 Policy Map)” section on page 32-15 and the “Applying Actions to an Interface (Service Policy)” section on page 32-17.
Traffic shaping can only be applied to the class-default class map.
Step 4 For the same class map, identify the priority policy map that you created in Step 2 using the service-policy priority_policy_map command.
Step 5 Apply the shaping policy map to the interface according to the “Applying Actions to an Interface (Service Policy)” section on page 32-17.
Command: match access-list access_list_name
Purpose: Matches traffic specified by an extended access list. If the ASA is operating in transparent firewall mode, you can use an EtherType access list.
Command: match precedence value1 [value2] [value3] [value4]
Purpose: Matches up to four precedence values, represented by the TOS byte in the IP header, where value1 through value4 can be 0 to 7, corresponding to the possible precedences.
Detailed Steps
Step 1
Command: class-map type management class_map_name
Example: hostname(config)# class-map type management all_mgmt
Purpose: Creates a management class map, where class_map_name is a string up to 40 characters in length. The name “class-default” is reserved. All types of class maps use the same name space, so you cannot reuse a name already used by another type of class map.
Detailed Steps
Step 1
Command: policy-map policy_map_name
Example:
Purpose: Adds the policy map. The policy_map_name argument is the name of the policy map up to 40 characters in length. All types of policy maps use the same name space, so you cannot reuse a name already used by another type of policy map.
Step 2 (Optional)
The following example shows how traffic matches the first available class map, and will not match any subsequent class maps that specify actions in the same feature domain:
hostname(config)# class-map telnet_traffic
hostname(config-cmap)# match port tcp eq 23
hostname(config)# class-map ftp_traffic
hostname(config-cmap)# match port tcp eq 21
hostname(config)# class-map tcp_traffic
h
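The feature-domain rule described above (a packet matches the first class map per feature domain, but a later class map can still add actions in a domain nothing earlier claimed) is easy to get wrong when reviewing a long policy map. This added Python model, which is not part of the Cisco guide, evaluates a constructed policy map built around the page's telnet_traffic, ftp_traffic and tcp_traffic class names plus two HTTP inspection classes; the timeout values and class contents are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ClassMap:
    """A Layer 3/4 class map matching TCP traffic by destination port (match port tcp eq N / range A B)."""
    name: str
    ports: range

    def matches(self, dport: int) -> bool:
        return dport in self.ports


@dataclass(frozen=True)
class Action:
    feature: str   # feature domain, e.g. "inspection" or "connection limits"
    cli: str       # the action line as it would appear under the class in the policy map


@dataclass
class PolicyMap:
    name: str
    entries: List[Tuple[ClassMap, Tuple[Action, ...]]]   # classes in configuration order


def apply_policy(policy: PolicyMap, dport: int) -> List[Tuple[str, str]]:
    """Return the (class name, action) pairs actually applied to a TCP packet bound for dport.

    Classes are walked in order. Within one feature domain only the first matching class
    contributes; a later matching class still contributes actions in domains not yet claimed,
    which is why a connection-limit class and an inspection class can both apply to one packet.
    """
    applied, claimed = [], set()
    for cmap, actions in policy.entries:
        if not cmap.matches(dport):
            continue
        for act in actions:
            if act.feature in claimed:
                continue   # a later class in an already-claimed feature domain is skipped
            claimed.add(act.feature)
            applied.append((cmap.name, act.cli))
    return applied


ALL_TCP = range(1, 65536)

# Constructed policy map (assumption): the page's three connection-timeout classes plus
# an HTTP inspection class and a second HTTP inspection class that can never take effect.
POLICY = PolicyMap("tcp_traffic_policy", [
    (ClassMap("http_traffic", range(80, 81)),   (Action("inspection", "inspect http"),)),
    (ClassMap("telnet_traffic", range(23, 24)), (Action("connection limits", "set connection timeout idle 0:10:00"),)),
    (ClassMap("ftp_traffic", range(21, 22)),    (Action("connection limits", "set connection timeout idle 0:05:00"),)),
    (ClassMap("tcp_traffic", ALL_TCP),          (Action("connection limits", "set connection timeout idle 2:00:00"),)),
    (ClassMap("http_again", range(80, 81)),     (Action("inspection", "inspect http"),)),
])

if __name__ == "__main__":
    # Port 80: HTTP inspection from http_traffic plus the generic timeout from tcp_traffic;
    # http_again is ignored because the inspection domain is already claimed.
    print(apply_policy(POLICY, 80))
    # Port 23: only telnet_traffic applies; tcp_traffic is skipped in the connection-limits domain.
    print(apply_policy(POLICY, 23))
    # Any other TCP port falls through to tcp_traffic alone.
    print(apply_policy(POLICY, 9999))
```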
Detailed Steps
Command: service-policy policy_map_name interface interface_name
Example: hostname(config)# service-policy inbound_policy interface outside
Purpose: Creates a service policy by associating a policy map with an interface.
Command: service-policy policy_map_name global
Purpose: Creates a service policy that applies to all interfaces that do not have a specific policy.
Configuration Examples for Modular Policy Framework
Applying Inspection and QoS Policing to HTTP Traffic
In this example (see Figure 32-1), any HTTP connection (TCP traffic on port 80) that enters or exits the ASA through the outside interface is classified for HTTP inspection. Any HTTP traffic that exits the outside interface is classified for policing.
[Figure 32-1 HTTP Inspection and QoS Policing: security appliance, port 80 traffic inspected and policed]
hostname(config)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# inspect http
hostname(config)# service-policy http_traffic_policy global
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers
In this example (see Figure 32-3), any HTTP connection destined for Server A (TCP traffic on port 80) that enters
hostname(config)# service-policy policy_serverB interface inside
hostname(config)# service-policy policy_serverA interface outside
Applying Inspection to HTTP Traffic with NAT
In this example, the Host on the inside network has two addresses: one is the real IP address 192.168.1.1, and the other is a mapped IP address used on the outside network, 209.165.200.225.
Table 32-3 Feature History for Service Policies (continued)
Feature Name: Inspection policy maps
Releases: 7.2(1)
Feature Information: The inspection policy map was introduced. The following command was introduced: class-map type inspect.
Feature Name: Regular expressions and policy maps
Releases: 7.2(1)
Feature Information: Regular expressions and policy maps were introduced to be used under inspection policy maps.
CHAPTER 33 Configuring Special Actions for Application Inspections (Inspection Policy Map)
Modular Policy Framework lets you configure special actions for many application inspections. When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable actions as defined in an inspection policy map.
– Some traffic matching commands can specify regular expressions to match text inside a packet. Be sure to create and test the regular expressions before you configure the policy map, either singly or grouped together in a regular expression class map.
• Parameters—Parameters affect the behavior of the inspection engine.
If a packet matches multiple different match or class commands, then the order in which the ASA applies the actions is determined by internal ASA rules, and not by the order they are added to the policy map. The internal rules are determined by the application type and the logical progression of parsing a packet, and are not user-configurable.
Detailed Steps
Step 1 (Optional) Create an inspection class map. See the “Identifying Traffic in an Inspection Class Map” section on page 33-6. Alternatively, you can identify the traffic directly within the policy map.
Step 2
Command: policy-map type inspect application policy_map_name
Purpose: Creates the inspection policy map.
Step 4
Command: {[drop [send-protocol-error] | drop-connection [send-protocol-error] | mask | reset] [log] | rate-limit message_rate}
Purpose: Specifies the action you want to perform on the matching traffic. Not all options are available for each application. Other actions specific to the application might also be available.
Identifying Traffic in an Inspection Class Map
This type of class map allows you to match criteria that is specific to an application. For example, for DNS traffic, you can match the domain name in a DNS query. A class map groups multiple traffic matches (in a match-all class map), or lets you match any of a list of matches (in a match-any class map).
Step 3
Command: description string
Example: hostname(config-cmap)# description All UDP traffic
Purpose: (Optional) Adds a description to the class map.
Step 4
Command: Define the traffic to include in the class by entering one or more match commands available for your application.
Purpose: To specify traffic that should not match the class map, use the match not command. For example, if the match not command
PART 9 Configuring Access Control
CHAPTER 34 Configuring Access Rules
This chapter describes how to control network access through the ASA using access rules and includes the following sections:
• Information About Access Rules, page 34-1
• Licensing Requirements for Access Rules, page 34-6
• Prerequisites, page 34-7
• Guidelines and Limitations, page 34-7
• Default Settings, page 34-7
• Configuring Access Rules, page 34-7
• Monitoring Access Rules, page 34-8
• Configuration Examples for Permitting or Denying Ne
• Information About EtherType Rules, page 34-5
General Information About Rules
This section describes information for both access rules and EtherType rules, and it includes the following topics:
• Implicit Permits, page 34-2
• Information About Interface Access Rules and Global Access Rules, page 34-2
• Using Access Rules and EtherType Rules on the Same Interface, page 34-2
• Implicit Deny, page 34-3
• Inbound and Outbound Rule
Implicit Deny
Access lists have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot pass. For example, if you want to allow all users to access a network through the ASA except for particular addresses, then you need to deny the particular addresses and then permit all others.
Figure 34-1 Outbound Access List
[Figure: Web Server 209.165.200.225 behind the ASA outside interface. Outside ACL, outbound: permit HTTP from 10.1.1.14, 10.1.2.67, and 10.1.3.34 to 209.165.200.225; deny all others. Inside interfaces, each with an inbound ACL permitting from any to any: HR host 10.1.1.14 (static NAT 209.165.201.4), Eng host 10.1.2.67 (static NAT 209.165.201.6), and host 10.1.3.34 (static NAT 209.165.201.]
For connectionless protocols such as ICMP, however, the ASA establishes unidirectional sessions, so you either need access rules to allow ICMP in both directions (by applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection engine treats ICMP sessions as bidirectional connections. To control ping, specify echo-reply (0) (ASA to host) or echo (8) (host to ASA).
Supported EtherTypes and Other Traffic
An EtherType rule controls the following:
• EtherType identified by a 16-bit hexadecimal number, including common types IPX and MPLS unicast or multicast.
• Ethernet V2 frames.
• BPDUs, which are permitted by default. BPDUs are SNAP-encapsulated, and the ASA is designed to specifically handle BPDUs.
• Trunk port (Cisco proprietary) BPDUs.
Prerequisites
Before you can create an access rule, create the access list. See Chapter 15, “Adding an Extended Access List,” and Chapter 16, “Adding an EtherType Access List,” for more information.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent firewall modes.
Detailed Steps
Command: access-group access_list {{in | out} interface interface_name [per-user-override | control-plane] | global}
Example: hostname(config)# access-group acl_out in interface outside
Purpose: Binds an access list to an interface or applies it globally. Specify the extended, EtherType, or IPv6 access list name. You can configure one access-group command per access list type per interface.
Configuration Examples for Permitting or Denying Network Access
This section includes typical configuration examples for permitting or denying network access. The following example illustrates the commands required to enable access to an inside web server with the IP address 209.165.201.12. (This IP address is the real address, not the address visible on the outside interface after NAT.
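To make the implicit deny and the deny-then-permit ordering from the “Implicit Deny” section concrete, here is an added Python evaluator (not part of the Cisco guide) for extended access-list entries with first-match semantics. The web server address 209.165.201.12 is the page's; the excluded host 10.1.2.99, the client address and the list names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    """One extended access-list entry: access-list NAME extended {permit|deny} PROTO SRC DST [eq PORT]."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # destination port for tcp/udp; None means any port

    def matches(self, proto: str, src, dst, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        return self.dport is None or self.dport == dport


def net(spec: str) -> ipaddress.IPv4Network:
    """'any' or a host/CIDR string to a network object."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for a packet: the first matching entry wins, and a packet that
    matches no entry hits the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.matches(proto, s, d, dport):
            return ace.action
    return "deny"


# Inbound list for the outside interface: permit HTTP to the inside web server's real address only.
# Everything else, including SSH to the same server, falls through to the implicit deny.
ACL_OUT = [
    Ace("permit", "tcp", net("any"), net("209.165.201.12/32"), 80),
]

# "Allow all users except particular addresses": the deny entry must come before the permit-any,
# otherwise the permit matches first and the deny is never reached.
ACL_INSIDE_OK = [
    Ace("deny", "ip", net("10.1.2.99/32"), net("any")),
    Ace("permit", "ip", net("any"), net("any")),
]
ACL_INSIDE_WRONG = [
    Ace("permit", "ip", net("any"), net("any")),
    Ace("deny", "ip", net("10.1.2.99/32"), net("any")),   # shadowed by the entry above
]

if __name__ == "__main__":
    print(evaluate(ACL_OUT, "tcp", "198.51.100.7", "209.165.201.12", 80))   # permit
    print(evaluate(ACL_OUT, "tcp", "198.51.100.7", "209.165.201.12", 22))   # deny (implicit)
    print(evaluate(ACL_INSIDE_OK, "tcp", "10.1.2.99", "209.165.200.225", 80))     # deny
    print(evaluate(ACL_INSIDE_WRONG, "tcp", "10.1.2.99", "209.165.200.225", 80))  # permit
```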
Feature History for Access Rules
Table 34-2 lists each feature change and the platform release in which it was implemented.
Table 34-2 Feature History for Access Rules
Feature Name: Interface access rules
Platform Releases: 7.0(1)
Feature Information: Controlling network access through the ASA using access lists. We introduced the following command: access-group.
Feature Name: Global access rules
Platform Releases: 8.3(1)
Feature Information: Global access rules were introduced.
CHAPTER 35 Configuring AAA Servers and the Local Database
This chapter describes support for authentication, authorization, and accounting (AAA, pronounced “triple A”), and how to configure AAA servers and the local database.
• RSA/SDI Server Support, page 35-5
• NT Server Support, page 35-6
• Kerberos Server Support, page 35-6
• LDAP Server Support, page 35-6
• Local Database Support, Including as a Fallback Method, page 35-8
• How Fallback Works with Multiple Servers in a Group, page 35-8
• Using Certificates and User Login Credentials, page 35-9
• Task Flow for Configuring AAA, page 35-11
Information About Authentication
Authenti
Information About Accounting
Accounting tracks traffic that passes through the ASA, enabling you to have a record of user activity. If you enable authentication for that traffic, you can account for traffic per user. If you do not authenticate the traffic, you can account for traffic per IP address.
RADIUS Server Support
The ASA supports the following RFC-compliant RADIUS servers for AAA:
• Cisco Secure ACS 3.2, 4.0, 4.1, 4.2, and 5.x
• Cisco Identity Services Engine (ISE)
• RSA RADIUS in RSA Authentication Manager 5.2, 6.1, and 7.x
• Microsoft
Authentication Methods
The ASA supports the following authentication methods with RADIUS:
• PAP—For all connection types.
• A list of attributes is available at the following URL: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1605508
RADIUS Authorization Functions
The ASA can use RADIUS servers for user authorization of VPN remote access and firewall cut-through-proxy sessions using dynamic access lists or access list names per user.
locks the username, preventing another (replica) server from accepting it. This action means that the same user cannot authenticate to two ASAs using the same authentication servers simultaneously. After a successful username lock, the ASA sends the passcode.
• Kerberos—The ASA responds to the LDAP server by sending the username and realm using the GSSAPI Kerberos mechanism.
You can configure the ASA and LDAP server to support any combination of these SASL mechanisms.
HTTP Forms Authentication for Clientless SSL VPN
The ASA can use the HTTP Form protocol for both authentication and single sign-on (SSO) operations of Clientless SSL VPN user sessions only. For configuration information, see the “Using Single Sign-on with Clientless SSL VPN” section on page 74-13.
Using Certificates and User Login Credentials
The following section describes the different methods of using certificates and user login credentials (username and password) for authentication and authorization. These methods apply to IPsec, AnyConnect, and Clientless SSL VPN. In all cases, LDAP authorization does not use the password as a credential.
– Uses the username value of the certificate primary DN field as a credential
Note: If the primary DN field is not present in the certificate, the ASA uses the secondary DN field value as the username for the authorization request.
For example, consider a user certificate that includes the following Subject DN fields and values:
Cn=anyuser,OU=sales;O=XYZCorporation;L=boston;S=mass;C=us;ea=anyuser@example.
• Managing User Passwords, page 35-25
• Changing User Passwords, page 35-27
• Authenticating Users with a Public Key for SSH, page 35-28
• Differentiating User Roles Using AAA, page 35-28
Task Flow for Configuring AAA
Step 1 Do one or both of the following:
• Add a AAA server group. See the “Configuring AAA Server Groups” section on page 35-11.
• Add a user to the local database.
Detailed Steps
Step 1
Command: aaa-server server_tag protocol {kerberos | ldap | nt | radius | sdi | tacacs+}
Purpose: Identifies the server group name and the protocol. For example, to use RADIUS to authenticate network access and TACACS+ to authenticate CLI access, you need to create at least two server groups, one for RADIUS servers and one for TACACS+ servers.
Step 2
Command: merge-dacl {before-avpair | after-avpair}
Purpose: Merges a downloadable ACL with the ACL received in the Cisco AV pair from a RADIUS packet. The default setting is no merge dacl, which specifies that downloadable ACLs will not be merged with Cisco AV pair ACLs. If both an AV pair and a downloadable ACL are received, the AV pair has priority and is used.
Step 4
Command: reactivation-mode {depletion [deadtime minutes] | timed}
Purpose: Specifies the method (reactivation policy) by which failed servers in a group are reactivated. The depletion keyword reactivates failed servers only after all of the servers in the group are inactive.
Table 35-2 Host Mode Commands, Server Types, and Defaults (continued)
Command: ldap-login-password; Applicable AAA Server Types: LDAP; Default Value: —
Command: ldap-naming-attribute; Applicable AAA Server Types: LDAP; Default Value: —; Description: If not set, the ASA uses sAMAccountName for LDAP requests.
Command: ldap-over-ssl; Applicable AAA Server Types: LDAP; Default Value: 636
Command: ldap-scope; Applicable AAA Server Types: LDAP; Default Value: —
Command: mschapv2-capable; Applicable AAA Server Types: RADIUS; Default Value: enabled
hostname(config)# aaa-server AuthOutbound protocol radius
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.3
hostname(config-aaa-server-host)# key RadUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server NTAuth protocol nt
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server NTAuth (inside) host 10.1.1.
To set up VPN user authorization using LDAP, perform the following steps.
Detailed Steps
Step 1
Command: aaa-server server_group protocol {kerberos | ldap | nt | radius | sdi | tacacs+}
Example:
hostname(config)# aaa-server servergroup1 protocol ldap
hostname(config-aaa-server-group)
Purpose: Creates a AAA server group.
Step 2
Command: tunnel-group groupname
Purpose: Creates an IPsec remote access tunnel group named remotegrp.
Configuring LDAP Attribute Maps
The ASA can use an LDAP directory for authenticating VPN remote access users or firewall network access/cut-thru-proxy sessions and/or for setting policy permissions (also called authorization attributes), such as ACLs, bookmark lists, DNS or WINS settings, session timers, and so on. That is, you can set the key attributes that exist in a local group policy externally through an LDAP server.
To map LDAP features correctly, perform the following steps:
Detailed Steps
Step 1
Command: ldap attribute-map map-name
Example: hostname(config)# ldap attribute-map att_map_1
Purpose: Creates an unpopulated LDAP attribute map table.
Step 2
Command: map-name user-attribute-name Cisco-attribute-name
Purpose: Maps the user-defined attribute name department to the Cisco attribute.
hostname(config-ldap-attribute-map)# map-value accessType helpdesk 7
hostname(config-ldap-attribute-map)# aaa-server LDAP protocol ldap
hostname(config-aaa-server-group)# aaa-server LDAP (inside) host 10.1.254.
Limitations
You cannot use the local database for network access authorization.
To add a user to the local database, perform the following steps:
Detailed Steps
Step 1
Command: username username {nopassword | password password [mschap]} [privilege priv_level]
Example: hostname(config)# username exampleuser1 privilege 1
Purpose: Creates the user account. The username username keyword is a string from 4 to 64 characters long.
Note: The ASA does not prohibit the creation of usernames that only differ by case with previously configured usernames.
Step 2
Command: aaa authorization exec authentication-server
Purpose: (Optional) Enforces user-specific access levels for users who authenticate for management access (see the aaa authentication console LOCAL command). This command enables management authorization for local, RADIUS, LDAP (mapped), and TACACS+ users.
Step 4
Command: service-type {admin | nas-prompt | remote-access}
Purpose: (Optional) Configures the user level if you configured management authorization in Step 2. The admin keyword allows full access to any services specified by the aaa authentication console LOCAL commands. The admin keyword is the default.
• They may include upper case characters.
• They may include numbers.
• They may include special characters.
To specify password policy for users, perform the following steps:
Step 1
Command: password-policy lifetime value
Purpose: Sets the password policy for the current context and the interval in days after which passwords expire. Valid values are between 0 and 65536 days. The default value is 0 days.
Step 7
Command: password-policy minimum-uppercase value
Purpose: Sets the minimum number of upper case characters that passwords may have. Valid values are between 0 and 64 characters. The default value is 0, which means there is no minimum.
Authenticating Users with a Public Key for SSH
Users can authenticate with a public key for SSH. The public key can be hashed or not hashed. To authenticate with a public key for SSH, enter the following command:
Command: username {user} attributes
ssh authentication publickey key [hashed]
Purpose: Enables public key authentication on a per-user basis.
Where mysecret123 is the stored password and 15 is the assigned privilege level, which indicates an admin user. The available configuration options for the service-type attribute include the following:
• admin, in which users are allowed access to the configuration mode. This option also allows a user to connect via remote access.
• nas-prompt, in which users are allowed access to the EXEC mode.
map-name company Privilege-Level
map-name title IETF-Radius-Service-Type
To apply the LDAP attribute map to the LDAP AAA server, enter the following commands:
hostname(config)# aaa-server ldap-server (dmz1) host 10.20.30.
-
Additional References
For additional information related to implementing LDAP mapping, see the “RFCs” section on page 35-31.
-
Table 35-3 Feature History for AAA Servers
Feature Name: AAA Servers. Platform Releases: 7.0(1). Feature Information: AAA Servers describe support for AAA and how to configure AAA servers and the local database.
-
Chapter 36 Configuring the Identity Firewall
This chapter describes how to configure the ASA for the Identity Firewall.
-
Information About the Identity Firewall
The Identity Firewall integrates with Microsoft Active Directory in conjunction with an external Active Directory (AD) Agent that provides the actual identity mapping. The ASA uses Windows Active Directory as the source to retrieve the current user identity information for specific IP addresses and allows transparent authentication for Active Directory users.
-
[Figure 36-1 Identity Firewall Components: LAN, ASA, Client, NetBIOS Probe, LDAP, RADIUS, mktg.sample.com 10.1.1.2, AD Agent, WMI, AD Servers]
On the ASA: configure local user groups and Identity Firewall policies.
Client <-> ASA: the client logs onto the network through Microsoft Active Directory. The AD Server authenticates users and generates user logon security logs.
-
• Supports the combination of 5-tuple policies with ID-based policies. The identity-based feature works in tandem with the existing 5-tuple solution.
• Supports usage with IPS and Application Inspection policies.
• Retrieves user identity information from remote access VPN, AnyConnect VPN, L2TP VPN and cut-through proxy. All retrieved users are populated to all ASA devices connected to the AD Agent.
-
[Figure 36-2 Deployment Scenario without Redundancy: Scenario 1 and Scenario 2, each showing AD Agent, AD Server and ASA]
As shown in Figure 36-3, you can deploy the Identity Firewall components to support redundancy. Scenario 1 shows a deployment with multiple Active Directory servers and a single AD Agent installed on a separate Windows server.
-
Figure 36-5 shows a WAN-based deployment to support a remote site. The Active Directory server and the AD Agent are installed on the main site LAN. The clients are located at a remote site and connect to the Identity Firewall components over a WAN.
[Figure 36-5 WAN-based Deployment: Remote Site, Enterprise Main Site, ASA, Client, NetBIOS Probe, Login/Authentication, LDAP, RADIUS, WAN, mktg.sample.com 10.1.1.
-
[Figure 36-7 WAN-based Deployment with Remote AD Agent and AD Servers: Remote Site, Enterprise Main Site, ASA, Client, RADIUS, WAN, LDAP, Directory Sync, AD Agent, mktg.sample.com 10.1.1.
-
Licensing for the Identity Firewall
The following table shows the licensing requirements for this feature: Model: All models. License Requirement: Base License.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines: Supported in single and multiple context mode.
Firewall Mode Guidelines: Supported in routed and transparent firewall modes.
-
Prerequisites
• MAC address checking by the Identity Firewall does not work when intervening routers are present. Users logged onto clients that are behind the same router appear to have the same MAC address. With this implementation, all the packets from the same router are able to pass the check, because the ASA is unable to ascertain the actual MAC addresses behind the router.
-
Configuring the Identity Firewall
Note: Before running the AD Agent Installer, you must install the following patches on every Microsoft Active Directory server that the AD Agent monitors. These patches are required even when the AD Agent is installed directly on the domain controller server. See the README First for the Cisco Active Directory Agent.
-
Task Flow for Configuring the Identity Firewall
See Configuring Cut-through Proxy Authentication, page 22.
Step 6. Configure VPN authentication. See Configuring VPN Authentication, page 24.
Configuring the Active Directory Domain
Active Directory domain configuration on the ASA is required for the ASA to download Active Directory groups and accept user identities from specific domains when receiving IP-user mapping from the AD Agent.
-
Step 6. Command: hostname(config-aaa-server-host)# ldap-login-dn string. Example: hostname(config-aaa-server-host)# ldap-login-dn SAMPLE\user1. Purpose: Specifies the name of the directory object that the system should bind as. The ASA identifies itself for authenticated binding by attaching a Login DN field to the user authentication request.
-
Configuring Active Directory Agents
Periodically or on demand, the AD Agent monitors the Active Directory server security event log via WMI for user login and logoff events. The AD Agent maintains a cache of user ID and IP address mappings and notifies the ASA of changes. Configure the primary and secondary AD Agents for the AD Agent Server Group.
-
Configuring Identity Options
Perform this procedure to add or edit the Identity Firewall feature; select the Enable check box to enable the feature. By default, the Identity Firewall feature is disabled.
Prerequisites: Before configuring the identity options for the Identity Firewall, you must meet the prerequisites for the AD Agent and Microsoft Active Directory.
-
Step 1. Command: hostname(config)# user-identity enable. Purpose: Enables the Identity Firewall feature.
Step 2. Command: hostname(config)# user-identity default-domain domain_NetBIOS_name. Example: hostname(config)# user-identity default-domain SAMPLE. Purpose: Specifies the default domain for the Identity Firewall. For domain_NetBIOS_name, enter a name up to 32 characters consisting of [a-z], [A-Z], [0-9], [!@#$%^&()-_=+[]{};,.
-
Step 4. Command: hostname(config)# user-identity logout-probe netbios local-system probe-time minutes minutes retry-interval seconds seconds retry-count times [user-not-needed|match-any|exact-match]. Example: hostname(config)# user-identity logout-probe netbios local-system probe-time minutes 10 retry-interval seconds 10 retry-count 2 user-not-needed. Purpose: Enables NetBIOS probing.
-
Step 5. Command: hostname(config)# user-identity inactive-user-timer minutes minutes. Example: hostname(config)# user-identity inactive-user-timer minutes 120. Purpose: Specifies the amount of time before a user is considered idle, meaning that the ASA has not received traffic from the user's IP address for the specified amount of time.
-
Step 8. Command: hostname(config)# user-identity action domain-controller-down domain_nickname disable-user-identity-rule. Example: hostname(config)# user-identity action domain-controller-down SAMPLE disable-user-identity-rule. Purpose: Specifies the action to take when the domain is down because the Active Directory domain controller is not responding.
-
Step 12. Command: hostname(config)# user-identity ad-agent active-user-database {on-demand|full-download}. Example: hostname(config)# user-identity ad-agent active-user-database full-download. Purpose: Defines how the ASA retrieves the user identity-IP address mapping information from the AD Agent:
• full-download—Specifies that the ASA send a request to the AD Agent to download the entire IP-user mapping table wh
-
Configuring Identity-based Access Rules
An access rule permits or denies traffic based on the protocol, a source and destination IP address or network, and the source and destination ports. For information about access rules, see Chapter 34, “Configuring Access Rules.” The Identity Firewall feature adds the ability to permit or deny traffic based on a user's identity or on a user group.
-
Step 1. Command: hostname(config)# object-group user user_group_name. Example: hostname(config)# object-group user users1. Purpose: Defines object groups that you can use to control access with the Identity Firewall. You can use the object group as part of an access group or service policy.
-
Step 5, Step 6. Command: hostname(config)# access-list access_list_name {deny | permit} protocol [{user-group [domain_name\\]user_group_name | user {[domain_name\\]user_name | any | none} | object-group-user object_group_user_name}] {any | host sip | sip smask | interface name | object src_object_name | object-group network_object_group_name> [eq port | …] {object-group-user dst_object_group_name | objec
-
• If the backslash (\) delimiter is not found in the login credentials, the ASA does not parse a domain, and authentication is conducted with the AAA server that corresponds to the default domain configured for the Identity Firewall.
• If a default domain or a server group is not configured for that default domain, the ASA rejects the authentication.
-
• The ASA IP address is 172.1.1.118.
• The Active Directory domain controller has the IP address 71.1.2.93.
• The end user client has the IP address 172.1.1.118 and uses HTTPS to log in through a web portal.
• The user is authenticated by the Active Directory domain controller via LDAP.
• The ASA uses the inside interface to connect to the Active Directory domain controller on the corporate network.
-
• Apply VPN-Filter with bypassing access-list check disabled
• Apply VPN-Filter with bypassing access-list check enabled
Configuration Example: VPN with IDFW Rule 1
By default, “sysopt connection permit-vpn” is enabled and VPN traffic is exempted from the access-list check. To apply regular interface-based ACL rules to VPN traffic, VPN traffic access-list bypassing must be disabled.
-
Monitoring the Identity Firewall
• Monitoring Memory Usage for the Identity Firewall, page 26
• Monitoring Users for the Identity Firewall, page 27
Monitoring AD Agents
You can monitor the AD Agent component of the Identity Firewall.
-
Note: How you configure the Identity Firewall to retrieve user information from the AD Agent affects the amount of memory used by the feature. You specify whether the ASA uses on-demand retrieval or full-download retrieval. Selecting on-demand retrieval has the benefit of using less memory, because only the users of received packets are queried and stored. See Configuring Identity Options, page 14, for a description of these options.
-
Feature History for the Identity Firewall
Table 36-1 lists the release history for this feature.
Table 36-1 Feature History for the Identity Firewall
Feature Name: Identity Firewall. Releases: 8.4(2). Feature Information: The Identity Firewall feature was introduced.
-
Chapter 37 Configuring Management Access
This chapter describes how to access the ASA for system management through Telnet, SSH, and HTTPS (using ASDM), how to authenticate and authorize users, how to create login banners, and how to customize CLI parameters.
-
Configuring ASA Access for ASDM, Telnet, or SSH
Licensing Requirements for ASA Access for ASDM, Telnet, or SSH
The following table shows the licensing requirements for this feature: Model: All models. License Requirement: Base License.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines: Supported in single and multiple context mode.
-
Configuring Telnet Access
To identify the client IP addresses allowed to connect to the ASA using Telnet, perform the following steps.
Detailed Steps
Step 1. Command: telnet source_IP_address mask source_interface. Purpose: For each address or subnet, identifies the IP addresses from which the ASA accepts connections.
-
Using a Telnet Client
To gain access to the ASA CLI using Telnet, enter the login password set by the password command. If you configure Telnet authentication (see the “Configuring Authentication for CLI and ASDM Access” section on page 37-19), then enter the username and password defined by the AAA server or local database.
-
Step 7. Command: ssh version version_number. Example: hostname(config)# ssh version 2. Purpose: (Optional) Limits access to SSH version 1 or 2. By default, SSH allows both versions 1 and 2.
Step 8. Command: ssh key-exchange {dh-group1 | dh-group14}. Example: hostname(config)# ssh key-exchange dh-group14. Purpose: Specifies whether Diffie-Hellman Group 1 or Diffie-Hellman Group 14 is used for key exchange.
-
Configuring HTTPS Access for ASDM
To use ASDM, you need to enable the HTTPS server and allow HTTPS connections to the ASA. HTTPS access is enabled as part of the factory default configuration or when you use the setup command. This section describes how to manually configure ASDM access.
-
Configuring CLI Parameters
Licensing Requirements for CLI Parameters
The following table shows the licensing requirements for this feature: Model: All models. License Requirement: Base License.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines: Supported in single and multiple context mode.
Firewall Mode Guidelines: Supported in routed and transparent firewall mode.
-
To configure a login banner, perform the following steps:
Detailed Steps
Command: banner {exec | login | motd} text. Purpose: Adds a banner to display at one of three times: when a user first connects (message-of-the-day (motd)), when a user logs in (login), and when a user accesses privileged EXEC mode (exec). When a user connects to the ASA, the message-of-the-day banner appears first, followed by the login banner and prompts.
-
priority: Displays the failover priority as pri (primary) or sec (secondary).
state: Displays the traffic-passing state of the unit. The following values appear for the state:
• act—Failover is enabled, and the unit is actively passing traffic.
• stby—Failover is enabled, and the unit is not passing traffic and is in a standby, failed, or another nonactive state.
-
Configuring ICMP Access
By default, you can send ICMP packets to any ASA interface using either IPv4 or IPv6. This section describes how to limit ICMP management access to the ASA. You can protect the ASA from attacks by limiting the addresses of hosts and networks that are allowed to have ICMP access to the ASA.
Note: For allowing ICMP traffic through the ASA, see Chapter 34, “Configuring Access Rules.”
-
Firewall Mode Guidelines: Supported in routed and transparent firewall mode.
IPv6 Guidelines: Supports IPv6.
Additional Guidelines
• The ASA does not respond to ICMP echo requests directed to a broadcast address.
• The ASA only responds to ICMP traffic sent to the interface that the traffic comes in on; you cannot send ICMP traffic through an interface to a far interface.
-
The following example shows how to allow the host at 10.1.1.15 to use only ping to the inside interface:
hostname(config)# icmp permit host 10.1.1.
-
IPv6 Guidelines: Supports IPv6.
Additional Guidelines: You can define only one management access interface.
Configuring a Management Interface
To configure the management interface, enter the following command:
Command: management-access management_interface. Purpose: The management_interface argument specifies the name of the management interface that you want to access when entering the ASA from another interface.
-
Configuring AAA for System Administrators
Information About AAA for System Administrators
This section describes AAA for system administrators and includes the following topics:
• Information About Management Authentication, page 37-14
• Information About Command Authorization, page 37-14
Information About Management Authentication
This section describes authentication for management access and includes the following topics:
• Comparing CLI Access with and wi
-
• About Preserving User Credentials, page 37-15
• Security Contexts and Command Authorization, page 37-16
Supported Command Authorization Methods
You can use one of two command authorization methods:
• Local privilege levels—Configure the command privilege levels on the ASA.
-
Credentials required Username and Password Authentication Serial Authorization Privileged Mode Privileged Command Mode Exit Authorization Authorization
Password Yes No No Yes
Privileged Mode Password No No Yes No
Security Contexts and Command Authorization
The following are important points to consider when implementing command authorization with multiple security contexts:
• AAA settings are discrete per co
-
Licensing Requirements for AAA for System Administrators
The following table shows the licensing requirements for this feature: Model: All models. License Requirement: Base License.
Prerequisites
Depending on the feature, you can use the following:
• AAA server—See the “Configuring AAA Server Groups” section on page 35-11.
• Local Database—See the “Adding a User Account to the Local Database” section on page 35-20.
-
• Configure enable authentication (see the “Configuring Authentication to Access Privileged EXEC Mode (the enable Command)” section on page 37-19).
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines: Supported in single and multiple context mode.
Firewall Mode Guidelines: Supported in routed and transparent firewall mode.
-
Configuring Authentication for CLI and ASDM Access
To configure management authentication, enter the following command:
Command: aaa authentication {telnet | ssh | http | serial} console {LOCAL | server_group [LOCAL]}. Purpose: Authenticates users for management access. The telnet keyword controls Telnet access. The ssh keyword controls SSH access. The SSH default usernames asa and pix are no longer supported.
-
Configuring Authentication for the enable Command
You can configure the ASA to authenticate users when they enter the enable command. See the “Comparing CLI Access with and without Authentication” section on page 37-14 for more information. To authenticate users who enter the enable command, enter the following command:
-
Limiting User CLI and ASDM Access with Management Authorization
If you configure CLI or enable authentication, you can limit a local user, RADIUS, TACACS+, or LDAP user (if you map LDAP attributes to RADIUS attributes) from accessing the CLI, ASDM, or the enable command.
-
Step 2. Purpose: To configure the user for management authorization, see the following requirements for each AAA server type or local user:
• RADIUS or LDAP (mapped) users—Use the IETF RADIUS numeric Service-Type attribute, which maps to one of the following values:
– Service-Type 6 (Administrative)—Allows full access to any services specified by the aaa authentication console commands.
-
For more information about command authorization, see the “Information About Command Authorization” section on page 37-14.
-
To configure local command authorization, perform the following steps:
Detailed Steps
Step 1. Command: privilege [show | clear | cmd] level level [mode {enable | cmd}] command command. Purpose: Assigns a command to a privilege level. Repeat this command for each command that you want to reassign.
-
Step 3. Command: aaa authorization command LOCAL. Purpose: Enables the use of local command privilege levels, which are checked against the privilege level of users in the local database, RADIUS server, or LDAP server (with mapped attributes).
-
Viewing Local Command Privilege Levels
The following commands let you view privilege levels for commands.
Command: show running-config all privilege all. Purpose: Shows all commands.
Command: show running-config privilege level level. Purpose: Shows commands for a specific level. The level is an integer between 0 and 15.
Command: show running-config privilege command command. Purpose: Shows the level of a specific command.
-
Note: Cisco Secure ACS might include a command type called “pix-shell.” Do not use this type for ASA command authorization.
The first word of the command is considered to be the main command. All additional words are considered to be arguments, which need to be preceded by permit or deny.
-
For example, to allow enable, but not enable password, enter enable in the commands field and deny password in the arguments field. Be sure to check the Permit Unmatched Args check box so that enable alone is still allowed (see Figure 37-3).
-
– login
– logout
– pager
– show pager
– clear pager
– quit
– show version
Configuring TACACS+ Command Authorization
If you enable TACACS+ command authorization and a user enters a command at the CLI, the ASA sends the command and username to the TACACS+ server to determine whether the command is authorized.
-
Configuring Management Access Accounting
You can send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI. You can configure accounting when users log in, when they enter the enable command, or when they issue commands. For command accounting, you can only use TACACS+ servers.
-
Table 37-1 show curpriv Command Output Description (continued)
Field: Current privilege level. Description: Levels range from 0 to 15. Unless you configure local command authorization and assign commands to intermediate privilege levels, levels 0 and 15 are the only levels that are used.
-
Table 37-2 CLI Authentication and Command Authorization Lockout Scenarios (continued)
Feature | Lockout Condition | Description
TACACS+ command authorization | You are logged in as a user without enough privileges or as a user that does not exist |
Local command authorization | You are logged in as a user without | You enable command authorization, but then | Log in and reset the passwords and aaa commands.
-
Feature History for Management Access
Table 37-3 lists each feature change and the platform release in which it was implemented.
Table 37-3 Feature History for Management Access
Feature Name: Management Access. Platform Releases: 7.0(1). Feature Information: We introduced this feature.
-
Cisco ASA 5500 Series Configuration Guide using the CLI
-
Chapter 38 Configuring AAA Rules for Network Access
This chapter describes how to enable AAA (pronounced “triple A”) for network access. For information about AAA for management access, see the “Configuring AAA for System Administrators” section on page 37-13.
-
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines: Supported in single and multiple context mode.
Firewall Mode Guidelines: Supported in routed and transparent firewall mode.
IPv6 Guidelines: Supports IPv6.
-
Configuring Authentication for Network Access
• Port 21 for FTP
• Port 23 for Telnet
• Port 80 for HTTP
• Port 443 for HTTPS
ASA Authentication Prompts
For Telnet and FTP, the ASA generates an authentication prompt. For HTTP, the ASA uses basic HTTP authentication by default and provides an authentication prompt.
-
Static PAT and HTTP
For HTTP authentication, the ASA checks real ports when static PAT is configured. If it detects traffic destined for real port 80, regardless of the mapped port, the ASA intercepts the HTTP connection and enforces authentication. For example, assume that outside TCP port 889 is translated to port 80 and that any relevant access lists permit the traffic:
object network obj-192.168.123.
-
Step 3. Command: aaa authentication match acl_name interface_name server_group. Example: hostname(config)# aaa authentication match MAIL_AUTH inside AuthOutbound. Purpose: Configures authentication. The acl_name argument is the name of the access list that you created in Step 2. The interface_name argument is the name of the interface specified with the nameif command.
-
hostname(config)# aaa authentication listener http inside redirect
The following example authenticates Telnet traffic from the outside interface to a particular server (209.165.201.5):
hostname(config)# aaa-server AuthInbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.
-
timeout to 1 second with the timeout uauth 0:0:1 command. However, this workaround opens a 1-second window of opportunity that might allow unauthenticated users to go through the firewall if they are coming from the same source IP address.
-
Authenticating HTTP(S) Connections with a Virtual Server
If you enabled the redirection method of HTTP and HTTPS authentication in the “Configuring Network Access Authentication” section on page 38-4, then you have also automatically enabled direct authentication.
-
Command: virtual http. Purpose: Redirects all HTTP connections that require AAA authentication to the virtual HTTP server on the ASA. The ASA prompts for the AAA server username and password. After the AAA server authenticates the user, the ASA redirects the HTTP connection back to the original server, but it does not include the AAA server username and password.
-
Command: virtual telnet ip_address. Purpose: Configures a virtual Telnet server. The ip_address argument sets the IP address for the virtual Telnet server. Make sure this address is an unused address that is routed to the ASA. Example: hostname(config)# virtual telnet 209.165.202.
-
Configuring Authorization for Network Access
After a user authenticates for a given connection, the ASA can use authorization to further control traffic from the user.
-
Step 1. Command: aaa-server. Purpose: Identifies your AAA servers. If you have already identified them, continue to the next step. For more information about identifying AAA servers, see the “Configuring AAA Server Groups” section on page 35-11.
-
Step 5. Command: aaa local authentication attempts max-fail number. Purpose: (Optional) Uses the local database for network access authentication and limits the number of consecutive failed login attempts that the ASA allows for any given user account (with the exception of users with a privilege level of 15; this feature does not affect level 15 users). The number argument value is between 1 and 16.
-
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
hostname(config)# aaa authorization match SERVER_AUTH inside AuthOutbound
Configuring RADIUS Authorization
When authentication succeeds, the RADIUS protocol returns user authorizations in the access-accept message sent by a RADIUS server.
-
Chapter 38 Configuring AAA Rules for Network Access Configuring Authorization for Network Access • Simplified and centralized management of access lists—Downloadable access lists enable you to write a set of access lists once and apply it to many user or group profiles and distribute it to many ASAs.
-
Chapter 38 Configuring AAA Rules for Network Access Configuring Authorization for Network Access ip:inacl#2=ACE-2 . . . ip:inacl#n=ACE-n The following example is of an attribute-value pair: ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0 6.
-
Chapter 38 Configuring AAA Rules for Network Access Configuring Authorization for Network Access The acl_name argument is the name that is defined on Cisco Secure ACS (acs_ten_acl in the preceding example), and number is a unique version ID generated by Cisco Secure ACS.
-
Chapter 38 Configuring AAA Rules for Network Access Configuring Accounting for Network Access Downloaded access lists have two spaces between the word “access-list” and the name. These spaces serve to differentiate a downloaded access list from a local access list. In this example, “79AD4A08” is a hash value generated by the ASA to help determine when access list definitions have changed on the RADIUS server.
-
Chapter 38 Configuring AAA Rules for Network Access Configuring Accounting for Network Access Step 1 Command Purpose access-list If you want the ASA to provide accounting data per user, you must enable authentication. For more information, see the “Configuring Network Access Authentication” section on page 38-4. If you want the ASA to provide accounting data per IP address, enabling authentication is not necessary.
-
Chapter 38 Configuring AAA Rules for Network Access Using MAC Addresses to Exempt Traffic from Authentication and Authorization Using MAC Addresses to Exempt Traffic from Authentication and Authorization The ASA can exempt from authentication and authorization any traffic from specific MAC addresses.
-
Chapter 38 Configuring AAA Rules for Network Access Feature History for AAA Rules Examples The following example bypasses authentication for a single MAC address: hostname(config)# mac-list abc permit 00a0.c95d.0282 ffff.ffff.ffff hostname(config)# aaa mac-exempt match abc The following example bypasses authentication for all Cisco IP Phones, which have the hardware ID 0003.E3: hostname(config)# mac-list acd permit 0003.E300.0000 FFFF.FF00.
-
Chapter 38 Feature History for AAA Rules Cisco ASA 5500 Series Configuration Guide using the CLI 38-22 Configuring AAA Rules for Network Access
-
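The mac-list matching shown in the two examples above, as an added Python example that is not part of the Cisco guide: it reads mac-list and aaa mac-exempt lines from a pasted configuration and reports whether a given source MAC would bypass AAA. First-match evaluation order, the deny action, and the sample configuration (including the constructed 3-byte phone-prefix mask) are assumptions, not statements from the guide.

```python
"""MAC-based AAA exemption check: added example, not from the Cisco guide.

Evaluates an ASA-style mac-list (mac-list <name> permit|deny <mac> <mask>)
against a source MAC and reports whether 'aaa mac-exempt match <name>' would
bypass authentication and authorization for that frame. Entries are assumed
to be evaluated in configured order with the first match deciding (an
assumption about ordering, not a statement from the guide)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Cisco dotted-hex notation: three groups of four hex digits, e.g. 00a0.c95d.0282
_DOTTED_HEX = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")


def mac_to_int(mac: str) -> int:
    """Parse a dotted-hex MAC address or mask into a 48-bit integer."""
    if not _DOTTED_HEX.match(mac):
        raise ValueError(f"not a dotted-hex MAC: {mac!r}")
    return int(mac.replace(".", ""), 16)


@dataclass(frozen=True)
class MacEntry:
    action: str  # "permit" exempts the traffic; "deny" leaves AAA rules in force
    mac: int
    mask: int

    def matches(self, src: int) -> bool:
        # A set mask bit must match exactly; a clear mask bit is a wildcard,
        # so ffff.ff00.0000 matches on the 3-byte vendor prefix only.
        return (src & self.mask) == (self.mac & self.mask)


def _strip_prompt(line: str) -> str:
    """Drop a leading 'hostname(config)# ' prompt if the line came from a CLI session."""
    line = line.strip()
    return line.split(")# ", 1)[1] if ")# " in line else line


def parse_mac_lists(config: str) -> dict[str, list[MacEntry]]:
    """Collect mac-list entries by list name, preserving configured order."""
    lists: dict[str, list[MacEntry]] = {}
    for raw in config.splitlines():
        parts = _strip_prompt(raw).split()
        if len(parts) == 5 and parts[0] == "mac-list" and parts[2] in ("permit", "deny"):
            entry = MacEntry(parts[2], mac_to_int(parts[3]), mac_to_int(parts[4]))
            lists.setdefault(parts[1], []).append(entry)
    return lists


def exempt_list_name(config: str) -> str | None:
    """Return the list named by 'aaa mac-exempt match <name>', or None if absent."""
    for raw in config.splitlines():
        parts = _strip_prompt(raw).split()
        if parts[:3] == ["aaa", "mac-exempt", "match"] and len(parts) == 4:
            return parts[3]
    return None


def is_exempt(config: str, src_mac: str) -> bool:
    """True when AAA authentication/authorization is bypassed for src_mac.

    A matching permit entry exempts the frame; a matching deny entry, a list
    with no match, or no aaa mac-exempt command at all means AAA still applies.
    """
    name = exempt_list_name(config)
    if name is None:
        return False
    src = mac_to_int(src_mac)
    for entry in parse_mac_lists(config).get(name, []):
        if entry.matches(src):
            return entry.action == "permit"
    return False


# Constructed sample configuration. The first line is the guide's single-host
# example; the deny entry and the 3-byte Cisco IP Phone prefix mask are
# constructed here to show first-match ordering and wildcard masking.
SAMPLE_CONFIG = """
hostname(config)# mac-list abc permit 00a0.c95d.0282 ffff.ffff.ffff
hostname(config)# mac-list abc deny 0003.e3aa.bbcc ffff.ffff.ffff
hostname(config)# mac-list abc permit 0003.e300.0000 ffff.ff00.0000
hostname(config)# aaa mac-exempt match abc
"""

if __name__ == "__main__":
    for mac in ("00a0.c95d.0282", "0003.E312.3456", "0003.e3aa.bbcc", "0011.2233.4455"):
        print(f"{mac}: {'exempt' if is_exempt(SAMPLE_CONFIG, mac) else 'AAA required'}")
```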
CHAPTER 39 Configuring Filtering Services

This chapter describes how to use filtering services to provide greater control over traffic passing through the ASA and includes the following sections:

• Information About Web Traffic Filtering, page 39-1
• Configuring ActiveX Filtering, page 39-2
• Configuring Java Applet Filtering, page 39-4
• Filtering URLs and FTP Requests with an External Server, page 39-6
• Monitoring Filtering Statistics, page 39-15

Information About Web Traffic Filtering

Configuring ActiveX Filtering

This section includes the following topics:

• Information About ActiveX Filtering, page 39-2
• Licensing Requirements for ActiveX Filtering, page 39-2
• Guidelines and Limitations for ActiveX Filtering, page 39-3
• Configuring ActiveX Filtering, page 39-3
• Configuration Examples for ActiveX Filtering, page 39-3
• Feature History for ActiveX Filtering, page 39-4

Information About ActiveX Filt

Guidelines and Limitations for ActiveX Filtering

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines
Supported in single and multiple context mode.

Firewall Mode Guidelines
Supported in routed and transparent firewall mode.

IPv6 Guidelines
Does not support IPv6.

Feature History for ActiveX Filtering

Table 39-1 lists the release history for ActiveX Filtering. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 39-1 Feature History for ActiveX Filtering
Feature Name | Platform Releases
ActiveX filtering | 7.

Configuring Java Applet Filtering

Guidelines and Limitations for Java Applet Filtering

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines
Supported in single and multiple context mode.

Firewall Mode Guidelines
Supported in routed and transparent firewall mode.

IPv6 Guidelines
Does not support IPv6.

The following example removes the configuration for downloading Java applets to a host on a protected network:

hostname(config)# no filter java http 192.168.3.3 255.255.255.255 0 0

This command allows host 192.168.3.3 to download Java applets.

Feature History for Java Applet Filtering

Table 39-1 lists the release history for Java applet filtering.

Filtering URLs and FTP Requests with an External Server

Note: URL caching will only work if the version of the URL server software from the URL server vendor supports it.

Although ASA performance is less affected when using an external server, you might notice longer access times to websites or FTP servers when the filtering server is remote from the ASA.

Identifying the Filtering Server

You can identify up to four filtering servers per context. The ASA uses the servers in order until a server responds. In single mode, a maximum of 16 filtering servers of the same type are allowed. You can only configure a single type of server (Websense or Secure Computing SmartFilter) in your configuration.

For Websense:
Purpose: Identifies the address of the filtering server. if_name is the name of the ASA interface connected to the filtering server (the default is inside). For the vendor {secure-computing | n2h2} option, use secure-computing as the vendor string; however, n2h2 is acceptable for backward compatibility.

Configuring Additional URL Filtering Settings

After you have accessed a website, the filtering server can allow the ASA to cache the server address for a certain period of time, as long as each website hosted at the address is in a category that is permitted at all times.

Caching Server Addresses

After you access a website, the filtering server can allow the ASA to cache the server address for a certain period of time, as long as each website hosted at the address is in a category that is permitted at all times. When you access the server again, or if another user accesses the server, the ASA does not need to consult the filtering server again.

Enabling HTTP Filtering

You must identify and enable the URL filtering server before enabling HTTP filtering. When the filtering server approves an HTTP connection request, the ASA allows the reply from the web server to reach the originating client. If the filtering server denies the request, the ASA redirects you to a block page, indicating that access was denied.

Truncating Long HTTP URLs

By default, if a URL exceeds the maximum permitted size, then it is dropped.

To enable HTTPS filtering, enter the following command:

Command: filter https port[-port] localIP local_mask foreign_IP foreign_mask [allow]
Purpose: Enables HTTPS filtering. Replace port[-port] with a range of port numbers if a port other than the default HTTPS port (443) is used.

Monitoring Filtering Statistics

To monitor filtering statistics, enter one of the following commands:

Command: show url-server
Purpose: Shows information about the URL filtering server.

Command: show url-server statistics
Purpose: Shows URL filtering statistics.

Command: show url-block
Purpose: Shows the number of packets held in the url-block buffer and the number (if any) dropped because of exceeding the buffer limit or retransmission.

STATUS_REQUEST               1609   1601
LOOKUP_REQUEST               1526   1526
LOG_REQUEST                  0      NA
Errors:
-------
RFC noncompliant GET method  0
URL buffer update failure    0

The following is sample output from the show url-block command:

hostname# show url-block
url-block url-mempool 128
url-block url-size 4
url-block block 128

The following is sample output from the show url-block block statistics command:

hostname# show url-block block statistics
URL Pending

Feature History for URL Filtering

Table 39-5 lists the release history for URL filtering. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 39-5 Feature History for URL Filtering
Feature Name | Platform Releases | Feature Information
URL filtering | 7.0(1) | Filters URLs based on an established set of filtering criteria.
CHAPTER 40 Configuring Web Cache Services Using WCCP

This chapter describes how to configure web caching services using WCCP, and includes the following sections:

• Information About WCCP, page 40-1
• Guidelines and Limitations, page 40-1
• Licensing Requirements for WCCP, page 40-2
• Enabling WCCP Redirection, page 40-3
• WCCP Monitoring Commands, page 40-4
• Feature History for WCCP, page 40-4

Information About WCCP

The purpose of web caching is to reduce latency and network traffic.

• Multiple routers in a service group.
• Multicast WCCP.
• The Layer 2 redirect method.
• WCCP source address spoofing.
• WAAS devices.

WCCP Interaction With Other Features

In the ASA implementation of WCCP, the protocol interacts with other configurable features according to the following:

• Cut-through proxy will not work in combination with WCCP.

Enabling WCCP Redirection

Note: The ASA selects the highest IP address configured on any interface as the WCCP router ID. This address is used to establish a GRE tunnel with the cache engine.

WCCP redirection is supported only on the ingress of an interface.

WCCP Monitoring Commands

To monitor WCCP, enter one of the following commands:

Command: show running-config wccp
Purpose: Shows the current WCCP configuration.

Command: show running-config wccp interface
Purpose: Shows the current WCCP interfaces status.

Feature History for WCCP

Table 40-2 lists the release history for this feature.

Table 40-2 Feature History for WCCP
Feature Name | Releases | Feature Information
WCCP | 7.
CHAPTER 41 Configuring Digital Certificates

This chapter describes how to configure digital certificates and includes the following sections:

• Information About Digital Certificates, page 41-1
• Licensing Requirements for Digital Certificates, page 41-7
• Prerequisites for Local Certificates, page 41-7
• Guidelines and Limitations, page 41-8
• Configuring Digital Certificates, page 41-9
• Monitoring Digital Certificates, page 41-41
• Feature History for Certificate Management, page 41-4

Information About Digital Certificates

Public Key Cryptography

Digital signatures, enabled by public key cryptography, provide a way to authenticate devices and users. In public key cryptography, such as the RSA encryption system, each user has a key pair containing both a public and a private key. The keys act as complements, and anything encrypted with one of the keys can be decrypted with the other.

• For the purposes of generating keys, the maximum key modulus for RSA keys is 2048 bits. The default size is 1024. Many SSL connections using identity certificates with RSA key pairs that exceed 1024 bits can cause high CPU usage on the ASA and rejected clientless logins.
• For signature operations, the supported maximum key size is 4096 bits.

The ASA does not support polling for certificates. The ASA supports load balancing for this feature.

Revocation Checking

When a certificate is issued, it is valid for a fixed period of time. Sometimes a CA revokes a certificate before this time period expires; for example, because of security concerns or a change of name or association. CAs periodically issue a signed list of revoked certificates.

The ASA can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each trustpoint are cached for a configurable amount of time for each trustpoint. When the ASA has cached a CRL for longer than the amount of time it is configured to cache CRLs, the ASA considers the CRL too old to be reliable, or "stale."

configuring validating responder certificates external to the validation path of the client certificate. The OCSP server (responder) certificate usually signs the OCSP response. After receiving the response, the ASA tries to verify the responder certificate. The CA normally sets the lifetime of the OCSP responder certificate to a relatively short period to minimize the chance of its being compromised.

Figure 41-1 The Local CA (figure: ASDM and CLI configuration and management; user enrollment webpage for PKCS12 users; certificate enrollment and retrieval; local database in flash memory or a mounted external file system (CIFS or FTP); HTTP CRL retrieval; security device with local CA configured)

Licensing Requirements for Digital Certificates

The following table shows the licensing requirements for this feature: Mo

• An SSL port must be open for IKEv2 VPN connections.
• The CA must be in auto-grant mode.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines
• Supported in single and multiple context mode for a local CA.
• Supported in single context mode only for third-party CAs.

Firewall Mode Guidelines
Supported in routed and transparent firewall mode.

Configuring Digital Certificates

This section describes how to configure local CA certificates. Make sure that you follow the sequence of tasks listed to correctly configure this type of digital certificate.

Step 3
Command: show crypto key name of key
Purpose: Verifies key pairs that you have generated.
Example: hostname/contexta(config)# show crypto key examplekey

Step 4
Command: write memory
Purpose: Saves the key pair that you have generated.
Example: hostname(config)# write memory

Removing Key Pairs

To remove key pairs, perform the following steps:

Command: crypto key zeroize rsa
Purpose: Removes key pairs.

Command: enrollment url url
Purpose: Requests automatic enrollment using SCEP with the specified trustpoint and configures the enrollment URL.
Example: hostname/contexta(config-ca-trustpoint)# enrollment url http://10.29.67.142:80/certsrv/mscep/mscep.dll

Requests manual enrollment with the specified trustpoint by pasting the certificate received from the CA into the terminal.

Step 9
Command: ip-address ip-address
Purpose: During enrollment, asks the CA to include the IP address of the ASA in the certificate.
Example: hostname/contexta(config-ca-trustpoint)# ip-address 10.10.100.1

Step 10
Command: keypair name
Purpose: Specifies the key pair whose public key is to be certified.

Step 17
Command: serial-number
Purpose: During enrollment, asks the CA to include the ASA serial number in the certificate.
Example: hostname/contexta(config-ca-trustpoint)# serial-number JMX1213L2A7

Step 18
Command: write memory
Purpose: Saves the running configuration.

Command: policy both
Purpose: Configures the retrieval policy. CRLs are retrieved from CRL distribution points specified in authenticated certificates and from URLs that you configure. To continue, go to Step 4.
Example: hostname(config-ca-crl)# policy both

Step 4
Command: url n url
Purpose: If you used the keywords static or both when you configured the CRL policy, you must configure URLs for CRL retrieval.

Step 10
Command: crypto ca crl request trustpoint
Purpose: Retrieves the current CRL from the CA represented by the specified trustpoint and tests the CRL configuration for the current trustpoint.
Example: hostname(config-ca-crl)# crypto ca crl request Main

Step 11
Saves the running configuration.

Importing a Trustpoint Configuration

To import a trustpoint configuration, enter the following command:

Command: crypto ca import trustpoint pkcs12
Purpose: Imports keypairs and issued certificates that are associated with a trustpoint configuration. The ASA prompts you to paste the text into the terminal in base 64 format.

Configuring CA Certificate Map Rules

You can configure rules based on the Issuer and Subject fields of a certificate. Using the rules you create, you can map IPsec peer certificates to tunnel groups with the tunnel-group-map command. The ASA supports one CA certificate map, which can include many rules.

Obtaining Certificates Manually

To obtain certificates manually, perform the following steps:

Step 1
Command: crypto ca authenticate trustpoint
Purpose: Imports the CA certificate for the configured trustpoint.
Example:
hostname(config)# crypto ca authenticate Main
Enter the base 64 encoded CA certificate.

Step 3
Command: crypto ca import trustpoint certificate
Purpose: Imports each certificate you receive from the CA. Requests that you paste the certificate to the terminal in base-64 format.
Example:
hostname(config)# crypto ca import Main certificate
% The fully-qualified domain name in the certificate will be: securityappliance.example.com
Enter the base 64 encoded certificate.

Obtaining Certificates Automatically with SCEP

To obtain certificates automatically using SCEP, perform the following steps:

Step 1
Command: crypto ca authenticate trustpoint
Purpose: Obtains the CA certificate for the configured trustpoint.

Step 3
Command: show crypto ca server certificate
Purpose: Verifies that the enrollment process was successful by displaying certificate details issued for the ASA and the CA certificate for the trustpoint.
Example: hostname/contexta(config)# show crypto ca server certificate Main

Step 4
Command: write memory
Purpose: Saves the running configuration.

Step 5
Command: secondary-pre-fill-username ssl-client hide use-common-password password
Purpose: Hides the secondary prefill username for AnyConnect VPN sessions. Despite the ssl-client keyword inherited from earlier releases, use this command to support AnyConnect sessions that use either IKEv2 or SSL.

hostname(config-ca-server)# no shutdown
% Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: caserver
Re-enter password: caserver
Keypair generation process begin. Please wait...

Step 3
Command: subject-name-default dn
Purpose: (Optional) Specifies the subject-name DN that is appended to each username on issued certificates. The subject-name DN and the username combine to form the DN in all user certificates that are issued by the local CA server.

Customizing the Local CA Server

To configure a customized local CA server, perform the following steps:

Step 1
Command: crypto ca server
Purpose: Enters local CA server configuration mode. Allows you to configure and manage a local CA.
Example: hostname(config)# crypto ca server

Step 2
Specifies parameters that do not have default values.

Debugging the Local CA Server

To debug the newly configured local CA server, perform the following steps:

Step 1
Command: crypto ca server
Purpose: Enters local CA server configuration mode. Allows you to configure and manage a local CA.
Example: hostname(config)# crypto ca server

Step 2
Displays debugging messages when you configure and enable the local CA server.

Command: no crypto ca server
Purpose: Removes an existing local CA server (either enabled or disabled).
Note: Deleting the local CA server removes the configuration from the ASA. After the configuration has been deleted, it is unrecoverable.

Configuring the Issuer Name

To configure the certificate issuer name, perform the following steps:

Step 1
Command: crypto ca server
Purpose: Enters local CA server configuration mode. Allows you to configure and manage a local CA.
Example: hostname(config)# crypto ca server

Step 2
Command: issuer-name DN-string
Example: hostname(config-ca-server)# issuer-name CN=xx5520,CN=30.132.0.

Step 2
Command: lifetime ca-certificate time
Purpose: Determines the expiration date included in the certificate. The default lifetime of a local CA certificate is three years. Make sure that you limit the validity period of the certificate to less than the recommended end date of 03:14:08 UTC, January 19, 2038.
Example: hostname(config-ca-server)# lifetime ca-certificate 365

Configuring the CRL Lifetime

To configure the CRL lifetime, perform the following steps:

Step 1
Command: crypto ca server
Purpose: Enters local CA server configuration mode. Allows you to configure and manage a local CA.
Example: hostname(config)# crypto ca server

Step 2
Command: lifetime crl time
Purpose: Sets the length of time that you want the CRL to remain valid.

Examples

The following is sample output that shows two user certificates in the database.

Step 3
Command: crypto ca server
Purpose: Enters local CA server configuration mode. Allows you to configure and manage a local CA.
Example: hostname(config)# crypto ca server

Step 4
Command: database path mount-name directory-path
Purpose: Specifies the location of mydata, the premounted CIFS file system to be used for the local CA server database.
Example: hostname(config-ca-server)# database path mydata:newuser

Downloading CRLs

To make the CRL available for HTTP download on a given interface or port, perform the following steps:

Step 1
Command: crypto ca server
Purpose: Enters local CA server configuration mode. Allows you to configure and manage a local CA.

Storing CRLs

To establish a specific location for the automatically generated CRL of the local CA, perform the following steps:

Step 1
Command: crypto ca server
Purpose: Enters local CA server configuration mode. Allows you to configure and manage a local CA.
Example: hostname(config)# crypto ca server

Step 2
Command: cdp-url url
Example: hostname(config-ca-server)# cdp-url http://172.16.1.1/pathname/myca.

Setting Up Enrollment Parameters

To set up enrollment parameters, perform the following steps:

Step 1
Command: crypto ca server
Purpose: Enters local CA server configuration mode. Allows you to configure and manage a local CA.

Adding and Enrolling Users

To add a user who is eligible for enrollment in the local CA database, perform the following steps:

Step 1
Command: crypto ca server user-db add username [dn dn] [email emailaddress]
Purpose: Adds a new user to the local CA database. Options are as follows:
• username: A string of 4-64 characters, which is the simple username for the user being added.

Step 4
Command: crypto ca server user-db show-otp
Purpose: Shows the issued OTP.
Example: hostname(config-ca-server)# crypto ca server user-db show-otp

Step 5
Command: otp expiration timeout
Purpose: Sets the enrollment time limit in hours. The default expiration time is 72 hours. The otp expiration command defines the amount of time that the OTP is valid for user enrollment.
Example: hostname(config-ca-server)# otp expiration 24

Renewing Users

To specify the timing of renewal notices, perform the following steps:

Step 1
Command: crypto ca server
Purpose: Enters local CA server configuration mode. Allows you to configure and manage a local CA.

Restoring Users

To restore a user and a previously revoked certificate that was issued by the local CA server, perform the following steps:

Step 1
Command: crypto ca server
Purpose: Enters local CA server configuration mode. Allows you to configure and manage a local CA.

Revoking Certificates

To revoke a user certificate, perform the following steps:

Step 1
Command: crypto ca server
Purpose: Enters local CA server configuration mode. Allows you to configure and manage a local CA.

END OF CERTIFICATE

Archiving the Local CA Server Certificate and Keypair

To archive the local CA server certificate and keypair, enter the following command:

Command: copy
Purpose: Copies the local CA server certificate and keypair and all files from the ASA using either FTP or TFTP.
Example: hostname# copy LOCAL-CA-SERVER_0001.p12 tftp://10.1.1.

Monitoring Digital Certificates

Examples

The following example shows an RSA general-purpose key:

hostname/contexta(config)# show crypto key mypubkey
Key pair was generated at: 16:39:47 central Feb 10 2010
Key name:
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 0781848f 78bccac2 4a1b5b8d 2f3e30b4 4cae9f86 f4485207 9eeb0f5d 45fd1811 3b4aafce 292b3b64 b4124a6f 7a777b08 5508e9e

Feature History for Certificate Management

Table 41-1 lists each feature change and the platform release in which it was implemented.

Table 41-1 Feature History for Certificate Management
Feature Name | Platform Releases | Feature Information
Certificate management | 7.0(1) | Digital certificates (including CA certificates, identity certificates, and code signer certificates) provide digital identification for authentication.

Table 41-1 Feature History for Certificate Management (continued)
Feature Name | Platform Releases | Feature Information
Certificate management | 8.
PART 10 Configuring Application Inspection
CH A P T E R 42 Getting Started with Application Layer Protocol Inspection This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports.
-
Chapter 42 Getting Started with Application Layer Protocol Inspection Information about Application Layer Protocol Inspection Figure 42-1 How Inspection Engines Work ACL 2 Client ASA 6 7 5 3 XLATE CONN Server 4 Inspection 132875 1 In Figure 42-1, operations are numbered in the order they occur, and are described as follows: 1. A TCP SYN packet arrives at the ASA to establish a new connection. 2. The ASA checks the access list database to determine if the connection is permitted. 3.
-
Chapter 42 Getting Started with Application Layer Protocol Inspection Guidelines and Limitations When you enable application inspection for a service that embeds IP addresses, the ASA translates embedded addresses and updates any checksum or other fields that are affected by the translation.
-
Chapter 42 Getting Started with Application Layer Protocol Inspection Default Settings • The ASA sends a TCP reset to the outside host when the service resetinbound command is enabled. (The service resetinbound command is disabled by default.) For more information, see the service command in the ASA command reference. This behavior ensures that a reset action will reset the connections on the ASA and on inside servers; therefore countering denial of service attacks.
-
Chapter 42 Getting Started with Application Layer Protocol Inspection Default Settings Table 42-1 Supported Application Inspection Engines (continued) Application1 Default Port NAT Limitations Standards2 Comments IP Options — — RFC 791, RFC 2113 All IP Options traffic is matched in the default class map. MGCP UDP/2427, 2727 No extended PAT. RFC 2705bis-05 — MMP TCP 5443 No extended PAT. — — NetBIOS Name Server over IP UDP/137, No extended PAT.
-
Chapter 42 Getting Started with Application Layer Protocol Inspection Configuring Application Layer Protocol Inspection class-map inspection_default match default-inspection-traffic policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netb
-
Configuring Application Layer Protocol Inspection Tip We suggest that you only inspect traffic on ports on which you expect application traffic; if you inspect all traffic, for example using match any, the ASA performance can be impacted. If you want to match non-standard ports, then create a new class map for the non-standard ports. See the “Default Settings” section on page 42-4 for the standard ports for each inspection engine.
-
Configuring Application Layer Protocol Inspection Step 3
• Instant Messaging—See the “Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control” section on page 43-21
• IP Options—See the “Configuring an IP Options Inspection Policy Map for Additional Inspection Control” section on page 43-25
• MGCP—See the “Configuring an MGCP Inspection Policy Map for Additional Inspection Control” section on page
-
Configuring Application Layer Protocol Inspection
Table 42-2 Protocol Keywords
Keywords | Notes
ctiqbe | —
dcerpc [map_name] | If you added a DCERPC inspection policy map according to “Configuring a DCERPC Inspection Policy Map for Additional Inspection Control” section on page 46-2, identify the map name in this command.
-
Configuring Application Layer Protocol Inspection
Table 42-2 Protocol Keywords
Keywords | Notes
icmp error | —
ils | —
im [map_name] | If you added an Instant Messaging inspection policy map according to “Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control” section on page 43-21, identify the map name in this command.
-
Configuring Application Layer Protocol Inspection Step 6
Table 42-2 Protocol Keywords
Keywords | Notes
sqlnet | —
sunrpc | The default class map includes UDP port 111; if you want to enable Sun RPC inspection for TCP port 111, you need to create a new class map that matches TCP port 111, add the class to the policy, and then apply the inspect sunrpc command to that class.
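The non-standard-port pattern from the Tip above and the Sun RPC over TCP case from Table 42-2, written out as an added configuration example that is not taken from the guide; the class-map names sunrpc-tcp and ftp-alt are my own, and the alternate FTP port 2121 is a constructed value.

```cisco
! Added example, not from the guide: extra class maps for ports that the
! default inspection class does not cover, attached to the default
! global_policy so they take effect on every interface.
!
! Sun RPC over TCP port 111 (the default class only matches UDP/111)
class-map sunrpc-tcp
 match port tcp eq 111
!
! FTP on a non-standard port (2121 is a constructed value); keeping
! the match narrow avoids the performance cost of inspecting all traffic
class-map ftp-alt
 match port tcp eq 2121
!
policy-map global_policy
 class sunrpc-tcp
  inspect sunrpc
 class ftp-alt
  inspect ftp strict
!
! global_policy is already applied in the default configuration:
! service-policy global_policy global
```

Check the result with show service-policy inspect sunrpc and show service-policy inspect ftp, which list the packet and drop counters per class.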
-
Chapter 43 Configuring Inspection of Basic Internet Protocols This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection instead of passing the packet through the fast path. As a result, inspection engines can affect overall throughput.
-
DNS Inspection
• Configuring a DNS Inspection Policy Map for Additional Inspection Control, page 43-7
• Verifying and Monitoring DNS Inspection, page 43-10
How DNS Application Inspection Works The ASA tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the ASA. The ASA also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.
-
DNS Inspection For details about the configuration required see the “Configuring DNS Rewrite” section on page 43-3. DNS Rewrite performs two functions:
• Translating a public address (the routable or “mapped” address) in a DNS reply to a private address (the “real” address) when the DNS client is on a private interface.
• Translating a private address to a public address when the DNS client is on the public interface.
-
DNS Inspection Configuring DNS Rewrite with Two NAT Zones To implement a DNS Rewrite scenario similar to the one shown in Figure 43-1, perform the following steps:
Step 1 Create a static translation for the web server using the dns option. See Chapter 30, “Configuring Network Object NAT.”
Step 2 Create an access list that permits traffic to the port that the web server listens to for HTTP requests.
-
DNS Inspection Figure 43-2 DNS Rewrite with Three NAT Zones (figure: a DNS server on the Outside holding the record server.example.com IN A 209.165.200.5; the security appliance with interface addresses 192.168.100.1 (DMZ), 10.10.10.1 (Inside) and 99.99.99.2; a web server 192.168.100.10 on the DMZ; a web client 10.10.10.25 on the Inside) In Figure 43-2, a web server, server.example.com, has the real address 192.168.100.10 on the DMZ interface of the ASA. A web client with the IP address 10.10.10.
-
DNS Inspection 3. The ASA receives the DNS reply and submits it to the DNS application inspection engine. 4. The DNS application inspection engine does the following: a. Searches for any NAT rule to undo the translation of the embedded A-record address “[outside]:209.165.200.5”. In this example, it finds the following static configuration:
object network obj-192.168.100.10-01
 host 192.168.100.10
 nat (dmz,outside) static 209.165.200.
-
DNS Inspection where domain-qualified-hostname is the hostname with a domain suffix, as in server.example.com. The period after the hostname is important. mapped-address is the translated IP address of the web server. The following example configures the ASA for the scenario shown in Figure 43-2. It assumes DNS inspection is already enabled.
hostname(config)# object network obj-192.168.100.10-01
hostname(config-network-object)# host 192.168.
-
DNS Inspection For the traffic that you identify in this class map, you can specify actions such as drop, drop-connection, reset, mask, set the rate limit, and/or log the connection in the inspection policy map. If you want to perform different actions for each match command, you should identify the traffic directly in the policy map. a.
-
DNS Inspection Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
Step 5 (Optional) To add a description to the policy map, enter the following command:
hostname(config-pmap)# description string
Step 6 To apply actions to matching traffic, perform the following steps. a.
-
DNS Inspection
hostname(config-pmap-p)# tsig enforced action {drop [log] | log}
Where the count string argument specifies the maximum number of mismatch instances before a system message log is sent. The duration seconds specifies the period, in seconds, to monitor. The following example shows how to define a DNS inspection policy map.
hostname(config)# regex domain_example “example\.com”
hostname(config)# regex domain_foo “foo\.
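The three-NAT-zone DNS Rewrite scenario of Figure 43-2 together with a DNS inspection policy map using the parameters just described, as one added configuration example that is not the guide's own; the addresses and the object name obj-192.168.100.10-01 come from the figure and text above, while the access-list name OUTSIDE, the map name dns_rewrite_map and the id-mismatch count and duration values are my own assumptions.

```cisco
! Added example, not from the guide. Addresses are those of Figure 43-2;
! the names OUTSIDE and dns_rewrite_map are assumptions.
!
! Step 1: static NAT for the DMZ web server with the dns keyword, so that
! DNS inspection rewrites 209.165.200.5 in A-records to 192.168.100.10
! when the reply is delivered to a client on a private interface.
! (The DNS server itself keeps the public record:
!  server.example.com. IN A 209.165.200.5)
object network obj-192.168.100.10-01
 host 192.168.100.10
 nat (dmz,outside) static 209.165.200.5 dns
!
! Step 2: permit HTTP from the outside to the mapped address
access-list OUTSIDE extended permit tcp any host 209.165.200.5 eq www
access-group OUTSIDE in interface outside
!
! DNS inspection policy map: keep nat-rewrite enabled (it is the default),
! bound the message size, log bursts of reply-ID mismatches, and drop
! messages whose TSIG resource record is missing or malformed.
policy-map type inspect dns dns_rewrite_map
 parameters
  message-length maximum 512
  nat-rewrite
  protocol-enforcement
  id-mismatch count 10 duration 2 action log
  tsig enforced action drop log
!
! Replace the preset map on the default class; only one inspect dns
! statement is allowed per class, so the old one is removed first.
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
  inspect dns dns_rewrite_map
```

After a client on the inside resolves server.example.com, show xlate and show service-policy inspect dns confirm that the translation was used and that the rewrite counters increment.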
-
FTP Inspection
Service-policy: sample_policy
 Class-map: dns_port
  Inspect: dns maximum-length 1500, packet 0, drop 0, reset-drop 0
FTP Inspection This section describes the FTP inspection engine.
-
FTP Inspection Caution Using the strict option may cause the failure of FTP clients that are not strictly compliant with FTP RFCs. If the strict option is enabled, each FTP command and response sequence is tracked for the following anomalous activity:
• Truncated command—Number of commas in the PORT and PASV reply command is checked to see if it is five.
-
FTP Inspection
Step 2 (Optional) Create one or more regular expression class maps to group regular expressions according to the “Creating a Regular Expression Class Map” section on page 13-15.
Step 3 (Optional) Create an FTP inspection class map by performing the following steps. A class map groups multiple traffic matches. Traffic must match all of the match commands to match the class map.
-
FTP Inspection
Table 43-1 FTP Map request-command deny Options
request-command deny Option | Purpose
appe | Disallows the command that appends to a file.
cdup | Disallows the command that changes to the parent directory of the current working directory.
dele | Disallows the command that deletes a file on the server.
get | Disallows the client command for retrieving a file from the server.
-
FTP Inspection
• Specify the FTP class map that you created in Step 3 by entering the following command:
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#
b. Specify traffic directly in the policy map using one of the match commands described in Step 3. If you use a match not command, then any traffic that does not match the criterion in the match not command has the action applied.
-
HTTP Inspection
hostname(config-pmap)# class ftp-traffic
hostname(config-pmap-c)# inspect ftp strict mymap
hostname(config)# service-policy ftp-policy interface inside
Verifying and Monitoring FTP Inspection FTP application inspection generates the following log messages:
• An Audit record 303002 is generated for each file that is retrieved or uploaded.
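A complete FTP inspection policy map that denies the write and rename commands listed in Table 43-1 and applies strict inspection on the inside interface, as an added example that is not the guide's own; the names mymap, ftp-traffic and ftp-policy follow the guide's fragment above, and the choice of denied commands is mine.

```cisco
! Added example, not from the guide: read-only FTP through the ASA.
! Map and policy names follow the guide's example; the denied-command
! set is an assumption for a server that should only serve downloads.
policy-map type inspect ftp mymap
 parameters
  ! hide the server greeting and the SYST reply (server OS) from clients
  mask-banner
  mask-syst-reply
 ! any of these request commands closes the connection with a TCP reset
 ! and a syslog entry; get, cdup and help remain allowed
 match request-command appe dele put rmd rnfr rnto site stou
  reset log
!
! match only the FTP control port, not all traffic
class-map ftp-traffic
 match port tcp eq ftp
!
policy-map ftp-policy
 class ftp-traffic
  ! strict: PORT/PASV command-response sequences are validated as well
  inspect ftp strict mymap
!
service-policy ftp-policy interface inside
```

Audit record 303002 still logs every retrieved file; denied commands show up as reset counters in show service-policy inspect ftp.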
-
HTTP Inspection Configuring an HTTP Inspection Policy Map for Additional Inspection Control To specify actions when a message violates a parameter, create an HTTP inspection policy map. You can then apply the inspection policy map when you enable HTTP inspection. Note When you enable HTTP inspection with an inspection policy map, strict HTTP inspection with the action reset and log is enabled by default.
-
HTTP Inspection Where the regex_name is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2. e.
-
HTTP Inspection Where the field is the predefined message header keyword. The regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2. The length gt max_bytes is the maximum message body length in bytes. The count gt max_count is the maximum number of header fields. k.
-
ICMP Inspection Step 7 To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
b.
-
ICMP Error Inspection ICMP Error Inspection When this feature is enabled, the ASA creates translation sessions for intermediate hops that send ICMP error messages, based on the NAT configuration. The ASA overwrites the packet with the translated IP addresses. When disabled, the ASA does not create translation sessions for intermediate nodes that generate ICMP error messages.
-
Instant Messaging Inspection To create an IM inspection policy map, perform the following steps: Step 1 (Optional) Add one or more regular expressions for use in traffic matching commands according to the “Creating a Regular Expression” section on page 13-12. See the types of text you can match in the match commands described in Step 3.
-
Instant Messaging Inspection Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2. g.
-
IP Options Inspection Where the drop-connection action closes the connection. The reset action closes the connection and sends a TCP reset to the client. The log action sends a system log message when this policy map matches traffic. The following example shows how to define an IM inspection policy map.
-
IP Options Inspection IP Options Inspection Overview Each IP packet contains an IP header with the Options field. The Options field, commonly referred to as IP Options, provides for control functions that are required in some situations but unnecessary for most common communications. In particular, IP Options include provisions for time stamps, security, and special routing.
-
IPsec Pass Through Inspection Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
Step 2 (Optional) To add a description to the policy map, enter the following command:
hostname(config-pmap)# description string
Step 3 To configure parameters that affect the inspection engine, perform the following steps: a.
-
IPv6 Inspection IPsec Pass Through Inspection Overview Internet Protocol Security (IPsec) is a protocol suite for securing IP communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.
-
NetBIOS Inspection
• Authentication
• Encapsulating Security Payload
In addition, default IPv6 inspection checks conformance to RFC 2460 for type and order of extension headers in IPv6 packets:
• IPv6 header
• Hop-by-Hop Options header (0)
• Destination Options header (60)
• Routing header (43)
• Fragment header (44)
• Authentication (51)
• Encapsulating Security Payload header (50)
• Destination Options header (60)
• No Ne
-
NetBIOS Inspection Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control To specify actions when a message violates a parameter, create a NETBIOS inspection policy map. You can then apply the inspection policy map when you enable NETBIOS inspection.
-
PPTP Inspection You can specify multiple class or match commands in the policy map. For information about the order of class and match commands, see the “Defining Actions in an Inspection Policy Map” section on page 33-2. Step 6 To configure parameters that affect the inspection engine, perform the following steps: a.
-
SMTP and Extended SMTP Inspection However, when used for VPN by Windows, the interaction is inverted. The PNS is a remote single-user PC that initiates connection to the head-end PAC to gain access to a central network. SMTP and Extended SMTP Inspection This section describes the SMTP and ESMTP inspection engine.
-
SMTP and Extended SMTP Inspection
• The MAIL and RCPT commands specify who are the sender and the receiver of the mail. Mail addresses are scanned for strange characters. The pipeline character (|) is deleted (changed to a blank space) and “<” and “>” are only allowed if they are used to define a mail address (“>” must be preceded by “<”).
• Unexpected transition by the SMTP server.
-
SMTP and Extended SMTP Inspection
hostname(config-pmap-c)# {[drop [send-protocol-error] | drop-connection [send-protocol-error] | mask | reset] [log] | rate-limit message_rate}
Not all options are available for each match or class command. See the CLI help or the command reference for the exact options available. The drop keyword drops all packets that match. The send-protocol-error keyword sends a protocol error message.
-
TFTP Inspection TFTP Inspection TFTP inspection is enabled by default. TFTP, described in RFC 1350, is a simple protocol to read and write files between a TFTP server and client. The ASA inspects TFTP traffic and dynamically creates connections and translations, if necessary, to permit file transfer between a TFTP client and server.
-
Chapter 44 Configuring Inspection for Voice and Video Protocols This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection instead of passing the packet through the fast path. As a result, inspection engines can affect overall throughput.
-
CTIQBE Inspection Limitations and Restrictions The following summarizes limitations that apply when using CTIQBE application inspection:
• CTIQBE application inspection does not support configurations with the alias command.
• Stateful failover of CTIQBE calls is not supported.
• Entering the debug ctiqbe command may delay message transmission, which may have a performance impact in a real-time environment.
-
H.323 Inspection The line beginning with RTP/RTCP: PAT xlates: appears only if an internal CTI device has registered with an external CallManager and the CTI device address and ports are PATed to that external interface. This line does not appear if the CallManager is located on an internal interface, or if the internal CTI device address and ports are translated to the same external interface that is used by the CallManager.
-
H.323 Inspection H.323 Inspection Overview H.323 inspection provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union for multimedia conferences over LANs. The ASA supports H.323 through Version 6, including H.323 v3 feature Multiple Calls on One Call Signaling Channel. With H.
-
H.323 Inspection After inspecting the H.225 messages, the ASA opens the H.245 channel and then inspects traffic sent over the H.245 channel as well. All H.245 messages passing through the ASA undergo H.245 application inspection, which translates embedded IP addresses and opens the media channels negotiated in H.245 messages. The H.323 ITU standard requires that a TPKT header, defining the length of the message, precede the H.225 and H.
-
H.323 Inspection
• Static PAT may not properly translate IP addresses embedded in optional fields within H.323 messages. If you experience this kind of problem, do not use static PAT with H.323.
• H.323 application inspection is not supported with NAT between same-security-level interfaces.
• When a NetMeeting client registers with an H.323 gatekeeper and tries to call an H.323 gateway that is also registered with the H.
-
H.323 Inspection Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2.
d. (Optional) To match a media type, enter the following command:
hostname(config-cmap)# match [not] media-type {audio | data | video}
Step 4 Create an H.
-
H.323 Inspection b. To enable call setup between H.323 endpoints, enter the following command:
hostname(config)# ras-rcf-pinholes enable
You can enable call setup between H.323 endpoints when the Gatekeeper is inside the network. The ASA includes options to open pinholes for calls based on the RegistrationRequest/RegistrationConfirm (RRQ/RCF) messages.
-
H.323 Inspection
hostname(config-pmap-c)# match called-party regex caller1
hostname(config-pmap-c)# match calling-party regex caller2
hostname(config)# policy-map type inspect h323 h323_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# class h323_traffic
hostname(config-pmap-c)# drop
Configuring H.323 and H.225 Timeout Values To configure the idle time after which an H.
-
H.323 Inspection For the local endpoint 10.130.56.4 and foreign host 172.30.254.205, there are 0 concurrent calls. This means that there is no active call between the endpoints even though the H.225 session still exists. This could happen if, at the time of the show h225 command, the call has already ended but the H.225 session has not yet been deleted.
-
MGCP Inspection MGCP Inspection This section describes MGCP application inspection.
-
MGCP Inspection Figure 44-1 Using NAT with MGCP (figure: a Cisco PGW 2200 toward the PSTN and a Cisco CallManager, with addresses 209.165.201.10, 209.165.201.11 and 209.165.201.1 on their side; MGCP, SCCP and H.323 signaling; gateways (GW) and IP phones in branch offices behind NAT; the gateway is told to send its media to 209.165.200.231, the public address of the IP Phone, which is 10.0.0.76 internally; RTP to 10.0.0.76 from 209.165.200.231; RTP to 209.165.201.1 from 209.165.200.
-
MGCP Inspection
• The port on which the call agent receives commands from the gateway. Call agents usually listen to UDP port 2727.
Note MGCP inspection does not support the use of different IP addresses for MGCP signaling and RTP data.
-
MGCP Inspection d. If you want to change the maximum number of commands allowed in the MGCP command queue, enter the following command:
hostname(config-pmap-p)# command-queue command_limit
The following example shows how to define an MGCP map:
hostname(config)# policy-map type inspect mgcp sample_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# call-agent 10.10.11.5 101
hostname(config-pmap-p)# call-agent 10.10.11.
-
RTSP Inspection The following is sample output from the show mgcp sessions detail command.
hostname# show mgcp sessions detail
1 in use, 1 most used
Session active 0:00:14
 Gateway IP host-pc-2
 Call ID 9876543210abcdef
 Connection ID 6789af54c9
 Endpoint name aaln/1
 Media lcl port 6166
 Media rmt IP 192.168.5.7
 Media rmt port 6058
RTSP Inspection This section describes RTSP application inspection.
-
RTSP Inspection Using RealPlayer When using RealPlayer, it is important to properly configure transport mode. For the ASA, add an access-list command from the server to the client or vice versa. For RealPlayer, change transport mode by clicking Options>Preferences>Transport>RTSP Settings. If using TCP mode on the RealPlayer, select the Use TCP to Connect to Server and Attempt to use TCP for all content check boxes.
-
RTSP Inspection To specify traffic that should not match the class map, use the match not command. For example, if the match not command specifies the string “example.com,” then any traffic that includes “example.com” does not match the class map. For the traffic that you identify in this class map, you can specify actions such as drop-connection and/or log the connection in the inspection policy map.
-
RTSP Inspection Not all options are available for each match or class command. See the CLI help or the command reference for the exact options available. The drop keyword drops all packets that match. The send-protocol-error keyword sends a protocol error message. The drop-connection keyword drops the packet and closes the connection. The mask keyword masks out the matching portion of the packet.
-
SIP Inspection SIP Inspection This section describes SIP application inspection.
-
SIP Inspection
• Session Initiation Protocol (SIP)-Specific Event Notification, RFC 3265
• Session Initiation Protocol (SIP) Extension for Instant Messaging, RFC 3428
MESSAGE/INFO requests can come in at any time after registration/subscription. For example, two users can be online at any time, but not chat for hours. Therefore, the SIP inspection engine opens pinholes that time out according to the configured SIP timeout value.
-
SIP Inspection
Step 2 (Optional) Create one or more regular expression class maps to group regular expressions according to the “Creating a Regular Expression Class Map” section on page 13-15.
Step 3 (Optional) Create a SIP inspection class map by performing the following steps. A class map groups multiple traffic matches. Traffic must match all of the match commands to match the class map.
-
SIP Inspection Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2.
h. (Optional) To match a SIP via header, enter the following command:
hostname(config-cmap)# match [not] message-path regex {class class_name | regex_name}
Where the regex regex_name argument is the regular expression you created in Step 1.
-
SIP Inspection The drop-connection keyword drops the packet and closes the connection. The mask keyword masks out the matching portion of the packet. The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server and/or client. The log keyword, which you can use alone or with one of the other keywords, sends a system log message. The rate-limit message_rate argument limits the rate of messages.
-
Skinny (SCCP) Inspection state Active, idle 0:00:06 This sample shows two active SIP sessions on the ASA (as shown in the Total field). Each call-id represents a call. The first session, with the call-id c3943000-960ca-2e43-228f@10.130.56.44, is in the state Call Init, which means the session is still in call setup. Call setup is not complete until a final response to the call has been received.
-
Skinny (SCCP) Inspection Supporting Cisco IP Phones Note For specific information about setting up the Phone Proxy on the ASA, which is part of the Cisco Unified Communications architecture and supports IP phone deployment, see Chapter 48, “Configuring the Cisco Phone Proxy.”
-
Skinny (SCCP) Inspection To create an SCCP inspection policy map, perform the following steps: Step 1 (Optional) Add one or more regular expressions for use in traffic matching commands according to the “Configuring Regular Expressions” section on page 13-12. See the types of text you can match in the match commands described in Step 3.
-
Skinny (SCCP) Inspection b. To enforce registration before calls can be placed, enter the following command:
hostname(config-pmap-p)# enforce-registration
c. To set the maximum SCCP station message ID allowed, enter the following command:
hostname(config-pmap-p)# message-ID max hex_value
Where the hex_value argument is the station message ID in hex. d.
-
Skinny (SCCP) Inspection The output indicates that a call has been established between two internal Cisco IP Phones. The RTP listening ports of the first and second phones are UDP 22948 and 20798 respectively.
-
Chapter 45 Configuring Inspection of Database and Directory Protocols This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection instead of passing the packet through the fast path. As a result, inspection engines can affect overall throughput.
-
SQL*Net Inspection During connection negotiation time, a BIND PDU is sent from the client to the server. Once a successful BIND RESPONSE from the server is received, other operational messages may be exchanged (such as ADD, DEL, SEARCH, or MODIFY) to perform operations on the ILS Directory. The ADD REQUEST and SEARCH RESPONSE PDUs may contain IP addresses of NetMeeting peers, used by H.
-
Sun RPC Inspection SQL*Net Version 2 TNSFrame types (Connect, Accept, Refuse, Resend, and Marker) will not be scanned for addresses to NAT nor will inspection open dynamic connections for any embedded ports in the packet. SQL*Net Version 2 TNSFrames, Redirect, and Data packets will be scanned for ports to open and addresses to NAT, if preceded by a REDIRECT TNSFrame type with a zero data length for the payload.
-
Sun RPC Inspection Managing Sun RPC Services Use the Sun RPC services table to control Sun RPC traffic through the ASA based on established Sun RPC sessions.
-
Sun RPC Inspection
sunrpc-server inside 192.168.100.2 255.255.255.255 service 100003 protocol UDP port 111 timeout 0:30:00
sunrpc-server inside 192.168.100.2 255.255.255.255 service 100005 protocol UDP port 111 timeout 0:30:00
This output shows that a timeout interval of 30 minutes is configured on UDP port 111 for the Sun RPC server with the IP address 192.168.100.2 on the inside interface.
-
Chapter 46 Configuring Inspection for Management Application Protocols This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection instead of passing the packet through the fast path. As a result, inspection engines can affect overall throughput.
-
DCERPC Inspection DCERPC inspect maps inspect for native TCP communication between the EPM and client on well known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and port number are received from the applicable EPM response messages.
-
Chapter 46 Configuring Inspection for Management Application Protocols GTP Inspection The following example shows how to define a DCERPC inspection policy map with the timeout configured for DCERPC pinholes.
-
Chapter 46 Configuring Inspection for Management Application Protocols GTP Inspection Figure 46-1 GPRS Tunneling Protocol Internet Home PLMN MS SGSN Gn GGSN Gi Corporate network 2 Gp Corporate network 1 Roaming partner (visited PLMN) 119935 GRX The UMTS is the commercial convergence of fixed-line telephony, mobile, Internet and computer technology. UTRAN is the networking protocol used for implementing wireless networks in this system.
-
Chapter 46 Configuring Inspection for Management Application Protocols GTP Inspection • timeout signaling 0:30:00 • timeout tunnel 0:01:00 • tunnel-limit 500 To create and configure a GTP map, perform the following steps. You can then apply the GTP map when you enable GTP inspection according to the “Configuring Application Layer Protocol Inspection” section on page 42-6.
-
Chapter 46 Configuring Inspection for Management Application Protocols GTP Inspection This command must be used to enable IMSI Prefix filtering. You can configure multiple instances to specify permitted MCC and MNC combinations. By default, the ASA does not check the validity of MNC and MCC combinations, so you must verify the validity of the combinations configured. To find more information about MCC and MNC codes, see the ITU E.212 recommendation, Identification Plan for Land Mobile Stations. b.
-
Chapter 46 Configuring Inspection for Management Application Protocols GTP Inspection hostname(config-network)# b. Use the network-object command with the host keyword to identify the SGSN. hostname(config-network)# network-object host IP-address For example, the following command creates a network objects representing the SGSN: hostname(config-network)# network-object host 192.168.50.100 hostname(config-network)# g.
-
Chapter 46 Configuring Inspection for Management Application Protocols GTP Inspection The request keyword specifies the maximum period of time allowed before beginning to receive the GTP message. The signaling keyword specifies the period of inactivity after which the GTP signaling will be removed. The tunnel keyword specifies the period of inactivity after which the GTP tunnel will be torn down.
-
Chapter 46 Configuring Inspection for Management Application Protocols RADIUS Accounting Inspection hostname# show service-policy inspect gtp statistics gsn 9.9.9.9 1 in use, 1 most used, timeout 0:00:00 GTP GSN Statistics for 9.9.9.
-
Chapter 46 Configuring Inspection for Management Application Protocols RADIUS Accounting Inspection the GGSN, but the connection from the server remains active. The IP address assigned to the malicious attacker gets released and reassigned to a legitimate user who will then get billed for services that the attacker will use. RADIUS accounting inspection prevents this type of attack by ensuring the traffic seen by the GGSN is legitimate.
-
RSH Inspection: RSH inspection is enabled by default. The RSH protocol uses a TCP connection from the RSH client to the RSH server on TCP port 514. The client and server negotiate the TCP port number on which the client listens for the STDERR output stream. RSH inspection supports NAT of the negotiated port number if necessary.
SNMP Inspection: This section describes the SNMP inspection engine.
-
XDMCP Inspection: XDMCP inspection is enabled by default; however, the XDMCP inspection engine depends on proper configuration of the established command. XDMCP is a protocol that uses UDP port 177 to negotiate X sessions, which use TCP once established. For successful negotiation and start of an X Windows session, the ASA must allow the TCP back connection from the X-hosted computer.
-
PART 11 Configuring Unified Communications
-
CHAPTER 47 Information About Cisco Unified Communications Proxy Features: This chapter describes how to configure the adaptive security appliance for Cisco Unified Communications Proxy features.
-
Information About the Adaptive Security Appliance in Cisco Unified Communications. TLS Proxy: decryption and inspection of Cisco Unified Communications encrypted signaling. End-to-end encryption often leaves network security appliances “blind” to media and signaling traffic, which can compromise access control and threat prevention security functions.
-
TLS Proxy Applications in Cisco Unified Communications: The ASA provides perimeter security by encrypting signaling connections between enterprises and preventing unauthorized calls. An ASA running the Cisco Intercompany Media Engine Proxy can either be deployed as an Internet firewall or be designated as a Cisco Intercompany Media Engine Proxy and placed in the DMZ, off the path of the regular Internet traffic.
-
For the Cisco Unified Mobility solution, the TLS client is a Cisco UMA client and the TLS server is a Cisco UMA server. The ASA sits between the Cisco UMA client and the Cisco UMA server. The mobility proxy (implemented as a TLS proxy) for Cisco Unified Mobility allows the use of an imported PKCS-12 certificate for the server proxy during the handshake with the client.
-
Licensing for Cisco Unified Communications Proxy Features (Model: License Requirement):
ASA 5512-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5515-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5525-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, or 1000 sessions.
ASA 5545-X: Base License: 2 sessions.
-
Table 47-2 Default and Maximum TLS Sessions on the Security Appliance (Security Appliance Platform: Default TLS Sessions / Maximum TLS Sessions):
ASA 5505: 10 / 80
ASA 5510: 100 / 200
ASA 5520: 300 / 1200
ASA 5540: 1000 / 4500
ASA 5550: 2000 / 4500
ASA 5580: 4000 / 13,000
The following table shows the Unified Communications Proxy license details by platform for intercompany me
-
For more information about licensing, see Chapter 3, “Managing Feature Licenses.”
-
CHAPTER 48 Configuring the Cisco Phone Proxy: This chapter describes how to configure the adaptive security appliance for the Cisco Phone Proxy feature.
-
Information About the Cisco Phone Proxy. Figure 48-1 Phone Proxy Secure Deployment (figure labels: Enterprise; Trusted / Inside / Un-Secured; Un-trusted / Outside / Secured; ASA; Internal IP phone; TCP/RTP; Unencrypted signaling; TLS/SRTP; Encrypted signaling; Internet; Home Router w/NAT; Remote IP phone). The phone proxy supports a Cisco UCM cluster in mixed mode or nonsecure mode.
-
Note: As an alternative to authenticating remote IP phones through the TLS handshake, you can configure authentication via LSC provisioning. With LSC provisioning, you create a password for each remote IP phone user, and each user enters the password on the remote IP phone to retrieve the LSC.
-
Licensing Requirements for the Phone Proxy (supported phones, continued):
• Cisco Unified IP Phone 7941G-GE
• Cisco Unified IP Phone 7940 (SCCP protocol support only)
• Cisco Unified Wireless IP Phone 7921
• Cisco Unified Wireless IP Phone 7925
Note: To support the Cisco Unified Wireless IP Phone 7925, you must also configure MIC or LSC on the IP phone so that it works properly with the phone proxy.
-
Licensing Requirements for the Phone Proxy (Model: License Requirement):
ASA 5512-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5515-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5525-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, or 1000 sessions.
ASA 5545-X: Base License: 2 sessions.
-
Prerequisites for the Phone Proxy. This section contains the following topics:
• Media Termination Instance Prerequisites, page 48-6
• Certificates from the Cisco UCM, page 48-7
• DNS Lookup Prerequisites, page 48-7
• Cisco Unified Communications Manager Prerequisites, page 48-7
• Access List Rules, page 48-7
• NAT and PAT Prerequisites, page 48-8
• Prerequisites for IP Phones on Multiple Interfaces, page 48-9
•
-
Certificates from the Cisco UCM: Import the following certificates, which are stored on the Cisco UCM. These certificates are required by the ASA for the phone proxy.
• Cisco_Manufacturing_CA
• CAP-RTP-001
• CAP-RTP-002
• CAPF certificate (Optional)
If LSC provisioning is required or you have LSC-enabled IP phones, you must import the CAPF certificate from the Cisco UCM.
-
Table 48-1 Port Configuration Requirements (Address: Port, Protocol, Description):
Media Termination: 1024-65535, UDP, Allow incoming SRTP
TFTP Server: 69, UDP, Allow incoming TFTP
Cisco UCM: 2443, TCP, Allow incoming secure SCCP
Cisco UCM: 5061, TCP, Allow incoming secure SIP
CAPF Service (on Cisco UCM): 3804, TCP, Allow CAPF service for LSC provisioning
Note: All these ports are configurable on the Cisco UCM, except for
-
Note: Both PAT configurations (for the nonsecure and secure ports) must be configured. When the IP phones must contact the CAPF on the Cisco UCM and the Cisco UCM is configured with static PAT (LSC provisioning is required), you must configure static PAT for the default CAPF port 3804.
-
Note: You can configure LSC provisioning for additional end-user authentication. See the Cisco Unified Communications Manager configuration guide for information.
• The CAPF certificate must be imported onto the ASA.
• The CTL file created on the ASA must be created with a CAPF record-entry.
-
Prerequisites for Rate Limiting TFTP Requests: In a remote access scenario, we recommend that you configure rate limiting of TFTP requests, because any IP phone connecting through the Internet is allowed to send TFTP requests to the TFTP server. To configure rate limiting of TFTP requests, configure the police command in the Modular Policy Framework. See the command reference for information about using the police command.
-
End-User Phone Provisioning: The phone proxy is a transparent proxy with respect to the TFTP and signaling transactions. If NAT is not configured for the Cisco UCM TFTP server, the IP phones must be configured with the Cisco UCM cluster TFTP server address. If NAT is configured for the Cisco UCM TFTP server, the Cisco UCM TFTP server global address is configured as the TFTP server address on the IP phones.
-
Phone Proxy Guidelines and Limitations:
• General Guidelines and Limitations, page 48-13
• Media Termination Address Guidelines and Limitations, page 48-14
General Guidelines and Limitations: The phone proxy has the following general limitations:
• Only one phone proxy instance can be configured on the ASA by using the phone-proxy command. See the command reference for information about the phone-proxy command.
-
– Two SIP IP phones: both in non-secure mode
– Two SCCP IP phones: one IP phone in authenticated mode and one in encrypted mode, both in authenticated mode, or both in encrypted mode
– Two SIP IP phones: one IP phone in authenticated mode and one in encrypted mode, both in authenticated mode, or both in encrypted mode
– Two SCCP IP phones: both in non-secure mode
This limitation results from the way the application-redirect rules (rules tha
-
Configuring the Phone Proxy (topics, continued):
• Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster, page 48-21
• Creating the Media Termination Instance, page 48-22
• Creating the Phone Proxy Instance, page 48-23
• Enabling the Phone Proxy with SIP and Skinny Inspection, page 48-25
• Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy, page 48-26
Task Flow for Configuring the Phone Proxy in a Non-secure Cisco UCM Cluster: Follow these tasks t
-
Step 3 Click Find; all the certificates are displayed.
Step 4 Find the file named Cisco_Manufacturing_CA. This is the certificate needed to verify the IP phone certificate. Click the .PEM file Cisco_Manufacturing_CA.pem. The certificate information is displayed, together with a dialog box that offers the option to download the certificate.
-
Task Flow for Configuring the Phone Proxy in a Mixed-mode Cisco UCM Cluster. Note: For mixed-mode clusters, the phone proxy does not support the Cisco Unified Call Manager using TFTP to send encrypted configuration files to IP phones through the ASA.
-
Prerequisites: Import the required certificates, which are stored on the Cisco UCM. See Certificates from the Cisco UCM, page 48-7, and Importing Certificates from the Cisco UCM, page 48-15.
Step 1 Command: hostname(config)# crypto key generate rsa label key-pair-label modulus size
Example: crypto key generate rsa label cucmtftp_kp modulus 1024
Purpose: Creates a key pair that can be used for the trustpoints.
-
Prerequisites: If you are using domain names for your Cisco UCM and TFTP server, you must configure DNS lookup on the ASA. Add an entry for each of the outside interfaces on the ASA into your DNS server, if such entries are not already present. Each ASA outside IP address should have a DNS entry associated with it for lookups. These DNS entries must also be enabled for reverse lookup.
-
Using an Existing CTL File. Note: Only when the phone proxy is running in a mixed-mode cluster do you have the option to use an existing CTL file to install trustpoints.
-
What to Do Next: Once you have created the TLS proxy instance, create the phone proxy instance. See Creating the Phone Proxy Instance, page 48-23.
Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster: In a mixed-mode cluster there might be IP phones that are already configured as encrypted, so they require TLS to the Cisco UCM. You must configure the LDC issuer for the TLS proxy.
-
Step 10 Command: hostname(config-tlsp)# server trust-point _internal_PP_ctl-instance_filename
Example: hostname(config-tlsp)# server trust-point _internal_PP_myctl
Purpose: Configures the server trustpoint and references the internal trustpoint named _internal_PP_ctl-instance_filename.
-
The media termination address you configure must meet the requirements described in Media Termination Instance Prerequisites, page 48-6.
Step 1 Command: hostname(config)# media-termination instance_name
Example: hostname(config)# media-termination mediaterm1
Purpose: Creates the media termination instance that you attach to the phone proxy.
-
Step 1 Command: hostname(config)# phone-proxy phone_proxy_name
Example: hostname(config)# phone-proxy myphoneproxy
Purpose: Creates the phone proxy instance.
Step 2 Command: hostname(config-phone-proxy)# media-termination instance_name
Example: hostname(config-phone-proxy)# media-termination my_mt
Purpose: Specifies the media termination instance used by the phone proxy for SRTP and RTP.
-
Step 7 Command: hostname(config-phone-proxy)# cipc security-mode authenticated
Purpose: (Optional) Forces Cisco IP Communicator (CIPC) softphones to operate in authenticated mode when CIPC softphones are deployed in a voice and data VLAN scenario. See Cisco IP Communicator Prerequisites, page 48-10, for all requirements for using the phone proxy with CIPC.
-
Command: hostname(config)# class-map class_map_name
Example: class-map sec_sip
Purpose: Configures the secure SIP class of traffic to inspect.
Step 5 Command: hostname(config-cmap)# match port tcp eq 5061
Purpose: Matches TCP port 5061, to which you want to apply actions for secure SIP inspection.
Step 6 Command: hostname(config-cmap)# exit
Purpose: Exits from class map configuration mode.
-
Configuring Your Router: Your firewall/router must be configured to forward a range of UDP ports to the IP phone. This allows the IP phone to receive audio when you make or receive calls. Note: Different cable/DSL routers have different procedures for this configuration.
-
Table 48-4 Security Appliance Debug Commands to Use with the Phone Proxy
To show error and event messages for TLS proxy inspection, use the command: debug inspect tls-proxy [events | errors]
Notes: Use this command when your IP phone has successfully downloaded all TFTP files but is failing to complete the TLS handshake with the TLS proxy configured for the phone proxy.
-
Table 48-5 Security Appliance Capture Commands to Use with the Phone Proxy
To capture packets on the ASA interfaces, use the command: capture capture_name interface interface_name
Notes: Use this command if you are experiencing any problems that might require looking into the packets.
-
Table 48-6 lists the show commands to use with the phone proxy.
Table 48-6 Security Appliance Show Commands to Use with the Phone Proxy
To show the packets or connections dropped by the accelerated security path, use the command: show asp drop
Notes: Use this command to troubleshoot audio quality issues with the IP phones or other traffic issues with the phone proxy.
-
To show the logs in the buffer and the logging settings, use the command: show logging
Notes: Before entering the show logging command, enable the logging buffered command so that the show logging command displays the current message buffer and the current settings.
-
• Check the security settings on the IP phone by selecting the Settings button > Security Configuration. Settings for web access, Security mode, MIC, LSC, CTL file, trust list, and CAPF appear. Under Security mode, make sure the IP phone is set to Encrypted.
• Check the IP phone to determine which certificates are installed on the phone by selecting the Settings button > Security Configuration > Trust List.
-
Step 2 From the ASA, verify that the CTL file for the phone proxy contains one record entry for each entity in the network (Primary Cisco UCM, Secondary Cisco UCM, TFTP server) by entering the following command:
hostname# show running-config all ctl-file [ctl_name]
Each of these record entries creates one entry on the IP phone trust list. The phone proxy creates one entry internally with the function CUCM+TFTP.
-
Solution:
Step 1 Verify that DNS lookup is configured on the ASA.
Step 2 If DNS lookup is configured, determine whether you can ping the FQDN for the Cisco UCM from the ASA.
Step 3 If the ASA cannot ping the Cisco UCM FQDN, check whether there is a problem with the DNS server.
Step 4 Additionally, use the name command to associate a name with an IP address with the FQDN.
-
PP: Client outside:192.168.10.5/49355 retransmitting request for Config file SEP001562106AF3.cnf.xml.sgn
PP: opened 0x17ccde
PP: 192.168.10.5/49355 requesting SEP001562106AF3.cnf.xml.sgn
PP: Client outside:192.168.10.5/49355 retransmitting request for Config file SEP001562106AF3.cnf.xml.sgn
PP: opened 0x17ccde
PP: 192.168.10.5/49355 requesting SEP001562106AF3.cnf.xml.sgn
PP: Client outside:192.168.10.
-
Step 3 If the router is a Linksys router, see Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy, page 48-26, for information on the configuration requirements.
IP Phone Requesting Unsigned File Error. Problem: The IP phone should always request a signed file. Therefore, the TFTP file being requested always has the .SGN extension.
-
Make sure that each media-termination instance is created correctly and that the address or addresses are set correctly. The ASA must meet specific criteria for media termination. See Media Termination Instance Prerequisites, page 48-6, for the complete list of prerequisites that you must follow when creating the media termination instance and configuring the media termination addresses.
-
b. Verify that the list of installed certificates contains all required certificates for the phone proxy. See Table 48-2, Certificates Required by the Security Appliance for the Phone Proxy, for information.
c. Import any missing certificates onto the ASA. See also Importing Certificates from the Cisco UCM, page 48-15.
Step 4
-
SSL Handshake Failure. Problem: The phone proxy is not functioning. Initial troubleshooting uncovered the following errors in the ASA syslogs:
%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: ssl handshake failure
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_CERTIFICATE Reason: no certificate returned
%ASA-6-725006: Device failed SSL handshake with outside client:72.146.123.
-
[3des-sha1] [des-sha1] [rc4-md5] [possibly others]
See the command reference for more information about setting ciphers with the ssl encryption command.
Certificate Validation Errors. Problem: Errors in the ASA log indicate that certificate validation errors occurred. Entering the show logging asdm command displayed the following errors:
3|Jun 19 2008 17:23:54|717009: Certificate validation failed.
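As an added example (not from the Cisco guide) of triaging these messages when many remote phones are involved: the script below parses the two log formats quoted above (the %ASA-severity-id syslog form and the severity|timestamp|id form printed by show logging asdm), groups the 725014, 725006, and 717009 messages by client address and failure reason, and maps the result to the checks this troubleshooting section recommends. The sample log lines, the client addresses, and the finding codes are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample log (not from the guide), modelled on the syslog lines and
# the "show logging asdm" line quoted in the troubleshooting section. Client
# addresses are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: ssl handshake failure
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_CERTIFICATE Reason: no certificate returned
%ASA-6-725006: Device failed SSL handshake with outside client:192.0.2.50/49355
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_CERTIFICATE Reason: no certificate returned
%ASA-6-725006: Device failed SSL handshake with outside client:192.0.2.50/49360
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_CERTIFICATE Reason: no certificate returned
%ASA-6-725006: Device failed SSL handshake with outside client:192.0.2.51/50001
3|Jun 19 2008 17:23:54|717009: Certificate validation failed.
this line is not an ASA message
"""

# %ASA-<severity>-<message id>: <text>
SYSLOG_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
# <severity>|<timestamp>|<message id>: <text>   (show logging asdm)
ASDM_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]*)\|(?P<msgid>\d{6}):\s*(?P<text>.*)$")
LIBERR_RE = re.compile(r"Function:\s*(?P<func>\S+)\s+Reason:\s*(?P<reason>.+?)\s*$")
# Accepts both "with outside client:IP/port" and "with client outside:IP/port".
HANDSHAKE_RE = re.compile(
    r"failed SSL handshake with "
    r"(?:(?P<ifc_a>\w+) (?P<role_a>client|server)|(?P<role_b>client|server) (?P<ifc_b>\w+))"
    r":(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d+)"
)

# Finding codes (constructed for this example) and the checks from the
# troubleshooting section that each one points to.
REMEDIATION = {
    "no_client_cert": "Remote phones are not presenting a certificate: check the phone's "
                      "Security mode and trust list (Settings > Security Configuration) "
                      "and that the certificates required for the phone proxy are "
                      "installed on the ASA.",
    "cert_validation_failed": "The ASA rejected a presented certificate: verify the CA "
                              "certificates imported from the Cisco UCM.",
    "other_handshake_failure": "Handshake failed without a certificate error: review the "
                               "ciphers configured with the ssl encryption command.",
}


def parse_line(line):
    """Return (severity, message_id, text) for a syslog or ASDM-format line, else None."""
    for rx in (SYSLOG_RE, ASDM_RE):
        m = rx.match(line.strip())
        if m:
            return int(m.group("sev")), m.group("msgid"), m.group("text").strip()
    return None


def triage(log_text):
    """Group SSL-related messages: lib errors by (function, reason), failed
    handshakes by client IP, certificate validation failures, and lines that
    matched neither log format."""
    lib_errors, failed_clients = Counter(), Counter()
    cert_validation_failures, unparsed = 0, []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        parsed = parse_line(raw)
        if parsed is None:
            unparsed.append(raw)
            continue
        _sev, msgid, text = parsed
        if msgid == "725014":       # SSL lib error
            m = LIBERR_RE.search(text)
            lib_errors[(m.group("func"), m.group("reason")) if m else ("?", text)] += 1
        elif msgid == "725006":     # Device failed SSL handshake
            m = HANDSHAKE_RE.search(text)
            failed_clients[m.group("ip") if m else "unknown"] += 1
        elif msgid == "717009":     # Certificate validation failed
            cert_validation_failures += 1
    return {
        "lib_errors": lib_errors,
        "failed_clients": failed_clients,
        "cert_validation_failures": cert_validation_failures,
        "unparsed": unparsed,
    }


def classify(summary):
    """Map a triage summary to an ordered list of finding codes (keys of REMEDIATION)."""
    reasons = {reason for (_func, reason) in summary["lib_errors"]}
    findings = []
    if "no certificate returned" in reasons:
        findings.append("no_client_cert")
    if summary["cert_validation_failures"]:
        findings.append("cert_validation_failed")
    if summary["failed_clients"] and not findings:
        findings.append("other_handshake_failure")
    return findings


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    for ip, n in s["failed_clients"].most_common():
        print(f"{ip}: {n} failed handshake(s)")
    for code in classify(s):
        print(f"[{code}] {REMEDIATION[code]}")
```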
-
phone-proxy mypp
 media-termination address 10.10.0.25
 cipc security-mode authenticated
 cluster-mode mixed
 disable service-settings
 timeout secure-phones 0:05:00
hostname(config)#
Make sure that each media-termination instance is created correctly and that the address or addresses are set correctly. The ASA must meet specific criteria for media termination.
-
The SAST keys can be seen with the show crypto key mypubkey rsa command. The SAST keys are associated with a trustpoint labeled _internal_ctl-file_name_SAST_X, where ctl-file-name is the name of the CTL file instance that was configured, and X is an integer from 0 to N-1, where N is the number of SASTs configured for the CTL file (the default is 2).
-
mGF/hfDDNAICBAA=
hostname(config)# quit
INFO: Import PKCS12 operation completed successfully
hostname(config)#
Step 3 Create the CTL file instance on the new ASA using the same name as the one used in the SAST trustpoints created in Step 2 by entering the following commands. Create trustpoints for each Cisco UCM (primary and secondary).
-
Figure 48-2 Nonsecure Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher (figure labels: Corporate Network; Cisco UCM+TFTP 192.0.2.101; Cisco UCM cluster is in nonsecure mode; ASA Inside Interface 192.0.2.1; ASA Outside Interface 10.10.0.24; Phone A 192.0.2.16; Home Router w/NAT, Comcast Address 69.181.112.219; Home Router w/NAT, Comcast Address 98.208.49.30)
object network obj-192.0.2.101
 host 192.0.2.
-
Example 2: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher. Figure 48-3 shows an example of the configuration for a mixed-mode Cisco UCM cluster using the following topology.
Figure 48-3 Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher (figure labels: Corporate Network; Cisco UCM+TFTP 192.0.2.101; Comcast Address 69.181.112.219; ASA Outside Interface 10.10.0.
-
 address 10.10.0.25 interface outside
phone-proxy mypp
 media-termination my_mediaterm
 tftp-server address 192.0.2.
-
 host 192.0.2.101
 nat (inside,outside) static interface udp 69 69
access-list pp extended permit udp any host 10.10.0.
-
Figure 48-5 Mixed-mode Cisco UCM cluster, Primary Cisco UCM, Secondary Cisco UCM, and TFTP Server on Different Servers (figure labels: Primary Cisco UCM 192.0.2.105; Secondary Cisco UCM 192.0.2.106; TFTP / Publisher 192.0.2.101; ASA Inside Interface 192.0.2.24; Corporate Network; IP Phone A 192.0.2.102; Internet; Home Router w/NAT, Comcast Address 98.208.49.30; ASA Outside Interface 10.10.0.
-
crypto ca trustpoint ldc_server
 enrollment self
 proxy_ldc_issuer
 fqdn my-ldc-ca.exmaple.com
 subject-name cn=FW_LDC_SIGNER_172_23_45_200
 keypair ldc_signer_key
crypto ca enroll ldc_server
tls-proxy my_proxy
 server trust-point _internal_PP_myctl
 client ldc issuer ldc_server
 client ldc keypair phone_common
 client cipher-suite aes128-sha1 aes256-sha1
media-termination my_mediaterm
 address 192.0.2.
-
Figure 48-6 LSC Provisioning in Mixed-mode Cisco UCM cluster; Cisco UCM and TFTP Server on Publisher (figure labels: TFTP Server 192.0.2.101; ASA Inside Interface 192.0.2.24; Corporate Network; IP Phone A 192.0.2.102; Phone B 192.0.2.103; Internet; ASA Outside Interface 10.10.0.24; Home Router w/NAT, Comcast Address 98.208.49.30; Home Router w/NAT, Comcast Address 69.181.112.219)
object network obj-192.0.2.
-
 server trust-point _internal_PP_myctl
 client ldc issuer ldc_server
 client ldc keypair phone_common
 client cipher-suite aes128-sha1 aes256-sha1
media-termination my_mediaterm
 address 192.0.2.25 interface inside
 address 10.10.0.25 interface outside
phone-proxy mypp
 media-termination my_mediaterm
 tftp-server address 192.0.2.
-
Figure 48-7 VLAN Traversal Between CIPC Softphones on the Data VLAN and Hard Phones on the Voice VLAN (figure labels: ASA Data VLAN interface 10.10.0.24; Cisco UCM + TFTP Server 192.0.2.101; Corporate Network (Voice VLAN); Corporate Network (Data VLAN); Cisco IPC 10.130.50.10; Cisco IPC 10.130.50.11; ASA Inside Interface 10.130.50.24)
object network obj-10.130.50.0
 subnet 10.130.50.0 255.255.255.
-
 class sec_sip
  inspect sip phone-proxy mypp
service-policy pp_policy interface data
Feature History for the Phone Proxy: Table 48-7 lists the release history for this feature.
Table 48-7 Feature History for Cisco Phone Proxy (Feature Name: Releases: Feature Information)
Cisco Phone Proxy: 8.0(4): The phone proxy feature was introduced. The following new commands were introduced.
-
CH A P T E R 49 Configuring the TLS Proxy for Encrypted Voice Inspection This chapter describes how to configure the adaptive security appliance for the TLS Proxy for Encrypted Voice Inspection feature.
-
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection Information about the TLS Proxy for Encrypted Voice Inspection
Figure 49-1 TLS Proxy Flow [sequence diagram between the Cisco IP Phone, the Cisco ASA, and the Cisco CallManager. Phone-to-ASA handshake: Client Hello; (Proxy) Server Hello; (Proxy) Server Certificate; (Proxy) Server Key Exchange; Certificate Request; (Proxy) Server Hello Done; Client Certificate; Client Key Exchange; Certificate Verify; [Change Cipher Spec]; Finished; [Change Cipher Spec]; Finished. ASA-to-CallManager handshake: (Proxy) Client Hello; Server Hello; Server Cer
-
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection Information about the TLS Proxy for Encrypted Voice Inspection proxy, the CTL file must contain the certificate that the security appliance creates for the Cisco UCMs. To proxy calls on behalf of the Cisco IP Phone, the security appliance presents a certificate that the Cisco UCM can verify, which is a Local Dynamic Certificate for the phone, issued by the certificate authority on the security appliance.
-
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection Information about the TLS Proxy for Encrypted Voice Inspection
Figure 49-3 CTL Client TLS Proxy Features — ASA IP Address or Domain Name
Figure 49-3 shows support for entering the security appliance IP address or domain name in the CTL Client.
Figure 49-4 CTL Client TLS Proxy Features — CTL Entry for ASA
Figure 49-4 shows that the CTL entry for the security appliance as the TLS proxy has been added.
-
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection Licensing for the TLS Proxy
Figure 49-5 CTL Client TLS Proxy Features — CTL File Installed on the ASA
The security appliance does not store the raw CTL file in flash; rather, it parses the CTL file and installs the appropriate trustpoints. Figure 49-5 indicates that the installation was successful.
-
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection Licensing for the TLS Proxy
Model / License Requirement1
ASA 5580: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, or 10,000 sessions.2
ASA 5512-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5515-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5525-X: Base License: 2 sessions.
-
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection Prerequisites for the TLS Proxy for Encrypted Voice Inspection Table 49-1 shows the default and maximum TLS session details by platform.
-
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection Configuring the TLS Proxy for Encrypted Voice Inspection
• Creating a CTL Provider Instance, page 49-11
• Creating the TLS Proxy Instance, page 49-12
• Enabling the TLS Proxy Instance for Skinny or SIP Inspection, page 49-13
Task flow for Configuring the TLS Proxy for Encrypted Voice Inspection
To configure the security appliance for TLS proxy, perform the following steps:
Step 1 (Optional) Set the maximum number of TLS proxy sess
-
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection Configuring the TLS Proxy for Encrypted Voice Inspection http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/5_1/nci/p08/secuauth.htm Note You will need the CTL Client that is released with Cisco Unified CallManager Release 5.1 to interoperate with the security appliance. See the “CTL Client Overview” section on page 49-3 for more information regarding TLS proxy support.
-
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection Configuring the TLS Proxy for Encrypted Voice Inspection
Step 5
Command: hostname(config-ca-trustpoint)# subject-name X.500_name
Example: hostname(config-ca-trustpoint)# subject-name cn=EJW-SV-1-Proxy
Purpose: Includes the indicated subject DN in the certificate during enrollment. Cisco IP Phones require certain fields of the X.509v3 certificate to be present in order to validate the certificate by consulting the CTL file.
-
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection Configuring the TLS Proxy for Encrypted Voice Inspection
Step 3
Command: hostname(config-ca-trustpoint)# proxy-ldc-issuer
Purpose: Issues TLS proxy local dynamic certificates. The proxy-ldc-issuer command grants a crypto trustpoint the role of local CA that issues the LDC; it is entered in crypto ca trustpoint configuration mode.
-
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection Configuring the TLS Proxy for Encrypted Voice Inspection
Step 1
Command: hostname(config)# ctl-provider ctl_name
Example: hostname(config)# ctl-provider my_ctl
Purpose: Enters CTL provider configuration mode so that you can create the Certificate Trust List provider instance.
Step 2
Command: hostname(config-ctl-provider)# client interface if_name ipv4_addr
Example: hostname(config-ctl-provider)# client interface inside address 172.23.45.
-
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection Configuring the TLS Proxy for Encrypted Voice Inspection
Step 1
Command: hostname(config)# tls-proxy proxy_name
Example: hostname(config)# tls-proxy my_proxy
Purpose: Creates the TLS proxy instance.
Step 2
Command: hostname(config-tlsp)# server trust-point proxy_trustpoint
Example: hostname(config-tlsp)# server trust-point ccm_proxy
Purpose: Specifies the proxy trustpoint certificate to present during the TLS handshake.
-
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection Configuring the TLS Proxy for Encrypted Voice Inspection
Step 1
Command: hostname(config)# class-map class_map_name
Example: hostname(config)# class-map sec_skinny
Purpose: Configures the secure Skinny class of traffic to inspect, where class_map_name is the name of the Skinny class map.
-
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection Monitoring the TLS Proxy Monitoring the TLS Proxy You can enable TLS proxy debug flags along with SSL syslogs to debug TLS proxy connection problems.
-
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection Monitoring the TLS Proxy
Apr 17 2007 23:13:47: %ASA-7-711001: TLSP cbad5120: Data channel ready for the Client
Apr 17 2007 23:13:47: %ASA-7-725013: SSL Server inside:195.168.2.201/5061 choose cipher : AES128-SHA
Apr 17 2007 23:13:47: %ASA-7-717025: Validating certificate chain containing 1 certificate(s).
Apr 17 2007 23:13:47: %ASA-7-717029: Identified client certificate within certificate chain.
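The debug syslogs above are only useful if someone reads them. The following is an added example (not part of the ASA guide, not Cisco code) that parses messages in the %ASA-severity-id shape shown in this listing, counts them by message id, and checks every 725013 cipher-choice message against the cipher set that the guide's TLS proxy instance allows (client cipher-suite aes128-sha1 aes256-sha1). The regular expressions are written against the message text shown above; the mapping of those cipher-suite keywords to the names printed in the syslog, and all sample lines beyond the four from the guide, are assumptions constructed for this example.

```python
"""Parse ASA TLS proxy / SSL syslog lines and check the negotiated ciphers.

Added example; it is not part of the ASA configuration guide. ASA_RE and
CIPHER_RE are written against the message shapes shown in the guide's
listing. SAMPLE_LOG is constructed for this example: the first four lines
are the guide's, the remaining lines are invented to exercise the checks.
"""
import re
from collections import Counter

# Timestamp, then %ASA-<severity>-<six-digit message id>, then free text.
ASA_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# Message 725013 reports the cipher chosen on one side of the proxied
# session, e.g. "SSL Server inside:195.168.2.201/5061 choose cipher : AES128-SHA".
CIPHER_RE = re.compile(
    r"^SSL (?P<role>Server|Client) (?P<iface>[^:\s]+):(?P<ip>[\d.]+)/(?P<port>\d+) "
    r"choose cipher : (?P<cipher>\S+)$"
)

# Ciphers the guide's TLS proxy instance permits with
# "client cipher-suite aes128-sha1 aes256-sha1"; mapping those keywords to
# the names printed in the syslog is an assumption of this example.
ALLOWED_CIPHERS = {"AES128-SHA", "AES256-SHA"}


def parse_line(line):
    """Return a dict (ts, sev as int, msgid, text) or None if not an ASA message."""
    m = ASA_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def cipher_events(records):
    """Yield (role, iface, ip, port, cipher, allowed) for each 725013 record."""
    for rec in records:
        if rec["msgid"] != "725013":
            continue
        m = CIPHER_RE.match(rec["text"])
        if m is None:
            continue  # unfamiliar 725013 text: skip it rather than guess
        cipher = m.group("cipher")
        yield (m.group("role"), m.group("iface"), m.group("ip"),
               int(m.group("port")), cipher, cipher in ALLOWED_CIPHERS)


def summarize(lines):
    """Parse a log; return per-message-id counts, cipher findings, unparsed count."""
    records, unparsed = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        else:
            records.append(rec)
    findings = list(cipher_events(records))
    return {
        "by_msgid": dict(Counter(r["msgid"] for r in records)),
        "cipher_findings": findings,
        "disallowed": [f for f in findings if not f[5]],
        "unparsed": unparsed,
    }


SAMPLE_LOG = [
    # The four lines shown in the guide.
    "Apr 17 2007 23:13:47: %ASA-7-711001: TLSP cbad5120: Data channel ready for the Client",
    "Apr 17 2007 23:13:47: %ASA-7-725013: SSL Server inside:195.168.2.201/5061 choose cipher : AES128-SHA",
    "Apr 17 2007 23:13:47: %ASA-7-717025: Validating certificate chain containing 1 certificate(s).",
    "Apr 17 2007 23:13:47: %ASA-7-717029: Identified client certificate within certificate chain.",
    # Constructed: a phone-side session negotiating a cipher outside the configured suite.
    "Apr 17 2007 23:13:52: %ASA-7-725013: SSL Client outside:133.9.0.218/49159 choose cipher : DES-CBC-SHA",
    # Constructed: debug output without a message id, counted as unparsed.
    "Apr 17 2007 23:13:52: TLSP cbad5120: raw debug output without a message id",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for finding in result["disallowed"]:
        print("cipher outside the allowed suite:", finding)
    print("messages by id:", result["by_msgid"])
```

All of the messages in the listing are severity 7 (debugging), so a collector only sees them while the debug flags and SSL syslogs the section mentions are enabled; run a check like this while troubleshooting rather than expecting it to work on the default logging level.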
-
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection Feature History for the TLS Proxy for Encrypted Voice Inspection
Public Key Type: RSA (1024 bits)
Issuer Name: cn=TLS-Proxy-Signer
Subject Name: cn=SEP0002B9EB0AAD o=Cisco Systems Inc c=US
Validity Date: start date: 09:25:41 PDT Apr 16 2007 end date: 09:25:41 PDT Apr 15 2008
Associated Trustpoints:
outside 133.9.0.218:49159 inside 195.168.2.
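The certificate listing above carries the two facts an operator should track for every local dynamic certificate the proxy issues: the key size and the validity window. The following added example (not from the guide, not Cisco code) reads a listing in this shape and reports the key algorithm and size, the issuer and subject, days until expiry, and whether the certificate is expired or not yet valid at a given reference time. SAMPLE_CERT is constructed from the field values shown above; the line layout, the 2048-bit threshold, and the reference dates are assumptions of the example.

```python
"""Check a TLS proxy dynamic certificate listing for expiry and weak keys.

Added example; not part of the ASA configuration guide. SAMPLE_CERT is
constructed from the field values in the guide's certificate output (the
line layout and the reference dates used in the checks are assumptions).
"""
import re
from datetime import datetime

SAMPLE_CERT = """\
Public Key Type: RSA (1024 bits)
Issuer Name:
  cn=TLS-Proxy-Signer
Subject Name:
  cn=SEP0002B9EB0AAD
  o=Cisco Systems Inc
  c=US
Validity Date:
  start date: 09:25:41 PDT Apr 16 2007
  end   date: 09:25:41 PDT Apr 15 2008
"""

KEY_RE = re.compile(r"Public Key Type:\s*(?P<alg>\w+)\s*\((?P<bits>\d+) bits\)")
START_RE = re.compile(r"start date:\s*(?P<d>.+)")
END_RE = re.compile(r"end\s+date:\s*(?P<d>.+)")


def parse_asa_date(text):
    """'09:25:41 PDT Apr 16 2007' -> naive datetime (the zone abbreviation is dropped)."""
    clock, _zone, mon, day, year = text.split()
    return datetime.strptime(f"{clock} {mon} {day} {year}", "%H:%M:%S %b %d %Y")


def name_block(lines, header):
    """Join the indented RDN lines that follow a header such as 'Issuer Name:'."""
    parts, collecting = [], False
    for line in lines:
        if line.strip() == header:
            collecting = True
            continue
        if collecting:
            if not line.startswith(" "):
                break  # next top-level field ends the block
            parts.append(line.strip())
    return ", ".join(parts)


def assess_certificate(cert_text, now, min_bits=2048):
    """Return key/validity facts plus weak_key, expired and not_yet_valid flags.

    `now` is a datetime or an ISO date string ("2008-03-01"); min_bits is the
    smallest RSA modulus this check accepts (assumed threshold).
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    lines = cert_text.splitlines()
    key = KEY_RE.search(cert_text)
    not_before = parse_asa_date(START_RE.search(cert_text).group("d").strip())
    not_after = parse_asa_date(END_RE.search(cert_text).group("d").strip())
    bits = int(key.group("bits"))
    return {
        "alg": key.group("alg"),
        "bits": bits,
        "weak_key": key.group("alg") == "RSA" and bits < min_bits,
        "issuer": name_block(lines, "Issuer Name:"),
        "subject": name_block(lines, "Subject Name:"),
        "not_before": not_before,
        "not_after": not_after,
        "days_left": (not_after - now).days,
        "expired": now > not_after,
        "not_yet_valid": now < not_before,
    }


if __name__ == "__main__":
    report = assess_certificate(SAMPLE_CERT, "2008-03-01")
    print(f"{report['subject']} issued by {report['issuer']}: "
          f"{report['alg']} {report['bits']} bits, {report['days_left']} days left, "
          f"weak_key={report['weak_key']}, expired={report['expired']}")
```

The zone abbreviation is discarded because strptime does not reliably interpret names such as PDT; for an expiry check with day granularity that is acceptable, but compare the naive timestamps against a reference in the same zone.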
-
CH A P T E R 50 Configuring Cisco Mobility Advantage This chapter describes how to configure the adaptive security appliance for Cisco Unified Communications Mobility Advantage Proxy features.
-
Chapter 50 Configuring Cisco Mobility Advantage Information about the Cisco Mobility Advantage Proxy Feature
Figure 50-1 MMP Stack [figure: protocol stack, top to bottom: OML, HTTP, etc.; MMP; TLS/SSL; TCP; IP]
The TCP/TLS default port is 5443. There are no embedded NAT or secondary connections. Cisco UMA client and server communications can be proxied via TLS: the ASA decrypts the data, passes it to the MMP inspection module, and re-encrypts the data before forwarding it to the endpoint.
-
Configuring Cisco Mobility Advantage Information about the Cisco Mobility Advantage Proxy Feature
hostname(config)# tls-proxy my_proxy
hostname(config-tlsp)# no server authenticate-client
Figure 50-2 Security Appliance as Firewall with Mobility Advantage Proxy and MMP Inspection [figure: Mobile Data Network (GPRS Data Channel); Enterprise Services network 10.1.1.0/24 with Active Directory and Exchange; IP Address: 10.1.1.
-
Chapter 50 Configuring Cisco Mobility Advantage Information about the Cisco Mobility Advantage Proxy Feature
Note This interface PAT rule converges the Cisco UMA client IP addresses on the outside interface of the ASA into a single IP address on the inside interface by using different source ports. Performing this action is often referred to as “outside PAT”.
-
Chapter 50 Configuring Cisco Mobility Advantage Information about the Cisco Mobility Advantage Proxy Feature
In scenario 2 (Figure 50-3), PAT can be used to converge all client traffic into one source IP, so that the firewall does not have to open up a wildcard pinhole for inbound traffic.
hostname(config)# access-list cumc extended permit tcp any host 172.16.27.41 eq 5443
versus
hostname(config)# access-list cumc extended permit tcp host 192.0.2.183 host 172.16.27.
-
Chapter 50 Configuring Cisco Mobility Advantage Licensing for the Cisco Mobility Advantage Proxy Feature
Figure 50-5 How the Security Appliance Represents Cisco UMA – Certificate Impersonation [figure: the ASA enrolls with a 3rd-party Certificate Authority using the FQDN of Cisco UMA; Cisco UMC Client to ASA across the Internet: TLS with the ASA certificate carrying the Cisco UMA FQDN (Key 1); traffic inspected and modified (if needed); ASA to Cisco UMA: TLS with a self-signed certificate or one from a local CA (Key 2)]
A trusted relationship between the ASA and the Cisco UMA se
-
Chapter 50 Configuring Cisco Mobility Advantage Configuring Cisco Mobility Advantage
• Enabling the TLS Proxy for MMP Inspection, page 50-9
Task Flow for Configuring Cisco Mobility Advantage
To configure the ASA to perform TLS proxy and MMP inspection as shown in Figure 50-2 and Figure 50-3, perform the following tasks. It is assumed that self-signed certificates are used between the ASA and the Cisco UMA server.
-
Chapter 50 Configuring Cisco Mobility Advantage Configuring Cisco Mobility Advantage
Step 1
Command: hostname(config)# crypto ca trustpoint trustpoint_name
Example: hostname(config)# crypto ca trustpoint cuma_server
Purpose: Enters trustpoint configuration mode for the specified trustpoint so that you can create the trustpoint for the Cisco UMA server. A trustpoint represents a CA identity and possibly a device identity, based on a certificate issued by the CA.
-
Chapter 50 Configuring Cisco Mobility Advantage Configuring Cisco Mobility Advantage
Step 3
Command: hostname(config-tlsp)# client trust-point proxy_name
Example: hostname(config-tlsp)# client trust-point cuma_proxy
Purpose: Specifies the trustpoint and associated certificate that the ASA uses in the TLS handshake when the ASA assumes the role of the TLS client. The certificate must be owned by the ASA (identity certificate).
-
Chapter 50 Configuring Cisco Mobility Advantage Monitoring for Cisco Mobility Advantage
Step 6
Command: hostname(config-pmap)# inspect mmp tls-proxy proxy_name
Example: hostname(config-pmap)# inspect mmp tls-proxy cuma_proxy
Purpose: Enables SCCP (Skinny) application inspection and enables the phone proxy for the specified inspection session.
Step 7
Command: hostname(config-pmap)# exit
Purpose: Exits from policy map configuration mode.
-
Chapter 50 Configuring Cisco Mobility Advantage Configuration Examples for Cisco Mobility Advantage
Configuration Examples for Cisco Mobility Advantage
• Example 1: Cisco UMC/Cisco UMA Architecture – Security Appliance as Firewall with TLS Proxy and MMP Inspection, page 50-11
• Example 2: Cisco UMC/Cisco UMA Architecture – Security Appliance as TLS Proxy Only, page 50-12
This section describes sample configurations that apply to two deployment scenarios for the TLS proxy used by the Cisco Mobility Adv
-
Chapter 50 Configuring Cisco Mobility Advantage Configuration Examples for Cisco Mobility Advantage
object network obj-10.1.1.2-01
 host 10.1.1.2
 nat (inside,outside) static 192.0.2.140
crypto ca import cuma_proxy pkcs12 sample_passphrase
quit
! for CUMA server’s self-signed certificate
crypto ca trustpoint cuma_server
 enrollment terminal
crypto ca authenticate cuma_server
Enter the base 64 encoded CA certificate.
-
Configuring Cisco Mobility Advantage Configuration Examples for Cisco Mobility Advantage
Figure 50-7 Cisco UMC/Cisco UMA Architecture – Scenario 2: Security Appliance as TLS Proxy Only [figure: Cisco UMC Client connects to cuma.example.com (192.0.2.41) across the Internet and ISP Gateway; Corporate Firewall, DMZ, and Internal Network; IP Address: 172.16.27.41 (DMZ routable); outside eth0 192.0.2.41/24; 192.0.2.
-
Chapter 50 Configuring Cisco Mobility Advantage Feature History for Cisco Mobility Advantage
tls-proxy cuma_proxy
 server trust-point cuma_proxy
 no server authenticate-client
 client cipher-suite aes128-sha1 aes256-sha1
class-map cuma_proxy
 match port tcp eq 5443
policy-map global_policy
 class cuma_proxy
  inspect mmp tls-proxy cuma_proxy
service-policy global_policy global
Feature History for Cisco Mobility Advantage
Table 50-1 lists the release history for this feature.
-
CH A P T E R 51 Configuring Cisco Unified Presence This chapter describes how to configure the adaptive security appliance for Cisco Unified Presence.
-
Chapter 51 Configuring Cisco Unified Presence Information About Cisco Unified Presence
Figure 51-1 Typical Cisco Unified Presence/LCS Federation Scenario [figure: Enterprise X private network with Cisco UCM, Cisco UP (UK), Cisco UP (HK), Cisco UP (US), AD, Orative (Ann), IPPM (Ann), and a Routing Proxy 8.0.4 (Cisco UP); ASA with Inside and Outside interfaces between the private network and the DMZ; SIP across the Internet to the Enterprise Y DMZ and private network; 192.0.2.
-
Configuring Cisco Unified Presence Information About Cisco Unified Presence
hostname(config-network-object)# nat (inside,outside) static 192.0.2.1 service tcp 5060 5060
For another Cisco UP with the address 10.0.0.
-
Chapter 51 Configuring Cisco Unified Presence Information About Cisco Unified Presence
http://www.cisco.com/en/US/products/ps6837/products_installation_and_configuration_guides_list.html
Trust Relationship in the Presence Federation
Within an enterprise, a trust relationship can be set up by using self-signed certificates or by using an internal CA. Establishing a trust relationship across enterprises or across administrative domains is key for federation.
-
Chapter 51 Configuring Cisco Unified Presence Information About Cisco Unified Presence Security Certificate Exchange Between Cisco UP and the Security Appliance You need to generate the keypair for the certificate (such as cup_proxy_key) used by the ASA, and configure a trustpoint to identify the self-signed certificate sent by the ASA to Cisco UP (such as cup_proxy) in the TLS handshake.
-
Chapter 51 Configuring Cisco Unified Presence Information About Cisco Unified Presence
For further information about configuring Cisco Unified Presence Federation for XMPP Federation, see the Integration Guide for Configuring Cisco Unified Presence Release 8.0 for Interdomain Federation:
http://www.cisco.com/en/US/products/ps6837/products_installation_and_configuration_guides_list.html
Configuration Requirements for XMPP Federation
For XMPP Federation, the ASA acts as a firewall only.
-
Chapter 51 Configuring Cisco Unified Presence Licensing for Cisco Unified Presence
nat (inside,outside) source static obj_host_ obj_host_ service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_ obj_host_ service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269
nat (inside,outside) source static obj_host_ obj_host_ service obj_udp_source_eq_5269 obj_udp_source_eq_5269
n
-
Chapter 51 Configuring Cisco Unified Presence Configuring Cisco Unified Presence Proxy for SIP Federation
Model / License Requirement1
ASA 5545-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, or 2000 sessions.
ASA 5555-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, or 3000 sessions.
ASA 5585-X with SSP-10: Base License: 2 sessions.
ASA 5585-X with SSP-20, -40, or -60: Base License: 2 sessions.
-
Chapter 51 Configuring Cisco Unified Presence Configuring Cisco Unified Presence Proxy for SIP Federation
• Creating the TLS Proxy Instance, page 51-12
• Enabling the TLS Proxy for SIP Inspection, page 51-13
Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation
To configure a Cisco Unified Presence/LCS Federation scenario with the ASA as the TLS proxy where there is a single Cisco UP that is in the local domain and self-signed certificates are used between the Cisco UP a
-
Chapter 51 Configuring Cisco Unified Presence Configuring Cisco Unified Presence Proxy for SIP Federation
Step 1
Command: hostname(config)# crypto key generate rsa label key-pair-label modulus size
Example:
crypto key generate rsa label ent_y_proxy_key modulus 1024
INFO: The name for the keys will be: ent_y_proxy_key
Keypair generation process begin. Please wait...
hostname(config)#
Purpose: Creates the RSA keypair that can be used for the trustpoints.
Step 2
-
Chapter 51 Configuring Cisco Unified Presence Configuring Cisco Unified Presence Proxy for SIP Federation
Step 1
Command: hostname(config)# crypto ca export trustpoint identity-certificate
Example: hostname(config)# crypto ca export ent_y_proxy identity-certificate
Purpose: Exports the ASA self-signed (identity) certificate.
-
Chapter 51 Configuring Cisco Unified Presence Configuring Cisco Unified Presence Proxy for SIP Federation What to Do Next Once you have created the trustpoints and installed the certificates for the local and remote entities on the ASA, create the TLS proxy instance. See Creating the TLS Proxy Instance, page 51-12.
-
Chapter 51 Configuring Cisco Unified Presence Configuring Cisco Unified Presence Proxy for SIP Federation
Step 7
Command: hostname(config-tlsp)# client trust-point proxy_trustpoint
Example: hostname(config-tlsp)# client trust-point ent_y_proxy
Purpose: Specifies the trustpoint and associated certificate that the ASA uses in the TLS handshake when the ASA assumes the role of the TLS client. The proxy_trustpoint for the client trust-point command is the remote entity proxy.
Step 8
-
Chapter 51 Configuring Cisco Unified Presence Monitoring Cisco Unified Presence
Step 8
Command: hostname(config)# policy-map name
Example: hostname(config)# policy-map global_policy
Purpose: Configures the policy map and attaches the action to the class of traffic.
Step 9
Command: hostname(config-pmap)# class classmap_name
Example: hostname(config-pmap)# class ent_x_to_y
Purpose: Assigns a class map to the policy map so that you can assign actions to the class map traffic.
-
Chapter 51 Configuring Cisco Unified Presence Configuration Example for Cisco Unified Presence
• Example Access List Configuration for XMPP Federation, page 51-17
• Example NAT Configuration for XMPP Federation, page 51-18
Example Configuration for SIP Federation Deployments
The following sample illustrates the necessary configuration for the ASA to perform TLS proxy for Cisco Unified Presence as shown in Figure 51-5.
-
Chapter 51 Configuring Cisco Unified Presence Configuration Example for Cisco Unified Presence
Figure 51-5 Typical Cisco Unified Presence/LCS Federation Scenario [figure: Enterprise X private network with Cisco UCM, Cisco UP (UK), Cisco UP (HK), Cisco UP (US), AD, Orative (Ann), IPPM (Ann), and a Routing Proxy 8.0.4 (Cisco UP); ASA with Inside and Outside interfaces between the private network and the DMZ; SIP across the Internet to the Enterprise Y DMZ and private network; 192.0.2.
-
Chapter 51 Configuring Cisco Unified Presence Configuration Example for Cisco Unified Presence
quit
! for Entity Y’s CA certificate
crypto ca trustpoint ent_y_ca
 enrollment terminal
crypto ca authenticate ent_y_ca
Enter the base 64 encoded CA certificate.
-
Chapter 51 Configuring Cisco Unified Presence Configuration Example for Cisco Unified Presence
The following values are used in this sample configuration:
• Private XMPP federation Cisco Unified Presence Release 8.0 IP address = 1.1.1.1
• Private second Cisco Unified Presence Release 8.0 IP address = 2.2.2.2
• Private third Cisco Unified Presence Release 7.x IP address = 3.3.3.3
• XMPP federation listening port = 5269
access-list ALLOW-ALL extended permit tcp any host 1.1.1.
-
Chapter 51 Configuring Cisco Unified Presence Configuration Example for Cisco Unified Presence
• Private third Cisco Unified Presence Release 7.x IP address = 3.3.3.3
• XMPP federation listening port = 5269
nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.
-
Chapter 51 Configuring Cisco Unified Presence Feature History for Cisco Unified Presence
Feature History for Cisco Unified Presence
Table 51-1 lists the release history for this feature.
Table 51-1 Feature History for Cisco Unified Presence
Feature Name: Cisco Presence Federation Proxy; Releases: 8.0(4); Feature Information: The Cisco Unified Presence proxy feature was introduced.
Feature Name: Cisco Presence Federation Proxy; Releases: 8.3(1); Feature Information: The Unified Communications Wizard was added to ASDM.
-
CH A P T E R 52 Configuring Cisco Intercompany Media Engine Proxy This chapter describes how to configure the adaptive security appliance for Cisco Intercompany Media Engine Proxy.
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Information About Cisco Intercompany Media Engine Proxy
Cisco Intercompany Media Engine has the following key features:
• Works with existing phone numbers: Cisco Intercompany Media Engine works with the phone numbers an enterprise currently has and does not require an enterprise to learn new numbers or change providers to use Cisco Intercompany Media Engine.
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Information About Cisco Intercompany Media Engine Proxy On successful verification, the terminating side creates a ticket that grants permission to the call originator to make a Cisco IME call to a specific number. See Tickets and Passwords, page 52-3 for information.
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Information About Cisco Intercompany Media Engine Proxy
Ticket Verification Process with Cisco Intercompany Media Engine [figure: Enterprise A and Enterprise B, each with a UC-IME Server and a Cisco UCM, connected across the Internet through the ASA. 1: Enterprise B gets authorization ticket from A at end of validation protocol. 2: UC-IME server passes ticket to UCM and it’s stored as part of VoIP route. 4: ASA validates ticket. 3: Enterprise B calls A and includes tick
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Information About Cisco Intercompany Media Engine Proxy Call Fallback to the PSTN Cisco Intercompany Media Engine provides features that manage the QoS on the Internet, such as the ability to monitor QoS of the RTP traffic in real-time and fallback to PSTN automatically if problems arise.
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Information About Cisco Intercompany Media Engine Proxy
• Cisco Intercompany Media Engine (UC-IME) Bootstrap server—Provides the certificate required for admission onto the public peer-to-peer network for Cisco Intercompany Media Engine.
Figure 52-3 illustrates the components of the Cisco Intercompany Media Engine in a basic deployment.
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Information About Cisco Intercompany Media Engine Proxy
Basic Deployment Scenario [figure: UC-IME Bootstrap Server on the Internet; Enterprise A and Enterprise B, each with a UC-IME Server, a Cisco UCM, an ASA Enabled with UC-IME Proxy, IP phones, and a PSTN Gateway; SIP Trunk across the Internet; PSTN]
Figure 52-4
Off Path Deployment
In an off path deployment, inbound and outbound Cisco Intercompany Media Engine
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Licensing for Cisco Intercompany Media Engine
Off Path Deployment of the Adaptive Security Appliance [figure: Inside Enterprise with a Cisco UCM Cluster; DMZ with the UC-IME Server; Outside Enterprise Perimeter Security with an Internet Firewall and an Intranet Firewall; UC-IME Bootstrap Server on the Internet; ASA enabled with UC-IME proxy; IP phones]
Figure 52-5
Only UC-IME calls pass through the ASA enabled with the UC-IME proxy.
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Guidelines and Limitations
Model / License Requirement
All other models: Intercompany Media Engine license.
When you enable the Intercompany Media Engine (IME) license, you can use TLS proxy sessions up to the configured TLS proxy limit.
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Guidelines and Limitations
• Having Cisco UCMs on more than one of the ASA interfaces is not supported with the Cisco Intercompany Media Engine Proxy. Having the Cisco UCMs on one trusted interface is especially necessary in an off path deployment because the ASA requires that you specify the listening interface for the mapping service and the Cisco UCMs must be connected on one trusted interface.
• Multipart MIME is not supported.
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy
Configuring Cisco Intercompany Media Engine Proxy
This section contains the following topics:
• Task Flow for Configuring Cisco Intercompany Media Engine, page 52-11
• Configuring NAT for Cisco Intercompany Media Engine Proxy, page 52-12
• Configuring PAT for the Cisco UCM Server, page 52-14
• Creating Access Lists for Cisco Intercompany Media Engine Proxy, page 52-16
• Creating the Medi
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy
Or configure PAT for the UCM server. See Configuring PAT for the Cisco UCM Server, page 52-14.
Step 2 Create access lists for Cisco Intercompany Media Engine Proxy. See Creating Access Lists for Cisco Intercompany Media Engine Proxy, page 52-16.
Step 3 Create the media termination address instance for Cisco Intercompany Media Engine Proxy.
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy
Figure 52-7 Example for Configuring NAT for a Deployment [figure: Local Enterprise Corporate Network with Local Cisco UCMs 192.168.10.30 and 199.168.10.31; Configure NAT: 192.168.10.30 and 192.168.10.31 to 209.165.200.227 and 209.165.200.228; TLS to the Local ASA; Outside Cisco UCM addresses 209.165.200.227 and 209.165.200.
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy
Step 8
Command: hostname(config-network-object)# exit
Purpose: Exits from the object configuration mode.
Step 9
Command: hostname(config)# nat (inside,outside) source static real_obj mapped_obj
Examples:
hostname(config)# nat (inside,outside) source static ucm_real_192.168.10.30 ucm_209.165.200.228
hostname(config)# nat (inside,outside) source static ucm_real_192.168.10.31 ucm_209.165.200.
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy
Step 1
Command: hostname(config)# object network name
Example: hostname(config)# object network ucm-pat-209.165.200.228
Purpose: Configures a network object for the outside IP address of the Cisco UCM that you want to translate.
Step 2
Command: hostname(config-network-object)# host ip_address
Example: hostname(config-network-object)# host 209.165.200.
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy Creating Access Lists for Cisco Intercompany Media Engine Proxy To configure access lists for the Cisco Intercompany Media Engine Proxy to reach the Cisco UCM server, perform the following steps. The example command lines in this task are based on a basic (in-line) deployment. See Figure 52-6 on page 52-11 for an illustration explaining the example command lines in this task.
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy What to Do Next Create the media termination instance on the ASA for the Cisco Intercompany Media Engine Proxy. See Creating the Media Termination Instance, page 52-17.
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy
Step 1
Command: hostname(config)# media-termination instance_name
Example: hostname(config)# media-termination uc-ime-media-term
Purpose: Creates the media termination instance that you attach to the Cisco Intercompany Media Engine Proxy.
Step 2
Command: hostname(config-media-termination)# address ip_address interface intf_name
Examples: hostname(config-media-termination)# address 209.165.200.
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy
Note You cannot change any of the configuration settings for the Cisco Intercompany Media Engine Proxy described in this procedure when the proxy is enabled for SIP inspection. Remove the Cisco Intercompany Media Engine Proxy from SIP inspection before changing any of the settings described in this procedure.
Step 1
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy
Step 4
Command: hostname(config-uc-ime)# ticket epoch n password password
Example: hostname(config-uc-ime)# ticket epoch 1 password password1234
Purpose: Configures the ticket epoch and password for Cisco Intercompany Media Engine, where n is an integer from 1 to 255. The epoch is an integer that is updated each time the password is changed.
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy
Step 5
Purpose: (Optional) Specifies the fallback timers for Cisco Intercompany Media Engine.
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy Configuring TLS within the Local Enterprise, page 52-27. Performing that task allows for secure TLS connections between the local Cisco UCM and the local ASA. The instructions in that task describe how to create trustpoints between the local Cisco UCM and the local ASA.
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy
Step 4
Command: hostname(config-ca-trustpoint)# keypair keyname
Example: hostname(config-ca-trustpoint)# keypair local-ent-key
Purpose: Specifies the key pair whose public key is to be certified.
Step 5
Command: hostname(config-ca-trustpoint)# enroll terminal
Purpose: Specifies that you will use the “copy and paste” method of enrollment with this trustpoint (also known as manual enrollment).
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy
Creating the TLS Proxy
Because either enterprise (that is, either the local or the remote Cisco UCM server) can initiate the TLS handshake (unlike IP Telephony or Cisco Mobility Advantage, where only the clients initiate the TLS handshake), you must configure bidirectional TLS proxy rules. Each enterprise can have an ASA as the TLS proxy.
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy
Step 6
Command: hostname(config-tlsp)# server trust-point proxy_trustpoint
Example: hostname(config-tlsp)# server trust-point local-ent
Purpose: For inbound connections, specifies the proxy trustpoint certificate presented during the TLS handshake. The certificate must be owned by the adaptive security appliance (identity certificate).
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy
Step 1
Command: hostname(config)# class-map class_map_name
Example: hostname(config)# class-map ime-inbound-sip
Purpose: Defines a class for the inbound Cisco Intercompany Media Engine SIP traffic.
Step 2
Command: hostname(config-cmap)# match access-list access_list_name
Example: hostname(config-cmap)# match access-list ime-inbound-sip
Purpose: Identifies the SIP traffic to inspect.
-
Chapter 52 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy
Step 14
Command: hostname(config-pmap)# exit
Purpose: Exits from policy map configuration mode.
Step 15
Command: hostname(config)# service-policy policymap_name global
Example: hostname(config)# service-policy ime-policy global
Purpose: Enables the service policy for SIP inspection on all interfaces, where policymap_name is the name of the policy map you created in Step 7 of this task.
-
Step 1 commands:
hostname(config)# crypto key generate rsa label key-pair-label
hostname(config)# crypto ca trustpoint trustpoint_name
hostname(config-ca-trustpoint)# enroll self
hostname(config-ca-trustpoint)# keypair keyname
hostname(config-ca-trustpoint)# subject-name x.
-
Step 6: hostname(config)# crypto ca authenticate trustpoint (Example: hostname(config)# crypto ca authenticate local-ent-ucm). Imports the certificate from the local Cisco UCM, where trustpoint is the trustpoint for the local Cisco UCM. Paste the certificate downloaded from the local Cisco UCM.
-
(Optional) Configuring Off Path Signaling
Perform this task only when you are configuring the Cisco Intercompany Media Engine Proxy as part of an off path deployment. You might choose an off path deployment when you want to use the Cisco Intercompany Media Engine but do not want to replace your existing Internet firewall with an ASA enabled with the Cisco Intercompany Media Engine Proxy.
-
Step 5: hostname(config)# uc-ime uc_ime_name (Example: hostname(config)# uc-ime local-ent-ime). Specifies the Cisco Intercompany Media Engine Proxy that you created in the task Creating the Cisco Intercompany Media Engine Proxy, page 52-18, where uc_ime_name is the name you specified in Step 1 of that task.
-
Step 2: Check the Enable Cisco UC-IME proxy check box to enable the feature.
Step 3: In the Unified CM Servers area, enter an IP address or hostname for the Cisco Unified Communications Manager (Cisco UCM) or click the ellipsis to open a dialog and browse for an IP address or hostname.
Step 4: In the Trunk Security Mode field, click a security option.
-
Step 10: In the Fallback area, configure the fallback timer for the Cisco Intercompany Media Engine by specifying the following settings:
a. In the Fallback Sensitivity File field, enter the path to a file in flash memory that the ASA uses for mid-call PSTN fallback. The file name that you enter must be the name of a file on disk that includes the .fbs file extension.
-
Troubleshooting Cisco Intercompany Media Engine Proxy
Step 4: Specify the public network settings.
Step 5: Specify the media termination address settings of Cisco UCM.
Step 6: Configure the local-side certificate management, namely the certificates that are exchanged between the local Cisco Unified Communications Manager servers and the ASA.
-
Local SRTP key set :
Remote SRTP key set
Remote Media (audio) conn: 192.168.10.51/19520 to 192.168.10.3/30930
Call-ID: ab6d7980-a7d11b08-50-1e0aa8c0@192.168.10.30
FB Sensitivity: 3
Session ID: 2948-32325449-0@81a985c9-f3a1-55a0-3b19-96549a027259
SIP Trunk URI: 81a985c9-f3a1-55a0-3b19-9654@UCM-30;maddr=192.168.10.
-
Sum_all_packets : 20196
Codec_payload_format : 9
RTP_ptime_ms : 20
Max_RBLR_pct_x100 : 0
Max_ITE_count_in_8_sec : 0
Max_BLS_ms : 0
Max_PDV_usec : 1000
Min_PDV_usec : 0
Mov_avg_PDV_usec : 109
Total_ITE_count : 0
Total_sec_count : 403
Concealed_sec_count : 0
Severely_concealed_sec_count : 0
Max_call_interval_ms : 118
Total_SequenceNumber_Resets : 0
Media-session: 192.168.10.
-
Feature History for Cisco Intercompany Media Engine Proxy
Table 52-1 lists the release history for this feature.
Table 52-1 Feature History for Cisco Phone Proxy
Feature Name / Releases / Feature Information
Cisco Intercompany Media Engine Proxy: 8.3(1). The Cisco Intercompany Media Engine Proxy was introduced.
-
Cisco ASA 5500 Series Configuration Guide using the CLI 52-38
-
PART 12 Configuring Connection Settings and QoS
-
-
CHAPTER 53 Configuring Connection Settings
This chapter describes how to configure connection settings for connections that go through the ASA, or for management connections that go to the ASA.
-
Information About Connection Settings
TCP Intercept and Limiting Embryonic Connections
Limiting the number of embryonic connections protects you from a DoS attack. The ASA uses the per-client limits and the embryonic connection limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets.
-
TCP Sequence Randomization
Each TCP connection has two ISNs: one generated by the client and one generated by the server. The ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions. Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.
-
Licensing Requirements for Connection Settings
connection?) and assigning it to either the session management path (a new connection SYN packet), the fast path (an established connection), or the control plane path (advanced inspection). See the “Stateful Inspection Overview” section on page 1-27 for more detailed information about the stateful firewall.
-
Guidelines and Limitations
This section includes the following guidelines and limitations:
• TCP State Bypass Guidelines and Limitations, page 53-5
TCP State Bypass Guidelines and Limitations
Context Mode Guidelines: Supported in single and multiple context mode.
Firewall Mode Guidelines: Supported in routed and transparent mode.
Failover Guidelines: Failover is supported.
-
exceed-mss allow
queue-limit 0 timeout 4
reserved-bits allow
syn-data allow
synack-data drop
invalid-ack drop
seq-past-window drop
tcp-options range 6 7 clear
tcp-options range 9 255 clear
tcp-options selective-ack allow
tcp-options timestamp allow
tcp-options window-scale allow
ttl-evasion-protection
urgent-flag clear
window-variation allow-connection
Configuring Connection Settings
This section includes the following topics:
-
Table 53-1 tcp-map Commands
check-retransmission: Prevents inconsistent TCP retransmissions.
checksum-verification: Verifies the checksum.
exceed-mss {allow | drop}: Sets the action for packets whose data length exceeds the TCP maximum segment size. The allow keyword (default) allows packets whose data length exceeds the TCP maximum segment size.
-
Table 53-1 tcp-map Commands (continued)
queue-limit pkt_num [timeout seconds]: Sets the maximum number of out-of-order packets that can be buffered and put in order for a TCP connection, between 1 and 250 packets.
-
Table 53-1 tcp-map Commands (continued)
synack-data {allow | drop}: Sets the action for TCP SYNACK packets that contain data. The allow keyword allows TCP SYNACK packets that contain data. The drop keyword (default) drops TCP SYNACK packets that contain data.
syn-data {allow | drop}: Sets the action for SYN packets with data. The allow keyword (default) allows SYN packets with data.
-
Table 53-1 tcp-map Commands (continued)
urgent-flag {allow | clear}: Sets the action for packets with the URG flag. The URG flag is used to indicate that the packet contains information that is of higher priority than other data within the stream.
-
Detailed Steps
Step 1: class-map name (Example: hostname(config)# class-map bypass_traffic). Creates a class map to identify the traffic for which you want to disable stateful firewall inspection.
Step 2: match parameter. Specifies the traffic in the class map. See the “Identifying Traffic (Layer 3/4 Class Maps)” section on page 32-12 for more information.
-
set connection {[conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}: Sets maximum connection limits or whether TCP sequence randomization is enabled. If two servers are configured to allow simultaneous TCP and/or UDP connections, the connection limit is applied to each configured server separately.
-
set connection timeout {[embryonic hh:mm:ss] [idle hh:mm:ss [reset]] [half-closed hh:mm:ss] [dcd hh:mm:ss [max_retries]]}: Sets connection timeouts. The idle hh:mm:ss keyword sets the idle timeout for all protocols between 0:0:1 and 1193:0:0. The default is 1:0:0. You can also set this value to 0, which means the connection never times out.
-
Monitoring Connection Settings
set connection advanced-options tcp-map-name (Example: hostname(config-pmap-c)# set connection advanced-options tcp_map1): Customizes the TCP normalizer. See the “Customizing the TCP Normalizer with a TCP Map” section on page 53-6 to create a TCP map.
Enables TCP state bypass.
-
Configuration Examples for Connection Settings
Configuration Examples for Connection Limits and Timeouts
The following example sets the connection limits and timeouts for all traffic:
hostname(config)# class-map CONNS
hostname(config-cmap)# match any
hostname(config-cmap)# policy-map CONNS
hostname(config-pmap)# class CONNS
hostname(config-pmap-c)# set connection conn-max 1000 embryonic-conn-max 3000
hostname(config-pmap-c)# set connection timeout idle 2:0:0 embr
-
Feature History for Connection Settings
Table 53-2 lists each feature change and the platform release in which it was implemented.
Table 53-2 Feature History for Connection Settings
Feature Name / Platform Releases / Feature Information
TCP state bypass: 8.2(1). This feature was introduced. The following command was introduced: set connection advanced-options tcp-state-bypass.
Connection timeout for all protocols: 8.
-
CHAPTER 54 Configuring QoS
Have you ever participated in a long-distance phone call that involved a satellite connection? The conversation might be interrupted with brief, but perceptible, gaps at odd intervals. Those gaps are the time, called the latency, between the arrival of packets being transmitted over the network. Some network traffic, such as voice and video, cannot tolerate long latency times.
-
Information About QoS
Supported QoS Features
The ASA supports the following QoS features:
• Policing—To prevent individual flows from hogging the network bandwidth, you can limit the maximum bandwidth used per flow. See the “Information About Policing” section on page 54-3 for more information.
-
For traffic shaping, a token bucket permits burstiness but bounds it. It guarantees that the burstiness is bounded so that the flow will never send faster than the token bucket capacity, divided by the time interval, plus the established rate at which tokens are placed in the token bucket.
-
Information About Traffic Shaping
Traffic shaping is used to match device and link speeds, thereby controlling packet loss, variable delay, and link saturation, which can cause jitter and delay.
Note: Traffic shaping is not supported on multi-processor models, such as the ASA 5580 or ASA 5585-X.
• Traffic shaping must be applied to all outgoing traffic on a physical interface or, in the case of the ASA 5505, on a VLAN.
-
Licensing Requirements for QoS
You cannot configure traffic shaping and standard priority queuing for the same interface; only hierarchical priority queuing is allowed. For example, if you configure standard priority queuing for the global policy, and then configure traffic shaping for a specific interface, the feature you configured last is rejected because the global policy overlaps the interface policy.
-
Configuring QoS
• (ASA 5512-X through ASA 5555-X) Priority queuing is not supported on the Management 0/0 interface.
Additional Guidelines and Limitations
• For traffic shaping, you can only use the class-default class map, which is automatically created by the ASA, and which matches all traffic.
• For priority traffic, you cannot use the class-default class map.
-
1. For example, DSL might have an uplink speed of 768 Kbps. Check with your provider.
2. Determine this value from a codec or sampling size. For example, for VoIP over VPN, you might use 160 bytes. We recommend 256 bytes if you do not know what size to use.
3. The delay depends on your application. For example, the recommended maximum delay for VoIP is 200 ms. We recommend 500 ms if you do not know what delay to use.
-
Detailed Steps
Step 1: priority-queue interface_name (Example: hostname(config)# priority-queue inside). Creates the priority queue, where the interface_name argument specifies the physical interface name on which you want to enable the priority queue, or, for the ASA 5505 or ASASM, the VLAN interface name.
Step 2: queue-limit number_of_packets (Example: hostname(config-priority-queue)# queue-limit 260). Changes the size of the priority queues.
-
Configuring a Service Rule for Standard Priority Queuing and Policing
You can configure standard priority queuing and policing for different class maps within the same policy map. See the “How QoS Features Interact” section on page 54-4 for information about valid QoS configurations. To create a policy map, perform the following steps.
Restrictions
• You cannot use the class-default class map for priority traffic.
-
Step 6: class policing_map_name (Example: hostname(config-pmap)# class policing_class). Identifies the class map you created for policed traffic in Step 1.
Step 7: police {output | input} conform-rate [conform-burst] [conform-action [drop | transmit]] [exceed-action [drop | transmit]]. Configures policing for the class.
-
hostname(config)# class-map tcp_traffic
hostname(config-cmap)# match access-list tcp_traffic
In the following example, other, more specific match criteria are used for classifying traffic for specific, security-related tunnel groups.
-
Example 54-2 Priority and Policing Example
In this example, the maximum rate for traffic of the tcp_traffic class is 56,000 bits/second, with a maximum burst size of 10,500 bytes per second. For the TG1-BestEffort class, the maximum rate is 200,000 bits/second, with a maximum burst of 37,500 bytes/second. Traffic in the TG1-voice class has no policed maximum speed or burst rate because it belongs to a priority class.
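The token bucket described under Information About QoS and the police command of Step 7, as an added Python model that is not Cisco's code: it polices a constructed packet trace with the tcp_traffic numbers from Example 54-2 and checks the stated bound (bucket capacity plus token rate times interval). Class and function names are assumptions.

```python
class TokenBucketPolicer:
    """Single-rate token bucket in the style of police {output | input} conform-rate [conform-burst].

    Hypothetical model for illustration, not the ASA implementation. conform_rate_bps is the
    sustained rate in bits/second; conform_burst_bytes is the bucket capacity in bytes.
    """

    def __init__(self, conform_rate_bps: int, conform_burst_bytes: int) -> None:
        self.conform_rate_bps = conform_rate_bps
        self.conform_burst_bytes = conform_burst_bytes
        self.tokens = float(conform_burst_bytes)   # the bucket starts full: one burst may go at once
        self.last_time = 0.0

    def _refill(self, now: float) -> None:
        # Tokens accrue at the conform rate (bits converted to bytes) and are capped at the burst size.
        elapsed = max(0.0, now - self.last_time)
        self.tokens = min(self.conform_burst_bytes, self.tokens + elapsed * self.conform_rate_bps / 8)
        self.last_time = now

    def offer(self, now: float, size_bytes: int) -> str:
        """Police one packet of size_bytes arriving at time now (seconds).

        Returns "transmit" (conform-action) when enough tokens exist, otherwise "drop"
        (exceed-action); a packet that exceeds the rate consumes no tokens.
        """
        self._refill(now)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "transmit"
        return "drop"


def max_bytes_in_interval(policer: TokenBucketPolicer, seconds: float) -> float:
    """Bound stated in the traffic-shaping text: bucket capacity plus the token rate times the interval."""
    return policer.conform_burst_bytes + policer.conform_rate_bps * seconds / 8


def police_trace(policer: TokenBucketPolicer, packets: list) -> tuple:
    """Run (time_seconds, size_bytes) packets through the policer; return actions and bytes transmitted."""
    actions = [policer.offer(t, size) for t, size in packets]
    sent = sum(size for (_, size), action in zip(packets, actions) if action == "transmit")
    return actions, sent


def tcp_traffic_example() -> dict:
    """Constructed trace for the tcp_traffic class of Example 54-2: 56,000 bps, 10,500 byte burst."""
    policer = TokenBucketPolicer(conform_rate_bps=56000, conform_burst_bytes=10500)
    # Twenty 1500-byte segments at t=0 (a 30,000 byte burst), then five more one second later.
    packets = [(0.0, 1500)] * 20 + [(1.0, 1500)] * 5
    actions, sent = police_trace(policer, packets)
    return {
        "actions": actions,
        "bytes_sent": sent,
        "bound_over_1s": max_bytes_in_interval(policer, 1.0),   # 10500 + 56000 / 8 = 17500
    }
```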
-
Restrictions
• For hierarchical priority queuing, for encrypted VPN traffic, you can only match traffic based on the DSCP or precedence setting; you cannot match a tunnel group.
• For hierarchical priority queuing, IPsec-over-TCP traffic is not supported.
Detailed Steps
Step 1: class-map priority_map_name. For hierarchical priority queuing, creates a class map to identify the traffic for which you want to perform priority queuing.
-
Detailed Steps
Step 1: policy-map name (Example: hostname(config)# policy-map shape_policy). Adds or edits a policy map. This policy map must be different from the hierarchical priority-queuing map.
Step 2: class class-default. Identifies all traffic for traffic shaping; you can only use the class-default class map, which is defined as match any, because the ASA requires all traffic to be matched for traffic shaping.
-
hostname(config-pmap)# class voice_traffic
hostname(config-pmap-c)# priority
hostname(config-pmap-c)# class ike
hostname(config-pmap-c)# priority
hostname(config-pmap-c)# policy-map qos_outside_policy
hostname(config-pmap)# class class-default
hostname(config-pmap-c)# shape average 2000000 16000
hostname(config-pmap-c)# service-policy qos_class_policy
hostname(config-pmap-c)# service-policy qos_outside_policy interface outside
Monitoring QoS
This section includes
-
Viewing QoS Standard Priority Statistics
To view statistics for service policies implementing the priority command, use the show service-policy command with the priority keyword:
hostname# show service-policy priority
The following is sample output for the show service-policy priority command:
hostname# show service-policy priority
Global policy:
Service-policy: global_fw_policy
Interface outside:
Service-policy: qos
Class-map: TG1-voice
Priority:
Interface outs
-
Service-policy: voip
Class-map: voip
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: class-default
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Viewing QoS Standard Priority Queue Statistics
To display the priority-queue statistics for an interface, use the show priority-queue statistics command in privileged EXEC mode.
-
Feature History for QoS
Table 54-3 lists each feature change and the platform release in which it was implemented.
Table 54-3 Feature History for QoS
Feature Name / Platform Releases / Feature Information
Priority queuing and policing: 7.0(1). We introduced QoS priority queuing and policing.
-
PART 13 Configuring Advanced Network Protection
-
-
CHAPTER 55 Configuring the Botnet Traffic Filter
Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address.
-
Information About the Botnet Traffic Filter
• Botnet Traffic Filter Databases, page 55-2
• How the Botnet Traffic Filter Works, page 55-5
Botnet Traffic Filter Address Types
Addresses monitored by the Botnet Traffic Filter include:
• Known malware addresses—These addresses are on the blacklist identified by the dynamic database and the static blacklist.
• Known allowed addresses—These addresses are on the whitelist.
-
3. In some cases, the IP address itself is supplied in the dynamic database, and the Botnet Traffic Filter logs or drops any traffic to that IP address without having to inspect DNS requests.
Database Files
The database files are stored in running memory; they are not stored in flash memory. If you need to delete the database, use the dynamic-filter database purge command instead.
-
blacklist and the whitelist are identified only as whitelist addresses in syslog messages and reports. Note that you see syslog messages for whitelisted addresses even if the address is not also in the dynamic blacklist. When you add a domain name to the static database, the ASA waits 1 minute, and then sends a DNS request for that domain name and adds the domain name/IP address pairing to the DNS host cache.
-
How the Botnet Traffic Filter Works
Figure 55-1 shows how the Botnet Traffic Filter works with the dynamic database plus DNS inspection with Botnet Traffic Filter snooping.
Figure 55-1 How the Botnet Traffic Filter Works with the Dynamic Database (figure: Security Appliance with DNS Reverse Lookup Cache and DNS Snoop; Infected Host; DNS Server; Internet; labels 1a. Match?, 2 DNS Reply: 209.165.201.3, 3, 3a. Match?, Connection to: 209.)
-
Licensing Requirements for the Botnet Traffic Filter
The following table shows the licensing requirements for this feature:
Model: All models. License Requirement: You need the following licenses:
• Botnet Traffic Filter License.
• Strong Encryption (3DES/AES) License to download the dynamic database.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
-
Configuring the Botnet Traffic Filter
• Enabling DNS Snooping, page 55-10
• Adding Entries to the Static Database, page 55-9
• Enabling Traffic Classification and Actions for the Botnet Traffic Filter, page 55-12
• Blocking Botnet Traffic Manually, page 55-15
• Searching the Dynamic Database, page 55-16
Task Flow for Configuring the Botnet Traffic Filter
To configure the Botnet Traffic Filter, perform the following steps:
Step 1 Enable use of the
-
Prerequisites
Enable ASA use of a DNS server according to the “Configuring the DNS Server” section on page 10-11.
Detailed Steps
Step 1: dynamic-filter updater-client enable. Enables downloading of the dynamic database from the Cisco update server. In multiple context mode, enter this command in the system execution space.
-
Adding Entries to the Static Database
The static database lets you augment the dynamic database with domain names or IP addresses that you want to blacklist or whitelist. Static blacklist entries are always designated with a Very High threat level. See the “Information About the Static Database” section on page 55-3 for more information.
-
name domain_name (Example: hostname(config-llist)# name good.example.com): Adds a name to the whitelist. You can enter this command multiple times for multiple entries. You can add up to 1000 whitelist entries.
address ip_address mask: Adds an IP address to the whitelist. You can enter this command multiple times for multiple entries. The mask can be for a single host or for a subnet.
-
Default DNS Inspection Configuration and Recommended Configuration
The default configuration for DNS inspection inspects all UDP DNS traffic on all interfaces, and does not have DNS snooping enabled. We suggest that you enable DNS snooping only on interfaces where external DNS requests are going.
-
Step 5: inspect dns [map_name] dynamic-filter-snoop. Enables DNS inspection with Botnet Traffic Filter snooping. To use the default DNS inspection policy map for the map_name, specify preset_dns_map for the map name. See the “DNS Inspection” section on page 43-1 for more information about creating a DNS inspection policy map.
-
Recommended Configuration
Although DNS snooping is not required, we recommend configuring DNS snooping for maximum use of the Botnet Traffic Filter (see the “Enabling DNS Snooping” section on page 55-10). Without DNS snooping for the dynamic database, the Botnet Traffic Filter uses only the static database entries, plus any IP addresses in the dynamic database; domain names in the dynamic database are not used.
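The classification flow of Figure 55-1 together with the two rules stated in this chapter (an address on both lists is reported only as a whitelist address; without DNS snooping, dynamic-database domain names are never matched), as an added Python model that is not the ASA's code. List contents, the cache names and the 209.165.200.225 reply are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class BotnetTrafficFilter:
    """Hypothetical model of the classification path; not the ASA implementation."""
    dynamic_domains: set = field(default_factory=set)          # dynamic database: domain names
    dynamic_ips: set = field(default_factory=set)              # dynamic database: IP addresses
    static_blacklist_domains: set = field(default_factory=set)
    static_whitelist_domains: set = field(default_factory=set)
    static_whitelist_nets: list = field(default_factory=list)  # ipaddress networks (address ip mask)
    dns_snooping: bool = True      # inspect dns ... dynamic-filter-snoop
    drop_blacklist: bool = False   # dynamic-filter drop blacklist
    reverse_cache: dict = field(default_factory=dict)   # DNS reverse lookup cache: ip -> name
    host_cache: dict = field(default_factory=dict)      # ASA's own lookups of static names: name -> ip

    def snoop_dns_reply(self, name: str, ip: str) -> None:
        """A DNS reply seen by DNS inspection with snooping fills the reverse lookup cache."""
        if self.dns_snooping:
            self.reverse_cache[ip] = name

    def resolve_static_name(self, name: str, ip: str) -> None:
        """The ASA resolves static-database names itself (after 1 minute) and caches the pair."""
        self.host_cache[name] = ip

    def _names_for(self, ip: str) -> set:
        names = {n for n, a in self.host_cache.items() if a == ip}
        if ip in self.reverse_cache:
            names.add(self.reverse_cache[ip])
        return names

    def classify(self, dst_ip: str) -> tuple:
        """Return (list, reason) for a connection to dst_ip."""
        names = self._names_for(dst_ip)
        addr = ipaddress.ip_address(dst_ip)
        # An address that is on both lists is reported only as a whitelist address.
        if names & self.static_whitelist_domains or any(addr in net for net in self.static_whitelist_nets):
            return "whitelist", "static whitelist"
        if names & self.static_blacklist_domains:
            return "blacklist", "static blacklist, threat level Very High"
        if dst_ip in self.dynamic_ips:
            return "blacklist", "IP address in dynamic database"
        # Domain names in the dynamic database are only reachable through the snoop cache,
        # so with snooping disabled this branch never matches.
        if names & self.dynamic_domains:
            return "blacklist", "domain name in dynamic database"
        return "none", "no match"

    def connection(self, dst_ip: str) -> dict:
        """Classify one outbound connection and decide whether it is dropped, logged or passed."""
        listed, reason = self.classify(dst_ip)
        if listed == "blacklist":
            action = "drop" if self.drop_blacklist else "log"
        elif listed == "whitelist":
            action = "log"     # whitelist hits still produce syslog messages
        else:
            action = "allow"
        return {"dst": dst_ip, "list": listed, "reason": reason, "action": action}


def demo(dns_snooping: bool) -> dict:
    """Constructed scenario: one domain-only and one IP-only dynamic entry plus static lists."""
    btf = BotnetTrafficFilter(
        dynamic_domains={"bad.example.com"},
        dynamic_ips={"209.165.201.3"},
        static_blacklist_domains={"horrible.example.net"},
        static_whitelist_domains={"good.example.com"},
        static_whitelist_nets=[ipaddress.ip_network("10.1.1.0/24")],
        dns_snooping=dns_snooping,
        drop_blacklist=True,
    )
    btf.resolve_static_name("good.example.com", "209.165.201.3")     # whitelisted name, blacklisted IP
    btf.resolve_static_name("horrible.example.net", "10.232.224.2")
    btf.snoop_dns_reply("bad.example.com", "209.165.200.225")         # constructed DNS reply
    targets = ("209.165.200.225", "209.165.201.3", "10.232.224.2", "10.1.1.7")
    return {ip: btf.connection(ip) for ip in targets}
```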
-
Step 3: (Optional) Automatically drops malware traffic. To manually drop traffic, see the “Blocking Botnet Traffic Manually” section on page 55-15.
-
Step 4: (Optional) If you configured the dynamic-filter drop blacklist command, then this command treats greylisted traffic as blacklisted traffic for dropping purposes. If you do not enable this command, greylisted traffic will not be dropped. See the “Botnet Traffic Filter Address Types” section on page 55-2 for more information about the greylist.
-
See Chapter 15, “Adding an Extended Access List,” for more information about creating an access list, and see Chapter 34, “Configuring Access Rules,” for information about applying the access list to the interface.
Note
• Access lists block all future connections. To block the current connection, if it is still active, enter the clear conn command.
-
hostname# dynamic-filter database find bad
bad.example.com
bad.example.net
Found more than 2 matches, enter a more specific string to find an exact match
Monitoring the Botnet Traffic Filter
Whenever a known address is classified by the Botnet Traffic Filter, a syslog message is generated. You can also monitor Botnet Traffic Filter statistics and other parameters by entering commands on the ASA.
-
show dynamic-filter reports infected-hosts {max-connections | latest-active | highest-threat | subnet ip_address netmask | all}: Generates reports about infected hosts. These reports contain detailed history about infected hosts, showing the correlation between infected hosts, visited malware sites, and malware ports.
-
Configuration Examples for the Botnet Traffic Filter
horrible.example.net(10.232.224.2)
nono.example.org(209.165.202.
-
hostname(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
hostname(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outside
hostname(config)# dynamic-filter enable interface outside
hostname(config)# dynamic-filter drop blacklist interface outside
The following recommended example configuration for multiple context mode enables the Botnet Traffic Filter for two context
-
Where to Go Next
hostname/context1(config-llist)# address 10.1.1.1 255.255.255.0
hostname/context1(config-llist)# dynamic-filter whitelist
hostname/context1(config-llist)# name good.example.com
hostname/context1(config-llist)# name great.example.com
hostname/context1(config-llist)# name awesome.example.com
hostname/context1(config-llist)# address 10.1.1.2 255.255.255.
-
Feature History for the Botnet Traffic Filter
Table 55-2 lists each feature change and the platform release in which it was implemented.
Table 55-2 Feature History for the Botnet Traffic Filter
Feature Name / Platform Releases / Feature Information
Botnet Traffic Filter: 8.2(1). This feature was introduced.
Automatic blocking, and blacklist category and threat level reporting: 8.2(2).
-
CHAPTER 56 Configuring Threat Detection
This chapter describes how to configure threat detection statistics and scanning threat detection and includes the following sections:
• Information About Threat Detection, page 56-1
• Licensing Requirements for Threat Detection, page 56-1
• Configuring Basic Threat Detection Statistics, page 56-2
• Configuring Advanced Threat Detection Statistics, page 56-6
• Configuring Scanning Threat Detection, page 56-15
• Configuration Examples for Threat Detec
-
Model: All models. License Requirement: Base License.
Configuring Basic Threat Detection Statistics
Basic threat detection statistics include activity that might be related to an attack, such as a DoS attack.
-
For each received event, the ASA checks the average and burst rate limits; if both rates are exceeded, then the ASA sends two separate system messages, with a maximum of one message for each rate type per burst period. Basic threat detection affects performance only when there are drops or potential threats; even in this scenario, the performance impact is insignificant.
-
Table 56-1 Basic Threat Detection Default Settings (continued)
Packet Drop Reason / Trigger Settings (Average Rate; Burst Rate)
Denial by access lists: Average Rate 400 drops/sec over the last 600 second period, or 320 drops/sec over the last 3600 second period. Burst Rate 800 drops/sec over the last 20 second period, or 640 drops/sec over the last 120 second period.
• Basic firewall checks failed
• Packets failed application inspection
Interface overload
-
Monitoring Basic Threat Detection Statistics
To monitor basic threat detection statistics, perform one of the following tasks:
show threat-detection rate [min-display-rate min_display_rate] [acl-drop | bad-packet-drop | conn-limit-drop | dos-drop | fw-drop | icmp-drop | inspect-drop | interface-drop | scanning-threat | syn-attack]: Displays basic threat detection statistics.
-
Feature History for Basic Threat Detection Statistics
Table 56-2 lists each feature change and the platform release in which it was implemented.
Table 56-2 Feature History for Basic Threat Detection Statistics
Feature Name / Platform Releases / Feature Information
Basic threat detection statistics: 8.0(2). Basic threat detection statistics was introduced.
-
Chapter 56 Configuring Threat Detection Configuring Advanced Threat Detection Statistics Security Context Guidelines Only TCP Intercept statistics are available in multiple mode. Firewall Mode Guidelines Supported in routed and transparent firewall mode. Types of Traffic Monitored Only through-the-box traffic is monitored; to-the-box traffic is not included in threat detection. Default Settings By default, statistics for access lists are enabled.
-
Step 3
Command: threat-detection statistics host [number-of-rate {1 | 2 | 3}]
Purpose: (Optional) Enables statistics for hosts. The number-of-rate keyword sets the number of rate intervals maintained for host statistics. The default number of rate intervals is 1, which keeps the memory usage low.
Example:
hostname(config)# threat-detection statistics host number-of-rate 2
-
Step 5
Command: threat-detection statistics protocol [number-of-rate {1 | 2 | 3}]
Purpose: (Optional) Enables statistics for non-TCP/UDP IP protocols. The number-of-rate keyword sets the number of rate intervals maintained for protocol statistics. The default number of rate intervals is 1, which keeps the memory usage low. To view more rate intervals, set the value to 2 or 3.
-
The ASA stores the count at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds.
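The rate check described above (average rate over the 30 most recently completed burst intervals, burst rate over the interval in progress, at most one message per rate type per burst period), modelled in Python as an added illustration that is not part of the Cisco guide. It uses the acl-drop limits from Table 56-1 (400 drops/sec average over 600 seconds, 800 drops/sec burst over 20 seconds); the drop timeline is constructed, and dividing by the full rate interval before 30 intervals have completed is an assumption.

```python
from collections import deque


class BasicThreatDetector:
    """Model of the ASA basic threat detection rate check for one drop reason.

    The burst interval is 1/30th of the average rate interval (600 s -> 20 s,
    the Table 56-1 pairing). Drops are counted per burst interval; the 30 most
    recently completed intervals feed the average rate, and the interval still
    in progress is excluded from it, as the text above states.
    """

    BUCKETS = 30  # completed burst intervals kept for the average rate

    def __init__(self, avg_limit, burst_limit, rate_interval=600):
        self.avg_limit = avg_limit                # drops/sec over rate_interval
        self.burst_limit = burst_limit            # drops/sec over one burst interval
        self.rate_interval = rate_interval
        self.burst_interval = rate_interval // self.BUCKETS
        self.completed = deque(maxlen=self.BUCKETS)  # counts of finished intervals
        self.current_idx = None                   # index of the interval in progress
        self.current_count = 0
        self.reported = set()                     # (rate type, interval) already logged
        self.log = []                             # formatted messages, in order

    def _roll(self, ts):
        """Close out every burst interval that ended before ts, idle ones included."""
        idx = int(ts) // self.burst_interval
        if self.current_idx is None:
            self.current_idx = idx
        while self.current_idx < idx:
            self.completed.append(self.current_count)
            self.current_count = 0
            self.current_idx += 1
        # Drop one-message-per-period markers that belong to finished intervals.
        self.reported = {k for k in self.reported if k[1] == self.current_idx}

    def average_rate(self):
        # Assumption: the sum of completed intervals is divided by the full rate
        # interval even before 30 intervals have completed (the guide does not say).
        return sum(self.completed) / self.rate_interval

    def burst_rate(self):
        return self.current_count / self.burst_interval

    def record(self, ts, drops=1):
        """Account `drops` drop events at time ts; return the rate types that fire."""
        self._roll(ts)
        self.current_count += drops
        fired = []
        checks = (
            ("average", self.average_rate(), self.avg_limit, self.rate_interval),
            ("burst", self.burst_rate(), self.burst_limit, self.burst_interval),
        )
        for kind, rate, limit, window in checks:
            key = (kind, self.current_idx)
            if rate > limit and key not in self.reported:
                self.reported.add(key)  # one message per rate type per burst period
                self.log.append(f"t={ts}s {kind} rate {rate:.1f} drops/sec over "
                                f"{window}s exceeds limit {limit}")
                fired.append(kind)
        return fired


if __name__ == "__main__":
    # Constructed acl-drop timeline using the Table 56-1 limits: a 20000-drop
    # burst at t=0, then 300000 drops at t=40 that push the average over 400/sec.
    det = BasicThreatDetector(avg_limit=400, burst_limit=800)
    timeline = [(0, 20000), (5, 100), (20, 1), (40, 300000), (60, 1), (61, 1), (80, 1)]
    for ts, drops in timeline:
        det.record(ts, drops)
    for line in det.log:
        print(line)
```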
-
To monitor advanced threat detection statistics, perform one of the following tasks:
Command: show threat-detection statistics [min-display-rate min_display_rate] top [[access-list | host | port-protocol] [rate-1 | rate-2 | rate-3] | tcp-intercept [all] detail]
Purpose: Displays the top 10 statistics.
-
Command: show threat-detection statistics [min-display-rate min_display_rate] protocol [protocol_number | ah | eigrp | esp | gre | icmp | igmp | igrp | ip | ipinip | ipsec | nos | ospf | pcp | pim | pptp | snp | tcp | udp]
Purpose: Displays statistics for all IP protocols or for a specific protocol.
Command: show threat-detection memory
Purpose: Displays how much memory is used by advanced threat detection statistics.
-
Table 56-3 show threat-detection statistics host Command Fields (continued)
Field: fw-drop
Description: Shows the number of firewall drops.
-
Table 56-3 show threat-detection statistics host Command Fields (continued)
Field: 20-min, 1-hour, 8-hour, and 24-hour
Description: Shows statistics for these fixed rate intervals.
Field: Sent byte
Description: Shows the number of successful bytes sent from the host.
Field: Sent pkts
Description: Shows the number of successful packets sent from the host.
-
Table 56-4 Feature History for Advanced Threat Detection Statistics (continued)
Feature Name: Customize port and protocol statistics rate intervals
Platform Releases: 8.3(1)
Feature Information: You can now customize the number of rate intervals for which statistics are collected. The default number of rates was changed from 3 to 1.
-
Configuring Scanning Threat Detection
Guidelines and Limitations
This section includes the guidelines and limitations for this feature:
Security Context Guidelines
Supported in single mode only. Multiple mode is not supported.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Types of Traffic Monitored
• Only through-the-box traffic is monitored; to-the-box traffic is not included in threat detection.
-
Configuring Scanning Threat Detection
Detailed Steps
Step 1
Command: threat-detection scanning-threat [shun [except {ip-address ip_address mask | object-group network_object_group_id}]]
Purpose: Enables scanning threat detection. By default, the system log message 733101 is generated when a host is identified as an attacker.
-
Command: clear threat-detection shun [ip_address [mask]]
Purpose: Releases a host from being shunned. If you do not specify an IP address, all hosts are cleared from the shun list.
Command: show threat-detection scanning-threat [attacker | target]
Purpose: Displays hosts that the ASA decides are attackers (including hosts on the shun list), and displays the hosts that are the target of an attack.
-
Table 56-6 Feature History for Scanning Threat Detection (continued)
Feature Name: Burst rate interval changed to 1/30th of the average rate.
Platform Releases: 8.2(1)
Feature Information: In earlier releases, the burst rate interval was 1/60th of the average rate. To maximize memory usage, the sampling interval was reduced to 30 times during the average rate.
Feature Name: Improved memory usage
Platform Releases: 8.
-
-
CHAPTER 57 Using Protection Tools
This chapter describes some of the many tools available to protect your network and includes the following sections:
• Preventing IP Spoofing, page 57-1
• Configuring the Fragment Size, page 57-2
• Blocking Unwanted Connections, page 57-2
• Configuring IP Audit for Basic IPS Support, page 57-3
Preventing IP Spoofing
This section lets you enable Unicast Reverse Path Forwarding on an interface.
-
Chapter 57 Using Protection Tools
Configuring the Fragment Size
By default, the ASA allows up to 24 fragments per IP packet, and up to 200 fragments awaiting reassembly. You might need to allow fragments on your network if you have an application that routinely fragments packets, such as NFS over UDP. However, if you do not have an application that fragments traffic, we recommend that you do not allow fragments through the ASA. Fragmented packets are often used in DoS attacks.
-
Configuring IP Audit for Basic IPS Support
The IP audit feature provides basic IPS support for an ASA that does not have an AIP SSM. It supports a basic list of signatures, and you can configure the ASA to perform one or more actions on traffic that matches a signature.
-
IP Audit Signature List
Table 57-1 lists supported signatures and system message numbers.
Table 57-1 Signature IDs and System Message Numbers
Signature ID | Message Number | Signature Title | Signature Type | Description
1000 | 400000 | IP options-Bad Option List | Informational | Triggers on receipt of an IP datagram where the list of IP options in the IP datagram header is incomplete or malformed.
-
Table 57-1 Signature IDs and System Message Numbers (continued)
Signature ID | Message Number | Signature Title | Signature Type | Description
1103 | 400009 | IP Overlapping Fragments (Teardrop) | Attack | Triggers when two fragments contained within the same IP datagram have offsets that indicate that they share positioning within the datagram.
-
Table 57-1 Signature IDs and System Message Numbers (continued)
Signature ID | Message Number | Signature Title | Signature Type | Description
2008 | 400018 | ICMP Timestamp Reply | Informational | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 14 (Timestamp Reply).
-
1002 | 400002 | IP options-Timestamp | Informational | Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 4 (Timestamp).
1003 | 400003 | IP options-Security | Informational | Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 2 (Security options).
-
2002 | 400012 | ICMP Source Quench | Informational | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 4 (Source Quench).
2003 | 400013 | ICMP Redirect | Informational | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 5 (Redirect).
-
2150 | 400023 | Fragmented ICMP Traffic | Attack | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and either the more fragments flag is set to 1 (ICMP) or there is an offset indicated in the offset field.
2151 | 400024 | Large ICMP Traffic | Attack | Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the IP length > 1024.
-
Table 57-1 Signature IDs and System Message Numbers (continued)
Signature ID | Message Number | Signature Title | Signature Type | Description
6051 | 400035 | DNS Zone Transfer | Informational | Triggers on normal DNS zone transfers, in which the source port is 53.
6052 | 400036 | DNS Zone Transfer from High Port | Informational | Triggers on an illegitimate DNS zone transfer, in which the source port is not equal to 53.
-
Table 57-1 Signature IDs and System Message Numbers (continued)
Signature ID | Message Number | Signature Title | Signature Type | Description
6180 | 400049 | rexd (remote execution daemon) Attempt | Informational | Triggers when a call to the rexd program is made. The remote execution daemon is the server responsible for remote program execution. This may be indicative of an attempt to gain unauthorized access to system resources.
-
-
PART 14 Configuring Modules
-
CHAPTER 58 Configuring the ASA IPS Module
This chapter describes how to configure the ASA IPS module. The ASA IPS module might be a physical module or a software module, depending on your ASA model. For a list of supported ASA IPS modules per ASA model, see the Cisco ASA Compatibility Matrix: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.
-
Chapter 58 Configuring the ASA IPS Module
Information About the ASA IPS module
How the ASA IPS module Works with the ASA
The ASA IPS module runs a separate application from the ASA. The ASA IPS module might include an external management interface so you can connect to the ASA IPS module directly; if it does not have a management interface, you can connect to the ASA IPS module through the ASA interface.
-
packet that you identify for inspection is analyzed before being allowed through. Also, the ASA IPS module can implement a blocking policy on a packet-by-packet basis. This mode, however, can affect throughput.
• Promiscuous mode—This mode sends a duplicate stream of traffic to the ASA IPS module. This mode is less secure, but has little impact on traffic throughput.
-
Figure 58-3 Security Contexts and Virtual Sensors (figure: the ASA main system with Context 1, Context 2, and Context 3 mapped to IPS Sensor 1 and Sensor 2)
Figure 58-4 shows a single mode ASA paired with multiple virtual sensors (in inline mode); each defined traffic flow goes to a different sensor.
-
– ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X—The IPS management interface is a separate external Gigabit Ethernet interface. If you cannot use the default address (see the “Default Settings” section on page 58-6), you can change the interface IP address and other network parameters. See the “Configuring Basic IPS Module Network Settings” section on page 58-10.
-
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Model Guidelines
• See the Cisco ASA Compatibility Matrix for information about which models support which modules: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
• The ASA 5505 does not support multiple context mode, so multiple context features, such as virtual sensors, are not supported on the AIP SSC.
-
Configuring the ASA IPS module
• Configuring Basic IPS Module Network Settings, page 58-10
• (ASA 5512-X through ASA 5555-X) Installing the Software Module, page 58-14
• Configuring the Security Policy on the ASA IPS module, page 58-14
• Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher), page 58-15
• Diverting Traffic to the ASA IPS module, page 58-17
Task Flow for the ASA IPS Module
Configuring the ASA IPS module is a process that in
-
Detailed Steps
ASA 5505
The ASA 5505 does not have a dedicated management interface. You must use an ASA VLAN to access an internal management IP address over the backplane. For a factory default configuration, connect the management PC to one of the following ports: Ethernet 0/1 through 0/7, which are assigned to VLAN 1.
(Figure labels: Ports 1 − 7, VLAN 1; Default ASA IP: 192.168.1.1; IPS IP: 192.168.1.2; Default IPS Gateway: 192.168.1.)
-
ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X (Physical Module)
Connect to the ASA Management 0/0 interface and the IPS Management 1/0 interface.
(Figure labels: ASA 5585-X IPS SSP; IPS Management 1/0 192.168.1.)
-
Detailed Steps
Command: Telnet session. For a physical module (for example, the ASA 5585-X): session 1
Purpose: Accesses the module using Telnet. You are prompted for the username and password. The default username is cisco, and the default password is cisco.
Note: The first time you log in to the module, you are prompted to change the default password.
-
Detailed Steps
Step 1: Session to the IPS module according to the “Sessioning to the Module from the ASA” section on page 58-9.
Step 2
Command: setup
Purpose: Runs the setup utility for initial configuration of the ASA IPS module. You are prompted for basic settings.
Example:
sensor# setup
(ASA 5505) Configuring Basic Network Settings
An ASA IPS module on the ASA 5505 does not have any external interfaces.
-
Restrictions
Do not configure NAT for the management address if you intend to access it using ASDM. For initial setup with ASDM, you need to access the real address. After initial setup (where you set the password on the ASA IPS module), you can configure NAT and supply ASDM with the translated address for accessing the ASA IPS module.
-
Step 5
Command: hw-module module 1 ip ip_address netmask gateway
Purpose: Configures the management IP address for the ASA IPS module. Make sure this address is on the same subnet as the ASA VLAN IP address. For example, if you assigned 10.1.1.1 to the VLAN for the ASA, then assign another address on that network, such as 10.1.1.2, for the IPS management address.
Example:
hostname# hw-module module 1 ip 10.1.1.2 255.255.255.0 10.
-
(ASA 5512-X through ASA 5555-X) Installing the Software Module
Your ASA typically ships with IPS module software present on Disk0. If the module is not running, however, you need to install the module.
Detailed Steps
Step 1 To view the IPS module software filename in flash memory, enter:
hostname# dir disk0:
For example, look for a filename like IPS-SSP_5512-K9-sys-1.1-a-7.1-4-E4.aip.
-
Step 2 Connect to the IPS management interface using SSH. If you did not change it, the default management IP address is 192.168.1.2. The default username is cisco, and the default password is cisco. See the “Information About Management Access” section on page 58-4 for more information about the management interface. Configure the IPS security policy according to the IPS documentation.
-
Detailed Steps
Step 1
Command: context name
Purpose: Identifies the context you want to configure. Enter this command in the system execution space.
Example:
hostname(config)# context admin
hostname(config-ctx)#
Step 2
Command: allocate-ips sensor_name [mapped_name] [default]
Purpose: Enter this command for each sensor you want to assign to the context.
Example:
hostname(config-ctx)# allocate-ips sensor1 highsec
-
Examples
The following example assigns sensor1 and sensor2 to context A, and sensor1 and sensor3 to context B. Both contexts map the sensor names to “ips1” and “ips2.” In context A, sensor1 is set as the default sensor, but in context B, no default is set so the default that is configured on the ASA IPS module is used.
-
Detailed Steps
Step 1
Command: class-map name
Purpose: Creates a class map to identify the traffic that you want to send to the ASA IPS module. If you want to send multiple traffic classes to the ASA IPS module, you can create multiple class maps for use in the security policy.
Example:
hostname(config)# class-map ips_class
Step 2
Command: match parameter
Purpose: Specifies the traffic in the class map.
-
Step 5
Command: ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]
Purpose: Specifies that the traffic should be sent to the ASA IPS module. The inline and promiscuous keywords control the operating mode of the ASA IPS module. The fail-close keyword sets the ASA to block all traffic if the ASA IPS module is unavailable.
Example:
hostname(config-pmap-c)# ips promiscuous fail-close
-
Step 7
Command: ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]
Purpose: (Optional) Specifies that the second class of traffic should be sent to the ASA IPS module. Add as many classes as desired by repeating these steps.
-
Chapter 58 Configuring the ASA IPS Module Troubleshooting the ASA IPS module 209.165.202.158/32 209.165.200.
-
Troubleshooting the ASA IPS module
Detailed Steps
Step 1
Command:
For a physical module (for example, the ASA 5585-X):
sw-module module ips recover configure image disk0:file_path
Purpose: Specifies the location of the new image. For a physical module—This command prompts you for the URL for the TFTP server, the management interface IP address and netmask, gateway address, and VLAN ID (ASA 5505 only).
-
Uninstalling a Software Module Image
To uninstall a software module image and associated configuration, perform the following steps.
Detailed Steps
Command: sw-module module ips uninstall
Purpose: Permanently uninstalls the software module image and associated configuration.
Example:
hostname# sw-module module ips uninstall
Module ips will be uninstalled.
-
Reloading or Resetting the Module
To reload or reset the module, enter one of the following commands at the ASA CLI.
Detailed Steps
Command: For a physical module (for example, the ASA 5585-X):
Purpose: Reloads the module software.
-
Configuration Examples for the ASA IPS module
The following example diverts all IP traffic to the ASA IPS module in promiscuous mode, and blocks all IP traffic if the ASA IPS module card fails for any reason:
hostname(config)# access-list IPS permit ip any any
hostname(config)# class-map my-ips-class
hostname(config-cmap)# match access-list IPS
hostname(config-cmap)# policy-map my-ips-policy
hostname(config-pmap)# clas
-
Table 58-2 Feature History for the ASA IPS module (continued)
Feature Name: AIP SSC for the ASA 5505
Platform Releases: 8.2(1)
Feature Information: We introduced support for the AIP SSC for the ASA 5505. The following commands were introduced: allow-ssc-mgmt, hw-module module ip, and hw-module module allow-ip.
Feature Name: Support for the ASA IPS SSP-10, -20, -40, and -60 for the ASA 5585-X
Platform Releases: 8.2(5)/8.
-
CHAPTER 59 Configuring the ASA CX Module
This chapter describes how to configure the ASA CX module that runs on the ASA.
-
Chapter 59 Configuring the ASA CX Module
Information About the ASA CX Module
How the ASA CX Module Works with the ASA
The ASA CX module runs a separate application from the ASA. The ASA CX module includes external management interface(s) so you can connect to the ASA CX module directly. Any data interfaces on the ASA CX module are used for ASA traffic only. Traffic goes through the firewall checks before being forwarded to the ASA CX module.
-
• Policy Configuration and Management, page 59-3
Initial Configuration
For initial configuration, you must use the CLI on the ASA CX module to run the setup command and configure other optional settings. To access the CLI, you can use the following methods:
• ASA CX console port.
• ASA CX Management 1/0 interface using SSH—You can connect to the default IP address (192.168.8.8.
-
Information About VPN and the ASA CX Module
The ASA includes VPN client and user authentication metadata when forwarding traffic to the ASA CX module, which allows the ASA CX module to include this information as part of its policy lookup criteria. The VPN metadata is sent only at VPN tunnel establishment time along with a type-length-value (TLV) containing the session ID.
-
Failover Guidelines
Does not support failover directly; when the ASA fails over, any existing ASA CX flows are transferred to the new ASA, but the traffic is allowed through the ASA without being inspected by the ASA CX.
IPv6 Guidelines
Supports IPv6.
Model Guidelines
Supported only on the ASA 5585-X. See the Cisco ASA Compatibility Matrix for more information: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.
-
Configuring the ASA CX Module
Task Flow for the ASA CX Module
Configuring the ASA CX module is a process that includes configuration of the ASA CX security policy on the ASA CX module and then configuration of the ASA to send traffic to the ASA CX module. To configure the ASA CX module, perform the following steps:
Step 1 Cable the ASA and ASA CX management interfaces and optionally, the console interface.
-
(Figure: ASA 5585-X with an ASA CX SSP; the ASA CX Management 1/0 and ASA CX Console ports on the CX SSP and the ASA Management 0/0 port on the SSP connect through a switch to a PC that takes its IP address from DHCP.)
What to Do Next
-
Detailed Steps
Step 1 Connect to the ASA CX CLI:
• Using SSH to the ASA CX Management 1/0 interface—Log in with the username admin and the password Admin123. You will change the password as part of this procedure.
• Using the ASA CX console port.
Step 2
-
Note: If you change the host name, the prompt does not show the new name until you log out and log back in.
Step 4 If you do not use NTP, configure the time settings. The default time zone is the UTC time zone. Use the show time command to see the current settings.
-
What to Do Next
• (Optional) Configure the authentication proxy port. See the “(Optional) Configuring the Authentication Proxy Port” section on page 59-10.
• Divert traffic to the ASA CX module. See the “Redirecting Traffic to the ASA CX Module” section on page 59-11.
(Optional) Configuring the Authentication Proxy Port
The default authentication port is 885. To change the authentication proxy port, perform the following steps.
-
Redirecting Traffic to the ASA CX Module
This section identifies traffic to redirect from the ASA to the ASA CX module. Configure this policy on the ASA.
Note: When using PRSM in multiple device mode, you can configure the ASA policy for sending traffic to the ASA CX module within PRSM, instead of using ASDM or the ASA CLI.
-
Step 6
Command: class name2
Purpose: (Optional) If you created multiple class maps for ASA CX traffic, you can specify another class for the policy. See the “Feature Matching Within a Service Policy” section on page 32-3 for detailed information about how the order of classes matters within a policy map. Traffic cannot match more than one class map for the same action type.
Example:
hostname(config-pmap)# class cx_class2
Step 7
-
Monitoring the ASA CX Module
Examples
The following is sample output from the show module command for an ASA with an ASA CX SSP installed:
hostname# show module
Mod Card Type
--- --------------------------------------------
  0 ASA 5585-X Security Services Processor-10 wi
  1 ASA 5585-X CX Security Services Processor-10

Mod MAC Address Range
--- ---------------------------------
  0 5475.d05b.1100 to 5475.d05b.110b
  1 5475.d05b.2450 to 5475.d05b.
-
Monitoring Module Connections
To show connections through the ASA CX module, enter one of the following commands:
Command: show asp table classify domain cxsc
Purpose: Shows the NP rules created to send traffic to the ASA CX module.
Command: show asp table classify domain cxsc-auth-proxy
Purpose: Shows the NP rules created for the authentication proxy for the ASA CX module.
Command: show asp drop
Purpose: Shows dropped packets.
-
in  id=0x7ffedb4acf40, priority=50, domain=cxsc, deny=false
        hits=15485658, user_data=0x7ffedb4ac840, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any
in  id=0x7ffedb4ad4a0, priority=50, domain=cxsc, deny=false
        hits=992053, user_data=0x7ffedb4ac840, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.
-
Output Table:
L2 - Output Table:
L2 - Input Table:
Last clearing of hits counters: Never
The following is sample output from the show asp drop command.
-
TCP outside 208.80.152.2:80 inside 192.168.1.20:59928, idle 0:00:10, bytes 79174, flags XUIO
Capturing Module Traffic
To configure and view packet captures for the ASA CX module, enter one of the following commands:
Command: capture name interface asa_dataplane
Purpose: Captures packets between the ASA CX module and the ASA on the backplane.
Command: copy capture
Purpose: Copies the capture file to a server.
-
Troubleshooting the ASA CX Module
To reset the module password to the default of Admin123, perform the following steps.
Detailed Steps
Command: hw-module module 1 password-reset
Purpose: Resets the module password to Admin123 for user admin.
Example:
hostname# hw-module module 1 password-reset
Reloading or Resetting the Module
To reload or reset the module, enter one of the following commands at the ASA CLI.
-
Shutting Down the Module
If you restart the ASA, the module is not automatically restarted. To shut down the module, perform the following steps at the ASA CLI.
Detailed Steps
Command: hw-module module 1 shutdown
Purpose: Shuts down the module.
-
CXSC Event: tunnel->ClientVersion: Cisco AnyConnect VPN Agent for Windows 2.4.
-
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.0.100, mask=255.255.255.255, port=2000, dscp=0x0
input_ifc=inside, output_ifc=identity
3. In the packet captures, the redirect request should be going to destination port 2000.
-
Feature History for the ASA CX Module
Table 59-2 lists each feature change and the platform release in which it was implemented.
Table 59-2 Feature History for the ASA CX Module
Feature Name: ASA 5585-X support for the ASA CX SSP
Platform Releases: 8.4(4.1)
Feature Information: ASA CX module lets you enforce security based on the complete context of a situation.
-
CHAPTER 60 Configuring the ASA CSC Module
This chapter describes how to configure the Content Security and Control (CSC) application that is installed in a CSC SSM in the ASA.
-
Chapter 60 Configuring the ASA CSC Module
Information About the CSC SSM
Figure 60-1 Flow of Scanned Traffic with the CSC SSM (figure: a client request enters the ASA main system on the inside interface, the modular service policy diverts it to the CSC SSM for a content security scan, and the request is then forwarded to the server on the outside interface; the reply is diverted and forwarded back the same way)
You use ASDM for system setup and monitoring of the CSC SSM.
-
Figure 60-2 CSC SSM Deployment with a Management Network (figure labels: ASA main system with inside 192.168.100.1, management port 192.168.50.1, and outside 10.6.13.67; CSC SSM 192.168.50. ; Trend Micro Update Server, ASDM, and Syslog on the management network; Internet on the outside)
-
Based on the configuration shown in Figure 60-3, configure the ASA to divert to the CSC SSM only requests from clients on the inside network for HTTP, FTP, and POP3 connections to the outside network, and incoming SMTP connections from outside hosts to the mail server on the DMZ network. Exclude from scanning HTTP requests from the inside network to the web server on the DMZ network.
-
In the outside-policy, outside-class matches SMTP traffic from any outside source to the DMZ network. This setting protects the SMTP server and inside users who download e-mail from the SMTP server on the DMZ network, without having to scan connections from SMTP clients to the server.
-
– Domain name and hostname for the CSC SSM.
– An e-mail address and an SMTP server IP address and port number for e-mail notifications.
– E-mail address(es) for product license renewal notifications.
– IP addresses of hosts or networks that are allowed to manage the CSC SSM. The IP addresses for the CSC SSM management port and the ASA management interface can be in different subnets.
– Password for the CSC SSM.
-
Configuring the CSC SSM

This section describes how to configure the CSC SSM and includes the following topics:
• Before Configuring the CSC SSM, page 60-7
• Connecting to the CSC SSM, page 60-8
• Diverting Traffic to the CSC SSM, page 60-10

Before Configuring the CSC SSM

Before configuring the ASA and the CSC SSM, perform the following steps:

Step 1 If the CSC SSM did not come preinstalled in a Cisco ASA, install it and connect a net
-
• If you manually control time settings, verify the clock settings, including time zone. Choose Configuration > Properties > Device Administration > Clock.
• If you are using NTP, verify the NTP configuration. Choose Configuration > Properties > Device Administration > NTP.

Step 6 Open ASDM.
Step 7 Connect to and log in to the CSC SSM. For instructions, see the “Connecting to the CSC SSM” section on page 60-8.
-
To connect to the CSC SSM, perform the following steps:

Step 1 In the ASDM main application window, click the Content Security tab.
Step 2 In the Connecting to CSC dialog box, click one of the following radio buttons:
• To connect to the IP address of the management port on the SSM, click Management IP Address. ASDM automatically detects the IP address for the SSM in the ASA.
-
What to Do Next
See the “Diverting Traffic to the CSC SSM” section on page 60-10.

Diverting Traffic to the CSC SSM

You use Modular Policy Framework commands to configure the ASA to divert traffic to the CSC SSM.

Prerequisites
Before configuring the ASA to divert traffic to the CSC SSM, see Chapter 32, “Configuring a Service Policy Using the Modular Policy Framework,” which introduces Modular Policy Framework concepts and common commands.
-
Step 6
Command: set connection per-client-max n
Purpose: Lets you configure limits to thwart DoS attacks. The per-client-max parameter limits the maximum number of connections that individual clients can open. If a client uses more network resources simultaneously than is desired, you can enforce a per-client limit for simultaneous connections that the ASA diverts to the CSC SSM.
-
Step 7
Command: csc {fail-close | fail-open}
Purpose: Enables traffic scanning with the CSC SSM and assigns the traffic identified by the class map as traffic to be sent to the CSC SSM. The keyword selects what the ASA does with matching traffic while the CSC SSM is unavailable (for example, while it is reloading or has failed): fail-close drops the traffic, and fail-open lets it pass without being scanned. Must be part of a service policy, which can be applied globally or to specific interfaces.
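The following is an added, complete worked example of the diversion procedure (Steps 1 through 7) for the scenario described earlier in this chapter; it is not taken from the original guide. The inside network 192.168.10.0/24, the DMZ web server 192.168.20.10 and the DMZ mail server 192.168.20.20 are assumed addresses chosen for illustration. A deny entry in an access list used by a class map excludes that traffic from the class, which is how the HTTP requests to the DMZ web server are kept out of the scan:

```text
! ---- Inside policy: scan HTTP, FTP and POP3 from inside clients ----
! Deny entry first: HTTP from inside to the DMZ web server is NOT diverted.
access-list csc_out extended deny tcp 192.168.10.0 255.255.255.0 host 192.168.20.10 eq 80
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq 80
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq 21
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq 110

class-map csc_outbound_class
 match access-list csc_out

policy-map csc_out_policy
 class csc_outbound_class
  ! Cap what a single client can hold open toward the module (DoS limit)
  set connection per-client-max 50
  ! Drop matching traffic, rather than pass it unscanned, if the module is down
  csc fail-close

service-policy csc_out_policy interface inside

! ---- Outside policy: scan inbound SMTP to the DMZ mail server only ----
access-list csc_in extended permit tcp any host 192.168.20.20 eq 25

class-map csc_inbound_class
 match access-list csc_in

policy-map csc_in_policy
 class csc_inbound_class
  csc fail-close

service-policy csc_in_policy interface outside
```

After applying the policies, show service-policy interface inside (and interface outside) lists the csc action and its packet counters for each class, which confirms that the expected flows, and only those flows, are being diverted. Choose fail-open only where an outage of the module is preferable to an outage of the service; fail-close is the safer default for inbound mail and for clients that cannot be trusted to stay off malicious content.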
-
What to Do Next
See the “Monitoring the CSC SSM” section on page 60-13.

Monitoring the CSC SSM

To check the status of a module, enter one of the following commands:

Command                   Purpose
show module               Displays the status.
show module 1 details     Displays additional status information.
show module 1 recover     Displays the network parameters for transferring an image to the module.
-
Troubleshooting the CSC Module
    Port Mask: 255.255.224.0
    Gateway IP Address: 209.165.200.
-
Detailed Steps

Step 1
Command: hw-module module 1 recover configure
Purpose: Specifies the location of the new image. This command prompts you for the URL for the TFTP server, the management interface IP address and netmask, gateway address, and VLAN ID (ASA 5505 only).
-
Reloading or Resetting the Module

To reload or reset the module, enter one of the following commands at the ASA CLI.

Detailed Steps

Command: hw-module module 1 reload
Purpose: Reloads the module software.
Example:
hostname# hw-module module 1 reload

Command: hw-module module 1 reset
Purpose: Performs a reset, and then reloads the module.
-
Configuration Examples for the CSC SSM

• The second policy, csc_in_policy, is applied to the outside interface and uses the csc_in access list to ensure that requests for SMTP and HTTP originating on the outside interface and destined for the DMZ network are scanned by the CSC SSM. Scanning HTTP requests protects the web server from HTTP file uploads.

hostname(config)# access-list
hostname(config)# access-list 255.255.255.
-
Where to Go Next

For instructions about how to use the CSC SSM GUI, see the Cisco Content Security and Control (CSC) SSM Administrator Guide.

Additional References

For additional information related to implementing the CSC SSM, see the following documents:

Related Topic                                                              Document Title
Assistance with SSM hardware installation and connection to the ASA.       hardware guide
Accessing ASDM for the first time and assistance with the Startup Wizard.
-
PART 15 Configuring High Availability
-
-
CHAPTER 61 Information About High Availability

This chapter provides an overview of the failover features that enable you to achieve high availability on the Cisco 5500 series ASAs. For information about configuring high availability, see Chapter 63, “Configuring Active/Active Failover” or Chapter 62, “Configuring Active/Standby Failover.
-
Note When the security appliance is configured for Active/Active Stateful Failover, you cannot enable IPsec or SSL VPN. Therefore, these features are unavailable. VPN failover is available for Active/Standby failover configurations only.

Failover System Requirements

This section describes the hardware, software, and license requirements for ASAs in a failover configuration.
-
Failover and Stateful Failover Links

This section describes the failover and the Stateful Failover links, which are dedicated connections between the two units in a failover configuration.
-
Although you can configure failover and failover state links on a port channel link, this port channel cannot be shared with other firewall traffic.

Stateful Failover Link

To use Stateful Failover, you must configure a Stateful Failover link to pass all state information. You have three options for configuring a Stateful Failover link:
• You can use a dedicated Ethernet interface for the Stateful Failover link.
-
Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the ASA is used to terminate VPN tunnels, this information includes any usernames, passwords, and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk.
-
Depending upon their network topologies, several primary/secondary failure scenarios exist in ASA failover pairs, as shown in the following scenarios.

Scenario 1—Not Recommended
If a single switch or a set of switches are used to connect both failover and data interfaces between two ASAs, then when a switch or inter-switch-link is down, both ASAs become active.
-
Scenario 3—Recommended
If the ASA data interfaces are connected to more than one set of switches, then a failover interface can be connected to one of the switches, preferably the switch on the secure side of the network, as shown in Figure 61-5.
-
Figure 61-7 Connecting with Inter-switch Links (figure: the primary ASA and the secondary ASA each have an active redundant failover link and a standby redundant failover link; the outside and inside data interfaces and the failover links are spread across Switch 1 through Switch 8, which are joined by inter-switch links (ISLs).)

Active/Active and Active/Standby Failover

Two types of failover configurations
-
Note The ASA 5505 does not support multiple context mode or Active/Active failover. VPN is not supported in multiple context mode or Active/Active failover.

If you are running the ASA in multiple context mode, then you can configure either Active/Active failover or Active/Standby failover.
• To allow both members of the failover pair to share the traffic, use Active/Active failover.
-
Stateful Failover

When Stateful Failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session. In Version 8.
-
Note The following clientless SSL VPN features are not supported with Stateful Failover:
• Smart Tunnels
• Port Forwarding
• Plugins
• Java Applets
• IPv6 clientless or AnyConnect sessions
• Citrix authentication (Citrix users must reauthenticate after failover)

If failover occurs during an active Cisco IP SoftPhone session, the call remains active because the call session state information is replicated to
-
Auto Update Server Support in Failover Configurations

You can use the Auto Update Server to deploy software images and configuration files to ASAs in an Active/Standby failover configuration. To enable Auto Update on an Active/Standby failover configuration, enter the Auto Update Server configuration on the primary unit in the failover pair.
-
f. The update process starts again at Step 1.
5. If the ASA determines that the ASDM file needs to be updated for either the primary or secondary unit, the following occurs:
a. The primary unit retrieves the ASDM image file from the HTTP server using the URL provided by the Auto Update Server.
b. The primary unit copies the ASDM image to the standby unit, if needed.
c.
-
Auto-update client: update img on active unit...
-
Failover Health Monitoring

You can configure the frequency of the hello messages and the hold time before failover occurs. A faster poll time and shorter hold time speed the detection of unit failures and make failover occur more quickly, but it can also cause “false” failures due to network congestion delaying the keepalive packets.

Interface Monitoring

You can monitor up to 250 interfaces divided between all contexts.
-
Failover Times

Table 61-3 shows the minimum, default, and maximum failover times.

Table 61-3 Cisco ASA 5500 Series ASA Failover Times

Failover Condition                                     Minimum            Default       Maximum
Active unit loses power or stops normal operation.     800 milliseconds   15 seconds    45 seconds
Active unit main board interface link down.            500 milliseconds   5 seconds     15 seconds
Active unit 4GE module interface link down.
-
Failover Messages

SNMP
To receive SNMP syslog traps for failover, configure the SNMP agent to send SNMP traps to SNMP management stations, define a syslog host, and compile the Cisco syslog MIB into your SNMP management station. See Chapter 79, “Configuring SNMP” for more information.
-
-
CHAPTER 62 Configuring Active/Standby Failover

This chapter describes how to configure Active/Standby failover and includes the following sections:
• Information About Active/Standby Failover, page 62-1
• Licensing Requirements for Active/Standby Failover, page 62-6
• Prerequisites for Active/Standby Failover, page 62-6
• Guidelines and Limitations, page 62-6
• Configuring Active/Standby Failover, page 62-7
• Controlling Failover, page 62-16
• Monitoring Active/Standby Failover, page 62-
-
Note For multiple context mode, the ASA can fail over the entire unit (including all contexts) but cannot fail over individual contexts separately.

Primary/Secondary Status and Active/Standby Status

The main differences between the two units in a failover pair are related to which unit is active and which unit is standby, namely which IP addresses to use and which unit actively passes traffic.
-
On the standby unit, the configuration exists only in running memory. To save the configuration to flash memory after synchronization, do the following:

Note
• For single context mode, enter the write memory command on the active unit. The command is replicated to the standby unit, which proceeds to write its configuration to flash memory.
-
For multiple context mode, when you enter the write standby command in the system execution space, all contexts are replicated. If you enter the write standby command within a context, the command replicates only the context configuration. Replicated commands are stored in the running configuration.
-
Table 62-2 shows the failover action for each failure event. For each failure event, the table shows the failover policy (failover or no failover), the action taken by the active unit, the action taken by the standby unit, and any special notes about the failover condition and actions.
-
Optional Active/Standby Failover Settings

You can configure the following Active/Standby failover options when you initially configure failover or after failover has been configured:
• HTTP replication with Stateful Failover—Allows HTTP connections to be included in the state information replication.
-
Firewall Mode Guidelines
• Supported in transparent and routed firewall mode.

IPv6 Guidelines
• IPv6 failover is supported.

Model Guidelines
• Stateful failover is not supported on the ASA 5505.

Additional Guidelines and Limitations
Configuring port security on the switch(es) connected to an ASA failover pair can cause communication problems when a failover event occurs.
-
Configuring Active/Standby Failover

Task Flow for Configuring Active/Standby Failover

To configure Active/Standby failover, perform the following steps:

Step 1 Configure the primary unit, as shown in the “Configuring the Primary Unit” section on page 62-8.
Step 2 Configure the secondary unit, as shown in the “Configuring the Secondary Unit” section on page 62-11.
-
Detailed Steps

Step 1
Command: failover lan unit primary
Purpose: Designates the unit as the primary unit.

Step 2
Command: failover lan interface if_name interface_id
Purpose: Specifies the interface to be used as the failover interface. This interface should not be used for any other purpose (except, optionally, the Stateful Failover link).
-
Step 5
Command: failover link if_name interface_id
Purpose: (Optional) Specifies the interface to be used as the Stateful Failover link. This interface should not be used for any other purpose (except, optionally, the failover link).
-
Step 8
Command: failover
Purpose: Enables failover.
Example:
hostname(config)# failover

Step 9
Command: copy running-config startup-config
Purpose: Saves the system configuration to flash memory.
Example:
hostname(config)# copy running-config startup-config

Configuring the Secondary Unit

The only configuration required on the secondary unit is for the failover interface.
-
Step 3
Command:
interface interface_id
no shutdown
Purpose: Enables the interface.
Example:
hostname(config)# interface vlan100
hostname(config-if)# no shutdown

Step 4
Command: failover lan unit secondary
Purpose: (Optional) Designates this unit as the secondary unit. This step is optional because, by default, units are designated as secondary unless previously configured.
Example:
hostname(config)# failover lan unit secondary

Step 5
Command: failover
Purpose: Enables failover.
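The following is an added, complete worked configuration for the primary-unit and secondary-unit procedures above, written for this edit and not taken from the original guide. The interface names, the failover link on GigabitEthernet0/3 (shared with the Stateful Failover link), the addresses (10.0.4.0/24 for the link, 192.168.1.0/24 inside, 209.165.200.224/27 outside) and the key string are all assumed values. The failover key is included deliberately: without it, the state replicated over these links, including VPN credentials on a VPN-terminating ASA, crosses the wire in clear text, as the Caution in Chapter 61 warns.

```text
! ================= Primary unit =================
! Data interfaces carry an active and a standby address; the standby
! address is what the peer uses while it is in the standby state.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.224 standby 209.165.200.226
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown

! Dedicated failover interface: no nameif, no IP here; it gets its
! addresses from the failover interface ip command below.
interface GigabitEthernet0/3
 no shutdown

failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.2
! Stateful Failover link shares the failover interface (not on ASA 5505)
failover link folink
! Assumed placeholder key; must be identical on both units
failover key MyF@il0verK3y-ChangeMe
failover
copy running-config startup-config

! ================= Secondary unit =================
! Only the failover link is configured here; everything else,
! including the data interfaces, is replicated from the primary.
interface GigabitEthernet0/3
 no shutdown
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.2
failover key MyF@il0verK3y-ChangeMe
failover lan unit secondary
failover
```

Once the secondary unit is enabled it negotiates with the primary and pulls the running configuration over the link; show failover on either unit should then report the peer as "Standby Ready" and show the key as enabled. Enter write memory only on the active unit afterwards, so that the replicated configuration is saved to flash on both units.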
-
Enabling HTTP Replication with Stateful Failover

To allow HTTP connections to be included in the state information replication, you need to enable HTTP replication. Because HTTP connections are typically short-lived, and because HTTP clients typically retry failed connection attempts, HTTP connections are not automatically included in the replicated state information.
-
Command: no monitor-interface if_name
Purpose: Disables health monitoring for an interface.
Example:
hostname(config)# no monitor-interface lanlink

Command: monitor-interface if_name
Purpose: Enables health monitoring for an interface.
Example:
hostname(config)# monitor-interface lanlink

Configuring Failover Criteria

You can specify a specific number of interfaces or a percentage of monitored interfaces that must fail before failover occurs.
-
Command: failover polltime interface [msec] time [holdtime time]
Purpose: Changes the interface poll and hold times.
Example:
hostname(config)# failover polltime interface msec 500 holdtime 5

Valid values for poll time are from 1 to 15 seconds or, if the optional msec keyword is used, from 500 to 999 milliseconds.
-
Command: failover mac address phy_if active_mac standby_mac
Purpose: Configures the virtual MAC address for an interface.
Example:
hostname(config)# failover mac address Ethernet0/2 00a0.c969.87c8 00a0.c918.95d8

The phy_if argument is the physical name of the interface, such as Ethernet1. The active_mac and standby_mac arguments are MAC addresses in H.H.H format, where each H is a 16-bit hexadecimal value (four hexadecimal digits).
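The optional settings described in the preceding subsections (HTTP replication, interface monitoring, failover criteria, poll and hold times, and virtual MAC addresses) are shown together below as one added tuning example for an Active/Standby pair. It is not from the original guide; the interface names (mgmt, GigabitEthernet0/0) and the values are assumed, and the unit-level polltime command at the end is included for completeness although this section covers only the interface form.

```text
! Replicate HTTP connections too; costs link bandwidth, but browsers keep
! their sessions across a failover instead of retrying.
failover replication http

! A link to an isolated management switch should not decide failover.
no monitor-interface mgmt

! Fail over only when two monitored interfaces are down (default is 1),
! so a single flapping link does not swing the pair. A percentage form,
! failover interface-policy 50%, is the alternative.
failover interface-policy 2

! Faster interface failure detection: poll every 500 ms, hold 5 s.
! Shorter timers detect failures sooner but are more sensitive to
! congestion-delayed hellos ("false" failures).
failover polltime interface msec 500 holdtime 5

! Unit-level hellos over the failover link: 1 s poll, 3 s hold
! (defaults are 1 s and 15 s; hold must be at least 3x the poll time).
failover polltime unit 1 holdtime 3

! Pin the virtual MACs so that the address the network learned for the
! active outside interface does not change when the peer becomes active.
failover mac address GigabitEthernet0/0 00a0.c969.87c8 00a0.c918.95d8
```

show failover reports the configured timers and, per interface, whether it is monitored, so the effect of each line can be checked before relying on it. Configure the virtual MAC addresses on the primary unit only; they are replicated to the secondary and, because both units then agree on them, a failover does not force an ARP relearn at the upstream switch.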
-
Disabling Failover

To disable failover, enter the following command:

Command: no failover
Purpose: Disables failover. Disabling failover on an Active/Standby pair causes the active and standby state of each unit to be maintained until you restart. For example, the standby unit remains in standby mode so that both units do not start passing traffic.
-
Monitoring Active/Standby Failover

Note After a failover event you should either re-launch ASDM or switch to another device in the Devices pane and then come back to the original ASA to continue monitoring the device. This action is necessary because the monitoring connection does not become re-established when ASDM is disconnected from and then reconnected to the device.
-
CHAPTER 63 Configuring Active/Active Failover

This chapter describes how to configure Active/Active failover and includes the following sections:
• Information About Active/Active Failover, page 63-1
• Licensing Requirements for Active/Active Failover, page 63-6
• Prerequisites for Active/Active Failover, page 63-7
• Guidelines and Limitations, page 63-7
• Configuring Active/Active Failover, page 63-8
• Remote Command Execution, page 63-21
• Monitoring Active/Active Failover, page 63-25
-
The failover group forms the base unit for failover in Active/Active failover. Interface failure monitoring, failover, and active/standby status are all attributes of a failover group rather than the unit. When an active failover group fails, it changes to the standby state while the standby failover group becomes active.
-
– You manually force a failover.
– You configured preemption for the failover group, which causes the failover group to automatically become active on the preferred unit when the unit becomes available.
• When both units boot at the same time, each failover group becomes active on its preferred unit after the configurations have been synchronized.
-
• Commands entered in the admin context are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.

Failure to enter the commands on the appropriate unit for command replication to occur causes the configurations to be out of synchronization. Those changes may be lost the next time the initial configuration synchronization occurs.
-
• The unit has a power failure.
• The unit has a software failure.
• You force a failover. (See Forcing Failover, page 63-23.)

Failover is triggered at the failover group level when one of the following events occurs:
• Too many monitored interfaces in the group fail.
• You force a failover. (See Forcing Failover, page 63-23.
-
Table 63-2 Failover Behavior for Active/Active Failover (continued)

Failure Event                      Policy        Active Group Action   Standby Group Action   Notes
Failover link failed at startup    No failover   Become active         Become active          If the failover link is down at startup, both failover groups on both units become active.
-
Prerequisites for Active/Active Failover

In Active/Active failover, both units must have the following:
• The same hardware model.
• The same number of interfaces.
• The same types of interfaces.
• The same software version, with the same major (first number) and minor (second number) version numbers.
-
• Entering the failover group command puts you in the failover group command mode. The primary, secondary, preempt, replication http, interface-policy, mac address, and polltime interface commands are available in the failover group configuration mode. Use the exit command to return to global configuration mode.
-
Restrictions
Do not configure an IP address for the Stateful Failover link if you are going to use a dedicated Stateful Failover interface. You use the failover interface ip command to configure a dedicated Stateful Failover interface in a later step.
-
Step 5
Command: failover interface ip if_name [ip_address mask standby ip_address | ipv6_address/prefix standby ipv6_address]
Purpose: (Optional) Assigns an active and standby IP address to the Stateful Failover link. You can assign either an IPv4 or an IPv6 address to the interface. You cannot assign both types of addresses to the Stateful Failover link.
Example:
hostname(config)# failover interface ip folink 172.27.48.
-
Step 9
Command: failover
Purpose: Enables failover.
Example:
hostname(config)# failover

Step 10
Command: copy running-config startup-config
Purpose: Saves the system configuration to flash memory.
Example:
hostname(config)# copy running-config startup-config

Configuring the Secondary Failover Unit

Follow the steps in this section to configure the secondary unit in an Active/Active failover configuration.
-
Step 4
Command: failover lan unit secondary
Purpose: (Optional) Designates this unit as the secondary unit. This step is optional because, by default, units are designated as secondary unless previously configured.
Example:
hostname(config)# failover lan unit secondary

Step 5
Command: failover
Purpose: Enables failover.
-
failover occurs, or unless the failover group is configured with the preempt command. The preempt command causes a failover group to become active on the designated unit automatically when that unit becomes available.

To configure preemption for the specified failover group, enter the following commands:

Step 1
Command: failover group {1 | 2}
Purpose: Specifies the failover group.
-
Enabling HTTP Replication with Stateful Failover

To allow HTTP connections to be included in the state information, you need to enable HTTP replication. Because HTTP connections are typically short-lived, and because HTTP clients typically retry failed connection attempts, HTTP connections are not automatically included in the replicated state information.
-
• Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

In Active/Active failover, this command is only valid within a context.

To enable or disable interface monitoring for specific interfaces, enter one of the following commands:

Do one of the following:

Command: no monitor-interface if_name
Purpose: Disables health monitoring for an interface.
-
Example

The following partial example shows a possible configuration for a failover group. The interface poll time is set to 500 milliseconds and the hold time to 5 seconds for data interfaces in failover group 1.
-
Note If you have more than one Active/Active failover pair on the same network, it is possible to have the same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of the other pairs because of the way the default virtual MAC addresses are determined.
-
Configuring Support for Asymmetrically Routed Packets

When running in Active/Active failover, a unit may receive a return packet for a connection that originated through its peer unit. Because the ASA that receives the packet does not have any connection information for the packet, the packet is dropped.
-
hostname/ctx(config)# interface phy_if
hostname/ctx(config-if)# asr-group num

Valid values for num range from 1 to 32. You need to enter the command for each interface that participates in the asymmetric routing group. You can view the number of ASR packets transmitted, received, or dropped by an interface using the show interface detail command.
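As an added example, not from the original guide, the following shows the two pieces of Active/Active configuration that this chapter describes but does not show end to end: preemption for each failover group in the system execution space, and the asr-group command applied in each context so that return traffic arriving on the "wrong" ISP interface is matched against the peer's connection. The context names (ctxA, ctxB), interface names and addresses are assumed; the ISP-A/ISP-B naming follows the asymmetric routing walkthrough later in this chapter.

```text
! ================= System execution space =================
! Group 1 prefers the primary unit, group 2 the secondary, so each unit
! carries traffic. preempt 60 returns a group to its preferred unit 60 s
! after that unit comes back, instead of leaving it where it failed to.
failover group 1
 primary
 preempt 60
failover group 2
 secondary
 preempt 60

context ctxA
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/3
 config-url flash:/ctxA.cfg
 join-failover-group 1
context ctxB
 allocate-interface GigabitEthernet0/4
 allocate-interface GigabitEthernet0/5
 config-url flash:/ctxB.cfg
 join-failover-group 2

! ================= Context ctxA (active on the primary) =================
changeto context ctxA
interface GigabitEthernet0/2
 nameif outsideISP-A
 security-level 0
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 ! Same ASR group ID as ctxB's outside interface
 asr-group 1

! ================= Context ctxB (active on the secondary) =================
changeto context ctxB
interface GigabitEthernet0/4
 nameif outsideISP-B
 security-level 0
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
 asr-group 1
```

Because the asr-group ID is an interface attribute inside a context, it is entered once per participating interface in each context and replicated to the peer with the rest of the context configuration. After traffic has flowed, show interface detail in each context shows the ASR packet counters; a non-zero "dropped" count with zero "received" usually means the two interfaces were not given the same group number.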
-
interface GigabitEthernet0/5
 no shutdown
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/1
failover link folink
failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11
failover group 1
 primary
failover group 2
 secondary
admin-context admin
context admin
 description admin
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/3
 config-url flash:/admin.
-
3. Normally the return traffic would be dropped because there is no session information for the traffic on interface 192.168.2.2. However, the interface is configured with the command asr-group 1. The unit looks for the session on any other interface configured with the same ASR group ID.
4. The session information is found on interface outsideISP-A (192.168.1.2), which is in the standby state on the unit SecAppB.
-
Changing Command Modes

The failover exec command maintains a command mode state that is separate from the command mode of your terminal session. By default, the failover exec command mode starts in global configuration mode for the specified device. You can change that command mode by sending the appropriate command (such as the interface command) using the failover exec command.
-
Security Considerations

The failover exec command uses the failover link to send commands to and receive the output of the command execution from the peer unit. You should use the failover key command to encrypt the failover link to prevent eavesdropping or man-in-the-middle attacks.
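The following added session, not from the original guide, walks through the remote command mode behaviour described above: the remote mode persists between failover exec invocations, so a mode-changing command sent once affects the commands sent after it. The interface and description text are assumed.

```text
! Run a show command on the peer from this unit's system execution space.
! The remote session starts in global configuration mode.
hostname# failover exec mate show failover

! Sending "interface ..." moves the REMOTE session into interface
! configuration mode; it does not change the mode of this terminal.
hostname# failover exec mate interface GigabitEthernet0/2

! This next command is therefore applied inside that interface on the peer.
hostname# failover exec mate description outside uplink, set via failover exec

! Display the current command mode of the remote session.
hostname# show failover exec mate

! Back the remote session out to global configuration mode when finished.
hostname# failover exec mate exit
```

Because every command and its output travel over the failover link, run this only on a pair whose link is protected with failover key; otherwise an attacker who can see that link sees the configuration commands and the output of show commands, and could inject commands of their own.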
-
hostname# failover active group group_id

Or, enter the following command in the system execution space of the unit where the failover group is in the active state:

hostname# no failover active group group_id

Entering the following command in the system execution space causes all failover groups to become active:

hostname# failover active

Disabling Failover

Disabling failover on an Active/Active failover pair causes the failover groups
-
Step 5 When you are finished, you can restore the unit or failover group to active status by entering the following command on the unit where the failover group containing the interface connecting your hosts is active:

hostname(config)# failover active group group_id

Monitoring Active/Active Failover

To monitor Active/Active Failover, perform one of the following tasks.
-
-
PART 16 Configuring VPN
-
-
CHAPTER 64 Configuring IPsec and ISAKMP

This chapter describes how to configure Internet Protocol Security (IPsec) and the Internet Security Association and Key Management Protocol (ISAKMP) standards to build Virtual Private Networks (VPNs).
-
Information About Tunneling, IPsec, and ISAKMP

The ASA functions as a bidirectional tunnel endpoint. It can receive plain packets from the private network, encapsulate them, create a tunnel, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets from the public network, unencapsulate them, and send them to their final destination on the private network.
-
With IKEv1 policies, you set one value for each parameter. For IKEv2, you can configure multiple encryption and authentication types, and multiple integrity algorithms for a single policy. The ASA orders the settings from the most secure to the least secure and negotiates with the peer using that order.
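The difference described above is shown in the following added example, which is not part of the original guide: an IKEv1 policy carries exactly one value per parameter, while the equivalent IKEv2 policy lists several values per parameter and the ASA proposes them in order from strongest to weakest. The policy numbers and the outside interface name are assumed. Which algorithms and Diffie-Hellman groups are accepted depends on the 8.4 maintenance release installed (SHA-2 integrity and PRF, and DH group 14, are not in every 8.4 release); if a keyword is rejected, the ? help at that prompt lists what the image supports.

```text
! ---- IKEv1: one value per parameter ----
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! ---- IKEv2: several values per parameter, strongest first ----
! The ASA offers aes-256 before aes-192 before aes, sha256 before sha,
! group 14 before group 5; the peer picks the first it also supports.
crypto ikev2 policy 10
 encryption aes-256 aes-192 aes
 integrity sha256 sha
 group 14 5
 prf sha256 sha
 lifetime seconds 86400
crypto ikev2 enable outside
```

Listing a weak algorithm at the end of an IKEv2 policy means any peer that prefers it can still negotiate it; leave out of the list anything you would not accept from an untrusted peer rather than relying on the ordering alone. show crypto ikev2 sa and show crypto ikev1 sa show which proposal each established SA actually negotiated.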
-
Chapter 64 Configuring IPsec and ISAKMP Licensing Requirements for Remote Access IPsec VPNs Model: ASA 5520. License requirement [1]: IPsec remote access VPN using IKEv2 (use one of the following): AnyConnect Premium license: Base license, 2 sessions; optional permanent or time-based licenses of 10, 25, 50, 100, 250, 500, or 750 sessions; optional Shared licenses [2], Participant or Server (for the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000).
-
Chapter 64 Configuring IPsec and ISAKMP Licensing Requirements for Remote Access IPsec VPNs Model: ASA 5580. License requirement [1]: IPsec remote access VPN using IKEv2 (use one of the following): AnyConnect Premium license: Base license, 2 sessions; optional permanent or time-based licenses of 10, 25, 50, 100, 250, 500, 750, 1000, 2500, 5000, or 10000 sessions; optional Shared licenses [2], Participant or Server.
-
Chapter 64 Configuring IPsec and ISAKMP Licensing Requirements for Remote Access IPsec VPNs Model: ASA 5545-X. License requirement [1]: IPsec remote access VPN using IKEv2 (use one of the following): AnyConnect Premium license: Base license, 2 sessions; optional permanent or time-based licenses of 10, 25, 50, 100, 250, 500, 750, 1000, or 2500 sessions; optional Shared licenses [2], Participant or Server (for the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000).
-
Chapter 64 Configuring IPsec and ISAKMP Licensing Requirements for Remote Access IPsec VPNs Model: ASA 5585-X with SSP-10. License requirement [1]: IPsec remote access VPN using IKEv2 (use one of the following): AnyConnect Premium license: Base license, 2 sessions; optional permanent or time-based licenses of 10, 25, 50, 100, 250, 500, 750, 1000, 2500, or 5000 sessions; optional Shared licenses [2], Participant or Server.
-
Chapter 64 Configuring IPsec and ISAKMP Guidelines and Limitations Guidelines and Limitations This section includes the guidelines and limitations for this feature. Context Mode Guidelines Supported in single context mode only. Does not support multiple context mode. Firewall Mode Guidelines Supported in routed firewall mode only. Does not support transparent firewall mode. Failover Guidelines IPsec VPN sessions are replicated in Active/Standby failover configurations only.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring ISAKMP Configuring IKEv1 and IKEv2 Policies To create an IKE policy, enter the crypto ikev1 | ikev2 policy command from global configuration mode. The prompt displays IKE policy configuration mode. For example: hostname(config)# crypto ikev1 policy 1 hostname(config-ikev1-policy)# After creating the policy, you can specify the settings for the policy.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring ISAKMP Table 64-1 IKEv1 Policy Keywords for CLI Commands (continued): group keyword. Values: 1 = Group 1 (768-bit); 2 (default) = Group 2 (1024-bit); 5 = Group 5 (1536-bit). Specifies the Diffie-Hellman group identifier, which the two IPsec peers use to derive a shared secret without transmitting it to each other. The lower the Diffie-Hellman group number, the less CPU time it requires to execute, and the smaller the modulus from which the shared secret is derived.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring ISAKMP Table 64-2 IKEv2 Policy Keywords for CLI Commands (continued): prf keyword. Values: sha (default) = SHA-1 (HMAC variant); md5 = MD5 (HMAC variant). Specifies the pseudo-random function (PRF), the algorithm used to generate keying material. The default is SHA-1. MD5 has a smaller digest and is considered to be slightly faster than SHA-1.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring ISAKMP There is an implicit trade-off between security and performance when you choose a specific value for each parameter. The level of security the default values provide is adequate for the security requirements of most organizations. If you are interoperating with a peer that supports only one of the values for a parameter, your choice is limited to that value. Note New ASA configurations do not have a default IKEv1 or IKEv2 policy.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring ISAKMP For example: hostname(config-ikev1-policy)# lifetime 14400 Enabling IKE on the Outside Interface You must enable IKE on the interface that terminates the VPN tunnel. Typically this is the outside, or public interface.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring ISAKMP The ISAKMP identity keywords are: Address: uses the IP addresses of the hosts exchanging ISAKMP identity information. Automatic: determines the ISAKMP identity by connection type (IP address for preshared key; certificate Distinguished Name for certificate authentication). Hostname: uses the fully qualified domain name of the hosts exchanging ISAKMP identity information (default); this name comprises the hostname and the domain name.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring ISAKMP When you enable NAT-T, the ASA automatically opens port 4500 on all IPsec-enabled interfaces. The ASA supports multiple IPsec peers behind a single NAT/PAT device operating in one of the following networks, but not both: • LAN-to-LAN • Remote access In a mixed environment, the remote access tunnels fail the negotiation because all peers appear to be coming from the same public IP address, the address of the NAT device.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring ISAKMP The VPN 3002 hardware client, which supports one tunnel at a time, can connect using standard IPsec, IPsec over TCP, NAT-Traversal, or IPsec over UDP. You enable IPsec over TCP on both the ASA and the client to which it connects. You can enable IPsec over TCP for up to 10 ports that you specify.
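The ISAKMP procedure described on the preceding pages (one IKEv1 policy, one IKEv2 policy, the IKE identity, NAT-T, IPsec over TCP, and enabling IKE on the terminating interface), pulled together as an added configuration example. It is not from the guide. The policy numbers, the interface name outside, and TCP port 10000 are assumptions chosen for illustration; the IKEv2 policy lists two values for encryption and group to show the most-secure-first negotiation order described earlier.

```cisco
! Added example (not from the guide). Assumed: interface "outside", policy number 10.
! New ASA configurations ship with no IKE policy, so one is needed per IKE version.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! An IKEv2 policy accepts several values per parameter; the ASA offers them
! most-secure-first and the peer takes the first one it supports.
crypto ikev2 policy 10
 encryption aes-256 aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
!
! Identity sent in phase 1: "auto" sends the IP address for preshared keys
! and the certificate Distinguished Name for certificate authentication.
crypto isakmp identity auto
!
! NAT-T opens UDP/4500 on every IPsec-enabled interface; the argument is the
! NAT keepalive interval in seconds (10-3600, default 20).
crypto isakmp nat-traversal 20
!
! IPsec over TCP for clients behind devices that block ESP and UDP/4500.
! Up to 10 ports may be listed; 10000 is an assumed value.
crypto ikev1 ipsec-over-tcp port 10000
!
! IKE must be enabled on the interface that terminates the tunnel.
crypto ikev1 enable outside
crypto ikev2 enable outside
```

Check the result with show running-config crypto ikev1 and show running-config crypto ikev2; once a peer connects, show crypto ikev1 sa (or show crypto ikev2 sa) shows which of the offered values was actually negotiated. Remember the NAT-T restriction above: LAN-to-LAN and remote-access peers behind the same NAT device cannot be mixed.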
-
Chapter 64 Configuring IPsec and ISAKMP Configuring Certificate Group Matching for IKEv1 For example: hostname(config)# crypto isakmp disconnect-notify Configuring Certificate Group Matching for IKEv1 Tunnel groups define user connection terms and permissions. Certificate group matching lets you match a user to a tunnel group using either the Subject DN or Issuer DN of the user certificate. Note Certificate group matching applies to IKEv1 and IKEv2 LAN-to-LAN connections only.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring Certificate Group Matching for IKEv1 policy Specifies the policy for deriving the tunnel group name from the certificate. Policy can be one of the following: ike-id—Indicates that if a tunnel group is not determined based on a rule lookup or taken from the OU, then the certificate-based ISAKMP sessions are mapped to a tunnel group based on the content of the phase1 ISAKMP ID.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring IPsec Using the Tunnel-group-map default-group Command This command specifies a default tunnel group to use when the configuration does not specify a tunnel group. The syntax is tunnel-group-map [rule-index] default-group tunnel-group-name, where rule-index is the priority for the rule, and tunnel-group-name must name a tunnel group that already exists.
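Certificate group matching as described in the preceding section, as an added configuration example that is not from the guide. The tunnel-group names, certificate map names, DN attribute values, and rule indices are assumptions; the command forms are the 8.4 syntax as I recall it from the command reference.

```cisco
! Added example (not from the guide). Names, DN values and rule indices are assumptions.
!
! 1. Tunnel groups that certificate rules will map peers to.
tunnel-group branch-l2l type ipsec-l2l
tunnel-group partner-l2l type ipsec-l2l
!
! 2. Certificate maps: each rule tests fields of the presented certificate.
!    "eq" is an exact match, "co" a contains match (also "ne" and "nc").
crypto ca certificate map branch-map 10
 subject-name attr ou eq Branch
 issuer-name attr cn eq Example-Root-CA
crypto ca certificate map partner-map 10
 subject-name attr o co Partner
!
! 3. Use rule-based matching and bind each map to its tunnel group.
!    Rules are tried in ascending index order; the first match wins.
tunnel-group-map enable rules
tunnel-group-map branch-map 10 branch-l2l
tunnel-group-map partner-map 10 partner-l2l
!
! 4. Fallback when no rule matches (index 20 is an assumed value).
tunnel-group-map 20 default-group DefaultL2LGroup
```

Pin the rules to the issuer as well as the subject, as the branch-map rule does: matching only on a subject attribute lets any certificate from any trusted CA that carries that OU select the tunnel group. After a peer connects, show vpn-sessiondb l2l lists the tunnel group it landed in.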
-
Chapter 64 Configuring IPsec and ISAKMP Configuring IPsec With IKEv1 transform sets, you set one value for each parameter. For IKEv2 proposals, you can configure multiple encryption and authentication types and multiple integrity algorithms for a single proposal. The ASA orders the settings from the most secure to the least secure and negotiates with the peer using that order.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring IPsec The crypto map that matches the packet determines the security settings used in the SA negotiations. If the local ASA initiates the negotiation, it uses the policy specified in the static crypto map to create the offer to send to the specified peer.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring IPsec ACEs containing deny statements filter out outbound traffic that does not require IPsec protection (for example, routing protocol traffic). Therefore, insert initial deny statements to filter outbound traffic that should not be evaluated against permit statements in a crypto access list. For an inbound, encrypted packet, the security appliance uses the source address and ESP SPI to determine the decryption parameters.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring IPsec Crypto Map Seq_No_1: deny packets from A.3 to B; deny packets from A.3 to C; permit packets from A to B; permit packets from A to C. Crypto Map Seq_No_2: permit packets from A.3 to B; permit packets from A.3 to C. After creating the ACLs, you assign a transform set to each crypto map to apply the required IPsec to each matching packet.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring IPsec Figure 64-2 Cascading ACLs in a Crypto Map Set shows the evaluation order: Crypto Map 1 holds deny A.3 B, deny A.3 C, permit A B, permit A C and applies the IPsec assigned to Crypto Map 1; Crypto Map 2 holds permit A.3 B, permit A.3 C and applies the IPsec assigned to Crypto Map 2; a packet matching neither is routed as clear text. Security Appliance A evaluates a packet originating from Host A.3 until it matches a permit ACE and attempts to assign the IPsec security associated with the crypto map.
-
Configuring IPsec and ISAKMP Configuring IPsec To complete the security appliance configuration in the example network, we assign mirror crypto maps to Security Appliances B and C. However, because security appliances ignore deny ACEs when evaluating inbound, encrypted traffic, we can omit the mirror equivalents of the deny A.3 B and deny A.3 C ACEs, and therefore omit the mirror equivalents of Crypto Map 2. So the configuration of cascading ACLs in Security Appliances B and C is unnecessary.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring IPsec The tables that follow combine the IP addresses shown in Figure 64-3 with the concepts shown in Table 64-4. The real ACEs shown in these tables ensure that all IPsec packets under evaluation within this network receive the proper IPsec settings. Table 64-5 Example Permit and Deny Statements for Security Appliance A: Security Appliance A, Crypto Map Sequence No. 1, ACE Pattern deny A.3 B, Real ACE deny 192.168.3.3 255.255.255.192 192.168.12.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring IPsec The crypto map access list bound to the outgoing interface either permits or denies IPsec packets through the VPN tunnel. IPsec authenticates and deciphers packets that arrive from an IPsec tunnel, and subjects them to evaluation against the ACL associated with the tunnel. Access lists define which IP traffic to protect. For example, you can create access lists to protect all IP traffic between two subnets or two hosts.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring IPsec Figure 64-4 How Crypto Access Lists Apply to IPsec shows two IPsec peers, Security Appliance Firewall A (in front of Host 10.0.0.1) and Security Appliance Firewall B (in front of Host 10.2.2.2), connected across the Internet through their outside interfaces. The IPsec access list at the outside interface is: access-list 101 permit ip host 10.0.0.1 host 10.2.2.2. Traffic exchanged between hosts 10.0.0.1 and 10.2.2.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring IPsec • Requires protection for all inbound traffic. In this scenario, the ASA silently drops all inbound packets that lack IPsec protection. Be sure that you define which packets to protect. If you use the any keyword in a permit statement, preface it with a series of deny statements to filter out traffic that would otherwise fall within that permit statement that you do not want to protect.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring IPsec access-list access-list-name {deny | permit} ip source source-netmask destination destination-netmask For example: hostname(config)# access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0 In this example, the permit keyword causes all traffic that matches the specified conditions to be protected by crypto.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring IPsec crypto map map-name seq-num set ikev1 transform-set transform-set-name1 [transform-set-name2, …transform-set-name11] crypto map map-name seq-num set ikev2 ipsec-proposal proposal-name1 [proposal-name2, … proposal-name11] For example (for IKEv1): crypto map mymap 10 set ikev1 transform-set myset1 myset2 In this example, when traffic matches access list 101, the SA can use either myset1 (first priority) or myset2 (second priority) depending on whic
-
Chapter 64 Configuring IPsec and ISAKMP Configuring IPsec • Peers with dynamically assigned private IP addresses. Peers requesting remote access tunnels typically have private IP addresses assigned by the headend. Generally, LAN-to-LAN tunnels have a predetermined set of private networks that are used to configure static maps and therefore used to establish IPsec SAs.
-
Chapter 64 Configuring IPsec and ISAKMP Configuring IPsec crypto dynamic-map dynamic-map-name dynamic-seq-num match address access-list-name This determines which traffic should be protected and not protected. For example: crypto dynamic-map dyn1 10 match address 101 In this example, access list 101 is assigned to dynamic crypto map dyn1. The map sequence number is 10. Step 2 Specify which IKEv1 transform sets or IKEv2 proposals are allowed for this dynamic crypto map.
-
Chapter 64 Configuring IPsec and ISAKMP Clearing Security Associations Providing Site-to-Site Redundancy You can define multiple IKEv1 peers in a crypto map entry to provide redundancy. This configuration is useful for site-to-site VPNs. This feature is not supported with IKEv2. If one peer fails, the ASA establishes a tunnel to the next peer associated with the crypto map. It sends data to the peer with which it has successfully negotiated, and that peer becomes the active peer.
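The static crypto map with cascading ACLs described in the preceding pages, together with the dynamic crypto map and the multiple-peer redundancy entry described just above, as one added configuration example that is not from the guide. Addresses follow the chapter's figure where the page gives them (network A 192.168.3.0/26, host A.3 192.168.3.3, network B 192.168.12.x); B's mask, the omitted network C, the peer addresses, names, keys, and the NAT exemption at the end are assumptions, and A.3 is treated as a single host.

```cisco
! Added example (not from the guide). Peers, names, keys and B's mask are assumptions.
!
! Crypto ACL for sequence 10. The deny ACEs come first so that A.3's traffic
! is NOT protected by this entry and falls through to sequence 20; the rest of
! A -> B is protected here.
access-list cmap10 extended deny ip host 192.168.3.3 192.168.12.0 255.255.255.0
access-list cmap10 extended permit ip 192.168.3.0 255.255.255.192 192.168.12.0 255.255.255.0
! Crypto ACL for sequence 20: only host A.3, which gets stronger settings.
access-list cmap20 extended permit ip host 192.168.3.3 192.168.12.0 255.255.255.0
!
! IKEv1 transform sets and an IKEv2 proposal.
crypto ipsec ikev1 transform-set TS-AES128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal PROP-AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
! Static entries, evaluated in sequence-number order. Entry 20 lists two
! peers (IKEv1 only, up to 10): the second is tried if the first fails.
crypto map outside_map 10 match address cmap10
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set TS-AES128-SHA TS-AES256-SHA
crypto map outside_map 10 set ikev2 ipsec-proposal PROP-AES256-SHA
crypto map outside_map 20 match address cmap20
crypto map outside_map 20 set peer 203.0.113.10 203.0.113.11
crypto map outside_map 20 set ikev1 transform-set TS-AES256-SHA
crypto map outside_map 20 set pfs group5
!
! Dynamic entry for peers whose address is unknown in advance (remote access).
! No "match address": the peer proposes the protected networks. The ASA only
! responds on a dynamic entry, never initiates, so give it the highest
! sequence number so every static entry is tried first.
crypto dynamic-map dyn1 10 set ikev1 transform-set TS-AES256-SHA
crypto dynamic-map dyn1 10 set ikev2 ipsec-proposal PROP-AES256-SHA
crypto dynamic-map dyn1 10 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic dyn1
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev2 enable outside
!
! Every candidate LAN-to-LAN peer needs its own tunnel group and key.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key ChangeMe-Primary
 ikev2 remote-authentication pre-shared-key ChangeMe-Primary
 ikev2 local-authentication pre-shared-key ChangeMe-Primary
tunnel-group 203.0.113.11 type ipsec-l2l
tunnel-group 203.0.113.11 ipsec-attributes
 ikev1 pre-shared-key ChangeMe-Backup
!
! NAT exemption (8.4 twice-NAT form). Without it the ASA would translate A's
! addresses before the crypto ACL is evaluated and nothing would match.
object network NET-A
 subnet 192.168.3.0 255.255.255.192
object network NET-B
 subnet 192.168.12.0 255.255.255.0
nat (inside,outside) source static NET-A NET-A destination static NET-B NET-B no-proxy-arp route-lookup
```

To confirm which entry a flow selects, run packet-tracer input inside tcp 192.168.3.3 1025 192.168.12.10 80 and look at the VPN encrypt phase; show crypto ipsec sa peer 203.0.113.10 then shows the transform set that was actually negotiated for each entry. As the chapter notes, the mirror configuration on the B side does not need the deny ACEs, because deny ACEs are ignored for inbound encrypted traffic.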
-
Chapter 64 Configuring IPsec and ISAKMP Clearing Crypto Map Configurations Table 64-7 Commands to Clear and Reinitialize IPsec SAs (continued): clear configure crypto map: removes all crypto maps; includes keywords that let you remove specific crypto maps. clear configure crypto isakmp: removes the entire ISAKMP configuration. clear configure crypto isakmp policy: removes all ISAKMP policies or a specific policy. clear crypto isakmp sa: removes the entire ISAKMP SA database.
-
Chapter 64 Configuring IPsec and ISAKMP Supporting the Nokia VPN Client Figure 64-5 Nokia 92xx Communicator Service Requirement shows telecommuters' Nokia clients (Windows clients, mobile devices, and laptops) reaching the corporate network from the operator mobile network across the Internet through a DMZ firewall/VPN gateway; the DMZ hosts the Nokia SSM enrollment gateway, SSM Web server, SSM server and database, and SSM management station, and the corporate side holds the RADIUS or LDAP server, SAP database, corporate e-mail, and corporate Web services. To support the Nokia VPN client, perform
-
Chapter 64 Configuring IPsec and ISAKMP Supporting the Nokia VPN Client To learn more about the Nokia services required to support the CRACK protocol on Nokia clients, and to ensure they are installed and configured properly, contact your local Nokia representative.
-
-
CHAPTER 65 Configuring L2TP over IPsec This chapter describes how to configure L2TP over IPsec/IKEv1 on the ASA.
-
Chapter 65 Configuring L2TP over IPsec Information About L2TP over IPsec/IKEv1 The minimum IPsec security association lifetime supported by the Windows client is 300 seconds. If the lifetime on the ASA is set to less than 300 seconds, the Windows client ignores it and replaces it with a 300 second lifetime. IPsec Transport and Tunnel Modes By default, the ASA uses IPsec tunnel mode—the entire original IP datagram is encrypted, and it becomes the payload in a new IP packet.
-
Chapter 65 Configuring L2TP over IPsec Licensing Requirements for L2TP over IPsec The following table shows the licensing requirements for this feature. Note: This feature is not available on No Payload Encryption models. Model: ASA 5505. License requirement [1]: IPsec remote access VPN using IKEv2 (use one of the following): AnyConnect Premium license: Base license and Security Plus license, 2 sessions.
-
Chapter 65 Configuring L2TP over IPsec Licensing Requirements for L2TP over IPsec Model: ASA 5540. License requirement [1]: IPsec remote access VPN using IKEv2 (use one of the following): AnyConnect Premium license: Base license, 2 sessions; optional permanent or time-based licenses of 10, 25, 50, 100, 250, 500, 750, 1000, or 2500 sessions; optional Shared licenses [2], Participant or Server (for the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000).
-
Chapter 65 Configuring L2TP over IPsec Licensing Requirements for L2TP over IPsec Model: ASA 5512-X. License requirement [1]: IPsec remote access VPN using IKEv2 (use one of the following): AnyConnect Premium license: Base license, 2 sessions; optional permanent or time-based licenses of 10, 25, 50, 100, or 250 sessions; optional Shared licenses [2], Participant or Server (for the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000).
-
Chapter 65 Configuring L2TP over IPsec Licensing Requirements for L2TP over IPsec Model: ASA 5555-X. License requirement [1]: IPsec remote access VPN using IKEv2 (use one of the following): AnyConnect Premium license: Base license, 2 sessions; optional permanent or time-based licenses of 10, 25, 50, 100, 250, 500, 750, 1000, 2500, or 5000 sessions; optional Shared licenses [2], Participant or Server (for the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000).
-
Chapter 65 Configuring L2TP over IPsec Prerequisites for Configuring L2TP over IPsec 3. The AnyConnect Essentials license enables AnyConnect VPN client access to the ASA. This license does not support browser-based SSL VPN access or Cisco Secure Desktop. For these features, activate an AnyConnect Premium license instead of the AnyConnect Essentials license. Note: With the AnyConnect Essentials license, VPN users can use a Web browser to log in, and download and start (WebLaunch) the AnyConnect client.
-
Chapter 65 Configuring L2TP over IPsec Configuring L2TP over IPsec IPv6 Guidelines There is no native IPv6 tunnel setup support for L2TP over IPsec. Authentication Guidelines The ASA only supports the PPP authentications PAP and Microsoft CHAP, Versions 1 and 2, on the local database. EAP and CHAP are performed by proxy authentication servers.
-
Chapter 65 Configuring L2TP over IPsec Configuring L2TP over IPsec • IKEv1 phase 1: 3DES encryption with SHA-1 hash method. • IPsec phase 2: 3DES or AES encryption with MD5 or SHA hash method. • PPP authentication: PAP, MS-CHAPv1, or MS-CHAPv2 (preferred). • Pre-shared key (only for iPhone).
-
Chapter 65 Configuring L2TP over IPsec Configuring L2TP over IPsec Step 7 Command: default-group-policy name. Purpose: links the name of a group policy to the connection profile (tunnel group). Example:
hostname(config)# tunnel-group DefaultRAGroup general-attributes
hostname(config-tunnel-general)# default-group-policy DfltGrpPolicy
Step 8 Command: ip local pool pool_name starting_address-ending_address mask subnet_mask. Purpose: (Optional) creates an IP address pool.
-
Chapter 65 Configuring L2TP over IPsec Configuring L2TP over IPsec Step 14 Command: l2tp tunnel hello seconds. Purpose: configures the interval (in seconds) between hello messages. The range is 10 through 300 seconds. The default is 60 seconds. Example:
hostname(config)# l2tp tunnel hello 100
Step 15 (Optional) Enables NAT traversal so that ESP packets can pass through one or more NAT devices.
-
Chapter 65 Configuring L2TP over IPsec Configuring L2TP over IPsec Creating IKE Policies to Respond to Windows 7 Proposals Windows 7 L2TP/IPsec clients send several IKE policy proposals to establish a VPN connection with the ASA. Define one of the following IKE policies to facilitate connections from Windows 7 native VPN clients. Step 1 Detailed CLI Configuration Steps, page 65-9: follow the Detailed CLI Configuration Steps procedure through Step 18.
-
Chapter 65 Configuring L2TP over IPsec Configuring L2TP over IPsec Detailed CLI Configuration Steps Step 1 Command Purpose crypto ipsec ike_version transform-set transform_name ESP_Encryption_Type ESP_Authentication_Type Creates a transform set with a specific ESP encryption type and authentication type.
-
Chapter 65 Configuring L2TP over IPsec Configuring L2TP over IPsec Step 8 Command: tunnel-group name type remote-access. Purpose: creates a connection profile (tunnel group). Example:
hostname(config)# tunnel-group sales-tunnel type remote-access
Step 9 Command: default-group-policy name. Purpose: links the name of a group policy to the connection profile (tunnel group).
-
Chapter 65 Configuring L2TP over IPsec Configuring L2TP over IPsec Step 15 Command: crypto isakmp nat-traversal seconds. Purpose: (Optional) enables NAT traversal so that ESP packets can pass through one or more NAT devices. If you expect multiple L2TP clients behind a NAT device to attempt L2TP over IPsec connections to the ASA, you must enable NAT traversal.
-
Chapter 65 Configuring L2TP over IPsec Configuring L2TP over IPsec Creating IKE Policies to Respond to Windows 7 Proposals Windows 7 L2TP/IPsec clients send several IKE policy proposals to establish a VPN connection with the ASA. Define one of the following IKE policies to facilitate connections from Windows 7 native VPN clients. Step 1 Detailed CLI Configuration Steps, page 65-13: follow the Detailed CLI Configuration Steps procedure through Step 18.
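The L2TP over IPsec procedure above (transform set in transport mode, dynamic crypto map, default remote-access profile with PPP authentication, a phase 1 policy that answers a Windows 7 proposal, and NAT-T) as one complete added configuration example. It is not from the guide: the pool, addresses, group-policy name, user, keys, and the choice of AES for phase 2 are assumptions; the 3DES/SHA/group 2 phase 1 policy is the one the chapter lists for native clients.

```cisco
! Added example (not from the guide). Pool, names, addresses, user and keys are assumptions.
!
! Address pool and a group policy limited to L2TP/IPsec.
ip local pool l2tp-pool 192.0.2.100-192.0.2.150 mask 255.255.255.0
group-policy l2tp-policy internal
group-policy l2tp-policy attributes
 vpn-tunnel-protocol l2tp-ipsec
 dns-server value 192.0.2.10
!
! Local user stored in the form MS-CHAP needs. The local database supports
! only PAP and MS-CHAP v1/v2; CHAP and EAP need an external AAA server.
username alice password ChangeMe-Passw0rd mschap
!
! Native Windows/Mac/iPhone clients land in the default remote-access profile.
tunnel-group DefaultRAGroup general-attributes
 address-pool l2tp-pool
 default-group-policy l2tp-policy
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key ChangeMe-PreSharedKey
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
! Phase 2 in transport mode (L2TP already encapsulates the payload). Keep the
! SA lifetime at or above the 300 seconds a Windows client will accept.
crypto ipsec ikev1 transform-set L2TP-TS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-TS mode transport
crypto dynamic-map dyn-l2tp 10 set ikev1 transform-set L2TP-TS
crypto dynamic-map dyn-l2tp 10 set security-association lifetime seconds 3600
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-l2tp
crypto map outside_map interface outside
crypto ikev1 enable outside
!
! Phase 1 policy matching the Windows 7 proposal (3DES, SHA-1, group 2).
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! Clients behind NAT need NAT-T; hello interval left at the default.
crypto isakmp nat-traversal 20
l2tp tunnel hello 60
```

With this in place, show vpn-sessiondb ra-ikev1-ipsec lists connected L2TP clients, and debug l2tp event (on a test box only) shows the PPP authentication negotiation if a client fails after phase 2 completes.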
-
Chapter 65 Configuring L2TP over IPsec Configuring L2TP over IPsec Configuration Example for L2TP over IPsec Using ASA 8.2.5 The following example shows configuration file commands that ensure ASA compatibility with a native VPN client on any operating system:
ip local pool sales_addresses 209.165.202.129-209.165.202.158
group-policy sales_policy internal
group-policy sales_policy attributes
 wins-server value 209.165.201.3 209.165.201.4
 dns-server value 209.165.201.1 209.165.201.
-
Chapter 65 Configuring L2TP over IPsec Feature History for L2TP over IPsec
crypto map vpn interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
Feature History for L2TP over IPsec Table 65-2 lists the release history for this feature. Table 65-2 Feature History for L2TP over IPsec: Feature Name: L2TP over IPsec. Releases: 7.
-
CHAPTER 66 Setting General VPN Parameters The ASA implementation of virtual private networking includes useful features that do not fit neatly into categories. This chapter describes some of these features.
-
Chapter 66 Setting General VPN Parameters Permitting Intra-Interface Traffic (Hairpinning) The following example enables IPsec traffic through the ASA without checking ACLs: hostname(config)# sysopt connection permit-vpn Note Decrypted through-traffic is permitted from the client despite having an access group on the outside interface, which calls a deny ip any any access list, while no sysopt connection permit-vpn is configured.
-
Chapter 66 Setting General VPN Parameters Setting Maximum Active IPsec or SSL VPN Sessions To configure this feature, use the same-security-traffic command in global configuration mode with its intra-interface argument. The command syntax is same-security-traffic permit {inter-interface | intra-interface}.
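The sysopt connection permit-vpn behaviour and the intra-interface (hairpinning) setting described above, as an added configuration example that is not from the guide. The ACL name, group-policy name, addresses, the vpn-filter alternative, and the hairpin NAT rule at the end are assumptions added to show how a practitioner restricts VPN users when the interface ACL is bypassed.

```cisco
! Added example (not from the guide). Names and addresses are assumptions.
!
! Default: decrypted IPsec/SSL VPN traffic is NOT checked against the access
! group on the interface where it arrives.
sysopt connection permit-vpn
!
! Keeping the default, restrict VPN users per group policy instead. The
! vpn-filter ACL is written with the VPN client as source and the protected
! resource as destination; it is enforced on both directions of the session.
access-list ra-filter extended permit tcp any host 192.0.2.20 eq 443
access-list ra-filter extended permit udp any host 192.0.2.10 eq domain
access-list ra-filter extended deny ip any any
group-policy ra-policy attributes
 vpn-filter value ra-filter
!
! Alternative: subject decrypted traffic to the outside interface ACL.
! Every permit the VPN users need must then also appear in that ACL.
no sysopt connection permit-vpn
!
! Hairpinning: allow traffic that arrived on "outside" to leave on "outside"
! again (client-to-client, or client-to-Internet through the tunnel).
same-security-traffic permit intra-interface
!
! Tunnelled clients going to the Internet also need a translation on the
! outside interface (8.4 twice-NAT form; the object name is an assumption).
object network VPN-POOL
 subnet 192.0.2.0 255.255.255.0
nat (outside,outside) source dynamic VPN-POOL interface
```

Pick one of the two ACL strategies, not both halves of this block: with sysopt connection permit-vpn left on, the vpn-filter is the only thing standing between a VPN user and the inside network. Verify with show vpn-sessiondb detail, which lists the filter applied to each session.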
-
Chapter 66 Setting General VPN Parameters Using Client Update to Ensure Acceptable IPsec Client Revision Levels The following example shows how to set a maximum AnyConnect VPN session limit of 450:
hostname(config)# vpn-sessiondb max-anyconnect-premium-or-essentials-limit 450
hostname(config)#
Using Client Update to Ensure Acceptable IPsec Client Revision Levels Note The information in this section applies to IPsec connections only.
-
Chapter 66 Setting General VPN Parameters Using Client Update to Ensure Acceptable IPsec Client Revision Levels Note For all Windows clients, you must use the protocol http:// or https:// as the prefix for the URL. For the VPN 3002 hardware client, you must specify protocol tftp:// instead. The following example configures client update parameters for the remote access tunnel group. It designates the revision number 4.6.1 and the URL for retrieving the update, which is https://support/updates.
-
Chapter 66 Setting General VPN Parameters Understanding Load Balancing If the client's revision number matches one of the specified revision numbers, there is no need to update the client, and no notification message is sent to the user. VPN 3002 clients update without user intervention, and their users receive no notification message.
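The client-update configuration the preceding section describes, as an added configuration example that is not from the guide. The revision 4.6.1 and the URL https://support/updates are the values the section itself describes; the tunnel-group name remotegrp, the VPN 3002 image path, and the VPN 3002 revision are assumptions.

```cisco
! Added example (not from the guide). Tunnel-group name, tftp path and the
! VPN 3002 revision are assumptions.
!
! 1. Turn the feature on globally.
client-update enable
!
! 2. Global rule for Windows IPsec clients: a client whose revision is not
!    4.6.1 is told to fetch the update from the URL. Windows clients must be
!    given an http:// or https:// URL.
client-update type windows url https://support/updates/ rev-nums 4.6.1
!
! 3. VPN 3002 hardware clients take a tftp:// URL and update without user
!    interaction, so get the image right before enabling this rule.
client-update type vpn3002 url tftp://192.0.2.30/vpn3002.bin rev-nums 4.7.2
!
! 4. A rule in a connection profile overrides the global rule for users who
!    connect through that tunnel group.
tunnel-group remotegrp type remote-access
tunnel-group remotegrp ipsec-attributes
 client-update type windows url https://support/updates/ rev-nums 4.6.1
```

Serve the update over https:// with a certificate the clients already trust: the ASA only hands the client a URL, so a plain http:// location or a tftp server reachable from the Internet is an easy place for an attacker to substitute an installer.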
-
Chapter 66 Setting General VPN Parameters Understanding Load Balancing Comparing Load Balancing to Failover Both load balancing and failover are high-availability features, but they function differently and have different requirements. In some circumstances you can use both load balancing and failover. The following sections describe the differences between these features.
-
Chapter 66 Setting General VPN Parameters Understanding Load Balancing Note VPN load balancing requires an active 3DES/AES license. The ASA checks for the existence of this crypto license before enabling load balancing. If it does not detect an active 3DES or AES license, the ASA prevents the enabling of load balancing and also prevents internal configuration of 3DES by the load balancing system unless the license permits this usage. Prerequisites Load balancing is disabled by default.
-
Chapter 66 Setting General VPN Parameters Understanding Load Balancing The master device redirects the IPsec and SSL VPN tunnel to the device with the lowest load until that device's load is 1% higher than the rest. When all backup cluster members are 1% higher than the master, the master device redirects to itself. For example, if you have one master and two backup cluster members, the following cycle applies (note: all nodes start with 0%, and all percentages are rounded half-up): 1.
-
Chapter 66 Setting General VPN Parameters Understanding Load Balancing Some Typical Mixed Cluster Scenarios If you have a mixed configuration—that is, if your load-balancing cluster includes devices running a mixture of ASA software releases or at least one ASA running ASA Release 7.1(1) or later and a VPN 3000 concentrator—the difference in weighting algorithms becomes an issue if the initial cluster master fails and another device takes over as master.
-
Chapter 66 Setting General VPN Parameters Configuring Load Balancing Configuring Load Balancing To use load balancing, configure the following elements for each device that participates in the cluster: • Public and private interfaces • VPN load-balancing cluster attributes Note All participants in the cluster must have an identical cluster configuration, except for the device priority within the cluster.
-
Chapter 66 Setting General VPN Parameters Configuring Load Balancing hostname(config-load-balancing)# nat 192.168.30.
-
Chapter 66 Setting General VPN Parameters Configuring Load Balancing Note When using encryption, you must have previously configured the load-balancing inside interface. If the inside interface has not been configured for load balancing, you get an error message when you try to configure cluster encryption.
-
Chapter 66 Setting General VPN Parameters Configuring Load Balancing For example: hostname(config)# vpn load-balancing hostname(config-load-balancing)# redirect-fqdn enable hostname(config-load-balancing)# Step 2 Add an entry for each of your ASA outside interfaces into your DNS server if such entries are not already present. Each ASA outside IP address should have a DNS entry associated with it for lookups. These DNS entries must also be enabled for reverse lookup.
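A complete load-balancing cluster member configuration, as an added example that is not from the guide. It follows the element list above (public and private interfaces, then the cluster attributes); the interface names, the unit's own addresses, the cluster key, port, and priority are assumptions, and 192.168.1.100 is the cluster address that appears in this chapter's show output.

```cisco
! Added example (not from the guide). Interface names, addresses, key and
! priority are assumptions. Requires a 3DES/AES license ("show version" lists
! it as VPN-3DES-AES), or the ASA refuses to enable load balancing.
!
! Public and private interfaces must exist before they are referenced below;
! cluster encryption in particular errors out if the private interface is
! not configured yet.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.9 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.30.9 255.255.255.0
!
! Every member of the cluster carries an identical copy of this block except
! for "priority", which decides who becomes master.
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 192.168.1.100
 cluster port 9023
 cluster key ChangeMe-ClusterKey
 cluster encryption
 priority 10
 redirect-fqdn enable
 participate
```

Set the cluster key before cluster encryption, and use the same key on every member; without encryption the cluster's keepalive and load exchanges on UDP 9023 travel in clear text on the private interface. With redirect-fqdn enabled, each member's outside address needs a forward and a reverse DNS entry, or clients are redirected to a name they cannot resolve. show vpn load-balancing confirms the role, peers, and per-member load.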
-
Chapter 66 Setting General VPN Parameters Configuring Load Balancing Using Load Balancing and Failover on the Same Device Q: Can a single device use both load balancing and failover? A: Yes. In this configuration, the client connects to the IP address of the cluster and is redirected to the least-loaded ASA in the cluster. If that device fails, the standby unit takes over immediately, and there is no impact to the VPN tunnel.
-
Chapter 66 Setting General VPN Parameters Configuring VPN Session Limits The following example shows 100 SSL sessions (active only) and a 2 percent SSL load. These numbers do not include the inactive sessions; in other words, inactive sessions do not count toward the load for load balancing.
hostname# show vpn load-balancing
Status     : enabled
Role       : Master
Failover   : Active
Encryption : enabled
Cluster IP : 192.168.1.100
Peers      : 1
Load % Sessions Public IP 192.168.1.9 192.168.1.
-
Chapter 66 Setting General VPN Parameters Configuring VPN Session Limits
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
AnyConnect Premium Peers       : 250
AnyConnect Essentials          : Disabled
Other VPN Peers                : 250
Total VPN Peers                : 250
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Advanced Endpoint Assessment   : Enabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled
Intercompany Media Engine      : Disab
-
-
CHAPTER 67 Configuring Connection Profiles, Group Policies, and Users This chapter describes how to configure VPN connection profiles (formerly called "tunnel groups"), group policies, and users. This chapter includes the following sections.
-
Chapter 67 Configuring Connection Profiles, Group Policies, and Users Connection Profiles and an MIS group to access other parts. In addition, you might allow specific users within MIS to access systems that other MIS users cannot access. Connection profiles and group policies provide the flexibility to do so securely. Note The ASA also includes the concept of object groups, which are a superset of network lists. Object groups let you define VPN access to ports as well as networks.
-
Chapter 67 Configuring Connection Profiles, Group Policies, and Users Connection Profiles General Connection Profile Connection Parameters General parameters are common to all VPN connections. The general parameters include the following: • Connection profile name—You specify a connection-profile name when you add or edit a connection profile.
-
Chapter 67 Configuring Connection Profiles, Group Policies, and Users Connection Profiles IPsec Tunnel-Group Connection Parameters IPsec parameters include the following: • A client authentication method: preshared keys, certificates, or both. – For IKE connections based on preshared keys, this is the alphanumeric key itself (up to 128 characters long), associated with the connection policy.
-
Chapter 67 Configuring Connection Profiles, Group Policies, and Users Connection Profiles Note If you have a LAN-to-LAN configuration using IKE main mode, make sure that the two peers have the same IKE keepalive configuration. Both peers must have IKE keepalives enabled or both peers must have it disabled.
-
Chapter 67 Configuring Connection Profiles, Group Policies, and Users Configuring Connection Profiles Table 67-1 Connection Profile Attributes for SSL VPN: override-svc-download: overrides downloading the group-policy or username attributes configured for downloading the AnyConnect VPN client to the remote user. radius-reject-message: enables the display of the RADIUS reject message on the login screen when authentication is rejected.
-
Chapter 67 Configuring Connection Profiles, Group Policies, and Users Configuring Connection Profiles Default IPsec Remote Access Connection Profile Configuration The contents of the default remote-access connection profile are as follows:
tunnel-group DefaultRAGroup type remote-access
tunnel-group DefaultRAGroup general-attributes
 no address-pool
 no ipv6-address-pool
 authentication-server-group LOCAL
 accounting-server-group RADIUS
 default-group-policy DfltGrpPolicy
 no dhcp-server
 no strip-realm
 no passwo
-
– Cisco ASA5500 Easy VPN hardware client (connecting with IPsec/IKEv1)
– Cisco VPN 3002 hardware client (connecting with IPsec/IKEv1)
We also provide a default group policy named DfltGrpPolicy. To configure a remote-access connection profile, first configure the tunnel-group general attributes, then the remote-access attributes.
-
Step 3 Specify the name of the authorization-server group, if any, to use. When you configure this value, users must exist in the authorization database to connect:
hostname(config-tunnel-general)# authorization-server-group groupname
hostname(config-tunnel-general)#
The name of the authorization server group can be up to 16 characters long.
-
The following example inherits the authentication server group from the default remote access group.
hostname(config-group-policy)# no nac-authentication-server-group
hostname(config-group-policy)#
Note NAC requires a Cisco Trust Agent on the remote host.
Step 8 Specify whether to strip the group or the realm from the username before passing it on to the AAA server.
-
Note The password-management command, entered in tunnel-group general-attributes configuration mode, replaces the deprecated radius-with-expiry command that was formerly entered in tunnel-group ipsec-attributes mode. When you configure the password-management command, the ASA notifies the remote user at login that the user’s current password is about to expire or has expired.
-
For example, the following command specifies the use of the CN attribute as the username for authorization:
hostname(config-tunnel-general)# authorization-dn-attributes CN
hostname(config-tunnel-general)#
The authorization-dn-attributes are C (Country), CN (Common Name), DNQ (DN qualifier), EA (E-mail Address), GENQ (Generational qualifier), GN (Given Name), I (Initials), L (Locality), N (Name), O (Orga
-
The values for the DN fields to extract from the certificate for use as a secondary username are the same as for the primary username-from-certificate command. Alternatively, you can specify the use-script keyword, which directs the ASA to use a script file generated by ASDM.
-
Step 1 To specify the IPsec attributes of a remote-access tunnel-group, enter tunnel-group ipsec-attributes mode by entering the following command.
-
For example, the following command sets the IKE keepalive threshold value to 15 seconds and sets the retry interval to 10 seconds:
hostname(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10
hostname(config-tunnel-ipsec)#
The default value for the threshold parameter is 300 for remote-access and 10 for LAN-to-LAN, and the default value for the retry parameter is 2.
-
hostname(config)# tunnel-group tunnel-group-name type remote-access
hostname(config)# tunnel-group tunnel-group-name ppp-attributes
hostname(config-tunnel-ppp)#
For example, the following command designates that the tunnel-group ppp-attributes mode commands that follow pertain to the connection profile named TG1.
-
Configuring LAN-to-LAN Connection Profiles

An IPsec LAN-to-LAN VPN connection profile applies only to LAN-to-LAN IPsec client connections. While many of the parameters that you configure are the same as for IPsec remote-access connection profiles, LAN-to-LAN tunnels have fewer parameters.
-
For example, for the connection profile named docs, enter the following command:
hostname(config)# tunnel-group docs general-attributes
hostname(config-tunnel-general)#
Step 2 Specify the name of the accounting-server group, if any, to use:
hostname(config-tunnel-general)# accounting-server-group groupname
hostname(config-tunnel-general)#
For example, the following command specifies the use of the acc
-
The available options are req (required), cert (if supported by certificate), and nocheck (do not check). The default is req. For example, the following command sets the peer-id-validate option to nocheck:
hostname(config-tunnel-ipsec)# peer-id-validate nocheck
hostname(config-tunnel-ipsec)#
Step 4 Specify whether to enable sending of a certificate chain.
-
Note Before the authentication type can be set to hybrid, you must configure the authentication server, create a preshared key, and configure a trustpoint.
-
The authentication-server-group name identifies a previously configured authentication server or group of servers. Use the aaa-server command to configure authentication servers. The maximum length of the group tag is 16 characters. You can also configure interface-specific authentication by including the name of an interface in parentheses before the group name.
-
hostname(config-tunnel-general)# accounting-server-group comptroller
hostname(config-tunnel-general)#
Step 7 Optionally, specify the name of the default group policy.
-
Note The password-management command, entered in tunnel-group general-attributes configuration mode, replaces the deprecated radius-with-expiry command that was formerly entered in tunnel-group ipsec-attributes mode. When you configure this command, the ASA notifies the remote user at login that the user’s current password is about to expire or has expired.
-
hostname(config-tunnel-webvpn)#

Applying Customization

Customizations determine the appearance of the windows that the user sees upon login. You configure the customization parameters as part of configuring clientless SSL VPN.
-
The timeout interval can range from 1 through 30 seconds (default 2), and the number of retries can be in the range 0 through 10 (default 2). The nbns-server command in tunnel-group webvpn-attributes configuration mode replaces the deprecated nbns-server command in webvpn configuration mode.
Step 4 To specify alternative names for the group, use the group-alias command.
-
hostname(config-tunnel-general)# tunnel-group RadiusServer webvpn-attributes
hostname(config-tunnel-webvpn)# group-alias "Cisco Remote Access" enable
hostname(config-tunnel-webvpn)# group-url http://www.cisco.com enable
hostname(config-tunnel-webvpn)# group-url http://192.168.10.
-
hostname(config-tunnel-webvpn)#
Step 9 (Optional) To specify whether to override the group policy or username attributes configuration for downloading an AnyConnect or SSL VPN client, use the override-svc-download command. This feature is disabled by default.
-
hostname(config-username-webvpn)# customization value salesgui
hostname(config-username-webvpn)# exit
hostname(config-username)# exit
hostname(config)#
Step 3 In global configuration mode, create a tunnel-group for clientless SSL VPN sessions named sales:
hostname(config)# tunnel-group sales type webvpn
hostname(config)#
Step 4 Specify that you want to use the salesgui customization for this connection
-
The following sections assume that you are using an LDAP directory server for authentication.
-
Figure 67-2 Active Directory—User Must Change Password at Next Logon

The next time this user logs on, the ASA displays the following prompt: “New password required. Password change required. You must enter a new password with a minimum length n to continue.
-
Figure 67-3 Active Directory—Maximum Password Age

Note The radius-with-expiry command, formerly configured as part of tunnel-group remote-access configuration to perform the password age function, is deprecated. The password-management command, entered in tunnel-group general-attributes mode, replaces it.
-
Figure 67-4 Active Directory—Override Account Disabled

The user should be able to log on successfully, even though a AAA server provides an account-disabled indicator.
-
Figure 67-5 Active Directory—Minimum Password Length

Using Active Directory to Enforce Password Complexity

To enforce complex passwords—for example, to require that a password contain upper- and lowercase letters, numbers, and special characters—specify the password-management command in tunnel-group general-attributes configuration mode on the ASA and do the following steps under Active Directory:
Step
-
Figure 67-6 Active Directory—Enforce Password Complexity

Enforcing password complexity takes effect only when the user changes passwords; for example, when you have configured Enforce password change at next login or Password expires in n days. At login, the user receives a prompt to enter a new password, and the system will accept only a complex password.
-
During authentication, the RADIUS server presents access challenge messages to the ASA. Within these challenge messages are reply messages containing text from the SDI server. The message text is different when the ASA is communicating directly with an SDI server than when communicating through the RADIUS proxy.
-
Message Code      Default RADIUS Reply Message Text      Function
new-pin-meth      Do you want to enter your own pin      Requests from the user which new PIN method to use to create a new PIN.
new-pin-req       Enter your new Alpha-Numerical PIN     Indicates a user-generated PIN and requests that the user enter the PIN.
new-pin-reenter   Reenter PIN:                           Used internally by the ASA for user-supplied PIN confirmation.
-
Group Policies

• Hardware client settings
• Filters
• Client configuration settings
• Connection settings

Default Group Policy

The ASA supplies a default group policy. You can modify this default group policy, but you cannot delete it. A default group policy, named DfltGrpPolicy, always exists on the ASA, but this default group policy does not take effect unless you configure the ASA to use it.
-
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.
-
 unix-auth-uid 65534
 unix-auth-gid 65534
 file-entry enable
 file-browsing enable
 url-entry enable
 deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features.
-
For example, the following command creates an external group policy named ExtGroup that gets its attributes from an external RADIUS server named ExtRAD and specifies that the password to use when retrieving the attributes is newpassword:
hostname(config)# group-policy ExtGroup external server-group ExtRAD password newpassword
hostname(config)#
Note You can configure several vendor-specific attributes (VSAs), as describ
-
hostname(config-group-policy)#
The first IP address specified is that of the primary WINS server. The second (optional) IP address is that of the secondary WINS server. Specifying the none keyword instead of an IP address sets WINS servers to a null value, which allows no WINS servers and prevents inheriting a value from a default or specified group policy.
-
Configuring VPN-Specific Attributes

Follow the steps in this section to set the VPN attribute values. The VPN attributes control the access hours, the number of simultaneous logins allowed, the timeouts, the egress VLAN or ACL to apply to VPN sessions, and the tunnel protocol:
Step 1 Set the VPN access hours.
-
hostname(config-group-policy)#
AnyConnect (SSL IPsec/IKEv2): Use the global WebVPN default-idle-timeout value (seconds) from the command:
hostname(config-webvpn)# default-idle-timeout
The range for the WebVPN default-idle-timeout command is 60-86400 seconds; the default global WebVPN idle timeout is 1800 seconds (30 minutes).
-
The following example shows how to set the vpn-session-timeout alert-interval so that users will be notified 20 minutes before their VPN session is disconnected. You can specify a range of 1-30 minutes.
hostname(config-webvpn)# vpn-session-timeout alert-interval 20
The none parameter of the command indicates that users will not receive an alert.
-
A vpn-filter command is applied to post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel. An ACL that is used for a vpn-filter should NOT also be used for an interface access-group.
-
The default is IPsec. To remove the attribute from the running configuration, enter the no form of this command. The parameter values for this command follow:
• ikev1—Negotiates an IPsec IKEv1 tunnel between two peers (the Cisco VPN Client or another secure gateway). Creates security associations that govern authentication, encryption, encapsulation, and key management.
-
Step 2 Specify whether to enable IP compression, which is disabled by default.
Note IP compression is not supported for IPsec IKEv2 connections.
hostname(config-group-policy)# ip-comp {enable | disable}
hostname(config-group-policy)#
To enable LZS IP compression, enter the ip-comp command with the enable keyword in group-policy configuration mode.
-
hostname(config-group-policy)# group-lock {value tunnel-grp-name | none}
hostname(config-group-policy)# no group-lock
hostname(config-group-policy)#
The tunnel-grp-name variable specifies the name of an existing connection profile that the ASA requires for the user to connect.
-
Configuring IPsec-UDP Attributes for IKEv1

IPsec over UDP, sometimes called IPsec through NAT, lets a Cisco VPN client or hardware client connect via UDP to an ASA that is running NAT. It is disabled by default. IPsec over UDP is proprietary; it applies only to remote-access connections, and it requires mode configuration. The ASA exchanges configuration parameters with the client while negotiating SAs.
-
Differences in Client Split Tunneling Behavior for Traffic within the Subnet

The AnyConnect client and the legacy Cisco VPN client (the IPsec/IKEv1 client) behave differently when passing traffic to sites within the same subnet as the IP address assigned by the ASA.
-
Split tunneling network lists distinguish networks that require traffic to travel across the tunnel from those that do not require tunneling. The ASA makes split tunneling decisions on the basis of a network list, which is an ACL that consists of a list of addresses on the private network. If you use extended ACLs, the source network determines the split-tunneling network. The destination network is ignored.
-
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# default-domain value FirstDomain

Defining a List of Domains for Split Tunneling

Enter a list of domains to be resolved through the split tunnel. Enter the split-dns command in group-policy configuration mode. To delete a list, enter the no form of this command.
-
The following example shows how to set DHCP Intercepts for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# intercept-dhcp enable

Configuring Attributes for VPN Hardware Clients

The commands in this section enable or disable secure unit authentication and user authentication, and set a user authentication timeout value for VPN hardware clients.
-
To disable user authentication, enter the disable keyword. To remove the user authentication attribute from the running configuration, enter the no form of this command. This option allows inheritance of a value for user authentication from another group policy. If you require user authentication on the primary ASA, be sure to configure it on any backup servers as well.
-
Note You must configure mac-exempt to exempt the clients from authentication. Refer to the “Configuring Device Pass-Through” section on page 71-8 for more information.

Configuring LEAP Bypass

When LEAP Bypass is enabled, LEAP packets from wireless devices behind a VPN 3002 hardware client travel across a VPN tunnel prior to user authentication.
-
have direct access to devices on the private network behind the hardware client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange.
-
The following example shows how to configure backup servers with IP addresses 10.10.10.1 and 192.168.10.14, for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# backup-servers 10.10.10.1 192.168.10.14

Configuring Browser Client Parameters

The following commands configure the proxy server parameters for a client.
-
The following example shows how to configure auto-detect as the browser proxy setting for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# msie-proxy method auto-detect
hostname(config-group-policy)#
The following example configures the proxy setting for the group policy named FirstGroup to use the server QAserver, port 1001 as the server for the clie
-
Configuring Network Admission Control Parameters

The group-policy NAC commands in this section all have default values. Unless you have a good reason for changing them, accept the default values for these parameters. The security appliance uses Extensible Authentication Protocol (EAP) over UDP (EAPoUDP) messaging to validate the posture of remote hosts.
-
hostname(config-group-policy)# nac-reval-period seconds
hostname(config-group-policy)#
To inherit the value of the Revalidation Timer from the default group policy, access the alternative group policy from which to inherit it, then use the no form of this command:
hostname(config-group-policy)# no nac-reval-period [seconds]
hostname(config-group-policy)#
The following example changes the revalidation timer to 86400 sec
-
Step 4 Configure NAC exemptions for VPN. By default, the exemption list is empty. The default value of the filter attribute is none. Enter the vpn-nac-exempt command once for each operating system (and ACL) to be matched to exempt remote hosts from posture validation. To add an entry to the list of remote computer types that are exempt from posture validation, use the vpn-nac-exempt command in group-policy configuration mode.
-
The following example removes the same entry from the exemption list, regardless of whether it is disabled:
hostname(config-group-policy)# no vpn-nac-exempt os "Windows 98" filter acl-1
hostname(config-group-policy)#
The following example disables inheritance and specifies that all hosts will be subject to posture validation:
hostname(config-group-policy)# no vpn-nac-exempt none
hostname(config-group-policy)#
The followi
-
hostname(config-group-policy)# address-pools none
hostname(config-group-policy)#
The command no address-pools none removes the address-pools none command from the configuration, restoring the default value, which is to allow inheritance.
-
Supporting a Zone Labs Integrity Server

mechanism is called Are You There (AYT), because the VPN client monitors the firewall by sending it periodic “are you there?” messages; if no reply comes, the VPN client knows the firewall is down and terminates its connection to the ASA.) The network administrator might configure these PC firewalls originally, but with this approach, each user can customize his or her own configuration.
-
Note The current release of the ASA supports one Integrity server at a time, even though the user interfaces support the configuration of up to five Integrity servers. If the active Integrity server fails, configure another one on the ASA and then reestablish the VPN client session.
-
Step 6
Command                        Purpose
zonelabs-integrity fail-open   Returns the configured VPN client connection fail state to the default and ensures that the client connections remain open.
Example:
hostname(config)# zonelabs-integrity fail-open

Step 7
Specifies that the Integrity server connects to port 300 (the default is port 80) on the ASA to request the server SSL certificate.
-
Custom Firewall
hostname(config-group-policy)# client-firewall {opt | req} custom vendor-id num product-id num policy {AYT | CPP acl-in ACL acl-out ACL} [description string]
Zone Labs Firewalls
hostname(config-group-policy)# client-firewall {opt | req} zonelabs-integrity
Note When the firewall type is zonelabs-integrity, do not include arguments.
-
Table 67-4 client-firewall Command Keywords and Variables

none         Indicates that there is no client firewall policy. Sets a firewall policy with a null value, thereby disallowing a firewall policy. Prevents inheriting a firewall policy from a default or specified group policy.
opt          Indicates an optional firewall type.
product-id   Identifies the firewall product.
-
To delete all rules, enter the no client-access-rule command without arguments. This deletes all configured rules, including a null rule if you created one by issuing the client-access-rule command with the none keyword. By default, there are no access rules. When there are no client access rules, users inherit any rules that exist in the default group policy.
-
Configuring Group-Policy Attributes for Clientless SSL VPN Sessions

Clientless SSL VPN lets users establish a secure, remote-access VPN tunnel to the ASA using a web browser. There is no need for either a software or hardware client. Clientless SSL VPN provides easy access to a broad range of web resources and web-enabled applications from almost any computer that can reach HTTPS Internet sites.
-
The following example shows how to enter group-policy webvpn configuration mode for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)#

Applying Customization

Customizations determine the appearance of the windows that the user sees upon login.
-
The default deny message is: “Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.” The first command in the following example creates an internal group policy named group2.
-
Specifying the User Home Page

Specify a URL for the web page that displays when a user in this group logs in by using the homepage command in group-policy webvpn configuration mode. There is no default home page. To remove a configured home page, including a null value created by issuing the homepage none command, enter the no form of this command.
-
Specifying the Access List for Clientless SSL VPN Sessions

Specify the name of the access list to use for clientless SSL VPN sessions for this group policy or username by using the filter command in webvpn mode. Clientless SSL VPN access lists do not apply until you enter the filter command to specify them.
-
Table 67-7 url-list Command Keywords and Variables

none         Sets a null value for url lists. Prevents inheriting a list from a default or specified group policy.
value name   Specifies the name of a previously configured list of urls. To configure such a list, use the url-list command in global configuration mode.
-
The listname string following the keyword value identifies the list of applications users of clientless SSL VPN sessions can access. Enter the port-forward command in webvpn configuration mode to define the list. Using the command a second time overrides the previous setting.
-
hostname(config-group-webvpn)# http-comp {gzip | none}
hostname(config-group-webvpn)#
To remove the command from the configuration and cause the value to be inherited, use the no form of the command:
hostname(config-group-webvpn)# no http-comp {gzip | none}
hostname(config-group-webvpn)#
The syntax of this command is as follows:
• gzip—Specifies compression is enabled for the group or user.
-
Step 1 Enter group policy webvpn configuration mode. For example:
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
Step 2 To disable the permanent installation of the AnyConnect client on the endpoint computer, use the anyconnect keep-installer command with the none keyword.
-
anyconnect ssl rekey {method {ssl | new-tunnel} | time minutes | none}
By default, re-key is disabled. Specifying the method as new-tunnel specifies that the AnyConnect client establishes a new tunnel during SSL re-key. Specifying the method as none disables re-key. Specifying the method as ssl specifies that SSL renegotiation takes place during re-key.
-
Configuring User Attributes

The internal user authentication database consists of the users entered with the username command. The login command uses this database for authentication. To add a user to the ASA database, enter the username command in global configuration mode. To remove a user, use the no version of this command with the username you want to remove.
-
Configuring VPN User Attributes

The VPN user attributes set values specific to VPN connections, as described in the following sections.

Configuring Inheritance

You can let users inherit from the group policy the values of attributes that you have not configured at the username level. To specify the name of the group policy from which this user inherits attributes, enter the vpn-group-policy command.
-
The following example shows how to allow a maximum of 4 simultaneous logins for the user named anyuser:
hostname(config)# username anyuser attributes
hostname(config-username)# vpn-simultaneous-logins 4
hostname(config-username)#

Configuring the Idle Timeout

Specify the idle timeout period in minutes, or enter none to disable the idle timeout.
-
Chapter 67 Configuring Connection Profiles, Group Policies, and Users Configuring User Attributes You configure ACLs to permit or deny various types of traffic for this user. You then use the vpn-filter command to apply those ACLs. hostname(config-username)# vpn-filter {value ACL_name | none} hostname(config-username)# no vpn-filter hostname(config-username)# Note Clientless SSL VPN does not use ACLs defined in the vpn-filter command.
-
Chapter 67 Configuring Connection Profiles, Group Policies, and Users Configuring User Attributes The parameter values for this command are as follows: • IPsec—Negotiates an IPsec tunnel between two peers (a remote access client or another secure gateway). Creates security associations that govern authentication, encryption, encapsulation, and key management.
-
Chapter 67 Configuring Connection Profiles, Group Policies, and Users Configuring User Attributes hostname(config)# username anyuser attributes hostname(config-username)# password-storage enable hostname(config-username) Configuring Clientless SSL VPN Access for Specific Users The following sections describe how to customize a configuration for specific users of clientless SSL VPN sessions. Enter username webvpn configuration mode by using the webvpn command in username configuration mode.
-
Chapter 67 Configuring Connection Profiles, Group Policies, and Users Configuring User Attributes • AnyConnect Secure Mobility Client • keep-alive ignore • HTTP compression The following example shows how to enter username webvpn configuration mode for the username anyuser attributes: hostname(config)# username anyuser attributes hostname(config-username)# webvpn hostname(config-username-webvpn)# Specifying the Content/Objects to Filter from the HTML To filter Java, ActiveX, images, scripts, and c
-
Chapter 67 Configuring Connection Profiles, Group Policies, and Users Configuring User Attributes The none keyword indicates that there is no clientless SSL VPN home page. It sets a null value, thereby disallowing a home page and prevents inheriting a home page. The url-string variable following the keyword value provides a URL for the home page. The string must begin with either http:// or https://. There is no default home page.
-
Chapter 67 Configuring Connection Profiles, Group Policies, and Users Configuring User Attributes The no deny-message value command removes the message string, so that the remote user does not receive a message. The no deny-message none command removes the attribute from the connection profile policy configuration. The policy inherits the attribute value.
-
Chapter 67 Configuring Connection Profiles, Group Policies, and Users Configuring User Attributes Applying a URL List You can specify a list of URLs to appear on the home page for a user who has established a clientless SSL VPN session. First, you must create one or more named lists by entering the url-list command in global configuration mode. To apply a list of servers and URLs to a particular user of clientless SSL VPN, enter the url-list command in username webvpn configuration mode.
-
Chapter 67 Configuring Connection Profiles, Group Policies, and Users Configuring User Attributes To remove the port forwarding attribute from the configuration, including a null value created by issuing the port-forward none command, enter the no form of this command. The no option allows inheritance of a list from the group policy. To disallow filtering and prevent inheriting a port forwarding list, enter the port-forward command with the none keyword.
-
Chapter 67 Configuring Connection Profiles, Group Policies, and Users Configuring User Attributes hostname(config-group-webvpn)# keep-alive-ignore 5 hostname(config-group-webvpn)# Configuring Auto-Signon To automatically submit the login credentials of a particular user of clientless SSL VPN to internal servers using NTLM, basic HTTP authentication or both, use the auto-signon command in username webvpn configuration mode.
-
Chapter 67 Configuring Connection Profiles, Group Policies, and Users Configuring User Attributes • none—Specifies compression is disabled for the group or user. For clientless SSL VPN session, the compression command configured from global configuration mode overrides the http-comp command configured in group policy and username webvpn modes.
-
CHAPTER 68 Configuring IP Addresses for VPNs
This chapter describes IP address assignment methods. IP addresses make internetwork connections possible. They are like telephone numbers: both the sender and receiver must have an assigned number to connect. But with VPNs, there are actually two sets of addresses: the first set connects client and server on the public network. Once that connection is made, the second set connects client and server through the VPN tunnel.
-
Configuring an IP Address Assignment Method
Configuring Local IP Address Pools
To configure IP address pools to use for VPN remote access tunnels, enter the ip local pool command in global configuration mode. To delete address pools, enter the no form of this command. The ASA uses address pools based on the tunnel group for the connection.
-
hostname(config)# vpn-addr-assign aaa
hostname(config)#
Step 2 To establish the tunnel group called firstgroup as a remote access or LAN-to-LAN tunnel group, enter the tunnel-group command with the type keyword. The following example configures a remote access tunnel group.
-
Step 1 To configure DHCP as the address assignment method, enter the vpn-addr-assign command with the dhcp argument:
hostname(config)# vpn-addr-assign dhcp
hostname(config)#
Step 2 To establish the tunnel group called firstgroup as a remote access or LAN-to-LAN tunnel group, enter the tunnel-group command with the type keyword. The following example configures a remote access tunnel group.
-
CHAPTER 69 Configuring Remote Access IPsec VPNs
This chapter describes how to configure Remote Access IPsec VPNs and includes the following sections:
• Information About Remote Access IPsec VPNs, page 69-1
• Licensing Requirements for Remote Access IPsec VPNs, page 69-2
• Guidelines and Limitations, page 69-7
• Configuring Remote Access IPsec VPNs, page 69-7
• Configuration Examples for Remote Access IPsec VPNs, page 69-14
• Feature History for Remote Access VPNs, page 69-15
Information A
-
Licensing Requirements for Remote Access IPsec VPNs
A transform set protects the data flows for the access list specified in the associated crypto map entry. You can create transform sets in the ASA configuration, and then specify a maximum of 11 of them in a crypto map or dynamic crypto map entry.
-
Model: ASA 5520
License Requirement (footnote 1):
• IPsec remote access VPN using IKEv2 (use one of the following):
– AnyConnect Premium license: Base license: 2 sessions. Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, or 750 sessions. Optional Shared licenses (footnote 2): Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000.
-
Model: ASA 5580
License Requirement (footnote 1):
• IPsec remote access VPN using IKEv2 (use one of the following):
– AnyConnect Premium license: Base license: 2 sessions. Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, 5000, or 10000 sessions. Optional Shared licenses (footnote 2): Participant or Server.
-
Model: ASA 5545-X
License Requirement (footnote 1):
• IPsec remote access VPN using IKEv2 (use one of the following):
– AnyConnect Premium license: Base license: 2 sessions. Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, or 2500 sessions. Optional Shared licenses (footnote 2): Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000.
-
Model: ASA 5585-X with SSP-10
License Requirement (footnote 1):
• IPsec remote access VPN using IKEv2 (use one of the following):
– AnyConnect Premium license: Base license: 2 sessions. Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, or 5000 sessions. Optional Shared licenses (footnote 2): Participant or Server.
-
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single context mode only. Does not support multiple context mode.
Firewall Mode Guidelines
Not supported in routed or transparent firewall mode.
Failover Guidelines
IPsec VPN sessions are replicated in Active/Standby failover configurations only.
-
Configuring Remote Access IPsec VPNs
Detailed Steps
Step 1
Command: interface {interface}
Purpose: Enters interface configuration mode from global configuration mode.
Example:
hostname(config)# interface ethernet0
hostname(config-if)#
Step 2
Command: ip address ip_address [mask] [standby ip_address]
Purpose: Sets the IP address and subnet mask for the interface.
Example:
hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.
-
Step 3
Command: crypto ikev1 policy priority hash {md5 | sha}
Purpose: Specifies the hash algorithm for an IKE policy (also called the HMAC variant).
-
Command: ip local pool poolname first-address-last-address [mask mask]
Purpose: Creates an address pool with a range of IP addresses, from which the ASA assigns addresses to the clients.
Example:
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
hostname(config)#
The address mask is optional.
-
Command: To configure an IKEv1 transform set:
Purpose: Configures an IKEv1 transform set that specifies the IPsec IKEv1 encryption and hash algorithms to be used to ensure data integrity.
-
There are two default tunnel groups in the ASA system: DefaultRAGroup, which is the default remote-access tunnel group, and DefaultL2Lgroup, which is the default LAN-to-LAN tunnel group. You can change them but not delete them. The ASA uses these groups to configure default tunnel parameters for remote access and LAN-to-LAN tunnel groups when there is no specific tunnel group identified during tunnel negotiation.
-
Dynamic crypto map entries identify the transform set for the connection. You also enable reverse routing, which lets the ASA learn routing information for connected clients and advertise it via RIP or OSPF. Use the command syntax in the following examples as a guide.
-
Configuration Examples for Remote Access IPsec VPNs
Detailed Steps
Step 1
Command: crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
Purpose: Creates a crypto map entry that uses a dynamic crypto map.
Example:
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)#
Step 2
Command: crypto map map-name interface interface-name
Purpose: Applies the crypto map to the outside interface.
-
Feature History for Remote Access VPNs
hostname(config)# crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# tunnel-group testgroup type remote-access
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# ikev1 pre-shared-key 44kkaol59636jnfx
hostname(config)# crypto dynamic-map dyn1 1 set ikev1
-
CHAPTER 70 Configuring Network Admission Control
This chapter includes the following sections:
• Information about Network Admission Control, page 70-1
• Licensing Requirements, page 70-2
• Prerequisites for NAC, page 70-4
• Guidelines and Limitations, page 70-4
• Viewing the NAC Policies on the Security Appliance, page 70-5
• Adding, Accessing, or Removing a NAC Policy, page 70-7
• Configuring a NAC Policy, page 70-8
• Assigning a NAC Policy to a Group Policy, page 70-13
• Changing
-
Licensing Requirements
In a NAC Framework configuration involving the ASA, only a Cisco Trust Agent running on the client can fulfill the role of posture agent, and only a Cisco Access Control Server (ACS) can fulfill the role of posture validation server. The ACS uses dynamic ACLs to determine the access policy for each client.
-
Models: ASA 5540, ASA 5550, ASA 5580, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X
License Requirement (footnotes 1, 2): AnyConnect Premium license:
• Base License: 2 sessions.
• Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, or 2500 sessions.
• Optional Shared licenses (footnote 3): Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000.
-
Prerequisites for NAC
Models: ASA 5555-X, ASA 5585-X with SSP-10, ASA 5585-X with SSP-20, -40, and -60
License Requirement (footnotes 1, 2): AnyConnect Premium license:
• Base License: 2 sessions.
• Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, or 5000 sessions.
• Optional Shared licenses (footnote 3): Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000.
-
Viewing the NAC Policies on the Security Appliance
Before configuring the NAC policies to be assigned to group policies, we recommend that you view any that may already be set up on the ASA. Because the default configuration does not contain NAC policies, entering this command is a useful way to determine whether anyone has added any.
-
Detailed Steps
Step 1
Command: show running-config nac-policy
Purpose: Views any NAC policies that are already set up on the ASA.
-
Adding, Accessing, or Removing a NAC Policy
Step 3
Command: show nac-policy
Purpose: Displays the assignment of NAC policies to group policies. Shows which NAC policies are unassigned and the usage count for each NAC policy.
Example:
asa2(config)# show nac-policy
nac-policy framework1 nac-framework
  applied session count = 0
  applied group-policy count = 2
  group-policy list: GroupPolicy2 GroupPolicy1
nac-policy framework2 nac-framework is not in use.
-
Configuring a NAC Policy
Detailed Steps
Step 1
Command: global
Purpose: Switches to global configuration mode.
Step 2
Command: nac-policy nac-policy-name nac-framework
Purpose: Adds or modifies a NAC policy. nac-policy-name is the name of a new NAC policy or one that is already present. The name is a string of up to 64 characters. nac-framework specifies that a NAC Framework configuration will provide a network access policy for remote hosts.
-
Detailed Steps
Step 1
Command: aaa-server host
Purpose: Names the Access Control Server group even if the group contains only one server.
Step 2 (Optional)
Command: show running-config aaa-server
Purpose: Displays the AAA server configuration.
Example:
hostname(config)# show running-config aaa-server
aaa-server acs-group1 protocol radius
aaa-server acs-group1 (outside) host 192.168.22.
-
Detailed Steps
Step 1
Command: nac-policy-nac-framework
Purpose: Switches to nac-policy-nac-framework configuration mode.
Step 2
Command: sq-period seconds
Purpose: Changes the status query interval. seconds must be in the range 30 to 1800 seconds (5 to 30 minutes).
Example:
hostname(config-group-policy)# sq-period 1800
hostname(config-group-policy)#
Changes the query timer to 1800 seconds.
(Optional) Turns off the status query timer.
-
Detailed Steps
Step 1
Command: nac-policy-nac-framework
Purpose: Switches to nac-policy-nac-framework configuration mode.
Step 2
Command: default-acl acl-name
Purpose: Specifies which ACL to use as the default ACL for NAC sessions. acl-name is the name of the access control list to be applied to the session.
-
Detailed Steps
Step 1
Command: nac-policy-nac-framework
Purpose: Switches to nac-policy-nac-framework configuration mode.
Step 2
Command: exempt-list os "os-name" [ disable | filter acl-name [ disable ] ]
Purpose: Adds an entry to the list of remote computer types that are exempt from NAC posture validation.
• os-name is the operating system name. Use quotation marks if the name includes a space (for example, "Windows XP").
-
Assigning a NAC Policy to a Group Policy
Upon completion of each tunnel setup, the ASA applies the NAC policy, if it is assigned to the group policy, to the session. By default, the nac-settings command is not present in the configuration of each group policy. The ASA automatically enables NAC for a group policy when you assign a NAC policy to it.
-
Changing Global NAC Framework Settings
Enabling and Disabling Clientless Authentication
Clientless authentication is enabled by default. The default configuration contains the eou allow clientless configuration.
Restrictions
The eou commands apply only to NAC Framework sessions.
Detailed Steps
Follow these steps to enable clientless authentication for a NAC Framework configuration:
Step 1
Command: global
Purpose: Switches to global configuration mode.
-
Step 1
Command: global
Purpose: Switches to global configuration mode.
Step 2
Command: eou clientless username username
Purpose: Changes the username used for clientless authentication. username must match the username configured on the Access Control Server to support clientless hosts.
-
Detailed Steps
Step 1
Command: global
Purpose: Switches to global configuration mode.
Step 2
Command: eou port port_number
Purpose: Changes the port number (on the client endpoint) used for EAP over UDP communication with posture agents. The default port number is 21862. port_number must match the port number configured on the CTA. Enter a value in the range 1024 to 65535.
-
Step 7
Command: no eou max-retry
Purpose: (Optional) Changes the maximum number of retransmission retries to its default value.
Example:
hostname(config)# no eou max-retry
hostname(config)#
Step 8
Command: eou timeout hold-period seconds
Purpose: Changes the session reinitialization timer.
Example:
hostname(config)# eou timeout hold-period 120
hostname(config)#
-
CHAPTER 71 Configuring Easy VPN Services on the ASA 5505
This chapter describes how to configure the ASA 5505 as an Easy VPN hardware client. This chapter assumes you have configured the switch ports and VLAN interfaces of the ASA 5505 (see Chapter 7, "Starting Interface Configuration (ASA 5505)").
Note The Easy VPN hardware client configuration specifies the IP address of its primary and secondary (backup) Easy VPN servers.
-
Specifying the Primary and Secondary Servers
• no vpnclient enable to specify the role of the ASA 5505 as server
The following example shows how to specify the ASA 5505 as an Easy VPN hardware client:
hostname(config)# vpnclient enable
hostname(config)#
The CLI responds with an error message indicating that you must remove certain data elements if you switch from server to hardware client, depending on whether the elements are present in the con
-
Specifying the Mode
ip_primary_address is the IP address or DNS name of the primary Easy VPN server.
ip_secondary_address_n (Optional) is a list of the IP addresses or DNS names of up to ten backup Easy VPN servers. Use a space to separate the items in the list.
For example, enter the following command to configure a VPN client to use Easy VPN Server 10.10.10.15 as the primary server, and 10.10.10.30 and 192.168.10.
-
Configuring Automatic Xauth Authentication
In this scenario, the security appliance builds the tunnel only for vlan1, the interface with the highest security level. If you want to encrypt traffic from vlan12, you must change the security level of interface vlan1 to a lower value than that of vlan12.
-
Comparing Tunneling Options
If you configure an ASA 5505 to use TCP-encapsulated IPsec, enter the following command to let it send large packets over the outside interface:
hostname(config)# crypto ipsec df-bit clear-df outside
hostname(config)#
This command clears the Don't Fragment (DF) bit from the encapsulated header. The DF bit is a bit within the IP header that determines whether the packet can be fragmented.
-
Specifying the Tunnel Group or Trustpoint
Caution Cisco does not support the use of the vpnclient management command if a NAT device is present between the client and the Internet.
• Use of the vpnclient mode command to specify one of the following modes of operation:
– client to use Port Address Translation (PAT) mode to isolate the addresses of the inside hosts, relative to the client, from the enterprise network.
-
Specifying the Tunnel Group
Enter the following command in global configuration mode to specify the name of the VPN tunnel group and password for the Easy VPN client connection to the server:
vpnclient vpngroup group_name password preshared_key
group_name is the name of the VPN tunnel group configured on the Easy VPN server. You must configure this tunnel group on the server before establishing a connection.
-
hostname(config)# no vpnclient trustpoint
hostname(config)#
Configuring Split Tunneling
Split tunneling lets a remote-access IPsec client conditionally direct packets over an IPsec tunnel in encrypted form or to a network interface in clear text form. The Easy VPN server pushes the split tunneling attributes from the group policy to the Easy VPN Client for use only in the work zone.
-
Configuring Remote Management
The next example provides greater security but less flexibility because it exempts one specific Cisco IP phone:
hostname(config)# vpnclient mac-exempt 0003.6b54.b213 ffff.ffff.ffff
hostname(config)#
Make sure you have Individual User Authentication and User Bypass configured on the headend device.
-
hostname(config)# no vpnclient management
hostname(config)#
Guidelines for Configuring the Easy VPN Server
The following sections address the Easy VPN hardware client considerations that apply to the Easy VPN server:
• Group Policy and User Attributes Pushed to the Client
• Authentication Options
Group Policy and User Attributes Pushed to the Client
Upon tunnel establishment, the Easy VPN server p
-
Table 71-2 Group Policy and User Attributes Pushed to the Cisco ASA 5505 Configured as an EasyVPN Hardware Client (continued)
Command: pfs
Description: Commands the VPN client to use perfect forward secrecy.
Command: re-xauth
Description: Requires XAUTH authentication when IKE rekeys. Note: Disable re-xauth if secure unit authentication is enabled.
-
Note IPsec NAT-T connections are the only IPsec connection types supported on the home VLAN of a Cisco ASA 5505. IPsec over TCP and native IPsec connections are not supported.
Authentication Options
The ASA 5505 supports the following authentication mechanisms, which it obtains from the group policy stored on the Easy VPN Server.
-
CHAPTER 72 Configuring the PPPoE Client
This section describes how to configure the PPPoE client provided with the ASA.
-
Note PPPoE is not supported when failover is configured on the ASA, or in multiple context or transparent mode. PPPoE is only supported in single, routed mode, without failover.
Configuring the PPPoE Client Username and Password
To configure the username and password used to authenticate the ASA to the access concentrator, use the vpdn command.
-
Enabling PPPoE
Note You must complete the configuration using the vpdn command, described in "Configuring the PPPoE Client Username and Password," before enabling PPPoE.
The PPPoE client functionality is turned off by default.
-
Monitoring and Debugging the PPPoE Client
This command causes the ASA to use the specified address instead of negotiating with the PPPoE server to assign an address dynamically. Replace ipaddress and mask with the IP address and subnet mask assigned to your ASA. For example:
hostname(config-if)# ip address outside 201.n.n.n 255.255.255.
-
Clearing the Configuration
Local Internet Address 199.99.99.
-
CHAPTER 73 Configuring LAN-to-LAN IPsec VPNs
A LAN-to-LAN VPN connects networks in different geographic locations. The ASA supports LAN-to-LAN VPN connections to Cisco or third-party peers when the two peers have IPv4 inside and outside networks (IPv4 addresses on the inside and outside interfaces).
-
Configuring Interfaces
hostname(config)# interface ethernet0/0
hostname(config-if)# ip address 10.10.4.100 255.255.0.
-
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
hostname(config-if)#
Step 4 To enable the interface, enter the no version of the shutdown command. By default, interfaces are disabled.
hostname(config-if)# no shutdown
hostname(config-if)#
Step 5 To save your changes, enter the write memory command.
hostname(config-if)# write memory
hostname(config-if)#
Step 6 To configure a second interface, use the same procedure.
-
• Configuring ISAKMP Policies for IKEv2 Connections, page 73-4
Configuring ISAKMP Policies for IKEv1 Connections
To configure ISAKMP policies for IKEv1 connections, use the crypto ikev1 policy command to enter IKEv1 policy configuration mode, where you can configure the IKEv1 parameters:
crypto ikev1 policy priority
Perform the following steps and use the command syntax in the following ex
-
Creating an IKEv1 Transform Set
Perform the following steps and use the command syntax in the following examples as a guide:
Step 1 Enter IPsec IKEv2 policy configuration mode. For example:
hostname(config)# crypto ikev2 policy 1
hostname(config-ikev2-policy)#
Step 2 Set the encryption method. The following example configures 3DES:
hostname(config-ikev2-policy)# encryption 3des
hostname(config-ikev2-policy)#
Step 3 Set the Diffie-Hellman group.
-
Creating an IKEv2 Proposal
Table 73-1 Valid Encryption and Authentication Methods (columns: Valid Encryption Methods, Valid Authentication Methods; entries shown: esp-aes-256, esp-null)
Tunnel Mode is the usual way to implement IPsec between two ASAs that are connected over an untrusted network, such as the public Internet. Tunnel mode is the default and requires no configuration.
-
Configuring an ACL
hostname(config-ipsec-proposal)#
Step 2 Then enter a protocol and encryption types. ESP is the only supported protocol. For example:
hostname(config-ipsec-proposal)# protocol esp encryption 3des aes des
hostname(config-ipsec-proposal)#
Step 3 Enter an integrity type. For example:
hostname(config-ipsec-proposal)# protocol esp integrity sha-1
hostname(config-ipsec-proposal)#
Step 4 Save your changes.
-
Defining a Tunnel Group
There are two default tunnel groups in the ASA: DefaultRAGroup, which is the default IPsec remote-access tunnel group, and DefaultL2Lgroup, which is the default IPsec LAN-to-LAN tunnel group. You can modify them but not delete them. You can also create one or more new tunnel groups to suit your environment.
-
Creating a Crypto Map and Applying It To an Interface
Crypto map entries pull together the various elements of IPsec security associations, including the following:
• Which traffic IPsec should protect, which you define in an access list.
• Where to send IPsec-protected traffic, by identifying the peer.
• What IPsec security applies to this traffic, which a transform set specifies.
-
Step 3 To specify an IKEv1 transform set for a crypto map entry, enter the crypto map ikev1 set transform-set command. The syntax is crypto map map-name seq-num ikev1 set transform-set transform-set-name. In the following example, the transform set name is FirstSet.
-
C H A P T E R 74 Configuring Clientless SSL VPN This chapter describes how to configure clientless SSL VPN and includes the following sections: • Information About Clientless SSL VPN, page 74-1 • Licensing Requirements, page 74-2 • Prerequisites for Clientless SSL VPN, page 74-4 • Guidelines and Limitations, page 74-4 • Configuring Application Helper, page 74-11 • Using Single Sign-on with Clientless SSL VPN, page 74-13 • Encoding, page 74-29 • Configuring Connection Profile Attributes for
-
Clientless SSL VPN lets users establish a secure, remote-access VPN tunnel to an ASA using a web browser. Users do not need a software or hardware client. Clientless SSL VPN provides secure and easy access to a broad range of web resources and both web-enabled and legacy applications from almost any computer that can reach HTTP Internet sites.
-
Licensing Requirements

Model: ASA 5540, ASA 5550, ASA 5580, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X
License Requirement (footnotes 1, 2): AnyConnect Premium license:
• Base License: 2 sessions.
• Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, or 2500 sessions.
• Optional Shared licenses (footnote 3): Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000.
-
Model: ASA 5555-X, ASA 5585-X with SSP-10, ASA 5585-X with SSP-20, -40, and -60
License Requirement (footnotes 1, 2): AnyConnect Premium license:
• Base License: 2 sessions.
• Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, or 5000 sessions.
• Optional Shared licenses (footnote 3): Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000.
-
• DSA certificates. The ASA does support RSA certificates.
• Remote HTTPS certificates.
• Requirements of some domain-based security products. Because the ASA encodes the URL, requests actually originate from the ASA, which in some cases do not satisfy the requirements of domain-based security products.
• Inspection features under the Modular Policy Framework, inspecting configuration control.
-
Figure 74-1 Example URL Typed by User
Figure 74-2 Same URL Rewritten by Security Appliance and Displayed on the Browser Window

Disabling URL on the Portal Page

The portal page is the page that opens when the user establishes a browser-based connection. Follow these steps to disable the URL entry on the portal page.
-
• Configuring Clientless SSL VPN and ASDM Ports, page 74-7
• Configuring Support for Proxy Servers, page 74-8
• Configuring SSL/TLS Encryption Protocols, page 74-10

Using HTTPS for Clientless SSL VPN Sessions

To permit clientless SSL VPN sessions on an interface, perform the following steps:

Prerequisites

In a web browser, users enter the ASA IP address in the format https:// address where address is the IP address or DN
-
Step 1  webvpn
        Switches to webvpn configuration mode.

Step 2  port port_number
        Changes the SSL listening port for clientless SSL VPN.
        Example: Enables clientless SSL VPN on port 444 of the outside interface. With this configuration, remote users initiating clientless SSL VPN sessions enter https://:444 in the browser.

hostname(config)# http server enable
hostname(config)# http 192.168.3.
-
Step 4  https-proxy host [port] [exclude url] [username username {password password}]

Step 5  http-proxy pac url

Step 6  (Optional) exclude
        Excludes URLs from those that can be sent to the proxy server.

Step 7  host
        Provides the hostname or IP address for the external proxy server.
-
Step 16  Example:
hostname(config-webvpn)# http-proxy 209.165.201.1 user jsmith password mysecretdonttell
hostname(config-webvpn)

Step 17  Example:
hostname(config-webvpn)# http-proxy 209.165.201.1 exclude www.example.com username jsmith password mysecretdonttell
hostname(config-webvpn)

Step 18  Example:
hostname(config-webvpn)# http-proxy pac http://www.example.
-
• (Optional) Click Find to search for a web ACL. Start typing in the field, and the tool searches the beginning characters of every field for a match. You can use wild cards to expand your search. For example, typing sal in the Find field matches a web ACL named sales but not a customization object named wholesalers. If you type *sal in the Find field, the search finds the first instance of either sales or wholesalers in the table.
-
Managing Passwords

Optionally, you can configure the ASA to warn end users when their passwords are about to expire. The ASA supports password management for the RADIUS and LDAP protocols. It supports the "password-expire-in-days" option for LDAP only. You can configure password management for IPsec remote access and SSL VPN tunnel-groups.
-
Detailed Steps

Note This command does not change the number of days before the password expires, but rather, the number of days ahead of expiration that the ASA starts warning the user that the password is about to expire.

Step 1  tunnel-group general-attributes
        Switches to general-attributes mode.

Step 2  password-management
        Notifies remote users that their password is about to expire.
-
Configuring SSO with HTTP Basic or NTLM Authentication

This section describes single sign-on with HTTP Basic or NTLM authentication. You can configure the ASA to implement SSO using either or both of these methods. The auto-signon command configures the ASA to automatically pass clientless SSL VPN user login credentials (username and password) on to internal servers. You can enter multiple auto-signon commands.
-
Configuring SSO Authentication Using SiteMinder

This section describes configuring the ASA to support SSO with SiteMinder. You would typically choose to implement SSO with SiteMinder if your website security infrastructure already incorporates SiteMinder. With this method, SSO authentication is separate from AAA and happens once the AAA process completes.

Prerequisites
• Specifying the SSO server.
-
Step 5  policy-server-secret
        Specifies a secret key to secure the authentication communication between the ASA and SiteMinder.
        Example:
        hostname(config-webvpn-sso-siteminder)# policy-server-secret AtaL8rD8!
        hostname(config-webvpn-sso-siteminder)#
        Creates a secret key AtaL8rD8!.

Step 6
-
Detailed Steps

This section presents general tasks, not a complete procedure. To configure the Cisco authentication scheme on your SiteMinder Policy Server, perform the following steps:

Step 1 With the SiteMinder Administration utility, create a custom authentication scheme, being sure to use the following specific arguments:
• In the Library field, enter smjavaapi.
-
Optionally, in addition to these required tasks, you can do the following configuration tasks:
• Configure the authentication request timeout (the request-timeout command)
• Configure the number of authentication request retries (the max-retry-attempts command)

• SAML SSO is supported only for clientless SSL VPN sessions.
• The ASA currently supports only the Browser Post Profile type of SAML SSO Server.
-
Step 8  (Optional) max-retry-attempts
        Configures the number of times the ASA retries a failed SSO authentication attempt before the authentication times out.
        Example:
        hostname(config-webvpn-sso-saml)# max-retry-attempts 4
        hostname(config-webvpn-sso-saml)#
        Sets the number of retries to 4. The default is 3 retry attempts, and the possible range is 1 to 5 attempts.
-
• Subject Name format is uid=

Configuring SSO with the HTTP Form Protocol

This section describes using the HTTP Form protocol for SSO. HTTP Form protocol is an approach to SSO authentication that can also qualify as a AAA method. It provides a secure method for exchanging authentication information between users of clientless SSL VPN and authenticating web servers.
-
Figure 74-4 SSO Authentication Using HTTP Forms (diagram components: Auth Web server, Tunnel, Web VPN server, Other protected web server)

While you would expect to configure form parameters that let the ASA include POST data such as the username and password, you initially might not be aware of additional hidden parameters that the web server requires.
-
Step 1  aaa-server-host
        Switches to the aaa-server-host configuration mode.

Step 2  start-url
        If the authenticating web server requires it, specifies the URL from which to retrieve a pre-login cookie from the authenticating web server.
        Example:
        hostname(config)# aaa-server testgrp1 protocol http-form
        hostname(config)# aaa-server testgrp1 host 10.0.0.

Step 3
-
Step 6  hidden-parameter
        Specifies hidden parameters for exchange with the authenticating web server.
        Example:
        SMENC=ISO-8859-1&SMLOCALE=US-EN&target=https%3A%2F%2Fwww.example.com%2Femco%2Fappdir%2FAreaRoot.do%3FEMCOPageCode%3DENG&smauthreason=0
        To specify this hidden parameter, enter the following commands:
        hostname(config)# aaa-server testgrp1 host example.
-
Detailed Steps

Step 1 Start your browser and HTTP header analyzer, and connect directly to the web server login page without going through the ASA.

Step 2 After the web server login page has loaded in your browser, examine the login sequence to determine if a cookie is being set during the exchange. If the web server has loaded a cookie with the login page, configure this login page URL as the start-URL.
-
Figure 74-5 Action-uri, hidden, username and password parameters (callouts: 1 Action URI parameter; 2 Hidden parameters; 3 Username and password parameters)

Step 6 If you successfully log in to the web server, examine the server response with the HTTP header analyzer to locate the name of the session cookie set by the server in your browser. This is the auth-cookie-name parameter.
-
Set-Cookie: SMSESSION=yN4Yp5hHVNDgs4FT8dn7+Rwev41hsE49XlKc+1twie0gqnjbhkTkUnR8XWP3hvDH6PZPbHIHtWLDKTa8ngDB/lbYTjIxrbDx8WPWwaG3CxVa3adOxHFR8yjD55GevK3ZF4ujgU1lhO6fta0dSSOSepWvnsCb7IFxCw+MGiw0o88uHa2t4l+SillqfJvcpuXfiIAO06D/gtDF40Ow5YKHEl2KhDEvv+yQzxwfEz2cl7Ef5iMr8LgGcDK7qvMcvrgUqx68JQOK2+RSwtHQ15bCZmsDU5vQVCvSQWC8OMHNGwpS253XwRLvd/h6S/tM0k98QMv+i3N8oOdj1V7flBqecH7+kVrU01F6oFzr0zM1kMyLr5HhlVDh7B0k9wp0dUFZiAzaf43jupD5
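The steps above have the administrator read the login page and the post-login response by hand in an HTTP header analyzer to find the action URI, the hidden parameters, the username and password field names, and the name of the session cookie (auth-cookie-name). The following script automates that discovery offline. It is an added example and not part of the Cisco guide: the login page HTML and the response headers are constructed to resemble a SiteMinder-style exchange (the hidden parameters match the example string shown earlier in this section), and the aaa-server-host command names it prints (start-url, action-uri, user-parameter, password-parameter, hidden-parameter, auth-cookie-name) are the ASA http-form parameters; the page itself names only some of them.

```python
"""Derive the ASA HTTP Form SSO parameters from a captured login exchange.

Added example, not code from the Cisco guide. Both inputs below are
constructed samples, not captures from a real server.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin

# Constructed sample: the login page served by the authenticating web server.
LOGIN_PAGE = """
<html><body>
<form name="login" method="post" action="/webapp/login.fcc">
  <input type="hidden" name="SMENC" value="ISO-8859-1">
  <input type="hidden" name="SMLOCALE" value="US-EN">
  <input type="hidden" name="target"
         value="https://www.example.com/emco/appdir/AreaRoot.do?EMCOPageCode=ENG">
  <input type="hidden" name="smauthreason" value="0">
  <input type="text" name="userid">
  <input type="password" name="user_password">
  <input type="submit" value="Login">
</form>
</body></html>
"""

# Constructed sample: raw response headers after a successful login.
LOGIN_RESPONSE_HEADERS = """HTTP/1.1 302 Found
Set-Cookie: SMSESSION=yN4Yp5hHVNDgs4FT8dn7; path=/; domain=.example.com; secure
Set-Cookie: SMCHALLENGE=YES; path=/
Location: https://www.example.com/emco/appdir/AreaRoot.do?EMCOPageCode=ENG
Content-Length: 0
"""


class LoginFormParser(HTMLParser):
    """Collects the first <form> on the page and classifies its <input> fields."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.hidden = {}            # hidden parameter name -> value
        self.username_field = None
        self.password_field = None
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self._in_form = True
            self.action = a.get("action", "")
        elif tag == "input" and self._in_form:
            name = a.get("name")
            if not name:                      # submit buttons etc. carry no name
                return
            itype = (a.get("type") or "text").lower()
            if itype == "hidden":
                self.hidden[name] = a.get("value", "")
            elif itype == "password" and self.password_field is None:
                self.password_field = name
            elif itype in ("text", "email") and self.username_field is None:
                self.username_field = name

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def extract_form_parameters(html, page_url):
    """Return the action-uri, hidden-parameter, user- and password-parameter values."""
    p = LoginFormParser()
    p.feed(html)
    return {
        "action-uri": urljoin(page_url, p.action or ""),
        # urlencode() produces the same percent-encoded form the guide shows.
        "hidden-parameter": urlencode(p.hidden),
        "user-parameter": p.username_field,
        "password-parameter": p.password_field,
    }


def extract_cookie_names(raw_headers):
    """Return the name of every cookie set in a raw HTTP response (auth-cookie-name candidates)."""
    names = []
    for line in raw_headers.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            names.append(value.strip().split("=", 1)[0])
    return names


def render_asa_commands(server_group, page_url, html, raw_headers):
    """Render the aaa-server-host lines; the first Set-Cookie name is taken as auth-cookie-name."""
    params = extract_form_parameters(html, page_url)
    cookies = extract_cookie_names(raw_headers)
    lines = [f"aaa-server {server_group} protocol http-form",
             f" start-url {page_url}",
             f" action-uri {params['action-uri']}",
             f" user-parameter {params['user-parameter']}",
             f" password-parameter {params['password-parameter']}",
             f" hidden-parameter {params['hidden-parameter']}"]
    if cookies:
        lines.append(f" auth-cookie-name {cookies[0]}")
    return lines


if __name__ == "__main__":
    for line in render_asa_commands("testgrp1", "https://www.example.com/login/index.html",
                                    LOGIN_PAGE, LOGIN_RESPONSE_HEADERS):
        print(line)
```

Run it against a page saved from the real login server and the headers copied out of the analyzer; the rendered lines are a starting point to check against the actual exchange, since a server may set several cookies and only one of them is the session cookie.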
-
Configuring SSO for Plug-ins

Plug-ins support single sign-on (SSO). They use the same credentials (username and password) entered to authenticate the clientless SSL VPN session. Because the plug-ins do not support macro substitution, you do not have the option to perform SSO on different fields, such as the internal domain password or the attribute on a RADIUS or LDAP server.
-
The CSCO_WEBVPN_MACRO1 macro substitution with RADIUS is performed by VSA#223 (see Table 74-1).

Table 74-1 VSA#223

Attribute Name       ASA  Attr. #  Syntax/Type  Single or Multi-Valued  Description or Value
WebVPN-Macro-Value1  Y    223      String       Single                  Unbounded
WebVPN-Macro-Value2  Y    224      String       Single                  Unbounded

A value such as www.cisco.com/email dynamically populates a bookmark on the Clientless SSL VPN portal, such as https://CSCO_WEBVPN_MACRO1 or https://CSCO_WEBVPN_MACRO2 for the particular DAP or group policy.
-
• big5
• gb2312
• ibm-850
• iso-8859-1
• shift_jis

Note If you are using Japanese Shift_jis Character encoding, click Do not specify in the Font Family area of the associated Select Page Font pane to remove the font family.

• unicode
• windows-1252
• none

Note If you click none or specify a value that the browser on the clientless SSL VPN session does not support, it uses its own default encoding.
-
You can type a string consisting of up to 40 characters, and equal to one of the valid character sets identified in http://www.iana.org/assignments/character-sets. You can use either the name or the alias of a character set listed on that page. The string is case-insensitive. The command interpreter converts upper-case to lower-case when you save the ASA configuration.
-
For example, to assign a clientless SSL VPN user to the SSL_VPN group, set the RADIUS Class Attribute to a value of OU=SSL_VPN; (Do not omit the semicolon.
-
Table 74-2 Connection Profile Attributes for Clientless SSL VPN

Command    Function
dns-group  Identifies the DNS server group that specifies the DNS server name, domain name, name server, number of retries, and timeout values.
-
Table 74-3 Group Policy and User Attributes for Clientless SSL VPN

Command            Function
http-proxy         Configures the ASA to use an external proxy server to handle HTTP requests.
                   Note Proxy NTLM authentication is not supported in http-proxy. Only proxy without authentication and basic authentication are supported.
keep-alive-ignore  Sets the maximum object size to ignore for updating the session timer.
-
• Populates the drop-down menu next to the URL attributes in ASDM.
• Enables the plug-in for all future clientless SSL VPN sessions, and adds a main menu option and an option to the drop-down menu next to the Address field of the portal page.

Table 74-4 shows the changes to the main menu and address field of the portal page when you add the plug-ins described in the following sections.
-
• The plug-ins support single sign-on (SSO). They use the same credentials entered to open the clientless SSL VPN session. Because the plug-ins do not support macro substitution, you do not have the options to perform SSO on different fields such as the internal domain password or on an attribute on a RADIUS or LDAP server.
• A stateful failover does not retain sessions established using plug-ins.
-
• Create a temporary directory named "plugins" on a local TFTP or FTP server (for example, with the hostname "local_tftp_server"), and download the plug-ins from the Cisco web site to the "plugins" directory.

Restrictions

Table 74-5 Plug-ins Redistributed by Cisco

Protocol  Description  Source of Redistributed Plug-in  Cisco Download Link
* rdp-plugin.090915.
-
Detailed Steps

Follow these steps to provide clientless SSL VPN browser access to a plug-in redistributed by Cisco.

Note The ASA does not retain the import webvpn plug-in protocol command in the configuration. Instead, it loads the contents of the csco-config/97/plugin directory automatically. A secondary ASA obtains the plug-ins from the primary ASA.

Step 1
-
Restrictions
• Cisco does not provide direct support for or recommend any particular plug-ins that are not redistributed by Cisco. As a provider of clientless SSL VPN services, you are responsible for reviewing and complying with any license agreements required for the use of plug-ins.
• It is strictly HTML/JavaScript code and not a Java plug-in. It contains no client components.
• No support on Firefox.
-
For additional information on configuring SSO and the required parameters, refer to the SSL VPN deployment guide (http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1002989).
-
Step 5 Open a CLI session with the ASA and install the plug-in by entering the following command in privileged EXEC mode:

import webvpn plug-in protocol ica URL

URL is the host name or IP address and path to the ica-plugin.zip file.
-
and One-time Passwords (OTP), the SSO feature falls short in meeting that demand, because it only forwards conventional user credentials, such as static username and password, to clientless web-based resources when authentication is required. For example, neither certificate- nor OTP-based authentication methods encompass a conventional username and password necessary for the ASA to seamlessly perform SSO access to web-based resources.
-
application trust boundaries by limiting where application services can act on a user's behalf. This flexibility improves application security designs by reducing the chance of compromise by an untrusted service. For more information on constrained delegation, see RFC 1510 via the IETF website (http://www.ietf.org).
-
Note KCD for Clientless SSL VPN is supported for all authentication methods (RADIUS, RSA/SDI, LDAP, digital certificates, and so on). Refer to the AAA Support table at http://www.cisco.com/en/US/partner/docs/security/asa/asa84/configuration/guide/access_aaa.html#wp1069492.

2. Based on the HTTP headers in the challenge, ASA determines whether the server requires Kerberos authentication. (This is part of the SPNEGO mechanism.
-
Step 1  ntp hostname
        Joins the Active Directory domain. Shows a 10.1.1.10 domain controller (which is reachable inside the interface) with a domain name of private.net and a service account on the domain controller using dcuser as the username and dcuser123! as the password.
        Example:
        hostname(config)# config t
        -----Create an alias for the Domain Controller------------
        hostname(config)# name 10.1.1.
-
Detailed Steps

Step 1  webvpn
        Switches to webvpn configuration mode.

Step 2  kcd-server

Step 3  kcd-server aaa-server-group
        Specifies the domain controller name and realm. The AAA server group must be a Kerberos type.
        Example:
        ASA(config)# aaa-server KG protocol kerberos
        ASA(config)# aaa-server KG (inside) host DC
        ASA(config-aaa-server-host_# kerberos-realm test.

Step 4
-
Showing Cached Kerberos Tickets

To display all Kerberos tickets cached on the ASA, enter the following commands:

Step 1  webvpn
        Switches to webvpn configuration mode.

Step 2  show aaa kerberos
        Displays all Kerberos tickets cached on the ASA.
-
Clearing Cached Kerberos Tickets

To clear all Kerberos ticket information on the ASA, follow these commands:

Step 1  webvpn
        Switches to webvpn configuration mode.

Step 2  clear aaa kerberos
        Clears all Kerberos ticket information on the ASA.
-
• Enabling and Disabling Smart Tunnel Access

About Smart Tunnels

A smart tunnel is a connection between a TCP-based application and a private site, using a clientless (browser-based) SSL VPN session with the security appliance as the pathway, and the ASA as a proxy server. You can identify applications to which you want to grant smart tunnel access, and specify the local path to each application.
-
Note Browser-based VPN access does not support Windows Shares (CIFS) Web Folders on Windows 7, Vista, Internet Explorer 8, Mac OS, and Linux. Windows XP SP2 requires a Microsoft hotfix to support Web Folders.

• Only Winsock 2, TCP-based applications are eligible for smart tunnel access.
• Smart tunnel supports Mac OS running on an Intel processor only.
• Java Web Start must be enabled on the browser.
-
• In a Mac OS, applications using TCP that are dynamically linked to the SSL library can work over a smart tunnel.
• Smart tunnel does not support the following on Mac OS:
  – Proxy services.
  – Auto sign-on.
  – Applications that use two-level name spaces.
  – Console-based applications, such as Telnet, SSH, and cURL.
  – Applications using dlopen or dlsym to locate libsocket calls.
-
Step 1  webvpn
        Switches to webvpn configuration mode.

Step 2  smart-tunnel list list application path [platform OS] [hash]
        Adds an entry to a list of applications that can use a clientless SSL VPN session to connect to private sites.
        • platform is windows or mac to indicate the host OS of the application. The default value is platform windows.
-
Step 4  (Optional) no smart-tunnel list list
        Removes an entire list of applications from the ASA configuration.
        • list is the name for a list of applications or programs. Use quotation marks around the name if it includes a space. The CLI creates the list if it is not present in the configuration. Otherwise, it adds the entry to the list.
-
Step 5  smart-tunnel list
        Enter once for each path to authorize an application for smart tunnel access when it is present on one of several paths on the remote host.
-
Step 6  Example:
        smart-tunnel list apps LotusSametime connect.exe
        (Windows) Adds Lotus SameTime to a smart tunnel list named apps.

        smart-tunnel list apps lotusnotes notes.exe
        smart-tunnel list apps lotusnlnotes nlnotes.exe
        smart-tunnel list apps lotusntaskldr ntaskldr.exe
        smart-tunnel list apps lotusnfileret nfileret.exe
        (Windows) Adds the Lotus 6.0 thick client with Domino Server 6.5.5.
-
• Start smart tunnel access automatically upon user login.
• Enable smart tunnel access upon user login, but require the user to start it manually, using the Application Access > Start Smart Tunnels button on the clientless SSL VPN Portal Page.

Restrictions

These options are mutually exclusive for each group policy and username. Use only one. The following smart tunnel commands are available to each group policy and username.
-
Detailed Steps

Step 1  webvpn
        Switches to webvpn configuration mode.

Step 2  [no] smart-tunnel network ip
        Creates a list of hosts to use for configuring smart tunnel policies. is the name to apply to the tunnel policy. is the IP address of the network. is the netmask of the network.
-
Step 4  ciscoasa(config-webvpn)# [no] smart-tunnel network ip
        ciscoasa(config-webvpn)# [no] smart-tunnel network host
        Parameters: Name of network to apply to tunnel policy; IP address of a network; Netmask of a network; Hostname mask, such as *.cisco.com.
        Applies a tunnel policy to a group-policy/user policy.
-
Detailed Steps

Step 1  webvpn
        Switches to webvpn configuration mode.

Step 2  smart-tunnel auto-signon list [use-domain] {ip ip-address [netmask] | host hostname-mask}
        Use for each server you want to add to the server list.

Step 3  (Optional)
        • list names the list of remote servers. Use quotation marks around the name if it includes a space. The string can be up to 64 characters.
-
Following the configuration of the smart tunnel auto sign-on server list, you must assign it to a group policy or a local user policy for it to become active, as described in the next section.

Adding or Editing a Smart Tunnel Auto Sign-on Server Entry

This section describes how to list the servers for which to provide auto sign-on in smart tunnel connections and assign the lists to group policies or usernames.
-
Step 4  (Optional) [no] smart-tunnel auto-signon enable list [domain domain] [host host name] [realm realm string] [port port number]
        Disables smart tunnel auto sign-on for the clientless SSL VPN session, removes it from the group policy or username, and uses the default.
        • list is the name of a smart tunnel auto sign-on list already present in the ASA webvpn configuration.
-
Requirements

For Mac OS X, you must click the link for the application in the portal's Application Access panel, with or without auto-start configured.

Detailed Steps

Step 1  webvpn
        Switches to webvpn configuration mode.

Step 2  group-policy webvpn
        Switches to group-policy webvpn configuration mode.
        OR
Step 3  username webvpn
        Switches to username webvpn configuration mode.
-
Step 4  show running-config webvpn
        Shows the smart tunnel list entries in the SSL VPN configuration.

Step 5  (Optional) no smart-tunnel
        Removes the smart-tunnel command from the group policy or local user policy and reverts to the default group-policy.

Step 6  (Optional) Disables smart tunnel access.
-
Detailed Steps

Step 1  [no] smart-tunnel notification-icon
        Allows administrators to turn on the notification icon on a global basis. This command configures log out properties and controls whether the user is presented with a logout icon for logging out, as opposed to having logout triggered by closing browser windows.
-
Information About Port Forwarding

Port forwarding lets users access TCP-based applications over a clientless SSL VPN connection. Such applications include the following:
• Lotus Notes
• Microsoft Outlook
• Microsoft Outlook Express
• Perforce
• Sametime
• Secure FTP (FTP over SSH)
• SSH
• TELNET
• Windows Terminal Service
• XDDTS

Other TCP-based applications may also work, but we have not tested them.
-
For details, go to the Safari, Mac OS X 10.5.3: Changes in client certificate authentication.
• Users of Microsoft Windows Vista who use port forwarding or smart tunnels must add the URL of the ASA to the Trusted Site zone. To access the Trusted Site zone, they must start Internet Explorer and choose the Tools > Internet Options > Security tab.
-
Step 1  dns server-group
        Enters the dns server-group mode.
        Example:
        hostname(config)# dns server-group example.com
        hostname(config-dns-server-group)# domain-name example.com
        hostname(config-dns-server-group)# name-server 192.168.10.10
        Configures a DNS server group named example.com.

Step 2  domain-name
        Specifies the domain name. The default setting of domain-name is DefaultDNS.
-
Step 3  port-forward {list_name local_port remote_server remote_port description}
        Adds a port forwarding entry to a list.
        • list_name is the name for a set of applications (technically, a set of forwarded TCP ports) for users of clientless SSL VPN sessions to access. The ASA creates a list using the name you enter if it does not recognize it. Otherwise, it adds the port forwarding entry to the list. Maximum 64 characters.
-
Following the configuration of a port forwarding list, assign the list to group policies or usernames, as described in the next section.

Step 7 (Optional) Highlight a port forwarding list and click Assign to assign the selected list to one or more group policies, dynamic access policies, or user policies.
-
For details, go to the section that addresses the option you want to use.

Automating Port Forwarding

To start port forwarding automatically upon user login, enter the following commands:

Detailed Steps

Step 1  webvpn
        Switches to webvpn configuration mode.

Step 2  group-policy webvpn
        Switches to group-policy webvpn configuration mode.
        username webvpn
        Switches to username webvpn configuration mode.
-
Detailed Steps

Step 1  port-forward [enable list_name | disable]
        Enables port forwarding. You do not have to start port forwarding manually if you entered port-forward auto-start list_name from the previous table. list_name is the name of the port forwarding list already present in the ASA webvpn configuration. You cannot assign more than one port forwarding list to a group policy or username.
-
Recovering from hosts File Errors When Using Application Access

The following errors can occur if you do not close the Application Access window properly:
• The next time you try to start Application Access, it might be disabled; you receive a Backup HOSTS File Found error message.
• The applications themselves might be disabled or might malfunction, even when you are running them locally.
-
Stopping Application Access Improperly

When Application Access terminates abnormally, the hosts file remains in a clientless SSL VPN-customized state. Clientless SSL VPN checks the state the next time you start Application Access by searching for a hosts.webvpn file. If it finds one, a Backup HOSTS File Found error message appears, and Application Access is temporarily disabled.
-
server1.example.com invalid.cisco.com # added by WebVpnPortForward
server2 # added by WebVpnPortForward
server2.example.com invalid.cisco.com # added by WebVpnPortForward
server3 # added by WebVpnPortForward
server3.example.com invalid.cisco.com # added by WebVpnPortForward
#
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
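The recovery logic described in the two preceding pages (a hosts.webvpn backup is preferred; otherwise the lines tagged "# added by WebVpnPortForward" are removed by hand) as an added Python example. This is not code from the guide or from Cisco: the sample hosts file, its 127.0.0.x loopback addresses and the "fileserver" entry are constructed for the example, and only the marker string comes from the excerpt above.

```python
# Marker that the port-forwarding applet appends to each hosts entry it adds
# (it appears verbatim in the hosts file excerpt above).
WEBVPN_MARKER = "# added by WebVpnPortForward"

# Constructed sample hosts file. The 127.0.0.x addresses and the "fileserver"
# line are made-up values for this example, not taken from the guide.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
10.0.0.5        fileserver
127.0.0.2 server1 # added by WebVpnPortForward
127.0.0.2 server1.example.com invalid.cisco.com # added by WebVpnPortForward
127.0.0.3 server2 # added by WebVpnPortForward
127.0.0.3 server2.example.com invalid.cisco.com # added by WebVpnPortForward
"""


def is_webvpn_customized(hosts_text):
    """True while the hosts file still carries port-forwarding entries, which
    is the state Application Access leaves behind when it exits abnormally."""
    return WEBVPN_MARKER in hosts_text


def split_webvpn_entries(hosts_text):
    """Separate the lines the port-forwarding applet added from the rest.

    Returns (cleaned_text, removed_names): the hosts file with every
    WebVpnPortForward line dropped, and the hostnames/aliases those lines
    mapped. Only lines carrying the marker are touched, so entries an
    administrator added by hand survive even if they name the same hosts.
    """
    kept, removed = [], []
    for line in hosts_text.splitlines():
        if WEBVPN_MARKER in line:
            fields = line.split("#", 1)[0].split()
            # fields[0] is the loopback address; the rest are the names it mapped
            removed.extend(fields[1:])
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


def recover(hosts_text, backup_text=None):
    """Return the hosts content to write back: the hosts.webvpn backup when one
    exists (the file as it was before the applet edited it), otherwise the
    current file with the applet's lines stripped."""
    if backup_text is not None:
        return backup_text
    cleaned, _ = split_webvpn_entries(hosts_text)
    return cleaned


if __name__ == "__main__":
    cleaned, names = split_webvpn_entries(SAMPLE_HOSTS)
    print("customized before:", is_webvpn_customized(SAMPLE_HOSTS))
    print("removed names:", names)
    print("customized after:", is_webvpn_customized(cleaned))
```

The returned name list is what an administrator would compare against the port forwarding list assigned to the user, to confirm that nothing beyond the applet's own entries is being removed.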
-
The ASA uses a master browser, WINS server, or DNS server, typically on the same network as the ASA or reachable from that network, to query the network for a list of servers when the remote user clicks Browse Networks in the menu of the portal page or on the toolbar displayed during the clientless SSL VPN session.
-
Step 3 Command Purpose nbns-server {IPaddress | hostname} [master] [timeout timeout] [retry retries] Browses a network or domain for each NetBIOS Name Server (NBNS). • master is the computer designated as the master browser. The master browser maintains the list of computers and shared resources.
-
Step 5 (Optional) Command Purpose character-encoding charset Specifies the character set to encode in clientless SSL VPN portal pages delivered to remote users. By default, the encoding type set on the remote browser determines the character set for clientless SSL VPN portal pages, so you need to set the character encoding only if it is necessary to ensure proper encoding on the browser.
-
Ensuring Clock Accuracy for SharePoint Access The clientless SSL VPN server on the ASA uses cookies to interact with applications such as Microsoft Word on the endpoint. The cookie expiration time set by the ASA can cause Word to malfunction when accessing documents on a SharePoint server if the time on the ASA is incorrect. To prevent this malfunction, set the ASA clock properly.
-
Using E-Mail over Clientless SSL VPN Clientless SSL VPN supports several ways to access e-mail. This section includes the following methods: • Configuring E-mail Proxies • Configuring Web E-mail: MS Outlook Web App Configuring E-mail Proxies Clientless SSL VPN supports IMAP4S, POP3S, and SMTPS e-mail proxies. The following attributes apply globally to e-mail proxy users.
-
Command Purpose Step 9 name-separator Defines the separator between the e-mail and VPN usernames and passwords. The default is colon (:). Step 10 outstanding Configures the maximum number of outstanding non-authenticated sessions. The default is 20. Step 11 port Sets the port the e-mail proxy listens to.
-
Detailed Steps Step 1 Command Purpose webvpn Enter webvpn configuration mode. Example: hostname(config)# webvpn Step 2 portal-access-rule priority [{permit | deny [code code]} {any | user-agent match string}] Permit or deny the creation of a clientless SSL VPN session based on an HTTP header code or a string in the HTTP header.
-
Detailed Steps Command Purpose Step 1 webvpn Switches to webvpn configuration mode. Step 2 disable Disables caching. Step 3 expiry-time Configures an expiration time for caching objects. Step 4 lmfactor Configures terms for revalidating cached objects. Step 5 max-object-size Sets a maximum size for objects to cache. Step 6 min-object-size Sets a minimum size for objects to cache.
-
Detailed Steps Command Purpose Step 1 crypto ca import Imports a certificate. Step 2 java-trustpoint Employs a certificate. Example:
hostname(config)# crypto ca import mytrustpoint pkcs12 mypassphrase
Enter the base 64 encoded PKCS12.
End with the word “quit” on a line by itself.
[ PKCS12 data omitted ]
quit
INFO: Import PKCS12 operation completed successfully.
-
If you configure proxy bypass using ports rather than path masks, depending on your network configuration, you might need to change your firewall configuration to allow these ports access to the ASA. Use path masks to avoid this restriction. Be aware, however, that path masks can change, so you might need to use multiple pathmask statements to exhaust the possibilities. A path is everything in a URL after the .com or .
-
APCF Syntax APCF profiles use XML format, and sed script syntax, with the XML tags in Table 74-7. Guidelines Misuse of an APCF profile can result in reduced performance and undesired rendering of content. In most cases, Cisco Engineering supplies APCF profiles to solve specific application rendering issues. Table 74-7 APCF XML Tags Tag Use ... The mandatory root element that opens any APCF XML file.
-
Table 74-7 APCF XML Tags (continued) Tag Use … Wraps one or more actions to perform on the content under specified conditions; you can use the following tags to define these actions (shown below): , , , , .
-
*.example.com Example: 1.0 Change MIME type for all .xyz objects *.
-
Defining the End User Interface The clientless SSL VPN end user interface consists of a series of HTML panels. A user logs on to clientless SSL VPN by entering the IP address of an ASA interface in the format https://address. The first panel that displays is the login screen (Figure 74-9). Figure 74-9 Clientless SSL VPN Login Screen Viewing the Clientless SSL VPN Home Page After the user logs in, the portal page opens.
-
Figure 74-10 Clientless SSL VPN Application Access Window This window displays the TCP applications configured for this clientless SSL VPN connection. To use an application with this panel open, the user starts the application in the normal way. Note A stateful failover does not retain sessions established using Application Access. Users must reconnect following a failover.
-
Be aware of the following characteristics of the floating toolbar: • The toolbar lets you enter URLs, browse file locations, and choose preconfigured web connections without interfering with the main browser window. • If you configure your browser to block popups, the floating toolbar cannot display. • If you close the toolbar, the ASA prompts you to confirm that you want to end the clientless SSL VPN session.
-
Customization Objects, Connection Profiles, and Group Policies Initially, when a user first connects, the default customization object (named DfltCustomization) identified in the connection profile (tunnel group) determines how the logon screen appears.
-
disable
Language:
en
English
zh
中国 (Chinese)
ja
日本 (Japanese)
ru
Русский (Russian)
ua
Україн
-
#858A91 enable /+CSCOU+/csco_logo.
-
enable net-access AnyConnect 4 enable help Help 1000000 enable Logout Address
-
standard Figure 74-12 shows the Logon page and its customizing XML tags. All these tags are nested within the higher-level tag .
-
Figure 74-14 Information Panel on Logon Screen and Associated XML Tags Figure 74-15 shows the Portal page and the XML tags for customizing this feature. These tags are nested within the higher-level tag.
-
Importing a Customization Object After you edit and save the XML file, import it into cache memory of the ASA using the following commands: Detailed Steps Step 1 Command Purpose import webvpn customization Imports an XML file into cache memory of the ASA. When you import the customization object, the ASA checks the XML code for validity. If the code is valid, the ASA stores the object in a hidden location in cache memory.
-
Detailed Steps Command Purpose Step 1 webvpn Switches to webvpn configuration mode. Step 2 tunnel-group webvpn Switches to tunnel-group webvpn configuration mode. OR group-policy webvpn Switches to group-policy webvpn configuration. OR username webvpn Switches to username webvpn configuration. Step 3 customization name Applies a customization to a connection profile.
-
Step 4 Command Purpose (Optional) [no] customization name Removes the command from the configuration and removes a customization from the connection profile. OR [no] customization {none | value name} Removes the command from the configuration and reverts to the default. Step 5 customization command followed by a question mark (?) Shows a list of existing customizations.
-
Figure 74-17 Language Selector Drop-down List Figure 74-18 shows a simple example of a custom login screen enabled by the Full Customization feature.
-
SSL VPN Service by the Cisco ASA5500
-
Loading...
-
• About Installing Browser Plug-ins • Preparing the Security Appliance for a Plug-in • Installing Plug-ins Redistributed By Cisco About Installing Browser Plug-ins A browser plug-in is a separate program that a web browser invokes to perform a dedicated function, such as connect a client to a server within the browser window.
-
Prerequisites • The plug-ins do not work if the security appliance configures the clientless session to use a proxy server. Note The remote desktop protocol plug-in does not support load balancing with a session broker. Because of the way the protocol handles the redirect from the session broker, the connection fails. If a session broker is not used, the plug-in works.
-
Preparing the Security Appliance for a Plug-in Before installing a plug-in, prepare the ASA by performing the following steps: Step 1 Make sure clientless SSL VPN (“webvpn”) is enabled on an ASA interface. Step 2 Install an SSL certificate onto the ASA interface to which remote users use a fully-qualified domain name (FQDN) to connect.
-
Step 4 Command Purpose Import the file as a new customization object Example: hostname# import webvpn customization sales_vpn_login tftp://10.21.50.
-
language is the abbreviation of the language rendered by the browser. This field is not used for file translation; it indicates the language used in the file. To specify a particular language code, copy the language abbreviation from the list of languages rendered by your browser.
-
Step 7 Make sure the filename matches the one in Table 74-9, and that it does not have an extra filename extension. See “Importing a Help File to Flash Memory” to import the modified file for display in clientless SSL VPN sessions. Creating Help Files for Languages Not Provided by Cisco Use HTML to create help files in other languages.
-
Detailed Steps Step 1 Command Purpose export webvpn webcontent source_url destination_url Retrieves a previously imported help content file for subsequent edits. Example: hostname# export webvpn webcontent /+CSCOE+/help/en/file-access-hlp.inc tftp://209.165.200.225/file-access-hlp.inc • source_url is the string in “URL of Help File in Flash Memory of the Security Appliance” in Table 74-9. • destination_url is the target URL.
-
Clientless SSL VPN ensures the security of data transmission between the remote PC or workstation and the ASA on the corporate network. Advise users that using clientless SSL VPN does not ensure that communication with every site is secure.
-
• You must have a URL for clientless SSL VPN. The URL must be an https address in the following form: https://address, where address is the IP address or DNS hostname of an interface of the ASA (or load balancing cluster) on which SSL VPN is enabled. For example, https://cisco.example.com. • You must have a clientless SSL VPN username and password.
-
Restrictions Also, depending on how you configured a particular account, it might be that: • Some websites are blocked • Only the websites that appear as links on the clientless SSL VPN Home page are available Browsing the Network (File Management) Users might not be familiar with how to locate their files through your organization's network.
-
b. Verify that no JAVA icons are in the computer task bar. c. Close all instances of JAVA. d. Establish a clientless SSL VPN session and launch the port forwarding JAVA applet. • You must have Javascript enabled on the browser. By default, it is enabled. • If necessary, you must configure client applications. Note The Microsoft Outlook client does not require this configuration step.
-
Restrictions We have tested Microsoft Outlook Express versions 5.5 and 6.0. Clientless SSL VPN should support other SMTPS, POP3S, or IMAP4S e-mail programs via port forwarding, such as Lotus Notes and Eudora, but we have not verified them. Using E-mail Via Web Access The following e-mail applications are supported: • Microsoft Outlook Web App to Exchange Server 2010.
-
Prerequisites • Smart tunnel requires either ActiveX or JRE on Windows and Java Web Start on Mac OS. • You must enable cookies on the browser. (By default, they are enabled.) • You must install Sun Microsystems Java Runtime Environment (JRE) version 1.4.x and 1.5.x. • You must enable Javascript on the browser. (By default, it is enabled.) • Mac OS does not support a front-side proxy.
-
Table 74-11 Translation Domains and Functional Areas Affected (continued)
Translation Domain | Functional Areas Translated
plugin-rdp | Messages for the Remote Desktop Protocol plug-in.
plugin-telnet,ssh | Messages for the Telnet and SSH plug-in.
plugin-vnc | Messages for the VNC plug-in.
-
Detailed Steps Step 1 Command Purpose export webvpn translation-table Exports a translation table template to a computer. Example: Shows available translation table templates and tables.
-
Step 2 Command Purpose Edit the translation table XML file Shows a portion of the template that was exported as portal. The end of this output includes a message ID field (msgid) and a message string field (msgstr) for the message SSL VPN, which is displayed on the portal page when a user establishes a clientless SSL VPN session. The complete template contains many pairs of message fields.
-
Prerequisites For the customization object to call these translation tables correctly, the tables must have been previously imported using the same names. These names must be compatible with language options of the browser. Detailed Steps Step 1 Command Function export webvpn customization template Exports a customization template to a URL where you can edit it.
-
Step 4 Command Function import webvpn customization Imports the customization template as a new object. Example:
hostname# import webvpn customization sales tftp://209.165.200.225/sales
hostname# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Step 5 show import webvpn customization Shows the new customization object sales. Example: hostname# import webvpn customization sales tftp://209.165.200.
-
Command Purpose Step 2 group-policy webvpn Switches to group-policy webvpn configuration mode. Step 3 customization Enables the customization object. Example:
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# customization value sales
Shows the customization object sales enabled in the group policy sales.
-
Detailed Steps Step 1 Command Purpose capture capture_name type webvpn user webvpn_username Starts the capture utility for clientless SSL VPN. • capture_name is a name you assign to the capture, which is also prepended to the name of the capture files. • webvpn_username is the username to match for capture. Example: hostname# capture hr type webvpn user user2 WebVPN capture started.
-
Detailed Steps Step 1 Command Purpose capture capture_name type webvpn user webvpn_username Starts the capture utility for clientless SSL VPN. • capture_name is a name you assign to the capture, which is also prepended to the name of the capture files. • webvpn_username is the username to match for capture. Step 2 (Optional) Stops the capture utility from capturing packets after a user has logged in and begun a clientless SSL VPN session.
-
Chapter 74 Capturing Data Cisco ASA 5500 Series Configuration Guide using the CLI 74-124 Configuring Clientless SSL VPN
-
CHAPTER 75 Configuring AnyConnect VPN Client Connections This section describes how to configure AnyConnect VPN Client Connections and covers the following topics: • Information About AnyConnect VPN Client Connections, page 75-1 • Licensing Requirements for AnyConnect Connections, page 75-2 • Guidelines and Limitations, page 75-5 • Configuring AnyConnect Connections, page 75-5 • Configuring Advanced AnyConnect Features, page 75-14 • Configuration Examples for Enabling AnyConnect Connection
-
Chapter 75 Configuring AnyConnect VPN Client Connections Licensing Requirements for AnyConnect Connections The ASA downloads the client based on the group policy or username attributes of the user establishing the connection. You can configure the ASA to automatically download the client, or you can configure it to prompt the remote user about whether to download the client.
-
Model License Requirement1,2 ASA 5540 Use one of the following: • AnyConnect Premium license: – Base license: 2 sessions. – Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, or 2500 sessions. – Optional Shared licenses3: Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000.
-
Model License Requirement1,2 ASA 5525-X Use one of the following: • AnyConnect Premium license: – Base license: 2 sessions. – Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, or 750 sessions. – Optional Shared licenses3: Participant or Server. For the Server license, 500-50,000 in increments of 500 and 50,000-545,000 in increments of 1000.
-
1. If you start a clientless SSL VPN session and then start an AnyConnect client session from the portal, 1 session is used in total. However, if you start the AnyConnect client first (from a standalone client, for example) and then log into the clientless SSL VPN portal, then 2 sessions are used. 2. The maximum combined VPN sessions of all types cannot exceed the maximum sessions shown in this table.
-
• Enabling AnyConnect Client Profile Downloads, page 75-10 • Enabling Additional AnyConnect Client Features, page 75-11 • Enabling Start Before Logon, page 75-11 • Translating Languages for AnyConnect User Messages, page 75-12 • Configuring Advanced AnyConnect Features, page 75-14 • Updating AnyConnect Client Images, page 75-18 • Enabling IPv6 VPN Access, page 75-18 Configuring the ASA to Web-Deploy
-
Step 4 Command Purpose ip local pool poolname startaddr-endaddr mask mask (Optional) Creates an address pool. You can use another method of address assignment, such as DHCP and/or user-assigned addressing. Example:
hostname(config)# ip local pool vpn_users 209.165.200.225-209.165.200.254 mask 255.255.255.224
Step 5 address-pool poolname Assigns an address pool to a tunnel group.
-
anyconnect keep-installer installer The default is that permanent installation of the client is enabled. The client remains on the remote computer at the end of the session.
-
anyconnect ask enable default timeout value prompts the remote user to download the client or go to the clientless portal page and waits the duration of value before taking the default action—downloading the client.
-
Enabling AnyConnect Client Profile Downloads You enable Cisco AnyConnect Secure Mobility client features in the AnyConnect profiles—XML files that contain configuration settings for the core client with its VPN functionality and for the optional client modules Network Access Manager (NAM), posture, telemetry, and Web Security. The ASA deploys the profiles during AnyConnect installation and updates.
-
Step 4 Enter group policy webvpn configuration mode and specify a client profile for a group policy with the anyconnect profiles command: You can enter the anyconnect profiles value command followed by a question mark (?) to view the available profiles.
-
false The tag determines whether the client uses SBL. To turn SBL on, replace false with true. The example below shows the tag with SBL turned on: true Step 4 Save the changes to AnyConnectProfile.
-
Translation Tables:
customization
AnyConnect
CSD
PortForwarder
url-list
webvpn
Citrix-plugin
RPC-plugin
Telnet-SSH-plugin
VNC-plugin
Then the user exports the translation table for the AnyConnect translation domain. The filename of the XML file created is named client and contains empty message fields: hostname# export webvpn translation-table AnyConnect template tftp://209.165.200.
-
Be sure to save the file. Step 3 Import the translation table using the import webvpn translation-table command from privileged EXEC mode. Be sure to specify the name of the new translation table with the abbreviation for the language that is compatible with the browser.
-
Configuring the rekey method as ssl or new-tunnel specifies that the client establishes a new tunnel during rekey instead of the SSL renegotiation taking place during the rekey. See the Cisco ASA 5500 Series Command Reference, 8.4 for a history of the anyconnect ssl rekey command.
-
Enabling Keepalive You can adjust the frequency of keepalive messages to ensure that an SSL VPN connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the connection can be idle.
-
In the following example, compression is disabled for all SSL VPN connections globally: hostname(config)# no compression Changing Compression for Groups and Users To change compression for a specific group or user, use the anyconnect ssl compression command in the group-policy and username webvpn modes: anyconnect ssl compression {deflate | none} no anyconnect ssl compression {deflate | none} By default, for groups and users, S
-
hostname(config)# group-policy telecommuters attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# vpn-idle-timeout 10
hostname(config-group-webvpn)# default-idle-timeout 1200
Updating AnyConnect Client Images You can update the client images on the ASA at any time using the following procedure: Step 1 Copy the new client images to the ASA using the copy command from privileged EXEC mo
-
Step 2 Configure an 'ipv6 local pool' (used for IPv6 address assignment):
ipv6 local pool ipv6pool 2001:DB8:1:1::5/32 100 ; Use your IPv6 prefix here
Note You still need to configure an IPv4 address pool when using IPv6 (using the ip local pool command)
Step 3 Add the ipv6 address pool to your tunnel group policy (or group-policy):
tunnel-group YourTunGrp1 general-attributes
ipv6-address-pool ip
Note Step 4
-
Filter Name :
hostname# vpn-sessiondb logoff
INFO: Number of sessions of type "" logged off : 1
hostname# vpn-sessiondb logoff name tester
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions with name "tester" logged off : 1
Logging Off AnyConnect VPN Sessions To log off all VPN sessions, use the vpn-sessiondb logoff command in global configuration mode: vpn-sessiondb logoff The follow
-
Configuration Examples for Enabling AnyConnect Connections The following example shows how to configure L2TP over IPsec: ip local pool sales_addresses 209.165.202.129-209.165.202.
-
-
CHAPTER 76 Configuring AnyConnect Host Scan The AnyConnect Posture Module provides the AnyConnect Secure Mobility Client the ability to identify the operating system, anti-virus, anti-spyware, and firewall software installed on the host. The Host Scan application gathers this information.
-
Chapter 76 Configuring AnyConnect Host Scan Host Scan Packaging • AnyConnect Telemetry Module System Requirements The posture module can be installed on any of these platforms: • Windows XP (x86 and x86 running on x64) • Windows Vista (x86 and x86 running on x64) • Windows 7 (x86 and x86 running on x64) • Mac OS X 10.5,10.
-
Installing and Enabling Host Scan on the ASA These tasks describe installing and enabling Host Scan on the ASA: • Installing or Upgrading Host Scan • Enabling or Disabling a Host Scan • Viewing the Host Scan Version Enabled on the ASA • Uninstalling Host Scan • Assigning AnyConnect Feature Modules to Group Policies Installing or Upgrading Host Scan Use this procedure to install or upgrade the Host Scan packa
-
Enabling or Disabling a Host Scan These commands enable or disable an installed Host Scan image using the command line interface of the ASA. Prerequisites Log on to the ASA and enter global configuration mode. In global configuration mode, the ASA displays this prompt: hostname(config)# Detailed Steps for Enabling Host Scan Step 1 Command Purpose webvpn Enter webvpn configuration mode.
-
Viewing the Host Scan Version Enabled on the ASA Use this procedure to determine the enabled Host Scan version using ASA’s command line interface. Prerequisites Log on to the ASA and enter privileged exec mode. In privileged exec mode, the ASA displays this prompt: hostname# Command Purpose show webvpn csd hostscan Show the version of Host Scan enabled on the ASA.
-
Step 4 Command Purpose write memory Saves the running configuration to flash. Example: hostname(webvpn)# write memory After successfully saving the new configuration to flash memory, you receive the message [OK]. Assigning AnyConnect Feature Modules to Group Policies This procedure associates AnyConnect feature modules with a group policy.
-
Step 4 Command Purpose hostname(config-group-webvpn)# anyconnect modules value AnyConnect Module Name Configures the group policy to download AnyConnect feature modules for all users in the group. The value of the anyconnect modules command can contain one or more of the following values. When specifying more than one module, separate the values with a comma.
-
-
PART 17 Configuring Logging, SNMP, and Smart Call Home
-
CHAPTER 77 Configuring Logging This chapter describes how to configure and manage logs for the ASA and includes the following sections: • Information About Logging, page 77-1 • Licensing Requirements for Logging, page 77-5 • Prerequisites for Logging, page 77-5 • Guidelines and Limitations, page 77-5 • Configuring Logging, page 77-6 • Monitoring the Logs, page 77-19 • Configuration Examples for Logging, page 77-20 • Feature History for Logging, page 77-20 Information About Logging Sy
-
Chapter 77 Configuring Logging Information About Logging This section includes the following topics:
• Logging in Multiple Context Mode, page 77-2
• Analyzing Syslog Messages, page 77-2
• Syslog Message Format, page 77-3
• Severity Levels, page 77-3
• Message Classes and Range of Syslog IDs, page 77-4
• Filtering Syslog Messages, page 77-4
• Using Custom Message Lists, page 77-4
Logging in Multiple Context Mode Each security context includes its own logging configuration and generates its o
-
Chapter 77 Configuring Logging Information About Logging
Syslog Message Format
Syslog messages begin with a percent sign (%) and are structured as follows:
%ASA Level Message_number: Message_text
Field descriptions are as follows:
ASA: The syslog message facility code for messages that are generated by the ASA. This value is always ASA.
Level: 1 through 7. The level reflects the severity of the condition described by the syslog message—the lower the number, the more severe the condition.
-
Chapter 77 Configuring Logging Information About Logging Message Classes and Range of Syslog IDs For a list of syslog message classes and the ranges of syslog message IDs that are associated with each class, see the syslog message guide. Filtering Syslog Messages You can filter generated syslog messages so that only certain syslog messages are sent to a particular output destination.
-
Chapter 77 Configuring Logging Licensing Requirements for Logging
• Select syslog messages with the severity levels of 1 and 2 and send them to one or more e-mail addresses.
• Select all syslog messages associated with a message class (such as ha) and save them to the internal buffer.
A message list can include multiple criteria for selecting messages. However, you must add each message selection criterion with a new command entry.
-
Chapter 77 Configuring Logging Configuring Logging • The ASA supports the configuration of 16 syslog servers with the logging host command in single context mode. In multiple context mode, the limitation is 4 servers per context.
-
Chapter 77 Configuring Logging Configuring Logging
• Generating Syslog Messages in EMBLEM Format to a Syslog Server, page 77-14
• Generating Syslog Messages in EMBLEM Format to Other Output Destinations, page 77-14
• Changing the Amount of Internal Flash Memory Available for Logs, page 77-15
• Configuring the Logging Queue, page 77-15
• Sending All Syslog Messages in a Class to a Specified Output Destination, page 77-16
• Enabling Secure Logging, page 77-16
• Including the Device ID in Non-EM
-
Chapter 77 Configuring Logging Configuring Logging Sending Syslog Messages to an External Syslog Server You can archive messages according to the available disk space on the external syslog server, and manipulate logging data after it is saved. For example, you could specify actions to be executed when certain types of syslog messages are logged, extract data from the log and save the records to another file for reporting, or track statistics using a site-specific script.
-
Chapter 77 Configuring Logging Configuring Logging Sending Syslog Messages to the Internal Log Buffer To send syslog messages to the internal log buffer, perform the following steps: Step 1 Command Purpose logging buffered {severity_level | message_list} Specifies which syslog messages should be sent to the internal log buffer, which serves as a temporary storage location. New messages are appended to the end of the list.
-
Chapter 77 Configuring Logging Configuring Logging Command Purpose logging ftp-server server path username password Identifies the FTP server on which you want to store log buffer content. The server argument specifies the IP address of the external FTP server. The path argument specifies the directory path on the FTP server where the log buffer data is to be saved. This path is relative to the FTP root directory.
-
Chapter 77 Configuring Logging Configuring Logging Sending Syslog Messages to ASDM To send syslog messages to ASDM, perform the following steps: Step 1 Command Purpose logging asdm {severity_level | message_list} Specifies which syslog messages should be sent to ASDM. The ASA sets aside a buffer area for syslog messages waiting to be sent to ASDM and saves messages in the buffer as they occur. The ASDM log buffer is a different buffer than the internal log buffer.
-
Chapter 77 Configuring Logging Configuring Logging Sending Syslog Messages to a Telnet or SSH Session To send syslog messages to a Telnet or SSH session, perform the following steps: Step 1 Command Purpose logging monitor {severity_level | message_list} Specifies which syslog messages should be sent to a Telnet or SSH session.
-
Chapter 77 Configuring Logging Configuring Logging Creating a Custom Event List To create a custom event list, perform the following steps: Step 1 Command Purpose logging list name {level level [class message_class] | message start_id[-end_id]} Specifies criteria for selecting messages to be saved in the internal log buffer. For example, if you set the severity level to 3, then the ASA sends syslog messages for severity levels 3, 2, and 1.
-
Chapter 77 Configuring Logging Configuring Logging Generating Syslog Messages in EMBLEM Format to a Syslog Server To generate syslog messages in EMBLEM format to a syslog server, enter the following command: Command Purpose logging host interface_name ip_address {tcp[/port] | udp[/port]} [format emblem] Sends syslog messages in EMBLEM format to a syslog server over UDP using port 514. Example: hostname(config)# logging host interface_1 127.0.0.
-
Chapter 77 Configuring Logging Configuring Logging Changing the Amount of Internal Flash Memory Available for Logs To change the amount of internal flash memory available for logs, perform the following steps: Step 1 Command Purpose logging flash-maximum-allocation kbytes Specifies the maximum amount of internal flash memory available for saving log files. By default, the ASA can use up to 1 MB of internal flash memory for log data.
-
Chapter 77 Configuring Logging Configuring Logging Sending All Syslog Messages in a Class to a Specified Output Destination To send all syslog messages in a class to a specified output destination, enter the following command: Command Purpose logging class message_class {buffered | console | history | mail | monitor | trap} [severity_level] Overrides the configuration in the specified output destination command.
-
Chapter 77 Configuring Logging Configuring Logging Including the Device ID in Non-EMBLEM Format Syslog Messages To include the device ID in non-EMBLEM format syslog messages, enter the following command: Command Purpose logging device-id [context-name | hostname | ipaddress interface_name | string text] Configures the ASA to include a device ID in non-EMBLEM-format syslog messages. You can specify only one type of device ID for syslog messages.
-
Chapter 77 Configuring Logging Configuring Logging Including the Date and Time in Syslog Messages To include the date and time in syslog messages, enter the following command: Command Purpose logging timestamp Specifies that syslog messages should include the date and time that they were generated. To remove the date and time from syslog messages, enter the no logging timestamp command. Example: hostname(config)# logging timestamp LOG-2008-10-24-081856.
-
Chapter 77 Configuring Logging Monitoring the Logs Limiting the Rate of Syslog Message Generation To limit the rate of syslog message generation, enter the following command: Command Purpose logging rate-limit {unlimited | {num [interval]}} message syslog_id | level severity_level Applies a specified severity level (1 through 7) to a set of messages or to an individual message (not the destination) within a specified time period.
-
Chapter 77 Configuring Logging Configuration Examples for Logging History logging: disabled Device ID: 'inside' interface IP address “10.1.1.
-
Chapter 77 Configuring Logging Feature History for Logging
Table 77-2 Feature History for Logging (continued)
Feature Name | Platform Releases | Feature Information
Secure logging | 8.0(2) | Specifies that the connection to the remote logging host should use SSL/TLS. This option is valid only if the protocol selected is TCP. We modified the following command: logging host.
Logging class | 8.0(4), 8.1(1) | Added support for the ipaa event class of logging messages.
-
-
CHAPTER 78 Configuring NetFlow Secure Event Logging (NSEL) This chapter describes how to configure NSEL, a security logging mechanism that is built on NetFlow Version 9 technology, and how to handle events and syslog messages through NSEL.
-
Chapter 78 Configuring NetFlow Secure Event Logging (NSEL) Information About NSEL
• Tracks flow-create, flow-teardown, and flow-denied events, and generates appropriate NSEL data records.
• Triggers flow-update events and generates appropriate NSEL data records.
• Defines and exports templates that describe the progression of a flow. Templates describe the format of the data records that are exported through NetFlow. Each event has several record formats or templates associated with it.
-
Chapter 78 Configuring NetFlow Secure Event Logging (NSEL) Licensing Requirements for NSEL
Table 78-1 Syslog Messages and Equivalent NSEL Events (continued)
Syslog Message | Description | NSEL Event ID | NSEL Extended Event ID
106023 | When a flow was denied by an ACL attached to an interface through the access-group command. | 3—Flow was denied. | 1001—Flow was denied by the ingress ACL.
302013, 302015, 302017, 302020 | TCP, UDP, GRE, and ICMP connection creation. | 1—Flow was created. | 0—Ignore.
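The following added example (not from the guide or from Cisco) ties together the syslog header format described in Chapter 77, the level and message-ID selection criteria of the logging list command, and the syslog-to-NSEL mapping in Table 78-1. It assumes the hyphenated header form that the ASA actually emits on the wire (%ASA-level-id:), treats multiple list criteria as alternatives, and runs over constructed sample lines.

```python
"""Parse ASA syslog headers, apply 'logging list'-style selection, and look up
the NSEL event IDs from Table 78-1.  Added illustration, not Cisco code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The guide writes the header as "%ASA Level Message_number: Message_text";
# on the wire the three fields are hyphen-separated, e.g. "%ASA-6-302013:".
# Level is 1 through 7 (lower number = more severe); message IDs are six digits.
HEADER = re.compile(r"%ASA-(?P<level>[1-7])-(?P<msg_id>\d{6}):\s*(?P<text>.*)$")


@dataclass
class AsaSyslog:
    level: int
    msg_id: int
    text: str


def parse(line: str) -> Optional[AsaSyslog]:
    """Return the parsed header, or None when the line is not an ASA syslog message.
    Anything before the %ASA token (timestamp, device ID) is ignored."""
    m = HEADER.search(line)
    if m is None:
        return None
    return AsaSyslog(int(m["level"]), int(m["msg_id"]), m["text"])


def matches_level(msg: AsaSyslog, severity_level: int) -> bool:
    """'logging list NAME level N' selects severities N, N-1, ..., 1
    (the guide: setting level 3 sends messages of severity 3, 2 and 1)."""
    return msg.level <= severity_level


def matches_message(msg: AsaSyslog, start_id: int, end_id: Optional[int] = None) -> bool:
    """'logging list NAME message start_id[-end_id]' selects one ID or an inclusive range."""
    last = start_id if end_id is None else end_id
    return start_id <= msg.msg_id <= last


def select(lines: List[str], level: Optional[int] = None,
           message_range: Optional[Tuple[int, int]] = None) -> List[int]:
    """Return the message IDs of lines matching ANY of the given criteria,
    in input order.  Treating the criteria of one list as alternatives is an
    assumption of this example; unparsable lines are skipped."""
    selected = []
    for line in lines:
        msg = parse(line)
        if msg is None:
            continue
        hit = False
        if level is not None and matches_level(msg, level):
            hit = True
        if message_range is not None and matches_message(msg, *message_range):
            hit = True
        if hit:
            selected.append(msg.msg_id)
    return selected


# Rows of Table 78-1 present on this page: syslog ID -> (NSEL event ID, extended event ID)
NSEL_EVENTS = {
    106023: (3, 1001),                     # flow denied by the ingress ACL
    302013: (1, 0), 302015: (1, 0),        # TCP, UDP, GRE and ICMP
    302017: (1, 0), 302020: (1, 0),        # connection creation (flow created)
}


def nsel_event(msg: AsaSyslog) -> Optional[Tuple[int, int]]:
    """Map a parsed syslog message to its NSEL (event ID, extended event ID), if any."""
    return NSEL_EVENTS.get(msg.msg_id)


# Constructed sample lines (not real captures); addresses are documentation ranges.
SAMPLE_LINES = [
    "Oct 24 2008 08:18:56: %ASA-6-302013: Built outbound TCP connection 12345 for "
    "outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.0.2.10/51234 (198.51.100.1/51234)",
    "Oct 24 2008 08:18:57: %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 "
    "dst inside:192.0.2.10/22 by access-group \"outside_in\" [0x0, 0x0]",
    "Oct 24 2008 08:18:58: %ASA-6-302014: Teardown TCP connection 12345 for "
    "outside:203.0.113.5/443 to inside:192.0.2.10/51234 duration 0:00:02 bytes 4096 TCP FINs",
    "Oct 24 2008 08:19:00: %ASA-3-201008: Disallowing new connections.",
    "this line is not an ASA syslog message",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        msg = parse(line)
        if msg:
            print(msg.level, msg.msg_id, nsel_event(msg))
    print("level 4 list:", select(SAMPLE_LINES, level=4))
    print("message 302013-302020 list:", select(SAMPLE_LINES, message_range=(302013, 302020)))
```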
-
Chapter 78 Configuring NetFlow Secure Event Logging (NSEL) Guidelines and Limitations Guidelines and Limitations This section includes the guidelines and limitations for this feature. Context Mode Guidelines Supported in single and multiple context mode. Firewall Mode Guidelines Supported in routed and transparent firewall mode. IPv6 Guidelines Supports IPv6 for the class-map, match any and class-default commands. The match access-list commands only support IPv4 access lists.
-
Chapter 78 Configuring NetFlow Secure Event Logging (NSEL) Configuring NSEL Configuring NSEL Collectors To configure NSEL collectors, enter the following command: Command Purpose flow-export destination interface-name {ipv4-address | hostname} udp-port Adds, edits, or deletes an NSEL collector to which NetFlow packets are sent. The destination keyword indicates that an NSEL collector is being configured.
-
Chapter 78 Configuring NetFlow Secure Event Logging (NSEL) Configuring NSEL Step 3 Command Purpose policy-map flow_export_policy Defines the policy map to apply flow-export actions to the defined classes. The flow_export_policy argument is the name of the policy map. Example: hostname(config)# policy-map flow_export_policy If you create a new policy map and apply it globally according to Step 6, the remaining inspection policies are deactivated.
-
Chapter 78 Configuring NetFlow Secure Event Logging (NSEL) Configuring NSEL What to Do Next See the “Configuring Template Timeout Intervals” section on page 78-7. Configuring Template Timeout Intervals To configure template timeout intervals, enter the following command: Command Purpose flow-export template timeout-rate minutes Specifies the interval at which template records are sent to all configured output destinations. The template keyword indicates the template-specific configurations.
-
Chapter 78 Configuring NetFlow Secure Event Logging (NSEL) Configuring NSEL What to Do Next See the “Changing the Time Interval for Sending Flow-Update Events to a Collector” section on page 78-8.
-
Chapter 78 Configuring NetFlow Secure Event Logging (NSEL) Configuring NSEL What to Do Next See the “Delaying Flow-Create Events” section on page 78-9. Delaying Flow-Create Events To delay the sending of flow-create events, enter the following command: Command Purpose flow-export delay flow-create seconds Delays the sending of a flow-create event by the specified number of seconds. The seconds argument indicates the amount of time allowed for the delay in seconds.
-
Chapter 78 Configuring NetFlow Secure Event Logging (NSEL) Monitoring NSEL What to Do Next See the “Clearing Runtime Counters” section on page 78-10. Clearing Runtime Counters To reset runtime counters, enter the following command: Command Purpose clear flow-export counters Resets all runtime counters for NSEL to zero. Example: hostname# clear flow-export counters What to Do Next See the “Monitoring NSEL” section on page 78-10.
-
Chapter 78 Configuring NetFlow Secure Event Logging (NSEL) Monitoring NSEL destination: inside 209.165.200.
-
Chapter 78 Configuring NetFlow Secure Event Logging (NSEL) Configuration Examples for NSEL Configuration Examples for NSEL The following examples show how to filter NSEL events, with the specified collectors already configured:
• flow-export destination inside 209.165.200.2055
• flow-export destination outside 209.165.201.29 2055
• flow-export destination outside 209.165.201.27 2055
Log all events between hosts 209.165.200.224 and hosts 209.165.201.224 to 209.165.200.
-
Chapter 78 Configuring NetFlow Secure Event Logging (NSEL) Where to Go Next
hostname(config)# access-list flow_export_acl permit ip any any
hostname(config)# class-map flow_export_class
hostname(config-cmap)# match access-list flow_export_acl
hostname(config)# policy-map flow_export_policy
hostname(config-pmap)# class flow_export_class
hostname(config-pmap-c)# flow-export event-type all destination 209.165.201.
-
Chapter 78 Configuring NetFlow Secure Event Logging (NSEL) Feature History for NSEL
Related Documents
Related Topic | Document Title
Using NSEL and Syslog Messages, page 78-2 | syslog message guide
Information about the implementation of NSEL on the Cisco ASA 5500 Series | Implementation Note for NetFlow Collectors ASA and ASASM. See the following article at https://supportforums.cisco.com/docs/DOC-6113.
Configuring NetFlow on the ASA and ASASM using ASDM | See the following article at https://supportforums.
-
Chapter 78 Configuring NetFlow Secure Event Logging (NSEL) Feature History for NSEL
Table 78-2 Feature History for NSEL
Feature Name | Platform Releases | Feature Information
NetFlow | 8.1(1) | The NetFlow feature enhances the ASA logging capabilities by logging flow-based events through the NetFlow protocol. NetFlow Version 9 services are used to export information about the progression of a flow from start to finish.
-
-
CHAPTER 79 Configuring SNMP This chapter describes how to configure SNMP to monitor the ASA and includes the following sections:
• Information About SNMP, page 79-1
• Licensing Requirements for SNMP, page 79-17
• Prerequisites for SNMP, page 79-17
• Guidelines and Limitations, page 79-17
• Configuring SNMP, page 79-18
• Troubleshooting Tips, page 79-24
• Monitoring SNMP, page 79-26
• Configuration Examples for SNMP, page 79-28
• Where to Go Next, page 79-29
• Additional References,
-
Chapter 79 Configuring SNMP Information About SNMP You can configure the ASA to send traps, which are unsolicited messages from the managed device to the management station for certain events (event notifications) to an NMS, or you can use the NMS to browse the MIBs on the ASA. MIBs are a collection of definitions, and the ASA maintains a database of values for each definition. Browsing a MIB means issuing a series of GET-NEXT or GET-BULK requests of the MIB tree from the NMS to determine values.
-
Chapter 79 Configuring SNMP Information About SNMP ftp://ftp-sj.cisco.com/pub/mibs Download a complete list of Cisco MIBs, traps, and OIDs from the following location: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml In addition, download Cisco OIDs by FTP from the following location: ftp://ftp.cisco.com/pub/mibs/oid/oid.tar.gz Note In software versions 7.2(1), 8.0(2), and later, the interface information accessed through SNMP refreshes about every 5 seconds.
-
Chapter 79 Configuring SNMP Information About SNMP
Table 79-2 SNMP Object Identifiers (continued)
ASA5585-SSP20 | ciscoASA5585Ssp20sc (ciscoProducts 1199) | ASA 5585-X SSP-20 security context
ASA5585-SSP40 | ciscoASA5585Ssp40sc (ciscoProducts 1200) | ASA 5585-X SSP-40 security context
ASA5585-SSP60 | ciscoASA5585Ssp60sc (ciscoProducts 1201) | ASA 5585-X SSP-60 security context
ASA5585-SSP10 | ciscoASA5585Ssp10sy (ciscoProducts 1202) | ASA 5585-X SSP-10 system context
ASA5585-SSP20 | ciscoASA5585Ssp20sy (cis
-
Chapter 79 Configuring SNMP Information About SNMP
Table 79-2 SNMP Object Identifiers (continued)
ASA 5525 System Context | ciscoASA5525sy (ciscoProducts 1417) | ASA 5525 Adaptive Security Appliance System Context
ASA 5545 System Context | ciscoASA5545sy (ciscoProducts 1418) | ASA 5545 Adaptive Security Appliance System Context
ASA 5555 System Context | ciscoASA5555sy (ciscoProducts 1419) | ASA 5555 Adaptive Security Appliance System Context
ASA 5515 Security Context | ciscoASA5515sc (ciscoProducts 1420) | ASA 5
-
Chapter 79 Information About SNMP
Table 79-3 SNMP Physical Vendor Type Values (continued)
Cisco Adaptive Security Appliance (ASA) 5545 Adaptive Security Appliance | cevChassisASA5545 (cevChassis 1116)
Cisco Adaptive Security Appliance (ASA) 5545 Adaptive Security Appliance with No Payload Encryption | cevChassisASA5545K7 (cevChassis 1111)
ASA 5550 chassis | cevChassisASA5550 (cevChassis 564)
Cisco Adaptive Security Appliance (ASA) 5555 Adaptive Security Appliance | cevChassisASA5555 (cevChassis 1117)
Ci
-
Chapter 79 Configuring SNMP Information About SNMP
Table 79-3 SNMP Physical Vendor Type Values (continued)
CPU for Cisco ASA Services Module for Catalyst switches | cevCpuAsaSm1 (cevModuleCpuType 222)
CPU for Cisco ASA Services Module with No Payload Encryption for Catalyst switches | cevCpuAsaSm1K7 (cevModuleCpuType 223)
Chassis Cooling Fan in Adaptive Security Appliance 5512 | cevFanASA5512ChassisFan (cevFan 163)
Chassis Cooling Fan in Adaptive Security Appliance | cevFanASA5512K7ChassisFan (cevFan 172)
-
Chapter 79 Configuring SNMP Information About SNMP
Table 79-3 SNMP Physical Vendor Type Values (continued)
Power Supply unit in Adaptive Security Appliance 5555 | cevPowerSupplyASA5555PSInput (cevPowerSupply 324)
Presence Sensor for Power Supply input in Adaptive Security Appliance 5555 | cevPowerSupplyASA5555PSPresence (cevPowerSupply 322)
Power supply input for ASA 5580 | cevPowerSupplyASA5580PSInput (cevPowerSupply 292)
Power supply input for ASA 5585 | cevPowerSupplyASA5585PSInput (cevPowerSupply 304
-
Chapter 79 Configuring SNMP Information About SNMP
Table 79-3 SNMP Physical Vendor Type Values (continued)
Cisco Adaptive Security Appliance (ASA) 5525 with No Payload Encryption Chassis Fan sensor | cevSensorASA5525K7ChassisFanSensor (cevSensor 127)
Central Processing Unit Temperature Sensor for Cisco Adaptive Security Appliance 5525 with No Payload Encryption | cevSensorASA5525K7CPUTemp (cevSensor 104)
Sensor for Chassis Cooling Fan in Adaptive Security App | cevSensorASA5525K7PSFanSensor (cevSensor 114)
-
Chapter 79 Configuring SNMP Information About SNMP
Table 79-3 SNMP Physical Vendor Type Values (continued)
Cisco Adaptive Security Appliance (ASA) 5555 with No Payload Encryption Chassis Fan sensor | cevSensorASA5555K7ChassisFanSensor (cevSensor 129)
Chassis Ambient Temperature Sensor for Cisco Adaptive Security Appliance 5555 with No Payload Encryption | cevSensorASA5555K7ChassisTemp (cevSensor 111)
Central Processing Unit Temperature Sensor for Cisco Adaptive Security Appliance 5555 with No Payload Enc
-
Chapter 79 Configuring SNMP Information About SNMP Supported Tables in MIBs Table 79-4 lists the supported tables and objects for the specified MIBs.
-
Chapter 79 Configuring SNMP Information About SNMP Supported Traps (Notifications) Table 79-5 lists the supported traps (notifications) and their associated MIBs.
Table 79-5 Supported Traps (Notifications)
Trap and MIB Name | Varbind List | Description
authenticationFailure | — | For SNMP Version 1 or 2, the community string provided in the SNMP request is incorrect. For SNMP Version 3, a report PDU is generated instead of a trap if the auth or priv passwords or usernames are incorrect.
-
Chapter 79 Configuring SNMP Information About SNMP
Table 79-5 Supported Traps (Notifications) (continued)
ceSensorExtThresholdNotification (CISCO-ENTITY-SENSOR-EXT-MIB) Note: Not supported on the ASA Services Module. | ceSensorExtThresholdValue, entPhySensorValue, entPhySensorType, entPhysicalName | The snmp-server enable traps entity [power-supply-failure | fan-failure | cpu-temperature] command is used to enable transmission of the entity threshold notifications.
-
Chapter 79 Configuring SNMP Information About SNMP
Table 79-5 Supported Traps (Notifications) (continued)
clogMessageGenerated (CISCO-SYSLOG-MIB) | clogHistFacility, clogHistSeverity, clogHistMsgName, clogHistMsgText, clogHistTimestamp | Syslog messages are generated. The value of the clogMaxSeverity object is used to decide which syslog messages are sent as traps. The snmp-server enable traps syslog command is used to enable and disable transmission of these traps.
-
Chapter 79 Configuring SNMP Information About SNMP
Table 79-5 Supported Traps (Notifications) (continued)
mteTriggerFired (DISMAN-EVENT-MIB) Note: Not supported on the ASA Services Module. | mteHotTrigger, mteHotTargetName, mteHotContextName, mteHotOID, mteHotValue, cempMemPoolName, cempMemPoolHCUsed | The snmp-server enable traps memory-threshold command is used to enable the memory threshold notification. The mteHotOID is set to cempMemPoolHCUsed.
natPacketDiscard |
-
Chapter 79 Configuring SNMP Information About SNMP (USM) and View-based Access Control Model (VACM). The ASA also supports the creation of SNMP groups and users, as well as hosts, which is required to enable transport authentication and encryption for secure SNMP communications. Security Models For configuration purposes, the authentication and privacy options are grouped together into security models.
-
Chapter 79 Configuring SNMP Licensing Requirements for SNMP
• You must remove users, groups, and hosts in the correct sequence.
• Use of the snmp-server host command creates an ASA rule to allow incoming SNMP traffic.
Licensing Requirements for SNMP The following table shows the licensing requirements for this feature: License Requirement Base License: Base (DES).
-
Chapter 79 Configuring SNMP Configuring SNMP
• Does not support SNMP Version 3 for the AIP SSM or AIP SSC.
• Does not support SNMP debugging.
• Does not support retrieval of ARP information.
• Does not support SNMP SET commands.
• When using NET-SNMP Version 5.4.2.1, only supports the encryption algorithm version of AES128. Does not support the encryption algorithm versions of AES256 or AES192.
-
Chapter 79 Configuring SNMP Configuring SNMP • Sends traps (event notifications) to NMSs. To enable the SNMP agent and identify an NMS that can connect to the SNMP server, enter the following command: Command Purpose snmp-server enable Ensures that the SNMP server on the ASA is enabled. By default, the SNMP server is enabled.
-
Chapter 79 Configuring SNMP Configuring SNMP What to Do Next See the “Configuring SNMP Traps” section on page 79-20.
-
Chapter 79 Configuring SNMP Configuring SNMP What to Do Next See the “Configuring a CPU Usage Threshold” section on page 79-21. Configuring a CPU Usage Threshold To configure the CPU usage threshold, enter the following command: Command Purpose snmp cpu threshold rising threshold_value monitoring_period Configures the threshold value for a high CPU threshold and the threshold monitoring period. To clear the threshold value and monitoring period of the CPU utilization, use the no form of this command.
-
Chapter 79 Configuring SNMP Configuring SNMP Using SNMP Version 1 or 2c To configure parameters for SNMP Version 1 or 2c, perform the following steps: Detailed Steps Step 1 Command Purpose snmp-server host interface {hostname | ip_address} [trap | poll] [community community-string] [version {1 | 2c}] [udp-port port] Specifies the recipient of an SNMP notification, indicates the interface from which traps are sent, and identifies the name and IP address of the NMS or SNMP manager that can c
-
Chapter 79 Configuring SNMP Configuring SNMP What to Do Next See the “Monitoring SNMP” section on page 79-26. Using SNMP Version 3 To configure parameters for SNMP Version 3, perform the following steps: Detailed Steps Step 1 Command Purpose snmp-server group group-name v3 [auth | noauth | priv] Specifies a new SNMP group, which is for use only with SNMP Version 3.
-
Chapter 79 Configuring SNMP Troubleshooting Tips Step 3 Command Purpose snmp-server host interface {hostname | ip_address} [trap | poll] [community community-string] [version {1 | 2c | 3 username}] [udp-port port] Specifies the recipient of an SNMP notification. Indicates the interface from which traps are sent. Identifies the name and IP address of the NMS or SNMP manager that can connect to the ASA. The trap keyword limits the NMS to receiving traps only.
-
Chapter 79 Configuring SNMP Troubleshooting Tips The output is based on the SNMP group of the SNMPv2-MIB.
-
Chapter 79 Configuring SNMP Monitoring SNMP • VLAN-only—SNMP uses logical statistics for ifInOctets and ifOutOctets. The examples in Table 79-6 show the differences in SNMP traffic statistics. Example 1 shows the difference in physical and logical output statistics for the show interface command and the show traffic command. Example 2 shows output statistics for a VLAN-only interface for the show interface command and the show traffic command.
-
Chapter 79 Configuring SNMP Monitoring SNMP SNMP Syslog Messaging SNMP generates detailed syslog messages that are numbered 212nnn. Syslog messages indicate the status of SNMP requests, SNMP traps, SNMP channels, and SNMP responses from the ASA to a specified host on a specified interface. For detailed information about syslog messages, see the syslog message guide. Note SNMP polling fails if SNMP syslog messages exceed a high rate (approximately 4000 per second).
-
Chapter 79 Configuring SNMP Configuration Examples for SNMP
0 Get-bulk PDUs
0 Set-request PDUs (Not supported)
0 SNMP packets output
0 Too big errors (Maximum packet size 512)
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
0 Trap PDUs
The following example shows how to display the SNMP server running configuration:
hostname(config)# show running-config snmp-server
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown colds
-
Chapter 79 Configuring SNMP Where to Go Next Where to Go Next To configure the syslog server, see Chapter 77, “Configuring Logging.
-
-
Chapter 79 Configuring SNMP Feature History for SNMP
[70] 1.3.6.1.2.1.31.1.1.1.6. ifHCInOctets
--More--
Application Services and Third-Party Tools For information about SNMP support, see the following URL: http://www.cisco.com/en/US/tech/tk648/tk362/tk605/tsd_technology_support_sub-protocol_home.html For information about using third-party tools to walk SNMP Version 3 MIBs, see the following URL: http://www.cisco.com/en/US/docs/security/asa/asa83/snmp/snmpv3_tools.
-
Chapter 79 Configuring SNMP Feature History for SNMP
Table 79-7 Feature History for SNMP (continued)
Feature Name | Platform Releases | Feature Information
SNMP traps and MIBs | 8.4(1) | Supports the following additional keywords: connection-limit-reached, cpu threshold rising, entity cpu-temperature, entity fan-failure, entity power-supply, ikev2 stop | start, interface-threshold, memory-threshold, nat packet-discard, warmstart.
-
CHAPTER 80 Configuring Anonymous Reporting and Smart Call Home The Smart Call Home feature provides personalized, e-mail-based and web-based notification to customers about critical events involving their individual systems, often before customers know that a critical event has occurred. The Anonymous Reporting feature is a subfeature of the Smart Call Home feature and allows Cisco to anonymously receive minimal error and health information from the device.
-
Chapter 80 Configuring Anonymous Reporting and Smart Call Home Information About Anonymous Reporting and Smart Call Home Information About Anonymous Reporting Customers can help to improve the ASA platform by enabling Anonymous Reporting, which allows Cisco to securely receive minimal error and health information from the device. If you enable the feature, your customer identity will remain anonymous, and no identifying information will be sent.
-
Chapter 80 Configuring Anonymous Reporting and Smart Call Home Information About Anonymous Reporting and Smart Call Home • show call-home registered-module status—Displays the registered module status. If you use system configuration mode, the command displays system module status based on the entire device, not per context.
-
Chapter 80 Configuring Anonymous Reporting and Smart Call Home Licensing Requirements for Anonymous Reporting and Smart Call Home If you did not receive the prompt, you may enable Anonymous Reporting or Smart Call Home by performing the steps in the “Configuring Anonymous Reporting” section on page 80-6 or the “Configuring Smart Call Home” section on page 80-7.
-
Chapter 80 Configuring Anonymous Reporting and Smart Call Home Prerequisites for Smart Call Home and Anonymous Reporting Prerequisites for Smart Call Home and Anonymous Reporting Smart Call Home and Anonymous Reporting have the following prerequisites: • DNS must be configured. (See the “DNS Requirement” section on page 80-3 and see the “Configuring the DNS Server” section on page 10-11.) Guidelines and Limitations Firewall Mode Guidelines Supported in routed and transparent firewall modes.
-
Chapter 80 Configuring Anonymous Reporting and Smart Call Home Configuring Anonymous Reporting and Smart Call Home Configuring Anonymous Reporting and Smart Call Home While Anonymous Reporting is a subfeature of the Smart Call Home feature and allows Cisco to anonymously receive minimal error and health information from the device, the Smart Call Home feature is more robust and allows for customized support of your system health, allowing Cisco TAC to monitor your devices and open a case when there is an
-
Chapter 80 Configuring Anonymous Reporting and Smart Call Home Configuring Anonymous Reporting and Smart Call Home Configuring Smart Call Home This section describes how to configure the Smart Call Home feature.
-
Chapter 80 Configuring Anonymous Reporting and Smart Call Home Configuring Anonymous Reporting and Smart Call Home Declaring and Authenticating a CA Trust Point If Smart Call Home is configured to send messages to a web server through HTTPS, you need to configure the ASA to trust the certificate of the web server or the certificate of the Certificate Authority (CA) that issued the certificate. The Cisco Smart Call Home Production server certificate is issued by Verisign.
-
Chapter 80 Configuring Anonymous Reporting and Smart Call Home Configuring Anonymous Reporting and Smart Call Home
Step 1 dns domain-lookup name Enables DNS lookup on a specific interface. Example: hostname(config)# dns domain-lookup corp
Step 2 dns server-group group_name Enters the server group submode to configure the parameters for that server group. Example: hostname(config)# dns server-group DefaultDNS We suggest that you use the default server group name: DefaultDNS.
Step 3
-
Table 80-1 Severity and Syslog Level Mapping
Level  Keyword       Equivalent Syslog Level  Description
9      catastrophic  N/A                      Network-wide catastrophic failure.
8      disaster      N/A                      Significant network impact.
7      fatal         Emergency (0)            System is unusable.
6      critical      Alert (1)                Critical conditions, immediate attention needed.
5      major         Critical (2)             Major conditions.
-
Step 5  Command: subscribe-to-alert-group environment [severity {catastrophic | disaster | emergencies | alert | critical | errors | warnings | notifications | informational | debugging}]
        Purpose: Subscribes to group events with the specified severity level. The alert group can be configured to filter messages based on severity, as described in Table 80-1.
-
Sending a Smart Call Home Test Message Manually
To manually send a Smart Call Home test message, perform this task:
Command: call-home test [test-message] profile profile-name
Purpose: Sends a test message using a profile configuration.
-
Optional Configuration Procedures
This section includes the following topics:
• Configuring Smart Call Home Customer Contact Information, page 80-13
• Configuring the Mail Server, page 80-15
• Configuring Call Home Traffic Rate Limiting, page 80-15
• Destination Profile Management, page 80-16

Configuring Smart Call Home Customer Contact Information
Obtain the following customer contac
-
Step 5  (Optional) contact-name contact-name
        Specifies the customer name, which can be up to 128 characters long.
        Example: ciscoasa(cfg-call-home)# contact-name contactname1234
Step 6  (Optional) customer-id customer-id-string
        Specifies the customer ID, which can be up to 64 characters long.
-
Configuring the Mail Server
We recommend that you use HTTPS for message transport, because it authenticates the destination server and encrypts the messages in transit. However, you can configure an e-mail destination for Smart Call Home and then configure the mail server to use the e-mail message transport; in that case the confidentiality of the messages depends on the path to and from your mail server. To configure the mail server, perform this task:
Step 1  Command: call-home
        Purpose: Enters call home configuration mode.
-
This example shows how to configure Smart Call Home traffic rate limiting:
hostname# configure terminal
hostname(config)# call-home
hostname(cfg-call-home)# rate-limit 5

Destination Profile Management
These sections describe destination profile management:
• Configuring a Destination Profile, page 80-16
• Activating and Deactivating a Destination Profile, page 80-17
• Copying a Destina
-
Activating and Deactivating a Destination Profile
Smart Call Home destination profiles are automatically activated when you create them. If you do not want to use a profile right away, you can deactivate it. To activate or deactivate a destination profile, perform this task:
Step 1  Command: call-home
        Purpose: Enters call home configuration mode.
-
Copying a Destination Profile
To create a new destination profile by copying an existing profile, perform this task:
Step 1  Command: call-home
        Purpose: Enters call home configuration mode.
        Example: hostname(config)# call-home
Step 2  Command: profile profilename
        Purpose: Specifies the profile to copy.
-
ciscoasa(cfg-call-home-profile)# rename profile profile1 profile2

Monitoring Smart Call Home
To monitor the Smart Call Home feature, enter one of the following commands:
Command: show call-home detail
Purpose: Shows the current Smart Call Home detail configuration.
Command: show call-home mail-server status
Purpose: Shows the current mail server status.
-
Feature History for Anonymous Reporting and Smart Call Home
Table 80-2 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.
-
PART 18 System Administration
-
-
CHAPTER 81 Managing Software and Configurations
This chapter describes how to manage the ASA software and configurations and includes the following sections:
• Managing the Flash File System, page 81-1
• Downloading Software or Configuration Files to Flash Memory, page 81-2
• Configuring the Application Image and ASDM Image to Boot, page 81-4
• Configuring the File to Boot as the Startup Configuration, page 81-5
• Deleting Files from a USB Drive on the ASA 5500-X Series, page 81-5
• Perfor
-
2513 -rw-rw-rw- 4634     19:32:48 Sep 17 2004  first-backup
2788 -rw-rw-rw- 21601    20:51:46 Nov 23 2004  backup.cfg
2927 -rw-rw-rw- 8670632  20:42:48 Dec 08 2004  asdmfile.bin
• To view extended information about a specific file, enter the following command:
hostname# show file information [path:/]filename
The default path is the root directory of the internal flash memory (disk0:/).
-
Downloading a File to a Specific Location
This section describes how to download the application image, ASDM software, a configuration file, or any other file that needs to be downloaded to flash memory. To download a file to the running or startup configuration, see the “Downloading a File to the Startup or Running Configuration” section on page 81-3.
-
Note  When you copy a configuration to the running configuration, you merge the two configurations. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. To replace the running configuration rather than merge into it, copy the file to the startup configuration and reload.
-
• tftp://[user[:password]@]server[:port]/[path/]filename
Note  The TFTP option is only supported for the ASA.
You can enter up to four boot system command entries to specify different images to boot from in order; the ASA boots the first image it finds. Only one boot system tftp command can be configured, and it must be the first one configured. TFTP provides no authentication or integrity protection for the image it delivers, so a TFTP boot entry should point only at a server on a trusted management network.
-
Performing Zero Downtime Upgrades for Failover Pairs
The two units in a failover configuration should have the same major (first number) and minor (second number) software version. However, you do not need to maintain version parity on the units during the upgrade process; you can run different software versions on each unit and still maintain failover support.
-
Note  Use the show failover command to verify that the standby unit is in the Standby Ready state.
-
Backing Up Configuration Files or Other Files
This section includes the following topics:
• Backing up the Single Mode Configuration or Multiple Mode System Configuration, page 81-8
• Backing Up a Context Configuration or Other File in Flash Memory, page 81-8
• Backing Up a Context Configuration within a Context, page 81-9
• Copying the Configuration from the Terminal Display, page 81-9
• Backing Up Add
-
• To copy from the ASA using HTTPS, enter the following URL in your browser:
  https://ASA_IP/disk{0 | 1}/filename
• To copy to local flash memory, enter the following command:
  hostname# copy disk{0 | 1}:/[path/]filename disk{0 | 1}:/[path/]newfilename
Note  Be sure that the destination directory exists. If it does not exist, first create the directory using the mkdir command.
-
hostname# show import webvpn plug-in
ica
rdp
ssh,telnet
vnc
Step 2  Run the export command for the file that you want to back up (in this example, the rdp file):
hostname# export webvpn plug-in protocol rdp tftp://tftpserver/backupfilename

Using a Script to Back Up and Restore Files
You can use a script to back up and restore the configuration files on your ASA, including all extensions that you import via
-
Step 4  The system prompts you for values for each option. Alternatively, you can supply the values on the command line when you enter the perl scriptname command, before you press Enter. Either way, the script requires a value for each option.
Step 5  The script starts running, printing out the commands that it issues, which provides you with a record of the CLIs.
-
    do customization($exp);
    do plugin($exp);
    do url_list($exp);
    do webcontent($exp);
    do dap($exp);
    do csd($exp);
    close(OUT);
}
do finish($exp);

# Enter privileged EXEC mode: send "enable", answer the password prompt,
# and wait for the privileged prompt ("hostname#").
sub enable {
    $obj = shift;
    $obj->send("enable\n");
    unless ($obj->expect(15, 'Password:')) {
        print "timed out waiting for Password:\n";
    }
    $obj->send("$enable\n");
    unless ($obj->expect(15, "$prompt#")) {
        print "timed out waiting for $prompt#\n";
    }
}

sub lang_trans {
    $obj = shi
-
    # One export command per customization object listed by "show import webvpn customization".
    for (@items) {
        chop;
        next if /^Template/ or /show import/ or /^\s*$/;
        $cli = "export webvpn customization $_ $storage/$prompt-$date-cust-$_.
-
    $cli  = "copy /noconfirm dap.xml $storage/$prompt-$date-dap.xml";
    $ocli = "copy /noconfirm $storage/$prompt-$date-dap.xml disk0:/dap.
-
    unless ($obj->expect(15, "$prompt>")) {
        die "timeout waiting for $prompt>\n";
    }
}

sub finish {
    $obj = shift;
    $obj->hard_close();
    print "\n\n";
}

# Replay a saved command file line by line, waiting for the privileged
# prompt after each command and echoing the ASA's response.
sub restore {
    $obj = shift;
    my $file = shift;
    my $output;
    open(IN, "$file") or die "can't open $file\n";
    while (<IN>) {
        $obj->send("$_");
        $obj->expect(15, "$prompt#");
        $output = $obj->before();
        print "$output\n";
    }
    close(IN);
}

sub process_options {
    if (defined($options
-
        chop($prompt = <>);
    }
    if (defined($options{e})) {
        $enable = $options{e};
    } else {
        # The enable password is read from standard input when -e is not given.
        print "Enter enable password:";
        chop($enable = <>);
    }
    if (defined($options{r})) {
        $restore      = 1;
        $restore_file = $options{r};
    }
}

Configuring Auto Update Support
Auto Update is a protocol specification that allows an Auto Update Server to download configurations and software images to many ASAs and can provide basic monitoring of the ASAs from a c
-
The source interface keyword and argument specify which interface to use when sending requests to the Auto Update Server. If you specify the same interface specified by the management-access command, the Auto Update requests travel over the same IPsec VPN tunnel used for management access. The verify-certificate keyword verifies the certificate returned by the Auto Update Server. Because the Auto Update Server supplies the configurations and software images that the ASA installs, use verify-certificate with an HTTPS URL; without it the ASA does not authenticate the server it takes those files from.
-
Step 5  (Optional) If the Auto Update Server has not been contacted for a certain period of time, entering the following command causes the ASA to stop passing traffic:
hostname(config)# auto-update timeout period
The period argument specifies the timeout period in minutes, between 1 and 35791. The default is to never time out (zero minutes). To restore the default, enter the no form of this command.
-
• asa5510: Cisco 5510 ASA
• asa5520: Cisco 5520 ASA
• asa5540: Cisco 5540 ASA
The url url-string parameter specifies the URL for the software/firmware image. This URL must point to a file appropriate for this client. For all Auto Update clients, you must use the protocol “http://” or “https://” as the prefix for the URL. Configure the parameters for the client update that you want to apply to all ASAs of a particular type.
-
Downgrading Your Software
Information About Activation Key Compatibility
Your activation key remains compatible if you upgrade to the latest version from any previous version. However, you might have issues if you want to maintain downgrade capability:
• Downgrading to Version 8.1 or earlier versions—After you upgrade, if you activate additional feature licenses that were introduced before 8.
-
CHAPTER 82 Troubleshooting
This chapter describes how to troubleshoot the ASA and includes the following sections:
• Testing Your Configuration, page 82-1
• Reloading the ASA, page 82-8
• Performing Password Recovery, page 82-8
• Using the ROM Monitor to Load a Software Image, page 82-11
• Erasing the Flash File System, page 82-12
• Other Troubleshooting Tools, page 82-13
• Common Problems, page 82-14

Testing Your Configuration
This section describes how to test connectivity for the si
-
Enabling ICMP Debugging Messages and Syslog Messages
Debugging messages and syslog messages can help you troubleshoot why your pings are not successful. The ASA only shows ICMP debugging messages for pings to the ASA interfaces, not for pings through the ASA to other hosts.
-
Examples
The following example shows a successful ping from an external host (209.165.201.2) to the ASA outside interface (209.165.201.1):
hostname(config)# debug icmp trace
Inbound ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.
[... further Outbound ICMP echo request / Inbound ICMP echo reply lines in the same format ...]
-
Network Diagram with Interfaces, Routers, and Hosts
[Figure not reproduced. It shows a routed security appliance and a transparent security appliance, each with an outside interface (security0) and dmz1, dmz2 (security40) and dmz3 interfaces, connected through routers to hosts in the 10.1.x.x, 192.168.x.x, 209.165.200.x and 209.165.201.x networks.]
-
Figure 82-3 Ping Failure Because of IP Addressing Problems
[Figure not reproduced: a host pings the security appliance through a router; the addresses shown are 192.168.1.2, 192.168.1.1 and 192.168.1.2, illustrating an addressing conflict.]
Step 3  Ping each ASA interface from a remote host. For transparent mode, ping the management IP address. This test checks whether the directly connected router can route the packet between the host and the ASA, and whether the ASA can correctly route the packet back to the host.
-
Step 3  Commands:
        class-map ICMP-CLASS
         match access-list ICMPACL
        policy-map ICMP-POLICY
         class ICMP-CLASS
          inspect icmp
        service-policy ICMP-POLICY global
        Example:
        hostname(config)# class-map ICMP-CLASS
        hostname(config-cmap)# match access-list ICMPACL
        hostname(config)# policy-map ICMP-POLICY
        hostname(config-pmap)# class ICMP-CLASS
        hostname(config-pmap-c)# inspect icmp
        hostname(config)# service-policy ICMP-POLICY global
Step 4  Enables the ICMP inspection engine an
-
Disabling the Test Configuration
After you complete your testing, disable the test configuration that allows ICMP to and through the ASA and that prints debugging messages. If you leave this configuration in place, it can pose a serious security risk: ICMP left open to and through the ASA gives an attacker a ready reconnaissance channel, and debugging messages also slow ASA performance. To disable the test configuration, perform the following steps:
Step 1  Command: no debug icmp trace
        Purpose: Disables ICMP debugging messages.
-
• Debug all packet drops in a production network.
• Verify the configuration is working as intended.
• Show all rules applicable to a packet, along with the CLI commands that caused the rule addition.
• Show a time line of packet changes in a data path.
• Inject tracer packets into the data path.
• Search for an IPv4 or IPv6 address based on the user identity and the FQDN.
-
• Disabling Password Recovery, page 82-10
• Resetting the Password on the SSM Hardware Module, page 82-11

Recovering Passwords for the ASA
This procedure needs only console access and the ability to power-cycle the unit, so anyone with physical access to the ASA can obtain administrative access unless password recovery has been disabled (see the “Disabling Password Recovery” section on page 82-10). To recover passwords for the ASA, perform the following steps:
Step 1  Connect to the ASA console port according to the instructions in the “Accessing the Appliance Command-Line Interface” section on page 2-1.
Step 2  Power off the ASA, and then power it on.
-
Step 14  Change the passwords, as required, in the default configuration by entering the following commands:
hostname(config)# password password
hostname(config)# enable password password
hostname(config)# username name password password
Step 15  Restore the default configuration register value, so that the ASA loads its startup configuration on the next boot, by entering the following command:
hostname(config)# no config-register
The default configuration register value is 0x1.
-
Resetting the Password on the SSM Hardware Module
To reset the password to the default of “cisco” on the SSM hardware module, enter the following command:
Note  Make sure that the SSM hardware module is in the Up state and supports password reset.
Command: hw-module module 1 password-reset
Purpose: Resets the password on the module in the specified slot, where 1 is the slot number of the SSM hardware module.
Example:
hostname# hw-module module 1 password-reset
Reset the password on module in slot 1? [confirm] y
-
ADDRESS=10.132.44.177
SERVER=10.129.0.30
GATEWAY=10.132.44.1
PORT=Ethernet0/0
VLAN=untagged
IMAGE=f1/asa840-232-k8.bin
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20
Step 6  Ping the TFTP server by entering the ping server command.
rommon #7> ping server
Sending 20, 100-byte ICMP Echoes to server 10.129.0.30, timeout is 4 seconds:
Success rate is 100 percent (20/20)
Step 7  Load the software image by entering the tftp command.
-
Step 4  Enter the erase command, which overwrites all files and erases the file system, including hidden system files.
rommon #1> erase [disk0: | disk1: | flash:]

Other Troubleshooting Tools
The ASA provides other troubleshooting tools that you can use.
-
of less network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use. To enable debugging messages, see the debug commands in the command reference.

Capturing Packets
Capturing packets is sometimes useful when troubleshooting connectivity problems or monitoring suspicious activity.
-
Symptom  You cannot make a Telnet or SSH connection to the ASA interface.
Possible Cause  You did not enable Telnet or SSH to the ASA.
Recommended Action  Enable Telnet or SSH to the ASA according to the instructions in the “Configuring ASA Access for ASDM, Telnet, or SSH” section on page 37-1.

Symptom  You cannot ping the ASA interface.
Possible Cause  You disabled ICMP to the ASA.
Recommended Action  Enable ICMP to the ASA for your IP address using the icmp command.
-
PART 19 Reference
-
-
APPENDIX A Using the Command-Line Interface
This appendix describes how to use the CLI on the ASA and includes the following sections:
Note
• Firewall Mode and Security Context Mode, page A-1
• Command Modes and Prompts, page A-2
• Syntax Formatting, page A-3
• Abbreviating Commands, page A-3
• Command-Line Editing, page A-3
• Command Completion, page A-4
• Command Help, page A-4
• Filtering show Command Output, page A-4
• Command Output Paging, page A-5
• Adding Comments, page
-
Command Modes and Prompts
The ASA CLI includes command modes. Some commands can only be entered in certain modes. For example, to enter commands that show sensitive information, you need to enter a password and enter a more privileged mode. Then, to ensure that configuration changes are not entered accidentally, you have to enter a configuration mode.
-
From global configuration mode, some commands enter a command-specific configuration mode. All user EXEC, privileged EXEC, global configuration, and command-specific configuration commands are available in this mode. For example, the interface command enters interface configuration mode.
-
Command Completion
To complete a command or keyword after entering a partial string, press the Tab key. The ASA only completes the command or keyword if the partial string matches only one command or keyword. For example, if you enter s and press the Tab key, the ASA does not complete the command because it matches more than one command. However, if you enter dis, the Tab key completes the disable command.
-
Replace regexp with any Cisco IOS regular expression. The regular expression is not enclosed in quotes or double-quotes, so be careful with trailing white space, which is taken as part of the regular expression. When creating regular expressions, you can use any letter or number that you want to match. In addition, certain keyboard characters called metacharacters have special meaning when used in regular expressions.
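The following Python script is an added example and is not part of the Cisco guide: it reimplements the begin, include, exclude and grep [-v] output filters over a constructed sample of show interface output, so the trailing-whitespace behaviour described above can be exercised directly. The sample output and the function names are assumptions made for illustration.

```python
import re

# Constructed sample of "show interface" style output (not captured from a real ASA).
SAMPLE_OUTPUT = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  MAC address 0011.2233.4455, MTU 1500
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
  MAC address 0011.2233.4456, MTU 1500
Interface Management0/0 "management", is administratively down, line protocol is down
  MAC address 0011.2233.4457, MTU 1500
"""


def filter_lines(lines, mode, regexp):
    """Apply one ASA-style output filter to a list of lines.

    begin   - output starts at the first line matching regexp
    include - only lines matching regexp
    exclude - only lines not matching regexp
    The expression is compiled exactly as given: nothing is quoted or stripped,
    so a trailing space typed after the expression becomes part of it.
    """
    pattern = re.compile(regexp)
    if mode == "begin":
        for i, line in enumerate(lines):
            if pattern.search(line):
                return lines[i:]
        return []
    if mode == "include":
        return [line for line in lines if pattern.search(line)]
    if mode == "exclude":
        return [line for line in lines if not pattern.search(line)]
    raise ValueError("unknown filter mode: %r" % mode)


def parse_command(cmdline):
    """Split 'show interface | include ^Interface' into (command, mode, regexp).

    grep and grep -v are accepted as aliases for include and exclude. Only the
    single space after the filter keyword is consumed; everything after it,
    including trailing whitespace, is the expression.
    """
    command, bar, rest = cmdline.partition("|")
    if not bar:
        return command.strip(), None, None
    keyword, _, regexp = rest.lstrip().partition(" ")
    if keyword == "grep":
        if regexp.startswith("-v "):
            return command.strip(), "exclude", regexp[3:]
        return command.strip(), "include", regexp
    if keyword not in ("begin", "include", "exclude"):
        raise ValueError("unknown filter keyword: %r" % keyword)
    return command.strip(), keyword, regexp


def run(cmdline, output=SAMPLE_OUTPUT):
    """Return the lines of `output` that the filtered command line would display."""
    _, mode, regexp = parse_command(cmdline)
    lines = output.splitlines()
    return lines if mode is None else filter_lines(lines, mode, regexp)


if __name__ == "__main__":
    for cmd in ("show interface | include down",
                "show interface | include down ",   # trailing space is part of the regexp
                "show interface | begin Management",
                "show interface | grep -v MAC"):
        print("%-45s -> %d line(s)" % (repr(cmd), len(run(cmd))))
```

With the trailing space, `include down ` matches nothing in the sample, while `include down` matches the Management0/0 line; that is the pitfall the paragraph above warns about.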
-
How Commands Correspond with Lines in the Text File
The text configuration file includes lines that correspond with the commands described in this guide. In examples, commands are preceded by a CLI prompt.
-
Automatic Text Entries
When you download a configuration to the ASA, it inserts some lines automatically. For example, the ASA inserts lines for default settings or for the time the configuration was modified. You do not need to enter these automatic entries when you create your text file.
Line Order
For the most part, commands can be in any order in the file.
-
Supported Character Sets
The ASA CLI currently supports UTF-8 encoding only. UTF-8 is an encoding scheme for Unicode symbols that was designed to be compatible with the ASCII subset of symbols. ASCII characters are represented in UTF-8 as one-byte characters. All other characters are represented in UTF-8 as multibyte symbols. The ASCII printable characters (0x20 to 0x7e) are fully supported.
-
APPENDIX B Addresses, Protocols, and Ports
This appendix provides a quick reference for IP addresses, protocols, and applications. This appendix includes the following sections:
• IPv4 Addresses and Subnet Masks, page B-1
• IPv6 Addresses, page B-5
• Protocols and Applications, page B-11
• TCP and UDP Ports, page B-11
• Local Ports and Protocols, page B-14
• ICMP Types, page B-15

IPv4 Addresses and Subnet Masks
This section describes how to use IPv4 addresses in the ASA.
-
• Class B addresses (128.0.xxx.xxx through 191.255.xxx.xxx) use the first two octets as the network prefix.
• Class C addresses (192.0.0.xxx through 223.255.255.xxx) use the first three octets as the network prefix.
Because Class A addresses have 16,777,214 host addresses, and Class B addresses 65,534 hosts, you can use subnet masking to break these huge networks into smaller subnets.
-
Determining the Subnet Mask
To determine the subnet mask based on how many hosts you want, see Table B-1.
Table B-1 Hosts, Bits, and Dotted-Decimal Masks
Hosts(1)     /Bits Mask  Dotted-Decimal Mask
16,777,216   /8          255.0.0.0      Class A Network
65,536       /16         255.255.0.0    Class B Network
32,768       /17         255.255.128.0
16,384       /18         255.255.192.0
8192         /19         255.255.224.0
4096         /20         255.255.240.0
2048         /21         255.255.248.0
1024         /22         255.255.
-
Table B-2 Class C-Size Network Address (continued)
Subnet with Mask /28 (255.255.255.240)  Address Range(1)               Subnet with Mask /29 (255.255.255.248)  Address Range(1)
192.168.0.16                            192.168.0.16 to 192.168.0.31   —                                       —
                                                                       192.168.0.248                           192.168.0.248 to 192.168.0.255
1. The first and last address of a subnet are reserved. In the first subnet example, you cannot use 192.168.0.0 or 192.168.0.7.
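The arithmetic behind Tables B-1 and B-2, as an added example written for this page (Python standard library only; it is not code from the Cisco guide). The function names are assumptions; the block enumerated is the 192.168.0.0 Class C-size network used in Table B-2.

```python
import ipaddress
import math


def mask_for_hosts(hosts):
    """Smallest block that holds `hosts` addresses, as (prefix_length, dotted_mask).

    Table B-1 counts the whole block, so the network and broadcast addresses
    are included in `hosts` (16,777,216 -> /8, 2048 -> /21).
    """
    if not 1 <= hosts <= 2 ** 32:
        raise ValueError("hosts must be between 1 and 2**32")
    prefix = 32 - math.ceil(math.log2(hosts))
    mask = ipaddress.IPv4Network("0.0.0.0/%d" % prefix).netmask
    return prefix, str(mask)


def usable_range(cidr):
    """(first_usable, last_usable) for a subnet.

    The first and last addresses (network and broadcast) are reserved, as the
    footnote to Table B-2 says, so a /29 offers six usable addresses.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    if net.prefixlen > 30:
        raise ValueError("/31 and /32 have no usable range under these rules")
    first = net.network_address + 1
    last = net.broadcast_address - 1
    return str(first), str(last)


def subnets_of(cidr, new_prefix):
    """Rows of a Table B-2 style listing: (subnet, first_address, last_address)
    for every subnet of `cidr` at `new_prefix`."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return [(str(s.network_address), str(s[0]), str(s[-1]))
            for s in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    for hosts in (16777216, 65536, 32768, 8192, 2048):
        print("%10d hosts -> /%d %s" % ((hosts,) + mask_for_hosts(hosts)))
    for row in subnets_of("192.168.0.0/24", 29):
        print("%-14s %s to %s" % row)
```

Running the block prints the first rows of Table B-1 and the full /29 column of Table B-2; `usable_range` applies the reserved first/last rule from the footnote.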
-
IPv6 Addresses
IPv6 is the next generation of the Internet Protocol after IPv4. It provides an expanded address space, a simplified header format, improved support for extensions and options, flow labeling capability, and authentication and privacy capabilities. IPv6 is described in RFC 2460. The IPv6 addressing architecture is described in RFC 3513.
-
Note  Two colons (::) can be used only once in an IPv6 address to represent successive fields of zeros.
An alternative form of the IPv6 format is often used when dealing with an environment that contains both IPv4 and IPv6 addresses. This alternative has the format x:x:x:x:x:x:y.y.y.
-
Global Address
The general format of an IPv6 global unicast address is a global routing prefix followed by a subnet ID followed by an interface ID. The global routing prefix can be any prefix not reserved by another IPv6 address type (see the “IPv6 Address Prefixes” section on page B-10 for information about the IPv6 address type prefixes).
-
Unspecified Address
The unspecified address, 0:0:0:0:0:0:0:0, indicates the absence of an IPv6 address. For example, a newly initialized node on an IPv6 network may use the unspecified address as the source address in its packets until it receives its IPv6 address.
Note  The IPv6 unspecified address cannot be assigned to an interface.
-
Figure B-1 IPv6 Multicast Address Format
[Figure not reproduced. Of the 128 bits: the first 8 bits are 1111 1111 (FF); a 4-bit Flag field (0 = permanent, 1 = temporary); a 4-bit Scope field (1 = node, 2 = link, 4 = admin, 5 = site, 8 = organization, E = global); the remaining bits identify the group.]
IPv6 nodes (hosts and routers) are required to join the following multicast groups:
• The All Nodes multicast addresses:
  – FF01:: (interface-local)
  – FF02:: (link-local)
• The Solicited-Node Address
-
Note  An anycast address cannot be assigned to an IPv6 host; it can only be assigned to an IPv6 router. Anycast addresses are not supported on the ASA.
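An added example, not part of this appendix, covering the IPv6 address rules of this section: the single-:: rule from the note above, the x:x:x:x:x:x:y.y.y.y mixed form, the Flag and Scope fields of Figure B-1, and the solicited-node group that a node must join for each of its unicast addresses. The function names and the sample addresses (drawn from the RFC 3849 documentation prefix 2001:db8::/32) are assumptions; the field layout follows RFC 4291.

```python
import ipaddress

# Scope nibble values from Figure B-1 (RFC 4291, section 2.7).
MULTICAST_SCOPES = {
    0x1: "interface-local",
    0x2: "link-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}


def expand(text):
    """Return the eight-group, zero-padded form of an IPv6 address.

    '::' may stand for one run of zero groups only; a second '::' is rejected
    before parsing, as the note above requires.
    """
    if text.count("::") > 1:
        raise ValueError("'::' may appear at most once: %r" % text)
    return ipaddress.IPv6Address(text).exploded


def mixed_form(text):
    """Render an address as x:x:x:x:x:x:y.y.y.y (low 32 bits in dotted decimal)."""
    groups = ipaddress.IPv6Address(text).exploded.split(":")
    low32 = (int(groups[6], 16) << 16) | int(groups[7], 16)
    hex_part = ":".join(g.lstrip("0") or "0" for g in groups[:6])
    return "%s:%s" % (hex_part, ipaddress.IPv4Address(low32))


def decode_multicast(text):
    """Split a multicast address into its Flag, Scope and group ID fields.

    Layout: 8 bits 0xFF, 4-bit flags (low bit 0 = permanent, 1 = temporary),
    4-bit scope, then the 112-bit group ID.
    """
    addr = ipaddress.IPv6Address(text)
    if not addr.is_multicast:
        raise ValueError("%s is not a multicast address" % addr)
    value = int(addr)
    flags = (value >> 116) & 0xF
    scope = (value >> 112) & 0xF
    return {
        "transient": bool(flags & 0x1),
        "scope": MULTICAST_SCOPES.get(scope, "unassigned(%x)" % scope),
        "group_id": value & ((1 << 112) - 1),
    }


def solicited_node(text):
    """Solicited-node multicast group for a unicast address: FF02::1:FFxx:xxxx,
    where xx:xxxx are the low 24 bits of the unicast address (RFC 4291, 2.7.1)."""
    low24 = int(ipaddress.IPv6Address(text)) & 0xFFFFFF
    return str(ipaddress.IPv6Address((0xFF02 << 112) | (0x1FF << 24) | low24))


if __name__ == "__main__":
    # Constructed sample addresses; 2001:db8::/32 is the documentation prefix.
    for a in ("2001:db8::1:2:3", "fe80::1"):
        print("%-20s expands to %s, joins %s" % (a, expand(a), solicited_node(a)))
    print(decode_multicast("ff02::1"))
    print(mixed_form("::ffff:192.0.2.1"))
```

`solicited_node` is the group a host joins for Neighbor Discovery, which is why the section lists it among the groups every node must belong to; `decode_multicast` reports the link-local scope of FF02::1 and flags a transient (Flag = 1) group such as FF15::.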
-
Protocols and Applications
Table B-6 lists the protocol literal values and port numbers; either can be entered in ASA commands.
Table B-6 Protocol Literal Values
Literal  Value  Description
ah       51     Authentication Header for IPv6, RFC 1826.
eigrp    88     Enhanced Interior Gateway Routing Protocol.
esp      50     Encapsulated Security Payload for IPv6, RFC 1827.
gre      47     Generic Routing Encapsulation.
-
• To assign a port for DNS access, use the domain literal value, not dns. If you use dns, the ASA assumes you meant to use the dnsix literal value.
Port numbers can be viewed online at the IANA website: http://www.iana.
-
Table B-7 Port Literal Values (continued)
Literal      TCP or UDP?  Value  Description
klogin       TCP          543    KLOGIN
kshell       TCP          544    Korn Shell
ldap         TCP          389    Lightweight Directory Access Protocol
ldaps        TCP          636    Lightweight Directory Access Protocol (SSL)
lpd          TCP          515    Line Printer Daemon - printer spooler
login        TCP          513    Remote login
lotusnotes   TCP          1352   IBM Lotus Notes
mobile-ip    UDP          434    MobileIP-Agent
nameserver   UDP          42     Host Nam
-
Table B-7 Port Literal Values (continued)
Literal  TCP or UDP?  Value  Description
tftp     UDP          69     Trivial File Transfer Protocol
time     UDP          37     Time
uucp     TCP          540    UNIX-to-UNIX Copy Program
who      UDP          513    Who
whois    TCP          43     Who Is
www      TCP          80     World Wide Web
xdmcp    UDP          177    X Display Manager Control Protocol

Local Ports and Protocols
Table B-8 lists the protocols, TCP ports, and UDP ports that the ASA may open to process tr
-
Table B-8 Protocols and Ports Opened by Features and Services (continued)
Feature or Service   Protocol  Port Number  Comments
PIM                  103       N/A          Protocol only open on destination IP address 224.0.0.13
RIP                  UDP       520          —
RIPv2                UDP       520          Port only open on destination IP address 224.0.0.9
SNMP                 UDP       161          Configurable.
SSH                  TCP       22           —
Stateful Update      8 and 9   N/A          —
Telnet               TCP       23           —
VPN Load Balancing   UDP       9023         Configurable.
-
APPENDIX C Configuring an External Server for Authorization and Authentication
This appendix describes how to configure an external LDAP, RADIUS, or TACACS+ server to support AAA on the ASA. Before you configure the ASA to use an external server, you must configure the server with the correct ASA authorization attributes and, from a subset of these attributes, assign specific permissions to individual users.
-
For LDAP servers, any attribute name can be used to set the group policy for the session. The LDAP attribute map that you configure on the ASA maps the LDAP attribute to the Cisco attribute IETF-Radius-Class.
4.
-
Note  For more information about the LDAP protocol, see RFCs 1777, 2251, and 2849.
-
• Search Scope defines the extent of the search in the LDAP hierarchy. The search proceeds this many levels in the hierarchy below the LDAP Base DN. You can choose to have the server search only the level immediately below the Base DN, or the entire subtree. A single-level search is quicker, but a subtree search is more extensive.
-
Appendix C Configuring an External Server for Authorization and Authentication Configuring an External LDAP Server Note As an LDAP client, the ASA does not support the transmission of anonymous binds or requests.
-
Table C-2  ASA Supported Cisco Attributes for LDAP Authorization (continued)

Columns: Attribute Name | VPN 3000 / ASA / PIX | Syntax/Type | Single or Multi-Valued | Possible Values

Access-Hours | Y Y Y | String | Single |
Allow-Network-Extension-Mode | Y Y Y | Boolean | Single | 0 = Disabled, 1 = Enabled
Authenticated-User-Idle-Timeout | Y Y Y | Integer | Single | 1 - 35791394 minutes
Authorization-Required | Y | Integer | Single |
Group-Policy | Y Y | String | Single | Sets the group policy for the remote access VPN session. For version 8.2 and later, use this attribute instead of IETF-Radius-Class.
IETF-Radius-Service-Type | Y Y Y | Integer | Single | 1 = Login, 2 = Framed, 5 = Remote access, 6 = Administrative, 7 = NAS prompt
IETF-Radius-Session-Timeout | Y Y Y | Integer | Single | Seconds
IKE-Keep-Alives | Y Y Y | Boolean | Single |
IPsec-Over-UDP-Port | Y Y Y | Integer | Single | 4001 - 49151; the default is 10000.
Primary-DNS | Y Y Y | String | Single | An IP address
Primary-WINS | Y Y Y | String | Single | An IP address
Privilege-Level | | Integer | Single | For usernames, 0 - 15
Required-Client-Firewall-Vendor-Code | Y Y Y | Integer | Single | 1
Tunneling-Protocols | Y | Integer | Single |
Use-Client-Address | Y | Boolean | Single | 0 = Disabled, 1 = Enabled
User-Auth-Server-Name | Y | String | Single | IP address or hostname
User-Auth-Server-Port | Y | Integer | Single | Port number fo
WebVPN-Macro-Substitution-Value1 | Y Y | String | Single | See the SSL VPN Deployment Guide for examples at the following URL: http://supportwiki.cisco.com/ViewWiki/index.php/Cisco_ASA_5500_SSL_VPN_Deployment_Guide%2C_Version_8.
WebVPN-SVC-Rekey-Period | Y Y | Integer | Single | 0 = Disabled, n = Retry period in minutes (4 - 10080)
WebVPN-SVC-Required-Enable | Y Y | Integer | Single | 0 = Disabled, 1 = Enabled
WebVPN-URL-Entry-Enable | Y Y | Integer | Single | 0
Table C-3  AV-Pair Attribute Syntax Rules (continued)

Field    Description
Source   Network or host that sends the packet. Specify it as an IP address, a hostname, or the any keyword. If using an IP address, the source wildcard mask must follow. This field does not apply to Clientless SSL VPN because the ASA has the role of the source or proxy.
The following URL types are supported.

any (All URLs)
cifs://
citrix://
citrixs://
ftp://
http://
https://
ica://
imap4://
pop3://
post://
rdp://
rdp2://
smart-tunnel://
smtp://
ssh://
telnet://
vnc://

The URLs listed in this table appear in CLI or ASDM menus based on whether or not the associated plug-in is enabled.
Table C-5  ASA-Supported Tokens (continued)

Token   Syntax Field   Description
gt      Operator       Greater than value
eq      Operator       Equal to value
neq     Operator       Not equal to value
range   Operator       Inclusive range. Should be followed by two values.
Step 2  Click the General tab and enter banner text in the Office field, which uses the AD/LDAP attribute physicalDeliveryOfficeName.

Figure C-3  LDAP User Configuration

Step 3  Create an LDAP attribute map on the ASA.
Figure C-4  Banner Displayed

Placing LDAP Users in a Specific Group Policy

The following example shows how to authenticate User1 on the AD LDAP server to a specific group policy on the ASA. On the server, use the Department field of the Organization tab to enter the name of the group policy. Then create an attribute map and map Department to the Cisco attribute IETF-Radius-Class.
Figure C-5  AD/LDAP Department Attribute

Step 3  Define an attribute map for the LDAP configuration shown in Step 1. The following example shows how to map the AD attribute Department to the Cisco attribute IETF-Radius-Class.
[29] Retrieved Attributes:
[29]   department: value = Group-Policy-1
[29]           mapped to IETF-Radius-Class: value = Group-Policy-1

Enforcing Static IP Address Assignment for AnyConnect Tunnels

In this example, configure the AnyConnect client user Web1 to receive a static IP address. Then enter the address in the Assign Static IP Address field of the Dialin tab on the AD LDAP server.
The following example shows how to map the AD attribute msRADIUSFramedIPAddress used by the Static Address field to the Cisco attribute IETF-Radius-Framed-IP-Address:

hostname(config)# ldap attribute-map static_address
hostname(config-ldap-attribute-map)# map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address

Step 4  Associate the LDAP attribute map to the AAA server.
Figure C-8  AnyConnect Session Established

Step 7  Use the show vpn-sessiondb svc command to view the session details and verify the address assigned:

hostname# show vpn-sessiondb svc

Session Type: SVC

Username     : web1                   Index        : 31
Assigned IP  : 10.1.1.2               Public IP    : 10.86.181.
Table C-6  Bitmap Values for Cisco Tunneling-Protocol Attribute (continued)

Value   Tunneling Protocol
16      Clientless SSL
32      SSL client—AnyConnect or SSL VPN client
64      IPsec (IKEv2)

1. IPsec and L2TP over IPsec are not supported simultaneously. Therefore, the values 4 and 8 are mutually exclusive.
2. See note 1.
Note: If you select the Control access through the Remote Access Policy option, then a value is not returned from the server, and the permissions that are enforced are based on the internal group policy settings of the ASA.

Step 3  Create an attribute map to allow both an IPsec and AnyConnect connection, but deny a clientless SSL connection.
Figure C-11  Login Denied Message for AnyConnect Client User

Enforcing Logon Hours and Time-of-Day Rules

The following example shows how to configure and enforce the hours that a clientless SSL user (such as a business partner) is allowed to access the network. On the AD server, use the Office field to enter the name of the partner, which uses the physicalDeliveryOfficeName attribute.
Figure C-12  Active Directory Properties Dialog Box

Step 3  Create an attribute map. The following example shows how to create the attribute map access_hours and map the AD attribute physicalDeliveryOfficeName used by the Office field to the Cisco attribute Access-Hours.
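The attribute-map examples in this appendix (Department to IETF-Radius-Class, msRADIUSFramedIPAddress to IETF-Radius-Framed-IP-Address, and physicalDeliveryOfficeName to Access-Hours) each show one map-name line in isolation. The configuration below, added here as an illustration and not taken from the guide, puts the pieces together in one ASA configuration: a single attribute map carrying all three mappings, the AAA server group it is attached to, the time-range that an Access-Hours value must name, and the tunnel group that uses the server group. The server tag ADSERV, the address 192.0.2.10, the base DN, the bind DN and password, the group-policy name Group-Policy-1, the department value Engineering, and the time-range name partner-hours are placeholders, not values from the guide.

```cisco
! Added example configuration for this appendix; all names and addresses
! below are placeholders and must be replaced with site-specific values.

! One attribute map can hold several LDAP-to-Cisco attribute mappings.
ldap attribute-map AD_TO_ASA
 ! Department field (AD attribute "department") selects the group policy.
 map-name department IETF-Radius-Class
 ! map-value translates a specific AD value into the ASA group-policy name,
 ! so the AD field does not have to contain the literal policy name.
 map-value department Engineering Group-Policy-1
 ! Dial-in "Assign Static IP Address" field -> per-user VPN address.
 map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
 ! Office field -> Access-Hours; the Cisco value must name an ASA time-range.
 map-name physicalDeliveryOfficeName Access-Hours
 map-value physicalDeliveryOfficeName Partner partner-hours

! Time range referenced by the Access-Hours value above (placeholder hours).
time-range partner-hours
 periodic weekdays 08:00 to 18:00

! AAA server group. The ASA never binds anonymously, so a bind DN and
! password are required; LDAP over SSL keeps those credentials and the
! retrieved attributes off the wire in clear text.
aaa-server ADSERV protocol ldap
aaa-server ADSERV (inside) host 192.0.2.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=service,dc=example,dc=com
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
 ! Attach the map; this is the "associate the attribute map" step.
 ldap-attribute-map AD_TO_ASA

! Tunnel group that authenticates against the LDAP server group.
tunnel-group RemoteAccess general-attributes
 authentication-server-group ADSERV
```

To confirm the mapping before rolling it out, run `debug ldap 255` and then `test aaa-server authentication ADSERV host 192.0.2.10 username <user> password <pass>`; the debug output should show the retrieved AD attribute followed by the "mapped to" line, as in the `[29] department: value = Group-Policy-1` / `mapped to IETF-Radius-Class` excerpt earlier in this appendix. If the "mapped to" line is absent, the usual causes are a misspelled AD attribute name in map-name (names are matched as the server returns them) or a map-value whose AD value does not match the field contents exactly.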
Configuring an External RADIUS Server

This section presents an overview of the RADIUS configuration procedure and defines the Cisco RADIUS attributes.
are sent from the ASA to the RADIUS server for authentication and authorization requests. All four previously listed attributes are sent from the ASA to the RADIUS server for accounting start, interim-update, and stop requests. Upstream RADIUS attributes 146, 150, 151, and 152 were introduced in ASA Version 8.4.3.
Table C-7  ASA Supported RADIUS Attributes and Values (continued)

Columns: Attribute Name | VPN 3000 / ASA / PIX | Attr. No. | Syntax/Type | Single or Multi-Valued | Description or Value

IPsec-Over-UDP | Y Y Y | 34 | Boolean | Single | 0 = Disabled, 1 = Enabled
IPsec-Over-UDP-Port | Y Y Y | 35 | Integer | Single | 4001 - 49151. The default is 10000.
IPv6-VPN-Filter | Y | 219 | String | Single | ACL value
Privilege-Level | Y | 220 | Integer | Single | An integer between 0 and 15.
WebVPN-Macro-Value1 | Y Y | 223 | String | Single | Unbounded.
Table C-8  ASA Supported IETF RADIUS Attributes and Values

Columns: Attribute Name | VPN 3000 / ASA / PIX | Attr. No. | Syntax/Type | Single or Multi-Valued | Description or Value

IETF-Radius-Service-Type | Y Y Y | 6 | Integer | Single | Seconds. Possible Service Type values:
  Administrative—User is allowed access to configure prompt.
  NAS-Prompt—User is allowed access to exec prompt.
Configuring an External TACACS+ Server

The ASA provides support for TACACS+ attributes. TACACS+ separates the functions of authentication, authorization, and accounting. The protocol supports two types of attributes: mandatory and optional. Both the server and client must understand a mandatory attribute, and the mandatory attribute must be applied to the user.
Table C-10  Supported TACACS+ Accounting Attributes (continued)

Attribute   Description
task_id     Specifies a unique task ID for the accounting transaction.
username    Indicates the name of the user.
GLOSSARY

Numerics

3DES
    See DES.

A

AAA
    Authentication, authorization, and accounting. See also TACACS+ and RADIUS.

ABR
    Area Border Router. In OSPF, a router with interfaces in multiple areas.

ACE
    access control entry. Information entered into the configuration that lets you specify what type of traffic to permit or deny on an interface.

A record address
    "A" stands for address, and refers to name-to-address mapped records in DNS.

APCF
    Application Profile Customization Framework. Lets the security appliance handle nonstandard applications so that they render correctly over a clientless SSL VPN connection.

ARP
    Address Resolution Protocol. A low-level TCP/IP protocol that maps a hardware address, or MAC address, to an IP address. An example hardware address is 00:00:a6:00:01:ba.

C

CA
    Certificate Authority, Certification Authority. A third-party entity that is responsible for issuing and revoking certificates. Each device with the public key of the CA can authenticate a device that has a certificate issued by the CA. The term CA also refers to software that provides CA services. See also certificate, CRL, public key, RA.
Content Rewriting/Transformation
    Interprets and modifies applications so that they render correctly over a clientless SSL VPN connection.

cookie
    A cookie is an object stored by a browser. Cookies hold information, such as user preferences, in persistent storage.

CPU
    Central Processing Unit. Main processor.

CRC
    Cyclical Redundancy Check.

data origin authentication
    A security service where the receiver can verify that protected data could have originated only from the sender. This service requires a data integrity service plus a key distribution mechanism, where a secret key is shared only between the sender and receiver.

decryption
    Application of a specific algorithm or cipher to encrypted data so as to render the data comprehensible to those who are authorized to see the information. See also encryption.

Dynamic NAT
    See NAT and address translation.

Dynamic PAT
    Dynamic Port Address Translation. Dynamic PAT lets multiple outbound sessions appear to originate from a single IP address. With PAT enabled, the ASA chooses a unique port number from the PAT IP address for each outbound translation slot (xlate). This feature is valuable when an ISP cannot allocate enough unique IP addresses for your outbound connections. The global pool addresses always come first, before a PAT address is used.

FragGuard
    Provides IP fragment protection and performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the ASA.

FTP
    File Transfer Protocol. Part of the TCP/IP protocol stack, used for transferring files between hosts.

G

GGSN
    gateway GPRS support node. A wireless gateway that allows mobile cell phone users to access the public data network or specified private IP networks.
H.323
    Allows dissimilar communication devices to communicate with each other by using a standardized communication protocol. H.323 defines a common set of CODECs, call setup and negotiating procedures, and basic data transport methods.

H.323 RAS
    Registration, admission, and status signaling protocol. Enables devices to perform registration, admissions, bandwidth changes, and status and disengage procedures between VoIP gateway and the gatekeeper.

H.450.

IKE
    Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for services (such as IPsec) that require keys. Before any IPsec traffic can be passed, each ASA must verify the identity of its peer. Identification can be done by manually entering preshared keys into both hosts or by a CA service. IKE is a hybrid protocol that uses part Oakley and part of another protocol suite called SKEME inside the ISAKMP framework.

intranet
    Intranetwork. A LAN that uses IP. See also network and Internet.

IP
    Internet Protocol. IP protocols are the most popular nonproprietary protocols because they can be used to communicate across any set of interconnected networks and are equally well suited for LAN and WAN communications.

IPS
    Intrusion Prevention Service. An in-line, deep-packet inspection-based solution that helps mitigate a wide range of network attacks.

IP address
    An IP protocol address.

K

key
    A data object used for encryption, decryption, or authentication.

L

L2TP
    Layer Two Tunneling Protocol. An IETF standards track protocol defined in RFC 2661 that provides tunneling of PPP. L2TP is an extension to the PPP. L2TP merges the older Cisco Layer Two Forwarding (L2F) protocol with PPTP. L2TP can be used with IPsec encryption and is considered more secure against attack than PPTP.

LAN
    Local area network. A network residing in one location, such as a single building or campus.
MGCP
    Media Gateway Control Protocol. Media Gateway Control Protocol is a protocol for the control of VoIP calls by external call-control elements known as media gateway controllers or call agents. MGCP merges the IPDC and SGCP protocols.

Mode
    See Access Modes.

Mode Config
    See IKE Mode Configuration.

Modular Policy Framework
    A means of configuring ASA features in a manner similar to Cisco IOS software Modular QoS CLI.

MS
    mobile station.

node
    Devices such as routers and printers that would not normally be called hosts. See also host, network.

nonvolatile storage
    Storage or memory that, unlike RAM, retains its contents without power. Data in a nonvolatile storage memory device survives a power-off, power-on cycle.

NSAPI
    network service access point identifier. One of two components of a GTP tunnel ID, the other component being the IMSI. See also IMSI.

NSSA
    not-so-stubby-area. An OSPF feature described by RFC 1587.

PFS
    Perfect Forwarding Secrecy. PFS enhances security by using a different security key for the IPsec Phase 1 and Phase 2 SAs. Without PFS, the same security key is used to establish SAs in both phases. PFS ensures that a given IPsec SA key was not derived from any other secret (like some other keys). In other words, if someone were to break a key, PFS ensures that the attacker would not be able to derive any other key.

PPTP
    Point-to-Point Tunneling Protocol. PPTP was introduced by Microsoft to provide secure remote access to Windows networks; however, because it is vulnerable to attack, PPTP is commonly used only when stronger security methods are not available or are not required. PPTP Ports are pptp, 1723/tcp, 1723/udp, and pptp. For more information about PPTP, see RFC 2637. See also PAC, PPTP GRE, PPTP GRE tunnel, PNS, PPTP session, and PPTP TCP.

PPTP GRE
    Version 1 of GRE for encapsulating PPP traffic.
Q

QoS
    quality of service. Measure of performance for a transmission system that reflects its transmission quality and service availability.

R

RA
    Registration Authority. An authorized proxy for a CA. RAs can perform certificate enrollment and can issue CRLs. See also CA, certificate, public key.

RADIUS
    Remote Authentication Dial-In User Service. RADIUS is a distributed client/server system that secures networks against unauthorized access.

RSH
    Remote Shell. A protocol that allows a user to execute commands on a remote system without having to log in to the system. For example, RSH can be used to remotely examine the status of a number of access servers without connecting to each communication server, executing the command, and then disconnecting from the communication server.

RTCP
    RTP Control Protocol. Protocol that monitors the QoS of an IPv6 RTP connection and conveys information about the ongoing session. See also RTP.

security context
    You can partition a single ASA into multiple virtual firewalls, known as security contexts. Each context is an independent firewall, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple stand-alone firewalls.

security services
    See cryptography.

serial transmission
    A method of data transmission in which the bits of a data character are transmitted sequentially over a single channel.

spoofing
    A type of attack designed to foil network security mechanisms such as filters and access lists. A spoofing attack sends a packet that claims to be from an address from which it was not actually sent.

SQL*Net
    Structured Query Language Protocol. An Oracle protocol used to communicate between client and server processes.

SSC
    Security Services Card for the ASA 5505. For example, the AIP SSC.

SSH
    Secure Shell.
TCP Intercept
    With the TCP intercept feature, once the optional embryonic connection limit is reached, and until the embryonic connection count falls below this threshold, every SYN bound for the affected server is intercepted. For each SYN, the ASA responds on behalf of the server with an empty SYN/ACK segment. The ASA retains pertinent state information, drops the packet, and waits for the client acknowledgment.

tunnel
    A method of transporting data in one protocol by encapsulating it in another protocol. Tunneling is used for reasons of incompatibility, implementation simplification, or security. For example, a tunnel lets a remote VPN client have encrypted access to a private network.

Turbo ACL
    Increases ACL lookup speeds by compiling them into a set of lookup tables. Packet headers are used to access the tables in a small, fixed number of lookups, independent of the existing number of ACL entries.

VoIP
    Voice over IP. VoIP carries normal voice traffic, such as telephone calls and faxes, over an IP-based network. DSP segments the voice signal into frames, which are coupled in groups of two and stored in voice packets. These voice packets are transported using IP in compliance with ITU-T specification H.323.

VPN
    Virtual Private Network.

xauth
    See IKE Extended Authentication.

xlate
    An xlate, also referred to as a translation entry, represents the mapping of one IP address to another, or the mapping of one IP address/port pair to another.
INDEX adding Symbols types /bits subnet masks B-3 35-11 35-1 support summary ? web clients command string help A-4 35-3 38-6 abbreviating commands A-4 A-3 ABR definition of 24-2 Access Control Server Numerics 70-4, 70-13 Access Group pane description 4GE SSM connector types 26-7 access hours, username attribute 6-12 67-81 fiber 6-12 accessing the security appliance using SSL SFP 6-12 accessing the security appliance using TKS1 802.1Q tagging 802.
-
Index object groups outbound device initialization 13-2 primary unit 34-3 phone proxy remarks triggers 15-5 scheduling activation types username for Clientless SSL VPN 67-88 62-4 Active Directory procedures ActiveX filtering 7-7 C-16 to ?? 39-2 Adaptive Security Algorithm ACEs description activation key entering 3-33 location 3-32 obtaining actions description about 63-1 using ICMP for 63-3 37-11 administrative distance configuring asymmetric routing support failover criteri
-
Index application inspection about protected switch ports Security Plus license 42-1 applying server (headend) 42-6 configuring SPAN 42-6 inspection class map 7-4 about Application Profile Customization Framework 74-84 59-1 ARP inspection basic settings cabling 4-12 failover 61-15 ASA (Adaptive Security Algorithm) 59-19 59-4 management access Base license 59-2 management defaults 7-2 client 59-5 management IP address authentication monitoring 71-12 configuration restrictio
-
Index asymmetric routing support username attribute for Clientless SSL VPN 63-18 attacks Auto-Update, configuring DNS request for all records DNS zone transfer 57-10 57-10 DNS zone transfer from high port fragmented ICMP traffic IP fragment B 57-10 57-6, 57-9 backup server attributes, group policy 57-4, 57-7 ping of death 57-4, 57-7 banner message, group policy 57-6, 57-9 See threat detection proxied RPC request 57-10 before configuring KCD statd buffer overflow 57-11 bits subnet ma
-
Index graylist cascading access lists description CA server 55-2 dropping traffic 55-13 guidelines and limitations information about licensing 55-6 55-1 41-4 Geotrust 41-4 Godaddy 41-4 41-4 Netscape 55-17 static database 41-4 RSA Keon adding entries syslog messages Thawte 55-9 information about task flow Digicert iPlanet 55-6 monitoring 41-4 41-4 certificate 55-3 authentication, e-mail proxy 55-17 55-7 threat level dropping traffic 64-23 Cisco Unified Mobility 50-5 Ci
-
Index architecture client 50-2 ASA role 47-2, 47-3 VPN 3002 hardware, forcing client update certificate 50-5 Windows, client update notification functionality client access rules, group policy 50-1 NAT and PAT requirements trust relationship 50-3, 50-4 clientless authentication 50-5 Cisco Unified Presence ASA role debugging the TLS Proxy 51-8 51-14 NAT and PAT requirements sample configuration 51-2 client mode client update, performing cluster mixed scenarios Class A, B, and C addre
-
Index connection blocking group policy attribute 57-2 connection limits 67-71 login windows for users 67-27 configuring 53-1 username attribute per context 5-17 username attribute for Clientless SSL VPN connect time, maximum, username attribute console port logging logging output destination AAA performance about contexts See security contexts about 74-10 basic settings cabling 64-35 crypto map failover acccess lists definition dynamic monitoring 69-12 64-20 59-3 reload 59-18 s
-
Index date and time in messages DDNS server 77-18 transparent firewall 12-2 debug messages DHCP Relay panel class DHCP services 5-9 DefaultL2Lgroup Group 5 67-1 domain name, group policy group policy LAN-to-LAN tunnel group SSL 22-4 default configuration 32-7 C-3 disabling content rewrite 74-83 DMZ, definition dynamic 22-4 77-18 77-18 1-24 about flow-create events 43-1 rewrite, about 78-9 deleting files from Flash deny in a crypto map 43-2 managing delay sending deny flows
-
Index dynamic crypto map creating DUAL algorithm 64-32 69-12 See also crypto map Dynamic DNS dynamic NAT about hello interval 27-13 hello packets 27-1 hold time 12-2 27-2 27-2, 27-13 neighbor discovery stub routing 29-8 network object NAT twice NAT 27-3 stuck-in-active 30-4 27-1 27-2 e-mail 31-4 configuring for WebVPN dynamic PAT network object NAT proxies, WebVPN 30-6 74-79 74-79 See also NAT proxy, certificate authentication twice NAT WebVPN, configuring 31-8 E enable c
-
Index passive 6-6 forcing monitoring 6-33 guidelines overview 60-6, 79-17 health monitoring 6-5 port priority 62-16, 63-23 interface health 6-27 system priority 61-15 interface monitoring 6-29 Ethernet interface tests Auto-MDI/MDIX duplex speed 6-11, 7-5 61-15 61-3 MAC addresses jumbo frames, ASA 5580 8-11, 9-14 61-15 link communications 6-2, 7-4 6-11, 7-5 MTU 61-14 about 6-32 62-2 automatically assigning monitoring, health EtherType access list network tests compatibi
-
Index servers supported group-lock, username attribute 39-6 show command output URLs group policy A-4 address pools 39-1, 39-7 filtering messages attributes 77-4 firewall custom configuring 67-66 Cisco Security Agent definition 67-67 firewall policy 67-63 IP phone bypass 67-63 removing files LEAP Bypass 81-2 flash memory available for logs 67-54 flow control for 10 Gigabit Ethernet flow-export actions 78-4 format of messages 77-3 fragmentation policy, IPsec split-tunneling d
-
Index port forward errors 67-75 port-forward-name sso-server url-list reconfiguring 67-76 WebVPN 67-77 HSRP 67-74 groups SNMP 74-73 74-72 4-4 html-content-filter group policy attribute for Clientless SSL VPN 79-16 GTP inspection about 74-72 username attribute for Clientless SSL VPN 67-72 67-86 HTTP 46-3 configuring filtering 46-3 39-1 HTTP(S) authentication H filtering H.
-
Index IKE enabling benefits failover monitoring 64-2, 73-3 creating policies fiber 64-11 keepalive setting, tunnel group 67-4 pre-shared key, Easy VPN client on the ASA 5505 71-7 IDs IM 5-22 manually assigning to interfaces 45-1 mapped name inbound access lists 79-16 redundant 34-3 SFP Individual user authentication 71-12 information reply, ICMP message information request, ICMP message B-15 inheritance tunnel group inside, definition 6-11, 7-5 subinterfaces internal group policy
-
Index modes command support for 65-2 over UDP, group policy, configuring attributes remote-access tunnel group format 67-49 67-8 setting maximum active VPN sessions 66-3 IPsec access list 64-27 basic configuration with static crypto maps Cisco VPN Client configuring B-10 types of B-6 B-6 28-11 64-2 64-1 disabling in aggressive mode 64-15 keepalive setting, tunnel group 64-19 IPSec parameters, tunnel group 67-8 58-1 J Java applet filtering 58-7 58-2 Java object signing sending traf
-
Index Kerberos tickets obtaining 3-33 clearing 74-48 ASA 5505 3-2 showing 74-47 ASA 5510 3-3, 3-8 ASA 5520 3-4 ASA 5540 3-5 ASA 5550 3-6 ASA 5580 3-7 L L2TP description LACP 65-1 ASA 5585-X 6-6 LAN-to-LAN tunnel group, configuring large ICMP traffic attack 67-17 Cisco Unified Communications Proxy features 57-6, 57-9 default reducing 3-21 evaluation 54-1 configuring failover 54-2, 54-3 54-8 Layer 2 firewall 3-21 3-31 guidelines 3-31 managing 3-1 preinstalled See t
-
Index cluster configurations concepts logging feature history 66-9 logging queue 66-6 eligible clients configuring 66-8 eligible platforms implementing banner, configuring 66-7 console 66-10 FTP 66-8 local user database adding a user 35-20 logging in support local user 37-20 password 10-1 SSH 35-8 2-2 67-81 37-5 Telnet 37-31 logging access lists 38-3 simultaneous, username attribute 37-20 lockout recovery 2-1 global configuration mode 35-20 configuring 37-7 2-1 enable
-
Index default settings mgmt0 interfaces 16-2, 17-2, 18-2, 34-7 management IP address, transparent firewall man-in-the-middle attack 9-7 MIBs 4-10 mapped addresses guidelines reply, ICMP message Microsoft Internet Explorer client parameters, configuring 67-57 B-15 request, ICMP message B-15 Microsoft KCD 10-6 74-41, 74-42 Microsoft Windows CA, supported match commands 33-4 Layer 3/4 class map 32-12, 32-15 matching, certificate group 64-17 MMP inspection maximum connect time,username a
See also policy map MPLS LDP TDP 29-16 29-21 comparison with twice NAT description about 67-57 29-17 configuring 8-11, 9-14 MTU size, Easy VPN client, ASA 5505 multicast traffic 71-5 4-4 multiple context mode 77-2 See security contexts 30-1 dynamic NAT 30-4 dynamic PAT 30-6 examples 30-15 guidelines 30-2 identity NAT monitoring 30-12 30-14 prerequisites N static NAT no proxy ARP NAC 29-1 bidirectional initiation 21-11 routed mode 29-13 route lookup 30-13, 31-24 ru
flat range for PAT network extension mode 31-8 twice NAT 71-3 network extension mode, group policy about Network Ice firewall 29-17 comparison with network object NAT configuring 29-16 67-67 network object NAT about 31-1 29-17 dynamic NAT 31-4 comparison with twice NAT dynamic PAT 31-8 configuring 31-24 dynamic NAT 30-4 guidelines 31-2 dynamic PAT 30-6 31-20 monitoring 31-24 prerequisites static NAT examples 30-15 guidelines 30-2 identity NAT 31-2 monitoring 31-
See network object NAT open ports packet flow routed firewall B-14 operating systems, posture validation exemptions 70-11 OSPF area authentication 24-11 area MD5 authentication area parameters 82-7 paging screen displays A-5 parameter problem, ICMP message B-15 82-11 24-9 defining a static neighbor interaction with NAT interface parameters 24-12 24-2 24-8 link-state advertisement 24-2 logging neighbor states 24-13 changing 10-2 recovery 82-8 security appliance 10-1 usernam
NAT and PAT requirements ports exemptions 48-8 revalidation timer 48-7 rate limiting 48-16 sample configurations SAST keys 48-43 power over Ethernet 7-4 PPPoE, configuring 72-1 to 72-5 TLS Proxy on ASA, described CSC SSM 47-3 60-5 pre-shared key, Easy VPN client on the ASA 5505 48-27 ping primary unit, failover See ICMP printers ping of death attack PKI protocol 70-1 prerequisites for use 48-41 troubleshooting 70-10 uses, requirements, and limitations 48-11 required cer
rate limit Q 77-19 rate limiting QoS 54-3 rate limiting, phone proxy about 54-1, 54-3 RealPlayer DiffServ preservation DSCP preservation redirect, ICMP message 54-4 IPSec anti-replay window 54-12 EtherChannel converting existing interfaces 54-15 configuring traffic shaping failover 54-4 viewing statistics 6-25 6-10 MAC address 54-15 6-4 Quality of Service setting the active interface See QoS Registration Authority description regular expression question mark command stri
unlimited RTSP inspection 5-9 resource usage about 5-32 revalidation timer, Network Admission Control revoked certificates rewrite, disabling configuring 70-10 ICMP 37-10 running configuration 79-29 copying RIP authentication definition of enabling 2-16 25-1 S 25-2 RIP panel same security level communication limitations 25-3 enabling RIP Version 2 Notes 25-3 SAST keys about 4-1 NAT 29-13 setting about 48-41 44-25 configuration route map 23-1 23-4 configuring 44-
security contexts about sending messages to a syslog server sending messages to a Telnet or SSH session 5-1 adding sending messages to the console port 5-18 admin context about applying 5-24 default 5-21 changing between changing 37-16 configuration URL, setting list of 5-25 77-1 77-3 severity levels, of system messages 5-21 definition 5-7 MAC addresses 77-3 SHA, IKE policy keywords (table) automatically assigning classifying using 5-3 mapped interface name backup server
username attribute for Clientless SSL VPN reset 67-92 SIP inspection about routing configuring shutdown 44-19 instant messaging 37-19 concurrent connections 44-24 site-to-site VPNs, redundancy Smart Call Home monitoring login 64-34 80-19 74-48 43-31 SNMP 37-2 37-5 password 10-1 RSA key 37-4 username 37-5 certificate 74-11 SSL about 79-1 failover used to access the security appliance 79-17 management station prerequisites SNMP groups SNMP hosts configuring WebVPN 79-
SSO with WebVPN about 74-13 to ?? configuring HTTP Basic and NTLM authentication 74-14 configuring HTTP form protocol configuring SiteMinder 74-20 74-15, 74-17 startup configuration copying saving 57-11 Stateful Failover stateful inspection about 45-3 45-3 access ports protected SPAN 61-4 4-15 Static Group pane 7-8, 7-10 7-4 static NAT 7-9 Sygate Personal Firewall 67-67 SYN attacks, monitoring 5-33 SYN cookies 26-6 5-33 syntax formatting few-to-many mapping 29-7 many-to-
disabling logging of NAT 77-1 filtering by message class SSMs and SSCs 77-4 managing in groups TCP Intercept by message class output destinations 53-5 53-5 53-5 TCP normalization 77-16 53-5 unsupported features 77-1, 77-6 53-5 syslog message server 77-6 TCP SYN+FIN flags attack Telnet or SSH session 77-6 Telnet allowing management access severity levels about 57-6, 57-9 authentication 77-3 changing the severity level of a message timestamp, including 77-1 37-19 concurrent
viewing static bridge entry 56-9 time exceeded, ICMP message time ranges, access lists unsupported features B-15 VRRP 13-16 timestamp, including in system log messages timestamp reply, ICMP message 77-18 74-6 TLS Proxy H.323 44-9 licenses 51-1 51-8 47-4, 49-5, 50-6, 51-7, 52-8 token bucket SIP 74-89 troubleshooting SNMP trunk, 802.
remote-access, configuring definition 67-8 tunnel-group user access, restricting remote general attributes tunneling, about accessing 64-1 prompt 65-2 2-1 A-2 username adding 29-17 comparison with network object NAT configuring 35-20 clientless authentication 29-16 encrypted 31-1 31-4 management tunnels dynamic PAT 31-8 password 35-23 WebVPN 74-109 examples 31-24 guidelines 31-2 identity NAT monitoring static NAT tx-ring-limit 71-9 Xauth for Easy VPN client access hour
url-list NAT rules 67-89 username configuration, viewing username webvpn mode 67-79 67-85 users VPN Client, IPsec attributes 64-2 vpn-filter username attribute 67-82 VPN flex license SNMP U-turn 29-20 3-21 vpn-framed-ip-address username attribute 79-16 67-83 VPN hardware client, group policy attributes 64-26 vpn-idle-timeout username attribute 67-53 67-82 vpn load balancing V See load balancing VeriSign, configuring CAs example viewing QoS statistics viewing RMS 81-19 virt
hosts files, reconfiguring 74-73 HTTP/HTTPS proxy, setting Java object signing PDA support 74-82 74-78 security precautions security tips 74-11 74-5, 74-13 74-109 setting HTTP/HTTPS proxy 74-8 SSL/TLS encryption protocols supported applications troubleshooting 74-110 74-72 unsupported features use of HTTPS 74-10 74-4 74-7 usernames and passwords use suggestions 74-109 74-87, 74-110 WebVPN, Application Access Panel 74-88 webvpn attributes group policy 67-70 welcome message, gro
Cisco ASA 5500 Series Configuration Guide using the CLI IN-32