Cisco ASA Series Firewall CLI Configuration Guide
Software Version 9.1
For the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, and the ASA Services Module
Released: December 3, 2012
Updated: March 31, 2014
Cisco Systems, Inc. www.cisco.com
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS
About This Guide xxv
Document Objectives xxv
Related Documentation xxv
Conventions xxv
Obtaining Documentation and Submitting a Service Request xxvi
PART 1 Configuring Service Policies Using the Modular Policy Framework
CHAPTER 1 Configuring a Service Policy Using the Modular Policy Framework
Information About Service Policies 1-1
Supported Features 1-2
Feature Directionality 1-2
Feature Matching Within a Service Policy 1-3
Order in Which Multiple Feature Actions are Applied
Incompatibi
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers
Applying Inspection to HTTP Traffic with NAT 1-21
Feature History for Service Policies 1-22
CHAPTER 2 Configuring Special Actions for Application Inspections (Inspection Policy Map)
Information About Inspection Policy Maps
Guidelines and Limitations 2-3
Defining Actions in an Inspection Policy Map 2-4
Identifying Traffic in an Inspection Class Map 2-5
Where to Go Next 2-7
Feature History for Inspection Policy
Main Differences Between Network Object NAT and Twice NAT 3-13
Information About Network Object NAT 3-14
Information About Twice NAT 3-14
NAT Rule Order 3-18
NAT Interfaces 3-19
Routing NAT Packets 3-19
Mapped Addresses and Routing 3-19
Transparent Mode Routing Requirements for Remote Networks 3-21
Determining the Egress Interface 3-22
NAT for VPN 3-22
NAT and Remote Access VPN 3-23
NAT and Site-to-Site VPN 3-24
NAT and VPN Management Access 3-26
Troubleshooting NAT and VPN 3-28
DNS and NAT
DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS Modification) 4-25
IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real Interface (Static NAT64 with DNS64 Modification) 4-26
Feature History for Network Object NAT 4-28
CHAPTER 5 Configuring Twice NAT 5-1
Information About Twice NAT 5-1
Licensing Requirements for Twice NAT 5-2
Prerequisites for Twice NAT 5-2
Guidelines and Limitations 5-2
Default Settings 5-4
Configuring Twice
Access Rules for Returning Traffic 6-5
Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules 6-5
Management Access Rules 6-6
Information About EtherType Rules 6-6
Supported EtherTypes and Other Traffic 6-6
Access Rules for Returning Traffic 6-7
Allowing MPLS 6-7
Licensing Requirements for Access Rules 6-7
Prerequisites 6-7
Guidelines and Limitations 6-7
Default Settings 6-8
Configuring Access Rules 6-8
Monitoring Access Rules 6-10
Configuration Examples
Configuring a RADIUS Server to Download Per-User Access Control List Names
Configuring Accounting for Network Access 7-21
Using MAC Addresses to Exempt Traffic from Authentication and Authorization
Feature History for AAA Rules 7-25
PART
CHAPTER 9 Getting Started with Application Layer Protocol Inspection
Information about Application Layer Protocol Inspection 9-1
How Inspection Engines Work 9-1
When to Use Application Protocol Inspection 9-2
Guidelines and Limitations 9-4
Configuring Application
IP Options Inspection Overview 10-24
Configuring an IP Options Inspection Policy Map for Additional Inspection Control
IPsec Pass Through Inspection 10-25
IPsec Pass Through Inspection Overview 10-26
Example for Defining an IPsec Pass Through Parameter Map 10-26
IPv6 Inspection 10-26
Information about IPv6 Inspection 10-27
Default Settings for IPv6 Inspection 10-27
(Optional) Configuring an IPv6 Inspection Policy Map 10-27
Configuring IPv6 Inspection 10-29
NetBIOS Inspection 10-30
NetBIOS Inspe
Verifying and Monitoring MGCP Inspection 11-14
RTSP Inspection 11-14
RTSP Inspection Overview 11-15
Using RealPlayer 11-15
Restrictions and Limitations 11-15
Configuring an RTSP Inspection Policy Map for Additional Inspection Control 11-16
SIP Inspection 11-18
SIP Inspection Overview 11-18
SIP Instant Messaging 11-19
Configuring a SIP Inspection Policy Map for Additional Inspection Control 11-20
Configuring SIP Timeout Values 11-24
Verifying and Monitoring SIP Inspection 11-24
Skinny (SCCP) I
RSH Inspection 13-10
SNMP Inspection 13-10
SNMP Inspection Overview 13-10
Configuring an SNMP Inspection Policy Map for Additional Inspection Control
XDMCP Inspection 13-11
PART 5 Configuring Unified Communications
CHAPTER 14 Information About Cisco Unified Communications Proxy Features 14-1
Information About the Adaptive Security Appliance in Cisco Unified Communications
TLS Proxy Applications in Cisco Unified Communications 14-4
CHAPTER 15 Using the Cisco Unified Communication Wizard 15-1
Working with Certificates in the Unified Communication Wizard 15-23
Exporting an Identity Certificate 15-23
Installing a Certificate 15-23
Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy 15-24
Saving the Identity Certificate Request 15-25
Installing the ASA Identity Certificate on the Mobility Advantage Server 15-26
Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers 15-26
CHAPTER 16 Configuring the Cis
Creating the TLS Proxy Instance for a Non-secure Cisco UCM Cluster 16-20
Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster 16-21
Creating the Media Termination Instance 16-23
Creating the Phone Proxy Instance 16-24
Enabling the Phone Proxy with SIP and Skinny Inspection 16-26
Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy 16-27
Configuring Your Router 16-28
Troubleshooting the Phone Proxy 16-28
Debugging Information from the Security Appliance 16-28
Debugging Info
CTL Client Overview 17-3
Licensing for the TLS Proxy 17-5
Prerequisites for the TLS Proxy for Encrypted Voice Inspection 17-7
Configuring the TLS Proxy for Encrypted Voice Inspection 17-7
Task flow for Configuring the TLS Proxy for Encrypted Voice Inspection
Creating Trustpoints and Generating Certificates 17-9
Creating an Internal CA 17-10
Creating a CTL Provider Instance 17-11
Creating the TLS Proxy Instance 17-12
Enabling the TLS Proxy Instance for Skinny or SIP Inspection 17-13
Monitorin
Configuration Requirements for XMPP Federation 19-6
Licensing for Cisco Unified Presence 19-7
Configuring Cisco Unified Presence Proxy for SIP Federation 19-8
Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation 19-9
Creating Trustpoints and Generating Certificates 19-9
Installing Certificates 19-10
Creating the TLS Proxy Instance 19-12
Enabling the TLS Proxy for SIP Inspection 19-13
Monitoring Cisco Unified Presence 19-14
Configuration Example for Cisco Unifi
Configuring the Cisco UC-IMC Proxy by using the UC-IME Proxy Pane 20-30
Configuring the Cisco UC-IMC Proxy by using the Unified Communications Wizard
Troubleshooting Cisco Intercompany Media Engine Proxy 20-33
Feature History for Cisco Intercompany Media Engine Proxy 20-36
PART 6 Configuring Connection Settings and QoS
CHAPTER 22 Configuring Connection Settings 22-1
Information About Connection Settings 22-1
TCP Intercept and Limiting Embryonic Connections 22-2
Disabling TCP Intercept f
Licensing Requirements for QoS 23-5
Guidelines and Limitations 23-5
Configuring QoS 23-6
Determining the Queue and TX Ring Limits for a Standard Priority Queue 23-7
Configuring the Standard Priority Queue for an Interface 23-8
Configuring a Service Rule for Standard Priority Queuing and Policing 23-9
Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing 23-13
(Optional) Configuring the Hierarchical Priority Queuing Policy 23-13
Configuring the Service Rule 23-14
Mon
Cloud Web Security Actions 25-5
Bypassing Scanning with Whitelists 25-6
IPv4 and IPv6 Support 25-6
Failover from Primary to Backup Proxy Server 25-6
Licensing Requirements for Cisco Cloud Web Security 25-6
Prerequisites for Cloud Web Security 25-7
Guidelines and Limitations 25-7
Default Settings 25-8
Configuring Cisco Cloud Web Security 25-8
Configuring Communication with the Cloud Web Security Proxy Server 25-8
(Multiple Context Mode) Allowing Cloud Web Security Per Security Context 25-9
C
Botnet Traffic Filter Address Types 26-2
Botnet Traffic Filter Actions for Known Addresses 26-2
Botnet Traffic Filter Databases 26-2
Information About the Dynamic Database 26-2
Information About the Static Database 26-3
Information About the DNS Reverse Lookup Cache and DNS Host Cache 26-4
How the Botnet Traffic Filter Works 26-5
Licensing Requirements for the Botnet Traffic Filter 26-6
Prerequisites for the Botnet Traffic Filter 26-6
Guidelines and Limitations 26-6
Default Settings 26-6
Con
Configuring Advanced Threat Detection Statistics 27-6
Information About Advanced Threat Detection Statistics 27-6
Guidelines and Limitations 27-6
Default Settings 27-7
Configuring Advanced Threat Detection Statistics 27-7
Monitoring Advanced Threat Detection Statistics 27-9
Feature History for Advanced Threat Detection Statistics 27-14
Configuring Scanning Threat Detection 27-15
Information About Scanning Threat Detection 27-15
Guidelines and Limitations 27-16
Default Settings 27-16
Configuring Sc
Configuration Examples for Java Applet Filtering 29-5
Feature History for Java Applet Filtering 29-6
Filtering URLs and FTP Requests with an External Server 29-6
Information About URL Filtering 29-6
Licensing Requirements for URL Filtering 29-7
Guidelines and Limitations for URL Filtering 29-7
Identifying the Filtering Server 29-8
Configuring Additional URL Filtering Settings 29-10
Buffering the Content Server Response 29-10
Caching Server Addresses 29-11
Filtering HTTP URLs 29-11
Filtering HTTP
(ASA 5512-X through ASA 5555-X; May Be Required) Installing the Software Module 30-12
(ASA 5585-X) Changing the ASA CX Management IP Address 30-14
Configuring Basic ASA CX Settings at the ASA CX CLI 30-15
Configuring the Security Policy on the ASA CX Module Using PRSM 30-16
(Optional) Configuring the Authentication Proxy Port 30-17
Redirecting Traffic to the ASA CX Module 30-18
Creating the ASA CX Service Policy 30-18
Configuring Traffic-Forwarding Interfaces (Monitor-Only Mode) 30-20
Managing t
ASA 5512-X through ASA 5555-X (Software Module) 31-9
ASA 5505 31-10
Sessioning to the Module from the ASA 31-11
(ASA 5512-X through ASA 5555-X) Booting the Software Module 31-11
Configuring Basic IPS Module Network Settings 31-12
(ASA 5510 and Higher) Configuring Basic Network Settings 31-13
(ASA 5505) Configuring Basic Network Settings 31-13
Configuring the Security Policy on the ASA IPS Module 31-15
Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher) 31-16
Diverting Traffic to
Additional References 32-18
Feature History for the CSC SSM 32-19
INDEX
About This Guide
This preface introduces Cisco ASA Series Firewall CLI Configuration Guide and includes the following sections:
• Document Objectives, page xxv
• Related Documentation, page xxv
• Conventions, page xxv
• Obtaining Documentation and Submitting a Service Request, page xxvi
Document Objectives
The purpose of this guide is to help you configure the firewall features for ASA using the command-line interface.
italic font: Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[ ]: Elements in square brackets are optional.
{x | y | z}: Required alternative keywords are grouped in braces and separated by vertical bars.
[x | y | z]: Optional alternative keywords are grouped in brackets and separated by vertical bars.
string: A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
PART 1 Configuring Service Policies Using the Modular Policy Framework
CHAPTER 1 Configuring a Service Policy Using the Modular Policy Framework
Service policies using Modular Policy Framework provide a consistent and flexible way to configure ASA features. For example, you can use a service policy to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications. A service policy consists of multiple actions applied to an interface or applied globally.
Supported Features
Table 1-1 lists the features supported by Modular Policy Framework.
Table 1-1 Modular Policy Framework
Feature | For Through Traffic? | For Management Traffic? | See:
Application inspection (multiple types) | All except RADIUS accounting | RADIUS accounting only | Chapter 9, “Getting Started with Application Layer Protocol Inspection.”
Note When you use a global policy, all features are unidirectional; features that are normally bidirectional when applied to a single interface only apply to the ingress of each interface when applied globally. Because the policy is applied to all interfaces, the policy will be applied in both directions, so bidirectionality in this case is redundant.
For example, if a packet matches a class map for connection limits, and also matches a class map for an application inspection, then both actions are applied. If a packet matches a class map for HTTP inspection, but also matches another class map that includes HTTP inspection, then the second class map actions are not applied.
Incompatibility of Certain Feature Actions
Some features are not compatible with each other for the same traffic. The following list may not include all incompatibilities; for information about compatibility of each feature, see the chapter or section for your feature:
• You cannot configure QoS priority queueing and QoS policing for the same set of traffic.
  class ftp
   inspect ftp
Feature Matching for Multiple Service Policies
For TCP and UDP traffic (and ICMP when you enable stateful ICMP inspection), service policies operate on traffic flows, and not just individual packets.
• TCP normalization
• TCP state bypass
• User statistics for Identity Firewall
Class Map Guidelines
The maximum number of class maps of all types is 255 in single mode or per context in multiple mode. Class maps include the following types:
• Layer 3/4 class maps (for through traffic and management traffic).
Default Settings
The following topics describe the default settings for Modular Policy Framework:
• Default Configuration, page 1-8
• Default Class Maps, page 1-9
Default Configuration
By default, the configuration includes a policy that matches all default application inspection traffic and applies certain inspections to the traffic on all interfaces (a global policy).
  inspect ip-options _default_ip_options_map
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp _default_esmtp_map
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
Note See the “Incompatibility of Certain Feature Actions” section on page 1-5 for more information about the special match default-inspection-traffic com
Step 1 Identify the traffic—Identify the traffic on which you want to perform Modular Policy Framework actions by creating Layer 3/4 class maps. For example, you might want to perform actions on all traffic that passes through the ASA; or you might only want to perform certain actions on traffic from 10.1.1.0/24 to any destination address.
[Figure: a Layer 3/4 policy map whose class maps carry connection limits, inspection, and IPS actions, applied to traffic as a service policy]
See the “Defining Actions (Layer 3/4 Policy Map)” section on page 1-15 and the “Applying Actions to an Interface (Service Policy)” section on page 1-17.
Traffic shaping can only be applied to the class-default class map.
Step 4 For the same class map, identify the priority policy map that you created in Step 2 using the service-policy priority_policy_map command.
Step 5 Apply the shaping policy map to the interface according to the “Applying Actions to an Interface (Service Policy)” section on page 1-17.
Command: match access-list access_list_name
Purpose: Matches traffic specified by an extended ACL. If the ASA is operating in transparent firewall mode, you can use an EtherType ACL.
Example:
  hostname(config-cmap)# match access-list udp
Command: match port {tcp | udp} {eq port_num | range port_num port_num}
Purpose: Matches TCP or UDP destination ports, either a single port or a contiguous range of ports.
Command: match precedence value1 [value2] [value3] [value4]
Purpose: Matches up to four precedence values, represented by the TOS byte in the IP header, where value1 through value4 can be 0 to 7, corresponding to the possible precedences.
Detailed Steps
Step 1
Command: class-map type management class_map_name
Example:
  ciscoasa(config)# class-map type management all_mgmt
Purpose: Creates a management class map, where class_map_name is a string up to 40 characters in length. The name “class-default” is reserved. All types of class maps use the same name space, so you cannot reuse a name already used by another type of class map.
Detailed Steps
Step 1
Command: policy-map policy_map_name
Purpose: Adds the policy map. The policy_map_name argument is the name of the policy map up to 40 characters in length. All types of policy maps use the same name space, so you cannot reuse a name already used by another type of policy map.
Example:
Step 2 (Optional)
The following example shows how traffic matches the first available class map, and will not match any subsequent class maps that specify actions in the same feature domain:
  ciscoasa(config)# class-map telnet_traffic
  ciscoasa(config-cmap)# match port tcp eq 23
  ciscoasa(config)# class-map ftp_traffic
  ciscoasa(config-cmap)# match port tcp eq 21
  ciscoasa(config)# class-map tcp_traffic ci
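The matching rule behind this example (a packet matches only the first class map per feature type, but still picks up actions of other feature types from later class maps) is easy to get wrong when reading a long policy map, so here it is as a small Python model. This is an added example, not ASA code and not part of this guide. It reuses the telnet_traffic, ftp_traffic and tcp_traffic class maps from the example above, but the actions attached to them (connection limits, FTP inspection, IPS) and the feature-type labels are assumptions made for the model, not the guide's own policy map.

```python
"""Model of how a Layer 3/4 policy map selects actions for a packet.

Added example, not ASA code: it reproduces the rule from this chapter that
a packet matches only the first class map for each feature type, while a
later class map can still contribute actions of a different feature type.
The policy map below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    dst_port: int   # "match port" matches the destination port


@dataclass(frozen=True)
class ClassMap:
    name: str
    proto: str
    port_lo: int
    port_hi: int    # port_lo == port_hi models "match port tcp eq N"

    def matches(self, pkt: Packet) -> bool:
        return pkt.proto == self.proto and self.port_lo <= pkt.dst_port <= self.port_hi


@dataclass(frozen=True)
class Action:
    feature: str    # feature type label used by this model ("conn-limits", "inspection", "ips")
    cli: str        # the CLI line the action stands for


# Constructed policy map; the order of the tuples is the order of the "class"
# commands inside "policy-map". Actions are assumptions, not the guide's own.
TELNET = ClassMap("telnet_traffic", "tcp", 23, 23)
FTP = ClassMap("ftp_traffic", "tcp", 21, 21)
ANY_TCP = ClassMap("tcp_traffic", "tcp", 1, 65535)

POLICY = [
    (TELNET, [Action("conn-limits", "set connection conn-max 100"),
              Action("conn-limits", "set connection timeout idle 0:0:0")]),
    (FTP, [Action("conn-limits", "set connection conn-max 50"),
           Action("inspection", "inspect ftp")]),
    (ANY_TCP, [Action("conn-limits", "set connection conn-max 2000"),
               Action("ips", "ips inline fail-open")]),
]


def apply_policy(policy, pkt: Packet):
    """Return (class_name, cli) for every action the policy applies to pkt."""
    applied = []
    claimed = set()     # feature types already taken by an earlier matching class map
    for cmap, actions in policy:
        if not cmap.matches(pkt):
            continue
        for act in actions:
            if act.feature in claimed:
                continue    # a later class map cannot re-apply this feature type
            applied.append((cmap.name, act.cli))
        # Both connection-limit actions of one class map apply, so feature types
        # are marked as claimed only after the whole class map has been processed.
        claimed |= {a.feature for a in actions}
    return applied


if __name__ == "__main__":
    for port in (23, 21, 80):
        print(port, apply_policy(POLICY, Packet("tcp", port)))
```

A Telnet connection gets its own connection limits and, because telnet_traffic carries no IPS action, the IPS action from tcp_traffic; the tcp_traffic connection limits are skipped. Reordering the class commands so that tcp_traffic comes first would silently disable the Telnet and FTP limits, which is the trap this section warns about.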
Detailed Steps
Command: service-policy policy_map_name interface interface_name [fail-close]
Purpose: Creates a service policy by associating a policy map with an interface. Specify the fail-close option to generate a syslog (767001) for IPv6 traffic that is dropped by application inspections that do not support IPv6 traffic. By default, syslogs are not generated.
Applying Inspection and QoS Policing to HTTP Traffic
In this example (see Figure 1-1), any HTTP connection (TCP traffic on port 80) that enters or exits the ASA through the outside interface is classified for HTTP inspection. Any HTTP traffic that exits the outside interface is classified for policing.
[Figure 1-1 HTTP Inspection and QoS Policing: port 80 traffic through the security appliance is inspected in both directions and policed on egress from the outside interface]
  ciscoasa(config)# policy-map http_traffic_policy
  ciscoasa(config-pmap)# class http_traffic
  ciscoasa(config-pmap-c)# inspect http
  ciscoasa(config)# service-policy http_traffic_policy global
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers
In this example (see Figure 1-3), any HTTP connection destined for Server A (TCP traffic on port 80) that enters th
  ciscoasa(config)# service-policy policy_serverB interface inside
  ciscoasa(config)# service-policy policy_serverA interface outside
Applying Inspection to HTTP Traffic with NAT
In this example, the Host on the inside network has two addresses: one is the real IP address 192.168.1.1, and the other is a mapped IP address used on the outside network, 209.165.200.225.
Feature History for Service Policies
Table 1-3 lists the release history for this feature.
Table 1-3 Feature History for Service Policies
Feature Name | Releases | Feature Information
Modular Policy Framework | 7.0(1) | Modular Policy Framework was introduced.
Management class map for use with RADIUS accounting traffic | 7.
CHAPTER 2 Configuring Special Actions for Application Inspections (Inspection Policy Map)
Modular Policy Framework lets you configure special actions for many application inspections. When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable actions as defined in an inspection policy map.
policy map is that you can create more complex match criteria and you can reuse class maps. However, you cannot set different actions for different matches.
Note Not all inspections support inspection class maps.
• Parameters—Parameters affect the behavior of the inspection engine.
A class map is determined to be the same type as another class map or match command based on the lowest priority match command in the class map (the priority is based on the internal rules). If a class map has the same type of lowest priority match command as another class map, then the class maps are matched according to the order they are added to the policy map.
Note There are other default inspection policy maps such as _default_esmtp_map. For example, inspect esmtp implicitly uses the policy map “_default_esmtp_map.” All the default policy maps can be shown by using the show running-config all policy-map command.
Step 5
Command: action
Purpose: Specifies the action you want to perform on the matching traffic. Actions vary depending on the inspection and match type. Common actions include: drop, log, and drop-connection. For the actions available for each match, see the appropriate inspection chapter.
Restrictions
Not all applications support inspection class maps. See the CLI help for class-map type inspect for a list of supported applications.
Detailed Steps
Step 1 (Optional) Create a regular expression. See the general operations configuration guide.
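To make concrete how the pieces of this chapter fit together (regular expressions, a match-any inspection class map, direct match commands in the inspection policy map, and the drop-connection, reset and log actions), here is a Python model that evaluates such a policy against a few HTTP requests. This is an added example, not ASA code and not from this guide. The regex names, the bad_uri_class class map, the sample requests and the actions are all constructed for illustration; the model stops at the first entry that drops or resets, which is a simplification of the ASA's own match ordering described in the previous section.

```python
"""Model of an HTTP inspection policy map built from regexes, an inspection
class map and actions (added example, not ASA code).

REGEXES stands for "regex <name> <pattern>" commands, InspectClassMap for
"class-map type inspect http match-any|match-all", and POLICY for the
"policy-map type inspect http" with its class and match entries. Everything
below is constructed for illustration.
"""
import re
from dataclasses import dataclass

REGEXES = {
    "uri_cmd_param": re.compile(r"\.php\?.*(?:cmd|exec)="),
    "uri_dotdot": re.compile(r"\.\./"),
    "ua_scanner": re.compile(r"^(?:sqlmap|nikto)", re.IGNORECASE),
}


@dataclass(frozen=True)
class HttpRequest:
    method: str
    uri: str
    user_agent: str


@dataclass(frozen=True)
class Match:
    """One match command, e.g. 'match request uri regex uri_dotdot'."""
    field: str            # "uri" or "user_agent"
    regex: str
    negate: bool = False  # 'match not ...'

    def hit(self, req: HttpRequest) -> bool:
        found = REGEXES[self.regex].search(getattr(req, self.field)) is not None
        return found != self.negate

    @property
    def name(self) -> str:
        return f"match {'not ' if self.negate else ''}{self.field} regex {self.regex}"


@dataclass(frozen=True)
class InspectClassMap:
    name: str
    match_any: bool       # True: match-any, False: match-all
    matches: tuple

    def hit(self, req: HttpRequest) -> bool:
        results = [m.hit(req) for m in self.matches]
        return any(results) if self.match_any else all(results)


@dataclass(frozen=True)
class Entry:
    selector: object      # Match (direct match in the policy map) or InspectClassMap
    actions: tuple        # any of "drop", "drop-connection", "reset", "log"


TERMINAL = ("drop", "drop-connection", "reset")

# Constructed policy map: a match-any class map that closes the connection,
# then a direct User-Agent match that resets it; both entries also log.
POLICY = (
    Entry(InspectClassMap("bad_uri_class", True,
                          (Match("uri", "uri_cmd_param"), Match("uri", "uri_dotdot"))),
          ("drop-connection", "log")),
    Entry(Match("user_agent", "ua_scanner"), ("reset", "log")),
)


def inspect_http(policy, req: HttpRequest):
    """Return (verdict, log_lines); verdict is 'permit' or the terminal action taken."""
    logs = []
    for entry in policy:
        if not entry.selector.hit(req):
            continue
        if "log" in entry.actions:
            logs.append(f"{entry.selector.name}: {req.method} {req.uri} ua={req.user_agent}")
        terminal = [a for a in entry.actions if a in TERMINAL]
        if terminal:
            return terminal[0], logs   # dropping or resetting ends inspection of this request
    return "permit", logs


if __name__ == "__main__":
    for req in (HttpRequest("GET", "/index.html", "Mozilla/5.0"),
                HttpRequest("GET", "/a.php?cmd=id", "Mozilla/5.0"),
                HttpRequest("GET", "/x", "sqlmap/1.4")):
        print(inspect_http(POLICY, req))
```

Note the last case in the test: a request that hits the class map and carries a scanner User-Agent is handled entirely by the first entry, so the reset action is never reached and only one log line is produced. When you want both conditions recorded, put the log-only match before the dropping one.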
Where to Go Next
To use an inspection policy, see Chapter 1, “Configuring a Service Policy Using the Modular Policy Framework.”
Feature History for Inspection Policy Maps
Table 2-1 lists the release history for this feature.
Table 2-1 Feature History for Inspection Policy Maps
Feature Name | Releases | Feature Information
Inspection policy maps | 7.2(1) | The inspection policy map was introduced.
PART 2 Configuring Network Address Translation
CHAPTER 3 Information About NAT
This chapter provides an overview of how Network Address Translation (NAT) works on the ASA.
One of the main functions of NAT is to enable private IP networks to connect to the Internet. NAT replaces a private IP address with a public IP address, translating the private addresses in the internal private network into legal, routable addresses that can be used on the public Internet. In this way, NAT conserves public addresses because it can be configured to advertise at a minimum only one public address for the entire network to the outside world.
NAT Types
• NAT Types Overview, page 3-3
• Static NAT, page 3-3
• Dynamic NAT, page 3-7
• Dynamic PAT, page 3-8
• Identity NAT, page 3-10
NAT Types Overview
You can implement NAT using the following methods:
• Static NAT—A consistent mapping between a real and mapped IP address. Allows bidirectional traffic initiation. See the “Static NAT” section on page 3-3.
Figure 3-1 shows a typical static NAT scenario. The translation is always active so both real and remote hosts can initiate connections.
[Figure 3-1 Static NAT: inside hosts 10.1.1.1 and 10.1.1.2 are translated one-to-one to 209.165.201.1 and 209.165.201.2 on the outside]
Note You can disable bidirectionality if desired.
Information About Static NAT with Port Translation
Static NAT with port translation lets you specify a real and mapped protocol (TCP or UDP) and port.
Note For applications that require application inspection for secondary channels (for example, FTP and VoIP), the ASA automatically translates the secondary ports.
Static NAT with Identity Port Translation
The following static NAT with port translation example provides a single address for remote users to access FTP, HTTP, and SMTP.
For example, you have a load balancer at 10.1.2.27. Depending on the URL requested, it redirects traffic to the correct web server.
Information About Other Mapping Scenarios (Not Recommended)
The ASA has the flexibility to allow any kind of static mapping scenario: one-to-one, one-to-many, but also few-to-many, many-to-few, and many-to-one mappings. We recommend using only one-to-one or one-to-many mappings.
Figure 3-5 shows a typical many-to-few static NAT scenario.
[Figure 3-5 Many-to-Few Static NAT: inside hosts 10.1.2.27 through 10.1.2.31 are mapped alternately to two outside addresses (10.1.2.27, 10.1.2.29 and 10.1.2.31 to 209.165.201.3; 10.1.2.28 and 10.1.2.30 to 209.165.201.4)]
Instead of using a static rule this way, we suggest that you create a one-to-one rule for the traffic that needs bidirectional initiation, and then create a dynamic rule for the rest of your addresses.
Note For the duration of the translation, a remote host can initiate a connection to the translated host if an access rule allows it. Because the address is unpredictable, a connection to the host is unlikely. Nevertheless, in this case you can rely on the security of the access rule.
Figure 3-7 shows a typical dynamic PAT scenario. Only real hosts can create a NAT session, and responding traffic is allowed back. The mapped address is the same for each translation, but the port is dynamically assigned.
[Figure 3-7 Dynamic PAT: inside 10.1.1.1:1025 to outside 209.165.201.1:2020; 10.1.1.1:1026 to 209.165.201.1:2021; 10.1.1.2:1025 to 209.165.201.1:2022]
After the connection expires, the port translation also expires.
Identity NAT
You might have a NAT configuration in which you need to translate an IP address to itself. For example, if you create a broad rule that applies NAT to every network, but want to exclude one network from NAT, you can create a static NAT rule to translate an address to itself. Identity NAT is necessary for remote access VPN, where you need to exempt the client traffic from NAT. Figure 3-8 shows a typical identity NAT scenario.
NAT in Routed Mode
Figure 3-9 shows a typical NAT example in routed mode, with a private network on the inside.
[Figure 3-9 NAT Example: Routed Mode. The inside host 10.1.2.27 (behind the inside interface 10.1.2.1) sends an originating packet to the web server www.cisco.com; the security appliance translates the source to 209.165.201.10 on the outside (outside interface 209.165.201.2). For the responding packet addressed to 209.165.201.10 the translation is undone, back to 10.1.2.27.]
1. When the inside host at 10.1.2.
[Figure 3-10 NAT Example: Transparent Mode. The ASA (management IP 10.1.1.1) sits between the upstream router 10.1.1.2, which leads to www.example.com on the Internet, and the inside hosts. The router has a static route for 209.165.201.0/27 to 10.1.1.1; the ASA has a static route for 192.168.1.0/24 to 10.1.1.3, the router (192.168.1.1) in front of Network 2. Source address translations: 10.1.1.75 to 209.165.201.15, and 192.168.1.2 on Network 2 to 209.165.201.10.]
1. When the inside host at 10.1.1.
NAT and IPv6
You can use NAT to translate between IPv6 networks, and also to translate between IPv4 and IPv6 networks (routed mode only). We recommend the following best practices:
• NAT66 (IPv6-to-IPv6)—We recommend using static NAT. Although you can use dynamic NAT or PAT, IPv6 addresses are in such large supply, you do not have to use dynamic NAT.
• How source and destination NAT is implemented.
  – Network object NAT—Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address, and one for the destination IP address. These two rules cannot be tied together to enforce a specific translation for a source/destination combination.
  – Twice NAT—A single rule translates both the source and destination.
Twice NAT also lets you use service objects for static NAT with port translation; network object NAT only accepts inline definition. To start configuring twice NAT, see Chapter 5, “Configuring Twice NAT.”
Figure 3-11 shows a host on the 10.1.2.0/24 network accessing two different servers. When the host accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129. When the host accesses the server at 209.165.200.
Figure 3-12 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for web services, the real address is translated to 209.165.202.129. When the host accesses the same server for Telnet services, the real address is translated to 209.165.202.130.
Figure 3-13 shows a remote host connecting to a mapped host. The mapped host has a twice static NAT translation that translates the real address only for traffic to and from the 209.165.201.0/27 network. A translation does not exist for the 209.165.200.224/27 network, so the translated host cannot connect to that network, nor can a host on that network connect to the translated host.

Figure 3-13 Twice Static NAT with Destination Address Translation
NAT Rule Order

Network object NAT rules and twice NAT rules are stored in a single table that is divided into three sections. Section 1 rules are applied first, then section 2, and finally section 3, until a match is found. For example, if a match is found in section 1, sections 2 and 3 are not evaluated. Table 3-1 shows the order of rules within each section.
For section 2 rules, for example, you have the following IP addresses defined within network objects:

192.168.1.0/24 (static)
192.168.1.0/24 (dynamic)
10.1.1.0/24 (static)
192.168.1.1/32 (static)
172.16.1.0/24 (dynamic) (object def)
172.16.1.0/24 (dynamic) (object abc)

The resultant ordering would be:

192.168.1.1/32 (static)
10.1.1.0/24 (static)
192.168.1.0/24 (static)
172.16.1.0/24 (dynamic) (object abc)
172.16.1.0/24 (dynamic) (object def)
192.168.1.
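The following configuration is added here as an illustration of the three-section order; it is not taken from the guide, and the interface names, addresses and object names are assumed. It places one rule in each section so you can see which rule a given flow hits and why; the comments (lines starting with an exclamation point) state the section each rule falls into.

```cisco
! --- Section 2: network object NAT. The ASA orders these automatically:
!     static before dynamic, fewer addresses before more, lower address
!     first, then object name. Configuration order does not matter here.
object network WEB_SERVER
 host 192.168.1.1
 nat (inside,outside) static 209.165.201.10
!
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! --- Section 1: twice NAT without after-auto. Evaluated before ANY
!     section 2 rule, so inside hosts reaching PARTNER_NET keep their
!     real addresses (identity NAT) even though INSIDE_NET above would
!     otherwise PAT them to the outside interface address.
object network PARTNER_NET
 subnet 172.16.1.0 255.255.255.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static PARTNER_NET PARTNER_NET
!
! --- Section 3: twice NAT with after-auto. Evaluated only when nothing
!     in sections 1 or 2 matched. A catch-all interface PAT for any other
!     real source address.
nat (inside,outside) after-auto source dynamic any interface
!
! Verification: show nat lists the rules grouped by section with hit
! counts; packet-tracer reports the single rule a flow matches in its
! NAT phase. Both traces below should stop at section 1 and section 2
! respectively and never reach the after-auto rule.
ciscoasa# show nat
ciscoasa# packet-tracer input inside tcp 192.168.1.50 1025 172.16.1.5 80
ciscoasa# packet-tracer input inside tcp 192.168.1.50 1025 198.51.100.20 80
```

Because section 1 is consulted first, a twice NAT identity rule is the usual way to exempt specific destinations from a section 2 dynamic PAT; the after-auto form is the usual place for a broad catch-all so that it cannot shadow more specific object NAT rules.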
Mapped Addresses and Routing

When you translate the real address to a mapped address, the mapped address you choose determines how to configure routing, if necessary, for the mapped address. See additional guidelines about mapped IP addresses in Chapter 4, “Configuring Network Object NAT,” and Chapter 5, “Configuring Twice NAT.” See the following mapped address types:

• Addresses on the same network as the mapped interface.
Figure 3-14 Proxy ARP Problems with Identity NAT (1: a host on the outside, 209.165.200.225, sends an ARP request for 209.165.200.230; 2: the ASA, configured with identity NAT for “any” and proxy ARP enabled, answers the ARP with its own MAC address; 3: the ARP response from the real host 209.165.200.230 arrives too late; 4: traffic for 209.165.200.230 is incorrectly sent to the ASA)

In rare cases, you need proxy ARP for identity NAT; for example for virtual Telnet.
Determining the Egress Interface

When the ASA receives traffic for a mapped address, the ASA untranslates the destination address according to the NAT rule, and then it sends the packet on to the real address.
NAT and Remote Access VPN

Figure 3-17 shows both an inside server (10.1.1.6) and a VPN client (209.165.201.10) accessing the Internet. Unless you configure split tunneling for the VPN client (where only specified traffic goes through the VPN tunnel), then Internet-bound VPN traffic must also go through the ASA. When the VPN traffic enters the ASA, the ASA decrypts the packet; the resulting packet includes the VPN client local address (10.3.3.10) as the source.
Figure 3-18 Identity NAT for VPN Clients (1: the VPN client at 209.165.201.10 sends an SMTP request to the inside server 10.1.1.6; 2: the ASA decrypts the packet, and the source address is now the local address 10.3.3.10; 3: identity NAT between the inside and VPN client networks leaves source 10.3.3.10 and destination 10.1.1.6 unchanged; 4: the SMTP request reaches 10.1.1.6 with source 10.3.3.10; 5 and 8: the SMTP response, source 10.1.1.6, returns to the VPN client over the Internet)
Figure 3-19 Interface PAT and Identity NAT for Site-to-Site VPN (1: the Boulder inside host 10.1.1.6 sends an IM to 10.2.2.78; 2: identity NAT between the networks connected by the VPN keeps the source 10.1.1.6 as the packet crosses the site-to-site tunnel between ASA1 and ASA2; 3: the IM is received at 10.2.2.78 with source 10.1.1.6; A: the same host sends HTTP to www.example.com; B: ASA1, outside IP 203.0.113.1, performs interface PAT for the outgoing traffic, so the source becomes 203.0.113.1:6070)
object network vpn_local
 subnet 10.3.3.0 255.255.255.0
 nat (outside,outside) dynamic interface
! Identify inside Boulder network, & perform object interface PAT when going to Internet:
object network boulder_inside
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Identify inside San Jose network for use in twice NAT rule:
object network sanjose_inside
 subnet 10.2.2.0 255.255.255.
Figure 3-21 shows a VPN client Telnetting to the ASA inside interface. When you use a management-access interface, and you configure identity NAT according to the “NAT and Remote Access VPN” or “NAT and Site-to-Site VPN” section, you must configure NAT with the route lookup option.
! Use twice NAT to pass traffic between the inside network and the VPN client without
! address translation (identity NAT), w/route-lookup:
nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup

Troubleshooting NAT and VPN

See the following monitoring tools for troubleshooting NAT issues with VPN:

• Packet tracer—When used correctly, a packet tracer shows which NAT rules a packet is hitting.
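A complete configuration for the remote-access case described in the preceding sections, added here as an example and not the guide's own configuration (the VPN address pool 10.3.3.0/24, the inside network 10.1.1.0/24, the inside server 10.1.1.6 and the object names are assumed). It combines the identity NAT rule with route-lookup, the same-interface PAT that lets VPN clients reach the Internet, and the packet-tracer invocation that confirms which rule a client-to-inside flow hits.

```cisco
! Assumed address pool handed to remote-access VPN clients, and the
! inside network they need to reach without translation.
object network VPN_POOL
 subnet 10.3.3.0 255.255.255.0
 ! Internet-bound client traffic is decrypted on outside and must leave
 ! on outside again: interface PAT on the same interface (section 2).
 nat (outside,outside) dynamic interface
!
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
 ! Ordinary inside hosts use interface PAT toward the Internet.
 nat (inside,outside) dynamic interface
!
! Traffic that enters and exits the same interface (the VPN hairpin)
! is denied unless intra-interface traffic is permitted.
same-security-traffic permit intra-interface
!
! Section 1 identity NAT: VPN client <-> inside traffic keeps its real
! addresses. Because section 1 is evaluated first, this rule wins over
! the two dynamic PAT rules above for that traffic. route-lookup makes
! the ASA pick the egress interface from the routing table rather than
! from the interface pair in the rule; this is required when clients
! also manage the ASA through its inside interface address.
nat (outside,inside) source static VPN_POOL VPN_POOL destination static INSIDE_NET INSIDE_NET route-lookup
!
! Verification. The trace simulates the already-decrypted client packet
! arriving on outside; its NAT phase should report the identity rule,
! not the (outside,outside) PAT. show nat detail shows per-rule hits.
ciscoasa# packet-tracer input outside tcp 10.3.3.10 1025 10.1.1.6 25 detailed
ciscoasa# show nat detail
ciscoasa# show xlate
```

If the trace shows the PAT rule instead, the identity rule is either missing, placed after another section 1 rule that matches first, or uses an interface pair that does not match the packet; the route-lookup keyword addresses only the egress decision, not rule selection.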
DNS and NAT

Figure 3-22 shows a DNS server that is accessible from the outside interface. A server, ftp.cisco.com, is on the inside interface. You configure the ASA to statically translate the ftp.cisco.com real address (10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network. In this case, you want to enable DNS reply modification on this static rule so that inside users who have access to ftp.cisco.
a static rule between the inside and DMZ, then you also need to enable DNS reply modification on this rule. The DNS reply will then be modified two times. In this case, the ASA again translates the address inside the DNS reply to 192.168.1.10 according to the static rule between inside and DMZ.

Figure 3-23 DNS Reply Modification, DNS Server, Host, and Server on Separate Networks (1: DNS query for ftp.cisco.com; 2: DNS reply carrying the mapped address 209.165.201.10)
Figure 3-24 shows an FTP server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.201.10. Because you want inside users to use the mapped address for ftp.cisco.com (10.1.2.56) you need to configure DNS reply modification for the static translation.
Because you want inside users to use the mapped address for ftp.cisco.com (2001:DB8::D1A5:C8E1) you need to configure DNS reply modification for the static translation. This example also includes a static NAT translation for the DNS server, and a PAT rule for the inside IPv6 hosts.

Figure 3-25 DNS64 Reply Modification Using Outside NAT (DNS server 209.165.201.15, static translation on inside to 2001:DB8::D1A5:C90F; ftp.cisco.com at 209.165.200.225, static translation on inside to 2001:DB8::D1A5:C8E1)
Figure 3-26 shows an FTP server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user performs a reverse DNS lookup for 10.1.2.56, the ASA modifies the reverse DNS query with the real address, and the DNS server responds with the server name, ftp.cisco.com.

Figure 3-26 PTR Modification, DNS Server on Host Network (ftp.cisco.com at 209.165.201.10, static translation on inside to 10.1.2.56)
Chapter 4 Configuring Network Object NAT

All NAT rules that are configured as a parameter of a network object are considered to be network object NAT rules. Network object NAT is a quick and easy way to configure NAT for a single IP address, a range of addresses, or a subnet. After you configure the network object, you can then identify the mapped address for that object.
Licensing Requirements for Network Object NAT

The following table shows the licensing requirements for this feature:

Model: All models
License Requirement: Base License.
Additional Guidelines

• You can only define a single NAT rule for a given object; if you want to configure multiple NAT rules for an object, you need to create multiple objects with different names that specify the same IP address, for example, object network obj-10.10.10.1-01, object network obj-10.10.10.1-02, and so on.
Configuring Network Object NAT

This section describes how to configure network object NAT and includes the following topics:

• Adding Network Objects for Mapped Addresses, page 4-4
• Configuring Dynamic NAT, page 4-5
• Configuring Dynamic PAT (Hide), page 4-7
• Configuring Static NAT or Static NAT-with-Port-Translation, page 4-11
• Configuring Identity NAT, page 4-14
• Configuring Per-Session PAT Rules, page 4-16

Adding N
Detailed Steps

Command:
object network obj_name
{host ip_address | range ip_address_1 ip_address_2 | subnet subnet_address netmask}
Purpose: Adds a network object, either IPv4 or IPv6.
Example:
ciscoasa(config)# object network TEST
ciscoasa(config-network-object)# range 10.1.1.1 10.1.1.
Step 3
Command: {host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2}
Purpose: If you are creating a new network object, defines the real IP address(es) (either IPv4 or IPv6) that you want to translate.
Example:
ciscoasa(config-network-object)# subnet 10.1.1.0 255.255.255.
ciscoasa(config-network-object)# host 10.10.10.21
ciscoasa(config)# object-group network nat-pat-grp
ciscoasa(config-network-object-group)# network-object object nat-range1
ciscoasa(config-network-object-group)# network-object object pat-ip1
ciscoasa(config)# object network my_net_obj5
ciscoasa(config-network-object)# subnet 10.76.11.0 255.255.255.
• If you enable extended PAT for a dynamic PAT rule, then you cannot also use an address in the PAT pool as the PAT address in a separate static NAT-with-port-translation rule. For example, if the PAT pool includes 10.1.1.1, then you cannot create a static NAT-with-port-translation rule using 10.1.1.1 as the PAT address.
• If you use a PAT pool and specify an interface for fallback, you cannot specify extended PAT.
Step 4
Command:
nat [(real_ifc,mapped_ifc)] dynamic {mapped_inline_host_ip | mapped_obj | pat-pool mapped_obj [round-robin] [extended] [flat [include-reserve]] | interface [ipv6]} [interface [ipv6]] [dns]
Purpose: Configures dynamic PAT for the object IP addresses. You can only define a single NAT rule for a given object. See the “Additional Guidelines” section on page 4-3.
  – Extended PAT—The extended keyword enables extended PAT. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. Normally, the destination port and address are not considered when creating PAT translations, so you are limited to 65535 ports per PAT address.
The following example configures dynamic PAT with a PAT pool to translate the inside IPv6 network to an outside IPv4 network:

ciscoasa(config)# object network IPv4_POOL
ciscoasa(config-network-object)# range 203.0.113.1 203.0.113.
ciscoasa(config)# object network
ciscoasa(config-network-object)#
ciscoasa(config-network-object)#
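The following configuration is an added example of the PAT pool options discussed above; it is not from the guide, and the inside network 10.1.0.0/16, the public range 203.0.113.10 through 203.0.113.20 and the object names are assumed. It shows a valid combination of round-robin, flat and interface fallback, and notes the combination the guidelines forbid.

```cisco
! Assumed public pool; every address in it becomes a PAT address.
object network PAT_POOL
 range 203.0.113.10 203.0.113.20
!
! round-robin: hand out pool addresses in turn instead of exhausting all
!   ports on one address before moving to the next (an existing host
!   keeps its address while ports remain).
! flat include-reserve: choose mapped ports from 1-65535 regardless of
!   the real port's range, so a real port below 1024 is no longer
!   limited to the small 0-511 or 512-1023 pools.
! interface (trailing): when the pool is exhausted, fall back to the
!   outside interface address.
object network INSIDE_NET
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic pat-pool PAT_POOL round-robin flat include-reserve interface
!
! Not allowed, per the guidelines above: extended PAT together with an
! interface fallback. The ASA rejects this form:
!   nat (inside,outside) dynamic pat-pool PAT_POOL extended interface
! Extended PAT also means no address in PAT_POOL may double as the PAT
! address of a separate static NAT-with-port-translation rule.
!
! Verification: pool occupancy per address, and the live translations.
ciscoasa# show nat pool
ciscoasa# show xlate
```

Choose flat only when the applications behind the rule do not depend on the mapped port staying in the same range as the real port; the default range-preserving behavior exists for protocols that make that assumption.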
Step 3
Command: {host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2}
Purpose: If you are creating a new network object, defines the real IP address(es) (IPv4 or IPv6) that you want to translate.
Example:
ciscoasa(config-network-object)# subnet 10.2.1.0 255.255.255.
Step 4
Command:
nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip | mapped_obj | interface [ipv6]} [net-to-net] [dns | service {tcp | udp} real_port mapped_port] [no-proxy-arp]
Purpose: Configures static NAT for the object IP addresses. You can only define a single NAT rule for a given object.
• Interfaces—(Required for transparent mode) Specify the real and mapped interfaces. Be sure to include the parentheses in your command.
Examples

The following example configures static NAT for the real host 10.1.1.1 on the inside to 10.2.2.2 on the outside with DNS rewrite enabled.

ciscoasa(config)# object network my-host-obj1
ciscoasa(config-network-object)# host 10.1.1.1
ciscoasa(config-network-object)# nat (inside,outside) static 10.2.2.2 dns

The following example configures static NAT for the real host 10.1.1.1 on the inside to 2.2.2.
Step 3
Command: {host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2}
Purpose: If you are creating a new network object, defines the real IP address(es) (IPv4 or IPv6) to which you want to perform identity NAT. If you configured a network object for the mapped addresses in Step 1, then these addresses must match.
Example:
ciscoasa(config-network-object)# subnet 10.1.1.0 255.255.255.
The following example maps a host address to itself using a network object:

ciscoasa(config)# object network my-host-obj1-identity
ciscoasa(config-network-object)# host 10.1.1.1
ciscoasa(config)# object network my-host-obj1
ciscoasa(config-network-object)# host 10.1.1.
Detailed Steps

Command:
xlate per-session {permit | deny} {tcp | udp} source_ip [operator src_port] destination_ip operator dest_port
Purpose: Creates a permit or deny rule. This rule is placed above the default rules, but below any other manually-created rules. Be sure to create your rules in the order you want them applied.
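An added example of a per-session PAT rule, not from the guide; the partner address 198.51.100.7 and the port 5060 are assumed. The default rules that ship with 9.0(1) and later place all TCP traffic and UDP DNS under per-session PAT, so the translation is freed as soon as the connection ends; a deny rule carves out traffic that must keep the traditional multi-session behavior, in which the mapped port is held until the xlate times out.

```cisco
! Manually created deny rule: connections from any IPv4 source to the
! partner host on TCP 5060 use multi-session PAT instead of per-session
! PAT. Useful for an application that reopens short-lived connections
! and expects the same mapped source port to be reused.
xlate per-session deny tcp any4 host 198.51.100.7 eq 5060
!
! Each manually created rule is inserted above the default permit rules
! and below the manual rules entered before it, so enter the most
! specific rules first. The defaults remain and still cover everything
! else.
!
! Verification: the rule list in configured order, then live xlates.
! Per-session translations disappear as soon as the TCP connection
! closes; the multi-session ones for 198.51.100.7:5060 persist until
! the xlate timeout.
ciscoasa# show running-config xlate
ciscoasa# show xlate
```

Because per-session xlates are torn down immediately, a deny rule is the only way to keep a NAT binding alive across consecutive connections for the traffic it matches; keep its scope as narrow as the application requires, since multi-session PAT holds ports longer and shrinks the pool available to other hosts.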
Command: show running-config nat
Purpose: Shows the NAT configuration.

Note You cannot view the NAT configuration using the show running-config object command. You cannot reference objects or object groups that have not yet been created in nat commands.
Providing Access to an Inside Web Server (Static NAT)

The following example performs static NAT for an inside web server. The real address is on a private network, so a public address is required. Static NAT is necessary so hosts can initiate traffic to the web server at a fixed address. (See Figure 4-1).

Figure 4-1 Static NAT for an Inside Web Server (outside host 209.165.201.12; ASA outside interface 209.165.201.1; traffic to the mapped address is untranslated to the web server's real address on the inside network)
Figure 4-2 Dynamic NAT for Inside, Static NAT for Outside Web Server (inside host 10.1.2.10 on myInsNet is translated to 209.165.201.20; the outside web server 209.165.201.12 is untranslated to 10.1.2.20 for inside hosts; ASA outside interface 209.165.201.1, inside interface 10.1.2.1)
Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many)

The following example shows an inside load balancer that is translated to multiple IP addresses. When an outside host accesses one of the mapped IP addresses, it is untranslated to the single load balancer address. Depending on the URL requested, it redirects traffic to the correct web server. (See Figure 4-3).
Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation)

The following static NAT-with-port-translation example provides a single address for remote users to access FTP, HTTP, and SMTP. These servers are actually different devices on the real network, but for each server, you can specify static NAT-with-port-translation rules that use the same mapped IP address, but different ports. (See Figure 4-4.
Step 5 Create a network object for the SMTP server address:

ciscoasa(config)# object network SMTP_SERVER

Step 6 Define the SMTP server address, and configure static NAT with identity port translation for the SMTP server:

ciscoasa(config-network-object)# host 10.1.2.29
ciscoasa(config-network-object)# nat (inside,outside) static 209.165.201.
When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10). The ASA refers to the static rule for the inside server and translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply modification, then the inside host attempts to send traffic to 209.165.201.10 instead of accessing ftp.cisco.com directly.
DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS Modification)

Figure 4-6 shows an FTP server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.201.10.
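The following configuration is an added example, not the guide's own, covering the two DNS reply modification cases from the “DNS and NAT” discussion in Chapter 3 and this section: a server behind the ASA that is published under mapped addresses toward two other interfaces, and a server on the outside whose real address must be rewritten to a mapped inside address. The two scenarios are independent and reuse the guide's addresses (10.1.3.14, 209.165.201.10, 192.168.1.10, 10.1.2.56); the object names are assumed, and the scenarios are not meant to coexist in one configuration.

```cisco
! ---- Scenario A: ftp.cisco.com (real 10.1.3.14) on the dmz, DNS server
!      on the outside, clients on the inside. The outside DNS server
!      answers with the outside mapped address 209.165.201.10. The dns
!      keyword on BOTH static rules makes the ASA rewrite the A record
!      twice: first back to the real 10.1.3.14, then to the inside-facing
!      mapped address 192.168.1.10. Two objects are needed because a
!      network object can carry only one NAT rule.
object network DMZ_FTP_TO_OUTSIDE
 host 10.1.3.14
 nat (dmz,outside) static 209.165.201.10 dns
!
object network DMZ_FTP_TO_INSIDE
 host 10.1.3.14
 nat (dmz,inside) static 192.168.1.10 dns
!
! Omitting dns on the second rule leaves the reply at 209.165.201.10;
! inside hosts would then try to reach the server through the outside
! interface, which fails.
!
! ---- Scenario B: ftp.cisco.com and the DNS server both on the outside,
!      the server reachable by inside hosts only under the mapped
!      address 10.1.2.56. The DNS server replies with the real
!      209.165.201.10; the dns keyword rewrites it to 10.1.2.56. The
!      same rule also rewrites the PTR lookup for 10.1.2.56 back to
!      209.165.201.10 before the query reaches the DNS server.
object network OUTSIDE_FTP
 host 209.165.201.10
 nat (outside,inside) static 10.1.2.56 dns
!
! DNS rewrite is performed by DNS inspection; confirm it is enabled in
! the policy that applies to the interface the reply arrives on.
ciscoasa# show running-config policy-map
ciscoasa# show service-policy inspect dns
ciscoasa# show nat detail
```

If the expected rewrite does not happen, check that the A record matches a rule whose mapped or real address equals the record exactly (net-to-net and one-to-one mappings are rewritable; a dynamic PAT rule is not) and that DNS inspection is applied on the interface where the reply is received.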
IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real Interface (Static NAT64 with DNS64 Modification)

Figure 4-6 shows an FTP server and DNS server on the outside IPv4 network. The ASA has a static translation for the outside server. In this case, when an inside IPv6 user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.200.225.
Step 2 Configure NAT for the DNS server.

a. Create a network object for the DNS server address.

ciscoasa(config)# object network DNS_SERVER

b. Define the DNS server address, and configure static NAT using the net-to-net method.

ciscoasa(config-network-object)# host 209.165.201.
Feature History for Network Object NAT

Table 4-1 lists each feature change and the platform release in which it was implemented.

Table 4-1 Feature History for Network Object NAT

Feature Name: Network Object NAT
Platform Releases: 8.3(1)
Feature Information: Configures NAT for a network object IP address(es).
Feature Name: Flat range of PAT ports for a PAT pool
Platform Releases: 8.4(3)
Feature Information: If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535.
Feature Name: Automatic NAT rules to translate a VPN peer's local IP address back to the peer's real IP address
Platform Releases: 8.4(3)
Feature Information: In rare situations, you might want to use a VPN peer's real IP address on the inside network instead of an assigned local IP address.
Feature Name: NAT support for reverse DNS lookups
Platform Releases: 9.0(1)
Feature Information: NAT now supports translation of the DNS PTR record for reverse DNS lookups when using IPv4 NAT, IPv6 NAT, and NAT64 with DNS inspection enabled for the NAT rule.

Feature Name: Per-session PAT
Platform Releases: 9.
Chapter 5 Configuring Twice NAT

Twice NAT lets you identify both the source and destination address in a single rule.
Twice NAT also lets you use service objects for static NAT-with-port-translation; network object NAT only accepts inline definition. For detailed information about the differences between twice NAT and network object NAT, see the “How NAT is Implemented” section on page 3-13. Twice NAT rules are added to section 1 of the NAT rules table, or if specified, section 3.
• For routed mode, you can also translate between IPv4 and IPv6.
• For transparent mode, translating between IPv4 and IPv6 networks is not supported. Translating between two IPv6 networks, or between two IPv4 networks is supported.
• For transparent mode, a PAT pool is not supported for IPv6.
• For static NAT, you can specify an IPv6 subnet up to /64. Larger subnets are not supported.
• You can use the same objects in multiple rules.
• The mapped IP address pool cannot include:
  – The mapped interface IP address. If you specify any interface for the rule, then all interface IP addresses are disallowed. For interface PAT (routed mode only), use the interface keyword instead of the IP address.
  – (Transparent mode) The management IP address.
  – (Dynamic NAT) The standby interface IP address when VPN is enabled.
Guidelines

• A network object group can contain objects and/or inline addresses of either IPv4 or IPv6 addresses. The group cannot contain both IPv4 and IPv6 addresses; it must contain one type only.
• See the “Guidelines and Limitations” section on page 5-2 for information about disallowed mapped IP addresses.
• Source Dynamic NAT:
  – You typically configure a larger group of real addresses to be mapped to a smaller group.
Detailed Steps

Command:
object network obj_name
{host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2}
Purpose: Adds a network object, either IPv4 or IPv6.
Example:
ciscoasa(config)# object network MyInsNet
ciscoasa(config-network-object)# subnet 10.1.1.0 255.255.255.
• Source Dynamic PAT (Hide)—Source Dynamic PAT does not support port translation.
• Source Static NAT or Static NAT with port translation—A service object can contain both a source and destination port; however, you should specify either the source or the destination port for both service objects.
Detailed Steps

Step 1
Command: Create network objects or groups for the:
Purpose: See the “Adding Network Objects for Real and Mapped Addresses” section on page 5-4.
Step 3
Command:
nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}] source dynamic {real_obj | any} {mapped_obj [interface [ipv6]]} [destination static {mapped_obj | interface [ipv6]} real_obj] [service mapped_dest_svc_obj real_dest_svc_obj] [dns] [unidirectional] [inactive] [description desc]
Purpose: Configure dynamic NAT. See the following guidelines:
• Interfaces—(Required for transparent mode) Specify the real and mapped interfaces.
• Destination addresses (Optional):
  – Mapped—Specify a network object or group, or for static interface NAT with port translation only, specify the interface keyword. If you specify ipv6, then the IPv6 address of the interface is used. If you specify interface, be sure to also configure the service keyword. For this option, you must configure a specific interface for the real_ifc.
Examples

The following example configures dynamic NAT for inside network 10.1.1.0/24 when accessing servers on the 209.165.201.1/27 network as well as servers on the 203.0.113.0/24 network:

ciscoasa(config)# object network INSIDE_NW
ciscoasa(config-network-object)# subnet 10.1.1.0 255.255.255.0
ciscoasa(config)# object network MAPPED_1
ciscoasa(config-network-object)# range 209.165.200.225 209.165.200.
• If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool that can be used. (8.4(3) and later, not including 8.5(1) or 8.
Detailed Steps

Step 1
Command: Create network objects or groups for the:
• Source real addresses
• Source mapped addresses
• Destination real addresses
• Destination mapped addresses
Purpose: See the “Adding Network Objects for Real and Mapped Addresses” section on page 5-4. If you want to translate all source traffic, you can skip adding an object for the source real addresses, and instead specify the any keyword in the nat command.
Step 3
Command:
nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}] source dynamic {real_obj | any} {mapped_obj [interface [ipv6]] | [pat-pool mapped_obj [round-robin] [extended] [flat [include-reserve]] [interface [ipv6]] | interface [ipv6]} [destination static {mapped_obj | interface [ipv6]} real_obj] [service mapped_dest_svc_obj real_dest_svc_obj] [dns] [unidirectional] [inactive] [description desc]
Purpose: Configures dynamic PAT (hide).
For a PAT pool, you can specify one or more of the following options:
  – Round robin—The round-robin keyword enables round-robin address allocation for a PAT pool. Without round robin, by default all ports for a PAT address will be allocated before the next PAT address is used.
• Destination addresses (Optional):
  – Mapped—Specify a network object or group, or for static interface NAT with port translation only (routed mode), specify the interface keyword. If you specify ipv6, then the IPv6 address of the interface is used. If you specify interface, be sure to also configure the service keyword. For this option, you must configure a specific interface for the real_ifc.
Examples

The following example configures interface PAT for inside network 192.168.1.0/24 when accessing outside Telnet server 209.165.201.23, and Dynamic PAT using a PAT pool when accessing any server on the 203.0.113.0/24 network.

ciscoasa(config)# object network INSIDE_NW
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config)# object network PAT_POOL
ciscoasa(config-network-object)# range 209.165.200.225 209.165.200.
Configuring Static NAT or Static NAT-with-Port-Translation

This section describes how to configure a static NAT rule using twice NAT. For more information about static NAT, see the “Static NAT” section on page 3-3.

Detailed Steps

Step 1
Command: Create network objects or groups for the:
Purpose: See the “Adding Network Objects for Real and Mapped Addresses” section on page 5-4.
Step 3
Command:
nat [(real_ifc,mapped_ifc)] [line | {after-object [line]}] source static real_obj [mapped_obj | interface [ipv6]] [destination static {mapped_obj | interface [ipv6]} real_obj] [service real_src_mapped_dest_svc_obj mapped_src_real_dest_svc_obj] [net-to-net] [dns] [unidirectional | no-proxy-arp] [inactive] [description desc]
Purpose: Configures static NAT.
• Ports—(Optional) Specify the service keyword along with the real and mapped service objects. For source port translation, the objects must specify the source service. The order of the service objects in the command for source port translation is service real_obj mapped_obj. For destination port translation, the objects must specify the destination service.
to the command keywords; the actual source and destination address and port in a packet depends on which host sent the packet. In this example, connections are originated from outside to inside, so the “source” address and port of the FTP server is actually the destination address and port in the originating packet.
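The following configuration is an added example of the source/destination semantics just described; it is not from the guide, and the FTP server address 10.1.2.27, its mapped address 209.165.201.10, the mapped port 2121 and the object names are assumed. Although every connection originates on the outside, the server is written as the rule's “source”, so its service objects describe the source port and appear in the order real, then mapped.

```cisco
! Real and mapped addresses of the inside FTP server.
object network FTP_SERVER_REAL
 host 10.1.2.27
object network FTP_SERVER_MAPPED
 host 209.165.201.10
!
! Source port translation: both service objects specify the SOURCE port,
! because the rule is written from the real (inside) side's point of
! view. The real port is 21; outside clients connect to 2121.
object service FTP_REAL_PORT
 service tcp source eq 21
object service FTP_MAPPED_PORT
 service tcp source eq 2121
!
! Argument order for source port translation:
!   source static <real> <mapped> service <real_svc> <mapped_svc>
nat (inside,outside) source static FTP_SERVER_REAL FTP_SERVER_MAPPED service FTP_REAL_PORT FTP_MAPPED_PORT
!
! In the packet an outside client actually sends, the server is the
! DESTINATION: 209.165.201.10:2121, untranslated by this rule to
! 10.1.2.27:21. Trace that packet from the outside interface; the NAT
! phase should name this rule and show the untranslated destination.
ciscoasa# packet-tracer input outside tcp 198.51.100.50 40000 209.165.201.10 2121 detailed
ciscoasa# show nat detail
```

If the trace shows no translation, the usual cause is a service object written with destination ports (service tcp destination eq 21) for what the rule treats as the source, or the two service objects given in mapped-then-real order; in both cases the rule is accepted but never matches the intended flow.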
Detailed Steps

Step 1
Command: Create network objects or groups for the:
Purpose: See the “Adding Network Objects for Real and Mapped Addresses” section on page 5-4.

Step 2
Command: (Optional) Create service objects for the:
Step 3
Command:
nat [(real_ifc,mapped_ifc)] [line | {after-object [line]}] source static {nw_obj nw_obj | any any} [destination static {mapped_obj | interface [ipv6]} real_obj] [service real_src_mapped_dest_svc_obj mapped_src_real_dest_svc_obj] [no-proxy-arp] [route-lookup] [inactive] [description desc]
Purpose: Configures identity NAT. See the following guidelines:
• Interfaces—(Required for transparent mode) Specify the real and mapped interfaces.
• No Proxy ARP—(Optional) Specify no-proxy-arp to disable proxy ARP for incoming packets to the mapped IP addresses. See the “Mapped Addresses and Routing” section on page 3-20 for more information.
• Route lookup—(Optional; routed mode only; interface(s) specified) Specify route-lookup to determine the egress interface using a route lookup instead of using the interface specified in the NAT command.
Configuration Examples for Twice NAT

This section includes the following configuration examples:

• Different Translation Depending on the Destination (Dynamic PAT), page 5-25
• Different Translation Depending on the Destination Address and Port (Dynamic PAT), page 5-27

Different Translation Depending on the Destination (Dynamic PAT)

Figure 5-1 shows a host on the 10.1.2.0/24 network accessing two different servers.
Chapter 5 Configuring Twice NAT Configuration Examples for Twice NAT Step 4 Configure the first twice NAT rule: ciscoasa(config)# nat (inside,dmz) source dynamic myInsideNetwork PATaddress1 destination static DMZnetwork1 DMZnetwork1 Because you do not want to translate the destination address, you need to configure identity NAT for it by specifying the same address for the real and mapped destination addresses.
Chapter 5 Configuring Twice NAT Configuration Examples for Twice NAT Different Translation Depending on the Destination Address and Port (Dynamic PAT) Figure 5-2 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for Telnet services, the real address is translated to 209.165.202.129:port.
Chapter 5 Configuring Twice NAT Configuration Examples for Twice NAT Step 5 Configure the first twice NAT rule: ciscoasa(config)# nat (inside,outside) source dynamic myInsideNetwork PATaddress1 destination static TelnetWebServer TelnetWebServer service TelnetObj TelnetObj Because you do not want to translate the destination address or port, you need to configure identity NAT for them by specifying the same address for the real and mapped destination addresses, and the same port for the real and mapped
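A small Python model of the twice NAT rules in the two examples above, added here and not part of the guide or of ASA software: first matching rule wins, source is dynamically PATed, and an identity destination (same object for real and mapped) leaves the destination untouched. The server address, the web-traffic PAT address and the port numbering are constructed; only 10.1.2.0/24 and 209.165.202.129 come from the text.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

Xlate = Tuple[str, int, str, int]   # (mapped src, mapped src port, mapped dst, dst port)


@dataclass(frozen=True)
class TwiceNatRule:
    """One 'nat (real_ifc,mapped_ifc) source dynamic ... destination static ...' rule."""
    src_real: IPv4Network                      # e.g. myInsideNetwork
    src_mapped: IPv4Address                    # PAT address (PATaddress1, PATaddress2)
    dst_real: IPv4Network                      # real destination object
    dst_mapped: IPv4Network                    # mapped destination; equal to dst_real for identity NAT
    service: Optional[Tuple[str, int]] = None  # (protocol, destination port); None matches any

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str, dport: int) -> bool:
        if src not in self.src_real or dst not in self.dst_real:
            return False
        return self.service is None or self.service == (proto, dport)


class TwiceNatTable:
    """Ordered twice NAT rules; PAT source ports are handed out per mapped address."""

    def __init__(self, rules: List[TwiceNatRule], first_port: int = 1024) -> None:
        self.rules = rules
        self.first_port = first_port            # constructed starting port for the model
        self._next_port: Dict[IPv4Address, int] = {}

    def _alloc_port(self, pat_addr: IPv4Address) -> int:
        port = self._next_port.get(pat_addr, self.first_port)
        self._next_port[pat_addr] = port + 1
        return port

    def translate(self, src: str, dst: str, proto: str, dport: int) -> Optional[Xlate]:
        """First matching rule wins. None means no twice NAT rule applies (the ASA would
        then consult network object NAT rules, which this model does not include)."""
        src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
        for rule in self.rules:
            if not rule.matches(src_ip, dst_ip, proto, dport):
                continue
            if rule.dst_mapped == rule.dst_real:
                new_dst = dst_ip                          # identity NAT: destination untouched
            else:                                         # static network-to-network mapping
                offset = int(dst_ip) - int(rule.dst_real.network_address)
                new_dst = IPv4Address(int(rule.dst_mapped.network_address) + offset)
            return (str(rule.src_mapped), self._alloc_port(rule.src_mapped), str(new_dst), dport)
        return None


def build_table() -> TwiceNatTable:
    """The rules of the Figure 5-2 example. The server address and the PAT address
    for web traffic are constructed; 10.1.2.0/24 and 209.165.202.129 are from the text."""
    inside = IPv4Network("10.1.2.0/24")                 # myInsideNetwork
    server = IPv4Network("209.165.201.11/32")           # TelnetWebServer (constructed)
    return TwiceNatTable([
        # nat (inside,outside) source dynamic myInsideNetwork PATaddress1
        #   destination static TelnetWebServer TelnetWebServer service TelnetObj TelnetObj
        TwiceNatRule(inside, IPv4Address("209.165.202.129"), server, server, ("tcp", 23)),
        # second rule for web traffic to the same server via PATaddress2 (constructed)
        TwiceNatRule(inside, IPv4Address("209.165.202.130"), server, server, ("tcp", 80)),
    ])


if __name__ == "__main__":
    table = build_table()
    for dport in (23, 80, 22):
        print(dport, table.translate("10.1.2.27", "209.165.201.11", "tcp", dport))
```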
Chapter 5 Configuring Twice NAT Feature History for Twice NAT Feature History for Twice NAT Table 5-1 lists each feature change and the platform release in which it was implemented. Table 5-1 Feature History for Twice NAT Feature Name Platform Releases Twice NAT 8.3(1) Feature Information Twice NAT lets you identify both the source and destination address in a single rule. We modified or introduced the following commands: nat, show nat, show xlate, show nat pool.
Chapter 5 Configuring Twice NAT Feature History for Twice NAT Table 5-1 Feature History for Twice NAT (continued) Feature Name Platform Releases Round robin PAT pool allocation uses the same 8.4(3) IP address for existing hosts Feature Information When using a PAT pool with round robin allocation, if a host has an existing connection, then subsequent connections from that host will use the same PAT IP address if ports are available. We did not modify any commands. This feature is not available in 8.
Chapter 5 Configuring Twice NAT Feature History for Twice NAT Table 5-1 Feature History for Twice NAT (continued) Feature Name Platform Releases Automatic NAT rules to translate a VPN peer’s 8.4(3) local IP address back to the peer’s real IP address Feature Information In rare situations, you might want to use a VPN peer’s real IP address on the inside network instead of an assigned local IP address. Normally with VPN, the peer is given an assigned local IP address to access the inside network.
Chapter 5 Configuring Twice NAT Feature History for Twice NAT Table 5-1 Feature History for Twice NAT (continued) Feature Name Platform Releases NAT support for reverse DNS lookups 9.0(1) NAT now supports translation of the DNS PTR record for reverse DNS lookups when using IPv4 NAT, IPv6 NAT, and NAT64 with DNS inspection enabled for the NAT rule. Per-session PAT 9.
PART 3 Configuring Access Control
CHAPTER 6 Configuring Access Rules This chapter describes how to control network access through the ASA using access rules and includes the following sections: Note • Information About Access Rules, page 6-1 • Licensing Requirements for Access Rules, page 6-7 • Prerequisites, page 6-7 • Guidelines and Limitations, page 6-7 • Default Settings, page 6-8 • Configuring Access Rules, page 6-8 • Monitoring Access Rules, page 6-10 • Configuration Examples for Permitting or Denying Network Acc
Chapter 6 Configuring Access Rules Information About Access Rules • Information About EtherType Rules, page 6-6 General Information About Rules This section describes information for both access rules and EtherType rules, and it includes the following topics: • Implicit Permits, page 6-2 • Information About Interface Access Rules and Global Access Rules, page 6-2 • Using Access Rules and EtherType Rules on the Same Interface, page 6-2 • Implicit Deny, page 6-3 • Inbound and Outbound Rules, pag
Chapter 6 Configuring Access Rules Information About Access Rules Implicit Deny ACLs have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot pass. For example, if you want to allow all users to access a network through the ASA except for particular addresses, then you need to deny the particular addresses and then permit all others.
Chapter 6 Configuring Access Rules Information About Access Rules Figure 6-1 Outbound ACL [figure: web server 209.165.200.225 beyond the ASA outside interface; outside ACL, outbound: permit HTTP from 10.1.1.14, 10.1.2.67, and 10.1.3.34 to 209.165.200.225, deny all others; inside interfaces (HR, Eng and a third) each with an inbound ACL permitting from any to any; static NAT 10.1.1.14 to 209.165.201.4, 10.1.2.67 to 209.165.201.6, 10.1.3.34 to 209.165.201.]
Chapter 6 Configuring Access Rules Information About Access Rules Firewall Mode Guidelines Supported in routed and transparent firewall mode. IPv6 Guidelines Supports IPv6. Additional Guidelines and Limitations Evaluate the following alternatives before using the transactional commit model: • When you have a large rule set, reduce the number of rules by enabling the Object Group Search setting in the Advanced Access Rule Configuration settings.
Chapter 6 Configuring Access Rules Information About Access Rules Table 6-1 lists common traffic types that you can allow through the transparent firewall.

Table 6-1 Transparent Firewall Special Traffic

| Traffic Type | Protocol or Port | Notes |
| --- | --- | --- |
| DHCP | UDP ports 67 and 68 | If you enable the DHCP server, then the ASA does not pass DHCP packets. |
| EIGRP | Protocol 88 | — |
| OSPF | Protocol 89 | — |
| Multicast streams | The UDP ports vary depending on the application. | |
Chapter 6 Configuring Access Rules Licensing Requirements for Access Rules Access Rules for Returning Traffic Because EtherTypes are connectionless, you need to apply the rule to both interfaces if you want traffic to pass in both directions.
Chapter 6 Configuring Access Rules Guidelines and Limitations Per-User ACL Guidelines • The per-user ACL uses the value in the timeout uauth command, but it can be overridden by the AAA per-user session timeout value. • If traffic is denied because of a per-user ACL, syslog message 109025 is logged. If traffic is permitted, no syslog message is generated. The log option in the per-user ACL has no effect. Default Settings See the “Implicit Permits” section on page 6-2.
Chapter 6 Configuring Access Rules Guidelines and Limitations Detailed Steps Command Purpose access-group access_list {{in | out} interface interface_name [per-user-override | control-plane] | global} Binds an ACL to an interface or applies it globally. Example: For an interface-specific rule: ciscoasa(config)# access-group outside_access in interface outside Specify the extended or EtherType ACL name. You can configure one access-group command per ACL type per interface.
Chapter 6 Configuring Access Rules Monitoring Access Rules Monitoring Access Rules To monitor network access, enter the following command: Command Purpose show running-config access-group Displays the current ACL bound to the interfaces. Configuration Examples for Permitting or Denying Network Access This section includes typical configuration examples for permitting or denying network access.
Chapter 6 Configuring Access Rules Feature History for Access Rules
hostname(config-service)# service-object tcp source range 2000 3000
hostname(config-service)# service-object tcp source range 3000 3010 destinatio$
hostname(config-service)# service-object ipsec
hostname(config-service)# service-object udp destination range 1002 1006
hostname(config-service)# service-object icmp echo
ciscoasa(config)# access-list outsideacl extended permit object-group myaclog interface inside any
Feature Histor
Chapter 6 Configuring Access Rules Feature History for Access Rules Table 6-2 Feature History for Access Rules (continued) Feature Name Platform Releases Unified ACL for IPv4 and IPv6 9.0(1) Feature Information ACLs now support IPv4 and IPv6 addresses. You can even specify a mix of IPv4 and IPv6 addresses for the source and destination. The any keyword was changed to represent IPv4 and IPv6 traffic. The any4 and any6 keywords were added to represent IPv4-only and IPv6-only traffic, respectively.
CHAPTER 7 Configuring AAA Rules for Network Access This chapter describes how to enable AAA (pronounced “triple A”) for network access. For information about AAA for management access, see the general operations configuration guide.
Chapter 7 Configuring AAA Rules for Network Access Guidelines and Limitations Guidelines and Limitations This section includes the guidelines and limitations for this feature. Context Mode Guidelines Supported in single and multiple context mode. Firewall Mode Guidelines Supported in routed and transparent firewall mode. IPv6 Guidelines Supports IPv6. Additional Guidelines In clustering, this feature is only supported on the master unit.
Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access One-Time Authentication A user at a given IP address only needs to authenticate one time for all rules and types, until the authentication session expires. (See the timeout uauth command in the command reference for timeout values.
Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access Note If you use HTTP authentication, by default the username and password are sent from the client to the ASA in clear text; in addition, the username and password are sent on to the destination web server as well. See the “Enabling Secure Authentication of Web Clients” section on page 7-10 for information to secure your credentials.
Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access • For Telnet and FTP traffic, users must log in through the cut-through proxy server and again to the Telnet and FTP servers. • A user can specify an Active Directory domain while providing login credentials (in the format, domain\username). The ASA automatically selects the associated AAA server group for the specified domain.
Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access nat (inside,outside) static 10.48.66.155 service tcp 111 889 Then users do not see the authentication page. Instead, the ASA sends an error message to the web browser, indicating that the user must be authenticated before using the requested service. When a mapped address is used for static PAT, it is automatically placed into the dynamic PAT pool.
Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access Configuring Network Access Authentication To configure network access authentication, perform the following steps: Step 1 Command Purpose aaa-server Identifies your AAA servers. If you have already identified them, continue to the next step.
Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access Step 4 Command Purpose aaa authentication listener http[s] interface_name [port portnum] redirect (Optional) Enables the redirection method of authentication for HTTP or HTTPS connections. Example: ciscoasa(config)# aaa authentication listener http inside redirect The interface_name argument is the interface on which you want to enable listening ports.
Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access The following example shows a typical cut-through proxy configuration to allow a user to log in through the ASA. In this example, the following conditions apply: • The ASA IP address is 192.168.123.10. • The Active Directory domain controller has the IP address 10.1.2.10. • The end user client has the IP address 192.168.123.10 and uses HTTPS to log in through a web portal.
Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access For more information about authentication, see the “Information About Authentication” section on page 7-2. Enabling Secure Authentication of Web Clients If you use HTTP authentication, by default the username and password are sent from the client to the ASA in clear text; in addition, the username and password are sent to the destination web server as well.
Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access nat (inside,outside) static 10.132.16.200 service tcp 443 443 Authenticating Directly with the ASA If you do not want to allow HTTP, HTTPS, Telnet, or FTP through the ASA but want to authenticate other types of traffic, you can authenticate with the ASA directly using HTTP, HTTPS, or Telnet.
Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access Command Purpose virtual http Redirects all HTTP connections that require AAA authentication to the virtual HTTP server on the ASA. The ASA prompts for the AAA server username and password. After the AAA server authenticates the user, the ASA redirects the HTTP connection back to the original server, but it does not include the AAA server username and password.
Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication for Network Access Command Purpose virtual telnet ip_address Configures a virtual Telnet server. Example: The ip_address argument sets the IP address for the virtual Telnet server. Make sure this address is an unused address that is routed to the ASA. ciscoasa(config)# virtual telnet 209.165.202.
Chapter 7 Configuring AAA Rules for Network Access Configuring Authorization for Network Access Configuring Authorization for Network Access After a user authenticates for a given connection, the ASA can use authorization to further control traffic from the user.
Chapter 7 Configuring AAA Rules for Network Access Configuring Authorization for Network Access To configure TACACS+ authorization, perform the following steps: Step 1 Command Purpose aaa-server Identifies your AAA servers. If you have already identified them, continue to the next step.
Chapter 7 Configuring AAA Rules for Network Access Configuring Authorization for Network Access Step 5 Command Purpose aaa local authentication attempts max-fail number (Optional) Uses the local database for network access authentication and limits the number of consecutive failed login attempts that the ASA allows for any given user account, except users with privilege level 15, who are not affected by this feature. The number argument value is between 1 and 16.
Chapter 7 Configuring AAA Rules for Network Access Configuring Authorization for Network Access
ciscoasa(config-aaa-server-host)# key TACPlusUauthKey
ciscoasa(config-aaa-server-host)# exit
ciscoasa(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
ciscoasa(config)# aaa authorization match SERVER_AUTH inside AuthOutbound
Configuring RADIUS Authorization When authentication succeeds, the RADIUS protocol returns user authorizations in the access-accept message sent by a RADIUS server.
Chapter 7 Configuring AAA Rules for Network Access Configuring Authorization for Network Access • Simplified and centralized management of ACLs—Downloadable ACLs enable you to write a set of ACLs once and apply it to many user or group profiles and distribute it to many ASAs.
Chapter 7 Configuring AAA Rules for Network Access Configuring Authorization for Network Access
ip:inacl#n=ACE-n
ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
Chapter 7 Configuring AAA Rules for Network Access Configuring Authorization for Network Access The downloaded ACL on the ASA consists of the following lines, each beginning with access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7:
Chapter 7 Configuring AAA Rules for Network Access Configuring Accounting for Network Access Converting Wildcard Netmask Expressions in Downloadable ACLs If a RADIUS server provides downloadable ACLs to Cisco VPN 3000 series concentrators as well as to the ASA, you may need the ASA to convert wildcard netmask expressions to standard netmask expressions. This is because Cisco VPN 3000 series concentrators support wildcard netmask expressions, but the ASA only supports standard netmask expressions.
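An added Python example, not ASA code or Cisco's, covering the two passages above: it turns the ip:inacl#n=ACE-n attributes of a RADIUS downloadable ACL into access-list lines of the form shown in the listing (ordered by n), and converts wildcard netmasks to standard netmasks. The ACL name is the one on this page; the attribute values are constructed, and the auto-detect rule (a mask whose top bit is 0 is a wildcard) is an assumption of this model.

```python
import re
from ipaddress import IPv4Address
from typing import List

AV_PAIR = re.compile(r"^ip:inacl#(\d+)=(.+)$")
ACL_NAME = "#ACSACL#-ip-asa-acs_ten_acl-3b5385f7"     # name shown in the listing above


def is_ipv4(token: str) -> bool:
    try:
        IPv4Address(token)
        return True
    except ValueError:
        return False


def convert_mask(mask: str, mode: str) -> str:
    """mode is 'standard' (keep), 'wildcard' (always invert) or 'auto-detect'.
    Auto-detect treats a mask whose top bit is 0 as a wildcard (assumption)."""
    value = int(IPv4Address(mask))
    if mode == "wildcard" or (mode == "auto-detect" and value >> 31 == 0):
        return str(IPv4Address(value ^ 0xFFFFFFFF))
    return mask


def normalize_ace(ace: str, mode: str) -> str:
    """Rewrite every 'address mask' pair in an ACE; 'host x' and 'any' carry no mask."""
    tokens, out, i = ace.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "host" and i + 1 < len(tokens):
            out.extend(tokens[i:i + 2])
            i += 2
        elif is_ipv4(tokens[i]) and i + 1 < len(tokens) and is_ipv4(tokens[i + 1]):
            out.extend([tokens[i], convert_mask(tokens[i + 1], mode)])
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return " ".join(out)


def downloadable_acl(av_pairs: List[str], mode: str = "auto-detect") -> List[str]:
    """Turn ip:inacl#n=ACE attributes into the access-list lines the ASA installs,
    ordered by n regardless of the order in which the attributes arrived."""
    entries = []
    for line in av_pairs:
        match = AV_PAIR.match(line.strip())
        if not match:
            raise ValueError(f"not an ip:inacl attribute: {line!r}")
        entries.append((int(match.group(1)), normalize_ace(match.group(2), mode)))
    entries.sort(key=lambda entry: entry[0])
    return [f"access-list {ACL_NAME} {ace}" for _, ace in entries]


# Constructed attribute values, deliberately out of order, mixing mask styles
SAMPLE_AV_PAIRS = [
    "ip:inacl#2=permit tcp 10.1.0.0 0.0.255.255 any eq www",            # wildcard mask
    "ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0",      # standard masks
    "ip:inacl#3=deny ip host 10.1.5.5 any",
]

if __name__ == "__main__":
    for line in downloadable_acl(SAMPLE_AV_PAIRS):
        print(line)
```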
Chapter 7 Configuring AAA Rules for Network Access Configuring Accounting for Network Access To configure accounting, perform the following steps: Step 1 Command Purpose access-list If you want the ASA to provide accounting data per user, you must enable authentication. For more information, see the “Configuring Network Access Authentication” section on page 7-7. If you want the ASA to provide accounting data per IP address, enabling authentication is not necessary.
Chapter 7 Configuring AAA Rules for Network Access Using MAC Addresses to Exempt Traffic from Authentication and Authorization
ciscoasa(config)# aaa accounting match SERVER_AUTH inside AuthOutbound
AAA provides an extra level of protection and control for user access than using ACLs alone. For example, you can create an ACL allowing all outside users to access Telnet on a server on the DMZ network.
Chapter 7 Configuring AAA Rules for Network Access Using MAC Addresses to Exempt Traffic from Authentication and Authorization To use MAC addresses to exempt traffic from authentication and authorization, perform the following steps: Step 1 Command Purpose mac-list id {deny | permit} mac macmask Configures a MAC list. Example: ciscoasa(config)# mac-list abc permit 00a0.c95d.0282 ffff.ffff.ffff The id argument is the hexadecimal number that you assign to the MAC list.
Chapter 7 Configuring AAA Rules for Network Access Feature History for AAA Rules The following example bypasses authentication for a group of MAC addresses except for 00a0.c95d.02b2. Enter the deny statement before the permit statement, because 00a0.c95d.02b2 matches the permit statement as well, and if the permit statement is first, the deny statement will never be matched.
ciscoasa(config)# mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffff
ciscoasa(config)# mac-list 1 permit 00a0.c95d.0000 ffff.ffff.
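An added Python example, not ASA code or Cisco's, for the two ordering rules above: the implicit deny at the end of an ACL (Chapter 6) and the deny-before-permit ordering of a MAC list. It is a first-match evaluator plus a check that reports entries no probe can ever reach, which is how a shadowed deny shows up. The MAC addresses are the ones from the mac-list example; the permit mask ffff.ffff.0000 and the IP ACL entries are constructed.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, List, Optional, Tuple

Entry = Tuple[str, Callable[[object], bool]]   # (action, predicate)


def first_match(entries: List[Entry], value) -> Optional[str]:
    """Action of the first entry whose predicate matches, or None if nothing matches."""
    for action, predicate in entries:
        if predicate(value):
            return action
    return None


def unreachable(entries: List[Entry], probes) -> List[int]:
    """Indexes of entries that no probe ever reaches (shadowed by earlier entries)."""
    hit = set()
    for probe in probes:
        for index, (_, predicate) in enumerate(entries):
            if predicate(probe):
                hit.add(index)
                break
    return [i for i in range(len(entries)) if i not in hit]


# --- extended ACL on IPv4 addresses ---
def net(cidr: str) -> Callable[[IPv4Address], bool]:
    network = IPv4Network(cidr)
    return lambda ip: ip in network


def any4(ip: IPv4Address) -> bool:
    return True


def acl_decision(acl: List[Entry], ip: str) -> str:
    """ACLs end with an implicit deny: no explicit match means the packet is dropped."""
    return first_match(acl, IPv4Address(ip)) or "deny"


def acl_unreachable(acl: List[Entry], ips: List[str]) -> List[int]:
    return unreachable(acl, [IPv4Address(ip) for ip in ips])


# --- MAC list: 'mac mask' entries ---
def mac_int(dotted: str) -> int:
    return int(dotted.replace(".", ""), 16)


def mac_entry(address: str, mask: str) -> Callable[[str], bool]:
    bits = mac_int(mask)
    want = mac_int(address) & bits
    return lambda candidate: (mac_int(candidate) & bits) == want


def mac_list_decision(mac_list: List[Entry], address: str) -> Optional[str]:
    """A MAC list has no implicit entry: None means the address is simply not listed."""
    return first_match(mac_list, address)


# Constructed ACLs: the excepted host must be denied before the broad permit
ACL_DENY_FIRST = [("deny", net("10.1.1.14/32")), ("permit", any4)]
ACL_PERMIT_FIRST = [("permit", any4), ("deny", net("10.1.1.14/32"))]   # deny is shadowed
ACL_SUBNET_ONLY = [("permit", net("10.1.1.0/24"))]                      # everything else: implicit deny

# mac-list 1 from the example above; the permit mask is constructed
MAC_LIST_DENY_FIRST = [("deny", mac_entry("00a0.c95d.0282", "ffff.ffff.ffff")),
                       ("permit", mac_entry("00a0.c95d.0000", "ffff.ffff.0000"))]
MAC_LIST_PERMIT_FIRST = list(reversed(MAC_LIST_DENY_FIRST))

if __name__ == "__main__":
    print(acl_decision(ACL_PERMIT_FIRST, "10.1.1.14"))                 # permit: deny never reached
    print(unreachable(MAC_LIST_PERMIT_FIRST, ["00a0.c95d.0282"]))      # [1]: the deny entry
```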
PART 4 Configuring Application Inspection
CHAPTER 9 Getting Started with Application Layer Protocol Inspection This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports.
Chapter 9 Getting Started with Application Layer Protocol Inspection Information about Application Layer Protocol Inspection Figure 9-1 How Inspection Engines Work [figure: Client, ASA (ACL, XLATE, CONN, Inspection), Server; operations numbered 1 through 7] In Figure 9-1, operations are numbered in the order they occur, and are described as follows:
1. A TCP SYN packet arrives at the ASA to establish a new connection.
2. The ASA checks the ACL database to determine if the connection is permitted.
3.
Chapter 9 Getting Started with Application Layer Protocol Inspection Guidelines and Limitations When you enable application inspection for a service that embeds IP addresses, the ASA translates embedded addresses and updates any checksum or other fields that are affected by the translation.
Chapter 9 Getting Started with Application Layer Protocol Inspection Default Settings and NAT Limitations Inspected protocols are subject to advanced TCP-state tracking, and the TCP state of these connections is not automatically replicated. While these connections are replicated to the standby unit, there is a best-effort attempt to re-establish a TCP state.
Chapter 9 Getting Started with Application Layer Protocol Inspection Default Settings and NAT Limitations Table 9-1 Supported Application Inspection Engines (continued)

| Application¹ | Default Port | NAT Limitations | Standards² | Comments |
| --- | --- | --- | --- | --- |
| ICMP ERROR | — | — | — | — |
| ILS (LDAP) | TCP/389 | No extended PAT. | — | — |
| Instant Messaging (IM) | Varies by client | No extended PAT. No NAT64. | RFC 3860 | — |
| IP Options | — | No NAT64. | RFC 791, RFC 2113 | — |
| IPsec Pass Through | UDP/500 | No PAT. | — | — |
| IPv6 | — | No NAT64. | | |
Chapter 9 Getting Started with Application Layer Protocol Inspection Default Settings and NAT Limitations Table 9-1 Supported Application Inspection Engines (continued)

| Application¹ | Default Port | NAT Limitations | Standards² | Comments |
| --- | --- | --- | --- | --- |
| SIP | TCP/5060 UDP/5060 | No outside NAT. No NAT on same security interfaces. No extended PAT. No per-session PAT. No NAT64. (Clustering) No static PAT. | RFC 2543 | Does not handle TFTP uploaded Cisco IP Phone configurations under certain circumstances. |
Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Application Layer Protocol Inspection
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  dns-guard
  protocol-enforcement
  nat-rewrite
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225 _default_h323_map
  inspect h323 ras _default_h323_map
  inspect ip
Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Application Layer Protocol Inspection You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic to specific IP addresses. Because the match default-inspection-traffic command specifies the ports to match, any ports in the ACL are ignored.
Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Application Layer Protocol Inspection Step 3 • H323—See the “Configuring an H.323 Inspection Policy Map for Additional Inspection Control” section on page 11-6 • HTTP—See the “Configuring an HTTP Inspection Policy Map for Additional Inspection Control” section on page 10-16.
Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Application Layer Protocol Inspection class in Step 5. Do not add another class that matches SNMP.
Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Application Layer Protocol Inspection Table 9-2 Protocol Keywords Keywords Notes http [map_name] If you added an HTTP inspection policy map according to the “Configuring an HTTP Inspection Policy Map for Additional Inspection Control” section on page 10-16, identify the map name in this command.
Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Application Layer Protocol Inspection Table 9-2 Step 6 Protocol Keywords Keywords Notes scansafe [map_name] If you added a ScanSafe (Cloud Web Security) inspection policy map according to “Configuring a Service Policy to Send Traffic to Cloud Web Security” section on page 25-10, identify the map name in this command.
CHAPTER 10 Configuring Inspection of Basic Internet Protocols This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection instead of passing the packet through the fast path. As a result, inspection engines can affect overall throughput.
Chapter 10 Configuring Inspection of Basic Internet Protocols DNS Inspection • Configuring DNS Inspection, page 10-8 • Monitoring DNS Inspection, page 10-9 Information About DNS Inspection • General Information About DNS, page 10-2 • DNS Inspection Actions, page 10-2 General Information About DNS A single connection is created for multiple DNS sessions, as long as they are between the same two hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, a
Chapter 10 Configuring Inspection of Basic Internet Protocols DNS Inspection
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  dns-guard
  protocol-enforcement
  nat-rewrite
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
...
Chapter 10 Configuring Inspection of Basic Internet Protocols DNS Inspection Command Purpose policy-map type inspect dns name Creates an inspection policy map in which you want to match traffic directly. Example: You can specify multiple match commands in the policy map. For information about the order of match commands, see the “Defining Actions in an Inspection Policy Map” section on page 2-4.
Chapter 10 Configuring Inspection of Basic Internet Protocols DNS Inspection Step 4 Command Purpose match [not] dns-class {eq {in | c_val} | range c_val1 c_val2} Matches a DNS class, either in (for Internet) or c_val, an arbitrary value from 0 to 65535 in the DNS class field. The range keyword specifies a range, and the eq keyword specifies an exact match.
Chapter 10 Configuring Inspection of Basic Internet Protocols DNS Inspection Step 6 Command Purpose match [not] domain-name regex {regex_id | class class_id} Matches a DNS message domain name list. The regex_id argument is a regular expression. The class class_id is a regular expression class map. See the “Prerequisites” section on page 10-3.
Chapter 10 Configuring Inspection of Basic Internet Protocols DNS Inspection Step 7 Command Purpose (If you are using a DNS inspection class map) Creates an inspection policy map, specifies the DNS inspection class map, and sets the action for the class map: policy-map type inspect dns name class class_map_name {drop [log] | drop-connection [log] | enforce-tsig {[drop] [log]} | mask [log] | log} • drop [log]—Drops the packet. log also logs the packet.
Chapter 10 Configuring Inspection of Basic Internet Protocols DNS Inspection Examples The following example shows how to define a DNS inspection policy map.
regex domain_example “example\.com”
regex domain_foo “foo\.
Chapter 10 Configuring Inspection of Basic Internet Protocols DNS Inspection Step 3 Step 4 Command Purpose policy-map name Adds or edits a policy map that sets the actions to take with the class map traffic. Example: ciscoasa(config)# policy-map global_policy In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name. class name Identifies the class map created in Step 1.
Chapter 10 Configuring Inspection of Basic Internet Protocols FTP Inspection For connections using a DNS server, the source port of the connection may be replaced by the IP address of DNS server in the show conn command output. A single connection is created for multiple DNS sessions, as long as they are between the same two hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol).
Chapter 10 Configuring Inspection of Basic Internet Protocols FTP Inspection Using the strict Option Using the strict option with the inspect ftp command increases the security of protected networks by preventing web browsers from sending embedded commands in FTP requests. Note To specify FTP commands that are not permitted to pass through the ASA, create an FTP map according to the “Configuring an FTP Inspection Policy Map for Additional Inspection Control” section on page 10-12.
Chapter 10 Configuring Inspection of Basic Internet Protocols FTP Inspection Configuring an FTP Inspection Policy Map for Additional Inspection Control FTP command filtering and security checks are provided using strict FTP inspection for improved security and control. Protocol conformance includes packet length checks, delimiters and packet format checks, command terminator checks, and command validation.
Chapter 10 Configuring Inspection of Basic Internet Protocols FTP Inspection d. (Optional) To match a file type for FTP transfer, enter the following command: ciscoasa(config-cmap)# match [not] filetype regex {regex_name | class regex_class_name} Where the regex_name is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2. e.
Chapter 10 Configuring Inspection of Basic Internet Protocols FTP Inspection Step 5 (Optional) To add a description to the policy map, enter the following command: ciscoasa(config-pmap)# description string Step 6 To apply actions to matching traffic, perform the following steps. a.
Chapter 10 Configuring Inspection of Basic Internet Protocols HTTP Inspection
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# mask-banner
ciscoasa(config)# class-map match-all ftp-traffic
ciscoasa(config-cmap)# match port tcp eq ftp
ciscoasa(config)# policy-map ftp-policy
ciscoasa(config-pmap)# class ftp-traffic
ciscoasa(config-pmap-c)# inspect ftp strict mymap
ciscoasa(config)# service-policy ftp-policy interface inside
Verifying and Monitoring FTP Inspection FTP application inspection genera
Chapter 10 Configuring Inspection of Basic Internet Protocols HTTP Inspection The enhanced HTTP inspection feature, which is also known as an application firewall and is available when you configure an HTTP map (see “Configuring an HTTP Inspection Policy Map for Additional Inspection Control”), can help prevent attackers from using HTTP messages for circumventing network security policy. It verifies the following for all HTTP messages: • Conformance to RFC 2616 • Use of RFC-defined methods only.
Chapter 10 Configuring Inspection of Basic Internet Protocols HTTP Inspection ciscoasa(config-cmap)# description string c. (Optional) To match traffic with a content-type field in the HTTP response that does not match the accept field in the corresponding HTTP request message, enter the following command: ciscoasa(config-cmap)# match [not] req-resp content-type mismatch d.
Chapter 10 Configuring Inspection of Basic Internet Protocols HTTP Inspection Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2. The length gt max_bytes is the maximum message body length in bytes. j.
Chapter 10 Configuring Inspection of Basic Internet Protocols HTTP Inspection The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server and/or client. The log keyword, which you can use alone or with one of the other keywords, sends a system log message. The rate-limit message_rate argument limits the rate of messages. You can specify multiple class or match commands in the policy map.
Chapter 10 Configuring Inspection of Basic Internet Protocols ICMP Inspection ICMP Inspection The ICMP inspection engine allows ICMP traffic to have a “session” so it can be inspected like TCP and UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through the ASA in an ACL. Without stateful inspection, ICMP can be used to attack your network. The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct.
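A minimal Python model of the behaviour described above, added here and not ASA code: an echo reply is permitted only while a matching request (reversed addresses, same identifier and sequence number) is outstanding, and each request admits exactly one reply. The packet trace and the idle timeout are constructed for the example; the timeout value is not the ASA default.

```python
from typing import Dict, List, Tuple

ECHO_REPLY, ECHO_REQUEST = 0, 8
Key = Tuple[str, str, int, int]          # (requester, responder, identifier, sequence)


class IcmpEchoInspector:
    """Admit an echo reply only against an outstanding request, and only once."""

    def __init__(self, idle_timeout: float = 2.0) -> None:
        self.idle_timeout = idle_timeout     # seconds a request stays open (constructed value)
        self.pending: Dict[Key, float] = {}  # outstanding requests -> time first seen

    def _expire(self, now: float) -> None:
        stale = [k for k, seen in self.pending.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.pending[k]

    def process(self, now: float, src: str, dst: str, icmp_type: int, ident: int, seq: int) -> str:
        self._expire(now)
        if icmp_type == ECHO_REQUEST:
            self.pending[(src, dst, ident, seq)] = now   # open (or refresh) the "session"
            return "permit"
        if icmp_type == ECHO_REPLY:
            key = (dst, src, ident, seq)                 # a reply flows back to the requester
            if self.pending.pop(key, None) is None:
                return "drop"      # unsolicited, duplicate, expired, or wrong id/sequence
            return "permit"        # exactly one reply per request
        return "drop"              # other ICMP types are outside this model


# Constructed trace: (time, src, dst, type, identifier, sequence)
TRACE = [
    (0.0, "10.1.1.5", "209.165.200.225", ECHO_REQUEST, 0x1234, 1),
    (0.1, "209.165.200.225", "10.1.1.5", ECHO_REPLY, 0x1234, 1),   # the one legitimate reply
    (0.2, "209.165.200.225", "10.1.1.5", ECHO_REPLY, 0x1234, 1),   # duplicate reply
    (0.3, "10.1.1.5", "209.165.200.225", ECHO_REQUEST, 0x1234, 2),
    (0.4, "209.165.200.225", "10.1.1.5", ECHO_REPLY, 0x1234, 3),   # sequence number mismatch
    (0.5, "198.51.100.9", "10.1.1.5", ECHO_REPLY, 0x1234, 2),      # reply from the wrong host
    (5.0, "209.165.200.225", "10.1.1.5", ECHO_REPLY, 0x1234, 2),   # request already expired
]


def run_trace(trace=TRACE) -> List[str]:
    """Decision for each packet of the trace, in order."""
    inspector = IcmpEchoInspector()
    return [inspector.process(*packet) for packet in trace]


if __name__ == "__main__":
    for packet, decision in zip(TRACE, run_trace()):
        print(decision, packet)
```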
Instant Messaging Inspection

Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control

To specify actions when a message violates a parameter, create an IM inspection policy map. You can then apply the inspection policy map when you enable IM inspection.

Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2.

f.

You can specify multiple class or match commands in the policy map. For information about the order of class and match commands, see the “Defining Actions in an Inspection Policy Map” section on page 2-4.

Step 7 Specify the action you want to perform on the matching traffic by entering the following command:
ciscoasa(config-pmap-c)# {drop-connection | reset | log}
Where the drop-connection action closes the connection.

IP Options Inspection

• IP Options Inspection Overview, page 10-24
• Configuring an IP Options Inspection Policy Map for Additional Inspection Control, page 10-25

IP Options Inspection Overview

Each IP packet contains an IP header with the Options field. The Options field, commonly referred to as IP Options, provides control functions that are required in some situations but unnecessary for most common communications.

Configuring an IP Options Inspection Policy Map for Additional Inspection Control

Step 1 To create an IP Options inspection policy map, enter the following command:
ciscoasa(config)# policy-map type inspect ip-options policy_map_name
ciscoasa(config-pmap)#
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.

IPsec Pass Through Inspection

• IPsec Pass Through Inspection Overview, page 10-26
• “Example for Defining an IPsec Pass Through Parameter Map” section on page 10-26

IPsec Pass Through Inspection Overview

Internet Protocol Security (IPsec) is a protocol suite for securing IP communications by authenticating and encrypting each IP packet of a data stream.

IPv6 Inspection

Information about IPv6 Inspection

IPv6 inspection lets you selectively log or drop IPv6 traffic based on the extension header. In addition, IPv6 inspection can check conformance to RFC 2460 for the type and order of extension headers in IPv6 packets.

Detailed Steps

Step 1
Command: policy-map type inspect ipv6 name
Purpose: Creates an inspection policy map.

  drop
  log
 match header destination-option
  drop
  log
 match header routing-address count gt 0
  drop
  log
 match header routing-type eq 0
  drop
  log

Configuring IPv6 Inspection

To enable IPv6 inspection, perform the following steps.

Detailed Steps

Step 1
Command: class-map name
Purpose: Creates a class map to identify the traffic for which you want to apply the inspection.

Examples

The following example drops all IPv6 traffic with the hop-by-hop, destination-option, routing-address, and routing type 0 headers:
policy-map type inspect ipv6 ipv6-pm
 parameters
 match header hop-by-hop
  drop
 match header destination-option
  drop
 match header routing-address count gt 0
  drop
 match header routing-type eq 0
  drop
policy-map global_policy
 class class-default
  inspect ipv6 ipv6-pm
!
service-policy global_pol
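What the match header criteria above actually look at, as an added Python example (this page's own illustration, not ASA code): a walker over the IPv6 next-header chain that exposes the header type, the routing type and the routing address count, an RFC 2460 order check, and an evaluator that applies the example policy (hop-by-hop, destination-option, routing-address count gt 0 and routing-type eq 0, all drop). The packets are constructed from documentation-prefix addresses; the names of the criteria and the assumption that a failed order check drops the packet (order_action) are this example's, not the guide's.

```python
import struct
from typing import Dict, List, Optional, Tuple

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, ICMPV6 = 0, 43, 44, 50, 51, 60, 58
NAMES = {HOP_BY_HOP: "hop-by-hop", ROUTING: "routing", FRAGMENT: "fragment",
         ESP: "esp", AH: "ah", DEST_OPTS: "destination-option"}
# RFC 2460 section 4.1 recommended order; Destination Options may appear twice.
RFC2460_ORDER = [HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH, ESP, DEST_OPTS]


def parse_ext_headers(pkt: bytes) -> List[Dict[str, object]]:
    """Walk the next-header chain of a raw IPv6 packet and describe each extension header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = pkt[6], 40, []
    while nxt in NAMES:
        hdr: Dict[str, object] = {"type": nxt, "name": NAMES[nxt]}
        chain.append(hdr)
        if nxt == ESP:
            break                                   # ESP hides everything after it
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == FRAGMENT:
            length = 8                              # fixed size
        elif nxt == AH:
            length = (pkt[off + 1] + 2) * 4         # AH length is in 32-bit words minus 2
        else:
            length = (pkt[off + 1] + 1) * 8         # others: 8-octet units not counting the first 8
        if nxt == ROUTING:
            hdr["routing_type"] = pkt[off + 2]
            hdr["segments_left"] = pkt[off + 3]
            # Type 0 carries a list of 16-byte addresses; each one uses two 8-octet units.
            hdr["address_count"] = pkt[off + 1] // 2 if pkt[off + 2] == 0 else None
        if off + length > len(pkt):
            raise ValueError("truncated extension header")
        nxt, off = pkt[off], off + length
    return chain


def rfc2460_order_ok(chain: List[Dict[str, object]]) -> bool:
    """Each header must sit at or after the previous one's slot in the recommended order."""
    pos = 0
    for hdr in chain:
        try:
            pos = RFC2460_ORDER.index(hdr["type"], pos) + 1
        except ValueError:
            return False
    return True


def _matches(hdr: Dict[str, object], crit: Tuple[str, object]) -> bool:
    kind, arg = crit
    if kind == "header":
        return hdr["name"] == arg
    if hdr["name"] != "routing":
        return False
    if kind == "routing-type eq":
        return hdr["routing_type"] == arg
    if kind == "routing-address count gt":
        return (hdr["address_count"] or 0) > arg
    return False


def verdict(pkt: bytes, rules: List[Tuple[Tuple[str, object], str]],
            order_action: Optional[str] = "drop") -> str:
    """Apply (criterion, action) rules to the header chain; drop beats log beats permit.
    order_action is this example's assumption for what a failed RFC 2460 order check does."""
    chain = parse_ext_headers(pkt)
    actions = set()
    if order_action and not rfc2460_order_ok(chain):
        actions.add(order_action)
    for hdr in chain:
        actions.update(action for crit, action in rules if _matches(hdr, crit))
    if "drop" in actions:
        return "drop"
    return "log" if "log" in actions else "permit"


# The policy from the example above, expressed as (criterion, action) pairs.
EXAMPLE_RULES = [(("header", "hop-by-hop"), "drop"), (("header", "destination-option"), "drop"),
                 (("routing-address count gt", 0), "drop"), (("routing-type eq", 0), "drop")]


def build_packet(first_next: int, ext: bytes, payload: bytes = bytes([128, 0, 0, 0, 0, 0, 0, 0])) -> bytes:
    """Constructed IPv6 packet: documentation-prefix addresses and an ICMPv6 echo payload."""
    src = bytes.fromhex("20010db8" + "0" * 22 + "01")
    dst = bytes.fromhex("20010db8" + "0" * 22 + "02")
    return struct.pack("!IHBB", 0x60000000, len(ext) + len(payload), first_next, 64) + src + dst + ext + payload


HBH = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])                   # Hop-by-Hop (one PadN option), next = Routing
RH0 = bytes([ICMPV6, 2, 0, 1, 0, 0, 0, 0]) + bytes(16)        # Routing type 0, one address, segments left = 1
FRAG = bytes([ICMPV6, 0, 0, 0, 0, 0, 0, 1])                    # Fragment header (offset 0, identification 1)
DOPT_THEN_HBH = bytes([HOP_BY_HOP, 0, 1, 4, 0, 0, 0, 0]) + bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])

PKT_RH0 = build_packet(HOP_BY_HOP, HBH + RH0)            # hop-by-hop + RH0: the drop policy matches
PKT_FRAG = build_packet(FRAGMENT, FRAG)                  # plain fragment: nothing in the policy matches
PKT_BAD_ORDER = build_packet(DEST_OPTS, DOPT_THEN_HBH)   # hop-by-hop after dest-options violates RFC 2460

if __name__ == "__main__":
    for name, pkt in (("rh0", PKT_RH0), ("fragment", PKT_FRAG), ("bad-order", PKT_BAD_ORDER)):
        print(name, [h["name"] for h in parse_ext_headers(pkt)], verdict(pkt, EXAMPLE_RULES))
```

Two details worth noticing when writing such rules: the routing address count is only meaningful for routing type 0 (it is derived from the header length), and once an ESP header is reached nothing behind it can be classified, so a policy that relies on seeing the upper-layer header must decide what to do with ESP-protected packets separately.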
NetBIOS Inspection

Step 4 (Optional) To add a description to the policy map, enter the following command:
ciscoasa(config-pmap)# description string

Step 5 To apply actions to matching traffic, perform the following steps.
a.

ciscoasa(config)# policy-map netbios_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect netbios netbios_map

PPTP Inspection

PPTP is a protocol for tunneling PPP traffic. A PPTP session is composed of one TCP channel and usually two PPTP GRE tunnels. The TCP channel is the control channel used for negotiating and managing the PPTP GRE tunnels.

SMTP and Extended SMTP Inspection

includes support for SMTP sessions. Most commands used in an extended SMTP session are the same as those used in an SMTP session, but an ESMTP session is considerably faster and offers more options related to reliability and security, such as delivery status notification.

To specify actions when a message violates a parameter, create an ESMTP inspection policy map. You can then apply the inspection policy map when you enable ESMTP inspection. To create an ESMTP inspection policy map, perform the following steps:

Step 1 (Optional) Add one or more regular expressions for use in traffic matching commands according to the general operations configuration guide.

Step 6 To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)#
b. To configure a local domain name, enter the following command:
ciscoasa(config-pmap-p)# mail-relay domain-name action [drop-connection | log]
Where the drop-connection action closes the connection.
CHAPTER 11 Configuring Inspection for Voice and Video Protocols

This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection instead of passing the packet through the fast path. As a result, inspection engines can affect overall throughput.

CTIQBE Inspection

Limitations and Restrictions

The following summarizes limitations that apply when using CTIQBE application inspection:
• CTIQBE application inspection does not support configurations with the alias command.
• Stateful failover of CTIQBE calls is not supported.
• Entering the debug ctiqbe command may delay message transmission, which may have a performance impact in a real-time environment.

The line beginning with RTP/RTCP: PAT xlates: appears only if an internal CTI device has registered with an external CallManager and the CTI device address and ports are PATed to that external interface. This line does not appear if the CallManager is located on an internal interface, or if the internal CTI device address and ports are translated to the same external interface that is used by the CallManager.

H.323 Inspection

H.323 Inspection Overview

H.323 inspection provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union for multimedia conferences over LANs. The ASA supports H.323 through Version 6, including the H.323 v3 feature Multiple Calls on One Call Signaling Channel. With H.

After inspecting the H.225 messages, the ASA opens the H.245 channel and then inspects traffic sent over the H.245 channel as well. All H.245 messages passing through the ASA undergo H.245 application inspection, which translates embedded IP addresses and opens the media channels negotiated in H.245 messages. The H.323 ITU standard requires that a TPKT header, defining the length of the message, precede the H.225 and H.

• Only static NAT is fully supported. Static PAT may not properly translate IP addresses embedded in optional fields within H.323 messages. If you experience this kind of problem, do not use static PAT with H.323.
• Not supported with dynamic NAT or PAT.
• Not supported with extended PAT.
• Not supported with NAT between same-security-level interfaces.
• Not supported with outside NAT.
• Not supported with NAT64.

b. (Optional) To add a description to the class map, enter the following command:
ciscoasa(config-cmap)# description string
Where string is the description of the class map (up to 200 characters).
c.

You can specify multiple class or match commands in the policy map. For information about the order of class and match commands, see the “Defining Actions in an Inspection Policy Map” section on page 2-4.

Step 7 To configure parameters that affect the inspection engine, perform the following steps:
a.
0 Concurrent Call(s) for Local: 10.130.56.4/1050 Foreign: 172.30.254.205/1720

This output indicates that there is currently 1 active H.323 call going through the ASA between the local endpoint 10.130.56.3 and foreign host 172.30.254.203, and for these particular endpoints, there is 1 concurrent call between them, with a CRV for that call of 9861. For the local endpoint 10.130.56.4 and foreign host 172.30.254.

Total: 1
GK              Caller
172.30.254.214  10.130.56.14

This output shows that there is one active registration between the gatekeeper 172.30.254.214 and its client 10.130.56.14.

MGCP Inspection

This section describes MGCP application inspection.

MGCP transactions are composed of a command and a mandatory response. There are eight types of commands:
• CreateConnection
• ModifyConnection
• DeleteConnection
• NotificationRequest
• Notify
• AuditEndpoint
• AuditConnection
• RestartInProgress
The first four commands are sent by the call agent to the gateway. The Notify command is sent by the gateway to the call agent.

ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)#
b. To configure the call agents, enter the following command for each call agent:
ciscoasa(config-pmap-p)# call-agent ip_address group_id
Use the call-agent command to specify a group of call agents that can manage one or more gateways.

Verifying and Monitoring MGCP Inspection

The show mgcp commands command lists the number of MGCP commands in the command queue. The show mgcp sessions command lists the number of existing MGCP sessions. The detail option includes additional information about each command (or session) in the output.

RTSP Inspection

RTSP Inspection Overview

The RTSP inspection engine lets the ASA pass RTSP packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections.

Note For Cisco IP/TV, use RTSP TCP port 554 and TCP 8554.

RTSP applications use the well-known port 554 with TCP (rarely UDP) as a control channel. The ASA only supports TCP, in conformity with RFC 2326.

• You can configure NAT for Apple QuickTime 4 or RealPlayer. Cisco IP/TV only works with NAT if the Viewer and Content Manager are on the outside network and the server is on the inside network.

Configuring an RTSP Inspection Policy Map for Additional Inspection Control

To specify actions when a message violates a parameter, create an RTSP inspection policy map.

Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2.

Step 4 To create an RTSP inspection policy map, enter the following command:
ciscoasa(config)# policy-map type inspect rtsp policy_map_name
ciscoasa(config-pmap)#
Where the policy_map_name is the name of the policy map.

ciscoasa(config-pmap-p)# url-length-limit length
Where the length argument specifies the URL length in bytes (0 to 6000).

The following example shows how to define an RTSP inspection policy map.
ciscoasa(config)# regex badurl1 www.url1.com/rtsp.avi
ciscoasa(config)# regex badurl2 www.url2.com/rtsp.rm
hostname(config)# regex badurl3 www.url3.com/rtsp.

SIP Inspection

To support SIP calls through the ASA, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses.

SIP inspection has a database with indices CALL_ID/FROM/TO from the SIP payload. These indices identify the call, the source, and the destination. This database contains the media addresses and media ports found in the SDP media information fields and the media type. There can be multiple media addresses and ports for a session. The ASA opens RTP/RTCP connections between the two endpoints using these media addresses/ports.
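The two paragraphs above, as an added Python example (written for this page; not ASA code): it derives the CALL_ID/FROM/TO key from a SIP INVITE, pulls the media address and port pairs out of the SDP c= and m= lines (the RTCP port is taken as RTP port + 1), and rewrites the embedded addresses the way a NAT-aware inspection must before forwarding. The INVITE, the SDP body and the address mapping are constructed for the example.

```python
from typing import Dict, List, NamedTuple, Tuple


class Pinhole(NamedTuple):
    media: str        # 'audio' / 'video' from the m= line
    ip: str           # from the governing c= line
    rtp_port: int     # port from the m= line
    rtcp_port: int    # RTP port + 1 (the companion RTCP flow)


def parse_sip(raw: str) -> Dict[str, object]:
    """Split a SIP message into start line, lower-cased headers and body (the SDP)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start": lines[0], "headers": headers, "body": body}


def _uri(header_value: str) -> str:
    """'Alice <sip:alice@example.test>;tag=123' -> 'sip:alice@example.test'."""
    if "<" in header_value and ">" in header_value:
        return header_value[header_value.index("<") + 1:header_value.index(">")]
    return header_value.split(";")[0].strip()


def call_index(msg: Dict[str, object]) -> Tuple[str, str, str]:
    """The CALL_ID/FROM/TO key under which the inspection database tracks this call."""
    h = msg["headers"]
    return (h["call-id"], _uri(h["from"]), _uri(h["to"]))


def media_pinholes(msg: Dict[str, object]) -> List[Pinhole]:
    """Collect the media address/port pairs from the SDP c= and m= lines."""
    if msg["headers"].get("content-type", "").lower() != "application/sdp":
        return []
    session_ip, pinholes = None, []
    for line in msg["body"].splitlines():
        if line.startswith("c="):
            ip = line.split()[2]                               # c=<nettype> <addrtype> <address>
            if pinholes:
                pinholes[-1] = pinholes[-1]._replace(ip=ip)    # media-level c= overrides that stream
            else:
                session_ip = ip                                # session-level c= applies to all streams
        elif line.startswith("m="):
            media, port = line[2:].split()[:2]                 # m=<media> <port> <proto> <fmt ...>
            rtp = int(port.split("/")[0])
            pinholes.append(Pinhole(media, session_ip, rtp, rtp + 1))
    return pinholes


def translate_sdp(msg: Dict[str, object], mapping: Dict[str, str]) -> str:
    """Rewrite the embedded addresses in c= and o= lines (inside -> mapped) as NAT requires."""
    out = []
    for line in msg["body"].splitlines():
        if line.startswith(("c=", "o=")):
            parts = line.split()
            parts[-1] = mapping.get(parts[-1], parts[-1])      # the address is the last token of c= and o=
            line = " ".join(parts)
        out.append(line)
    return "\r\n".join(out)


# Constructed INVITE with an SDP offer for one audio and one video stream; the video stream
# carries its own c= line to show the media-level override.
SDP = "\r\n".join([
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 10.1.1.10",
    "s=-",
    "c=IN IP4 10.1.1.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "m=video 51372 RTP/AVP 31",
    "c=IN IP4 10.1.1.11",
])
INVITE = "\r\n".join([
    "INVITE sip:bob@example.test SIP/2.0",
    "Via: SIP/2.0/UDP 10.1.1.10:5060;branch=z9hG4bK776asdhds",
    "From: Alice <sip:alice@example.test>;tag=1928301774",
    "To: Bob <sip:bob@example.test>",
    "Call-ID: a84b4c76e66710@10.1.1.10",
    "CSeq: 314159 INVITE",
    "Content-Type: application/sdp",
    f"Content-Length: {len(SDP)}",
]) + "\r\n\r\n" + SDP

if __name__ == "__main__":
    msg = parse_sip(INVITE)
    print(call_index(msg))
    for p in media_pinholes(msg):
        print(p)
    print(translate_sdp(msg, {"10.1.1.10": "203.0.113.5"}))
```

The pinhole list is the reason an ACL that only permits UDP/TCP 5060 is not enough: the RTP and RTCP ports exist nowhere but inside the SDP payload, so only something that reads the payload can open exactly those ports (and, with NAT, rewrite the addresses in the same payload).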
Where the class_map_name is the name of the class map. The match-all keyword is the default, and specifies that traffic must match all criteria to match the class map. The match-any keyword specifies that the traffic matches the class map if it matches at least one of the criteria. The CLI enters class-map configuration mode, where you can enter one or more match commands.
b.

Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2.

k. (Optional) To match a URI in the SIP headers, enter the following command:
ciscoasa(config-cmap)# match [not] uri {sip | tel} length gt length
Where length is the number of bytes the URI is greater than, 0 to 65536.

Step 4

b. To enable or disable instant messaging, enter the following command:
ciscoasa(config-pmap-p)# im
c. To enable or disable IP address privacy, enter the following command:
ciscoasa(config-pmap-p)# ip-address-privacy
d.

Configuring SIP Timeout Values

The media connections are torn down within two minutes after the connection becomes idle. This is, however, a configurable timeout and can be set for a shorter or longer period of time.

Skinny (SCCP) Inspection

• SCCP Inspection Overview, page 11-25
• Supporting Cisco IP Phones, page 11-25
• Restrictions and Limitations, page 11-26
• Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control, page 11-26
• Verifying and Monitoring SIP Inspection, page 11-24

SCCP Inspection Overview

Note For specific information about setting up the Phone Proxy on the ASA, which is part of the Cisco Unified

When the Cisco IP Phones are on a lower security interface compared to the TFTP server, you must use an ACL to connect to the protected TFTP server on UDP port 69. While you do need a static entry for the TFTP server, this does not have to be an identity static entry. When using NAT, an identity static entry maps to the same IP address. When using PAT, it maps to the same IP address and port.

Step 5 To apply actions to matching traffic, perform the following steps.
a. Specify the traffic on which you want to perform actions using one of the following methods:
• Specify the SCCP class map that you created in Step 3 by entering the following command:
ciscoasa(config-pmap)# class class_map_name
ciscoasa(config-pmap-c)#
•
b.

Where the value_length argument is a maximum or minimum value.
f. To configure the timeout value for signaling and media connections, enter the following command:
ciscoasa(config-pmap-p)# timeout

The following example shows how to define an SCCP inspection policy map.
CHAPTER 12 Configuring Inspection of Database and Directory Protocols

This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection instead of passing the packet through the fast path. As a result, inspection engines can affect overall throughput.

During connection negotiation time, a BIND PDU is sent from the client to the server. Once a successful BIND RESPONSE from the server is received, other operational messages may be exchanged (such as ADD, DEL, SEARCH, or MODIFY) to perform operations on the ILS Directory. The ADD REQUEST and SEARCH RESPONSE PDUs may contain IP addresses of NetMeeting peers, used by H.

SQL*Net Inspection

SQL*Net Version 2 TNSFrame types (Connect, Accept, Refuse, Resend, and Marker) will not be scanned for addresses to NAT, nor will inspection open dynamic connections for any embedded ports in the packet. SQL*Net Version 2 TNSFrames, Redirect, and Data packets will be scanned for ports to open and addresses to NAT, if preceded by a REDIRECT TNSFrame type with a zero data length for the payload.

Sun RPC Inspection

Managing Sun RPC Services

Use the Sun RPC services table to control Sun RPC traffic through the ASA based on established Sun RPC sessions.

sunrpc-server inside 192.168.100.2 255.255.255.255 service 100003 protocol UDP port 111 timeout 0:30:00
sunrpc-server inside 192.168.100.2 255.255.255.255 service 100005 protocol UDP port 111 timeout 0:30:00

This output shows that a timeout interval of 30 minutes is configured on UDP port 111 for the Sun RPC server with the IP address 192.168.100.2 on the inside interface.
CHAPTER 13 Configuring Inspection for Management Application Protocols

This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection instead of passing the packet through the fast path. As a result, inspection engines can affect overall throughput.

DCERPC Inspection

DCERPC inspect maps inspect for native TCP communication between the EPM and client on well-known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and port number are received from the applicable EPM response messages.

The following example shows how to define a DCERPC inspection policy map with the timeout configured for DCERPC pinholes.

GTP Inspection

Configuring a GTP Inspection Policy Map for Additional Inspection Control

If you want to enforce additional parameters on GTP traffic, create and configure a GTP map.

ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)#
The mnc network_code argument is a two- or three-digit value identifying the network code. By default, the security appliance does not check for valid MCC/MNC combinations. This command is used for IMSI prefix filtering.

a. Use the object-group command to define a new network object group that will represent the SGSN that sends GTP requests to the GSN pool.
ciscoasa(config)# object-group network SGSN-name
ciscoasa(config-network)#
For example, the following command creates an object group named sgsn32:
ciscoasa(config)# object-group network sgsn32
ciscoasa(config-network)#
b.

Enter this command separately for each timeout. The gsn keyword specifies the period of inactivity after which a GSN will be removed. The pdp-context keyword specifies the maximum period of time allowed before beginning to receive the PDP context. The request keyword specifies the maximum period of time allowed before beginning to receive the GTP message.

total created_pdpmcb 0
pdp_non_existent 0
total deleted_pdpmcb 0

You can use the vertical bar (|) to filter the display. Type ?| for more display filtering options.

The following is sample GSN output from the show service-policy inspect gtp statistics gsn command:
ciscoasa# show service-policy inspect gtp statistics gsn 9.9.9.9
1 in use, 1 most used, timeout 0:00:00
GTP GSN Statistics for 9.9.9.

RADIUS Accounting Inspection

RADIUS Accounting Inspection Overview

One of the well-known problems is the over-billing attack in GPRS networks. The over-billing attack can cause consumer anger and frustration by being billed for services that they have not used. In this case, a malicious attacker sets up a connection to a server and obtains an IP address from the SGSN.

service-policy global_policy global

RSH Inspection

RSH inspection is enabled by default. The RSH protocol uses a TCP connection from the RSH client to the RSH server on TCP port 514. The client and server negotiate the TCP port number where the client listens for the STDERR output stream. RSH inspection supports NAT of the negotiated port number if necessary.

ciscoasa(config-snmp-map)# deny version 2

XDMCP Inspection

XDMCP inspection is enabled by default; however, the XDMCP inspection engine is dependent upon proper configuration of the established command. XDMCP is a protocol that uses UDP port 177 to negotiate X sessions, which use TCP when established.
PART 5 Configuring Unified Communications
CHAPTER 14 Information About Cisco Unified Communications Proxy Features

This chapter describes how to configure the adaptive security appliance for Cisco Unified Communications Proxy features.

Information About the Adaptive Security Appliance in Cisco Unified Communications

TLS Proxy: Decryption and inspection of Cisco Unified Communications encrypted signaling

End-to-end encryption often leaves network security appliances “blind” to media and signaling traffic, which can compromise access control and threat prevention security functions.

TLS Proxy Applications in Cisco Unified Communications

The ASA provides perimeter security by encrypting signaling connections between enterprises and preventing unauthorized calls. An ASA running the Cisco Intercompany Media Engine Proxy can either be deployed as an Internet firewall or be designated as a Cisco Intercompany Media Engine Proxy and placed in the DMZ, off the path of the regular Internet traffic.

For the Cisco Unified Mobility solution, the TLS client is a Cisco UMA client and the TLS server is a Cisco UMA server. The ASA is between a Cisco UMA client and a Cisco UMA server. The mobility proxy (implemented as a TLS proxy) for Cisco Unified Mobility allows the use of an imported PKCS-12 certificate for server proxy during the handshake with the client.

Licensing for Cisco Unified Communications Proxy Features

Model: License Requirement
ASA 5512-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5515-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5525-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, or 1000 sessions.
ASA 5545-X: Base License: 2 sessions.

Table 14-2 shows the default and maximum TLS session details by platform.
CHAPTER 15 Using the Cisco Unified Communication Wizard

This chapter describes how to configure the adaptive security appliance for Cisco Unified Communications Proxy features.

Information about the Cisco Unified Communication Wizard

The wizard simplifies the configuration of the Unified Communications proxies in the following ways:
• You enter all required data in the wizard steps. You are not required to navigate various ASDM screens to configure the Unified Communications proxies.

Using the ASA as a secure presence federation proxy, businesses can securely connect their Cisco Unified Presence (Cisco UP) servers to other Cisco or Microsoft Presence servers, enabling intra-enterprise communications. The security appliance terminates the TLS connectivity between the servers, and can inspect and apply policies for the SIP communications between the servers.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.
Context Mode Guidelines: Supported in single and multiple context mode.
Firewall Mode Guidelines: Supported in routed and transparent firewall mode.
IPv6 Guidelines: Supports IPv6 addresses.
Configuring the Phone Proxy by using the Unified Communication Wizard

Note Any configuration created by the wizard should be maintained through the wizard to ensure proper synchronization. For example, if you create a phone proxy configuration through the UC wizard and then modify the configuration outside of the wizard, the rest of the wizard configuration is not updated, and the wizard configuration is not synchronized.

Step 2 Specify each entity in the network (all Cisco UCM and TFTP servers) that the IP phones must trust. Click Add to add the servers. See Configuring Servers for the Phone Proxy, page 15-6. To modify the configuration of a server already added to the configuration, select the server in the table and click Edit. The Edit Server dialog appears.

statements, you must delete them manually by using the appropriate area of ASDM or rerun the Unified Communications wizard without making any changes and apply the configuration to remove these statements.

Selecting the Use interface IP radio button configures the server to use the IP address of the public interface. You select the public interface in step 4 of the wizard when you configure the public network for the phone proxy. If the Use interface IP radio button is selected, you must specify port translation settings in the Voice and TFTP sections.

See also the Cisco Unified Communications Manager Security Guide for information on using the Certificate Authority Proxy Function (CAPF) to install a locally significant certificate (LSC). If your network includes Cisco IP Communicators (CIPC) or you have LSC-enabled IP phones, you must import the CAPF certificate from the Cisco UCM.

• PC Port
• Voice VLAN access
• Gratuitous ARP
• Span to PC Port

Step 3 To configure address translation for IP phones, check the Enable address translation for IP phones check box. Select whether to use the IP address of the ASA private interface (which you selected in step 2 of the wizard) or enter an IP address.
Chapter 15 Using the Cisco Unified Communication Wizard Configuring the Mobility Advantage by using the Unified Communication Wizard Step 1 In the field for the private IP address, enter the IP address on which private media traffic terminates. The IP address must be within the same subnet as the private interface IP address. The correct subnet range is provided to the right of the field for the private IP address.
Chapter 15 Using the Cisco Unified Communication Wizard Configuring the Mobility Advantage by using the Unified Communication Wizard Configuring the Topology for the Cisco Mobility Advantage Proxy When configuring the Mobility Advantage Proxy, you specify settings to define the private and public network topology, such the private and public network interfaces, and the private and public IP addresses of the Cisco Mobility Advantage server.
Chapter 15 Using the Cisco Unified Communication Wizard Configuring the Mobility Advantage by using the Unified Communication Wizard • When using the wizard to configure the Cisco Mobility Advantage proxy, the wizard only supports installing self-signed certificates. Step 2 Export the identity certificate generated by the wizard for the ASA. See Exporting an Identity Certificate, page 15-23. Step 3 In the Unified MA Server’s Certificate area, click Install Unified MA Server’s Certificate.
Configuring the Presence Federation Proxy by using the Unified Communication Wizard

Note The Unified Communication Wizard is supported for ASA version 8.3(1) and later.

To configure the Cisco Unified Presence proxy by using ASDM, choose Wizards > Unified Communication Wizard from the menu. The Unified Communication Wizard opens.

Step 3 In the FQDN field, enter the domain name for the Unified Presence server. This domain name is included in the certificate signing request that you generate later in this wizard.

Step 4 In the Public Network area, choose the interface of the public network from the drop-down list.
Configuring the UC-IME by using the Unified Communication Wizard

For the TLS handshake, the two entities (the local entity and the remote entity) can validate the peer certificate through a certificate chain to trusted third-party certificate authorities. The local entity and the remote entity enroll with the CAs. The ASA, as the TLS proxy, must be trusted by both the local and remote entities.

To configure the Cisco Intercompany Media Engine Proxy by using ASDM, choose Wizards > Unified Communication Wizard from the menu. The Unified Communication Wizard opens. From the first page, select the Cisco Intercompany Media Engine Proxy option under the Business-to-Business section and click Next.

Step 2 Click Next.

Basic Deployment

In a basic deployment, the Cisco Intercompany Media Engine Proxy sits in-line with the Internet firewall such that all Internet traffic traverses the ASA. In this deployment, a single Cisco UCM or a Cisco UCM cluster is centrally deployed within the enterprise, along with a Cisco Intercompany Media Engine server (and perhaps a backup).

Step 1 To configure the Cisco Intercompany Media Engine Proxy as part of a basic deployment, select the interface that connects to the local Cisco Unified Communications servers.

Or

To configure the Cisco Intercompany Media Engine Proxy as part of an off-path deployment, complete the following steps:

a.

Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy

You must include an entry for each Cisco UCM in the cluster with Cisco Intercompany Media Engine Proxy that has a SIP trunk enabled.

Step 1 Enter the private IP address and port number (in the range 5000-6000) for the Cisco UCM server.

Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy

Completing this step of the wizard generates a self-signed certificate for the ASA. The server proxy certificate is automatically generated using the subject name provided in an earlier step of this wizard. The wizard supports using self-signed certificates only.

Configuring the Remote-Side Certificates for the Cisco Intercompany Media Engine Proxy

Establishing a trust relationship across enterprises or across administrative domains is key. Across enterprises, you must use a trusted third-party CA (such as VeriSign). The ASA obtains a certificate with the FQDN of the Cisco Unified Communications Manager server (certificate impersonation).
Working with Certificates in the Unified Communication Wizard

This section includes the following topics:
• Exporting an Identity Certificate, page 15-23
• Installing a Certificate, page 15-23
• Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy, page 15-24
• Saving the Identity Certificate Request, page 15-25
• Installing the ASA Identity Certificat

Presence Federation server, and the Cisco Unified Communications Manager servers, respectively, on the ASA. See the documentation for each of these products for information about obtaining the identity certificates from each.

• Remote Presence Federation servers for the Cisco Presence Federation Proxy
• The remote ASA for the Cisco Intercompany Media Engine Proxy

Before generating the CSR, you can enter additional parameters. When configuring a Unified Communications proxy by using the wizard, you click the Generate CSR button while in the client-side or remote-side certificate management step of the wizard.

Submit the CSR to the certificate authority (CA), for example, by pasting the CSR text into the CSR enrollment page on the CA website. When the CA returns the signed identity certificate, rerun the Unified Communications Wizard. From the client-side or remote-side certificate management step of the wizard, click Install ASA’s Identity Certificate.

Typically, a certificate authority returns two certificates: your signed identity certificate and the certificate authority’s certificate (referred to as the root certificate). The root certificate from the certificate authority is used to sign other certificates.
Chapter 16 Configuring the Cisco Phone Proxy

This chapter describes how to configure the ASA for the Cisco Phone Proxy feature.

Information About the Cisco Phone Proxy

Figure 16-1 Phone Proxy Secure Deployment
[Figure: the enterprise side (Trusted / Inside / Un-Secured) carries unencrypted TCP/RTP signaling between the internal IP phones, the Cisco UCM servers and the ASA; the Internet side (Un-trusted / Outside / Secured) carries encrypted TLS/SRTP signaling from remote IP phones behind home routers with NAT to the ASA.]

The phone proxy supports a Cisco UCM cluster in mixed mode or nonsecure mode.

Note As an alternative to authenticating remote IP phones through the TLS handshake, you can configure authentication via LSC provisioning. With LSC provisioning you create a password for each remote IP phone user, and each user enters the password on the remote IP phone to retrieve the LSC.
Licensing Requirements for the Phone Proxy

• Cisco Unified IP Phone 7941
• Cisco Unified IP Phone 7941G-GE
• Cisco Unified IP Phone 7940 (SCCP protocol support only)
• Cisco Unified Wireless IP Phone 7921
• Cisco Unified Wireless IP Phone 7925

Note To support Cisco Unified Wireless IP Phone 7925, you must also configure MIC or LSC on the IP phone so that it properly works with the phone proxy.

Model / License Requirement (1)
ASA 5512-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5515-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5525-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, or 1000 sessions.
ASA 5545-X: Base License: 2 sessions.

For more information about licensing, see the general operations configuration guide.
Prerequisites for the Phone Proxy

• For IP phones behind a router or gateway, you must also meet this prerequisite. On the router or gateway, add routes to the media termination address on the ASA interface that the IP phones communicate with so that the phone can reach the media termination address.

Certificates from the Cisco UCM

Import the following certificates, which are stored on the Cisco UCM.

If NAT is configured for the TFTP server or Cisco UCMs, the translated “global” address must be used in the ACLs.

 host 10.0.0.2
 nat (inside,outside) static interface service tcp 2443 7443

Note Both PAT configurations, for the nonsecure and secure ports, must be configured.

• When the IP phones must contact the CAPF on the Cisco UCM and the Cisco UCM is configured with static PAT (LSC provisioning is required), you must configure static PAT for the default CAPF port 3804.

Note If an IP phone already has an LSC installed on it from a different Cisco UCM cluster, delete the LSC from the different cluster and install an LSC from the current Cisco UCM cluster.

Note You can configure LSC provisioning for additional end-user authentication. See the Cisco Unified Communications Manager configuration guide for information.

• The CAPF certificate must be imported onto the ASA.

Prerequisites for Rate Limiting TFTP Requests

In a remote access scenario, we recommend that you configure rate limiting of TFTP requests because any IP phone connecting through the Internet is allowed to send TFTP requests to the TFTP server. To configure rate limiting of TFTP requests, configure the police command in the Modular Policy Framework. See the command reference for information about using the police command.

Phone Proxy Guidelines and Limitations

End-User Phone Provisioning

The phone proxy is a transparent proxy with respect to the TFTP and signaling transactions. If NAT is not configured for the Cisco UCM TFTP server, then the IP phones need to be configured with the Cisco UCM cluster TFTP server address. If NAT is configured for the Cisco UCM TFTP server, then the Cisco UCM TFTP server global address is configured as the TFTP server address on the IP phones.

• General Guidelines and Limitations, page 16-13
• Media Termination Address Guidelines and Limitations, page 16-14

General Guidelines and Limitations

The phone proxy has the following general limitations:
• Only one phone proxy instance can be configured on the ASA by using the phone-proxy command. See the command reference for information about the phone-proxy command.
Configuring the Phone Proxy

– Two SIP IP phones: both in non-secure mode
– Two SCCP IP phones: one IP phone in authenticated mode and one in encrypted mode, both in authenticated mode, both in encrypted mode
– Two SIP IP phones: one IP phone in authenticated mode and one in encrypted mode, both in authenticated mode, both in encrypted mode
– Two SCCP IP phones: both in non-secure mode

This limitation results from the way the application-redirect rules (rules tha

• Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster, page 16-21
• Creating the Media Termination Instance, page 16-23
• Creating the Phone Proxy Instance, page 16-24
• Enabling the Phone Proxy with SIP and Skinny Inspection, page 16-26
• Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy, page 16-27

Task Flow for Configuring the Phone Proxy in a Non-secure Cisco UCM Cluster

Follow these tasks t

Step 3 Click Find; all the certificates are displayed.

Step 4 Find the file named Cisco_Manufacturing_CA. This is the certificate needed to verify the IP phone certificate. Click the .PEM file Cisco_Manufacturing_CA.pem. This shows the certificate information and a dialog box with the option to download the certificate.

Task Flow for Configuring the Phone Proxy in a Mixed-mode Cisco UCM Cluster

Note For mixed-mode clusters, the phone proxy does not support the Cisco Unified Call Manager using TFTP to send encrypted configuration files to IP phones through the ASA.

Prerequisites

Import the required certificates, which are stored on the Cisco UCM. See Certificates from the Cisco UCM, page 16-7 and Importing Certificates from the Cisco UCM, page 16-15.

Step 1
Command: hostname(config)# crypto key generate rsa label key-pair-label modulus size
Example: crypto key generate rsa label cucmtftp_kp modulus 1024
Purpose: Creates a keypair that can be used for the trustpoints.

Prerequisites

If you are using domain names for your Cisco UCM and TFTP server, you must configure DNS lookup on the ASA. Add an entry for each of the outside interfaces on the ASA into your DNS server, if such entries are not already present. Each ASA outside IP address should have a DNS entry associated with it for lookups. These DNS entries must also be enabled for reverse lookup.

Using an Existing CTL File

Note Only when the phone proxy is running in a mixed-mode cluster do you have the option to use an existing CTL file to install trustpoints.
Step 1
Command: hostname(config)# tls-proxy proxy_name
Example: tls-proxy mytls
Purpose: Creates the TLS proxy instance.

Step 2
Command: hostname(config-tlsp)# server trust-point _internal_PP_ctl-instance_filename
Purpose: Configures the server trustpoint and references the internal trustpoint named _internal_PP_ctl-instance_filename.

Step 6
Command: hostname(config-ca-trustpoint)# subject-name X.500_name
Example: hostname(config-ca-trustpoint)# subject-name cn=FW_LDC_SIGNER_172_23_45_200
Purpose: Includes the indicated subject DN in the certificate during enrollment, where X.500_name is the subject name for the LDC. Use commas to separate attribute-value pairs. Insert quotation marks around any value that contains commas or spaces.

• Command: hostname(config)# crypto ca export trustpoint identity-certificate
  Example: hostname(config)# crypto ca export ldc_server identity-certificate
  Purpose: Exports the certificate if a trustpoint with proxy-ldc-issuer is used as the signer of the dynamic certificates.
• Command: hostname(config)# show crypto ca server certificates
  Purpose: Exports the certificate for the embedded local CA server LOCAL-CA-SERVER.

Step 1
Command: hostname(config)# media-termination instance_name
Example: hostname(config)# media-termination mediaterm1
Purpose: Creates the media termination instance that you attach to the phone proxy.

Step 2
Command: hostname(config-media-termination)# address ip_address [interface intf_name]
Examples:
hostname(config-media-termination)# address 192.0.2.25 interface inside
hostname(config-media-termination)# address 10.10.0.

Step 1
Command: hostname(config)# phone-proxy phone_proxy_name
Example: hostname(config)# phone-proxy myphoneproxy
Purpose: Creates the phone proxy instance.

Step 2
Command: hostname(config-phone-proxy)# media-termination instance_name
Example: hostname(config-phone-proxy)# media-termination my_mt
Purpose: Specifies the media termination instance used by the phone proxy for SRTP and RTP.

Step 7
Command: hostname(config-phone-proxy)# cipc security-mode authenticated
Purpose: (Optional) Forces Cisco IP Communicator (CIPC) softphones to operate in authenticated mode when CIPC softphones are deployed in a voice and data VLAN scenario. See Cisco IP Communicator Prerequisites, page 16-10 for all requirements for using the phone proxy with CIPC.

Command: hostname(config)# class-map class_map_name
Example: class-map sec_sip
Purpose: Configures the secure SIP class of traffic to inspect.

Step 5
Command: hostname(config-cmap)# match port tcp eq 5061
Purpose: Matches TCP port 5061, to which you want to apply actions for secure SIP inspection.

Step 6
Command: hostname(config-cmap)# exit
Purpose: Exits from the class map configuration mode.
Troubleshooting the Phone Proxy

Configuring Your Router

Your firewall/router needs to be configured to forward a range of UDP ports to the IP phone. This allows the IP phone to receive audio when you make or receive calls.

Note Different cable/DSL routers have different procedures for this configuration.

Table 16-4 Security Appliance Debug Commands to Use with the Phone Proxy
To: show error and event messages for TLS proxy inspection.
Command: debug inspect tls-proxy [events | errors]
Notes: Use this command when your IP phone has successfully downloaded all TFTP files but is failing to complete the TLS handshake with the TLS proxy configured for the phone proxy.

Table 16-5 Security Appliance Capture Commands to Use with the Phone Proxy
To: capture packets on the ASA interfaces.
Command: capture capture_name interface interface_name
Notes: Use this command if you are experiencing any problems that might require looking into the packets.

Table 16-6 lists the show commands to use with the phone proxy.

Table 16-6 Security Appliance Show Commands to Use with the Phone Proxy
To: show the packets or connections dropped by the accelerated security path.
Command: show asp drop
Notes: Use this command to troubleshoot audio quality issues with the IP phones or other traffic issues with the phone proxy.

To: show the logs in the buffer and the logging settings.
Command: show logging
Notes: Before entering the show logging command, enable the logging buffered command so that the show logging command displays the current message buffer and the current settings.

• Check the security settings on the IP phone by selecting the Settings button > Security Configuration. Settings for web access, Security mode, MIC, LSC, CTL file, trust list, and CAPF appear. Under Security mode, make sure the IP phone is set to Encrypted.
• Check the IP phone to determine which certificates are installed on the phone by selecting the Settings button > Security Configuration > Trust List.

Step 2 From the ASA, verify that the CTL file for the phone proxy contains one record entry for each entity in the network (Primary Cisco UCM, Secondary Cisco UCM, TFTP server) by entering the following command:

ciscoasa# show running-config all ctl-file [ctl_name]

Each of these record entries creates one entry on the IP phone trust list. The phone proxy creates one entry internally with the function CUCM+TFTP.

Solution

Step 1 Verify that DNS lookup is configured on the ASA.
Step 2 If DNS lookup is configured, determine whether you can ping the FQDN for the Cisco UCM from the ASA.
Step 3 If the ASA cannot ping the Cisco UCM FQDN, check whether there is a problem with the DNS server.
Step 4 Additionally, use the name command to associate the FQDN with an IP address.
PP: Client outside:192.168.10.5/49355 retransmitting request for Config file SEP001562106AF3.cnf.xml.sgn
PP: opened 0x17ccde
PP: 192.168.10.5/49355 requesting SEP001562106AF3.cnf.xml.sgn
PP: Client outside:192.168.10.5/49355 retransmitting request for Config file SEP001562106AF3.cnf.xml.sgn
PP: opened 0x17ccde
PP: 192.168.10.5/49355 requesting SEP001562106AF3.cnf.xml.sgn
PP: Client outside:192.168.10.

Step 3 If the router is a Linksys router, see Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy, page 16-27 for information on the configuration requirements.

IP Phone Requesting Unsigned File Error

Problem The IP phone should always request a signed file. Therefore, the TFTP file being requested always has the .SGN extension.
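A small triage helper for the PP: debug output shown above, added here as an example; it is not Cisco's or the ASA's own code. It parses the "requesting" and "retransmitting request for Config file" lines, counts retransmissions per client and file (the phone that keeps re-requesting the same configuration file), and flags any request for a file that does not carry the .sgn extension, which is the "IP Phone Requesting Unsigned File" symptom. The sample is constructed from the lines quoted above; the second client 192.168.10.7/50112 and its file SEP00AABBCCDDEE.cnf.xml are made up for the example, and the line formats are assumed to match the excerpt exactly.

```python
import re
from collections import Counter

# Constructed sample of phone proxy TFTP debug output, modelled on the PP: lines
# quoted in the troubleshooting text. Client 192.168.10.7/50112 and the file
# SEP00AABBCCDDEE.cnf.xml are constructed to show the unsigned-file case.
SAMPLE_PP_DEBUG = """\
PP: 192.168.10.5/49355 requesting SEP001562106AF3.cnf.xml.sgn
PP: Client outside:192.168.10.5/49355 retransmitting request for Config file SEP001562106AF3.cnf.xml.sgn
PP: opened 0x17ccde
PP: 192.168.10.5/49355 requesting SEP001562106AF3.cnf.xml.sgn
PP: Client outside:192.168.10.5/49355 retransmitting request for Config file SEP001562106AF3.cnf.xml.sgn
PP: opened 0x17ccde
PP: 192.168.10.5/49355 requesting SEP001562106AF3.cnf.xml.sgn
PP: 192.168.10.7/50112 requesting SEP00AABBCCDDEE.cnf.xml
"""

# "PP: <ip>/<port> requesting <file>"  (format assumed from the excerpt)
REQUEST_RE = re.compile(
    r"^PP: (?P<client>\d{1,3}(?:\.\d{1,3}){3}/\d+) requesting (?P<file>\S+)$")
# "PP: Client <iface>:<ip>/<port> retransmitting request for Config file <file>"
RETRANSMIT_RE = re.compile(
    r"^PP: Client (?P<iface>[^:\s]+):(?P<client>\d{1,3}(?:\.\d{1,3}){3}/\d+) "
    r"retransmitting request for Config file (?P<file>\S+)$")


def parse_pp_debug(text):
    """Return (kind, client, file) tuples for request/retransmit lines.

    kind is "request" or "retransmit"; other PP: lines such as "opened 0x..." are skipped.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = REQUEST_RE.match(line)
        if m:
            events.append(("request", m.group("client"), m.group("file")))
            continue
        m = RETRANSMIT_RE.match(line)
        if m:
            events.append(("retransmit", m.group("client"), m.group("file")))
    return events


def unsigned_requests(events):
    """(client, file) pairs where a phone asked for a file without the .sgn
    extension. A phone behind the phone proxy should always request the signed
    file, so any hit here is the unsigned-file problem described in the text."""
    return sorted({(client, fname) for kind, client, fname in events
                   if kind == "request" and not fname.lower().endswith(".sgn")})


def retransmit_counts(events):
    """Number of retransmitted requests per (client, file)."""
    return Counter((client, fname) for kind, client, fname in events
                   if kind == "retransmit")


def stalled_downloads(events, threshold=2):
    """(client, file) pairs retransmitted at least `threshold` times, i.e. a phone
    that keeps asking for the same configuration file and never completes it."""
    return sorted(key for key, n in retransmit_counts(events).items()
                  if n >= threshold)


if __name__ == "__main__":
    ev = parse_pp_debug(SAMPLE_PP_DEBUG)
    print("unsigned requests:", unsigned_requests(ev))
    print("stalled downloads:", stalled_downloads(ev))
```

Feed it the captured debug text instead of the constructed sample; a non-empty "stalled" list for a remote phone is the point at which the router port-forwarding check in the step above applies, and a non-empty "unsigned" list points at the phone's TFTP/CTL state rather than at the ASA.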
Make sure that each media-termination instance is created correctly and that the address or addresses are set correctly. The ASA must meet specific criteria for media termination. See Media Termination Instance Prerequisites, page 16-6 for the complete list of prerequisites that you must follow when creating the media termination instance and configuring the media termination addresses.

b. Verify that the list of installed certificates contains all required certificates for the phone proxy. See Table 16-2, Certificates Required by the Security Appliance for the Phone Proxy, for information.
c. Import any missing certificates onto the ASA. See also Importing Certificates from the Cisco UCM, page 16-15.

Step 4
SSL Handshake Failure

Problem The phone proxy is not functioning. Initial troubleshooting uncovered the following errors in the ASA syslogs:

%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: ssl handshake failure
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_CERTIFICATE Reason: no certificate returned
%ASA-6-725006: Device failed SSL handshake with outside client:72.146.123.

[3des-sha1] [des-sha1] [rc4-md5] [possibly others]

See the command reference for more information about setting ciphers with the ssl encryption command.

Certificate Validation Errors

Problem Errors in the ASA log indicate that certificate validation errors occurred. Entering the show logging asdm command displayed the following errors:

3|Jun 19 2008 17:23:54|717009: Certificate validation failed.
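The two problem entries above are identified by syslog message IDs (725014, 725006 and 717009). The following classifier, added here as an example and not Cisco's or the ASA's own code, parses both the raw %ASA-sev-id form and the "sev|timestamp|id" form printed by show logging asdm, maps each line to one of the troubleshooting buckets the text describes, and lists the clients named in "Device failed SSL handshake" messages. The sample excerpt is constructed from the messages quoted above; the client address 203.0.113.7/51234 and the 302013 connection line are made up, and the bucket-to-cause mapping only restates what the two entries say (cipher list for handshake failures, required CA certificates for validation failures).

```python
import re
from collections import Counter

# Constructed syslog excerpt modelled on the troubleshooting entries. Only the
# message IDs 725014, 725006 and 717009 come from the text; the client address
# 203.0.113.7 and the 302013 "Built inbound TCP connection" line are constructed.
SAMPLE_SYSLOG = """\
%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: ssl handshake failure
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_CERTIFICATE Reason: no certificate returned
%ASA-6-725006: Device failed SSL handshake with outside client:203.0.113.7/51234
3|Jun 19 2008 17:23:54|717009: Certificate validation failed.
6|Jun 19 2008 17:23:55|302013: Built inbound TCP connection 12 for outside:203.0.113.7/51235 (203.0.113.7/51235) to inside:192.0.2.101/2443 (10.10.0.24/2443)
"""

# Raw "%ASA-<sev>-<id>: text" lines and the "<sev>|<timestamp>|<id>: text"
# lines shown by "show logging asdm".
SYSLOG_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
ASDM_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]*)\|(?P<msgid>\d{6}): (?P<text>.*)$")
CLIENT_RE = re.compile(r"client:(?P<client>\d{1,3}(?:\.\d{1,3}){3}/\d+)")


def parse_line(line):
    """Return (severity, msgid, text), or None for a line in neither format."""
    for rx in (SYSLOG_RE, ASDM_RE):
        m = rx.match(line.strip())
        if m:
            return int(m.group("sev")), m.group("msgid"), m.group("text")
    return None


def classify(line):
    """Map a line to a phone proxy troubleshooting bucket, or None.

    no_client_certificate  725014 with "no certificate returned": the phone did not
                           present a certificate (MIC/LSC) in the handshake
    tls_handshake_failure  other 725014 errors and 725006: the TLS handshake with the
                           phone failed; compare the ssl encryption cipher list
    certificate_validation 717009: a presented certificate could not be validated
                           against the CA certificates installed on the ASA
    """
    parsed = parse_line(line)
    if parsed is None:
        return None
    _sev, msgid, text = parsed
    if msgid == "725014":
        return "no_client_certificate" if "no certificate returned" in text \
            else "tls_handshake_failure"
    if msgid == "725006":
        return "tls_handshake_failure"
    if msgid == "717009":
        return "certificate_validation"
    return None


def summarize(text):
    """Count classified lines per bucket for a whole excerpt."""
    return Counter(b for b in map(classify, text.splitlines()) if b is not None)


def failed_handshake_clients(text):
    """Client addresses named in 725006 'Device failed SSL handshake' messages."""
    clients = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == "725006":
            m = CLIENT_RE.search(parsed[2])
            if m:
                clients.append(m.group("client"))
    return clients


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_SYSLOG)))
    print(failed_handshake_clients(SAMPLE_SYSLOG))
```

Run summarize over the buffered log (logging buffered must be enabled first, as the show logging note above says); a phone that shows up under no_client_certificate is missing its MIC or LSC, while tls_handshake_failure without that reason points at the cipher list on the ssl encryption command.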
phone-proxy mypp
 media-termination address 10.10.0.25
 cipc security-mode authenticated
 cluster-mode mixed
 disable service-settings
 timeout secure-phones 0:05:00
hostname(config)#

Make sure that each media-termination instance is created correctly and that the address or addresses are set correctly. The ASA must meet specific criteria for media termination.

The SAST keys can be seen via the show crypto key mypubkey rsa command. The SAST keys are associated with a trustpoint that is labeled _internal_ctl-file-name_SAST_X, where ctl-file-name is the name of the CTL file instance that was configured, and X is an integer from 0 to N-1, where N is the number of SASTs configured for the CTL file (the default is 2).

mGF/hfDDNAICBAA=
hostname(config)# quit
INFO: Import PKCS12 operation completed successfully
hostname(config)#

Step 3 Create the CTL file instance on the new ASA using the same name as the one used in the SAST trustpoints created in Step 2 by entering the following commands. Create trustpoints for each Cisco UCM (primary and secondary).
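The SAST naming rule above and the requirement in Step 3 that the CTL file on the new ASA reuse the name embedded in the imported SAST trustpoints can be checked mechanically. The helper below is an added example, not Cisco's or the ASA's code: it derives the expected labels for a CTL file name (_internal_<ctl-file-name>_SAST_0 .. _SAST_(N-1), plus the _internal_PP_<ctl-file-name> server trustpoint referenced in the TLS proxy configuration earlier in this chapter) and compares them with a list of trustpoint labels read off the appliance. The label list is constructed for the example; the show command's output format is not parsed here.

```python
import re

# Label shape stated in the troubleshooting text: _internal_<ctl-file-name>_SAST_<X>
SAST_RE = re.compile(r"^_internal_(?P<ctl>.+)_SAST_(?P<idx>\d+)$")

# Constructed list of trustpoint labels, as an administrator might copy them
# from the ASA. "oldctl" stands for a CTL file name from a previous ASA.
SAMPLE_LABELS = [
    "_internal_myctl_SAST_0",
    "_internal_oldctl_SAST_0",
    "_internal_oldctl_SAST_1",
    "_internal_PP_myctl",
    "ldc_server",
]


def expected_sast_trustpoints(ctl_name, sast_count=2):
    """Labels the phone proxy uses for the SASTs of a CTL file instance
    (X runs from 0 to N-1; N defaults to 2 as the text states)."""
    if sast_count < 1:
        raise ValueError("a CTL file has at least one SAST")
    return [f"_internal_{ctl_name}_SAST_{i}" for i in range(sast_count)]


def expected_pp_trustpoint(ctl_name):
    """Internal server trustpoint referenced by 'server trust-point' in the TLS proxy."""
    return f"_internal_PP_{ctl_name}"


def ctl_name_from_sast(label):
    """Recover (ctl-file-name, X) from a SAST trustpoint label, or None."""
    m = SAST_RE.match(label)
    if not m:
        return None
    return m.group("ctl"), int(m.group("idx"))


def check_trustpoints(ctl_name, labels, sast_count=2):
    """Compare the labels present on an ASA with those a CTL file named
    ctl_name should have.

    Returns the missing SAST labels, any SAST labels that belong to a
    differently named CTL file (the mismatch that appears when the CTL file is
    recreated on a new ASA under another name), and whether the PP trustpoint exists.
    """
    present = set(labels)
    missing = [t for t in expected_sast_trustpoints(ctl_name, sast_count)
               if t not in present]
    foreign = []
    for label in sorted(present):
        parsed = ctl_name_from_sast(label)
        if parsed is not None and parsed[0] != ctl_name:
            foreign.append(label)
    return {
        "missing": missing,
        "foreign": foreign,
        "pp_present": expected_pp_trustpoint(ctl_name) in present,
    }


if __name__ == "__main__":
    print(check_trustpoints("myctl", SAMPLE_LABELS))
```

An empty "missing" list together with an empty "foreign" list is the state the migration procedure aims for: every SAST key imported in Step 2 is labelled with the same CTL file name that Step 3 creates.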
Configuration Examples for the Phone Proxy

Figure 16-2 Nonsecure Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher
[Figure: corporate network with Cisco UCM+TFTP at 192.0.2.101 and IP Phone A at 192.0.2.16 behind the ASA inside interface 192.0.2.1; ASA outside interface 10.10.0.24; remote phones behind home routers with NAT at Comcast addresses 69.181.112.219 and 98.208.49.30; the Cisco UCM cluster is in nonsecure mode.]

object network obj-192.0.2.

Example 2: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher

Figure 16-3 shows an example of the configuration for a mixed-mode Cisco UCM cluster using the following topology.

Figure 16-3 Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher
[Figure: corporate network with Cisco UCM+TFTP at 192.0.2.101; home router with NAT at Comcast address 69.181.112.219; ASA outside interface 10.10.0.

 address 10.10.0.25 interface outside
phone-proxy mypp
 media-termination my_mediaterm
 tftp-server address 192.0.2.

 host 192.0.2.101
 nat (inside,outside) static interface udp 69 69
access-list pp extended permit udp any host 10.10.0.

Figure 16-5 Mixed-mode Cisco UCM cluster, Primary Cisco UCM, Secondary Cisco UCM, and TFTP Server on Different Servers
[Figure: Primary Cisco UCM 192.0.2.105, Secondary Cisco UCM 192.0.2.106 and TFTP/Publisher 192.0.2.101 on the corporate network with IP Phone A 192.0.2.102; ASA inside interface 192.0.2.24, outside interface 10.10.0.24; home router with NAT at Comcast address 98.208.49.30; IP Phone B 192.0.2.

crypto ca trustpoint ldc_server
 enrollment self
 proxy-ldc-issuer
 fqdn my-ldc-ca.example.com
 subject-name cn=FW_LDC_SIGNER_172_23_45_200
 keypair ldc_signer_key
crypto ca enroll ldc_server
tls-proxy my_proxy
 server trust-point _internal_PP_myctl
 client ldc issuer ldc_server
 client ldc keypair phone_common
 client cipher-suite aes128-sha1 aes256-sha1
media-termination my_mediaterm
 address 192.0.2.

Figure 16-6 LSC Provisioning in Mixed-mode Cisco UCM cluster; Cisco UCM and TFTP Server on Publisher
[Figure: TFTP server 192.0.2.101 and IP Phone A 192.0.2.102 on the corporate network; ASA inside interface 192.0.2.24, outside interface 10.10.0.24; remote phones behind home routers with NAT at Comcast addresses 98.208.49.30 and 69.181.112.219; Phone B 192.0.2.103.]

object network obj-192.0.2.

 server trust-point _internal_PP_myctl
 client ldc issuer ldc_server
 client ldc keypair phone_common
 client cipher-suite aes128-sha1 aes256-sha1
media-termination my_mediaterm
 address 192.0.2.25 interface inside
 address 10.10.0.25 interface outside
phone-proxy mypp
 media-termination my_mediaterm
 tftp-server address 192.0.2.

Figure 16-7 VLAN Transversal Between CIPC Softphones on the Data VLAN and Hard Phones on the Voice VLAN
[Figure: Cisco UCM + TFTP server 192.0.2.101 on the corporate voice VLAN; ASA data VLAN interface 10.10.0.24 and inside interface 10.130.50.24; Cisco IPC softphones 10.130.50.10, 10.130.50.11 and 10.130.50.12 on the corporate data VLAN.]

object network obj-10.130.50.0
 subnet 10.130.50.0 255.255.

 class sec_sip
  inspect sip phone-proxy mypp
service-policy pp_policy interface data

Feature History for the Phone Proxy

Table 16-7 lists the release history for this feature.

Table 16-7 Feature History for Cisco Phone Proxy
Feature Name: Cisco Phone Proxy
Releases: 8.0(4)
Feature Information: The phone proxy feature was introduced. The following new commands were introduced.
Chapter 17 Configuring the TLS Proxy for Encrypted Voice Inspection

This chapter describes how to configure the ASA for the TLS Proxy for Encrypted Voice Inspection feature.

Information about the TLS Proxy for Encrypted Voice Inspection

The security appliance acts as a TLS proxy between the Cisco IP Phone and Cisco UCM. The proxy is transparent for the voice calls between the phone and the Cisco UCM.

• Cisco Unified IP Phone 7941G-GE
• Cisco Unified IP Phone 7940
• Cisco Unified Wireless IP Phone 7921
• Cisco Unified Wireless IP Phone 7925
• Cisco IP Communicator (CIPC) for softphones

CTL Client Overview

The CTL Client application supplied by Cisco Unified CallManager Release 5.1 and later supports a TLS proxy server (firewall) in the CTL file.

Figure 17-2 CTL Client TLS Proxy Features — ASA IP Address or Domain Name
Figure 17-2 shows support for entering the security appliance IP address or domain name in the CTL Client.

Figure 17-3 CTL Client TLS Proxy Features — CTL Entry for ASA
Figure 17-3 shows that the CTL entry for the security appliance as the TLS proxy has been added.

Licensing for the TLS Proxy

Figure 17-4 CTL Client TLS Proxy Features — CTL File Installed on the ASA
The security appliance does not store the raw CTL file in flash; rather, it parses the CTL file and installs the appropriate trustpoints. Figure 17-4 indicates the installation was successful.

Model / License Requirement (1)
ASA 5580: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, or 10,000 sessions. (2)
ASA 5512-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5515-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5525-X: Base License: 2 sessions.

2. With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.

Table 17-1 shows the default and maximum TLS session details by platform.

Prerequisites for the TLS Proxy for Encrypted Voice Inspection
Chapter 17 Configuring the TLS Proxy for Encrypted Voice Inspection Configuring the TLS Proxy for Encrypted Voice Inspection • Creating Trustpoints and Generating Certificates, page 17-9 • Creating an Internal CA, page 17-10 • Creating a CTL Provider Instance, page 17-11 • Creating the TLS Proxy Instance, page 17-12 • Enabling the TLS Proxy Instance for Skinny or SIP Inspection, page 17-13 Task flow for Configuring the TLS Proxy for Encrypted Voice Inspection To configure the security appliance
Chapter 17 Configuring the TLS Proxy for Encrypted Voice Inspection Configuring the TLS Proxy for Encrypted Voice Inspection Step 8 Run the CTL Client application to add the server proxy certificate (ccm_proxy) to the CTL file and install the CTL file on the security appliance. See the Cisco Unified CallManager document for information on how to configure and use CTL Client: http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/5_1/nci/p08/secuauth.
Chapter 17 Configuring the TLS Proxy for Encrypted Voice Inspection Configuring the TLS Proxy for Encrypted Voice Inspection Step 5 Command Purpose ciscoasa(config-ca-trustpoint)# subject-name X.500_name Example: ciscoasa(config-ca-trustpoint)# subject-name cn=EJW-SV-1-Proxy Includes the indicated subject DN in the certificate during enrollment. Cisco IP Phones require certain fields of the X.509v3 certificate to be present so that they can validate the certificate by consulting the CTL file.
Chapter 17 Configuring the TLS Proxy for Encrypted Voice Inspection Configuring the TLS Proxy for Encrypted Voice Inspection Step 3 Command Purpose ciscoasa(config-ca-trustpoint)# proxy-ldc-issuer Issues TLS proxy local dynamic certificates. The proxy-ldc-issuer command grants a crypto trustpoint the role as local CA to issue the LDC and can be accessed from crypto ca trustpoint configuration mode.
Chapter 17 Configuring the TLS Proxy for Encrypted Voice Inspection Configuring the TLS Proxy for Encrypted Voice Inspection Command Purpose Step 1 ciscoasa(config)# ctl-provider ctl_name Example: ciscoasa(config)# ctl-provider my_ctl Enters the CTL provider configuration mode so that you can create the Certificate Trust List provider instance. Step 2 ciscoasa(config-ctl-provider)# client interface if_name ipv4_addr Example: ciscoasa(config-ctl-provider)# client interface inside address 172.23.45.
Chapter 17 Configuring the TLS Proxy for Encrypted Voice Inspection Configuring the TLS Proxy for Encrypted Voice Inspection Command Purpose Step 1 ciscoasa(config)# tls-proxy proxy_name Example: ciscoasa(config)# tls-proxy my_proxy Creates the TLS proxy instance. Step 2 ciscoasa(config-tlsp)# server trust-point proxy_trustpoint Example: ciscoasa(config-tlsp)# server trust-point ccm_proxy Specifies the proxy trustpoint certificate to present during TLS handshake.
Chapter 17 Configuring the TLS Proxy for Encrypted Voice Inspection Configuring the TLS Proxy for Encrypted Voice Inspection Step 1 Command Purpose hostname(config)# class-map class_map_name Example: ciscoasa(config)# class-map sec_skinny Configures the secure Skinny class of traffic to inspect. Where class_map_name is the name of the Skinny class map.
Chapter 17 Configuring the TLS Proxy for Encrypted Voice Inspection Monitoring the TLS Proxy Monitoring the TLS Proxy You can enable TLS proxy debug flags along with SSL syslogs to debug TLS proxy connection problems.
Chapter 17 Configuring the TLS Proxy for Encrypted Voice Inspection Monitoring the TLS Proxy
Apr 17 2007 23:13:47: %ASA-7-711001: TLSP cbad5120: Data channel ready for the Client
Apr 17 2007 23:13:47: %ASA-7-725013: SSL Server inside:195.168.2.201/5061 choose cipher : AES128-SHA
Apr 17 2007 23:13:47: %ASA-7-717025: Validating certificate chain containing 1 certificate(s).
Apr 17 2007 23:13:47: %ASA-7-717029: Identified client certificate within certificate chain.
Chapter 17 Configuring the TLS Proxy for Encrypted Voice Inspection Feature History for the TLS Proxy for Encrypted Voice Inspection
Public Key Type: RSA (1024 bits)
Issuer Name: cn=TLS-Proxy-Signer
Subject Name: cn=SEP0002B9EB0AAD o=Cisco Systems Inc c=US
Validity Date:
 start date: 09:25:41 PDT Apr 16 2007
 end date: 09:25:41 PDT Apr 15 2008
Associated Trustpoints:
outside 133.9.0.218:49159 inside 195.168.2.
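The syslog lines and the certificate block above are what an operator has to read when a TLS proxy session misbehaves. The following Python is an added example, not code from the Cisco guide: it parses those two outputs and turns them into review findings (a weak negotiated cipher, a short RSA key, a certificate outside its validity window). The sample input is reconstructed from the fragments on this page; the weak-cipher token list, the 2048-bit threshold and the dropped time zone are assumptions, not values from the guide.

```python
"""Added example, not part of the Cisco guide: parse the TLS proxy syslog
lines and the certificate block printed above and turn them into review
findings: a weak negotiated cipher, a short RSA key, a certificate outside
its validity window. The sample input is reconstructed from the fragments
on this page; the weak-cipher tokens, the 2048-bit threshold and the
dropped time zone are assumptions, not values from the guide."""
import re
from datetime import datetime

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$")
CIPHER_RE = re.compile(
    r"SSL (?P<role>Server|Client) (?P<peer>\S+) choose cipher : (?P<cipher>\S+)")
KEY_RE = re.compile(r"Public Key Type:\s*RSA \((?P<bits>\d+) bits\)")
DATE_RE = re.compile(r"(start|end) date:\s*(\d{2}:\d{2}:\d{2}) \w+ (\w{3} \d{1,2} \d{4})")

WEAK_CIPHER_TOKENS = ("RC4", "DES", "EXP", "NULL", "MD5")  # assumption
MIN_RSA_BITS = 2048  # assumption

# Constructed from the syslog lines shown above (message IDs are the real ASA IDs).
SAMPLE_SYSLOG = """\
Apr 17 2007 23:13:47: %ASA-7-711001: TLSP cbad5120: Data channel ready for the Client
Apr 17 2007 23:13:47: %ASA-7-725013: SSL Server inside:195.168.2.201/5061 choose cipher : AES128-SHA
Apr 17 2007 23:13:47: %ASA-7-717025: Validating certificate chain containing 1 certificate(s).
Apr 17 2007 23:13:47: %ASA-7-717029: Identified client certificate within certificate chain.
"""
# Constructed extra line with a deliberately weak suite, to exercise the check.
WEAK_LINE = "Apr 17 2007 23:14:02: %ASA-7-725013: SSL Client outside:203.0.113.7/5061 choose cipher : RC4-SHA\n"
# Constructed from the 'show tls-proxy session detail' certificate block above.
SAMPLE_CERT = """\
Public Key Type: RSA (1024 bits)
Issuer Name: cn=TLS-Proxy-Signer
Subject Name: cn=SEP0002B9EB0AAD o=Cisco Systems Inc c=US
Validity Date: start date: 09:25:41 PDT Apr 16 2007 end date: 09:25:41 PDT Apr 15 2008
"""


def parse_syslog(text):
    """Return one dict per well-formed %ASA line: ts, sev, id, msg."""
    return [m.groupdict() for m in map(SYSLOG_RE.match, text.splitlines()) if m]


def negotiated_ciphers(events):
    """(role, peer, cipher) for every 725013 'choose cipher' event."""
    out = []
    for ev in events:
        m = CIPHER_RE.search(ev["msg"]) if ev["id"] == "725013" else None
        if m:
            out.append((m["role"], m["peer"], m["cipher"]))
    return out


def parse_cert(text):
    """Extract RSA key size and validity window (time zone is ignored)."""
    info = {}
    m = KEY_RE.search(text)
    if m:
        info["rsa_bits"] = int(m["bits"])
    for which, clock, day in DATE_RE.findall(text):
        info[which] = datetime.strptime(f"{day} {clock}", "%b %d %Y %H:%M:%S")
    return info


def audit(syslog_text, cert_text, now="2007-06-01"):
    """Review findings for a TLS proxy session; 'now' is an ISO date used for the validity check."""
    now_dt = datetime.fromisoformat(now)
    findings = []
    for role, peer, cipher in negotiated_ciphers(parse_syslog(syslog_text)):
        if any(tok in cipher.upper() for tok in WEAK_CIPHER_TOKENS):
            findings.append(f"weak cipher {cipher} negotiated as {role} with {peer}")
    cert = parse_cert(cert_text)
    if cert.get("rsa_bits", MIN_RSA_BITS) < MIN_RSA_BITS:
        findings.append(f"RSA key is {cert['rsa_bits']} bits (< {MIN_RSA_BITS})")
    if "start" in cert and now_dt < cert["start"]:
        findings.append(f"certificate not yet valid until {cert['start']:%Y-%m-%d}")
    if "end" in cert and now_dt > cert["end"]:
        findings.append(f"certificate expired {cert['end']:%Y-%m-%d}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SYSLOG + WEAK_LINE, SAMPLE_CERT, "2014-03-31"):
        print("-", f)
```

Run against the page's own sample with a 2007 clock, the only finding is the 1024-bit LDC key; with a later clock the expired phone certificate is reported as well, which is the first thing to check when a phone that used to register through the proxy stops doing so.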
Chapter 18 Configuring Cisco Mobility Advantage
This chapter describes how to configure the ASA for Cisco Unified Communications Mobility Advantage Proxy features.
Chapter 18 Configuring Cisco Mobility Advantage Information about the Cisco Mobility Advantage Proxy Feature The TCP/TLS default port is 5443. There are no embedded NAT or secondary connections. Cisco UMA client and server communications can be proxied via TLS: the ASA decrypts the data, passes it to the inspect MMP module, and re-encrypts the data before forwarding it to the endpoint. The inspect MMP module verifies the integrity of the MMP headers and passes the OML/HTTP to an appropriate handler.
Configuring Cisco Mobility Advantage Information about the Cisco Mobility Advantage Proxy Feature Figure 18-1 Security Appliance as Firewall with Mobility Advantage Proxy and MMP Inspection. [Figure: a Cisco UMC client on the mobile data network (GPRS data channel) or the PSTN reaches the ASA, which acts as firewall and TLS proxy with MMP/SSL/TLS on both legs, in front of the enterprise services network 10.1.1.0/24 (Active Directory, Exchange, Cisco Unified Presence) and the Cisco UMA server cuma.example.com at 10.1.1.2, port 5443; the outside network is 192.0.2.0/24.]
Chapter 18 Configuring Cisco Mobility Advantage Information about the Cisco Mobility Advantage Proxy Feature Figure 18-2 Cisco UMC/Cisco UMA Architecture – Scenario 2: Security Appliance as Mobility Advantage Proxy Only. [Figure: the Cisco UMC client connects over the Internet to cuma.example.com (192.0.2.41); the ASA sits in the DMZ between the ISP gateway and the corporate firewall, with its outside interface on 192.0.2.41/24 and the Cisco UMA server at 172.16.27.41 (DMZ routable) on the internal network.]
Chapter 18 Configuring Cisco Mobility Advantage Information about the Cisco Mobility Advantage Proxy Feature Trust Relationships for Cisco UMA Deployments To establish a trust relationship between the Cisco UMC client and the ASA, the ASA uses the Cisco UMA server certificate and keypair or the ASA obtains a certificate with the Cisco UMA server FQDN (certificate impersonation).
Chapter 18 Configuring Cisco Mobility Advantage Licensing for the Cisco Mobility Advantage Proxy Feature Figure 18-4 How the Security Appliance Represents Cisco UMA – Certificate Impersonation. [Figure: the ASA enrolls with a third-party CA using the FQDN of Cisco UMA; the Cisco UMC client's TLS session terminates on the ASA certificate carrying the Cisco UMA FQDN (key 1), the traffic is inspected and modified if needed, and the ASA's TLS session to Cisco UMA uses a self-signed certificate or one from the local CA (key 2).] A trusted relationship between the ASA and the Cisco UMA se
Chapter 18 Configuring Cisco Mobility Advantage Configuring Cisco Mobility Advantage • Enabling the TLS Proxy for MMP Inspection, page 18-9 Task Flow for Configuring Cisco Mobility Advantage To configure for the ASA to perform TLS proxy and MMP inspection as shown in Figure 18-1 and Figure 18-2, perform the following tasks. It is assumed that self-signed certificates are used between the ASA and the Cisco UMA server.
Chapter 18 Configuring Cisco Mobility Advantage Configuring Cisco Mobility Advantage Step 1 Command Purpose hostname(config)# crypto ca trustpoint trustpoint_name Example: hostname(config)# crypto ca trustpoint cuma_server Enters the trustpoint configuration mode for the specified trustpoint so that you can create the trustpoint for the Cisco UMA server. A trustpoint represents a CA identity and possibly a device identity, based on a certificate issued by the CA.
Chapter 18 Configuring Cisco Mobility Advantage Configuring Cisco Mobility Advantage Step 3 Command Purpose hostname(config-tlsp)# client trust-point proxy_name Example: hostname(config-tlsp)# client trust-point cuma_proxy Specifies the trustpoint and associated certificate that the ASA uses in the TLS handshake when the ASA assumes the role of the TLS client. The certificate must be owned by the ASA (identity certificate).
Chapter 18 Configuring Cisco Mobility Advantage Monitoring for Cisco Mobility Advantage Command Purpose Step 6 hostname(config-pmap)# inspect mmp tls-proxy proxy_name Example: hostname(config-pmap)# inspect mmp tls-proxy cuma_proxy Enables MMP application inspection for the class and associates it with the specified TLS proxy instance, so that the ASA decrypts, inspects, and re-encrypts the MMP traffic. Step 7 hostname(config-pmap)# exit Exits from the Policy Map configuration mode.
Chapter 18 Configuring Cisco Mobility Advantage Configuration Examples for Cisco Mobility Advantage Configuration Examples for Cisco Mobility Advantage • Example 1: Cisco UMC/Cisco UMA Architecture – Security Appliance as Firewall with TLS Proxy and MMP Inspection, page 18-11 • Example 2: Cisco UMC/Cisco UMA Architecture – Security Appliance as TLS Proxy Only, page 18-12 This section describes sample configurations that apply to two deployment scenarios for the TLS proxy used by the Cisco Mobility Adv
Chapter 18 Configuring Cisco Mobility Advantage Configuration Examples for Cisco Mobility Advantage
object network obj-10.1.1.2-01
 host 10.1.1.2
 nat (inside,outside) static 192.0.2.140
crypto ca import cuma_proxy pkcs12 sample_passphrase
quit
! for CUMA server’s self-signed certificate
crypto ca trustpoint cuma_server
 enrollment terminal
crypto ca authenticate cuma_server
Enter the base 64 encoded CA certificate.
Configuring Cisco Mobility Advantage Configuration Examples for Cisco Mobility Advantage Figure 18-6 Cisco UMC/Cisco UMA Architecture – Scenario 2: Security Appliance as TLS Proxy Only. [Figure: the same topology as Figure 18-2: the Cisco UMC client connects over the Internet to cuma.example.com (192.0.2.41); the ASA in the DMZ, between the ISP gateway and the corporate firewall, has its outside interface (eth0) on 192.0.2.41/24 and reaches the Cisco UMA server at 172.16.27.41 (DMZ routable) on the internal network.]
Chapter 18 Configuring Cisco Mobility Advantage Feature History for Cisco Mobility Advantage
tls-proxy cuma_proxy
 server trust-point cuma_proxy
 no server authenticate-client
 client cipher-suite aes128-sha1 aes256-sha1
class-map cuma_proxy
 match port tcp eq 5443
policy-map global_policy
 class cuma_proxy
  inspect mmp tls-proxy cuma_proxy
service-policy global_policy global
Feature History for Cisco Mobility Advantage
Table 18-1 lists the release history for this feature.
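The Mobility Advantage example above wires four things together (a TLS proxy instance, a class map on port 5443, a policy map action, and the global service policy) and deliberately turns off client certificate authentication because Cisco UMC clients do not present certificates. Mistakes in that wiring fail silently. The following Python is an added example, not code from the Cisco guide: it parses an ASA-style configuration transcript (one space of indentation per nesting level), checks that every inspect mmp action points at a defined tls-proxy whose class map matches traffic and whose policy map is applied, and lists the settings a reviewer would want called out: a disabled client certificate check, weak cipher suites, and short RSA moduli such as the modulus 1024 used in this guide's keypair examples. The weak-suite list, the 2048-bit threshold and the second, deliberately broken sample are assumptions and constructions for the example.

```python
"""Added example, not part of the Cisco guide: a small audit of the TLS proxy
configuration shown above. It parses an ASA-style configuration transcript
(one-space indentation per nesting level), checks that every 'inspect mmp
tls-proxy' action refers to a defined tls-proxy whose class-map matches
something and whose policy-map is applied, and flags settings a reviewer
would look at: weak cipher suites, a disabled client-certificate check, and
short RSA moduli. Thresholds and the weak-suite list are assumptions, not
values from the guide."""

WEAK_SUITES = {"des-sha1", "null-sha1", "rc4-md5", "rc4-sha1", "3des-sha1"}  # assumption
MIN_MODULUS = 2048  # assumption: current practice; the guide's examples use 1024

# Constructed from the Mobility Advantage example above plus the keypair step.
SAMPLE_CONFIG = """\
crypto key generate rsa label cuma_proxy_key modulus 1024
tls-proxy cuma_proxy
 server trust-point cuma_proxy
 no server authenticate-client
 client cipher-suite aes128-sha1 aes256-sha1
class-map cuma_proxy
 match port tcp eq 5443
policy-map global_policy
 class cuma_proxy
  inspect mmp tls-proxy cuma_proxy
service-policy global_policy global
"""

# Constructed negative case: weak suite, dangling tls-proxy reference, policy never applied.
SAMPLE_BROKEN = """\
tls-proxy weak_proxy
 server trust-point cuma_proxy
 client cipher-suite rc4-sha1 aes128-sha1
class-map cuma_proxy
 match port tcp eq 5443
policy-map global_policy
 class cuma_proxy
  inspect mmp tls-proxy missing_proxy
"""


def parse_blocks(text):
    """Turn indented config lines into a tree of {'line', 'children'} nodes."""
    root, stack = [], [(-1, None)]
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        node = {"line": raw.strip(), "children": []}
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        (root if parent is None else parent["children"]).append(node)
        stack.append((indent, node))
    return root


def audit_config(text):
    """Return human-readable findings for the TLS proxy / MMP inspection wiring."""
    tree = parse_blocks(text)
    findings, proxies, class_maps, applied = [], {}, {}, set()
    for node in tree:
        w = node["line"].split()
        if w[:3] == ["crypto", "key", "generate"] and "modulus" in w:
            bits = int(w[w.index("modulus") + 1])
            if bits < MIN_MODULUS:
                findings.append(f"RSA modulus {bits} < {MIN_MODULUS}: {node['line']}")
        elif w[0] == "tls-proxy":
            name, lines = w[1], [c["line"] for c in node["children"]]
            proxies[name] = lines
            if not any(l.startswith("server trust-point") for l in lines):
                findings.append(f"tls-proxy {name}: no server trust-point")
            if "no server authenticate-client" in lines:
                findings.append(f"tls-proxy {name}: client certificate authentication disabled (review)")
            for l in lines:
                if l.split()[1:2] == ["cipher-suite"]:
                    weak = WEAK_SUITES.intersection(l.split()[2:])
                    if weak:
                        findings.append(f"tls-proxy {name}: weak cipher suite(s) {sorted(weak)}")
        elif w[0] == "class-map":
            class_maps[w[1]] = [c["line"] for c in node["children"]]
        elif w[0] == "service-policy":
            applied.add(w[1])
    for node in tree:  # second pass: policy wiring, now that proxies and classes are known
        w = node["line"].split()
        if w[0] != "policy-map":
            continue
        pmap = w[1]
        if pmap not in applied:
            findings.append(f"policy-map {pmap}: not applied by any service-policy")
        for cls in node["children"]:
            cw = cls["line"].split()
            if cw[0] != "class":
                continue
            if not any(m.startswith("match ") for m in class_maps.get(cw[1], [])):
                findings.append(f"{pmap}/{cw[1]}: class-map matches no traffic")
            for act in cls["children"]:
                aw = act["line"].split()
                if aw[:2] == ["inspect", "mmp"] and "tls-proxy" in aw:
                    pname = aw[aw.index("tls-proxy") + 1]
                    if pname not in proxies:
                        findings.append(f"{pmap}/{cw[1]}: undefined tls-proxy {pname}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("guide sample", SAMPLE_CONFIG), ("broken sample", SAMPLE_BROKEN)):
        print(name)
        for f in audit_config(cfg):
            print("  -", f)
```

On the guide's own example the audit reports only the two expected review items (the disabled client certificate check, which is intentional for UMC clients, and the 1024-bit key); on the broken sample it catches the weak suite, the policy map that is never applied, and the inspect action pointing at a proxy that does not exist, all of which the ASA accepts without complaint.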
Chapter 19 Configuring Cisco Unified Presence
This chapter describes how to configure the adaptive security appliance for Cisco Unified Presence.
Chapter 19 Configuring Cisco Unified Presence Information About Cisco Unified Presence Figure 19-1 Typical Cisco Unified Presence/LCS Federation Scenario. [Figure: Enterprise X's private network (Cisco UCM, Cisco UP (UK), Cisco UP (HK), Cisco UP (US), AD, Orative (Ann), IPPM (Ann), routing) sits behind an ASA with inside and outside interfaces acting as proxy (8.0.4) for Cisco UP, with 192.0.2.1 on the outside; SIP is exchanged over the Internet with Enterprise Y's DMZ, which fronts Enterprise Y's private network.]
Configuring Cisco Unified Presence Information About Cisco Unified Presence ciscoasa(config-network-object)# nat (inside,outside) static 192.0.2.1 service tcp 5060 5060 For another Cisco UP with the address 10.0.0.
Chapter 19 Configuring Cisco Unified Presence Information About Cisco Unified Presence http://www.cisco.com/en/US/products/ps6837/products_installation_and_configuration_guides_list.html Trust Relationship in the Presence Federation Within an enterprise, a trust relationship can be set up with self-signed certificates or with an internal CA. Establishing a trust relationship across enterprises or across administrative domains is key for federation.
Chapter 19 Configuring Cisco Unified Presence Information About Cisco Unified Presence Security Certificate Exchange Between Cisco UP and the Security Appliance You need to generate the keypair for the certificate (such as cup_proxy_key) used by the ASA, and configure a trustpoint to identify the self-signed certificate sent by the ASA to Cisco UP (such as cup_proxy) in the TLS handshake.
Chapter 19 Configuring Cisco Unified Presence Information About Cisco Unified Presence For further information about configuring Cisco Unified Presence Federation for XMPP Federation, see the Integration Guide for Configuring Cisco Unified Presence Release 8.0 for Interdomain Federation: http://www.cisco.com/en/US/products/ps6837/products_installation_and_configuration_guides_list.html Configuration Requirements for XMPP Federation For XMPP Federation, the ASA acts as a firewall only.
Chapter 19 Configuring Cisco Unified Presence Licensing for Cisco Unified Presence
nat (inside,outside) source static obj_host_ obj_host_ service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_ obj_host_ service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269
nat (inside,outside) source static obj_host_ obj_host_ service obj_udp_source_eq_5269 obj_udp_source_eq_5269
n
Chapter 19 Configuring Cisco Unified Presence Configuring Cisco Unified Presence Proxy for SIP Federation
Model: License Requirement (1)
• ASA 5545-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, or 2000 sessions.
• ASA 5555-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, or 3000 sessions.
• ASA 5585-X with SSP-10: Base License: 2 sessions.
• ASA 5585-X with SSP-20, -40, or -60: Base License: 2 sessions.
• ASA SM: Base License: 2 sessions.
Chapter 19 Configuring Cisco Unified Presence Configuring Cisco Unified Presence Proxy for SIP Federation • Creating Trustpoints and Generating Certificates, page 19-9 • Installing Certificates, page 19-10 • Creating the TLS Proxy Instance, page 19-12 • Enabling the TLS Proxy for SIP Inspection, page 19-13 Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation To configure a Cisco Unified Presence/LCS Federation scenario with the ASA as the TLS proxy where there is a
Chapter 19 Configuring Cisco Unified Presence Configuring Cisco Unified Presence Proxy for SIP Federation
Step 1 Command: hostname(config)# crypto key generate rsa label key-pair-label modulus size
Example:
crypto key generate rsa label ent_y_proxy_key modulus 1024
INFO: The name for the keys will be: ent_y_proxy_key
Keypair generation process begin. Please wait...
hostname(config)#
Purpose: Creates the RSA keypair that can be used for the trustpoints.
Chapter 19 Configuring Cisco Unified Presence Configuring Cisco Unified Presence Proxy for SIP Federation Command Purpose Step 1 hostname(config)# crypto ca export trustpoint identity-certificate Example: hostname(config)# crypto ca export ent_y_proxy identity-certificate Export the ASA self-signed (identity) certificate.
Chapter 19 Configuring Cisco Unified Presence Configuring Cisco Unified Presence Proxy for SIP Federation What to Do Next Once you have created the trustpoints and installed the certificates for the local and remote entities on the ASA, create the TLS proxy instance. See Creating the TLS Proxy Instance, page 19-12.
Chapter 19 Configuring Cisco Unified Presence Configuring Cisco Unified Presence Proxy for SIP Federation Step 7 Step 8 Command Purpose hostname(config-tlsp)# client trust-point proxy_trustpoint Example: hostname(config-tlsp)# client trust-point ent_y_proxy Specifies the trustpoint and associated certificate that the ASA uses in the TLS handshake when the ASA assumes the role of the TLS client.
Chapter 19 Configuring Cisco Unified Presence Monitoring Cisco Unified Presence Command Purpose Step 8 hostname(config)# policy-map name Example: hostname(config)# policy-map global_policy Configure the policy map and attach the action to the class of traffic. Step 9 hostname(config-pmap)# class classmap_name Example: hostname(config-pmap)# class ent_x_to_y Assigns a class map to the policy map so that you can assign actions to the class map traffic.
Chapter 19 Configuring Cisco Unified Presence Configuration Example for Cisco Unified Presence • Example ACL Configuration for XMPP Federation, page 19-17 • Example NAT Configuration for XMPP Federation, page 19-18 Example Configuration for SIP Federation Deployments The following sample illustrates the necessary configuration for the ASA to perform TLS proxy for Cisco Unified Presence as shown in Figure 19-5.
Chapter 19 Configuring Cisco Unified Presence Configuration Example for Cisco Unified Presence Figure 19-5 Typical Cisco Unified Presence/LCS Federation Scenario. [Figure: the same topology as Figure 19-1: Enterprise X's private network (Cisco UCM, Cisco UP (UK), Cisco UP (HK), Cisco UP (US), AD, Orative (Ann), IPPM (Ann), routing) behind an ASA acting as proxy (8.0.4) for Cisco UP with 192.0.2.1 on the outside, exchanging SIP over the Internet with Enterprise Y's DMZ and private network.]
Chapter 19 Configuring Cisco Unified Presence Configuration Example for Cisco Unified Presence quit ! for Entity Y’s CA certificate crypto ca trustpoint ent_y_ca enrollment terminal crypto ca authenticate ent_y_ca Enter the base 64 encoded CA certificate.
Chapter 19 Configuring Cisco Unified Presence Configuration Example for Cisco Unified Presence The following values are used in this sample configuration: • Private XMPP federation Cisco Unified Presence Release 8.0 IP address = 1.1.1.1 • Private second Cisco Unified Presence Release 8.0 IP address= 2.2.2.2 • Private third Cisco Unified Presence Release 7.x IP address = 3.3.3.3 • XMPP federation listening port = 5269 access-list ALLOW-ALL extended permit tcp any host 1.1.1.
Chapter 19 Configuring Cisco Unified Presence Configuration Example for Cisco Unified Presence
• Private third Cisco Unified Presence Release 7.x IP address = 3.3.3.3
• XMPP federation listening port = 5269
nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.
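For XMPP federation the ASA is only a firewall, so the whole exposure is defined by these NAT rules: each private Cisco Unified Presence host needs one static rule per protocol on 5269 and nothing else should be reachable. The following Python is an added example, not code from the Cisco guide: it resolves the object names used in rules of this form, builds the resulting exposure table (mapped address and port to private host and port), and reports a private host missing a rule or a rule exposing anything other than 5269. The object definitions, the second host pair 2.2.2.2 / 10.10.10.11 and the deliberately missing UDP rule are constructed for the example.

```python
"""Added example, not part of the Cisco guide: resolve the object names in
the XMPP federation NAT rules shown above, build the resulting exposure
table (mapped address and port -> private host and port), and report a
private Cisco Unified Presence host that lacks the TCP or UDP 5269 rule or
a rule that exposes anything else. The object definitions, the second host
pair 2.2.2.2 / 10.10.10.11 and the deliberately missing UDP rule are
constructed for the example."""
import re

NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) source static "
    r"(?P<real>\S+) (?P<mapped>\S+)(?: service (?P<real_svc>\S+) (?P<mapped_svc>\S+))?")

SAMPLE = """\
object network obj_host_1.1.1.1
 host 1.1.1.1
object network obj_host_10.10.10.10
 host 10.10.10.10
object network obj_host_2.2.2.2
 host 2.2.2.2
object network obj_host_10.10.10.11
 host 10.10.10.11
object service obj_tcp_source_eq_5269
 service tcp source eq 5269
object service obj_udp_source_eq_5269
 service udp source eq 5269
nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269
nat (inside,outside) source static obj_host_2.2.2.2 obj_host_10.10.10.11 service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269
"""


def parse_objects(text):
    """Return ({network object: host ip}, {service object: (proto, port)})."""
    hosts, services, current = {}, {}, None
    for line in text.splitlines():
        w = line.split()
        if line.startswith("object network "):
            current = ("net", w[2])
        elif line.startswith("object service "):
            current = ("svc", w[2])
        elif line.startswith(" ") and current and w:
            if current[0] == "net" and w[0] == "host":
                hosts[current[1]] = w[1]
            elif current[0] == "svc" and w[0] == "service" and "eq" in w:
                services[current[1]] = (w[1], int(w[w.index("eq") + 1]))  # 'service tcp source eq 5269'
        else:
            current = None
    return hosts, services


def exposure(text):
    """(mapped_ip, proto, port) -> (real_ip, proto, port) for each static source NAT with a service."""
    hosts, services = parse_objects(text)
    table = {}
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if not m or not m["real_svc"]:
            continue  # rules without a service translation are out of scope here
        rproto, rport = services[m["real_svc"]]
        mproto, mport = services[m["mapped_svc"]]
        table[(hosts[m["mapped"]], mproto, mport)] = (hosts[m["real"]], rproto, rport)
    return table


def check_xmpp_federation(text, private_hosts, port=5269, protos=("tcp", "udp")):
    """Every private host needs one rule per protocol, and nothing else may be exposed."""
    table = exposure(text)
    reachable = {}
    for _mapped, (rip, rproto, rport) in table.items():
        reachable.setdefault(rip, set()).add((rproto, rport))
    findings = []
    for host in private_hosts:
        for proto in protos:
            if (proto, port) not in reachable.get(host, set()):
                findings.append(f"{host}: no static NAT for {proto}/{port}")
    for (mip, mproto, mport), (rip, rproto, rport) in table.items():
        if mport != port or mproto != rproto or rport != port:
            findings.append(f"{mip} {mproto}/{mport} -> {rip} {rproto}/{rport}: unexpected exposure")
    return findings


if __name__ == "__main__":
    for mapped, real in exposure(SAMPLE).items():
        print(mapped, "->", real)
    for f in check_xmpp_federation(SAMPLE, ["1.1.1.1", "2.2.2.2"]):
        print("-", f)
```

The check follows the guide's sample, which carries both a TCP and a UDP rule per host; feed it the real running configuration and the list of private Cisco UP addresses from the values section above, and it will point at the host whose federation traffic will fail for want of a rule.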
Chapter 19 Configuring Cisco Unified Presence Feature History for Cisco Unified Presence
Feature History for Cisco Unified Presence
Table 19-1 lists the release history for this feature.
Table 19-1 Feature History for Cisco Unified Presence
• Cisco Presence Federation Proxy, 8.0(4): The Cisco Unified Presence proxy feature was introduced.
• Cisco Presence Federation Proxy, 8.3(1): The Unified Communications Wizard was added to ASDM.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy
This chapter describes how to configure the ASA for Cisco Intercompany Media Engine Proxy.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Information About Cisco Intercompany Media Engine Proxy Cisco Intercompany Media Engine has the following key features: • Works with existing phone numbers: Cisco Intercompany Media Engine works with the phone numbers an enterprise currently has and does not require an enterprise to learn new numbers or change providers to use Cisco Intercompany Media Engine.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Information About Cisco Intercompany Media Engine Proxy On successful verification, the terminating side creates a ticket that grants permission to the call originator to make a Cisco IME call to a specific number. See Tickets and Passwords, page 20-3 for information. Tickets and Passwords Cisco Intercompany Media Engine utilizes tickets and passwords to provide enterprise verification.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Information About Cisco Intercompany Media Engine Proxy As illustrated in Figure 20-1, Enterprise B makes a PSTN call to Enterprise A. That call completes successfully. Later, the Enterprise B Cisco Intercompany Media Engine server initiates validation procedures with Enterprise A. These validation procedures succeed. During the validation handshake, Enterprise B sends Enterprise A its domain name.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Information About Cisco Intercompany Media Engine Proxy The TLS signaling connections from the Cisco UCM are terminated on the adaptive security appliance and a TCP or TLS connection is initiated to the Cisco UCM. SRTP (media) sent from external IP phones to the internal network IP phone via the adaptive security appliance is converted to RTP.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Information About Cisco Intercompany Media Engine Proxy Figure 20-2 Cisco Intercompany Media Engine Architecture in a Basic Deployment. [Figure: inside the enterprise perimeter, the Cisco UCM cluster and IP phones (SIP/SCCP, RTP/SRTP); in the DMZ, the UC-IME server (UC-IME access protocol to the UC-IME bootstrap server, peer-to-peer validation with the outside enterprise) and the ASA enabled with the UC-IME proxy (TCP/TLS and SIP/TLS signaling, SRTP media toward the outside enterprise).] Basic Deployment In a basic depl
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Licensing for Cisco Intercompany Media Engine Off Path Deployment In an off path deployment, inbound and outbound Cisco Intercompany Media Engine calls pass through an adaptive security appliance enabled with the Cisco Intercompany Media Engine Proxy. The adaptive security appliance is located in the DMZ and is configured to support only the Cisco Intercompany Media Engine traffic (SIP signaling and RTP traffic).
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Guidelines and Limitations Model License Requirement All models Intercompany Media Engine license. When you enable the Intercompany Media Engine (IME) license, you can use TLS proxy sessions up to the configured TLS proxy limit.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Guidelines and Limitations • Stateful failover of Cisco Unified Intercompany Media Engine is not supported. During failover, existing calls traversing the Cisco Intercompany Media Engine Proxy disconnect; however, new calls successfully traverse the proxy after the failover completes. • Having Cisco UCMs on more than one of the ASA interfaces is not supported with the Cisco Intercompany Media Engine Proxy.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy Assume, for example, that the ASA is configured for a maximum of 100 TLS proxy sessions and that IME calls between SCCP IP phones attempt to establish 101 TLS proxy sessions. In this example, the next IME call is initiated successfully by the originating SCCP IP phone but fails after the call is accepted by the terminating SCCP IP phone, because the terminating side needs a TLS proxy session that the limit no longer allows.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy Note Step 1 through Step 8 apply to both basic (in-line) and off path deployments and Step 9 applies only to off path deployment. To configure a Cisco Intercompany Media Engine for a basic deployment, perform the following tasks. Step 1 Configure static NAT for Cisco UCM. See Configuring NAT for Cisco Intercompany Media Engine Proxy, page 20-11. Or Configure PAT for the UCM server.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy Figure 20-6 Example for Configuring NAT for a Deployment. [Figure: the local Cisco UCMs 192.168.10.30 and 192.168.10.31 on the corporate network; the local ASA translates them to the outside Cisco UCM addresses 209.165.200.227 and 209.165.200.228, reached over TLS from the Internet.]
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy Command Purpose Step 8 hostname(config-network-object)# exit Exits from the objects configuration mode. Step 9 hostname(config)# nat (inside,outside) source static real_obj mapped_obj Examples: hostname(config)# nat (inside,outside) source static ucm_real_192.168.10.30 ucm_209.165.200.228 hostname(config)# nat (inside,outside) source static ucm_real_192.168.10.31 ucm_209.165.200.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy Command Purpose Step 1 hostname(config)# object network name Examples: hostname(config)# object network ucm-pat-209.165.200.228 Configures a network object for the outside IP address of Cisco UCM that you want to translate. Step 2 hostname(config-network-object)# host ip_address Example: hostname(config-network-object)# host 209.165.200.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy Creating ACLs for Cisco Intercompany Media Engine Proxy To configure ACLs for the Cisco Intercompany Media Engine Proxy to reach the Cisco UCM server, perform the following steps. The example command lines in this task are based on a basic (in-line) deployment. See Figure 20-5 on page 20-10 for an illustration explaining the example command lines in this task.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy What to Do Next Create the media termination instance on the ASA for the Cisco Intercompany Media Engine Proxy. See Creating the Media Termination Instance, page 20-16.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy Command Purpose Step 1 hostname(config)# media-termination instance_name Example: hostname(config)# media-termination uc-ime-media-term Creates the media termination instance that you attach to the Cisco Intercompany Media Engine Proxy. Step 2 hostname(config-media-termination)# address ip_address interface intf_name Examples: hostname(config-media-termination)# address 209.165.200.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy Note Step 1 You cannot change any of the configuration settings for the Cisco Intercompany Media Engine Proxy described in this procedure when the proxy is enabled for SIP inspection. Remove the Cisco Intercompany Media Engine Proxy from SIP inspection before changing any of the settings described in this procedure.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy Step 4 Command Purpose hostname(config-uc-ime)# ticket epoch n password password Example: hostname(config-uc-ime)# ticket epoch 1 password password1234 Configures the ticket epoch and password for Cisco Intercompany Media Engine. Where n is an integer from 1-255. The epoch contains an integer that updates each time that the password is changed.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy Step 5 Command Purpose (Optional) Specifies the fallback timers for Cisco Intercompany Media Engine.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy connections between the local Cisco UCM and the local ASA. The instructions in that task describe how to create trustpoints between the local Cisco UCM and the local ASA. Prerequisites for Installing Certificates To create a proxy certificate on the ASA that is trusted by the remote entity, obtain a certificate from a trusted CA or export it from the remote enterprise ASA.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy Command Purpose Step 4 hostname(config-ca-trustpoint)# keypair keyname Example: hostname(config-ca-trustpoint)# keypair local-ent-key Specifies the key pair whose public key is to be certified. Step 5 hostname(config-ca-trustpoint)# enroll terminal Specifies that you will use the “copy and paste” method of enrollment with this trustpoint (also known as manual enrollment).
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy Creating the TLS Proxy Because either enterprise, that is, the local or the remote Cisco UCM servers, can initiate the TLS handshake (unlike IP Telephony or Cisco Mobility Advantage, where only the clients initiate the TLS handshake), you must configure bidirectional TLS proxy rules. Each enterprise can have an ASA as the TLS proxy.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy Step 6 Command Purpose hostname(config-tlsp)# server trust-point proxy_trustpoint Example: hostname(config-tlsp)# server trust-point local-ent For inbound connections, specifies the proxy trustpoint certificate presented during TLS handshake. The certificate must be owned by the adaptive security appliance (identity certificate).
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy Command Purpose Step 1 hostname(config)# class-map class_map_name Examples: hostname(config)# class-map ime-inbound-sip Defines a class for the inbound Cisco Intercompany Media Engine SIP traffic. Step 2 hostname(config-cmap)# match access-list access_list_name Examples: hostname(config-cmap)# match access-list ime-inbound-sip Identifies the SIP traffic to inspect.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy Command Purpose Step 14 hostname(config-pmap)# exit Exits from the policy map configuration mode. Step 15 hostname(config)# service-policy policymap_name global Examples: hostname(config)# service-policy ime-policy global Enables the service policy for SIP inspection for all interfaces. Where policymap_name is the name of the policy map you created in Step 7 of this task.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy Step 1 Commands Purpose hostname(config)# crypto key generate rsa label key-pair-label hostname(config)# crypto ca trustpoint trustpoint_name hostname(config-ca-trustpoint)# enroll self hostname(config-ca-trustpoint)# keypair keyname hostname(config-ca-trustpoint)# subject-name x.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy Step 6 Commands Purpose hostname(config)# crypto ca authenticate trustpoint Example: hostname(config)# crypto ca authenticate local-ent-ucm Imports the certificate from local Cisco UCM. Where trustpoint is the trustpoint for the local Cisco UCM. Paste the certificate downloaded from the local Cisco UCM.
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy

(Optional) Configuring Off Path Signaling

Perform this task only when you are configuring the Cisco Intercompany Media Engine Proxy as part of an off path deployment. You might choose an off path deployment when you want to use the Cisco Intercompany Media Engine but do not want to replace your existing Internet firewall with an ASA enabled with the Cisco Intercompany Media Engine Proxy.

Step 5
Command: uc-ime uc_ime_name
Example: hostname(config)# uc-ime local-ent-ime
Purpose: Specifies the Cisco Intercompany Media Engine Proxy that you created in the task Creating the Cisco Intercompany Media Engine Proxy, page 20-17, where uc_ime_name is the name you specified in Step 1 of that task.

Step 2 Check the Enable Cisco UC-IME proxy check box to enable the feature.
Step 3 In the Unified CM Servers area, enter an IP address or hostname for the Cisco Unified Communications Manager (Cisco UCM), or click the ellipsis to open a dialog and browse for an IP address or hostname.
Step 4 In the Trunk Security Mode field, click a security option.

Step 10 In the Fallback area, configure the fallback timer for the Cisco Intercompany Media Engine by specifying the following settings:
a. In the Fallback Sensitivity File field, enter the path to a file in flash memory that the ASA uses for mid-call PSTN fallback. The file name that you enter must be the name of a file on disk that includes the .fbs file extension.

Step 4 Specify the public network settings.
Step 5 Specify the media termination address settings of Cisco UCM.
Step 6 Configure the local-side certificate management, namely the certificates that are exchanged between the local Cisco Unified Communications Manager servers and the ASA.

Troubleshooting Cisco Intercompany Media Engine Proxy

Local SRTP key set :
Remote SRTP key set
Remote Media (audio) conn: 192.168.10.51/19520 to 192.168.10.3/30930
Call-ID: ab6d7980-a7d11b08-50-1e0aa8c0@192.168.10.30
FB Sensitivity: 3
Session ID: 2948-32325449-0@81a985c9-f3a1-55a0-3b19-96549a027259
SIP Trunk URI: 81a985c9-f3a1-55a0-3b19-9654@UCM-30;maddr=192.168.10.

Sum_all_packets : 20196
Codec_payload_format : 9
RTP_ptime_ms : 20
Max_RBLR_pct_x100 : 0
Max_ITE_count_in_8_sec : 0
Max_BLS_ms : 0
Max_PDV_usec : 1000
Min_PDV_usec : 0
Mov_avg_PDV_usec : 109
Total_ITE_count : 0
Total_sec_count : 403
Concealed_sec_count : 0
Severely_concealed_sec_count : 0
Max_call_interval_ms : 118
Total_SequenceNumber_Resets : 0
Media-session: 192.168.10.

Feature History for Cisco Intercompany Media Engine Proxy

Table 20-1 lists the release history for this feature.

Table 20-1 Feature History for Cisco Phone Proxy
Feature Name: Cisco Intercompany Media Engine Proxy
Releases: 8.3(1)
Feature Information: The Cisco Intercompany Media Engine Proxy was introduced.
PART 6 Configuring Connection Settings and QoS
CHAPTER 22 Configuring Connection Settings

This chapter describes how to configure connection settings for connections that go through the ASA, or for management connections that go to the ASA.

Information About Connection Settings

TCP Intercept and Limiting Embryonic Connections
Limiting the number of embryonic connections protects you from a DoS attack. The ASA uses the per-client limits and the embryonic connection limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets.

TCP Sequence Randomization
Each TCP connection has two ISNs: one generated by the client and one generated by the server. The ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions. Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.

fast path (an established connection), or the control plane path (advanced inspection). See the “Stateful Inspection Overview” section on page 1-17 in the general operations configuration guide for more detailed information about the stateful firewall. TCP packets that match existing connections in the fast path can pass through the ASA without rechecking every aspect of the security policy.

Guidelines and Limitations
Context Mode Guidelines: Supported in single and multiple context mode.
Firewall Mode Guidelines: Supported in routed and transparent mode.
Failover Guidelines: Failover is supported.
Configuring Connection Settings

no check-retransmission
no checksum-verification
exceed-mss allow
queue-limit 0 timeout 4
reserved-bits allow
syn-data allow
synack-data drop
invalid-ack drop
seq-past-window drop
tcp-options range 6 7 clear
tcp-options range 9 255 clear
tcp-options selective-ack allow
tcp-options timestamp allow
tcp-options window-scale allow
ttl-evasion-protection
urgent-flag clear
window-variation allow-connection

Step 2 (Optional) Configure the TCP map criteria by entering one or more of the following commands (see Table 22-1). If you want to customize some settings, the defaults are used for any commands you do not enter.

Table 22-1 tcp-map Commands
check-retransmission: Prevents inconsistent TCP retransmissions.
checksum-verification: Verifies the checksum.
exceed-mss {allow | drop}: Sets the action for packets whose data length exceeds the TCP maximum segment size. The allow keyword (default) allows packets whose data length exceeds the TCP maximum segment size.
queue-limit pkt_num [timeout seconds]: Sets the maximum number of out-of-order packets that can be buffered and put in order for a TCP connection, between 1 and 250 packets.
synack-data {allow | drop}: Sets the action for TCP SYNACK packets that contain data. The allow keyword allows TCP SYNACK packets that contain data. The drop keyword (default) drops TCP SYNACK packets that contain data.
syn-data {allow | drop}: Sets the action for SYN packets with data. The allow keyword (default) allows SYN packets with data.
urgent-flag {allow | clear}: Sets the action for packets with the URG flag. The URG flag is used to indicate that the packet contains information that is of higher priority than other data within the stream.
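A quick way to review what a TCP map actually changes on a box is to diff it against the normalizer defaults listed above. The script below is an added example, not Cisco code or output from this guide: it parses tcp-map blocks out of running-configuration text and reports every option whose value differs from the default. The DEFAULTS table is transcribed from the default listing above; the sample configuration is constructed, and the parser assumes the indented block layout the ASA uses when it prints tcp-map in the running configuration.

```python
"""Audit tcp-map blocks against the default TCP normalizer settings.

Added example, not Cisco code. DEFAULTS is transcribed from the default
tcp-map listing in this section; SAMPLE_CONFIG is constructed.
"""

# Default value for each tcp-map option; "yes"/"no" stand for a bare keyword
# and its "no" form.
DEFAULTS = {
    "check-retransmission": "no",
    "checksum-verification": "no",
    "exceed-mss": "allow",
    "queue-limit": "0 timeout 4",
    "reserved-bits": "allow",
    "syn-data": "allow",
    "synack-data": "drop",
    "invalid-ack": "drop",
    "seq-past-window": "drop",
    "tcp-options range 6 7": "clear",
    "tcp-options range 9 255": "clear",
    "tcp-options selective-ack": "allow",
    "tcp-options timestamp": "allow",
    "tcp-options window-scale": "allow",
    "ttl-evasion-protection": "yes",
    "urgent-flag": "clear",
    "window-variation": "allow-connection",
}


def parse_option(line):
    """Split one tcp-map line into (option key, configured value)."""
    tokens = line.split()
    negated = bool(tokens) and tokens[0] == "no"
    if negated:
        tokens = tokens[1:]
    if not tokens:
        return None
    if tokens[0] == "tcp-options":
        # "tcp-options range LOW HIGH action" or "tcp-options NAME action"
        n = 4 if len(tokens) > 1 and tokens[1] == "range" else 2
        key, rest = " ".join(tokens[:n]), tokens[n:]
    else:
        key, rest = tokens[0], tokens[1:]
    value = "no" if negated else (" ".join(rest) or "yes")
    return key, value


def parse_tcp_maps(config_text):
    """Return {tcp_map_name: {option: value}} from running-config text."""
    maps, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith("tcp-map "):
            current = line.split()[1]
            maps[current] = {}
        elif current is not None and line.startswith(" "):
            parsed = parse_option(line)
            if parsed:
                maps[current][parsed[0]] = parsed[1]
        else:
            current = None  # any other top-level command ends the block
    return maps


def audit(config_text):
    """Return {tcp_map_name: [(option, configured, default), ...]} listing
    every option that differs from the normalizer default."""
    report = {}
    for name, options in parse_tcp_maps(config_text).items():
        report[name] = [(opt, val, DEFAULTS.get(opt))
                        for opt, val in options.items()
                        if DEFAULTS.get(opt) != val]
    return report


# Constructed running-config excerpt with two tcp-maps (not from a real box).
SAMPLE_CONFIG = """\
tcp-map tcp_map1
  check-retransmission
  checksum-verification
  exceed-mss drop
  queue-limit 50 timeout 10
  tcp-options range 6 7 allow
  no ttl-evasion-protection
  urgent-flag allow
!
tcp-map like_default
  no check-retransmission
  synack-data drop
  tcp-options selective-ack allow
!
"""

if __name__ == "__main__":
    for name, diffs in audit(SAMPLE_CONFIG).items():
        print(name, diffs or "matches defaults")
```

Running it prints seven deviations for tcp_map1 (the hardened retransmission and checksum checks, the stricter exceed-mss action, the larger out-of-order queue, and the loosened TTL, URG and option handling) and nothing for like_default, whose lines only restate defaults. Options the table does not know are reported with a default of None so they are not silently skipped.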
Step 3
Command: policy-map name
Purpose: Adds or edits a policy map that sets the actions to take with the class map traffic.

Command: set connection {[conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}
Purpose: Sets maximum connection limits or whether TCP sequence randomization is enabled.

Command: set connection timeout {[embryonic hh:mm:ss] [idle hh:mm:ss [reset]] [half-closed hh:mm:ss] [dcd hh:mm:ss [max_retries]]}
Purpose: Sets connection timeouts. For global timeouts, see the timeout command in the command reference.

Command: set connection advanced-options tcp-map-name
Purpose: Customizes the TCP normalizer. See the “Customizing the TCP Normalizer with a TCP Map” section on page 22-6 to create a TCP map.
Example: ciscoasa(config-pmap-c)# set connection advanced-options tcp_map1

Command: set connection advanced-options tcp-state-bypass
Purpose: Enables TCP state bypass.

Configuration Examples for Connection Settings

ciscoasa(config-pmap-c)# set connection conn-max 1000 embryonic-conn-max 3000
ciscoasa(config-pmap-c)# set connection timeout idle 2:0:0 embryonic 0:40:0 half-closed 0:20:0 dcd
ciscoasa(config-pmap-c)# service-policy CONNS interface outside

You can enter set connection commands with multiple parameters, or you can enter each parameter as a separate command.

Feature History for Connection Settings

Table 22-2 lists each feature change and the platform release in which it was implemented.

Table 22-2 Feature History for Connection Settings
Feature Name: TCP state bypass
Platform Releases: 8.2(1)
Feature Information: This feature was introduced. The following command was introduced: set connection advanced-options tcp-state-bypass.

Feature Name: Connection timeout for all protocols
Platform Releases: 8.

Feature Name: Increased maximum connection limits for service policy rules
Platform Releases: 9.0(1)
Feature Information: The maximum number of connections for service policy rules was increased from 65535 to 2000000.
CHAPTER 23 Configuring QoS

Have you ever participated in a long-distance phone call that involved a satellite connection? The conversation might be interrupted with brief, but perceptible, gaps at odd intervals. Those gaps are the time, called the latency, between the arrival of packets being transmitted over the network. Some network traffic, such as voice and video, cannot tolerate long latency times.

Information About QoS

Supported QoS Features
The ASA supports the following QoS features:
• Policing—To prevent individual flows from hogging the network bandwidth, you can limit the maximum bandwidth used per flow. See the “Information About Policing” section on page 23-3 for more information.

For traffic shaping, a token bucket permits burstiness but bounds it. It guarantees that the burstiness is bounded so that the flow will never send faster than the token bucket capacity, divided by the time interval, plus the established rate at which tokens are placed in the token bucket.

Information About Traffic Shaping
Traffic shaping is used to match device and link speeds, thereby controlling packet loss, variable delay, and link saturation, which can cause jitter and delay.
Note Traffic shaping is only supported on the ASA 5505, 5510, 5520, 5540, and 5550.
• Traffic shaping must be applied to all outgoing traffic on a physical interface or, in the case of the ASA 5505, on a VLAN.

You cannot configure traffic shaping and standard priority queuing for the same interface; only hierarchical priority queuing is allowed. For example, if you configure standard priority queuing for the global policy and then configure traffic shaping for a specific interface, the feature you configured last is rejected because the global policy overlaps the interface policy.

• (ASA 5512-X through ASA 5555-X) Priority queuing is not supported on the Management 0/0 interface.
• (ASASM) Only policing is supported.
Additional Guidelines and Limitations
• QoS is applied unidirectionally; only traffic that enters (or exits, depending on the QoS feature) the interface to which you apply the policy map is affected. See the “Feature Directionality” section on page 1-2 for more information.
Configuring QoS

Determining the Queue and TX Ring Limits for a Standard Priority Queue
To determine the priority queue and TX ring limits, use the worksheets below. Table 23-1 shows how to calculate the priority queue size. Because queues are not of infinite size, they can fill and overflow. When a queue is full, any additional packets cannot get into the queue and are dropped (called tail drop).

2. Typically, the maximum size is 1538 bytes, or 1542 bytes for tagged Ethernet. If you allow jumbo frames (if supported for your platform), then the packet size might be larger.
3. The delay depends on your application. For example, to control jitter for VoIP, you should use 20 ms.

Step 2
Command: queue-limit number_of_packets
Purpose: Changes the size of the priority queues. The default queue limit is 1024 packets. Because queues are not of infinite size, they can fill and overflow. When a queue is full, any additional packets cannot get into the queue and are dropped (called tail drop). To avoid having the queue fill up, you can use the queue-limit command to increase the queue buffer size.

Restrictions
• You cannot use the class-default class map for priority traffic.
• You cannot configure traffic shaping and standard priority queuing for the same interface; only hierarchical priority queuing is allowed.
• (ASASM) The ASASM only supports policing.
• For policing, to-the-box traffic is not supported.
• For policing, traffic to and from a VPN tunnel bypass interface is not supported.

Step 6
Command: class priority_map_name
Purpose: Identifies the class map you created for prioritized traffic in Step 1.
Example: ciscoasa(config-pmap)# class priority_class
Step 7
Command: priority
Purpose: Configures priority queuing for the class.
Example: ciscoasa(config-pmap-c)# priority
Step 8
Command: class policing_map_name
Purpose: Identifies the class map you created for policed traffic in Step 3.

ciscoasa(config)# class-map tcp_traffic
ciscoasa(config-cmap)# match access-list tcp_traffic

In the following example, other, more specific match criteria are used for classifying traffic for specific, security-related tunnel groups.

Example 23-2 Priority and Policing Example
In this example, the maximum rate for traffic of the tcp_traffic class is 56,000 bits/second, with a maximum burst size of 10,500 bytes per second. For the TC1-BestEffort class, the maximum rate is 200,000 bits/second, with a maximum burst of 37,500 bytes/second. Traffic in the TC1-voice class has no policed maximum speed or burst rate because it belongs to a priority class.
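The difference between policing and shaping comes down to what happens when the token bucket is empty: a policer drops the excess, a shaper holds it back until tokens accumulate, and in both cases the bound quoted in the Information About QoS section applies (over any interval T the flow sends at most bucket capacity plus rate times T). The simulation below is an added example, not ASA code, written to make that bound concrete. It reuses the tcp_traffic numbers from Example 23-2 (56,000 bits/second, 10,500 bytes burst); the packet arrivals are constructed, and the model assumes a single FIFO queue in front of the shaper.

```python
"""Token-bucket policing and shaping, as described in this chapter.

Added example, not ASA code. The rate and burst are the tcp_traffic values
from Example 23-2; the packet arrivals below are constructed.
"""


class TokenBucket:
    """Bucket holding up to `burst_bytes` tokens, refilled at `rate_bps`."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0        # tokens (bytes) added per second
        self.capacity = float(burst_bytes)
        self.tokens = float(burst_bytes)  # starts full
        self.last = 0.0

    def refill(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def conform(self, now, size):
        """Policer decision: spend tokens if available, else signal a drop."""
        self.refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def police(packets, rate_bps, burst_bytes):
    """Policing: excess packets are dropped, nothing is delayed.
    packets: list of (arrival_time_s, size_bytes). Returns (passed, dropped) bytes."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    passed = dropped = 0
    for arrival, size in packets:
        if bucket.conform(arrival, size):
            passed += size
        else:
            dropped += size
    return passed, dropped


def shape(packets, rate_bps, burst_bytes):
    """Shaping: packets wait in a FIFO queue until enough tokens exist.
    Returns the list of (send_time_s, size_bytes)."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    schedule = []
    next_free = 0.0  # earliest time the shaper may send (keeps FIFO order)
    for arrival, size in packets:
        if size > bucket.capacity:
            raise ValueError("packet larger than the burst can never be sent")
        now = max(arrival, next_free)
        bucket.refill(now)
        if size > bucket.tokens:
            now += (size - bucket.tokens) / bucket.rate  # wait for tokens
            bucket.refill(now)
        bucket.tokens -= size
        next_free = now
        schedule.append((now, size))
    return schedule


def burst_bound_holds(schedule, rate_bps, burst_bytes, eps=1e-3):
    """Check the chapter's bound: over any interval T starting at a send
    time, the shaper emits at most burst + rate * T bytes."""
    rate = rate_bps / 8.0
    for i, (t_i, _) in enumerate(schedule):
        sent = 0
        for t_j, size in schedule[i:]:
            sent += size
            if sent > burst_bytes + rate * (t_j - t_i) + eps:
                return False
    return True


# Constructed input: 30 packets of 1000 bytes all arriving at t = 0.
PACKETS = [(0.0, 1000)] * 30
RATE_BPS, BURST_BYTES = 56000, 10500


def demo():
    policed = police(PACKETS, RATE_BPS, BURST_BYTES)
    shaped = shape(PACKETS, RATE_BPS, BURST_BYTES)
    return policed, shaped[-1][0], burst_bound_holds(shaped, RATE_BPS, BURST_BYTES)


if __name__ == "__main__":
    print(demo())
```

With a 10,500-byte bucket and 1000-byte packets the policer passes the first ten packets (10,000 bytes) and drops the other twenty, while the shaper sends the same ten immediately and releases the rest at 7,000 bytes/second, so the last packet leaves about 2.79 seconds later and the burst bound is never exceeded.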
• For hierarchical priority queuing, you do not need to create a priority queue on an interface.
• For hierarchical priority queuing, for encrypted VPN traffic, you can only match traffic based on the DSCP or precedence setting; you cannot match a tunnel group.
• For hierarchical priority queuing, IPsec-over-TCP traffic is not supported.
• You cannot configure traffic shaping and standard priority queuing for the same interface; only hierarchical priority queuing is allowed. See the “How QoS Features Interact” section on page 23-4 for information about valid QoS configurations.
• You cannot configure traffic shaping in the global policy.

Detailed Steps
Step 1
Command: policy-map name
Purpose: Adds or edits a policy map.

ciscoasa(config-cmap)# match access-list ike
ciscoasa(config-cmap)# class-map voice_traffic
ciscoasa(config-cmap)# match dscp EF AF13
ciscoasa(config-cmap)# policy-map qos_class_policy
ciscoasa(config-pmap)# class voice_traffic
ciscoasa(config-pmap-c)# priority
ciscoasa(config-pmap-c)# class ike
ciscoasa(config-pmap-c)# priority
ciscoasa(config-pmap-c)# policy-map qos_outside_policy
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# shape average

Monitoring QoS

Viewing QoS Standard Priority Statistics
To view statistics for service policies implementing the priority command, use the show service-policy command with the priority keyword:
ciscoasa# show service-policy priority
The following is sample output for the show service-policy priority command:
ciscoasa# show service-policy priority
Global policy:
Service-policy: global_fw_policy
Interface outside:
Service-policy: qos
Class-map: TG1-voice
Priority:
Interface outsi

Service-policy: voip
Class-map: voip
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: class-default
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0

Viewing QoS Standard Priority Queue Statistics
To display the priority-queue statistics for an interface, use the show priority-queue statistics command in privileged EXEC mode.

Feature History for QoS

Table 23-3 lists each feature change and the platform release in which it was implemented.

Table 23-3 Feature History for QoS
Feature Name: Priority queuing and policing
Platform Releases: 7.0(1)
Feature Information: We introduced QoS priority queuing and policing.
CHAPTER 24 Troubleshooting Connections and Resources

This chapter describes how to troubleshoot the ASA and includes the following sections:
• Testing Your Configuration, page 24-1
• Monitoring Per-Process CPU Usage, page 24-7

Testing Your Configuration
This section describes how to test connectivity for the single mode ASA or for each security context, how to ping the ASA interfaces, and how to allow hosts on one interface to ping through to hosts on another interface.

Enabling ICMP Debugging Messages and Syslog Messages
Debugging messages and syslog messages can help you troubleshoot why your pings are not successful. The ASA only shows ICMP debugging messages for pings to the ASA interfaces, not for pings through the ASA to other hosts.

Pinging ASA Interfaces
To test whether the ASA interfaces are up and running and that the ASA and connected routers are operating correctly, you can ping the ASA interfaces. To ping the ASA interfaces, perform the following steps:
Step 1 Draw a diagram of your single-mode ASA or security context that shows the interface names, security levels, and IP addresses.

Figure 24-2 Ping Failure at the ASA Interface
If the ping reaches the ASA, and it responds, debugging messages similar to the following appear:
ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.

Passing Traffic Through the ASA
After you successfully ping the ASA interfaces, make sure that traffic can pass successfully through the ASA. By default, you can ping from a high security interface to a low security interface; you just need to enable ICMP inspection to allow the returning traffic through. If you want to ping from low to high, then you need to apply an ACL to allow the traffic.

Step 4 (Optional, for low security interfaces)
Command: access-list ICMPACL extended permit icmp any any
Purpose: Adds an ACL to allow ICMP traffic from any source host.
Step 5
Command: access-group ICMPACL in interface outside
Purpose: Assigns the ACL to the outside interface. Replace “outside” with your interface name if it is different. Repeat the command for each interface on which you want to allow ICMP traffic from low to high.

Determining Packet Routing with Traceroute
You can trace the route of a packet using the traceroute feature, which is accessed with the traceroute command. A traceroute works by sending UDP packets to a destination on an invalid port. Because the port is not valid, the routers along the way to the destination respond with an ICMP Time Exceeded Message, and report that error to the ASA.
PART 7 Configuring Advanced Network Protection
CHAPTER 25 Configuring the ASA for Cisco Cloud Web Security

Cisco Cloud Web Security provides web security and web filtering services through the Software-as-a-Service (SaaS) model. Enterprises with the ASA in their network can use Cloud Web Security services without having to install additional hardware. When Cloud Web Security is enabled on the ASA, the ASA transparently redirects selected HTTP and HTTPS traffic to the Cloud Web Security proxy servers.

This chapter includes the following sections:
• Information About Cisco Cloud Web Security, page 25-2
• Licensing Requirements for Cisco Cloud Web Security, page 25-6
• Prerequisites for Cloud Web Security, page 25-7
• Guidelines and Limitations, page 25-7
• Default Settings, page 25-8
• Configuring Cisco Cloud Web Security, page 25-8
• Monitoring Cloud Web Security, page 25-17
• Configur

Information About Cisco Cloud Web Security

The ASA supports the following methods of determining the identity of a user, or of providing a default identity:
• AAA rules—When the ASA performs user authentication using a AAA rule, the username is retrieved from the AAA server or local database. Identity from AAA rules does not include group information. If configured, the default group is used.

For more information, see the Cloud Web Security documentation: http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.html.

ScanCenter Policy
In ScanCenter, traffic is matched against policy rules in order until a rule is matched. Cloud Web Security then applies the configured action for the rule.

– AAA usernames, when using RADIUS or TACACS+, are sent in the following format: LOCAL\username
– AAA usernames, when using LDAP, are sent in the following format: domain-name\username
– The default username is sent in the following format: [domain-name\]username
For example, if you configure the default username to be “Guest,” then the ASA sends “Guest.

Bypassing Scanning with Whitelists
If you use AAA rules or IDFW, you can configure the ASA so that web traffic from specific users or groups that otherwise match the service policy rule is not redirected to the Cloud Web Security proxy server for scanning.

Licensing Requirements for Cisco Cloud Web Security
Model: All models
License Requirement: Strong Encryption (3DES/AES) License to encrypt traffic between the security appliance and the Cloud Web Security server.

Prerequisites for Cloud Web Security
On the Cloud Web Security side, you must purchase a Cisco Cloud Web Security license and identify the number of users that the ASA handles. Then log into ScanCenter and generate your authentication keys.

• When an interface to the Cloud Web Security proxy servers goes down, output from the show scansafe server command shows both servers up for approximately 15-25 minutes. This condition may occur because the polling mechanism is based on the active connection; because that interface is down, it shows zero connections and takes the longest poll time approach.
• Cloud Web Security is not supported with the ASA CX module.
Configuring Cisco Cloud Web Security

Detailed Steps
Step 1
Command: scansafe general-options
Purpose: Enters scansafe general-options configuration mode.
Example: ciscoasa(config)# scansafe general-options
Step 2
Command: server primary {ip ip_address | fqdn fqdn} [port port]
Purpose: Configures the fully qualified domain name or IP address of the primary Cloud Web Security proxy server.

Note You must configure a route pointing to the Scansafe towers in both the admin context and the specific context. This ensures that the Scansafe tower does not become unreachable in the Active/Active failover scenario.

Detailed Steps
Step 1
Command: policy-map type inspect scansafe name1
Purpose: Creates an inspection policy map so you can configure essential parameters for the rule and also optionally identify the whitelist. An inspection policy map is required for each class of traffic that you want to send to Cloud Web Security.

Step 7
Commands:
policy-map type inspect scansafe name2
parameters
default {[user user] [group group]}
class whitelist_name2
whitelist
Purpose: Repeat Step 1 to Step 6 to create a separate class map for HTTPS traffic (for example). You can create an inspection class map for each class of traffic you want to send to Cloud Web Security.

Step 10
Command: match access-list acl1
Purpose: Specifies an ACL created in Step 8.
Example: ciscoasa(config-cmap)# match access-list SCANSAFE_HTTP
Step 11
Commands:
class-map name2
match access-list acl2
Purpose: Although you can use other match statements for this rule, we recommend using the match access-list command because it is the most versatile for identifying HTTP or HTTPS-only traffic.

Examples
The following example configures two classes: one for HTTP and one for HTTPS. Each ACL exempts traffic to www.cisco.com and to tools.cisco.com, and to the DMZ network, for both HTTP and HTTPS. All other traffic is sent to Cloud Web Security, except for traffic from several whitelisted users and groups. The policy is then applied to the inside interface.

(Optional) Configuring Whitelisted Traffic
If you use user authentication, you can exempt some traffic from being filtered by Cloud Web Security based on the username and/or groupname. When you configure your Cloud Web Security service policy rule, you can reference the whitelisting inspection class map. Both IDFW and AAA user credentials can be used with this feature.

hostname(config-pmap-p)# https
hostname(config-pmap-p)# default group2 default_group2
hostname(config-pmap-p)# class whitelist1
hostname(config-pmap-c)# whitelist

(Optional) Configuring the User Identity Monitor
When you use IDFW, the ASA only downloads user identity information from the AD server for users and groups included in active ACLs; the ACL must be used in a feature such as an access rule, AAA rul
Monitoring Cloud Web Security
show scansafe server: Shows the status of the server, whether it is the current active server, the backup server, or unreachable.
show scansafe statistics: Shows total and current HTTP(S) connections.
show conn scansafe: Shows all Cloud Web Security connections, as noted by the capital Z flag.

Configuration Examples for Cisco Cloud Web Security
• Single Mode Example, page 25-18
• Multiple Mode Example, page 25-19
• Whitelist Example, page 25-19
• Directory Integration Examples, page 25-20
• Cloud Web Security with Identity Firewall Example, page 25-22

Single Mode Example
The following example shows a complete configuration for Cisco Cloud Web Security:
Configure ACLs
We re

hostname(cfg-scansafe)# server primary ip 192.168.115.

parameters
default user user1 group group1
https
class whiteListCmap
whitelist
After creating this inspect policy, attach it to the policy map to be assigned to the service group:
policy-map pmap
class web
inspect scansafe ss fail-close
class https
inspect scansafe ss2 fail-close
Then attach the policy map to a service-policy to make it effective globally or by ASA interface:
service-policy p

Configuring the Active Directory Agent Using RADIUS
The following example shows how to configure the Active Directory Agent on your ASA using RADIUS:
hostname(config)# aaa-server adagent protocol radius
hostname(config-aaa-server-group)# ad-agent-mode
hostname(config-aaa-server-group)# aaa-server adagent (inside) host 192.168.116.

hostname(config)# user-identity inactive-user-timer minutes 60
hostname(config)# user-identity action netbios-response-fail remove-user-ip
hostname(config)# user-identity user-not-found enable
hostname(config)# user-identity action mac-address-mismatch remove-user-ip
hostname(config)# user-identity ad-agent active-user-database full-download
If you are using more than one domain, then enter

domain-name uk.scansafe.net
enable password liqhNWIOSfzvir2g encrypted
passwd liqhNWIOSfzvir2g encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.116.90 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 192.168.114.90 255.255.254.

timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-pol

  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map type inspect scansafe http-pmap
 parameters
  default group http-scansafe
  http
policy-map pmap-http
 class cmap-http
  inspect scansafe http-pmap fail-open
 class cmap-https
  inspect scansafe https-pmap fail-open
!
servi

Related Documents
Related Documents: Cisco ScanSafe Cloud Web Security Configuration Guides
URL: http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.html

Feature History for Cisco Cloud Web Security
Table 25-1 lists each feature change and the platform release in which it was implemented.
CH AP TE R 26 Configuring the Botnet Traffic Filter Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address.
Chapter 26 Configuring the Botnet Traffic Filter Information About the Botnet Traffic Filter • Botnet Traffic Filter Actions for Known Addresses, page 26-2 • Botnet Traffic Filter Databases, page 26-2 • How the Botnet Traffic Filter Works, page 26-5 Botnet Traffic Filter Address Types Addresses monitored by the Botnet Traffic Filter include: • Known malware addresses—These addresses are on the blacklist identified by the dynamic database and the static blacklist.
Chapter 26 Configuring the Botnet Traffic Filter Information About the Botnet Traffic Filter 2. When the infected host starts a connection to the IP address of the malware site, then the ASA sends a syslog message informing you of the suspicious activity and optionally drops the traffic if you configured the ASA to do so. 3.
When you add a domain name to the static database, the ASA waits 1 minute, and then sends a DNS request for that domain name and adds the domain name/IP address pairing to the DNS host cache. (This action is a background process, and does not affect your ability to continue configuring the ASA.) We recommend also enabling DNS packet inspection with Botnet Traffic Filter snooping.
How the Botnet Traffic Filter Works

Figure 26-1 shows how the Botnet Traffic Filter works with the dynamic database plus DNS inspection with Botnet Traffic Filter snooping.

Figure 26-1 How the Botnet Traffic Filter Works with the Dynamic Database
[Figure labels: Security Appliance (DNS Reverse Lookup Cache, DNS Snoop); Infected Host; DNS Server; Internet. 1a. Match? 2 DNS Reply: 209.165.201.3. 3 Connection to: 209. 3a. Match?]
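The flow in Figure 26-1 and the address types above, as an added model in Python (not ASA code and not from this guide): snooped DNS replies fill a reverse-lookup cache, each new connection's destination address is looked up in that cache, and the names found are checked against the whitelist, the dynamic blacklist and the static blacklist. The list entries, hosts and addresses are constructed; the greylist rule (an address that resolves from both listed and unlisted names) and the static-entry resolver callback are this model's own assumptions.

```python
"""Model of the Botnet Traffic Filter flow (an added example, not ASA code).
DNS replies are snooped into a reverse-lookup cache; every new connection's
destination IP is then checked against the cache plus the dynamic and static
lists. All list entries, hosts and addresses below are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


@dataclass
class BotnetFilter:
    dynamic_blacklist: Set[str] = field(default_factory=set)  # downloaded database (names or IPs)
    static_blacklist: Set[str] = field(default_factory=set)   # always Very High threat level
    whitelist: Set[str] = field(default_factory=set)
    drop_blacklist: bool = False   # "dynamic-filter drop blacklist" configured
    drop_greylist: bool = False    # treat greylisted traffic as blacklisted for dropping
    # reverse-lookup cache: IP -> domain names seen resolving to it
    dns_cache: Dict[str, Set[str]] = field(default_factory=dict)

    def snoop_dns_reply(self, name: str, ip: str) -> None:
        """Steps 1a/2: a snooped DNS reply populates the reverse-lookup cache."""
        self.dns_cache.setdefault(ip, set()).add(name)

    def add_static_entry(self, name: str, resolver: Callable[[str], str]) -> None:
        """Static database entry: the ASA itself resolves the name and caches the
        name/IP pairing, so the entry matches even without DNS snooping.
        (resolver is a constructed stand-in for the DNS request.)"""
        self.static_blacklist.add(name)
        self.snoop_dns_reply(name, resolver(name))

    def classify(self, dst_ip: str) -> str:
        """Steps 3/3a: classify a connection to dst_ip.
        Returns 'whitelist', 'blacklist', 'greylist' or 'unknown'."""
        names = self.dns_cache.get(dst_ip, set())
        bad = self.dynamic_blacklist | self.static_blacklist
        if dst_ip in self.whitelist or names & self.whitelist:
            return "whitelist"               # whitelist takes precedence
        if dst_ip in bad:
            return "blacklist"               # the address itself is listed
        bad_names = names & bad
        if not bad_names:
            return "unknown"
        # greylist (model assumption): the address resolves from blacklisted AND
        # unlisted names, so it is ambiguous rather than definitely malicious
        return "greylist" if names - bad_names else "blacklist"

    def handle_connection(self, src_ip: str, dst_ip: str) -> dict:
        """Produce the syslog-style record and the drop decision for one connection."""
        cls = self.classify(dst_ip)
        drop = self.drop_blacklist and (
            cls == "blacklist" or (cls == "greylist" and self.drop_greylist))
        return {"src": src_ip, "dst": dst_ip, "class": cls,
                "action": "drop" if drop else "permit"}


def demo() -> list:
    """Constructed scenario: returns the records for four connections."""
    f = BotnetFilter(dynamic_blacklist={"bad.example.net"},
                     whitelist={"good.example.com"}, drop_blacklist=True)
    f.add_static_entry("horrible.example.net", lambda _: "209.165.201.4")
    f.snoop_dns_reply("bad.example.net", "209.165.201.3")
    f.snoop_dns_reply("cdn.example.org", "209.165.201.4")   # shared host -> greylist
    f.snoop_dns_reply("good.example.com", "209.165.201.5")
    return [f.handle_connection("10.1.1.45", ip)
            for ip in ("209.165.201.3", "209.165.201.4", "209.165.201.5", "209.165.201.6")]


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The greylisted address is only dropped when both drop flags are set, which mirrors the note in Step 4 below that greylisted traffic is dropped only when the drop command is configured together with the greylist option.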
Licensing Requirements for the Botnet Traffic Filter

The following table shows the licensing requirements for this feature:

Model        License Requirement
All models   You need the following licenses:
             • Botnet Traffic Filter License.
             • Strong Encryption (3DES/AES) License to download the dynamic database.
Configuring the Botnet Traffic Filter

This section includes the following topics:
• Task Flow for Configuring the Botnet Traffic Filter, page 26-7
• Configuring the Dynamic Database, page 26-8
• Enabling DNS Snooping, page 26-10
• Adding Entries to the Static Database, page 26-9
• Enabling Traffic Classification and Actions for the Botnet Traffic Filter, page 26-12
• Blocking Botnet Traffic Manually, page 26-
Configuring the Dynamic Database

This procedure enables database updates, and also enables use of the downloaded dynamic database by the ASA. In multiple context mode, the system downloads the database for all contexts using the admin context interface. You can configure use of the database on a per-context basis. By default, downloading and using the dynamic database is disabled.
ciscoasa(config)# dynamic-filter use-database

What to Do Next

See the “Adding Entries to the Static Database” section on page 26-9.

Adding Entries to the Static Database

The static database lets you augment the dynamic database with domain names or IP addresses that you want to blacklist or whitelist. Static blacklist entries are always designated with a Very High threat level.
Command: name domain_name
Purpose: Adds a name to the whitelist. You can enter this command multiple times for multiple entries. You can add up to 1000 whitelist entries.
Example:
ciscoasa(config-llist)# name good.example.com

Command: address ip_address mask
Purpose: Adds an IP address to the whitelist. You can enter this command multiple times for multiple entries. The mask can be for a single host or for a subnet.
Default DNS Inspection Configuration and Recommended Configuration

The default configuration for DNS inspection inspects all UDP DNS traffic on all interfaces, and does not have DNS snooping enabled. We suggest that you enable DNS snooping only on interfaces that carry DNS requests to external DNS servers.
Step 5
Command: inspect dns [map_name] dynamic-filter-snoop
Purpose: Enables DNS inspection with Botnet Traffic Filter snooping. To use the default DNS inspection policy map for the map_name, specify preset_dns_map for the map name. See the “DNS Inspection” section on page 10-1 for more information about creating a DNS inspection policy map.
Recommended Configuration

Although DNS snooping is not required, we recommend configuring DNS snooping for maximum use of the Botnet Traffic Filter (see the “Enabling DNS Snooping” section on page 26-10). Without DNS snooping for the dynamic database, the Botnet Traffic Filter uses only the static database entries, plus any IP addresses in the dynamic database; domain names in the dynamic database are not used.
Step 3
Command:
Purpose: (Optional) Automatically drops malware traffic. To manually drop traffic, see the “Blocking Botnet Traffic Manually” section on page 26-15.
Step 4
Command:
Purpose: (Optional) If you configured the dynamic-filter drop blacklist command, then this command treats greylisted traffic as blacklisted traffic for dropping purposes. If you do not enable this command, greylisted traffic will not be dropped. See the “Botnet Traffic Filter Address Types” section on page 26-2 for more information about the greylist.
Note
• ACLs block all future connections. To block the current connection, if it is still active, enter the clear conn command. For example, to clear only the connection listed in the syslog message, enter the clear conn address 10.1.1.45 address 209.165.202.129 command. See the command reference for more information.

Shun the infected host.
bad.example.net
Found more than 2 matches, enter a more specific string to find an exact match

Monitoring the Botnet Traffic Filter

Whenever a known address is classified by the Botnet Traffic Filter, a syslog message is generated. You can also monitor Botnet Traffic Filter statistics and other parameters by entering commands on the ASA.
Command: show dynamic-filter reports infected-hosts {max-connections | latest-active | highest-threat | subnet ip_address netmask | all}
Purpose: Generates reports about infected hosts. These reports contain detailed history about infected hosts, showing the correlation between infected hosts, visited malware sites, and malware ports.
Configuration Examples for the Botnet Traffic Filter

horrible.example.net(10.232.224.2)
nono.example.org(209.165.202.
ciscoasa(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
ciscoasa(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outside
ciscoasa(config)# dynamic-filter enable interface outside
ciscoasa(config)# dynamic-filter drop blacklist interface outside

The following recommended example configuration for multiple context mode enables the Botnet Traffic Filter for two context
ciscoasa/context1(config-llist)# address 10.1.1.1 255.255.255.0
ciscoasa/context1(config-llist)# dynamic-filter whitelist
ciscoasa/context1(config-llist)# name good.example.com
ciscoasa/context1(config-llist)# name great.example.com
ciscoasa/context1(config-llist)# name awesome.example.com
ciscoasa/context1(config-llist)# address 10.1.1.2 255.255.255.
Feature History for the Botnet Traffic Filter

Table 26-1 lists each feature change and the platform release in which it was implemented.

Table 26-1 Feature History for the Botnet Traffic Filter

Feature Name                                                            Platform Releases   Feature Information
Botnet Traffic Filter                                                   8.2(1)              This feature was introduced.
Automatic blocking, and blacklist category and threat level reporting.  8.2(2)
CHAPTER 27 Configuring Threat Detection

This chapter describes how to configure threat detection statistics and scanning threat detection and includes the following sections:
• Information About Threat Detection, page 27-1
• Licensing Requirements for Threat Detection, page 27-1
• Configuring Basic Threat Detection Statistics, page 27-2
• Configuring Advanced Threat Detection Statistics, page 27-6
• Configuring Scanning Threat Detection, page 27-15
• Configuration Examples for Threat Detecti
Model        License Requirement
All models   Base License.

Configuring Basic Threat Detection Statistics

Basic threat detection statistics include activity that might be related to an attack, such as a DoS attack.
For each received event, the ASA checks the average and burst rate limits; if both rates are exceeded, then the ASA sends two separate system messages, with a maximum of one message for each rate type per burst period. Basic threat detection affects performance only when there are drops or potential threats; even in this scenario, the performance impact is insignificant.
Table 27-1 Basic Threat Detection Default Settings (continued)

Packet Drop Reason                         Trigger Settings
                                           Average Rate                                      Burst Rate
Denial by ACLs                             400 drops/sec over the last 600 second period.    800 drops/sec over the last 20 second period.
                                           320 drops/sec over the last 3600 second period.   640 drops/sec over the last 120 second period.
• Basic firewall checks failed
• Packets failed application inspection
Interface overload
Monitoring Basic Threat Detection Statistics

To monitor basic threat detection statistics, perform one of the following tasks:

Command: show threat-detection rate [min-display-rate min_display_rate] [acl-drop | bad-packet-drop | conn-limit-drop | dos-drop | fw-drop | icmp-drop | inspect-drop | interface-drop | scanning-threat | syn-attack]
Purpose: Displays basic threat detection statistics.
Feature History for Basic Threat Detection Statistics

Table 27-2 lists each feature change and the platform release in which it was implemented.

Table 27-2 Feature History for Basic Threat Detection Statistics

Feature Name                        Platform Releases   Feature Information
Basic threat detection statistics   8.0(2)              Basic threat detection statistics was introduced.
Security Context Guidelines
Only TCP Intercept statistics are available in multiple mode.

Firewall Mode Guidelines
Supported in routed and transparent firewall mode.

Types of Traffic Monitored
Only through-the-box traffic is monitored; to-the-box traffic is not included in threat detection.

Default Settings
By default, statistics for ACLs are enabled.
Step 3
Command: threat-detection statistics host [number-of-rate {1 | 2 | 3}]
Example:
ciscoasa(config)# threat-detection statistics host number-of-rate 2
Purpose: (Optional) Enables statistics for hosts. The number-of-rate keyword sets the number of rate intervals maintained for host statistics. The default number of rate intervals is 1, which keeps the memory usage low.
Step 5
Command: threat-detection statistics protocol [number-of-rate {1 | 2 | 3}]
Purpose: (Optional) Enables statistics for non-TCP/UDP IP protocols.
The ASA stores the count at the end of each burst period, for a total of 30 completed burst intervals. The unfinished burst interval presently occurring is not included in the average rate. For example, if the average rate interval is 20 minutes, then the burst interval is 20 seconds.
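The rate check described here and in the basic threat detection section above (two messages when both rates are exceeded, at most one per rate type per burst period; 30 completed burst intervals in the average; the unfinished interval excluded), as an added Python model that is not ASA code and not from this guide. The thresholds are the "Denial by ACLs" defaults from Table 27-1 (400 drops/sec over 600 seconds, 800 drops/sec over the 20 second burst interval); the drop counts fed in are constructed, and counting not-yet-seen intervals as zero during warm-up is this model's own assumption.

```python
"""Model of the threat detection rate check (an added example, not ASA code).
Drops are counted per burst interval; the last 30 completed burst intervals
form the average-rate window; the interval still in progress is excluded;
each rate type raises at most one message per burst period."""
from collections import deque
from typing import Deque, List

BURST_DIVISOR = 30   # burst interval = rate interval / 30 (600 s -> 20 s in Table 27-1)


class RateDetector:
    def __init__(self, rate_interval: int, average_rate: float,
                 burst_rate: float, reason: str) -> None:
        self.reason = reason
        self.rate_interval = rate_interval
        self.burst_interval = rate_interval // BURST_DIVISOR
        self.average_rate = average_rate
        self.burst_rate = burst_rate
        # drop counts of the completed burst intervals, oldest first
        self.completed: Deque[int] = deque(maxlen=BURST_DIVISOR)
        self.current = 0   # unfinished interval: never part of the average

    def record_drops(self, n: int = 1) -> None:
        self.current += n

    def average_rate_now(self) -> float:
        """Drops/sec over the rate interval, from completed intervals only.
        Model assumption: intervals not yet seen count as zero."""
        return sum(self.completed) / self.rate_interval

    def end_burst_interval(self) -> List[str]:
        """Close the interval in progress; return the messages to emit (0, 1 or 2)."""
        self.completed.append(self.current)
        self.current = 0
        burst = self.completed[-1] / self.burst_interval
        average = self.average_rate_now()
        msgs = []
        if average > self.average_rate:
            msgs.append(f"average {self.reason} rate {average:.1f} drops/sec "
                        f"exceeds {self.average_rate} over {self.rate_interval} s")
        if burst > self.burst_rate:
            msgs.append(f"burst {self.reason} rate {burst:.1f} drops/sec "
                        f"exceeds {self.burst_rate} over {self.burst_interval} s")
        return msgs


def run(det: RateDetector, drops_per_interval: List[int]) -> List[List[str]]:
    """Feed one drop count per burst interval; collect the messages per interval."""
    out = []
    for n in drops_per_interval:
        det.record_drops(n)
        out.append(det.end_burst_interval())
    return out


if __name__ == "__main__":
    det = RateDetector(600, 400, 800, "acl-drop")
    # constructed: 29 intervals at 450 drops/sec, one spike at 1000 drops/sec, then quiet
    for i, msgs in enumerate(run(det, [9000] * 29 + [20000, 0]), 1):
        for m in msgs:
            print(f"interval {i}: {m}")
```

With 9000 drops per 20 second interval (450 drops/sec) the burst threshold is never crossed, but the 600 second average crosses 400 drops/sec once 27 intervals have completed; the spike interval then produces both messages in the same burst period, and the quiet interval after it produces only the average message because the window still holds the earlier drops.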
To monitor advanced threat detection statistics, perform one of the following tasks:

Command: show threat-detection statistics [min-display-rate min_display_rate] top [[access-list | host | port-protocol] [rate-1 | rate-2 | rate-3] | tcp-intercept [all] detail]]
Purpose: Displays the top 10 statistics.
Command: show threat-detection statistics [min-display-rate min_display_rate] protocol [protocol_number | ah | eigrp | esp | gre | icmp | igmp | igrp | ip | ipinip | ipsec | nos | ospf | pcp | pim | pptp | snp | tcp | udp]
Purpose: Displays statistics for all IP protocols or for a specific protocol.

Command: show threat-detection memory
Purpose: Displays how much memory is used by advanced threat detection statistics.
Table 27-3 show threat-detection statistics host Command Fields (continued)

Field      Description
fw-drop    Shows the number of firewall drops.
Table 27-3 show threat-detection statistics host Command Fields (continued)

Field                                  Description
20-min, 1-hour, 8-hour, and 24-hour    Shows statistics for these fixed rate intervals.
Sent byte                              Shows the number of successful bytes sent from the host.
Sent pkts                              Shows the number of successful packets sent from the host.
Table 27-4 Feature History for Advanced Threat Detection Statistics (continued)

Feature Name                                            Platform Releases   Feature Information
Customize port and protocol statistics rate intervals   8.3(1)              You can now customize the number of rate intervals for which statistics are collected. The default number of rates was changed from 3 to 1.
Guidelines and Limitations

This section includes the guidelines and limitations for this feature:

Security Context Guidelines
Supported in single mode only. Multiple mode is not supported.

Firewall Mode Guidelines
Supported in routed and transparent firewall mode.

Types of Traffic Monitored
• Only through-the-box traffic is monitored; to-the-box traffic is not included in threat detection.
Configuring Scanning Threat Detection

Detailed Steps

Step 1
Command: threat-detection scanning-threat [shun [except {ip-address ip_address mask | object-group network_object_group_id}]]
Purpose: Enables scanning threat detection. By default, the system log message 733101 is generated when a host is identified as an attacker.
Command: clear threat-detection shun [ip_address [mask]]
Purpose: Releases a host from being shunned. If you do not specify an IP address, all hosts are cleared from the shun list.

Command: show threat-detection scanning-threat [attacker | target]
Purpose: Displays hosts that the ASA decides are attackers (including hosts on the shun list), and displays the hosts that are the target of an attack.
Table 27-6 Feature History for Scanning Threat Detection (continued)

Feature Name                                                  Platform Releases   Feature Information
Burst rate interval changed to 1/30th of the average rate.    8.2(1)              In earlier releases, the burst rate interval was 1/60th of the average rate. To maximize memory usage, the sampling interval was reduced to 30 times during the average rate.
Improved memory usage                                         8.
CHAPTER 28 Using Protection Tools

This chapter describes some of the many tools available to protect your network and includes the following sections:
• Preventing IP Spoofing, page 28-1
• Configuring the Fragment Size, page 28-2
• Blocking Unwanted Connections, page 28-2
• Configuring IP Audit for Basic IPS Support, page 28-3

Preventing IP Spoofing

This section lets you enable Unicast Reverse Path Forwarding on an interface.
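The check that Unicast Reverse Path Forwarding performs, as an added Python model (not ASA code and not from this guide): the packet's source address is looked up in the routing table with a longest-prefix match, and the packet passes only when the best route back to that source leaves through the interface the packet arrived on. The routing table, interface names and packets are constructed, and treating the default route as a valid reverse path for the outside interface is an assumption of this model.

```python
"""Model of the Unicast Reverse Path Forwarding check (an added example, not
ASA code). A packet is permitted only if the best route to its source address
points back out the interface on which the packet arrived."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (destination prefix, egress interface)


def best_route(table: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match for addr; a 0.0.0.0/0 route matches anything last."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in table if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def urpf_permits(table: List[Route], ingress: str, src: str) -> bool:
    """True when the source is reachable back through the ingress interface."""
    route = best_route(table, src)
    return route is not None and route[1] == ingress


def check(table: List[Route], packets: List[Tuple[str, str]]) -> List[str]:
    """Return 'permit' or 'drop' for each (ingress interface, source IP) pair."""
    return ["permit" if urpf_permits(table, ing, src) else "drop"
            for ing, src in packets]


# constructed routing table: internal networks behind the inside interface,
# everything else reached via the default route on outside
ROUTES: List[Route] = [
    (ipaddress.ip_network("10.1.1.0/24"), "inside"),
    (ipaddress.ip_network("192.168.2.0/24"), "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]

# constructed packets: the second and fourth carry spoofed source addresses
PACKETS = [
    ("outside", "209.165.200.225"),   # Internet host arriving on outside: permitted
    ("outside", "10.1.1.45"),         # internal address arriving from outside: dropped
    ("inside", "192.168.2.7"),        # internal host on inside: permitted
    ("inside", "209.165.200.225"),    # Internet address arriving on inside: dropped
]

if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, check(ROUTES, PACKETS)):
        print(pkt, verdict)
```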
Configuring the Fragment Size

By default, the ASA allows up to 24 fragments per IP packet, and up to 200 fragments awaiting reassembly. You might need to allow fragments on your network if you have an application that routinely fragments packets, such as NFS over UDP. However, if you do not have an application that fragments traffic, we recommend that you do not allow fragments through the ASA. Fragmented packets are often used in DoS attacks.
Configuring IP Audit for Basic IPS Support

The IP audit feature provides basic IPS support for the ASA that does not have an AIP SSM. It supports a basic list of signatures, and you can configure the ASA to perform one or more actions on traffic that matches a signature.
IP Audit Signature List

Table 28-1 lists supported signatures and system message numbers.

Table 28-1 Signature IDs and System Message Numbers

Signature ID   Message Number   Signature Title              Signature Type   Description
1000           400000           IP options-Bad Option List   Informational    Triggers on receipt of an IP datagram where the list of IP options in the IP datagram header is incomplete or malformed.
Table 28-1 Signature IDs and System Message Numbers (continued)

Signature ID   Message Number   Signature Title                          Signature Type   Description
1103           400009           IP Overlapping Fragments (Teardrop)      Attack           Triggers when two fragments contained within the same IP datagram have offsets that indicate that they share positioning within the datagram.
Table 28-1 Signature IDs and System Message Numbers (continued)

Signature ID   Message Number   Signature Title         Signature Type   Description
2008           400018           ICMP Timestamp Reply    Informational    Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 14 (Timestamp Reply).
Table 28-1 Signature IDs and System Message Numbers (continued)

Signature ID   Message Number   Signature Title       Signature Type   Description
3042           400028           TCP FIN only flags    Attack           Triggers when a single orphaned TCP FIN packet is sent to a privileged port (having port number less than 1024) on a specific host.
Table 28-1 Signature IDs and System Message Numbers (continued)

Signature ID   Message Number   Signature Title                                     Signature Type   Description
6152           400044           yppasswdd (YP password daemon) Portmap Request      Informational    Triggers when a request is made to the portmapper for the YP password daemon (yppasswdd) port.
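Detection logic for four of the Table 28-1 signatures (1103, 2008, 3042 and 6152), as an added Python example that is not ASA code and not from this guide. The signature IDs, message numbers, titles and types are the table's; the dict-based packet representation, the per-type action policy and the sample packets are constructed for the example, and the yppasswdd RPC program number (100009) is assumed from the standard rpc registry.

```python
"""Checks for four IP audit signatures from Table 28-1 (an added example, not
ASA code): 1103 overlapping fragments, 2008 ICMP Timestamp Reply, 3042 TCP
FIN-only to a privileged port, 6152 yppasswdd portmap request."""
from typing import Dict, List, Tuple

YPPASSWDD_PROGRAM = 100009   # assumed from the standard rpc registry
PORTMAP_PORT = 111

# signature id -> (message number, title, type), all from Table 28-1
SIGNATURES: Dict[int, Tuple[int, str, str]] = {
    1103: (400009, "IP Overlapping Fragments (Teardrop)", "Attack"),
    2008: (400018, "ICMP Timestamp Reply", "Informational"),
    3042: (400028, "TCP FIN only flags", "Attack"),
    6152: (400044, "yppasswdd (YP password daemon) Portmap Request", "Informational"),
}

# constructed audit policy: one action set per signature type
POLICY = {"Attack": "alarm drop", "Informational": "alarm"}


def fragments_overlap(frags: List[Tuple[int, int]]) -> bool:
    """frags: (offset, length) in bytes for the fragments of one datagram."""
    spans = sorted(frags)
    return any(o2 < o1 + l1 for (o1, l1), (o2, _) in zip(spans, spans[1:]))


def match(pkt: Dict) -> List[int]:
    """Return the signature IDs that a packet triggers."""
    hits = []
    if fragments_overlap(pkt.get("fragments", [])):
        hits.append(1103)
    if pkt.get("proto") == 1 and pkt.get("icmp_type") == 14:
        hits.append(2008)
    if (pkt.get("proto") == 6 and pkt.get("tcp_flags") == {"FIN"}
            and pkt.get("dst_port", 65535) < 1024):
        hits.append(3042)   # orphaned FIN to a privileged port
    if (pkt.get("dst_port") == PORTMAP_PORT
            and pkt.get("rpc_getport_program") == YPPASSWDD_PROGRAM):
        hits.append(6152)
    return hits


def audit(pkt: Dict) -> List[str]:
    """Syslog-style lines carrying the message number and the policy action."""
    lines = []
    for sid in match(pkt):
        msg, title, kind = SIGNATURES[sid]
        lines.append(f"{msg}: signature {sid} {title} ({kind}) "
                     f"from {pkt['src']} -> action {POLICY[kind]}")
    return lines


# constructed sample packets
SAMPLES = [
    {"src": "10.1.1.45", "proto": 6, "tcp_flags": {"FIN"}, "dst_port": 22},
    {"src": "10.1.1.45", "proto": 6, "tcp_flags": {"FIN", "ACK"}, "dst_port": 22},
    {"src": "10.1.1.46", "proto": 6, "tcp_flags": {"FIN"}, "dst_port": 8080},
    {"src": "10.1.1.47", "proto": 1, "icmp_type": 14},
    {"src": "10.1.1.48", "proto": 17, "fragments": [(0, 1480), (1000, 520)]},
    {"src": "10.1.1.49", "proto": 17, "dst_port": 111, "rpc_getport_program": 100009},
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        for line in audit(pkt):
            print(line)
```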
CHAPTER 29 Configuring Filtering Services

This chapter describes how to use filtering services to provide greater control over traffic passing through the ASA and includes the following sections:
• Information About Web Traffic Filtering, page 29-1
• Configuring ActiveX Filtering, page 29-2
• Configuring Java Applet Filtering, page 29-4
• Filtering URLs and FTP Requests with an External Server, page 29-6
• Monitoring Filtering Statistics, page 29-15

Information About Web Traffic Filtering

You
Configuring ActiveX Filtering

This section includes the following topics:
• Information About ActiveX Filtering, page 29-2
• Licensing Requirements for ActiveX Filtering, page 29-2
• Guidelines and Limitations for ActiveX Filtering, page 29-3
• Configuring ActiveX Filtering, page 29-3
• Configuration Examples for ActiveX Filtering, page 29-3
• Feature History for ActiveX Filtering, page 29-4

Information About ActiveX Filt
Guidelines and Limitations for ActiveX Filtering

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines
Supported in single and multiple context mode.

Firewall Mode Guidelines
Supported in routed and transparent firewall mode.

IPv6 Guidelines
Does not support IPv6.
Feature History for ActiveX Filtering

Table 29-1 lists the release history for ActiveX Filtering. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 29-1 Feature History for ActiveX Filtering

Feature Name        Platform Releases
ActiveX filtering   7.
Guidelines and Limitations for Java Applet Filtering

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines
Supported in single and multiple context mode.

Firewall Mode Guidelines
Supported in routed and transparent firewall mode.

IPv6 Guidelines
Does not support IPv6.
The following example removes the configuration for downloading Java applets to a host on a protected network:

ciscoasa(config)# no filter java http 192.168.3.3 255.255.255.255 0 0

This command allows host 192.168.3.3 to download Java applets.

Feature History for Java Applet Filtering

Table 29-1 lists the release history for Java applet filtering.
Note URL caching will only work if the version of the URL server software from the URL server vendor supports it.

Although ASA performance is less affected when using an external server, you might notice longer access times to websites or FTP servers when the filtering server is remote from the ASA.
Identifying the Filtering Server

You can identify up to four filtering servers per context. The ASA uses the servers in order until a server responds. In single mode, a maximum of 16 of the same type of filtering servers are allowed. You can only configure a single type of server (Websense or Secure Computing SmartFilter) in your configuration.
Command: For Websense:
Purpose: Identifies the address of the filtering server. if_name is the name of the ASA interface connected to the filtering server (the default is inside). For the vendor {secure-computing | n2h2} option, use secure-computing as the vendor string; however, n2h2 is acceptable for backward compatibility.
Configuring Additional URL Filtering Settings

After you have accessed a website, the filtering server can allow the ASA to cache the server address for a certain period of time, as long as each website hosted at the address is in a category that is permitted at all times.
Caching Server Addresses

After you access a website, the filtering server can allow the ASA to cache the server address for a certain period of time, as long as each website hosted at the address is in a category that is permitted at all times. When you access the server again, or if another user accesses the server, the ASA does not need to consult the filtering server again.
Enabling HTTP Filtering

You must identify and enable the URL filtering server before enabling HTTP filtering. When the filtering server approves an HTTP connection request, the ASA allows the reply from the web server to reach the originating client. If the filtering server denies the request, the ASA redirects you to a block page, indicating that access was denied.
Truncating Long HTTP URLs

By default, if a URL exceeds the maximum permitted size, then it is dropped.
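The behaviour described under "Caching Server Addresses" and "Truncating Long HTTP URLs", as an added Python model that is not ASA code and not from this guide: each request is sent to the external filtering server unless the destination address is cached; an address is cached only when the server reports that every site hosted there is permitted at all times; and a URL longer than the configured maximum is dropped by default. The server replies, the cache lifetime, the size limit, and the truncation rule (sending only the host portion of an over-long URL when truncation is enabled) are this model's own constructed assumptions.

```python
"""Model of external URL filtering with server-address caching and long-URL
handling (an added example, not ASA code)."""
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

# server(dst_ip, url) -> (permitted, every site at this address permitted at all times)
Server = Callable[[str, str], Tuple[bool, bool]]


class UrlFilter:
    def __init__(self, server: Server, max_url_len: int,
                 truncate_long: bool = False, cache_ttl: float = 60.0) -> None:
        self.server = server
        self.max_url_len = max_url_len
        self.truncate_long = truncate_long
        self.cache_ttl = cache_ttl
        self.cache: Dict[str, float] = {}   # dst_ip -> cache entry expiry time
        self.server_queries = 0

    def check(self, dst_ip: str, url: str, now: float) -> str:
        """Return 'permit', 'permit (cached)', 'deny' or 'drop (url too long)'."""
        if len(url) > self.max_url_len:
            if not self.truncate_long:
                return "drop (url too long)"      # default behaviour
            parts = urlsplit(url)
            url = f"{parts.scheme}://{parts.netloc}/"   # model assumption: host part only
        expiry = self.cache.get(dst_ip)
        if expiry is not None and expiry > now:
            return "permit (cached)"              # no round trip to the filtering server
        self.server_queries += 1
        permitted, always = self.server(dst_ip, url)
        if permitted and always:
            self.cache[dst_ip] = now + self.cache_ttl
        return "permit" if permitted else "deny"


def demo_server(dst_ip: str, url: str) -> Tuple[bool, bool]:
    """Constructed filtering-server policy: 209.165.200.225 hosts only
    always-permitted sites; 209.165.200.226 hosts a permitted site and a
    blocked one (so it is never cached); 209.165.200.227 is denied."""
    if dst_ip == "209.165.200.225":
        return True, True
    if dst_ip == "209.165.200.226":
        return (not url.startswith("http://games.example.com")), False
    return False, False


def demo() -> dict:
    """Constructed request sequence; returns the verdicts and the query count."""
    f = UrlFilter(demo_server, max_url_len=64, truncate_long=False, cache_ttl=60)
    t = UrlFilter(demo_server, max_url_len=64, truncate_long=True, cache_ttl=60)
    long_url = "http://docs.example.com/" + "a" * 80
    results = [
        f.check("209.165.200.225", "http://docs.example.com/guide", now=0),
        f.check("209.165.200.225", "http://docs.example.com/other", now=10),
        f.check("209.165.200.225", "http://docs.example.com/other", now=100),
        f.check("209.165.200.226", "http://news.example.com/", now=0),
        f.check("209.165.200.226", "http://games.example.com/", now=0),
        f.check("209.165.200.227", "http://bad.example.net/", now=0),
        f.check("209.165.200.225", long_url, now=0),
        t.check("209.165.200.225", long_url, now=0),
    ]
    return {"results": results, "queries": f.server_queries}


if __name__ == "__main__":
    for r in demo()["results"]:
        print(r)
```

The third request shows the cache expiring after the lifetime and the server being consulted again, and the mixed-category address (209.165.200.226) is never cached, so every request to it costs a round trip.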
To enable HTTPS filtering, enter the following command:

Command: filter https port[-port] localIP local_mask foreign_IP foreign_mask [allow]
Purpose: Enables HTTPS filtering. Replace port[-port] with a range of port numbers if a port other than the default port for HTTPS (443) is used.
Monitoring Filtering Statistics

To monitor filtering statistics, enter one of the following commands:

Command                      Purpose
show url-server              Shows information about the URL filtering server.
show url-server statistics   Shows URL filtering statistics.
show url-block               Shows the number of packets held in the url-block buffer and the number (if any) dropped because of exceeding the buffer limit or retransmission.
STATUS_REQUEST                 1609    1601
LOOKUP_REQUEST                 1526    1526
LOG_REQUEST                    0       NA

Errors:
-------
RFC noncompliant GET method    0
URL buffer update failure      0

The following is sample output from the show url-block command:

ciscoasa# show url-block
url-block url-mempool 128
url-block url-size 4
url-block block 128

The following is sample output from the show url-block block statistics command:

ciscoasa# show url-block block statistics
URL Pending
Feature History for URL Filtering

Table 29-5 lists the release history for URL filtering. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 29-5 Feature History for URL Filtering

Feature Name    Platform Releases   Feature Information
URL filtering   7.0(1)              Filters URLs based on an established set of filtering criteria.
PART 8 Configuring Modules
CHAPTER 30 Configuring the ASA CX Module

This chapter describes how to configure the ASA CX module that runs on the ASA.
Information About the ASA CX Module

How the ASA CX Module Works with the ASA

The ASA CX module runs a separate application from the ASA. The ASA CX module includes external management interface(s) so you can connect to the ASA CX module directly. Any data interfaces on the ASA CX module are used for ASA traffic only. Traffic goes through the firewall checks before being forwarded to the ASA CX module.
Monitor-Only Mode

For demonstration purposes, you can configure a service policy or a traffic-forwarding interface in monitor-only mode. For guidelines and limitations for monitor-only mode, see the “Guidelines and Limitations” section on page 30-6.
Figure 30-3 ASA CX Traffic-Forwarding
[Figure labels: Switch, SPAN Port; ASA Main System, Gig 0/3, Backplane, Forwarded Traffic; ASA CX, ASA CX inspection]

Information About ASA CX Management

• Initial Configuration, page 30-4
• Policy Configuration and Management, page 30-5

Initial Configuration

For initial configuration, you must use the CLI on the ASA CX module to run the setup command and configure other optional settings.
or ASDM). However, physical characteristics (such as enabling the interface) are configured on the ASA. You can remove the ASA interface configuration (specifically the interface name) to dedicate this interface as an ASA CX-only interface. This interface is management-only.

Policy Configuration and Management

After you perform initial configuration, configure the ASA CX policy using Cisco Prime Security Manager (PRSM).
• Do not configure ASA inspection on HTTP traffic.
• Do not configure Cloud Web Security (ScanSafe) inspection. If you configure both the ASA CX action and Cloud Web Security inspection for the same traffic, the ASA only performs the ASA CX action.
• Other application inspections on the ASA are compatible with the ASA CX module, including the default inspections.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode. Traffic-forwarding interfaces are only supported in transparent mode.

Failover Guidelines
Does not support failover directly; when the ASA fails over, any existing ASA CX flows are transferred to the new ASA, but the traffic is allowed through the ASA without being inspected by the ASA CX.

ASA Clustering Guidelines
Does not support clustering.
Additional Guidelines and Limitations
• See the “Compatibility with ASA Features” section on page 30-5.
• You cannot change the software type installed on the hardware module; if you purchase an ASA CX module, you cannot later install other software on it.

Default Settings

Table 30-1 lists the default settings for the ASA CX module.
Step 3 (ASA 5585-X; Optional) Configure the ASA CX module management IP address for initial SSH access. See the “(ASA 5585-X) Changing the ASA CX Management IP Address” section on page 30-14.
Step 4 On the ASA CX module, configure basic settings. See the “Configuring Basic ASA CX Settings at the ASA CX CLI” section on page 30-15.
Step 5 On the ASA CX module, configure the security policy using PRSM.
If you have an inside router

If you have an inside router, you can route between the management network, which can include both the ASA Management 0/0 and ASA CX Management 1/0 interfaces, and the ASA inside network for Internet access. Be sure to also add a route on the ASA to reach the Management network through the inside router.
ASA 5512-X through ASA 5555-X (Software Module)

These models run the ASA CX module as a software module, and the ASA CX management interface shares the Management 0/0 interface with the ASA. For initial setup, you can connect with SSH to the ASA CX default IP address (192.168.1.2/24).
CX IP address for that interface. Because the ASA CX module is essentially a separate device from the ASA, you can configure the ASA CX management address to be on the same network as the inside interface.
http://www.cisco.com/cisco/software/release.html?mdfid=284325223&softwareid=284399946

The boot software lets you set basic ASA CX network configuration, partition the SSD, and download the larger system software from a server of your choice to the SSD.

Step 2 Download the ASA CX system software from Cisco.com to an HTTP, HTTPS, or FTP server accessible from the ASA CX management interface. If you have a Cisco.
Chapter 30 Configuring the ASA CX Module Configuring the ASA CX Module Username: buffy Password: angelforever Verifying Downloading Extracting Package Detail Description: Requires reboot: Cisco ASA CX System Upgrade Yes Do you want to continue with upgrade? [n]: Y Warning: Please do not interrupt the process or turn off the system. Doing so might leave system in unusable state. Upgrading Stopping all the services ... Starting upgrade process ... Reboot is required to complete the upgrade.
Chapter 30 Configuring the ASA CX Module Configuring the ASA CX Module Configuring Basic ASA CX Settings at the ASA CX CLI You must configure basic network settings and other parameters on the ASA CX module before you can configure your security policy. Detailed Steps Step 1 Do one of the following: • (All models) Use SSH to connect to the ASA CX management IP address.
Chapter 30 Configuring the ASA CX Module Configuring the ASA CX Module Applying... Done. Generating self-signed certificate, the web server will be restarted after that ... Done. Press ENTER to continue... asacx> Note: If you change the host name, the prompt does not show the new name until you log out and log back in. Step 5 If you do not use NTP, configure the time settings. The default time zone is the UTC time zone. Use the show time command to see the current settings.
Chapter 30 Configuring the ASA CX Module Configuring the ASA CX Module What to Do Next • (Optional) Configure the authentication proxy port. See the “(Optional) Configuring the Authentication Proxy Port” section on page 30-17. • Redirect traffic to the ASA CX module. See the “Redirecting Traffic to the ASA CX Module” section on page 30-18. (Optional) Configuring the Authentication Proxy Port The default authentication port is 885. To change the authentication proxy port, perform the following steps.
Chapter 30 Configuring the ASA CX Module Configuring the ASA CX Module Redirecting Traffic to the ASA CX Module You can redirect traffic to the ASA CX module by creating a service policy that identifies specific traffic. For demonstration purposes only, you can also enable monitor-only mode for the service policy, which forwards a copy of traffic to the ASA CX module, while the original traffic remains unaffected.
Chapter 30 Configuring the ASA CX Module Configuring the ASA CX Module Detailed Steps Step 1 Command: class-map name. Purpose: Creates a class map to identify the traffic that you want to send to the ASA CX module. If you want to send multiple traffic classes to the ASA CX module, you can create multiple class maps for use in the security policy. Example: ciscoasa(config)# class-map cx_class Step 2 Command: match parameter. Purpose: Specifies the traffic in the class map.
Chapter 30 Configuring the ASA CX Module Configuring the ASA CX Module Step 6 Command: class name2. Purpose: (Optional) If you created multiple class maps for ASA CX traffic, you can specify another class for the policy. See the “Feature Matching Within a Service Policy” section on page 1-3 for detailed information about how the order of classes matters within a policy map. Example: ciscoasa(config-pmap)# class cx_class2 Step 7 Command: (Optional) cxsc {fail-close | fail-open} [auth-proxy | monitor-only]
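The following is an added example, not configuration from this guide or from Cisco, that puts the redirection steps above together into one policy and shows why the fail mode and the class order matter. The interface name inside, the inside network 192.168.1.0/24, the server segment 10.1.20.0/24, and every ACL, class-map and policy-map name are assumed for illustration. Traffic to the server segment is fail-close, so it is dropped rather than passed uninspected if the module goes down; general web browsing is fail-open, which keeps users online during a module outage but means that traffic is not inspected until the module is back. Monitor-only mode forwards a copy of the traffic only and enforces nothing, so it is kept out of a production policy.

```text
! Added example (not from the guide): interface, addresses and names are assumed.
access-list cx_servers extended permit ip 192.168.1.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list cx_web extended permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list cx_web extended permit tcp 192.168.1.0 255.255.255.0 any eq 443
!
class-map cx_servers_class
 match access-list cx_servers
class-map cx_web_class
 match access-list cx_web
!
! A packet is matched against only one cxsc class in the policy map, so the
! more specific class must come first. If cx_web_class were listed first,
! port 80/443 traffic to 10.1.20.0/24 would take the fail-open rule instead.
policy-map cx_policy
 class cx_servers_class
  cxsc fail-close auth-proxy
 class cx_web_class
  cxsc fail-open
!
service-policy cx_policy interface inside
!
! Verification, using the monitoring commands from this chapter:
! card status must be Up and the redirected/proxied counters must increment,
! and redirected connections must carry the X flag (inspected by service module).
show service-policy cxsc
show conn detail
show module cxsc details
```

On the ASA 5585-X the hardware module is slot 1, so the last command is show module 1 details. Keep any monitor-only demonstration in a separate policy; it is not a substitute for the enforcing classes above.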
Chapter 30 Configuring the ASA CX Module Managing the ASA CX Module Detailed Steps Step 1 Command: interface physical_interface. Purpose: Enters interface configuration mode for the physical interface you want to use for traffic-forwarding. Example: ciscoasa(config)# interface gigabitethernet 0/5 Step 2 Command: no nameif. Purpose: Removes any name configured for the interface. If this interface was used in any ASA configuration, that configuration is removed. Example: ciscoasa(config-ifc)# no nameif Step 3 Step 4
Chapter 30 Configuring the ASA CX Module Managing the ASA CX Module Resetting the Password You can reset the module password to the default. For the user admin, the default password is Admin123. After resetting the password, you should change it to a unique value using the module application. Resetting the module password causes the module to reboot. Services are not available while the module is rebooting. To reset the module password to the default of Admin123, perform the following steps.
Chapter 30 Configuring the ASA CX Module Managing the ASA CX Module Detailed Steps Command: hw-module module 1 reload (for a hardware module, ASA 5585-X) or sw-module module cxsc reload (for a software module, ASA 5512-X through ASA 5555-X). Purpose: Reloads the module software. Example: ciscoasa# hw-module module 1 reload For a hardware module: Performs a reset, and then reloads the module.
Chapter 30 Configuring the ASA CX Module Managing the ASA CX Module (ASA 5512-X through ASA 5555-X) Uninstalling a Software Module Image To uninstall a software module image and associated configuration, perform the following steps. Guidelines In multiple context mode, perform this procedure in the system execution space. Detailed Steps Step 1 Command Purpose sw-module module cxsc uninstall Permanently uninstalls the software module image and associated configuration.
Chapter 30 Configuring the ASA CX Module Monitoring the ASA CX Module Detailed Steps Command: session cxsc (Telnet session). Purpose: Accesses the module using Telnet. You are prompted for the username and password. The default username is admin, and the default password is Admin123. Example: ciscoasa# session cxsc Opening command session with slot 1. Connected to module cxsc. Escape character sequence is 'CTRL-^X'. cxsc login: admin Password: Admin123 Console session. Accesses the module console.
Chapter 30 Configuring the ASA CX Module Monitoring the ASA CX Module To check the status of a module, enter one of the following commands: Command Purpose show module Displays the status. show module {1 | cxsc} details Displays additional status information. Specify 1 for a hardware module and cxsc for a software module. show module cxsc recover Displays the network parameters for transferring a software module boot image.
Chapter 30 Configuring the ASA CX Module Monitoring the ASA CX Module The following is sample output from the show service-policy command showing the ASA CX policy and the current statistics as well as the module status when the authentication proxy is enabled; in this case, the proxied counters also increment: hostname# show service-policy cxsc Global policy: Service-policy: pmap Class-map: class-default Default Queueing Set connection policy: random-sequence-number disable drop 0 CXSC: card status Up, m
Chapter 30 Configuring the ASA CX Module Monitoring the ASA CX Module Command Purpose show asp event dp-cp cxsc-msg This output shows how many ASA CX module messages are on the dp-cp queue. Currently, only VPN queries from the ASA CX module are sent to dp-cp. show conn This command already shows if a connection is being forwarded to a module by displaying the ‘X - inspected by service module’ flag. Connections being forwarded to the ASA CX module will also display the ‘X’ flag.
Chapter 30 Configuring the ASA CX Module Monitoring the ASA CX Module in in in dst ip/id=172.23.58.52, mask=255.255.255.255, port=2000, dscp=0x0 input_ifc=mgmt, output_ifc=identity id=0x7ffed86caa80, priority=121, domain=cxsc-auth-proxy, deny=false hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0 dst ip/id=192.168.5.172, mask=255.255.255.
Chapter 30 Configuring the ASA CX Module Troubleshooting the ASA CX Module cxsc-msg 1 0 1 0 1 0 The following is sample output from the show conn detail command: ciscoasa# show conn detail 0 in use, 105 most used Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN, B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media, D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN, G - group, g - MGCP, H - H.323, h - H.225.
Chapter 30 Configuring the ASA CX Module Troubleshooting the ASA CX Module When you enable the authentication proxy, the ASA generates a debug message when it sends an authentication proxy TLV to the ASA CX module, giving IP and port details: DP CXSC Event: Sent Auth proxy tlv for adding Auth Proxy on interface: inside4. DP CXSC Event: Sent Auth proxy tlv for adding Auth Proxy on interface: cx_inside. DP CXSC Event: Sent Auth proxy tlv for adding Auth Proxy on interface: cx_outside.
Chapter 30 Configuring the ASA CX Module Configuration Examples for the ASA CX Module Note 2. Check the output of the show service-policy cxsc command to see if any packets were proxied. 3. Perform a packet capture on the backplane, and check to see if traffic is being redirected on the correct configured port. See the “Capturing Module Traffic” section on page 30-30.
Chapter 30 Configuring the ASA CX Module Feature History for the ASA CX Module ciscoasa(config-pmap)# class my-cx-class2 ciscoasa(config-pmap-c)# cxsc fail-open auth-proxy ciscoasa(config-pmap-c)# service-policy my-cx-policy interface outside Feature History for the ASA CX Module Table 30-2 lists each feature change and the platform release in which it was implemented.
Chapter 30 Configuring the ASA CX Module Feature History for the ASA CX Module Table 30-2 Feature History for the ASA CX Module (continued) Feature Name: Monitor-only mode for demonstration purposes. Platform Releases: ASA 9.1(2), ASA CX 9.1(2). Feature Information: For demonstration purposes only, you can enable monitor-only mode for the service policy, which forwards a copy of traffic to the ASA CX module, while the original traffic remains unaffected.
Chapter 30 Configuring the ASA CX Module Feature History for the ASA CX Module Table 30-2 Feature History for the ASA CX Module (continued) Feature Name: Multiple context mode support for the ASA CX module. Platform Releases: ASA 9.1(3), ASA CX 9.2(1). Feature Information: You can now configure ASA CX service policies per context on the ASA.
CHAPTER 31 Configuring the ASA IPS Module This chapter describes how to configure the ASA IPS module. The ASA IPS module might be a hardware module or a software module, depending on your ASA model. For a list of supported ASA IPS modules per ASA model, see the Cisco ASA Compatibility Matrix: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.
Chapter 31 Configuring the ASA IPS Module Information About the ASA IPS Module How the ASA IPS Module Works with the ASA The ASA IPS module runs a separate application from the ASA. The ASA IPS module might include an external management interface so you can connect to the ASA IPS module directly; if it does not have a management interface, you can connect to the ASA IPS module through the ASA interface.
Chapter 31 Configuring the ASA IPS Module Information About the ASA IPS Module Operating Modes You can send traffic to the ASA IPS module using one of the following modes: • Inline mode—This mode places the ASA IPS module directly in the traffic flow (see Figure 31-1). No traffic that you identified for IPS inspection can continue through the ASA without first passing through, and being inspected by, the ASA IPS module.
Chapter 31 Configuring the ASA IPS Module Information About the ASA IPS Module Figure 31-3 Security Contexts and Virtual Sensors (figure: the ASA main system with Context 1, Context 2, and Context 3, paired with Sensor 1 and Sensor 2 on the IPS module) Figure 31-4 shows a single mode ASA paired with multiple virtual sensors (in inline mode); each defined traffic flow goes to a different sensor.
Chapter 31 Configuring the ASA IPS Module Licensing Requirements for the ASA IPS module See the following information about the management interface: – ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X—The IPS management interface is a separate external Gigabit Ethernet interface. – ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X—These models run the ASA IPS module as a software module. The IPS management interface shares the Management 0/0 interface with the ASA.
Chapter 31 Configuring the ASA IPS Module Default Settings http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html • The ASA 5505 does not support multiple context mode, so multiple context features, such as virtual sensors, are not supported on the AIP SSC. • The ASA IPS module for the ASA 5510 and higher supports higher performance requirements, while the ASA IPS module for the ASA 5505 is designed for a small office installation.
Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Configuring the ASA IPS module This section describes how to configure the ASA IPS module and includes the following topics: • Task Flow for the ASA IPS Module, page 31-7 • Connecting the ASA IPS Management Interface, page 31-8 • Sessioning to the Module from the ASA, page 31-11 • Configuring Basic IPS Module Network Settings, page 31-12 • (ASA 5512-X through ASA 5555-X) Booting the Software Module, page 31-11 • Configurin
Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Connecting the ASA IPS Management Interface In addition to providing management access to the IPS module, the IPS management interface needs access to an HTTP proxy server or a DNS server and the Internet so it can download global correlation, signature updates, and license requests. This section describes recommended network configurations. Your network may differ.
Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module If you do not have an inside router If you have only one inside network, then you cannot also have a separate management network, which would require an inside router to route between the networks. In this case, you can manage the ASA from the inside interface instead of the Management 0/0 interface.
Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module If you do not have an inside router If you have only one inside network, then you cannot also have a separate management network. In this case, you can manage the ASA from the inside interface instead of the Management 0/0 interface. If you remove the ASA-configured name from the Management 0/0 interface, you can still configure the IPS IP address for that interface.
Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Sessioning to the Module from the ASA To access the IPS module CLI from the ASA, you can session from the ASA. For software modules, you can either session to the module (using Telnet) or create a virtual console session. A console session might be useful if the control plane is down and you cannot establish a Telnet session. Detailed Steps Command Purpose Telnet session. Accesses the module using Telnet.
Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Detailed Steps Step 1 Do one of the following: • New ASA with IPS pre-installed—To view the IPS module software filename in flash memory, enter: ciscoasa# dir disk0: For example, look for a filename like IPS-SSP_5512-K9-sys-1.1-a-7.1-4-E4.aip. Note the filename; you will need this filename later in the procedure. • Existing ASA with new IPS installation—Download the IPS software from Cisco.com to a TFTP server.
Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module (ASA 5510 and Higher) Configuring Basic Network Settings Session to the module from the ASA and configure basic settings using the setup command. Note (ASA 5512-X through ASA 5555-X) If you cannot session to the module, then the IPS module is not running. See the “(ASA 5512-X through ASA 5555-X) Booting the Software Module” section on page 31-11, and then repeat this procedure after you install the module.
Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Restrictions Do not configure NAT for the management address if you intend to access it using ASDM. For initial setup with ASDM, you need to access the real address. After initial setup (where you set the password on the ASA IPS module), you can configure NAT and supply ASDM with the translated address for accessing the ASA IPS module.
Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Step 5 Command Purpose hw-module module 1 ip ip_address netmask gateway Configures the management IP address for the ASA IPS module. Make sure this address is on the same subnet as the ASA VLAN IP address. For example, if you assigned 10.1.1.1 to the VLAN for the ASA, then assign another address on that network, such as 10.1.1.2, for the IPS management address. Example: ciscoasa# hw-module module 1 ip 10.1.1.2 255.255.255.0 10.
Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Detailed Steps Step 1 Step 2 Access the ASA IPS module CLI using one of the following methods: • Session from the ASA to the ASA IPS module. See the “Sessioning to the Module from the ASA” section on page 31-11. • Connect to the IPS management interface using SSH. If you did not change it, the default management IP address is 192.168.1.2. The default username is cisco, and the default password is cisco.
Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Detailed Steps Step 1 Command Purpose context name Identifies the context you want to configure. Enter this command in the system execution space. Example: ciscoasa(config)# context admin ciscoasa(config-ctx)# Step 2 allocate-ips sensor_name [mapped_name] [default] Example: ciscoasa(config-ctx)# allocate-ips sensor1 highsec Enter this command for each sensor you want to assign to the context.
Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Examples The following example assigns sensor1 and sensor2 to context A, and sensor1 and sensor3 to context B. Both contexts map the sensor names to “ips1” and “ips2.” In context A, sensor1 is set as the default sensor, but in context B, no default is set so the default that is configured on the ASA IPS module is used.
Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Detailed Steps Step 1 Command: class-map name. Purpose: Creates a class map to identify the traffic that you want to send to the ASA IPS module. If you want to send multiple traffic classes to the ASA IPS module, you can create multiple class maps for use in the security policy. Example: ciscoasa(config)# class-map ips_class Step 2 Command: match parameter. Purpose: Specifies the traffic in the class map.
Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Step 5 Command: ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}] Purpose: Specifies that the traffic should be sent to the ASA IPS module. The inline and promiscuous keywords control the operating mode of the ASA IPS module. The fail-close keyword sets the ASA to block all traffic if the ASA IPS module is unavailable. Example: ciscoasa(config-pmap-c)# ips promiscuous fail-close
Chapter 31 Configuring the ASA IPS Module Managing the ASA IPS module Step 7 Command: ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}] Purpose: (Optional) Specifies that the second class of traffic should be sent to the ASA IPS module. Add as many classes as desired by repeating these steps.
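The following is an added example, not configuration from this guide or from Cisco, that carries the virtual sensor assignment described under allocate-ips (sensor1 and sensor2 to context A, sensor1 and sensor3 to context B, both contexts using the mapped names ips1 and ips2, sensor1 as the default only in context A) through to a service policy inside one of those contexts using the ips command steps above. The context names A and B, the interface name outside, the DMZ network 10.1.30.0/24, and the ACL, class-map and policy-map names are assumed for illustration.

```text
! Added example (not from the guide): context, interface and ACL names are assumed.
!
! System execution space. The mapped names let the context administrator work
! with ips1/ips2 without knowing which virtual sensor on the module backs them.
context A
 allocate-ips sensor1 ips1 default
 allocate-ips sensor2 ips2
context B
 allocate-ips sensor1 ips1
 allocate-ips sensor3 ips2
!
! Context B sets no default, so a policy there that omits the sensor keyword
! uses the default virtual sensor configured on the ASA IPS module itself.
!
! Inside context A: DMZ-bound traffic goes inline through ips2 and is dropped
! if the module is unavailable (fail-close). Everything else is mirrored to
! ips1 in promiscuous mode, which can alert but cannot block, and is allowed
! through if the module is down (fail-open).
changeto context A
configure terminal
access-list ips_dmz_acl extended permit ip any 10.1.30.0 255.255.255.0
class-map ips_dmz_class
 match access-list ips_dmz_acl
policy-map ips_policy
 class ips_dmz_class
  ips inline fail-close sensor ips2
 class class-default
  ips promiscuous fail-open sensor ips1
service-policy ips_policy interface outside
```

The specific class is listed before class-default because a packet is matched against only one ips class in the policy map. Promiscuous mode is a copy of the traffic, so fail-open on it costs visibility during an outage, not enforcement; the inline class is where fail-close actually prevents a bypass.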
Chapter 31 Configuring the ASA IPS Module Managing the ASA IPS module Note Before you download the IPS software to disk0, make sure at least 50% of the flash memory is free. When you install IPS, IPS reserves 50% of the internal flash memory for its file system. Detailed Steps Step 1 Command Purpose For a hardware module (for example, the ASA 5585-X): Specifies the location of the new image.
Chapter 31 Configuring the ASA IPS Module Managing the ASA IPS module Shutting Down the Module Shutting down the module software prepares the module to be safely powered off without losing configuration data. Note: If you reload the ASA, the module is not automatically shut down, so we recommend shutting down the module before reloading the ASA. To gracefully shut down the module, perform the following steps at the ASA CLI.
Chapter 31 Configuring the ASA IPS Module Managing the ASA IPS module Resetting the Password You can reset the module password to the default. For the user cisco, the default password is cisco. After resetting the password, you should change it to a unique value using the module application. Resetting the module password causes the module to reboot. Services are not available while the module is rebooting. To reset the module password to the default of cisco, perform the following steps.
Chapter 31 Configuring the ASA IPS Module Monitoring the ASA IPS module Reloading or Resetting the Module To reload or reset the module, enter one of the following commands at the ASA CLI. Detailed Steps Command Purpose For a hardware module (for example, the ASA 5585-X): Reloads the module software.
Chapter 31 Configuring the ASA IPS Module Configuration Examples for the ASA IPS module Serial Number: JAB11370240 Firmware version: 1.0(14)3 Software version: 6.2(1)E2 MAC Address Range: 001d.45c2.e832 to 001d.45c2.e832 App. Name: IPS App. Status: Up App. Status Desc: Not Applicable App. Version: 6.2(1)E2 Data plane Status: Up Status: Up Mgmt IP Addr: 209.165.201.29 Mgmt Network Mask: 255.255.224.0 Mgmt Gateway: 209.165.201.30 Mgmt Access List: 209.165.201.31/32 209.165.202.158/32 209.165.200.
Chapter 31 Configuring the ASA IPS Module Feature History for the ASA IPS module ciscoasa(config)# class-map my-ips-class ciscoasa(config-cmap)# match access-list my-ips-acl ciscoasa(config)# class-map my-ips-class2 ciscoasa(config-cmap)# match access-list my-ips-acl2 ciscoasa(config-cmap)# policy-map my-ips-policy ciscoasa(config-pmap)# class my-ips-class ciscoasa(config-pmap-c)# ips inline fail-open sensor sensor1 ciscoasa(config-pmap)# class my-ips-class2 ciscoasa(config-pmap-c)# ips inline fail-open s
Chapter 31 Configuring the ASA IPS Module Feature History for the ASA IPS module Table 31-2 Feature History for the ASA IPS module (continued) Feature Name: Support for Dual SSPs for SSP-40 and SSP-60. Platform Releases: 8.4(2). Feature Information: For SSP-40 and SSP-60, you can use two SSPs of the same level in the same chassis. Mixed-level SSPs are not supported (for example, an SSP-40 with an SSP-60 is not supported).
CHAPTER 32 Configuring the ASA CSC Module This chapter describes how to configure the Content Security and Control (CSC) application that is installed in a CSC SSM in the ASA.
Chapter 32 Configuring the ASA CSC Module Information About the CSC SSM Figure 32-1 Flow of Scanned Traffic with the CSC SSM (figure: a client request enters the ASA inside interface, the modular service policy on the ASA main system diverts it to the CSC SSM for a content security scan, and the request is then forwarded out the outside interface to the server; the server reply is diverted and scanned the same way before being forwarded to the client) You use ASDM for system setup and monitoring of the CSC SSM.
Chapter 32 Configuring the ASA CSC Module Information About the CSC SSM Figure 32-2 CSC SSM Deployment with a Management Network (figure: ASA main system with inside interface 192.168.100.1 and outside interface 10.6.13.67; the CSC SSM management port 192.168.50.1 sits on a separate management network with the ASDM and Syslog hosts; the Trend Micro Update Server is reached across the Internet)
Chapter 32 Configuring the ASA CSC Module Information About the CSC SSM Based on the configuration shown in Figure 32-3, configure the ASA to divert to the CSC SSM only requests from clients on the inside network for HTTP, FTP, and POP3 connections to the outside network, and incoming SMTP connections from outside hosts to the mail server on the DMZ network. Exclude from scanning HTTP requests from the inside network to the web server on the DMZ network.
Chapter 32 Configuring the ASA CSC Module Licensing Requirements for the CSC SSM In the outside-policy, outside-class matches SMTP traffic from any outside source to the DMZ network. This setting protects the SMTP server and inside users who download e-mail from the SMTP server on the DMZ network, without having to scan connections from SMTP clients to the server.
Chapter 32 Configuring the ASA CSC Module Guidelines and Limitations – Domain name and hostname for the CSC SSM. – An e-mail address and an SMTP server IP address and port number for e-mail notifications. – E-mail address(es) for product license renewal notifications. – IP addresses of hosts or networks that are allowed to manage the CSC SSM. The IP addresses for the CSC SSM management port and the ASA management interface can be in different subnets. – Password for the CSC SSM.
Chapter 32 Configuring the ASA CSC Module Configuring the CSC SSM Configuring the CSC SSM This section describes how to configure the CSC SSM and includes the following topics: • Before Configuring the CSC SSM, page 32-7 • Connecting to the CSC SSM, page 32-8 • Diverting Traffic to the CSC SSM, page 32-10 Before Configuring the CSC SSM Before configuring the ASA and the CSC SSM, perform the following steps: Step 1 If the CSC SSM did not come preinstalled in a Cisco ASA, install it and connect a net
Chapter 32 Configuring the ASA CSC Module Configuring the CSC SSM • If you manually control time settings, verify the clock settings, including time zone. Choose Configuration > Properties > Device Administration > Clock. • If you are using NTP, verify the NTP configuration. Choose Configuration > Properties > Device Administration > NTP. Step 6 Open ASDM. Step 7 Connect to and log in to the CSC SSM. For instructions, see the “Connecting to the CSC SSM” section on page 32-8.
Chapter 32 Configuring the ASA CSC Module Configuring the CSC SSM To connect to the CSC SSM, perform the following steps: Step 1 In the ASDM main application window, click the Content Security tab. Step 2 In the Connecting to CSC dialog box, click one of the following radio buttons: • To connect to the IP address of the management port on the SSM, click Management IP Address. ASDM automatically detects the IP address for the SSM in the ASA.
Chapter 32 Configuring the ASA CSC Module Configuring the CSC SSM What to Do Next See the “Diverting Traffic to the CSC SSM” section on page 32-10. Diverting Traffic to the CSC SSM You use Modular Policy Framework commands to configure the ASA to divert traffic to the CSC SSM. Prerequisites Before configuring the ASA to divert traffic to the CSC SSM, see Chapter 1, “Configuring a Service Policy Using the Modular Policy Framework,” which introduces Modular Policy Framework concepts and common commands.
Chapter 32 Configuring the ASA CSC Module Configuring the CSC SSM Step 6 Command Purpose set connection per-client-max n Lets you configure limits to thwart DoS attacks. The per-client-max parameter limits the maximum number of connections that individual clients can open. If a client uses more network resources simultaneously than is desired, you can enforce a per-client limit for simultaneous connections that the ASA diverts to the CSC SSM.
Chapter 32 Configuring the ASA CSC Module Configuring the CSC SSM Step 7 Command Purpose csc {fail-close | fail-open} Enables traffic scanning with the CSC SSM and assigns the traffic identified by the class map as traffic to be sent to the CSC SSM. Must be part of a service policy, which can be applied globally or to specific interfaces.
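The following is an added example, not configuration from this guide or from Cisco, that implements the deployment the chapter describes for Figure 32-3: inside clients' HTTP, FTP and POP3 connections to the outside network are scanned, inbound SMTP to the DMZ mail server is scanned, and inside HTTP requests to the DMZ web server are exempted, with the per-client connection limit from Step 6. The inside network 192.168.10.0/24, the DMZ web server 10.10.1.10, the DMZ mail server 10.10.1.20, the interface names and the ACL, class-map and policy-map names are assumed for illustration.

```text
! Added example (not from the guide): addresses, interface names and object names are assumed.
!
! For "match access-list", a deny entry exempts matching traffic from the
! class, and entries are evaluated in order, so the DMZ web server exemption
! must precede the permit for HTTP to anywhere.
access-list csc_out extended deny tcp 192.168.10.0 255.255.255.0 host 10.10.1.10 eq 80
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq 80
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq 21
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq 110
access-list csc_in extended permit tcp any host 10.10.1.20 eq 25
!
class-map csc_outbound_class
 match access-list csc_out
class-map csc_inbound_class
 match access-list csc_in
!
! Outbound: fail-open keeps users browsing if the SSM is down, at the cost of
! unscanned traffic during the outage. per-client-max caps the scanned
! connections one host can hold open so a single client cannot exhaust the SSM.
policy-map csc_out_policy
 class csc_outbound_class
  set connection per-client-max 50
  csc fail-open
!
! Inbound SMTP to the DMZ mail server: fail-close, because unscanned mail
! reaching the server is worse than mail delayed until the SSM is back.
policy-map csc_in_policy
 class csc_inbound_class
  csc fail-close
!
service-policy csc_out_policy interface inside
service-policy csc_in_policy interface outside
```

Because the inbound policy is applied on the outside interface, only SMTP arriving from outside hosts is diverted; mail clients on the inside fetching from the DMZ server are not scanned twice, which is the trade-off the chapter describes.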
Chapter 32 Configuring the ASA CSC Module Monitoring the CSC SSM What to Do Next See the “Monitoring the CSC SSM” section on page 32-13. Monitoring the CSC SSM To check the status of a module, enter one of the following commands: Command Purpose show module Displays the status. show module 1 details Displays additional status information. show module 1 recover Displays the network parameters for transferring an image to the module.
Chapter 32 Configuring the ASA CSC Module Troubleshooting the CSC Module Port Mask: 255.255.224.0 Gateway IP Address: 209.165.200.
Chapter 32 Configuring the ASA CSC Module Troubleshooting the CSC Module Detailed Steps Step 1 Command Purpose hw-module module 1 recover configure Specifies the location of the new image. This command prompts you for the URL for the TFTP server, the management interface IP address and netmask, gateway address, and VLAN ID (ASA 5505 only).
Chapter 32 Configuring the ASA CSC Module Troubleshooting the CSC Module To reset the module password to the default of cisco, perform the following steps. Detailed Steps Command Purpose hw-module module 1 password-reset Resets the module password to cisco. The 1 is the specified slot number on the SSM hardware module. On the CSC SSM, entering this command resets web services on the hardware module after the password has been reset.
Chapter 32 Configuring the ASA CSC Module Configuration Examples for the CSC SSM Shutting Down the Module If you restart the ASA, the module is not automatically restarted. To shut down the module, perform the following steps at the ASA CLI. Detailed Steps Command Purpose hw-module module 1 shutdown Shuts down the module. Example: ciscoasa# hw-module module 1 shutdown Configuration Examples for the CSC SSM To identify the traffic that you want to scan, you can configure the ASA in different ways.
Chapter 32 Configuring the ASA CSC Module Additional References ciscoasa(config-pmap)# class csc_inbound_class ciscoasa(config-pmap-c)# csc fail-close ciscoasa(config-pmap-c)# service-policy csc_in_policy interface outside The following example shows how to use an ACL to exempt the traffic from being matched by the policy map and prevent the ASA from sending traffic to the CSC SSM: ciscoasa(config)# access-list ciscoasa(config)# access-list 255.255.255.
Chapter 32 Configuring the ASA CSC Module Feature History for the CSC SSM Related Topic: Instructions on use of the CSC SSM GUI; additional licensing requirements of specific windows available in the CSC SSM GUI; reviewing the default content security policies in the CSC SSM GUI before modifying them or entering advanced configuration settings. Document Title: Cisco Content Security and Control SSM Administrator Guide. Related Topic: Technical Documentation, Marketing, and Support-related information.
