Cisco ASDM User Guide Version 6.1 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS Preface xxxix Related Documentation xxxix Document Conventions xxxix Obtaining Documentation and Submitting a Service Request i-xl xl PART Getting Started 1 CHAPTER 1 Welcome to ASDM 1-1 ASDM Client Operating System and Browser Requirements VPN Specifications 1-2 Supported Platforms and SSMs New ASDM Features 1-2 1-2 1-4 Multiple ASDM Session Support 1-4 Unsupported Commands 1-4 Ignored and View-Only Commands 1-4 Effects of Unsupported Commands 1-5 Discontinuous Subnet Masks
Contents Enabling Extended Screen Reader Support Organizational Folder 1-16 1-16 About the Help Window 1-16 Header Buttons 1-16 Browser Window 1-17 Home Pane 1-17 Device Dashboard Tab 1-18 Firewall Dashboard Tab 1-20 Content Security Tab 1-21 Intrusion Prevention Tab 1-23 Connecting to IPS 1-23 System Home Pane CHAPTER 2 1-25 Introduction to the Security Appliance 2-1 New Features by Platform Release 2-1 New Features in Version 8.1(2) 2-1 New Features in Version 8.
Contents CHAPTER 3 Defining Preferences and Using Configuration, Diagnostic, and File Management Tools Preferences 3-1 3-1 Configuration Tools 3-3 Reset Device to the Factory Default Configuration 3-3 Save Running Configuration to TFTP Server 3-4 Save Internal Log Buffer to Flash 3-5 Command Line Interface 3-5 Command Errors 3-6 Interactive Commands 3-6 Avoiding Conflicts with Other Administrators 3-6 Show Commands Ignored by ASDM on Device 3-6 Diagnostic Tools 3-7 Packet Tracer 3-7 Ping 3-8 Using the
Contents PIX 515/515E Default Configuration 4-4 Configuring the Security Appliance for ASDM Access Setting Transparent or Routed Firewall Mode at the CLI 4-4 4-4 Starting ASDM 4-6 Downloading the ASDM Launcher 4-6 Starting ASDM from the ASDM Launcher 4-6 Using ASDM in Demo Mode 4-7 Starting ASDM from a Web Browser 4-8 Configuration Overview PART Device Setup and Management 2 CHAPTER 4-9 5 Using the Startup Wizard 5-1 Startup Wizard Screens for ASA 5500 Series and PIX 500 Series Security Applia
Contents CHAPTER 6 Configuring Basic Device Settings Management IP Address 6-1 6-1 System Time 6-2 Clock 6-2 NTP 6-3 Add/Edit NTP Server Configuration 6-4 Configuring Advanced Device Management Features Configuring HTTP Redirect 6-4 Edit HTTP/HTTPS Settings 6-5 Configuring Maximum SSL VPN Sessions 6-5 History Metrics 6-6 6-4 System Image/Configuration 6-6 Activation Key 6-6 Auto Update 6-7 Set Polling Schedule 6-9 Add/Edit Auto Update Server 6-9 Advanced Auto Update Settings 6-10 Boot Image/Config
Contents Configuring an Interface (Single Mode) 7-5 Enabling Same Security Level Communication (Single Mode) PPPoE IP Address and Route Settings CHAPTER 8 7-8 7-9 Configuring Interfaces in Multiple Mode 8-1 Configuring Interfaces in the System Configuration (Multiple Mode) 8-1 Configuring Physical Interfaces in the System Configuration (Multiple Mode) 8-2 Physical Interface Overview 8-2 Configuring and Enabling Physical Interfaces in the System Configuration (Multiple Mode) Configuring Redundant I
Contents Configuring Switch Ports 9-11 Interfaces > Switch Ports 9-11 Edit Switch Port 9-12 CHAPTER 10 Configuring Security Contexts 10-1 Security Context Overview 10-1 Common Uses for Security Contexts 10-2 Unsupported Features 10-2 Context Configuration Files 10-2 How the Security Appliance Classifies Packets 10-2 Valid Classifier Criteria 10-3 Invalid Classifier Criteria 10-4 Classification Examples 10-4 Cascading Security Contexts 10-7 Management Access to Security Contexts 10-8 System Administrat
Contents Interface 11-10 Redistribution 11-14 Static Neighbor 11-17 Summary Address 11-18 Virtual Link 11-19 RIP 11-22 Setup 11-23 Interface 11-24 Filter Rules 11-25 Redistribution 11-27 EIGRP 11-28 Configuring EIGRP 11-29 Field Information for the EIGRP Panes 11-30 Static Routes 11-40 Static Route Tracking 11-41 Configuring Static Route Tracking 11-42 Field Information for Static Routes 11-42 Static Routes 11-42 Add/Edit Static Route 11-43 Route Monitoring Options 11-44 CHAPTER 12 ASR Group 11-45
Contents MForwarding PIM 12-11 12-11 Protocol 12-12 Edit PIM Protocol 12-12 Neighbor Filter 12-13 Add/Edit/Insert Neighbor Filter Entry 12-14 Bidirectional Neighbor Filter 12-14 Add/Edit/Insert Bidirectional Neighbor Filter Entry Rendezvous Points 12-16 Add/Edit Rendezvous Point 12-16 Request Filter 12-18 Request Filter Entry 12-19 Route Tree 12-20 CHAPTER 13 DHCP, DNS and WCCP Services 12-15 13-1 DHCP Relay 13-1 Edit DHCP Relay Agent Settings 13-3 Add/Edit Global DHCP Relay Server 13-3 DHCP Serve
Contents RADIUS Server Support 14-4 Authentication Methods 14-4 Attribute Support 14-4 RADIUS Authorization Functions 14-4 TACACS+ Server Support 14-4 SDI Server Support 14-5 SDI Version Support 14-5 Two-step Authentication Process 14-5 SDI Primary and Replica Servers 14-5 NT Server Support 14-5 Kerberos Server Support 14-5 LDAP Server Support 14-6 Authentication with LDAP 14-6 Securing LDAP Authentication with SASL 14-6 LDAP Server Types 14-7 Authorization with LDAP for VPN 14-7 SSO Support for WebVPN wit
Contents Active/Standby Failover 15-2 Active/Active Failover 15-2 Stateless (Regular) Failover 15-3 Stateful Failover 15-3 Configuring Failover with the High Availability and Scalability Wizard 15-4 Accessing and Using the High Availability and Scalability Wizard 15-4 Configuring Active/Active Failover with the High Availability and Scalability Wizard 15-4 Configuring Active/Standby Failover with the High Availability and Scalability Wizard 15-5 Configuring VPN Load Balancing with the High Availability and
Contents Configuring CLI Parameters 16-2 Adding a Banner 16-2 Customizing a CLI Prompt 16-3 Changing the Console Timeout Period 16-4 Configuring File Access 16-4 Configuring the FTP Client Mode 16-4 Configuring the Security Appliance as a Secure Copy Server Configuring the Security Appliance as a TFTP Client 16-5 Adding Mount Points 16-6 Adding a CIFS Mount Point 16-6 Adding an FTP Mount Point 16-6 Configuring Configuring ICMP Access 16-7 Configuring a Management Interface 16-9 16-5 Configuring SNMP
Contents Configure Logging Flash Usage 17-4 Syslog Setup 17-4 Edit Syslog ID Settings 17-5 Advanced Syslog Configuration 17-6 E-Mail Setup 17-7 Add/Edit E-Mail Recipients 17-8 Event Lists 17-8 Add/Edit Event List 17-10 Add/Edit Syslog Message ID Filter 17-10 Logging Filters 17-10 Edit Logging Filters 17-11 Add/Edit Class and Severity Filter 17-13 Add/Edit Syslog Message ID Filter 17-14 Rate Limit 17-14 Edit Rate Limit for Syslog Logging Level 17-15 Add/Edit Rate Limit for Syslog Message 17-16 Syslo
Contents MAC Address vs.
Contents Add TLS Proxy Instance Wizard – Server Configuration 19-21 Add TLS Proxy Instance Wizard – Client Configuration 19-22 Add TLS Proxy Instance Wizard – Other Steps 19-24 Phone Proxy 19-24 Configuring the Phone Proxy 19-25 Creating a Phone Proxy Instance Add/Edit TFTP Server 19-27 19-25 CTL File 19-28 Creating a CTL File 19-28 Add/Edit Record Entry 19-29 TLS Proxy 19-30 Add/Edit TLS Proxy CTL Provider 19-32 Add/Edit CTL Provider CHAPTER 20 19-31 19-33 Configuring Access Rules and EtherType Rul
Contents Log Options 20-14 Configuring Ethertype Rules (Transparent Mode Only) Add/Edit EtherType Rule 20-17 CHAPTER 21 Configuring NAT 20-16 21-1 NAT Overview 21-1 Introduction to NAT 21-1 NAT in Routed Mode 21-2 NAT in Transparent Mode 21-3 NAT Control 21-4 NAT Types 21-6 Dynamic NAT 21-6 PAT 21-8 Static NAT 21-8 Static PAT 21-9 Bypassing NAT When NAT Control is Enabled 21-10 Policy NAT 21-10 NAT and Same Security Level Interfaces 21-12 Order of NAT Rules Used to Match Real Addresses 21-13 Mapped
Contents CHAPTER 22 Configuring Service Policy Rules 22-1 Service Policy Overview 22-1 Supported Features 22-1 Service Policy Elements 22-2 Default Global Policy 22-2 Feature Directionality 22-3 Feature Matching Guidelines 22-3 Order in Which Multiple Feature Actions within a Rule are Applied Incompatibility of Certain Feature Actions 22-5 Feature Matching Guidelines for Multiple Service Policies 22-5 Adding a Service Policy Rule for Through Traffic 22-6 Adding a Service Policy Rule for Management Tr
Contents Configuring TACACS+ Authorization 23-9 Configuring RADIUS Authorization 23-10 Configuring a RADIUS Server to Send Downloadable Access Control Lists 23-11 Configuring a RADIUS Server to Download Per-User Access Control List Names 23-15 Configuring Accounting for Network Access 23-15 Using MAC Addresses to Exempt Traffic from Authentication and Authorization CHAPTER 24 Configuring Application Layer Protocol Inspection Inspection Engine Overview 24-2 When to Use Application Protocol Inspection I
Contents Configuring MMP Inspection for a TLS Proxy NetBIOS Inspection PPTP Inspection 24-18 24-19 RADIUS Accounting Inspection RSH Inspection 24-18 24-19 24-19 RTSP Inspection 24-19 RTSP Inspection Overview 24-20 Using RealPlayer 24-20 Restrictions and Limitations 24-20 SIP Inspection 24-21 SIP Inspection Overview 24-21 SIP Instant Messaging 24-21 Skinny (SCCP) Inspection 24-22 SCCP Inspection Overview 24-23 Supporting Cisco IP Phones 24-23 Restrictions and Limitations 24-24 SMTP and Extended SMTP
Contents Select RTSP Map 24-36 Select SCCP (Skinny) Map 24-37 Select SIP Map 24-37 Select SNMP Map 24-38 Class Map Field Descriptions 24-39 DNS Class Map 24-39 Add/Edit DNS Traffic Class Map 24-40 Add/Edit DNS Match Criterion 24-40 Manage Regular Expressions 24-42 Manage Regular Expression Class Maps 24-42 FTP Class Map 24-43 Add/Edit FTP Traffic Class Map 24-44 Add/Edit FTP Match Criterion 24-44 H.323 Class Map 24-46 Add/Edit H.323 Traffic Class Map 24-46 Add/Edit H.
Contents Add/Edit FTP Policy Map (Security Level) 24-80 Add/Edit FTP Policy Map (Details) 24-81 Add/Edit FTP Map 24-82 GTP Inspect Map 24-84 IMSI Prefix Filtering 24-84 Add/Edit GTP Policy Map (Security Level) 24-85 Add/Edit GTP Policy Map (Details) 24-86 Add/Edit GTP Map 24-88 H.323 Inspect Map 24-89 Phone Number Filtering 24-90 Add/Edit H.323 Policy Map (Security Level) 24-91 Add/Edit H.323 Policy Map (Details) 24-92 Add/Edit HSI Group 24-93 Add/Edit H.
Contents Add/Edit SIP Policy Map (Security Level) 24-121 Add/Edit SIP Policy Map (Details) 24-122 Add/Edit SIP Inspect 24-124 SNMP Inspect Map 24-126 Add/Edit SNMP Map 24-127 CHAPTER 25 Configuring QoS 25-1 QoS Overview 25-1 Supported QoS Features 25-2 What is a Token Bucket? 25-2 Policing Overview 25-3 Priority Queueing Overview 25-3 Traffic Shaping Overview 25-4 How QoS Features Interact 25-4 DSCP and DiffServ Preservation 25-5 Creating the Standard Priority Queue for an Interface 25-5 Creating a
Contents Configuring Connection Settings 27-6 Connection Limit Overview 27-6 TCP Intercept Overview 27-6 Disabling TCP Intercept for Management Packets for Clientless SSL VPN Compatibility Dead Connection Detection Overview 27-7 TCP Sequence Randomization Overview 27-7 TCP Normalization Overview 27-7 Enabling Connection Limits and TCP Normalization 27-7 Configuring IP Audit 27-10 IP Audit Policy 27-11 Add/Edit IP Audit Policy Configuration IP Audit Signatures 27-12 IP Audit Signature List 27-13 Configuring
Contents Getting Started with the CSC SSM 29-4 Determining What Traffic to Scan 29-6 Rule Actions for CSC Scanning 29-8 CSC SSM Setup 29-9 Activation/License 29-10 IP Configuration 29-11 Host/Notification Settings 29-11 Management Access Host/Networks 29-12 Password 29-13 Restoring the Default Password 29-14 Wizard Setup 29-15 CSC Setup Wizard Activation Codes Configuration 29-15 CSC Setup Wizard IP Configuration 29-16 CSC Setup Wizard Host Configuration 29-17 CSC Setup Wizard Management Access Configurati
Contents CHAPTER 31 SSL VPN Wizard 31-1 SSL VPN Feature 31-1 SSL VPN Interface 31-2 User Authentication Group Policy 31-2 31-3 Bookmark List 31-3 IP Address Pools and Client Image Summary CHAPTER 32 VPN 31-4 31-4 32-1 VPN Wizard 32-1 VPN Tunnel Type 32-2 Remote Site Peer 32-3 IKE Policy 32-4 Hosts and Networks 32-5 Summary 32-6 Remote Access Client 32-6 VPN Client Authentication Method and Name Client Authentication 32-8 New Authentication Server Group 32-9 User Accounts 32-10 Address P
Contents Add/Edit IKE Policy 34-5 Assignment Policy 34-6 Address Pools 34-7 Add/Edit IP Pool 34-8 IPsec 34-8 Crypto Maps 34-9 Create IPsec Rule/Tunnel Policy (Crypto Map) - Basic Tab 34-11 Create IPsec Rule/Tunnel Policy (Crypto Map) - Advanced Tab 34-13 Create IPsec Rule/Traffic Selection Tab 34-13 Pre-Fragmentation 34-16 Edit IPsec Pre-Fragmentation Policy 34-17 IPsec Transform Sets 34-18 Add/Edit Transform Set 34-18 Load Balancing 34-19 Setting Global NAC Parameters 34-22 Configuring Network Admissi
Contents Browse ICMP 35-19 Add ICMP Group 35-20 Browse Other 35-21 Add Protocol Group 35-21 Add/Edit Internal Group Policy > Servers 35-22 Add/Edit Internal Group Policy > IPSec Client 35-22 Client Access Rules 35-23 Add/Edit Client Access Rule 35-23 Add/Edit Internal Group Policy > Client Configuration Tab 35-24 Add/Edit Internal Group Policy > Client Configuration Tab > General Client Parameters Tab 35-24 View/Config Banner 35-25 Add/Edit Internal Group Policy > Client Configuration Tab > Cisco Client Pa
Contents IPSec Remote Access Connection Profiles 35-49 Add or Edit an IPSec Remote Access Connection Profile 35-50 Add or Edit IPSec Remote Access Connection Profile Basic 35-50 Mapping Certificates to IPSec or SSL VPN Connection Profiles 35-51 Configure Site-to-Site Tunnel Groups 35-54 Add/Edit Site-to-Site Connection 35-55 Adding or Editing a Site-to-Site Tunnel Group 35-56 Crypto Map Entry 35-57 Crypto Map Entry for Static Peer Address 35-57 Managing CA Certificates 35-58 Install Certificate 35-59 Con
Contents CHAPTER 36 Configuring Dynamic Access Policies 36-1 Understanding VPN Access Policies 36-1 DAP Support for Remote Access Connection Types 36-3 DAP and AAA 36-3 DAP and Endpoint Security 36-4 DAP Connection Sequence 36-6 Test Dynamic Access Policies 36-6 Add/Edit Dynamic Access Policies 36-7 Add/Edit AAA Attributes 36-12 Retrieve AD Groups from selected AD Server Group 36-14 Add/Edit Endpoint Attributes 36-14 Operator for Endpoint Category 36-21 DAP Examples 36-21 Using DAP to Define Network Re
Contents Encoding 38-15 Web ACLs 38-17 Port Forwarding 38-19 Why Port Forwarding? 38-19 Requirements and Restrictions 38-20 Add/Edit Port Forwarding List 38-21 Add/Edit Port Forwarding Entry 38-21 Configuring the Use of External Proxy Servers Configuring Proxy Bypass DTLS Settings 38-22 38-23 38-25 SSL VPN Client Settings 38-25 Add/Replace SSL VPN Client Image 38-27 Upload Image 38-27 Add/Edit SSL VPN Client Profiles 38-28 Upload Package 38-28 Bypass Interface Access List 38-29 SSO Servers 38-29 Conf
Contents Customization Example 38-48 Using the Customization Template 38-50 The Customization Template 38-50 Help Customization 38-63 Import/Export Application Help Content 38-65 Configuring Browser Access to Client-Server Plug-ins 38-66 About Installing Browser Plug-ins 38-67 Plug-in Requirements and Restrictions 38-68 Preparing the Security Appliance for a Plug-in 38-68 Installing Plug-ins Redistributed by Cisco 38-68 Assembling and Installing Third-Party Plug-ins—Example: Citrix Java Presentation Serv
Contents CHAPTER 40 Configuring SSL Settings SSL 40-1 40-1 Edit SSL Certificate 40-2 SSL Certificates 40-3 PART Monitoring the Security Appliance 5 CHAPTER 41 Monitoring Interfaces ARP Table 41-1 41-1 DHCP 41-1 DHCP Server Table 41-2 DHCP Client Lease Information DHCP Statistics 41-3 MAC Address Table Dynamic ACLs 41-2 41-4 41-5 Interface Graphs 41-5 Graph/Table 41-8 PPPoE Client 41-8 interface connection 41-9 Track Status for 41-9 Monitoring Statistics for CHAPTER 42 Monitoring VPN
Contents SSO Statistics for Clientless SSL VPN Session CHAPTER 43 Monitoring Routing 43-1 Monitoring OSPF LSAs Type 1 43-1 Type 2 43-2 Type 3 43-3 Type 4 43-3 Type 5 43-4 Type 7 43-4 43-1 Monitoring OSPF Neighbors Monitoring EIGRP Neighbors Displaying Routes CHAPTER 44 Monitoring Properties 42-14 43-5 43-7 43-8 44-1 Monitoring AAA Servers 44-1 Viewing AAA Server Statistics 44-1 Updating the Operational State of an AAA Server Fields Used to Monitor AAA Servers 44-3 44-2 Monitoring Device Ac
Contents Blocks 44-17 CPU 44-17 Memory 44-18 WCCP 44-18 Service Groups 44-19 Redirection 44-19 CHAPTER 45 Monitoring Logging 45-1 About Log Viewing 45-1 Log Buffer 45-1 Log Buffer Viewer 45-2 Real-Time Log Viewer 45-3 Real-Time Log Viewer 45-3 CHAPTER 46 Monitoring Failover 46-1 Monitoring Failover in Single Context Mode or in a Security Context Status 46-1 Graphs 46-4 Monitoring Failover in the System Execution Space System 46-6 Failover Group 1 and Failover Group 2 46-9 CHAPTER 47 Monito
Contents ASA 5540 Feature Licenses A-4 ASA 5550 Feature Licenses A-4 ASA 5580 Feature Licenses A-5 PIX 515/515E Feature Licenses APPENDIX B PIX 525 Feature Licenses A-7 PIX 535 Feature Licenses A-7 Troubleshooting A-6 B-1 Testing Your Configuration B-1 Enabling ICMP Debug Messages and System Log Messages Pinging Security Appliance Interfaces B-2 Pinging Through the Security Appliance B-4 Disabling the Test Configuration B-5 Traceroute B-6 Packet Tracer B-6 Reloading the Security Appliance R
Contents Login DN Example for Active Directory C-5 Defining the Security Appliance LDAP Configuration C-5 Supported Cisco Attributes for LDAP Authorization C-6 Cisco-AV-Pair Attribute Syntax C-12 Additional Information for using ASDM to Configure LDAP C-14 Configuring an External RADIUS Server C-15 Reviewing the RADIUS Configuration Procedure C-15 Security Appliance RADIUS Authorization Attributes C-15 Configuring an External TACACS+ Server C-23 INDEX Cisco ASDM User Guide xxxviii OL-16647-01
Preface The ASDM User Guide contains the information that is available in the ASDM online help system.
• Information you need to enter in examples is shown in boldface screen font.
• Variables for which you must supply a value are shown in italic screen font.

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Obtaining Documentation and Submitting a Service Request
PART 1 Getting Started
CHAPTER 1 Welcome to ASDM

Cisco Adaptive Security Device Manager (ASDM) delivers world-class security management and monitoring services for security appliances through an intuitive, easy-to-use, management interface.
ASDM Client Operating System and Browser Requirements

Table 1-1 lists the supported and recommended client operating systems and Java for ASDM.

Table 1-1 Operating System and Browser Requirements
Columns: Operating System, Version, Browser, Other Requirements
Operating System: Microsoft Windows
Version: Windows Vista
Browser: Internet Explorer 6.0 or 7.0 with Sun Java SE1 Plug-in 1.4.2, 5.0 (1.5.0), or 6.
Supported Platforms and SSMs
• Advanced Inspection and Prevention (AIP) SSM, software Version 5.0, 5.1, and 6.0
• Content Security and Control (CSC) SSM, software Version 6.1 and 6.
New ASDM Features

Note For supported platform features, see the “New Features by Platform Release” section on page 2-1.

Table 1-3 lists the new features for ASDM Version 6.1(5).

Table 1-3 New Features for ASDM Version 6.1(5)
Feature / Description
Support for Cisco ASA 5580 software Version 8.1(2): All 8.1(2) features are supported unless specifically noted.
Unsupported Commands

Table 1-4 List of Unsupported Commands
Unsupported Command / ASDM Behavior
access-list: Ignored if not used
capture: Ignored
dns-guard: Ignored
eject: Unsupported
established: Ignored
failover timeout: Ignored
icmp-unreachable rate-limit: Ignored
ipv6, any IPv6 addresses: Ignored
pager: Ignored
pim accept-register route-map: Ignored. You can configure only the list option using ASDM.
To exit Monitor-only mode, use the CLI tool or access the security appliance console, and remove the alias command. You can use outside NAT instead of the alias command. See the Cisco Security Appliance Command Reference for more information.
About the ASDM Interface

The ASDM interface is designed to provide easy access to the many features that the adaptive security appliance supports. The ASDM interface includes the following components:
• Menu Bar—Provides quick access to files, tools, wizards, and help. Many menu items also have keyboard shortcuts.
• Toolbar—Lets you navigate ASDM. From the toolbar you can access the home pane, configuration, and monitoring panes.
• Refresh ASDM with the Running Configuration on the Device—Loads a copy of the running configuration to ASDM. Click Refresh to make sure ASDM has a current copy of the running configuration.
• Reset Device to the Factory Default Configuration—Restores the configuration to the factory default. See the Reset Device to the Factory Default Configuration dialog box for more information.
• Time Ranges—Shows and hides the display of the Time Ranges pane. The Time Ranges pane is only available for the Access Rules, Service Policy Rules, AAA Rules, and Filter Rules panes in the configuration view.
• Global Pools—Shows and hides the display of the Global Pools pane. The Global Pools pane is only available for the NAT Rules pane in the configuration view.
• Administrator’s Alerts to Clientless SSL VPN Users—Lets an administrator send an alert message to clientless SSL VPN users. See the Administrator’s Alert to Clientless SSL VPN Users dialog box for more information.
• Preferences—Changes the behavior of specified ASDM functions between sessions. See the Preferences dialog box for more information.
• ASDM Java Console—Shows the Java console. See the ASDM Java Console dialog box for more information.
• About Cisco Adaptive Security Appliance (ASA)—Displays information about the adaptive security appliance, including the software version, hardware set, configuration file loaded at startup, and software image loaded at startup. This information is helpful in troubleshooting.
• About Cisco ASDM 6.1—Displays information about ASDM such as the software version, hostname, privilege level, operating system, device type, and Java version.
How Do I? Tab Fields
• Show tasks—Choose the type of information you want from the drop-down list. The available types are Security Policy, ASDM, Administration, and All.

Search Tab Fields
• For—Enter the term about which you want more information.
• How Do I?—Check this check box to include downloadable content from Cisco.com, with details about performing certain tasks.
• Features—Check to include features about which you want more details.
Connection to Device

ASDM maintains a constant connection to the adaptive security appliance to maintain up-to-date monitoring and home pane data. This dialog box shows the status of the connection. When you make a configuration change, ASDM opens a second connection for the duration of the configuration, and then closes it; however, this dialog box does not represent the second connection.

Device List

The device list is a dockable pane.
• Reset—Discards changes and reverts to the information displayed before changes were made or the last time you clicked Refresh or Apply. After you click Reset, click Refresh to make sure that information from the current running configuration is displayed.
• Restore Default—Clears the selected settings and returns to the default settings.
• Cancel—Discards changes and returns to the previous pane.
Table 1-6 Moving the Focus
To move the focus to the / Press
next field: Tab
previous field: Shift+Tab
next field when the focus is in a table: Ctrl+Tab
previous field when the focus is in a table: Shift+Ctrl+Tab
next tab (when a tab has the focus): Right Arrow
previous tab (when a tab has the focus): Left Arrow
next cell in a table: Tab
previous cell in a table: Shift+Tab
next pane (when multiple panes are displayed): F6
previous pane (when mul
Enabling Extended Screen Reader Support

By default, labels and descriptions are not included in tab order when you press the Tab key to navigate a pane. Some screen readers, such as JAWS, only read screen objects that have the focus. You can include the labels and descriptions in the tab order by enabling extended screen reader support.
Browser Window

When you open help and a help page is already open, the new help page will appear in the same browser window. If no help page is open, then the help page will appear in a new browser window. When you open help and Netscape Communicator is the default browser, the help page will appear in a new browser window.
Firewall Mode / Security Context support
Routed: •
Transparent: •
Single: •
Multiple, Context: •
Multiple, System: —

Device Dashboard Tab

The Device Dashboard tab lets you view, at a glance, important information about your adaptive security appliance, such as the status of your interfaces, the version you are running, licensing information, and performance.

Fields
• Device Information—Includes two tabs to show device information.
VPN Peers—Display only. Shows the number of VPN peers allowed. This entry is blank if no VPN peers are supported.
Clientless SSL VPN Peers—Display only. Shows the number of clientless SSL VPN peers allowed.
• VPN Tunnels Status—Routed, single mode only. Shows the following information:
– IKE—Display only. Shows the number of connected IKE tunnels.
– IPSec—Display only. Shows the number of connected IPSec tunnels.
– Clientless SSL VPN—Display only.
Firewall Mode / Security Context support
Routed: •
Transparent: •
Single: •
Multiple, Context: •
Multiple, System: —

Firewall Dashboard Tab

The Firewall Dashboard tab lets you view important information about the traffic passing through your security appliance, including the number of connections, NAT translations, dropped packets, attacks, and top usage statistics. The Traffic Overview statistics are enabled by default.
– Hits—Shows the number of packet hits that occurred.
– Source—Shows the source IP address.
– Dest—Shows the destination IP address.
– Service—Shows the service (protocol or port) for the connection.
– Action—Shows whether the rule is a permit or deny rule.
In the Table view, you can select a rule in the list and right-click the rule to display a popup menu item, Show Rule. Choose this item to go to the Access Rules table and select that rule in this table.
– Last Update—Display only. Shows the date of the last software update obtained from Trend Micro.
– Daily Node #—Display only. Shows the number of network devices for which the CSC SSM provided services in the preceding 24 hours. ASDM updates this field at midnight.
– Base License—Display only. Shows the license status for basic features of the CSC SSM, such as anti-virus, anti-spyware, and FTP file blocking. The license expiration date appears.
– Subject/File/URL—Display only. Shows the subject of e-mails that contain a threat, the names of FTP files that contain a threat, or blocked or filtered URLs.
– Receiver/Host—Display only. Shows the recipient of e-mails that contain a threat or the IP address or hostname of a threatened node.
– Sender—Display only. Shows the source of e-mails that contain a threat.
– Content Action—Display only.
– IPS Version—Display only. Shows the IPS software version.
– IDM Version—Display only. Shows the IDM software version.
– Bypass Mode—Display only. Shows the bypass mode, which can be set to On or Off.
– Missed Packets Percentage—Display only. Shows the percentage of missed packets.
– IP Address—Display only. Shows the IP address of the adaptive security appliance.
– Device Type—Display only. Shows the type and model of the adaptive security appliance.
System Home Pane

The ASDM system home pane lets you view important status information about your adaptive security appliance. Many of the details available on the ASDM system home pane are available elsewhere in ASDM, but this pane shows at-a-glance how your adaptive security appliance is running. Status information on the system home pane is updated every ten seconds.

Note This pane is available only in the security context.
Firewall Mode / Security Context support
Routed: •
Transparent: •
Single: •
Multiple, Context: •
Multiple, System: •
CHAPTER 2 Introduction to the Security Appliance

The security appliance combines advanced stateful firewall and VPN concentrator functionality in one device, and for some models, an integrated intrusion prevention module called the AIP SSM or an integrated content security and control module called the CSC SSM.
New Features by Platform Release

Table 2-1 lists the new features for Version 8.1(2).

Note Version 8.1(x) is only supported on the Cisco ASA 5580 adaptive security appliance.

Table 2-1 New Features for ASA Version 8.1(2)
Feature / Description
Remote Access Features
Auto Sign-On with Smart Tunnels for IE: This feature lets you enable the replacement of logon credentials for WININET connections.
Table 2-1 New Features for ASA Version 8.1(2) (continued)
Feature / Description
Show Active Directory Groups: The CLI command show ad-groups was added to list the active directory groups. ASDM Dynamic Access Policy uses this command to present the administrator with a list of MS AD groups that can be used to define the VPN policy.
Table 2-1 New Features for ASA Version 8.1(2) (continued)
Feature / Description
TCP Normalization Enhancements: You can now configure TCP normalization actions for certain packet types. Previously, the default actions for these kinds of packets were to drop the packet. Now you can set the TCP normalizer to allow the packets.
Table 2-2 New Features for ASA Version 8.1(1)
Feature / Description
Introduction of the Cisco ASA 5580: The Cisco ASA 5580 comes in two models:
• The ASA 5580-20 delivers 5 Gigabits per second of TCP traffic, and UDP performance is even greater. Many features in the system have been made multi-core capable to achieve this high throughput.
Table 2-3 lists the new features for Version 8.0(4).

Table 2-3 New Features for ASA and PIX Version 8.0(4)
Feature / Description
Unified Communications Features1
Phone Proxy: Phone Proxy functionality is supported. ASA Phone Proxy provides similar features to those of the Metreos Cisco Unified Phone Proxy with additional support for SIP inspection and enhanced security.
Table 2-3 New Features for ASA and PIX Version 8.0(4) (continued)
Feature / Description
Auto Sign-On with Smart Tunnels for IE1: This feature lets you enable the replacement of logon credentials for WININET connections. Most Microsoft applications use WININET, including Internet Explorer. Mozilla Firefox does not, so it is not supported by this feature.
Smart Tunnel over Mac OS¹ Smart tunnels now support Mac OS. In ASDM, see Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels.
Timeout for SIP Provisional Media You can now configure the timeout for SIP provisional media using the timeout sip-provisional-media command. In ASDM, see Configuration > Firewall > Advanced > Global Timeouts.
Table 2-4 New Features for ASA and PIX Version 8.0(3) (continued) Feature Description Fully Qualified Domain Name Support Enhancement Added an option to the redirect-fqdn command to send either the fully qualified domain name (FQDN) or the IP address to the client in a VPN load balancing cluster.
Table 2-5 New Features for ASA and PIX Version 8.0(2) (continued) ASA Feature Type Feature Description High Availability Remote command execution in failover pairs You can execute commands on the peer unit in a failover pair without having to connect directly to the peer. This works for both Active/Standby and Active/Active failover.
Cisco Secure Desktop Host Scan As a condition for the completion of a Cisco AnyConnect or clientless SSL VPN connection, the remote computer scans for a greatly expanded collection of antivirus and antispyware applications, firewalls, operating systems, and associated updates.
Platform Enhancements VLAN support for remote access VPN connections Provides support for mapping (tagging) of client traffic at the group or user level. This feature is compatible with clientless as well as IPsec and SSL tunnel-based connections.
Browser-based SSL VPN Features (continued) Personal bookmark support Users can define their own bookmarks. These bookmarks are stored on a file server. Transformation enhancements Adds support for several complex forms of web content over clientless connections, including Adobe Flash and Java WebStart.
Modular policy framework inspect class map Traffic can match one of multiple match commands in an inspect class map; formerly, traffic had to match all match commands in a class map to match the class map.
Logging Secure logging You can enable secure connections to the syslog server using SSL or TLS with TCP, and encrypted system log message content. Not supported on the PIX series adaptive security appliance. IPv6 IPv6 support for SIP The SIP inspection engine supports IPv6 addresses.
Firewall Functional Overview
• Applying Application Inspection, page 2-17
• Sending Traffic to the Advanced Inspection and Prevention Security Services Module, page 2-18
• Sending Traffic to the Content Security and Control Security Services Module, page 2-18
• Applying QoS Policies, page 2-18
• Applying Connection Limits and TCP Normalization, page 2-18
Permitting or Denying Traffic with Access Lists You can apply an access list to limit traffic
Sending Traffic to the Advanced Inspection and Prevention Security Services Module If your model supports the AIP SSM for intrusion prevention, then you can send traffic to the AIP SSM for inspection. The AIP SSM is an intrusion prevention services module that monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library.
Firewall Mode Overview The security appliance runs in two different firewall modes:
• Routed
• Transparent
In routed mode, the security appliance is considered to be a router hop in the network. In transparent mode, the security appliance acts like a “bump in the wire,” or a “stealth firewall,” and is not considered a router hop. The security appliance connects to the same network on its inside and outside interfaces.
– Session lookup
– TCP sequence number check
– NAT translations based on existing sessions
– Layer 3 and Layer 4 header adjustments
For UDP or other connectionless protocols, the security appliance creates connection state information so that it can also use the fast path. Data packets for protocols that require Layer 7 inspection can also go through the fast path.
Security Context Overview which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the security appliance. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context.
CHAPTER 3 Defining Preferences and Using Configuration, Diagnostic, and File Management Tools This chapter describes the preferences and tools available for configuration, problem diagnosis, and file management, and includes the following sections:
• Preferences, page 3-1
• Configuration Tools, page 3-3
• Diagnostic Tools, page 3-7
• File Management Tools, page 3-18
Preferences This feature lets you change the behavior of some ASDM functions between sessions.
“You are not allowed to modify the ASA configuration, because you do not have sufficient privileges.” Step 4 f. Check the Enable screen reader support (requires ASDM restart) check box to enable screen readers to work. You must restart ASDM to enable this option. g.
Step 6 After you have specified settings on these three tabs, click OK to save your settings and close the Preferences dialog box. Note Each time that you check or uncheck a preferences setting, the change is saved to the .conf file and becomes available to all the other ASDM sessions running on the workstation at the time. You must restart ASDM for all changes to take effect.
Step 2 Enter the Management IP address of the management interface, instead of using the default address, 192.168.1.1. For an adaptive security appliance with a dedicated management interface, the interface is called “Management0/0.” For other adaptive security appliances, the configured interface is Ethernet 1 and called “inside.
Modes (Firewall Mode / Security Context): Routed •, Transparent •; Single •, Multiple: Context •, System •
Save Internal Log Buffer to Flash This feature lets you save the internal log buffer to flash memory. To save the internal log buffer to flash memory, perform the following steps: Step 1 In the main ASDM application window, choose File > Save Internal Log Buffer to Flash.
Step 6 After you have closed the Command Line Interface dialog box, if you changed the configuration, click Refresh to view the changes in ASDM.
Step 1 In the main ASDM application window, choose Tools > Show Commands Ignored by ASDM on Device. Step 2 Click OK when you are done.
• Debug all packet drops in a production network.
• Verify that the configuration is working as intended.
• Show all rules applicable to a packet, along with the CLI lines that caused the rule addition.
• Show a time line of packet changes in a data path.
• Trace packets in the data path.
To use the Ping tool, perform the following steps: Step 1 In the main ASDM application window, choose Tools > Ping. The Ping dialog box appears. Step 2 Enter the destination IP address for the ICMP echo request packets in the IP Address field. If a hostname has been assigned in the Configuration > Firewall > Objects > IP Names pane, you can use the hostname in place of the IP address.
• Loopback testing of two interfaces—A ping may be initiated from one interface to another on the same security appliance, as an external loopback test to verify basic “up” status and operation of each interface.
• Pinging to a security appliance—The Ping tool can ping an interface on another security appliance to verify that it is up and responding.
Pinging to a Security Appliance Interface When you try to ping to an adaptive security appliance interface, verify that the pinging response (ICMP echo reply) is enabled for that interface by choosing Tools > Ping. When pinging is disabled, the adaptive security appliance cannot be detected by other devices or software applications, and will not respond to the ASDM Ping tool.
Step 6 Specify the minimum and maximum TTL values for the first probes. The minimum default is one, but it can be set to a higher value to suppress the display of known hops. The maximum default is 30. The traceroute terminates when the packet reaches the destination or when the maximum value is reached. Step 7 Check the Specify source interface or IP address check box.
Modes (Firewall Mode / Security Context): Routed •, Transparent •; Single •, Multiple: Context •, System •
ASDM Java Console You can use the ASDM Java console to view and copy logged entries in a text format, which can help you troubleshoot ASDM errors. To access this tool, in the main ASDM application window, choose Tools > ASDM Java Console.
Step 3 Choose the ingress interface (inside or outside) from the drop-down list. Step 4 Enter the source host IP address and choose the network IP address from the drop-down list. Step 5 Choose the protocol from the drop-down list. Step 6 Depending on the selected protocol, you also need to define both the source port services and destination port services.
Modes The following table shows the modes in which this feature is available:
Modes (Firewall Mode / Security Context): Routed •, Transparent •; Single •, Multiple: Context •, System •
Field Information for the Packet Capture Wizard This section includes the following topics:
• Ingress Traffic Selector, page 3-15
• Egress Traffic Selector, page 3-16
• Buffers, page 3-16
• Summary, page 3-17
• R
Modes The following table shows the modes in which this feature is available:
Modes (Firewall Mode / Security Context): Routed •, Transparent •; Single •, Multiple: Context •, System —
Egress Traffic Selector The Egress Traffic Selector dialog box lets you configure the egress interface, source and destination hosts/networks, and source and destination port services for packet capture.
Modes (Firewall Mode / Security Context): Routed •, Transparent •; Single •, Multiple: Context •, System —
Summary The Summary dialog box shows the traffic selectors and the buffer parameters for the packet capture. Fields
• Traffic Selectors—Shows the capture and access list configuration specified in the previous steps.
• Buffer Parameters—Shows the buffer parameters specified in the previous step.
Modes (Firewall Mode / Security Context): Routed •, Transparent •; Single •, Multiple: Context •, System —
Save Captures The Save Captures dialog box lets you save the ingress and egress packet captures to ASCII or PCAP file format for further packet analysis. Fields
• ASCII—Specifies to save the capture buffer in ASCII format.
• PCAP—Specifies to save the capture buffer in PCAP format.
File Management The File Management tool lets you view, move, copy, and delete files stored in flash memory, transfer files, and manage files on remote storage devices (mount points). Note In multiple context mode, this tool is only available in the system security context.
Manage Mount Points This feature lets you configure remote storage (mount points) for network file systems using a CIFS or FTP connection. The dialog box lists the mount-point name, connection type, server name or IP address, and the enabled setting (yes or no). You can add, edit, or delete mount points. See Add/Edit a CIFS/FTP Mount Point, page 3-20 for more information.
Step 2 Make the changes to the remaining settings, and click OK when you are done. To edit an FTP mount point, perform the following steps: Step 1 Choose the FTP mount point you want to modify, and click Edit. The Edit FTP Mount Point dialog box appears. Note You cannot change the FTP mount-point name. Step 2 Make the changes to the remaining settings, and click OK when you are done.
File Transfer The File Transfer tool lets you transfer files from either a local or remote location. You can transfer a local file on your computer or a flash file system to and from the security appliance. You can transfer a remote file to and from the security appliance using HTTP, HTTPS, TFTP, FTP, or SMB.
Step 9 To transfer a file to a remote server, choose the Remote server option. a. Enter the path to the location of the file. b. For FTP transfers, enter the type.
Step 1 In the main ASDM application window, choose Tools > Upgrade Software from Cisco.com. The Upgrade Software from Cisco.com Wizard appears. The Overview screen describes the steps in the image upgrade process. Step 2 Click Next to continue. The Authentication screen appears. Step 3 Enter your assigned Cisco.com user name and the Cisco.com password, and then click Next.
Modes (Firewall Mode / Security Context): Routed •, Transparent •; Single •, Multiple: Context •, System •
ASDM Assistant The ASDM Assistant tool lets you search and view useful ASDM procedural help about certain tasks. To access information, choose View > ASDM Assistant > How Do I? or enter a search request from the Look For field in the menu bar.
b. For the Reload Start Time, you can select from the following options:
– Click Now to perform an immediate reload.
– Click Delay by to delay the reload by a specified amount of time. Enter the time to elapse before the reload in hours and minutes or only minutes.
– Click Schedule at to schedule the reload to occur at a specific time and date.
Step 1 Create a folder on your computer to store backup files so they will be easy to find if you have to restore later. Step 2 Choose Tools > Backup Configurations. ASDM opens the Backup Configurations dialog box. By default, all files are checked and will be backed up if they are available. If you want to back up all of the files in the list, go to Step 5.
ASDM displays a status window. When the backup completes, ASDM closes it and opens the Backup Statistics window. This window shows the status of each backup. Note Backup “failure messages” are most likely the consequence of no configuration present for the types indicated. Step 10 Click OK to close the window.
Restoring Configurations You can specify configurations and images to restore from a zip file on your local computer. Before proceeding, please note the following restrictions: • The zip file you restore must be created from the Tools > Backup Configurations option.
By default, all files are checked; ASDM restores them if they are available. Step 4 Use the default options, or uncheck them and check the specific configurations and images you want to restore. Step 5 Click Restore. ASDM displays a status window until the restore operation completes.
CHAPTER 4 Before You Start This section describes the tasks you must perform before you use ASDM, and includes the following topics:
• Factory Default Configurations, page 4-1
• Configuring the Security Appliance for ASDM Access, page 4-4
• Setting Transparent or Routed Firewall Mode at the CLI, page 4-4
• Starting ASDM, page 4-6
• Configuration Overview, page 4-9
Factory Default Configurations The factory default configuration is supported on all security appliances, except for the PIX 525
Step 1 Choose File > Reset Device to the Factory Default Configuration. Step 2 To change the default IP address, do one of the following:
• For the ASA 5500 series, check the Use this address for the Management 0/0 interface that will be named as “management” check box, enter the new IP address in the Management IP Address field, and then choose the new subnet mask in the Management Subnet Mask drop-down list.
Factory Default Configurations (continued)
    interface Ethernet 0/5
     switchport access vlan 1
     no shutdown
    interface Ethernet 0/6
     switchport access vlan 1
     no shutdown
    interface Ethernet 0/7
     switchport access vlan 1
     no shutdown
    interface vlan2
     nameif outside
     no shutdown
     ip address dhcp setroute
    interface vlan1
     nameif inside
     ip address 192.168.1.1 255.255.255.0
     security-level 100
     no shutdown
    global (outside) 1 interface
    nat (inside) 1 0 0
    http server enable
    http 192.168.1.0 255.255.255.
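The factory default above is what makes ASDM reachable at all: the inside VLAN gets 192.168.1.1/24, `http server enable` turns on the HTTPS management server, and the `http` line restricts which network, on which named interface, may open that server. Reviewing those three pieces together is how a practitioner confirms that management access was not accidentally widened. The following Python script is an added example (not Cisco code and not part of the guide): it parses an ASA-style configuration into interface blocks plus the `http` lines and reports where ASDM is reachable from. The embedded configuration is constructed to mirror the shape of the factory default shown above; its `http 192.168.1.0 255.255.255.0 inside` entry and the deliberately over-broad `http 0.0.0.0 0.0.0.0 outside` entry are constructed values, not taken from the guide.

```python
"""Review where ASDM (HTTPS) management access is permitted in an ASA-style
running configuration.  Added example, not Cisco code.  SAMPLE_CONFIG is
constructed to mirror the ASA 5505 factory default; both 'http <net> <mask>
<nameif>' entries are constructed, the second one intentionally over-broad."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: interface sub-commands are indented by one space,
# as the ASA CLI prints them.
SAMPLE_CONFIG = """\
interface Ethernet 0/7
 switchport access vlan 1
 no shutdown
interface vlan2
 nameif outside
 no shutdown
 ip address dhcp setroute
interface vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
 security-level 100
 no shutdown
global (outside) 1 interface
nat (inside) 1 0 0
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
"""


@dataclass
class Interface:
    name: str
    nameif: Optional[str] = None
    ip: Optional[str] = None          # dotted address or the literal "dhcp"
    mask: Optional[str] = None
    security_level: Optional[int] = None
    shutdown: bool = True             # an interface is down until 'no shutdown'


@dataclass
class AsaConfig:
    interfaces: Dict[str, Interface] = field(default_factory=dict)
    http_server_enabled: bool = False
    # (network, mask, nameif) from each 'http <net> <mask> <nameif>' line
    http_access: List[Tuple[str, str, str]] = field(default_factory=list)


def parse_asa_config(text: str) -> AsaConfig:
    """Walk the config line by line; indented lines belong to the open interface."""
    cfg = AsaConfig()
    current: Optional[Interface] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "interface":
            current = Interface(name=" ".join(parts[1:]))
            cfg.interfaces[current.name] = current
            continue
        if raw.startswith(" ") and current is not None:
            if parts[0] == "nameif":
                current.nameif = parts[1]
            elif parts[:2] == ["ip", "address"]:
                if parts[2] == "dhcp":
                    current.ip = "dhcp"
                else:
                    current.ip, current.mask = parts[2], parts[3]
            elif parts[0] == "security-level":
                current.security_level = int(parts[1])
            elif parts[:2] == ["no", "shutdown"]:
                current.shutdown = False
            elif parts[0] == "shutdown":
                current.shutdown = True
            continue  # other sub-commands (switchport ...) are ignored
        current = None  # an unindented line closes the interface block
        if parts[:3] == ["http", "server", "enable"]:
            cfg.http_server_enabled = True
        elif parts[0] == "http" and len(parts) == 4:
            cfg.http_access.append((parts[1], parts[2], parts[3]))
    return cfg


def review_asdm_access(cfg: AsaConfig) -> List[str]:
    """One finding per 'http' entry: OK, WARN (any-source), or INFO (interface down)."""
    if not cfg.http_server_enabled:
        return ["http server enable is missing: ASDM cannot connect at all"]
    by_nameif = {i.nameif: i for i in cfg.interfaces.values() if i.nameif}
    findings = []
    for net, mask, nameif in cfg.http_access:
        network = ipaddress.IPv4Network((net, mask), strict=False)
        intf = by_nameif.get(nameif)
        if intf is None:
            findings.append(f"WARN http entry on unknown interface {nameif!r}")
        elif network.prefixlen == 0:
            findings.append(f"WARN ASDM reachable from any address on {nameif}")
        elif intf.shutdown:
            findings.append(f"INFO {nameif} is shut down; entry {network} currently unreachable")
        else:
            findings.append(f"OK ASDM reachable from {network} on {nameif}")
    return findings


if __name__ == "__main__":
    for finding in review_asdm_access(parse_asa_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the constructed sample, the inside entry is reported as OK and the outside entry as a WARN, which is the review outcome you want before saving a configuration that exposes the HTTPS server on the Internet-facing interface. Tightening the entry back to a specific management network, as the factory default does, clears the warning.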
PIX 515/515E Default Configuration The default factory configuration for the PIX 515/515E security appliance provides the following: • The inside Ethernet1 interface. If you did not set the IP address in the configure factory-default command, then the IP address and subnet mask are 192.168.1.1 and 255.255.255.0.
For multiple context mode, the system configuration is erased, which removes any contexts. If you again add a context that has an existing configuration that was created for the wrong mode, the context configuration will not work correctly. Note Be sure to create your context configurations for the correct mode before you add them again, or add new contexts with new paths for new configurations.
This command also appears in each context configuration for information only; you cannot enter this command in a context.
Step 2 Enter or choose the adaptive security appliance IP address or hostname to which you want to connect. To clear the list of IP addresses, click the trash can icon next to the Device/IP Address/Name field. Step 3 Enter your username and your password, and then click OK.
– Configuration > Interface > Edit Interface > Renew DHCP Lease
– Configuring a standby device after failover
• Operations that cause a rereading of the configuration, in which the GUI reverts to the original configuration:
– Switching contexts
– Making changes in the Interface pane
– NAT pane changes
– Clock pane changes
To run ASDM in Demo Mode, perform the following steps: Step 1 Download the ASDM Demo Mode installer, asdm-demo-version.
Configuration Overview To configure and monitor the adaptive security appliance, perform the following steps: Step 1 For initial configuration using the Startup Wizard, choose Wizards > Startup Wizard. Step 2 To use the IPSec VPN Wizard to configure IPSec VPN connections, choose Wizards > IPSec VPN Wizard and complete each screen that appears.
– Filter Rules prevent outbound access to specific websites or FTP servers. The security appliance works with a separate server running either Websense Enterprise or Sentian by N2H2. Choose Configuration > Properties > URL Filtering to configure the URL filtering server, which you must do before adding a rule.
– Configuring Service Policy Rules apply application inspection, connection limits, and TCP normalization.
– The CLI.
– SNMP and ICMP.
– Logging, including e-mail, event lists, filters, rate limit, syslog servers, and SMTP. For more information, see Configuring Logging.
– User and AAA authentication.
– High availability, the Scalability Wizard, and failover.
– Advanced configuration.
Note If you have a CSC SSM card or IPS software installed, either the Trend Micro Content Security or IPS feature button also appears.
PART 2 Device Setup and Management
CHAPTER 5 Using the Startup Wizard The ASDM Startup Wizard guides you through the initial configuration of the adaptive security appliance, and helps you define the following settings for the adaptive security appliance:
• The hostname
• The domain name
• A password to restrict administrative access through ASDM or the CLI
• The IP address information of the outside interface
• Other interfaces, such as the inside or DMZ interfaces
• NAT or PAT rules
• DHCP settings for the inside interf
Startup Wizard Screens for ASA 5500 Series and PIX 500 Series Security Appliances Table 5-1 lists all of the required Startup Wizard screens for configuring the ASA 5500 series adaptive security appliances and PIX 500 series security appliances only. The actual sequence of screens is determined by your specified configuration selections.
Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance Table 5-2 Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance (Screen Name and Sequence — Availability)
Step 1 - Starting Point or Welcome, page 5-3 — All modes.
Step 2 - Basic Configuration, page 5-4 — The Teleworker option in Step 2 is available only on the ASA-5505.
Step 3 - Auto Update Server, page 5-5 — Single, routed and transparent modes.
Note If you reset the configuration to factory defaults, you cannot undo these changes by clicking Cancel or by closing this screen. For More Information See the Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide and the Cisco ASA 5505 Getting Started Guide.
For More Information See the Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide and the Cisco ASA 5505 Getting Started Guide.
Step 4 - Management IP Address Configuration This screen lets you configure the management IP address of the host for this context. To access this feature from the main ASDM application window, choose Configuration > Properties > Management IP. Fields
• Management IP Address—Specifies the IP address of the host that can access this context for management purposes using ASDM or a session protocol.
• Do not configure—Check this check box to disable configuration of this VLAN.
For More Information See the Cisco ASA 5505 Getting Started Guide.
Modes (Firewall Mode / Security Context): Routed •, Transparent —; Single •, Multiple: Context •, System —
Step 7 - Interface IP Address Configuration This screen allows you to configure the interface by obtaining an IP address from a PPPoE server or a DHCP server, or by specifying an IP address and subnet mask.
Modes (Firewall Mode / Security Context): Routed •, Transparent —; Single •, Multiple: Context •, System —
Step 8 - Internet Interface Configuration - PPPoE This screen lets you configure the specified outside interface by obtaining an IP address from a PPPoE server. To access this feature from the main ASDM application window, choose Configuration > Interfaces.
Modes The following table shows the modes in which this feature is available:
Modes (Firewall Mode / Security Context): Routed •, Transparent —; Single •, Multiple: Context •, System —
Step 9 - Business Interface Configuration - PPPoE This screen lets you configure the inside interface by obtaining an IP address from a PPPoE server.
For More Information See the Cisco ASA 5505 Getting Started Guide. Modes The following table shows the modes in which this feature is available:
Modes (Firewall Mode / Security Context): Routed •, Transparent —; Single •, Multiple: Context •, System —
Step 10 - Home Interface Configuration - PPPoE This screen lets you configure the DMZ interface by obtaining an IP address from a PPPoE server.
• Obtain default route using PPPoE—Check this check box to set the default route using the PPPoE server.
For More Information See the Cisco ASA 5505 Getting Started Guide.
Step 12 - Static Routes This screen lets you create, edit, and remove static routes that will access networks connected to a router on any interface.
• Enable auto-configuration—Check this check box to allow automatic configuration of the DNS server, WINS server, lease length, and ping timeout settings.
• DNS Server 1—Specifies the IP address of the DNS server.
• WINS Server 1—Specifies the IP address of the WINS server.
• DNS Server 2—Specifies the IP address of the alternate DNS server.
• A DNS server on a higher level security interface cannot use PAT.
Fields
• Use Network Address Translation (NAT)—Choose to enable NAT and a range of IP addresses to be used for translation.
• Starting Global IP Address—Specifies the first IP address in a range of IP addresses to be used for translation.
• Interface—Displays the host or network name.
• IP Address—Displays the IP address of the host or network.
• Mask—Displays the subnet mask of the host or network.
• Enable HTTP server for HTTPS/ASDM access—Check this check box to enable a secure connection to an HTTP server to access ASDM.
• Interface Name—Choose from a list of predetermined interfaces.
• IP Address—Specifies an IP address for the interface.
• Subnet Mask—Specifies a subnet mask for the interface from a selection of subnet mask IP addresses.
Fields
• Enable Easy VPN remote—Check this check box to enable the adaptive security appliance to act as an Easy VPN remote device. If you do not enable this feature, any host that has access to the adaptive security appliance outside interface through a VPN tunnel can manage it remotely.
Step 17 - Startup Wizard Summary This screen summarizes all of the settings you have made for the security appliance.
• To change any of the settings in previous screens, click Back.
• If you started the Startup Wizard directly from a browser, when you click Finish, the configuration that you created through the wizard is sent to the adaptive security appliance and saved in flash memory automatically.
Modes (Firewall Mode / Security Context): Routed •, Transparent •; Single •, Multiple: Context •, System —
Edit Interface To access this feature from the main ASDM application window, choose Configuration > Interfaces. Fields
• Interface—Displays the name of the selected interface to edit.
• Interface Name—Displays the name of the selected interface, and lets you change the name of the interface.
Chapter 5 Using the Startup Wizard Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance • Note Enable traffic between two or more interfaces with the same security level—Check this check box to enable traffic between two or more interfaces with the same security level. IP address-related fields are not available in transparent mode. For More Information See the Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide.
Chapter 5 Using the Startup Wizard Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance – Specify an IP address—Click to specify an IP address for an interface: IP Address—Lets you enter an IP address for an interface. Subnet Mask—Lets you enter or choose a subnet mask for an interface from the drop-down list. – Obtain default route using PPPoE—Click to obtain the default route between the PPPoE server and the PPPoE client.
Chapter 5 Using the Startup Wizard Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance • Use the following IP address—Choose this option to specify an IP address manually for the interface. This field is not visible in transparent mode. • IP Address—Specifies an IP address for an outside interface. This field is not visible in transparent mode. • Subnet Mask—Choose a subnet mask for an outside interface from the drop-down list.
Chapter 6 Configuring Basic Device Settings This section contains the following topics: • Management IP Address, page 6-1 • System Time, page 6-2 • Configuring Advanced Device Management Features, page 6-4 • System Image/Configuration, page 6-6 • Device Name/Password, page 6-12 • System Software, page 6-13 Management IP Address The Management IP pane lets you set the management IP address for the security appliance or for a context in transparent firewall mode.
System Time You can manually set the system date or time or have the security appliance dynamically set the system date and time using an NTP server. See the following topics for more information: • Clock, page 6-2 • NTP, page 6-3 Clock The Clock pane lets you manually set the date and time for the security appliance. The time displays in the status bar at the bottom of the main ASDM pane.
Firewall Mode Security Context Multiple Routed Transparent Single • • • Context System — • NTP The NTP pane lets you define NTP servers to dynamically set the time on the security appliance. The time displays in the status bar at the bottom of the main ASDM pane. Time derived from an NTP server overrides any time set manually in the Clock pane.
Add/Edit NTP Server Configuration The Add/Edit NTP Server Configuration dialog box lets you add or edit an NTP server. Fields • IP Address—Sets the NTP server IP address. • Preferred—Sets this server as a preferred server. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that one. If servers are of similar accuracy, then the preferred server is used.
Note To redirect HTTP, the interface requires an access list that permits HTTP. Otherwise, the interface cannot listen to the HTTP port. To change the HTTP redirect setting of an interface or the port from which it redirects HTTP connections, select the interface in the table and click Edit. You can also double-click an interface. The Edit HTTP/HTTPS Settings dialog box opens.
Firewall Mode Security Context Multiple Routed • Transparent Single Context System — — — • History Metrics The History Metrics pane lets you configure the adaptive security appliance to keep a history of various statistics, which ASDM can display on any Graph/Table. If you do not enable history metrics, you can only monitor statistics in real time.
Features of temporary and permanent licenses combine to form the running license. When you activate a temporary license, it overrides any previously activated temporary license and combines with the permanent license to create a new running license. When you activate a permanent license, it overwrites the currently running permanent and temporary licenses and becomes the running license.
Important Notes • If the security appliance configuration is updated from an Auto Update server, ASDM is not notified. You must choose Refresh or File > Refresh ASDM with the Running Configuration on the Device to get the latest configuration, and any changes to the configuration made in ASDM will be lost. • If HTTPS is chosen as the protocol to communicate with the Auto Update server, the security appliance will use SSL.
Firewall Mode Security Context Multiple Routed Transparent Single • • • Context System — — Set Polling Schedule The Set Polling Schedule dialog box lets you configure specific days, and the time of day, for the security appliance to poll the Auto Update server.
Modes The following table shows the modes in which this feature is available: Firewall Mode Security Context Multiple Routed Transparent Single • • • Context System — — Advanced Auto Update Settings Fields • Use Device ID to uniquely identify the ASA—Enables authentication using a Device ID. The Device ID is used to uniquely identify the security appliance to the Auto Update server. • Device ID—Type of Device ID to use.
Fields • Boot Order—Displays the order in which binary image files will be used to boot. • Boot Image Location—Displays the physical location and path of the boot file. • Boot Configuration File Path—Displays the location of the configuration file. • Add—Lets you add a flash or TFTP boot image entry to be used in the boot process. • Edit—Lets you edit a flash or TFTP boot image entry.
Modes The following table shows the modes in which this feature is available: Firewall Mode Security Context Multiple Routed • Transparent Single • • Context — System • Device Name/Password The Device Name/Password pane lets you set the hostname and domain name for the security appliance and set the enable and telnet passwords.
The Telnet Password area contains the following fields. In multiple context mode, the Telnet Password area only appears in contexts; it does not appear in the system execution space. • Change the password to access the platform console—Lets you change the login password. • Old Password—Enter the old password. • New Password—Enter the new password. • Confirm New Password—Confirm the new password.
– Client Revision—Specifies the revision number(s) of the software component. Double-clicking any of the rows in the Client Images table opens the Edit Client Update Entry dialog box, in which you can modify the client parameters. These changes are immediately reflected in the table, but you must click Apply to save them to the configuration.
Modes The following table shows the modes in which this feature is available: Firewall Mode Security Context Multiple Routed • Transparent Single • • Context System — —
Chapter 7 Configuring Interfaces in Single Mode This chapter describes how to configure and enable physical Ethernet interfaces, how to create redundant interface pairs, and how to add subinterfaces. If you have both fiber and copper Ethernet ports (for example, on the 4GE SSM for the ASA 5510 and higher series adaptive security appliance), this chapter describes how to configure the interface media type.
• Default Physical Interface Settings, page 7-2 • Connector Types, page 7-2 • Auto-MDI/MDIX Feature, page 7-2 Default Physical Interface Settings By default, the speed and duplex for copper (RJ-45) interfaces are set to auto-negotiate. Connector Types The ASA 5550 adaptive security appliance and the 4GE SSM for the ASA 5510 and higher adaptive security appliance include two connector types: copper RJ-45 and fiber SFP.
• If you use a redundant interface for the failover or state link, you must put a switch or hub between the two units; you cannot connect them directly. Without the switch or hub, you could have the active port on the primary unit connected directly to the standby port on the secondary unit. • You can monitor redundant interfaces for failover; be sure to reference the logical redundant interface name.
Maximum Subinterfaces To determine how many subinterfaces are allowed for your platform, see Appendix A, “Feature Licenses.” Preventing Untagged Packets on the Physical Interface If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. This property is also true for the active physical interface in a redundant interface pair.
• Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level). For same security interfaces, you can filter traffic in either direction. • NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside).
a. Click Add > Redundant Interface. The Add Redundant Interface dialog box appears with the General tab selected. b. In the Redundant ID field, enter an integer between 1 and 8. c. From the Primary Interface drop-down list, choose the physical interface you want to be primary. Be sure to pick an interface that does not have a subinterface and that has not already been allocated to a context. d.
Note Route tracking is only available in single, routed mode. SLA ID—A unique identifier for the SLA monitoring process. Valid values are from 1 to 2147483647. Monitor Options—Click this button to open the Route Monitoring Options dialog box. In the Route Monitoring Options dialog box you can configure the parameters of the tracked object monitoring process. • To obtain an IP address using PPPoE, check Use PPPoE. a.
parameters. For RJ-45 interfaces on the ASA 5500 series adaptive security appliance, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase.
If you enable same security interface communication, you can still configure interfaces at different security levels as usual. You can also enable communication between hosts connected to the same interface.
– Monitor Options—Click this button to open the Route Monitoring Options dialog box. In the Route Monitoring Options dialog box you can configure the parameters of the tracked object monitoring process. – Secondary Track—Select this option to configure the secondary PPPoE route tracking. Secondary Track ID—A unique identifier for the route tracking process. Valid values are from 1 to 500.
Chapter 8 Configuring Interfaces in Multiple Mode This chapter describes how to configure and enable physical Ethernet interfaces, how to create redundant interface pairs, and how to add subinterfaces in the system configuration. If you have both fiber and copper Ethernet ports (for example, on the 4GE SSM for the ASA 5510 and higher series adaptive security appliance), this chapter describes how to configure the interface media type.
Note If you use failover, you need to assign a dedicated interface as the failover link and an optional interface for Stateful Failover on the Failover: Setup tab. (You can use the same interface for failover and state traffic, but we recommend separate interfaces.)
Configuring and Enabling Physical Interfaces in the System Configuration (Multiple Mode) To configure and enable a physical interface, perform the following steps: Step 1 In the Configuration > Device List pane, double-click System under the active device IP address. Step 2 On the Context Management > Interfaces pane, click a physical interface that you want to configure, and click Edit.
Redundant Interface Overview This section includes overview information about redundant interfaces, and includes the following topics: • Default State of Redundant Interfaces, page 8-4 • Redundant Interfaces and Failover Guidelines, page 8-4 • Redundant Interface MAC Address, page 8-4 • Physical Interface Guidelines for Use in a Redundant Interface, page 8-4 Default State of Redund
• If you shut down the active interface, then the standby interface becomes active. Adding a Redundant Interface in the System Configuration (Multiple Mode) You can configure up to 8 redundant interface pairs.
• Maximum Subinterfaces, page 8-6 Default State of Subinterfaces When you add a subinterface, it is enabled by default. However, the physical or redundant interface must also be enabled to pass traffic (see the “Configuring Physical Interfaces in the System Configuration (Multiple Mode)” section on page 8-2 to enable physical interfaces).
Enabling Jumbo Frame Support for the ASA 5580 in the System Configuration (Multiple Mode) A jumbo frame is an Ethernet packet larger than the standard maximum of 1518 bytes (including Layer 2 header and FCS), up to 9216 bytes. You can enable support for jumbo frames for all Gigabit and 10-Gigabit interfaces on interface adapters by increasing the amount of memory to process Ethernet frames.
Default State of Interfaces In multiple context mode, all allocated interfaces are enabled by default, no matter what the state of the interface is in the system execution space. However, for traffic to pass through the interface, the interface also has to be enabled in the system execution space.
Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.
The description can be up to 240 characters on a single line, without carriage returns. The system description is independent of the context description. In the case of a failover or state link, the description is fixed as “LAN Failover Interface,” “STATE Failover Interface,” or “LAN/STATE Failover Interface,” for example. You cannot edit this description.
You can also enable communication between hosts connected to the same interface. • To enable interfaces on the same security level to communicate with each other, from the Configuration > Interfaces pane, check Enable traffic between two or more interfaces which are configured with same security level.
Chapter 9 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive security appliance. Note To configure interfaces of other models, see Chapter 7, “Configuring Interfaces in Single Mode.”
Understanding ASA 5505 Ports and Interfaces The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure: • Physical switch ports—The adaptive security appliance has eight Fast Ethernet switch ports that forward traffic at Layer 2, using the switching function in hardware.
With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN. See Figure 9-1 for an example network where the Home VLAN can communicate with the Internet, but cannot initiate contact with Business.
Default Interface Configuration If your adaptive security appliance includes the default factory configuration, your interfaces are configured as follows: • The outside interface (security level 0) is VLAN 2. Ethernet0/0 is assigned to VLAN 2 and is enabled. The VLAN 2 IP address is obtained from the DHCP server.
You can only enable SPAN monitoring using the Command Line Interface tool by entering the switchport monitor command. See the switchport monitor command in the Cisco Security Appliance Command Reference for more information. Security Level Overview Each VLAN interface must have a security level in the range 0 to 100 (from lowest to highest).
If you enabled Easy VPN, you cannot add or delete VLAN interfaces, nor can you edit the security level or interface name. We suggest that you finalize your interface configuration before you enable Easy VPN.
The backup interface does not pass through traffic unless the default route through the primary interface fails. This option is useful for Easy VPN; when the backup interface becomes the primary, the security appliance moves the VPN rules to the new primary interface.
Add/Edit Interface > General The Add/Edit Interface > General tab lets you add or edit a VLAN interface. If you intend to use an interface for failover, do not configure the interface in this dialog box; instead, use the Failover: Setup tab.
Retry Count—Sets the number of times between 4 and 16 that the security appliance resends a DHCP request if it does not receive a reply after the first attempt. The total number of attempts is the retry count plus the first attempt. For example, if you set the retry count to 4, the security appliance sends up to 5 DHCP requests.
Modes The following table shows the modes in which this feature is available: Firewall Mode Security Context Multiple Routed Transparent Single • • • Context System — — Add/Edit Interface > Advanced The Add/Edit Interface > Advanced tab lets you set the MTU, VLAN ID, MAC addresses, and other options. Fields • MTU—Sets the MTU from 300 to 65,535 bytes.
– Block Traffic from this Interface to—Choose a VLAN ID in the list. • Select Backup Interface—Shows the backup ISP interface for this interface. If this interface fails, the backup interface takes over. The backup interface does not pass through traffic unless the default route through the primary interface fails.
• Mode—The mode, Access or Trunk. Access ports can be assigned to one VLAN. Trunk ports can carry multiple VLANs using 802.1Q tagging. Trunk mode is available only with the Security Plus license. • Protected—Shows if this switch port is protected, Yes or No. This option prevents the switch port from communicating with other protected switch ports on the same VLAN.
Interfaces > Interfaces tab and specify the switch port in the Add/Edit Interface > General tab rather than specifying it in this dialog box; in either case, you need to add the VLAN on the Interfaces > Interfaces tab and assign the switch port to it. • Isolated—This option prevents the switch port from communicating with other protected switch ports on the same VLAN.
Chapter 10 Configuring Security Contexts This chapter describes how to use security contexts and enable multiple context mode. This chapter includes the following sections: • Security Context Overview, page 10-1 • Enabling or Disabling Multiple Context Mode, page 10-9 • Configuring Resource Classes, page 10-10 • Configuring Security Contexts, page 10-16 Security Context Overview You can partition a single security appliance into multiple virtual devices, known as security contexts.
Common Uses for Security Contexts You might want to use multiple security contexts in the following situations: • You are a service provider and want to sell security services to many customers. By enabling multiple security contexts on the security appliance, you can implement a cost-effective, space-saving solution that keeps all customer traffic separate and secure, and also eases configuration.
• Invalid Classifier Criteria, page 10-4 • Classification Examples, page 10-4 Note If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and delivered to each context.
static (inside,shared) 10.30.10.0 10.30.10.0 netmask 255.255.255.0 Note For management traffic destined for an interface, the interface IP address is used for classification. Invalid Classifier Criteria The following configurations are not used for packet classification: • NAT exemption—The classifier does not use a NAT exemption configuration for classification purposes because NAT exemption does not identify a mapped interface.
Figure 10-2 shows multiple contexts sharing an outside interface without MAC addresses assigned. The classifier assigns the packet to Context B because Context B includes the address translation that matches the destination address. Figure 10-2 Packet Classification with a Shared Interface using NAT (figure shows a packet from the Internet with destination 209.165.201.3)
Figure 10-3 Incoming Traffic from Inside Networks (figure shows the Admin Context, Context A and Context B, each with its own inside subinterface)
For transparent firewalls, you must use unique interfaces. Figure 10-4 shows a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is Gigabit Ethernet 1/0.3, which is assigned to Context B. Figure 10-4 Transparent Firewall Contexts
Figure 10-5 shows a gateway context with two contexts behind the gateway. Figure 10-5 Cascading Contexts (figure shows the Gateway Context with its outside and shared inside interface, and the Admin Context and Context A behind it)
log in with a username, enter the login command. For example, you log in to the admin context with the username “admin.” The admin context does not have any command authorization configuration, but all other contexts include command authorization. For convenience, each context configuration includes a user “admin” with maximum privileges.
original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory). The original startup configuration is not saved. The security appliance automatically adds an entry for the admin context to the system configuration with the name “admin.” To enable multiple mode, enter the following command: hostname(config)# mode multiple You are prompted to reboot the security appliance.
Classes and Class Members Overview The security appliance manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class.
Figure 10-7 Unlimited Resources (legend: Maximum connections allowed; Connections in use; Connections denied because system limit was reached; contexts A, B, C in the Silver Class and contexts 1, 2, 3 in the Gold Class) Default Class All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to the default class.
Figure 10-8 shows the relationship between the default class and other classes. Contexts A and C belong to classes with some limits set; other limits are inherited from the default class. Context B inherits no limits from default because all limits are set in its class, the Gold class. Context D was not assigned to a class, and is by default a member of the default class.
For resources that do not have a system limit, you cannot set the percentage; you can only set an absolute value. If you do not set a limit, the limit is inherited from the default class. If the default class does not set a limit, then the resource is unlimited, or the system limit if available.
• Inspects/sec—Sets the limit for application inspections per second. Select the check box to enable this limit. If you set the limit to 0, it is unlimited. Step 6 Click OK.
– Peak (#)—Shows the peak number of xlates since the statistics were last cleared, either using the clear resource usage command or because the device rebooted. • NATs—Shows the number of NAT rules. – Context—Shows the name of each context. – NATs (#)—Shows the current number of NAT rules. – NATs (%)—Shows the NAT rules used by this context as a percentage of the total number of NAT rules used by all contexts.
Step 5 From the Interfaces > Physical Interface drop-down list, choose an interface. You can assign the main interface, in which case you leave the subinterface ID blank, or you can assign a subinterface or a range of subinterfaces associated with this interface. In transparent firewall mode, only interfaces that have not been allocated to other contexts are shown.
• Enabling Automatic MAC Address Assignment, page 10-18 MAC Address Overview To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each context interface. The MAC address is used to classify packets within a context. If you share an interface, but do not have unique MAC addresses for the interface in each context, then the destination IP address is used to classify packets.
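The inheritance rules for resource classes (class limit, then default class, then system limit; percentages only for resources that have a system limit; 0 means unlimited) as a small resolver. This is an added example, not Cisco code; the system limits, class names and numbers are constructed to mirror Figure 10-8, not real ASA platform values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Union

# Constructed system limits for this example (not real ASA platform numbers).
# None means the resource has no system limit, so a class may only give it
# an absolute value, never a percentage.
SYSTEM_LIMITS: Dict[str, Optional[int]] = {
    "conns": 10000,
    "xlates": 20000,
    "inspects_sec": None,
}

Limit = Union[int, str]  # absolute count, or a percentage string such as "20%"


@dataclass
class ResourceClass:
    name: str
    limits: Dict[str, Limit] = field(default_factory=dict)


def _absolute(resource: str, raw: Limit) -> Optional[int]:
    """Turn one configured limit into an absolute count; None means unlimited."""
    if isinstance(raw, str) and raw.endswith("%"):
        system = SYSTEM_LIMITS.get(resource)
        if system is None:
            raise ValueError(f"{resource} has no system limit; a percentage is not allowed")
        return system * int(raw[:-1]) // 100
    if raw == 0:  # a limit of 0 means unlimited
        return None
    return int(raw)


def effective_limit(resource: str, cls: Optional[ResourceClass],
                    default_cls: ResourceClass) -> Optional[int]:
    """Resolve the limit a context actually gets: its own class first, then the
    default class, then the system limit (None when there is no system limit)."""
    for candidate in (cls, default_cls):
        if candidate is not None and resource in candidate.limits:
            return _absolute(resource, candidate.limits[resource])
    return SYSTEM_LIMITS.get(resource)


def resolve_context(class_name: Optional[str],
                    classes: Dict[str, ResourceClass]) -> Dict[str, Optional[int]]:
    """Effective limits for one context; a context with no class is in 'default'."""
    cls = classes[class_name] if class_name else None
    return {r: effective_limit(r, cls, classes["default"]) for r in SYSTEM_LIMITS}


def sample_classes() -> Dict[str, ResourceClass]:
    """Constructed classes after Figure 10-8: Gold sets every limit, Silver sets
    some, and the default class supplies the rest."""
    return {
        "default": ResourceClass("default", {"xlates": "5%", "inspects_sec": 1000}),
        "gold": ResourceClass("gold", {"conns": "20%", "xlates": "10%", "inspects_sec": 0}),
        "silver": ResourceClass("silver", {"conns": "10%"}),
    }


if __name__ == "__main__":
    classes = sample_classes()
    for ctx, cls_name in (("B", "gold"), ("A", "silver"), ("D", None)):
        print(ctx, cls_name or "default", resolve_context(cls_name, classes))
```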
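The classification order this chapter describes (unique ingress interface, then unique per-context MAC on a shared interface, then the destination address against static NAT; NAT exemption ignored; multicast and broadcast delivered to every context), as an added model that is not Cisco code. The contexts, MAC addresses and the 10.1.1.13 host are constructed; 209.165.201.3 is the destination from Figure 10-2, and parse_static reads the static line format shown on this page.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


def parse_static(line: str) -> Tuple[str, IPv4Network]:
    """Parse 'static (real_if,mapped_if) mapped real netmask mask' into
    (mapped interface, mapped network); the classifier matches the
    destination IP against the mapped side only."""
    parts = line.split()
    if len(parts) != 6 or parts[0] != "static" or parts[4] != "netmask":
        raise ValueError(f"unsupported static line: {line!r}")
    _real_if, mapped_if = parts[1].strip("()").split(",")
    return mapped_if, ip_network(f"{parts[2]}/{parts[5]}", strict=False)


@dataclass
class Context:
    name: str
    # interface name -> MAC assigned to this context on it (None if not assigned)
    interfaces: Dict[str, Optional[str]]
    # (mapped interface, mapped network) pairs taken from static NAT lines
    static_nat: List[Tuple[str, IPv4Network]] = field(default_factory=list)
    # NAT exemption networks: kept only to show they are NOT classifier criteria
    nat_exempt: List[IPv4Network] = field(default_factory=list)


def is_group_mac(mac: str) -> bool:
    """Multicast and broadcast MACs have the I/G bit (LSB of the first octet) set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def classify(contexts: List[Context], ingress: str, dst_mac: str, dst_ip: str) -> List[str]:
    """Return the names of the contexts that receive the packet; an empty list
    means no context matched and the packet is not classified."""
    owners = [c for c in contexts if ingress in c.interfaces]
    if not owners:
        return []
    if is_group_mac(dst_mac):  # duplicated to every context on the interface
        return [c.name for c in owners]
    if len(owners) == 1:  # interface allocated to exactly one context
        return [owners[0].name]
    macs = [c.interfaces[ingress] for c in owners]
    if None not in macs and len({m.lower() for m in macs}) == len(macs):
        # shared interface with a unique MAC per context: classify by MAC
        return [c.name for c in owners if c.interfaces[ingress].lower() == dst_mac.lower()]
    # otherwise fall back to the destination IP against static NAT mapped addresses
    ip = ip_address(dst_ip)
    return [c.name for c in owners
            if any(mif == ingress and ip in net for mif, net in c.static_nat)]


def sample_contexts(unique_macs: bool) -> List[Context]:
    """Constructed topology after Figure 10-2: contexts A and B share 'outside'."""
    mac_a = "00:aa:00:00:00:01" if unique_macs else None  # constructed MACs
    mac_b = "00:aa:00:00:00:02" if unique_macs else None
    a = Context("A", {"outside": mac_a, "insideA": None},
                nat_exempt=[ip_network("209.165.201.0/24")])  # ignored by classifier
    b = Context("B", {"outside": mac_b, "insideB": None},
                static_nat=[parse_static(
                    "static (inside,outside) 209.165.201.3 10.1.1.13 netmask 255.255.255.255")])
    return [a, b]


if __name__ == "__main__":
    ctxs = sample_contexts(unique_macs=False)
    print(classify(ctxs, "outside", "00:11:22:33:44:55", "209.165.201.3"))  # ['B']
```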
Chapter 11 Configuring Dynamic And Static Routing To configure static routes and dynamic routing protocols, go to the Configuration > Device Setup > Routing area of the ASDM interface. You can configure up to two OSPF, one EIGRP, and one RIP routing process on the security appliance at the same time. Dynamic routing is only available on security appliances in routed firewall mode; you cannot configure dynamic routing protocols on a security appliance in transparent firewall mode.
If NAT is used, if OSPF is operating on public and private areas, and if address filtering is required, then you need to run two OSPF processes—one process for the public areas and one for the private areas. A router that has interfaces in multiple areas is called an Area Border Router (ABR).
Firewall Mode Security Context Multiple Routed • Transparent Single Context System — — — • Setup > Process Instances Tab You can enable up to two OSPF process instances. Each OSPF process has its own associated areas and networks. Fields • OSPF Process 1 and 2 areas—Each area contains the settings for a specific OSPF process. • Enable this OSPF Process—Check the check box to enable an OSPF process.
• RFC 1583 Compatible—Check this check box to calculate summary route costs per RFC 1583. Uncheck this check box to calculate summary route costs per RFC 2328. To minimize the chance of routing loops, all OSPF devices in an OSPF routing domain should have RFC compatibility set identically. This setting is selected by default.
Chapter 11 Configuring Dynamic And Static Routing Dynamic Routing Firewall Mode Security Context Multiple Routed • Transparent Single Context System — — — • Setup > Area/Networks Tab The Area/Networks tab displays the areas, and the networks they contain, for each OSPF process on the security appliance. Fields • Area/Networks—Displays information about the areas and the area networks configured for each OSPF process.
Chapter 11 Configuring Dynamic And Static Routing Dynamic Routing Fields • OSPF Process—When adding a new area, choose the OSPF process ID for the OSPF process for which the area is being. If there is only one OSPF process enabled on the security appliance, then that process is selected by default. When editing an existing area, you cannot change the OSPF process ID. • Area ID—When adding a new area, enter the area ID. You can specify the area ID as either a decimal number or an IP address.
Chapter 11 Configuring Dynamic And Static Routing Dynamic Routing – None—Choose this option to disable OSPF area authentication. This is the default setting. – Password—Choose this option to use a clear text password for area authentication. This option is not recommended where security is a concern. – MD5—Choose this option to use MD5 authentication. • Default Cost—Specify a default cost for the area. Valid values range from 0 to 65535. The default value is 1.
Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple Context —, System —.

Add/Edit Route Summarization

Use the Add Route Summarization dialog box to add a new entry to the Route Summarization table. Use the Edit Route Summarization dialog box to change an existing entry.

Fields

• OSPF Process—Choose the OSPF process the route summary applies to.

Fields

The Filtering table displays the following information. Double-clicking a table entry opens the Add/Edit Filtering Entry dialog box for the selected entry.

• OSPF Process—Displays the OSPF process associated with the filter entry.
• Area ID—Displays the ID of the area associated with the filter entry.
• Filtered Network—Displays the network address being filtered.

• Sequence #—Enter a sequence number for the filter. Valid values range from 1 to 4294967294. When multiple filters apply to an LSA, the filter with the lowest sequence number is used.
• Action—Choose “Permit” to allow the LSA traffic or “Deny” to block the LSA traffic.
• Optional—Contains the optional settings for the filter.
– Lower Range—Specify the minimum prefix length to be matched.

– Interface—Displays the interface name.
– Authentication Type—Displays the type of OSPF authentication enabled on the interface. The authentication type can be one of the following values:
  None—OSPF authentication is disabled.
  Password—Clear text password authentication is enabled.
  MD5—MD5 authentication is enabled.
  Area—The authentication type specified for the area is enabled on the interface.

• MD5 IDs and Keys—Contains the settings for entering the MD5 keys and parameters when MD5 authentication is enabled. All devices on the interface using OSPF authentication must use the same MD5 key and ID.
– Enter MD5 ID and Key—Contains the settings for entering MD5 key information.
  Key ID—Enter a numerical key identifier. Valid values range from 1 to 255.
  Key—An alphanumeric character string of up to 16 bytes.
Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple Context —, System —.

Edit OSPF Interface Properties

Fields

• Interface—Displays the name of the interface for which you are configuring OSPF properties. You cannot edit this field.
• Broadcast—Check this check box to specify that the interface is a broadcast interface. This check box is selected by default for Ethernet interfaces.

Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple Context —, System —.

Edit OSPF Interface Advanced Properties

The Edit OSPF Interface Advanced Properties dialog box lets you change the values for the OSPF hello interval, retransmit interval, transmit delay, and dead interval. Typically, you only need to change these values from the defaults if you are experiencing OSPF problems on your network.

Fields

The Redistribution table displays the following information. Double-clicking a table entry opens the Add/Edit OSPF Redistribution Entry dialog box for the selected entry.

• OSPF Process—Displays the OSPF process associated with the route redistribution entry.
• Protocol—Displays the source protocol the routes are being redistributed from.

Add/Edit OSPF Redistribution Entry

The Add/Edit OSPF Redistribution Entry dialog box lets you add a new redistribution rule to or edit an existing redistribution rule in the Redistribution table. Some of the redistribution rule information cannot be changed when you are editing an existing redistribution rule.

Fields

• OSPF Process—Choose the OSPF process associated with the route redistribution entry.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple Context —, System —.

Static Neighbor

The Static Neighbor pane displays manually defined neighbors; it does not display discovered neighbors. You need to define a static neighbor for each point-to-point, non-broadcast interface.

Fields

• OSPF Process—Choose the OSPF process associated with the static neighbor. If you are editing an existing static neighbor, you cannot change this value.
• Neighbor—Enter the IP address of the static neighbor.
• Interface—Choose the interface associated with the static neighbor. If you are editing an existing static neighbor, you cannot change this value.

Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple Context —, System —.

Add/Edit OSPF Summary Address Entry

The Add/Edit OSPF Summary Address Entry dialog box lets you add new entries to or modify existing entries in the Summary Address table. Some of the summary address information cannot be changed when editing an existing entry.

• Authentication—Displays the type of authentication used by the virtual link:
– None—No authentication is used.
– Password—Clear text password authentication is used.
– MD5—MD5 authentication is used.

You can perform the following actions on the entries in the Virtual Link table:

• Add—Opens the Add/Edit Virtual Link dialog box for adding a new entry to the Virtual Link table.

Advanced OSPF Virtual Link Properties

The Advanced OSPF Virtual Link Properties dialog box lets you configure OSPF authentication and packet intervals.

Fields

• Authentication—Contains the OSPF authentication options.
– None—Choose this option to disable OSPF authentication.
– Password—Choose this option to use clear text password authentication. This is not recommended where security is a concern.

– Dead Interval—Specifies the interval, in seconds, in which no hello packets are received, causing neighbors to declare a router down. Valid values range from 1 to 65535. The default value of this field is four times the interval set by the Hello Interval field.
Setup

Use the Setup pane to enable RIP on the security appliance and to configure global RIP protocol parameters. You can only enable a single RIP process on the security appliance.

Fields

• Enable RIP Routing—Check this check box to enable RIP routing on the security appliance. When you enable RIP, it is enabled on all interfaces. Checking this check box also enables the other fields on this pane.

Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple Context —, System —.

Interface

The Interface pane allows you to configure interface-specific RIP settings, such as the version of RIP the interface sends and receives and the authentication method, if any, used for the RIP broadcasts.

Fields

• Interface table—Each row displays the interface-specific RIP settings for an interface.

• Enable Authentication—Check this check box to enable RIP authentication. Uncheck this check box to disable RIP broadcast authentication.
– Key—The key used by the authentication method. Can contain up to 16 characters.
– Key ID—The key ID. Valid values are from 0 to 255.
– Authentication Mode—You can select the following authentication modes:
  MD5—Uses MD5 for RIP message authentication.

– In—Filters networks on incoming RIP updates.
– Out—Filters networks from outgoing RIP updates.
• Interface—You can select a specific interface for the filter rule, or you can select the All Interfaces option to apply the filter to all interfaces.
• Action—(Display only) Displays Permit if the specified network is not filtered from incoming or outgoing RIP advertisements.

Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple Context —, System —.

Redistribution

The Redistribution pane displays the routes that are being redistributed from other routing processes into the RIP routing process.

Fields

• Protocol—(Display only) Displays the routing protocol being redistributed into the RIP routing process:
– Static—Static routes.
– Connected—Directly connected networks.
– OSPF and OSPF ID—Routes discovered by the OSPF routing process. If you choose OSPF, you must also enter the OSPF process ID. Additionally, you can select the specific types of OSPF routes to redistribute from the Match area.
– EIGRP and EIGRP ID—Routes discovered by the EIGRP routing process. If you choose EIGRP, you must also specify the autonomous system number of the EIGRP routing process in the EIGRP ID field.
Configuring EIGRP

To configure EIGRP routing on the security appliance, perform the following steps:

Step 1 Go to the Configuration > Device Setup > Routing > EIGRP area of the ASDM interface.
Step 2 Enable the EIGRP routing process on the Setup > Process Instances tab. See Process Instances, page 11-30 for more information.
Step 3 (Optional) Configure the EIGRP routing process parameters.

Step 10 (Optional) Control the sending and receiving of default route information in EIGRP updates on the Default Information pane. By default, default routes are sent and accepted. See Default Information, page 11-39 for more information.

• Advanced—Click this button to configure the EIGRP process settings, such as the router ID, default metrics, stub routing settings, neighbor change and warning logging, and the administrative distances for the EIGRP routes.

– Stub Connected—Advertises connected routes.
– Stub Static—Advertises static routes.
– Stub Redistributed—Advertises redistributed routes.
– Stub Summary—Advertises summary routes.
• Adjacency Changes—Lets you configure the logging of neighbor warning and change messages. Logging for both is enabled by default.
– Log Neighbor Changes—Check to enable or uncheck to disable the logging of neighbor adjacency changes.

• EIGRP AS—Displays the autonomous system number of the EIGRP routing process.
• IP Address—Enter the IP address of the networks to participate in the EIGRP routing process.
• Network Mask—Select or enter a network mask to apply to the IP address.
Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple Context —, System —.

For More Information

• Configuring EIGRP, page 11-29

Filter Rules

The Filter Rules pane displays the route filtering rules configured for the EIGRP routing process. Filter rules let you control which routes are accepted or advertised by the EIGRP routing process.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple Context —, System —.

For More Information

• Configuring EIGRP, page 11-29

Interface

The Interface pane displays the EIGRP interface configurations.

Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple Context —, System —.

For More Information

• Configuring EIGRP, page 11-29

Redistribution

The Redistribution pane displays the rules for redistributing routes from other routing protocols into the EIGRP routing process. Each row of the Redistribution pane table contains a route redistribution entry.

• Optional OSPF Redistribution—These options let you further specify which OSPF routes are redistributed into the EIGRP routing process.
– Match Internal—Match routes internal to the specified OSPF process.
– Match External 1—Match type 1 routes external to the specified OSPF process.
– Match External 2—Match type 2 routes external to the specified OSPF process.

Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple Context —, System —.

For More Information

• Configuring EIGRP, page 11-29

Summary Address

The Summary Address pane displays a table of the statically-defined EIGRP summary addresses. By default, EIGRP summarizes subnet routes to the network level. You can create statically-defined EIGRP summary addresses to the subnet level from the Summary Address pane.

Default Information

The Default Information pane displays a table of rules for controlling the sending and receiving of default route information in EIGRP updates. You can have one “in” and one “out” rule for each EIGRP routing process (only one process is currently supported). By default, default routes are sent and accepted.
Static Routes

• IP Address—Type the IP address of the network being permitted or denied. To permit or deny all addresses, use the IP address 0.0.0.0 with a network mask of 0.0.0.0.
• Netmask—Specify the network mask applied to the network IP address. You can type a network mask into this field or select one of the common masks from the list.

The default route identifies the gateway IP address to which the security appliance sends all IP packets for which it does not have a learned or static route. A default route is simply a static route with 0.0.0.0/0 as the destination IP address. Routes that identify a specific destination take precedence over the default route. You can define up to three equal cost default route entries per device.

Configuring Static Route Tracking

This procedure provides an overview of configuring static route tracking. For specific information about the various fields used to configure this feature, see Field Information for Static Routes, page 11-42.

To configure tracking for a static route, perform the following steps:

Step 1 Choose a target of interest. Make sure the target responds to echo requests.
Step 2 Open the Static Routes page.

• Interface—(Display only) Lists the internal or external network interface name enabled in Interfaces.
• IP Address—(Display only) Lists the internal or external network IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 IP address can be abbreviated as 0.
• Netmask—(Display only) Lists the network mask address that applies to the IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.

• None—No options are specified for the static route.
• Tunneled—Used only for the default route. Only one default tunneled gateway is allowed per security appliance. The Tunneled option is not supported in transparent mode.
• Tracked—Select this option to specify that the route is tracked. Specifying this option starts the route tracking process.
– Track ID—A unique identifier for the route tracking process.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode Security Context Multiple Routed • Transparent Single Context System — — — •

ASR Group

Use the ASR Group screen to assign asynchronous routing group ID numbers to interfaces. In some situations, return traffic for a session may be routed through a different interface than it originated from.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed •, Transparent •. Security Context: Single •, Multiple Context •, System —.

Proxy ARPs

In rare circumstances, you might want to disable proxy ARP for global addresses. When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device.
CHAPTER 12 Configuring Multicast Routing

Multicast routing is supported in single, routed mode only. This section contains the following topics:

• Multicast, page 12-1—enable or disable multicast routing on the security appliance.
• IGMP, page 12-2—configure IGMP on the security appliance.
• Multicast Route, page 12-7—define static multicast routes.
• MBoundary, page 12-9—configure boundaries for administratively-scoped multicast addresses.

For More Information

Configuring Multicast Routing, page 12-1
IGMP, page 12-2
Multicast Route, page 12-7
MBoundary, page 12-9
MForwarding, page 12-11
PIM, page 12-11

IGMP

IP hosts use IGMP to report their group memberships to directly connected multicast routers. IGMP uses group addresses (Class D IP addresses). Host group addresses can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is never assigned to any group. The address 224.0.0.

• Add—Opens the Add/Edit Access Group dialog box. Use this button to add a new access group entry at the bottom of the table.
• Edit—Opens the Add/Edit Access Group dialog box. Use this button to change the information for the selected access group entry.
• Delete—Removes the selected access group entry from the table.

Note If you simply want to forward multicast packets for a specific group to an interface without the security appliance accepting those packets as part of the group, see Static Group.

Fields

• Join Group—Displays the multicast group membership for each interface.
– Interface—Displays the name of the security appliance interface.
– Multicast Group Address—Displays the address of a multicast group that the interface belongs to.

Protocol

The Protocol pane displays the IGMP parameters for each interface on the security appliance.

Fields

• Protocol—Displays the IGMP parameters set on each interface. Double-clicking a row in the table opens the Configure IGMP Parameters dialog box for the selected interface.
– Interface—Displays the name of the interface.
– Enabled—Displays “Yes” if IGMP is enabled on the interface. Displays “No” if IGMP is disabled on the interface.

• Query Interval—Enter the interval, in seconds, at which the designated router sends IGMP host-query messages. Valid values range from 1 to 3600 seconds. The default value is 125 seconds.
• Query Timeout—Enter the period of time, in seconds, that the security appliance waits before taking over as the querier for the interface after the previous querier has stopped doing so. Valid values range from 60 to 300 seconds. The default value is 255 seconds.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple Context —, System —.

Add/Edit IGMP Static Group

Use the Add IGMP Static Group dialog box to statically assign a multicast group to an interface. Use the Edit IGMP Static Group dialog box to change existing static group assignments.

• Edit—Opens the Add/Edit Multicast Route dialog box. Use this button to change the selected static multicast route.
• Delete—Use this button to remove the selected static route.

MBoundary

The MBoundary pane lets you configure a multicast boundary for administratively-scoped multicast addresses. A multicast boundary restricts multicast data packet flows and enables reuse of the same multicast group address in different administrative domains. When a multicast boundary is defined on an interface, only the multicast traffic permitted by the filter ACL passes through the interface.

• Action—The action for the filter entry. Permit allows the specified traffic to pass. Deny prevents the specified traffic from passing through the interface. When a multicast boundary filter is configured on an interface, multicast traffic is denied by default.
• Network Address—The multicast group address of the group being permitted or denied.
• Netmask—The network mask applied to the multicast group address.

MForwarding

The MForwarding pane lets you disable and re-enable multicast forwarding on a per-interface basis. By default, multicast forwarding is enabled on all interfaces. When multicast forwarding is disabled on an interface, the interface does not accept any multicast packets unless specifically configured through other methods. IGMP packets are also prevented when multicast forwarding is disabled.
PIM

Protocol

The Protocol pane displays the interface-specific PIM properties.

Fields

• Protocol—Displays the PIM settings for each interface. Double-clicking an entry in the table opens the Edit PIM Protocol dialog box for that entry.
– Interface—Displays the name of the security appliance interface.
– PIM Enabled—Displays “Yes” if PIM is enabled on the interface, “No” if PIM is not enabled.
– DR Priority—Displays the interface priority.

Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple Context —, System —.

Neighbor Filter

The Neighbor Filter pane displays the PIM neighbor filters, if any, that are configured on the security appliance. A PIM neighbor filter is an ACL that defines the neighbor devices that can participate in PIM. If a neighbor filter is not configured for an interface, then there are no restrictions.

Add/Edit/Insert Neighbor Filter Entry

The Add/Edit/Insert Neighbor Filter Entry dialog box lets you create ACL entries for the PIM neighbor filter ACL.

Fields

• Interface—Select the name of the interface the PIM neighbor filter entry applies to from the list.
• Action—Select “permit” to allow the specified neighbors to participate in PIM. Select “deny” to prevent the specified neighbors from participating in PIM.

Fields

The PIM Bidirectional Neighbor Filter table contains the following entries. Double-click an entry to open the Edit Bidirectional Neighbor Filter Entry dialog box for that entry.

• Interface—Displays the interface the bidirectional neighbor filter applies to.
• Action—Displays “permit” if the bidirectional neighbor filter entry allows participation in the DF election process.

Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple Context —, System —.

Rendezvous Points

When you configure PIM, you must choose one or more routers to operate as the RP. An RP is a single, common root of a shared distribution tree and is statically configured on each router. First hop routers use the RP to send register packets on behalf of the source multicast hosts. You can configure a single RP to serve more than one group.
Restrictions

• You cannot use the same RP address twice.
• You cannot specify All Groups for more than one RP.

Fields

• Rendezvous Point IP Address—Enter the IP address of the RP. This is a unicast address. When editing an existing RP entry, you cannot change this value.
• Use bi-directional forwarding—Check this check box if you want the specified multicast groups to operate in bidirectional mode.

Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple Context —, System —.

Multicast Group

Multicast groups are lists of access rules that define which multicast addresses are part of the group. A multicast group can contain a single multicast address or a range of multicast addresses. Use the Add Multicast Group dialog box to create a new multicast group rule.

– Destination—Displays the multicast destination address.
• Insert Before—Opens the Request Filter Entry dialog box. Use this button to add a new multicast group entry before the selected entry in the table.
• Insert After—Opens the Request Filter Entry dialog box. Use this button to add a new multicast group entry after the selected entry in the table.
• Add—Opens the Request Filter Entry dialog box.

Route Tree

By default, PIM leaf routers join the shortest-path tree immediately after the first packet arrives from a new source. This reduces delay, but requires more memory than a shared tree. You can configure whether the security appliance should join the shortest-path tree or use a shared tree, either for all multicast groups or only for specific multicast addresses.
CHAPTER 13 DHCP, DNS and WCCP Services

A DHCP server provides network configuration parameters, such as IP addresses, to DHCP clients. The security appliance can provide DHCP server or DHCP relay services to DHCP clients attached to security appliance interfaces. The DHCP server provides network configuration parameters directly to DHCP clients. DHCP relay passes DHCP requests received on one interface to an external DHCP server located behind a different interface.

DHCP Relay

Prerequisites

Before you can enable a DHCP relay agent on an interface, you must have at least one DHCP relay global server or DHCP relay interface server in the configuration.

Fields

• DHCP Relay Agent—Display only. Contains the fields for configuring the DHCP relay agent.
– Interface—Displays the interface ID.

Edit DHCP Relay Agent Settings

You can enable the DHCP relay agent and configure the relay agent parameters for the selected interface in the Edit DHCP Relay Agent Settings dialog box.

Restrictions

• You cannot enable a DHCP relay agent on an interface that has a DHCP relay global server configured for it.
• You cannot enable a DHCP relay agent on a security appliance that has a DHCP server configured on an interface.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed •, Transparent •. Security Context: Single •, Multiple Context •, System —.

DHCP Server

The DHCP Server pane lets you configure the security appliance interfaces as DHCP servers. You can configure one DHCP server per interface on the security appliance.

Note You cannot configure a DHCP server on an interface that has DHCP relay configured on it.

– Enable Auto-configuration from interface—Check this check box to enable DHCP auto configuration and select the interface from the menu. DHCP auto configuration causes the DHCP server to provide DHCP clients with DNS server, domain name, and WINS server information obtained from a DHCP client running on the specified interface.

Edit DHCP Server

You can enable DHCP and specify the DHCP address pool for the selected interface in the Edit DHCP Server dialog box.

Fields

• Enable DHCP Server—Check this check box to enable the DHCP server on the selected interface. Uncheck this check box to disable DHCP on the selected interface. Disabling the DHCP server on the selected interface does not clear the specified DHCP address pool.

Firewall Mode: Routed •, Transparent •. Security Context: Single •, Multiple Context •, System —.

Advanced DHCP Options

The Advanced DHCP Options dialog box lets you configure DHCP option parameters. You use DHCP options to provide additional information to DHCP clients. For example, DHCP option 150 and DHCP option 66 provide TFTP server information to Cisco IP Phones and Cisco IOS routers.

Note The name of the associated IP Address fields can change based on the DHCP option you chose. For example, if you choose DHCP Option 3 (Router), the fields change name to Router 1 and Router 2.

– IP Address 1—An IP address in dotted-decimal notation.
– IP Address 2—(Optional) An IP address in dotted-decimal notation.
• ASCII—Choose this option to specify that an ASCII value is returned to the DHCP client.
DNS Client

The DNS Client pane shows the DNS server groups and DNS lookup information for the security appliance, so it can resolve server names to IP addresses in your Clientless SSL VPN configuration or certificate configuration. Other features that define server names (such as AAA) do not support DNS resolution.

Fields

• Name—Specifies the server name. For the Edit function, this field is Display only.
• DNS Servers—Manages the DNS server list. You can specify up to six addresses to which DNS requests can be forwarded. The security appliance tries each DNS server in order until it receives a response. You must enable DNS on at least one interface in the DNS Lookup area before you can add a DNS server.
– Server to be Added—Specifies the DNS server IP address.

Dynamic DNS

Fields

• Update Methods—Lists the DDNS update methods that are configured on the security appliance. This table includes:
– Method Name—Display only. Shows the user-defined name for the DDNS update method.
– Interval—Display only. Shows the time between DNS update attempts configured for the update method.
– Update DNS Server Records—Display only.

Add/Edit Dynamic DNS Update Methods

The Add/Edit Dynamic DNS Update Methods dialog box lets you add a new method or edit a previously added method. You can specify the method name (if adding a method), specify the interval between DDNS update attempts, and specify whether the DDNS client attempts to update both or neither of the two DNS records, the A record and the PTR record.

• DHCP Client—This area allows you to specify that the DHCP client updates both the A and PTR DNS records or neither.
Chapter 13 DHCP, DNS and WCCP Services WCCP Add or Edit WCCP Service Group The Add or Edit Service Group dialog box lets you change the service group parameters for a configured service group. Fields • Service—Specifies the service group. You can specify the web cache service, or the identification number of the service. • Web Cache—Specifies the web cache service. The maximum number of services, including those specified with a dynamic service identifier is 256.
Chapter 13 DHCP, DNS and WCCP Services WCCP Firewall Mode Security Context Multiple Routed Transparent Single • • • Context • System • Add or Edit WCCP Redirection The Redirection pane lets you add or change packet redirection on the ingress of an interface using WCCP. Fields • Interface—Choose the interface on which to enable WCCP redirection. • Service Group—Choose the service group. • New—Opens the Add Service Group dialog box.
CH A P T E R 14 Configuring AAA Servers and the Local Database This chapter describes support for AAA (pronounced “triple A”) and how to configure AAA servers and the local database.
AAA Overview
About Authentication
Authentication controls access by requiring valid user credentials, which are typically a username and password.

AAA Server and Local Database Support
The security appliance supports a variety of AAA server types and a local database that is stored on the security appliance. This section describes support for each AAA server type and the local database.
4. Local command authorization is supported by privilege level only.
5. Command accounting is available for TACACS+ only.

RADIUS Server Support
The security appliance supports RADIUS servers.

SDI Server Support
The RSA SecurID servers are also known as SDI servers. This section contains the following topics:
• SDI Version Support, page 14-5
• Two-step Authentication Process, page 14-5
• SDI Primary and Replica Servers, page 14-5
SDI Version Support
The security appliance supports SDI Version 5.0 and 6.0. SDI uses the concepts of an SDI primary and SDI replica servers.

Note The security appliance does not support changing user passwords during tunnel negotiation. To avoid this happening inadvertently, disable password expiration on the Kerberos/Active Directory server for users connecting to the security appliance.

LDAP Server Types
The security appliance supports LDAP version 3 and is compatible with the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server), the Microsoft Active Directory, and other LDAPv3 directory servers.

Local Database Support
The security appliance maintains a local database that you can populate with user profiles. This section contains the following topics:
• User Profiles, page 14-8
• Fallback Support, page 14-8
User Profiles
User profiles contain, at a minimum, a username. Typically, a password is assigned to each username, although passwords are optional.

Configuring AAA Server Groups
If you want to use an external AAA server for authentication, authorization, or accounting, you must first create at least one AAA server group per AAA protocol and add one or more servers to each group. You identify AAA server groups by name. Each server group is specific to one type of server: Kerberos, LDAP, NT, RADIUS, SDI, or TACACS+.

In Timed mode, failed servers are reactivated after 30 seconds of down time.
Note This option is not available for the HTTP Form protocol.
Step 6 If you chose Depletion reactivation mode, add a time interval in the Dead Time field. The Dead Time is the duration of time, in minutes, to elapse between the disabling of the last server in a group and the subsequent reenabling of all servers.
• Kerberos Server Fields, page 14-14
• LDAP Server Fields, page 14-15
• HTTP Form Server Fields, page 14-17
Step 7 Click OK. The dialog box closes and the AAA server is added to the AAA server group.
Step 8 In the AAA Server Groups pane, click Apply to save the changes. The changes are saved.
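The reactivation rules described in the steps above, worked through in Python as an added example that is not part of the ASDM guide or of the appliance software: a group tries its servers in configured order, marks a non-responding server as failed, and brings failed servers back according to the reactivation mode. In Timed mode a failed server returns after 30 seconds; in Depletion mode failed servers stay down until the last server in the group has also failed, and Dead Time minutes later all of them are reenabled together. The server names "A" and "B", the clock values and the request outcomes are constructed for the example.

```python
"""Added example: AAA server group failover and reactivation (Timed vs. Depletion).

Not from the ASDM guide; server names, clock values and outcomes are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class AAAServer:
    name: str
    down_since: Optional[float] = None  # None while the server is active

    @property
    def active(self) -> bool:
        return self.down_since is None


@dataclass
class AAAServerGroup:
    servers: List[AAAServer]
    mode: str = "depletion"            # "depletion" or "timed"
    dead_time_min: int = 10            # Dead Time field, in minutes (Depletion mode only)
    timed_reactivation_s: int = 30     # fixed 30 s down time in Timed mode
    _depleted_at: Optional[float] = field(default=None, init=False)

    def reactivate(self, now: float) -> None:
        """Bring servers back according to the group's reactivation mode."""
        if self.mode == "timed":
            for s in self.servers:
                if not s.active and now - s.down_since >= self.timed_reactivation_s:
                    s.down_since = None
        elif self._depleted_at is not None and now - self._depleted_at >= self.dead_time_min * 60:
            # Depletion: the whole group comes back at once after Dead Time.
            for s in self.servers:
                s.down_since = None
            self._depleted_at = None

    def mark_failed(self, server: AAAServer, now: float) -> None:
        """Record a non-responding server; in Depletion mode, start Dead Time
        when the last active server goes down."""
        server.down_since = now
        if self.mode == "depletion" and not any(s.active for s in self.servers):
            self._depleted_at = now

    def active_servers(self, now: float) -> List[str]:
        self.reactivate(now)
        return [s.name for s in self.servers if s.active]

    def authenticate(self, now: float, responds: Callable[[str], bool]) -> Optional[str]:
        """Try active servers in configured order. `responds(name)` stands in for
        the network exchange and returns True when that server answered.
        Returns the name of the answering server, or None if none is available."""
        self.reactivate(now)
        for s in self.servers:
            if not s.active:
                continue
            if responds(s.name):
                return s.name
            self.mark_failed(s, now)
        return None


def demo() -> dict:
    """Walk both modes through a constructed outage of server A."""
    results = {}
    # Timed mode: A is down, B answers; A is reactivated 30 s after it failed.
    timed = AAAServerGroup([AAAServer("A"), AAAServer("B")], mode="timed")
    results["timed_first"] = timed.authenticate(now=0, responds=lambda n: n != "A")
    results["timed_active_at_10s"] = timed.active_servers(now=10)
    results["timed_active_at_30s"] = timed.active_servers(now=30)

    # Depletion mode with Dead Time 1 minute: nothing answers, the group is depleted,
    # and every server is reenabled together 60 s later.
    depl = AAAServerGroup([AAAServer("A"), AAAServer("B")], mode="depletion", dead_time_min=1)
    results["depl_first"] = depl.authenticate(now=0, responds=lambda n: False)
    results["depl_active_at_59s"] = depl.active_servers(now=59)
    results["depl_active_at_60s"] = depl.active_servers(now=60)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The difference that matters operationally is visible in the depletion run: between the last failure and the end of Dead Time the group has no active server at all, so whatever the appliance does when a group is exhausted (for example, local database fallback where it is configured) is what users experience for that interval.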
• Common Password—A case-sensitive password that is common among users who access this RADIUS authorization server through this security appliance. Be sure to provide this information to your RADIUS server administrator.
Note For an authentication RADIUS server (rather than authorization), do not configure a common password.

TACACS+ Server Fields
The following table describes the unique fields for configuring TACACS+ servers, for use with the “Adding a Server to a Group” section on page 14-10.
• Server Port—The port to be used for this server.
• Server Secret Key—The shared secret key used to authenticate the TACACS+ server to the security appliance.

Kerberos Server Fields
The following table describes the unique fields for configuring Kerberos servers, for use with the “Adding a Server to a Group” section on page 14-10.
• Server Port—The UDP port over which the security appliance communicates with the Kerberos server. The default is port 88.

LDAP Server Fields
The following table describes the unique fields for configuring LDAP servers, for use with the “Adding a Server to a Group” section on page 14-10.
• Enable LDAP over SSL check box—When checked, SSL secures communications between the security appliance and the LDAP server. Also called secure LDAP (LDAP-S).
• Login DN—The security appliance uses the Login Distinguished Name (DN) and Login Password to establish trust (bind) with an LDAP server. The Login DN represents a user record in the LDAP server that the administrator uses for binding. When binding, the security appliance authenticates to the server using the Login DN and the Login Password.
• Group Base DN—Used only for Active Directory servers using LDAP protocol. This DN specifies the location in the LDAP hierarchy to begin searching for the AD groups, that is, the list of memberOf enumerations. If this field is not configured, the security appliance uses the Base DN for AD group retrieval.

HTTP Form Server Fields
• Hidden Values—The hidden parameters for the HTTP POST request submitted to the authenticating web server for SSO authentication. This parameter is necessary only when it is expected by the authenticating web server, as indicated by its presence in the HTTP POST request. The maximum number of characters is 2048.

Note Although you can configure HTTP authentication using the local database, that functionality is always enabled by default. You should only configure HTTP authentication if you want to use a RADIUS or TACACS+ server for authentication.
• Console authentication
• Telnet and SSH authentication
• enable command authentication—This setting is for CLI access only and does not affect the ASDM login.

• Full Access (ASDM, Telnet, SSH and console)—If you configure authentication for management access using the local database, then this option lets the user use ASDM, SSH, Telnet, and the console port. If you also configure enable authentication, then the user can access global configuration mode.
– Privilege Level—Selects the privilege level for this user to use with local command authorization.
– IPSec—IP Security Protocol. IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol. Both LAN-to-LAN (peer-to-peer) connections and client-to-LAN connections can use IPSec.
– Clientless SSL VPN—VPN via SSL/TLS. Uses a web browser to establish a secure remote-access tunnel to a VPN Concentrator; requires neither a software nor hardware client.
• Maximum Connect Time—If the Inherit check box is not selected, this parameter specifies the maximum user connection time in minutes. At the end of this time, the system terminates the connection. The minimum is 1 minute, and the maximum is 2147483647 minutes (over 4000 years). To allow unlimited connection time, select the Unlimited check box (the default).

Configuring LDAP Attribute Maps
Step 2 In the Name field, add a name for the map.
Step 3 In the Customer Name field, add the name of your organization’s corresponding attribute.
Step 4 From the Cisco Name drop-down list, choose an attribute.
Step 5 Click Add.
Step 6 To add more names, repeat steps 1 through 5.
Step 7 To map the customer names, click the Map Value tab.
Step 8 Click Add.
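What the map built in these steps does to a directory entry, as an added Python example that is not from the ASDM guide or the appliance software: the Map Name tab pairs an attribute name from your directory (the Customer Name) with a Cisco attribute name, and the Map Value tab translates individual values of that attribute. The sample entry, the directory attribute names department and title, and the Cisco attribute names IETF-Radius-Class and Banner1 are assumptions chosen for illustration; the Cisco names actually offered in the drop-down list come from the appliance, and how the appliance treats a value with no value mapping is not stated on this page, so the pass-through below is the example's own choice.

```python
"""Added example: an LDAP attribute map (name map + value map) applied to an entry.

Not from the ASDM guide. Directory attribute names, Cisco attribute names and the
sample entry are constructed for illustration.
"""


class LdapAttributeMap:
    """One attribute map: Map Name tab (names) and Map Value tab (values)."""

    def __init__(self, name):
        self.name = name
        self.names = {}   # directory attribute name, lower-cased -> Cisco attribute name
        self.values = {}  # Cisco attribute name -> {directory value: Cisco value}

    def map_name(self, customer_name, cisco_name):
        # LDAP attribute names are case-insensitive, so normalise before storing.
        self.names[customer_name.lower()] = cisco_name

    def map_value(self, cisco_name, customer_value, cisco_value):
        self.values.setdefault(cisco_name, {})[customer_value] = cisco_value

    def apply(self, entry):
        """Translate an LDAP entry ({attribute: [values]}) into Cisco attributes.

        Attributes with no name mapping are dropped. A value with no value mapping
        is passed through unchanged (this example's choice, not a statement about
        the appliance).
        """
        result = {}
        for attr, values in entry.items():
            cisco = self.names.get(attr.lower())
            if cisco is None:
                continue
            translations = self.values.get(cisco, {})
            result[cisco] = [translations.get(v, v) for v in values]
        return result


def build_sample_map():
    """Constructed map: department -> IETF-Radius-Class with value translation,
    title -> Banner1 with no value translation (assumed Cisco attribute names)."""
    m = LdapAttributeMap("corp-map")
    m.map_name("department", "IETF-Radius-Class")
    m.map_value("IETF-Radius-Class", "Engineering", "eng-policy")
    m.map_value("IETF-Radius-Class", "Sales", "sales-policy")
    m.map_name("title", "Banner1")
    return m


def sample_entry():
    """Constructed directory entry, mixed-case attribute name on purpose."""
    return {"cn": ["jdoe"], "Department": ["Engineering"], "title": ["Staff"]}


if __name__ == "__main__":
    print(build_sample_map().apply(sample_entry()))
```

The case-insensitive lookup matters in practice: Active Directory returns attribute names in its own casing, and a map keyed on an exact string would silently drop the attribute and leave the user without the intended policy.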
Application                  Character limit for Authentication prompt
Microsoft Internet Explorer  37
Telnet                       235
FTP                          235
Step 2 In the Messages area, add messages in the User accepted message and User rejected message fields.
CHAPTER 15 High Availability
This section contains the following topics:
• Understanding Failover, page 15-1
• Configuring Failover with the High Availability and Scalability Wizard, page 15-4
• Field Information for the Failover Panes, page 15-14

Understanding Failover
The Failover pane contains the settings for configuring failover on the security appliance.
• Active/Active Failover, page 15-2
• Stateless (Regular) Failover, page 15-3
• Stateful Failover, page 15-3

Active/Standby Failover
In an Active/Standby configuration, the active security appliance handles all network traffic passing through the failover pair. The standby security appliance does not handle network traffic until a failure occurs on the active security appliance.

• Commands entered in the system execution space are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.
• Commands entered in the admin context are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.

• The ISAKMP and IPSec SA table.
The following information is not copied to the standby unit when Stateful Failover is enabled:
• HTTP connection table (unless HTTP replication is enabled).
• The user authentication (uauth) table.
• The ARP table.
• Routing tables.

Configuring Failover with the High Availability and Scalability Wizard
See Choose the Type of Failover Configuration, page 15-7 for more information about this screen.
Step 2 Enter the IP address of the failover peer on the Check Failover Peer Connectivity and Compatibility screen. Click Test Compatibility. You will not be able to move to the next screen until all compatibility tests are passed.

Step 2 Enter the IP address of the failover peer on the Check Failover Peer Connectivity and Compatibility screen. Click Test Compatibility. You will not be able to move to the next screen until all compatibility tests are passed. See Check Failover Peer Connectivity and Compatibility, page 15-8 for more information about this screen.

Field Information for the High Availability and Scalability Wizard
The following dialogs are available in the High Availability and Scalability Wizard. You will not see every dialog box when you run through the wizard; each dialog box appears depending on the type of failover you are configuring and the hardware platform you are configuring it on.

Modes
Firewall Mode: Routed •, Transparent •
Security Context: Single •, Multiple/Context —, Multiple/System •

Check Failover Peer Connectivity and Compatibility
The Check Failover Peer Connectivity and Compatibility screen lets you verify that the selected failover peer is reachable and compatible with the current unit.

You need to convert both the current security appliance and the peer security appliance to multiple context mode before you can proceed.
Fields
• Change device To Multiple Context—Causes the security appliance to change to multiple context mode. device is the hostname of the security appliance.
• Change device (peer) To Multiple Context—Causes the peer unit to change to multiple context mode.

Although you can create security contexts on this screen, you cannot assign interfaces to those contexts or configure any other properties for them. To configure context properties and assign interfaces to a context, you need to use the System > Security Contexts pane.
Fields
• Name—Displays the name of the security context. To change the name, click the name and type a new name.

State Link Configuration
The State Link Configuration screen does not appear in the wizard for ASDM running on the ASA 5505 platform. The State Link Configuration lets you enable Stateful Failover and configure the Stateful Failover link properties.
Fields
• Use the LAN link as the State Link—Choose this option to pass state information across the LAN-based failover link.

• Active IP—Double-click this field to edit or add an active IP address. Changes to this field also appear in the Standby IP field for the corresponding interface on the peer unit.
• Standby IP—Double-click this field to edit or add a standby IP address. Changes to this field also appear in the Active IP field for the corresponding interface on the peer unit.

Note Load balancing is effective only on remote sessions initiated with the Cisco VPN Client (Release 3.0 and later), the Cisco VPN 3002 Hardware Client (Release 3.5 and later), or the ASA 5505 operating as an Easy VPN Client. All other clients, including LAN-to-LAN connections, can connect to a security appliance on which load balancing is enabled, but they cannot participate in load balancing.

• Private Interface Of This Device—Specifies the name or IP address of the private interface for this device.
• Send FQDN to client—Check this check box to cause the VPN cluster master to send a fully qualified domain name using the host and domain name of the cluster device instead of the outside IP address when redirecting VPN client connections to that cluster device.
Failover - Single Mode
The Failover pane contains the tabs where you can configure Active/Standby failover in single context mode. For more information about failover, see Understanding Failover. For more information about configuring the settings on each tab of the Failover pane, see the following information. Note that the Interfaces tab changes based on whether you are in routed firewall mode or transparent firewall mode.

– Interface—Specifies the interface used for failover communication. Failover requires a dedicated interface; however, you can share the interface with Stateful Failover. Only unconfigured interfaces or subinterfaces are displayed in this list and can be selected as the LAN Failover interface. Once you specify an interface as the LAN Failover interface, you cannot edit that interface in the Configuration > Interfaces pane.
– Logical Name—Specifies the logical interface used for failover communication. If you selected the Use Named option in the Interface drop-down list, this field displays a list of named interfaces. This field is dimmed if the LAN Failover interface is selected in the Interface drop-down list.
– Standby IP—Specifies the IP address used by the secondary unit to communicate with the primary unit.

Modes
Firewall Mode Security Context Multiple Routed • Transparent Single Context System — — — •
For More Information
For more information about failover in general, see Understanding Failover.

Edit Failover Interface Configuration (Routed Firewall Mode)
Use the Edit Failover Interface Configuration dialog box to define the standby IP address for an interface and to specify whether the status of the interface should be monitored.

Failover: Interfaces (Transparent Firewall Mode)
Use this tab to define the standby management IP address and to specify whether the status of the interfaces on the security appliance should be monitored.
Fields
• Interface—Lists the interfaces on the security appliance and identifies their monitoring status.
– Interface Name column—Identifies the interface name.
– No Link—The physical link for the interface is down.
– Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed —, Transparent •
Security Context: Single •, Multiple/Context —, Multiple/System —
For More Information
For more information about failover in general, see Understanding Failover.

Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed •, Transparent •
Security Context: Single •, Multiple/Context —, Multiple/System —
For More Information
For more information about failover in general, see Understanding Failover.

Failover: MAC Addresses
The MAC Addresses tab lets you configure the virtual MAC addresses for the interfaces in an Active/Standby failover pair.
• Delete—Removes the currently selected interface from the MAC addresses table. There is no confirmation or undo.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed •, Transparent •
Security Context: Single •, Multiple/Context —, Multiple/System —
For More Information
For more information about failover in general, see Understanding Failover.

Failover-Multiple Mode, Security Context
The fields displayed on the Failover pane in multiple context mode change depending upon whether the context is in transparent or routed firewall mode.
• Subnet Mask—Identifies the mask for this interface. This field does not appear if an IP address has not been assigned to the interface.
• Standby IP Address—Specifies the IP address of the corresponding interface on the standby failover unit. This field does not appear if an IP address has not been assigned to the interface.
• Monitor interface for failure—Specifies whether this interface is monitored for failure.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed —, Transparent •
Security Context: Single —, Multiple/Context •, Multiple/System —
For More Information
For more information about failover in general, see Understanding Failover.

Edit Failover Interface Configuration
Use the Edit Failover Interface Configuration dialog box to specify whether the status of the interface should be monitored.

Failover-Multiple Mode, System
This pane includes tabs for configuring the system-level failover settings in the system context of a security appliance in multiple context mode. In multiple mode, you can configure Active/Standby or Active/Active failover. Active/Active failover is automatically enabled when you create failover groups in the device manager.

Only unconfigured interfaces or subinterfaces that have not been assigned to a context are displayed in this list and can be selected as the LAN Failover interface. Once you specify an interface as the LAN Failover interface, you cannot edit that interface in the Configuration > Interfaces pane or assign that interface to a context.
– Active IP—Specifies the IP address for the failover interface on the active unit.

Failover > Criteria Tab
Use this tab to define criteria for failover, such as how many interfaces must fail and how long to wait between polls. The hold time specifies the interval to wait without receiving a response to a poll before unit failover.

Failover > Active/Active Tab
Use this tab to enable Active/Active failover on the security appliance by defining failover groups. In an Active/Active failover configuration, both security appliances pass network traffic. Active/Active failover is only available to security appliances in multiple mode. A failover group is simply a logical group of security contexts. You can create two failover groups on the security appliance.
Modes
Firewall Mode: Routed •, Transparent •
Security Context: Single —, Multiple/Context —, Multiple/System •
For More Information
For more information about failover in general, see Understanding Failover.

Add/Edit Failover Group
Use the Add/Edit Failover Group dialog box to define failover groups for an Active/Active failover configuration.
– Active MAC Address—Displays the MAC address for the interface and failover group on the unit where the failover group is active.
– Standby MAC Address—Displays the MAC address for the interface and failover group on the unit where the failover group is in the standby state.
• Add—Displays the Add Interface MAC Address dialog box. You cannot assign virtual MAC addresses to the LAN failover and Stateful Failover interfaces.
– Active Interface—Specifies the MAC address for the interface and failover group on the unit where the failover group is active. Each interface may have up to two MAC addresses, one for each failover group, which override the physical MAC address. Enter the MAC address in hexadecimal format (for example, 0123.4567.89AB).
– Standby MAC Address—Identifies the MAC address on the standby security appliance (usually secondary).
• Add—Displays the Add/Edit Interface MAC Address dialog box.
• Edit—Displays the Add/Edit Interface MAC Address dialog box for the selected interface.
• Delete—Removes the currently selected interface from the MAC addresses table. There is no confirmation or undo.
For More Information
For more information about failover in general, see Understanding Failover.
CHAPTER 16 Configuring Management Access
This chapter contains the following topics:
• Configuring Device Access for ASDM, Telnet, or SSH, page 16-1
• Configuring CLI Parameters, page 16-2
• Configuring File Access, page 16-4
• Configuring ICMP Access, page 16-7
• Configuring a Management Interface, page 16-9
• Configuring SNMP, page 16-9
• Configuring Management Access Rules, page 16-19
• Configuring AAA for System Administrators, page 16-20
Configuring Device Access for

Step 10 For SSH sessions, the default timeout value is 60 minutes. To change this value, type a new one in the SSH Timeout field.
Step 11 Click Apply. The changes are saved to the running configuration.

• Login Banner—This banner appears when a user logs in to the CLI.
• Message-of-the-day (motd) Banner—This banner appears when a user first connects to the CLI.
• ASDM Banner—This banner appears when a user connects to ASDM, following user authentication. The user is given two options for dismissing the banner:
– Continue—Dismiss the banner and complete login as usual.
– Disconnect—Dismiss the banner and terminate the connection.

The prompt is changed and displays in the CLI Prompt Preview field.
Step 2 Click Apply. The new prompt is saved to the running configuration.

Configuring the Security Appliance as a Secure Copy Server
You can enable the secure copy server on the security appliance. Only clients that are allowed to access the security appliance using SSH can establish a secure copy connection. This implementation of the secure copy server has the following limitations:
• The server can accept and terminate connections for secure copy, but cannot initiate them.

The changes are saved to the running configuration. This TFTP server will be used to save the security appliance configuration files. For more information, see Save Running Configuration to TFTP Server, page 3-4.

To define an FTP mount point, perform the following steps:
Step 1 From the Configuration > Device Management > Management Access > File Access > Mount-Points pane, click Add > FTP Mount Point. The Add FTP Mount Point dialog box appears.
Step 2 Check the Enable check box. This option attaches the FTP file system on the security appliance to the UNIX file tree.

Configuring ICMP Access
To configure ICMP access rules, perform the following steps:
Step 1 From the Configuration > Device Management > Management Access > ICMP pane, click Add. If you want to insert a rule in the ICMP table, click the rule that the new rule will precede, and click Insert. The Create ICMP Rule dialog box appears in the right-hand pane.
Step 2 From the ICMP Type drop-down list, choose the type of ICMP message for this rule.

Step 7
Step 8 (Optional) To set ICMP unreachable message limits, set the following options. Increasing the rate limit, along with enabling the “Decrement time to live for a connection” option on the Configuration > Firewall > Service Policy Rules > Rule Actions > Connection Settings dialog box, is required to allow a traceroute through the security appliance that shows the security appliance as one of the hops.

Configuring SNMP
You can configure the security appliance to send traps (event notifications) to a network management station (NMS), or you can use the NMS to browse the MIBs on the security appliance. Use CiscoWorks for Windows or any other SNMP V1, MIB-II-compliant browser to receive SNMP traps and browse a MIB.
Download Cisco MIBs from the following location: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml. Download Cisco OIDs from the following location: ftp://ftp.cisco.com/pub/mibs/oid/oid.tar.gz.
MIB or Trap Support: RFC1213-MIB
Description of Security Appliance Support: Browsing of the following tables:
• ip.ipAddrTable
• ifTable
The following objects are supported:
RFC1213-MIB::ifNumber.0 = 1
RFC1213-MIB::ifIndex.1 = 1
RFC1213-MIB::ifDescr.1 = "Adaptive Security Appliance 'mgmt' interface"
RFC1213-MIB::ifType.1 = ethernet-csmacd(6)
RFC1213-MIB::ifMtu.1 = 1500
RFC1213-MIB::ifSpeed.1 = Gauge32: 4294967295
RFC1213-MIB::ifPhysAddress.

MIB or Trap Support: ENTITY-MIB
Description of Security Appliance Support: Browsing of the following groups and tables:
• entPhysicalTable
• entLogicalTable
The following objects are supported:
ENTITY-MIB::entPhysicalDescr.1 = ASA 5580 Series SPE40 or SPE20
ENTITY-MIB::entPhysicalDescr.2 = ASA 5580 Series CPU
ENTITY-MIB::entPhysicalDescr.3 = ASA 5580 Series CPU
ENTITY-MIB::entPhysicalDescr.4 = ASA 5580 Series CPU
ENTITY-MIB::entPhysicalDescr.

ENTITY-MIB (continued)
ENTITY-MIB::entPhysicalName.5 = 3
ENTITY-MIB::entPhysicalName.6 = slot 4
ENTITY-MIB::entPhysicalName.7 = slot 5
ENTITY-MIB::entPhysicalName.8 = slot 7
ENTITY-MIB::entPhysicalHardwareRev.1 = V01
ENTITY-MIB::entPhysicalHardwareRev.2 =
ENTITY-MIB::entPhysicalHardwareRev.3 =
ENTITY-MIB::entPhysicalHardwareRev.4 =
ENTITY-MIB::entPhysicalHardwareRev.

ENTITY-MIB::entPhysicalAlias.8 =
ENTITY-MIB::entPhysicalAssetID.1
ENTITY-MIB::entPhysicalAssetID.2
ENTITY-MIB::entPhysicalAssetID.3
ENTITY-MIB::entPhysicalAssetID.8
ENTITY-MIB::entPhysicalIsFRU.1 =
ENTITY-MIB::entPhysicalIsFRU.2 =
ENTITY-MIB::entPhysicalIsFRU.4 =
ENTITY-MIB::entPhysicalIsFRU.5 =
ENTITY-MIB::entPhysicalIsFRU.6 =
ENTITY-MIB::entPhysicalIsFRU.

MIB or Trap Support: CISCO-MEMORY-POOL-MIB
Description of Security Appliance Support: Browsing of the following table:
• ciscoMemoryPoolTable—The memory usage described in this table applies only to the security appliance general-purpose processor, and not to the network processors.
The following objects are supported:
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolName.1 = System memory
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolName.

MIB or Trap Support: CISCO-PROCESS-MIB
Description of Security Appliance Support: Browsing of the following table:
• cpmCPUTotalTable
The following objects are supported:
CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex.1 =
CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex.2 =
CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex.3 =
CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex.4 =
CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex.
• Adding an SNMP Management Station, page 16-18
Configuring the SNMP Agent
To configure an SNMP agent, perform the following steps:
Step 1 From the Configuration > Device Management > Management Access > SNMP pane, in the Community String (default) field, add a default community string. This is the password that the SNMP management stations present when they send requests to the security appliance. Because SNMP versions 1 and 2c carry the community string in cleartext, treat it as a shared secret: do not reuse the login or enable password, and restrict polling to the management stations you add in the following procedure.
Step 9 Click Apply. The management station is configured and the changes are saved to the running configuration.
Configuring SNMP Traps
To designate which traps the SNMP agent generates and how they are collected and sent to network management stations, perform the following steps:
Step 1 From the Configuration > Device Management > Management Access > SNMP pane, click Configure Traps.
Configuring Management Access Rules
Step 8 (Optional) To configure advanced options, click More Options. You can configure the following settings:
• To turn off this Management Access Rule, uncheck Enable Rule.
• To add a source service, enter it in the Source Service field, or click the ellipsis (...) to browse for a source service. The destination service and source service must be the same.
Configuring AAA for System Administrators
If you configure enable authentication, the security appliance prompts you for your username and password. If you do not configure enable authentication, enter the system enable password (set by the enable password command) when you enter the enable command. However, if you do not use enable authentication, after you enter the enable command you are no longer logged in as a particular user.
Limiting User CLI and ASDM Access with Management Authorization
If you configure CLI or enable authentication, you can prevent a local user, or a RADIUS, TACACS+, or LDAP user (if you map LDAP attributes to RADIUS attributes), from accessing the CLI, ASDM, or the enable command.
• Local users: configure the Access Restriction option. See "Add/Edit User Account > Identity". By default, the access restriction is Full Access, which allows full access to any services specified by the Authentication tab options.
About Preserving User Credentials
When a user logs into the security appliance, the user must provide a username and password for authentication. The security appliance retains these session credentials in case further authentication is needed later in the session. When the following configurations are in place, a user needs only to authenticate with the local server upon login.
command accounting records may not readily identify who was logged in as the enable_15 username. If you use different accounting servers for each context, tracking who was using the enable_15 username requires correlating the data from several servers.
– LDAP users: configure the user with a privilege level between 0 and 15, and then map the LDAP attribute to the Cisco VSA CVPN3000-Privilege-Level according to the "Configuring LDAP Attribute Maps" section on page 14-22.
Default Command Privilege Levels
By default, the following commands are assigned to privilege level 0. All other commands are at level 15.
The Variant column displays show, clear, or cmd. You can set the privilege only for the show, clear, or configure form of the command. The configure form of the command is typically the form that causes a configuration change, either as the unmodified command (without the show or clear prefix) or as the no form. To change the level of a command, double-click it or click Edit. You can set the level between 0 and 15.
Configuring Commands on the TACACS+ Server
You can configure commands on a Cisco Secure Access Control Server (ACS) TACACS+ server as a shared profile component, for a group, or for individual users. For third-party TACACS+ servers, see your server documentation for more information about command authorization support. See the following guidelines for configuring commands in Cisco Secure ACS Version 3.
Figure 16-2 Permitting Single Word Commands
• To disallow some arguments, enter the arguments preceded by deny. For example, to allow enable, but not enable password, enter enable in the commands box, and deny password in the arguments box. Be sure to select the Permit Unmatched Args check box so that enable alone is still allowed (see Figure 16-3).
Figure 16-4 Specifying Abbreviations
• We recommend that you allow the following basic commands for all users:
– show checksum
– show curpriv
– enable
– help
– show history
– login
– logout
– pager
– show pager
– clear pager
– quit
– show version
Enabling TACACS+ Command Authorization
Before you enable TACACS+ command authorization, be sure that you are logged into the security appliance as a user that is defined on th
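The following is an added example, not Cisco code and not part of this guide: a small Python model of the TACACS+ command authorization decision described above, using the Cisco Secure ACS semantics the page gives (a command set, deny entries for arguments, and the Permit Unmatched Args check box). It builds the command set from the page's recommended basic commands and the enable / deny password example, so you can see why Permit Unmatched Args must be selected for a bare enable to pass. The names CommandRule, BASIC_COMMAND_SET and authorize are this example's own, and it assumes that an ACS argument entry matches when the typed arguments begin with it at a token boundary; real ACS matching may differ in detail.

```python
"""Model of Cisco Secure ACS style TACACS+ command authorization.
Added example, not Cisco code. ASSUMPTION: an argument entry matches when
the typed arguments start with it at a token boundary."""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class CommandRule:
    """One command in the ACS command set and its argument policy."""
    permit_args: Set[str] = field(default_factory=set)   # 'permit <args>' entries
    deny_args: Set[str] = field(default_factory=set)     # 'deny <args>' entries
    permit_unmatched_args: bool = True                   # the check box on the page


# The page's recommended basic commands for all users, expressed the way ACS
# takes them: the first word is the command, the rest are permitted arguments.
# 'enable' follows the page's example: allow enable, deny 'enable password'.
BASIC_COMMAND_SET: Dict[str, CommandRule] = {
    "show": CommandRule(permit_args={"checksum", "curpriv", "history", "pager", "version"},
                        permit_unmatched_args=False),
    "clear": CommandRule(permit_args={"pager"}, permit_unmatched_args=False),
    "enable": CommandRule(deny_args={"password"}, permit_unmatched_args=True),
    "help": CommandRule(),
    "login": CommandRule(),
    "logout": CommandRule(),
    "pager": CommandRule(),
    "quit": CommandRule(),
}


def _entry_matches(entry: str, args: str) -> bool:
    """'password' matches 'password' and 'password x', but not 'passwords'."""
    return args == entry or args.startswith(entry + " ")


def authorize(command_set: Dict[str, CommandRule], line: str) -> bool:
    """Return True if the typed command line is permitted by the command set."""
    words = line.split()
    if not words:
        return False
    rule = command_set.get(words[0])
    if rule is None:
        return False                      # command not in the set at all
    args = " ".join(words[1:])
    if any(_entry_matches(d, args) for d in rule.deny_args):
        return False                      # explicitly denied arguments
    if any(_entry_matches(p, args) for p in rule.permit_args):
        return True                       # explicitly permitted arguments
    # Anything else, including the bare command with no arguments, is governed
    # by Permit Unmatched Args; that is why the page tells you to select it so
    # that 'enable' by itself stays allowed.
    return rule.permit_unmatched_args


if __name__ == "__main__":
    for cmd in ("enable", "enable password letmein", "show version",
                "show running-config", "clear pager", "configure terminal"):
        verdict = "permit" if authorize(BASIC_COMMAND_SET, cmd) else "deny"
        print(f"{cmd!r:32} -> {verdict}")
```

Note that with Permit Unmatched Args cleared for show and clear, only the listed subcommands pass, which is the behaviour you want for a restricted operator; the same flag set for enable is what lets the bare command through while deny password still blocks enable password.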
Step 4 Click Apply.
Configuring Management Access Accounting
To enable accounting for management access, perform the following steps:
Step 1 You can only account for users that first authenticate with the security appliance, so configure authentication using the "Configuring Authentication for CLI, ASDM, and enable command Access" section on page 16-20.
Recovering from a Lockout
In some circumstances, when you turn on command authorization or CLI authentication, you can be locked out of the security appliance CLI. You can usually recover access by restarting the security appliance. However, if you already saved your configuration, you might be locked out. Table 16-2 lists the common lockout conditions and how you might recover from them.
CHAPTER 17 Configuring Logging
The logging feature lets you enable logging and specify how log information is handled. The Log viewing feature lets you view syslog messages in real time. For a description of the log viewing feature, see Chapter 45, "Monitoring Logging.
Using Logging
After you have defined the security context, choose Configuration > Device Management > Logging. Under Logging, you can do the following:
• In the Logging Setup pane, enable logging and configure the logging parameters. For more information, see Logging Setup, page 17-2.
Logging Setup
Step 4 Check the Send syslogs in EMBLEM format check box to enable EMBLEM format so that it is used for all log destinations except syslog servers.
Step 5 In the Buffer Size field, specify the size of the internal log buffer to which syslog messages are saved if the logging buffer is enabled. When the buffer fills up, messages are overwritten unless you save the logs to an FTP server or to internal flash memory. The default buffer size is 4096 bytes.
Step 4 In the Username field, specify the username to log in to the FTP server.
Step 5 In the Password field, specify the password associated with the username to log in to the FTP server.
Step 6 In the Confirm Password field, reenter the password, and click OK.
Syslog Setup
Step 1 From the Facility code to include in syslogs drop-down list, choose a system log facility for syslog servers to use as a basis to file messages. The default is LOCAL4 (20), which is what most UNIX systems expect. However, because your network devices share the eight available local facilities, you might need to change this value for system logs.
Step 2 To add the date and time to each syslog message sent, check the Include timestamp in syslogs check box.
Step 1 Check the Disable Message(s) check box to disable messages for the syslog message ID(s) displayed in the Syslog ID(s) list.
Step 2 From the Logging Level drop-down list, choose the severity level of messages to be sent for the syslog message ID(s) displayed in the Syslog ID(s) list.
E-Mail Setup
In the User-Defined ID field, specify an alphanumeric, user-defined string.
Step 3 Click OK to close this dialog box.
Event Lists
Add/Edit E-Mail Recipients
The Add/Edit E-Mail Recipient dialog box lets you set up a destination e-mail address for a specified severity of syslog messages to be sent as e-mail messages. The severity level used to filter messages for the destination e-mail address is the higher of the severity level specified in this dialog box and the global filter set for all e-mail recipients in the Logging Filters pane.
• All—All event classes
• auth—User Authentication
• bridge—Transparent firewall
• ca—PKI Certification Authority
• config—Command Interface
• ha—Failover
• ips—Intrusion Protection Service
• ip—IP Stack
• np—Network Processor
• ospf—OSPF Routing
• rip—RIP Routing
• rm—Resource Manager
• session—User Session
• snmp—SNMP
• sys—System
Step 5 Choose the severity level from the drop-down list.
Logging Filters
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        Security Context
Routed  Transparent  Single  Multiple Context  Multiple System
•       •            •       •                 —
Add/Edit Event List
The Add/Edit Event List dialog box lets you create or edit an event list that you can use to specify which messages should be sent to a log destination. You can create event lists that filter messages according to message class and severity level, or by message ID. To add or edit an event list, see Event Lists, page 17-8.
To apply message filters to a log destination, perform the following steps:
Step 1 Choose the name of the logging destination to which you want to apply a filter.
Step 5 Step 6 Step 7 Choose the event class from the drop-down list.
Add/Edit Class and Severity Filter
The Add/Edit Class and Severity Filter dialog box lets you specify a message class and severity level to be used to filter messages. To add or edit a message class and severity level for filtering messages, perform the following steps:
Step 1 Step 2 Step 3 Choose the event class from the drop-down list.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        Security Context
Routed  Transparent  Single  Multiple Context  Multiple System
•       •            •       •                 —
Add/Edit Syslog Message ID Filter
The Add/Edit Syslog Message ID Filter dialog box lets you specify individual syslog message IDs or ranges of IDs to include in the event list filter. To add or edit a syslog message ID filter, see Event Lists, page 17-8.
Rate Limit
Step 2 The No of Messages field displays the number of messages permitted in the interval, and the Interval (Seconds) field displays the interval, in seconds, that limits how many messages at this logging level can be sent. Choose a logging level from the table and click Edit to display the Edit Rate Limit for Syslog Logging Level dialog box. To continue, see Edit Rate Limit for Syslog Logging Level, page 17-15.
Add/Edit Rate Limit for Syslog Message
The Add/Edit Rate Limit for Syslog Message dialog box lets you assign rate limits to a specific syslog message. To add or change the rate limit for a specific syslog message, perform the following steps:
Step 1 To add a rate limit to a specific syslog message, click Add to display the Add Rate Limit for Syslog Message dialog box.
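The following is an added example, not Cisco code and not part of this guide, covering the syslog facility and severity, event list, message ID filter and rate limit material above from the receiving side: a Python consumer that decodes the PRI value of a line as a syslog server sees it (facility times 8 plus severity, LOCAL4 giving 160 plus the severity), checks that the PRI severity agrees with the %ASA-severity-ID tag, applies an event-list style filter (class and severity, or message ID ranges) and a per-message-ID rate limit of N messages per interval. The sample lines are constructed for the example; the CLASS_BY_PREFIX table is a small subset assumed for the example, and the full membership of each logging class comes from the ASA syslog message guide, not from this code. EventList, RateLimiter and forward are this example's own names.

```python
"""ASA syslog consumer: PRI decoding, event-list filtering, rate limiting.
Added example, not Cisco code. CLASS_BY_PREFIX is an ASSUMED subset."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOCAL4 = 20  # the default facility the page calls LOCAL4 (20)

# ASSUMPTION: a few message-ID prefixes and the logging class they belong to.
CLASS_BY_PREFIX = {"106": "session", "302": "session", "109": "auth",
                   "113": "auth", "111": "config", "605": "sys"}

# <PRI> [timestamp: ] [device-id : ] %ASA-severity-ID: text
_LINE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<prefix>.*?)%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")
_STAMP = re.compile(r"[A-Z][a-z]{2} +\d{1,2} \d{4} \d\d:\d\d:\d\d")


def parse(line):
    """Split one syslog-server line into its fields; None if not an ASA message."""
    m = _LINE.match(line)
    if m is None:
        return None
    pri, sev, msg_id = int(m["pri"]), int(m["sev"]), m["id"]
    stamp = _STAMP.search(m["prefix"])       # present when 'Include timestamp' is on
    return {
        "facility": pri // 8,                # PRI = facility * 8 + severity
        "severity": sev,
        "consistent": pri % 8 == sev,        # PRI severity must agree with the tag
        "id": msg_id,
        "class": CLASS_BY_PREFIX.get(msg_id[:3], "unknown"),
        "time": datetime.strptime(stamp.group(0), "%b %d %Y %H:%M:%S") if stamp else None,
        "text": m["text"],
    }


class EventList:
    """Event list: class/severity entries or message-ID ranges, any of which may match."""
    def __init__(self):
        self.class_rules = []   # (class name or "all", highest severity number to pass)
        self.id_ranges = []     # (low, high), inclusive

    def add_class(self, event_class, level):
        self.class_rules.append((event_class, level))

    def add_ids(self, low, high=None):
        self.id_ranges.append((low, high if high is not None else low))

    def matches(self, msg):
        # Choosing level N passes severity N and everything more severe (lower numbers).
        if any(c in ("all", msg["class"]) and msg["severity"] <= lvl
               for c, lvl in self.class_rules):
            return True
        return any(lo <= int(msg["id"]) <= hi for lo, hi in self.id_ranges)


class RateLimiter:
    """At most `count` copies of one message ID per `interval` seconds (sliding window)."""
    def __init__(self, count, interval):
        self.count, self.interval = count, interval
        self._seen = defaultdict(deque)

    def allow(self, msg_id, now):
        window = self._seen[msg_id]
        while window and now - window[0] >= self.interval:
            window.popleft()
        if len(window) >= self.count:
            return False
        window.append(now)
        return True


def forward(lines, event_list, limiter):
    """Return the IDs of the messages a destination would actually receive."""
    sent = []
    for line in lines:
        msg = parse(line)
        if msg is None or not event_list.matches(msg):
            continue
        now = msg["time"].timestamp() if msg["time"] else 0.0
        if limiter.allow(msg["id"], now):
            sent.append(msg["id"])
    return sent


# Constructed sample lines (facility LOCAL4, timestamps on, no device-id).
SAMPLE_LINES = [
    "<166>Jan 12 2008 10:15:30: %ASA-6-302013: Built outbound TCP connection 12345 for outside:209.165.201.10/80 (209.165.201.10/80) to inside:10.1.2.27/1030 (209.165.201.10/1030)",
    "<166>Jan 12 2008 10:15:30: %ASA-6-302013: Built outbound TCP connection 12346 for outside:209.165.201.10/80 (209.165.201.10/80) to inside:10.1.2.27/1031 (209.165.201.10/1031)",
    "<166>Jan 12 2008 10:15:31: %ASA-6-302013: Built outbound TCP connection 12347 for outside:209.165.201.10/80 (209.165.201.10/80) to inside:10.1.2.27/1032 (209.165.201.10/1032)",
    "<164>Jan 12 2008 10:15:32: %ASA-4-106023: Deny tcp src outside:209.165.200.230/4567 dst inside:10.1.2.27/23 by access-group \"outside_access_in\"",
    "<165>Jan 12 2008 10:15:33: %ASA-5-111008: User 'admin' executed the 'no logging buffered' command.",
    "<166>Jan 12 2008 10:15:34: %ASA-6-605005: Login permitted from 10.1.1.5/50123 to inside:10.1.1.1/ssh for user \"admin\"",
]


def demo_event_list():
    """Session class at informational (6) plus command-interface IDs 111001 to 111010."""
    ev = EventList()
    ev.add_class("session", 6)
    ev.add_ids(111001, 111010)
    return ev


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        m = parse(line)
        print(m["id"], m["class"], m["severity"], "pri-ok" if m["consistent"] else "pri-MISMATCH")
    print("forwarded:", forward(SAMPLE_LINES, demo_event_list(), RateLimiter(2, 10)))
```

With the limit set to two messages per ten seconds, the third 302013 connection message is dropped while the deny and command-audit messages, which arrive once, pass; the 605005 login message is dropped only because the demo event list has no rule for the sys class, which is exactly the kind of gap a class-based filter can hide.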
Syslog Servers
Note You can set up a maximum of four syslog servers per security context (up to a total of 16).
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        Security Context
Routed  Transparent  Single  Multiple Context  Multiple System
•       •            •       •                 —
Add/Edit Syslog Server
The Add/Edit Syslog Server dialog box lets you add or edit the syslog servers to which the adaptive security appliance sends syslog messages.
SMTP
The SMTP pane lets you configure the remote SMTP server IP address to which e-mail alerts and notifications are sent in response to specific events. To access this pane, choose Configuration > Device Management > Logging > SMTP. To configure the remote SMTP server, perform the following steps:
Step 1 Enter the IP address of the primary SMTP server.
Step 2 (Optional) Enter the IP address of the standby SMTP server, and click Apply.
Using NetFlow
Step 6 When NetFlow is enabled, certain syslog messages become redundant. To maintain system performance, we recommend that you disable all redundant syslog messages, because the same information is exported through NetFlow. To disable all redundant syslog messages, check the Disable redundant syslog messages check box. To display the redundant syslog messages and their status, click Show Redundant Syslog Messages.
Step 10 Click OK to close the Manage NetFlow Collectors dialog box and return to the Add Flow Event dialog box. Click OK again to close the Add Flow Event dialog box and return to the NetFlow tab.
Step 11 To change a flow event entry, choose it from the list and click Edit. To remove a flow event entry, choose it from the list and click Delete.
Step 12 Click Finish to exit the wizard.
PART 3 Configuring the Firewall
CHAPTER 18 Firewall Mode Overview
This chapter describes how the firewall works in each firewall mode. To set the mode at the CLI, see the "Setting Transparent or Routed Firewall Mode at the CLI" section on page 4-4.
Note In multiple context mode, you cannot set the firewall mode separately for each context; you can only set the firewall mode for the entire security appliance.
Routed Mode Overview
• An Inside User Visits a Web Server, page 18-2
• An Outside User Visits a Web Server on the DMZ, page 18-3
• An Inside User Visits a Web Server on the DMZ, page 18-4
• An Outside User Attempts to Access an Inside Host, page 18-5
• A DMZ User Attempts to Access an Inside Host, page 18-6
An Inside User Visits a Web Server
Figure 18-1 shows an inside user accessing an outside web server.
Figure 18-1 Inside to Outside. Figure labels: www.example.
3. The security appliance translates the local source address (10.1.2.27) to the global address 209.165.201.10, which is on the outside interface subnet. The global address could be on any subnet, but routing is simplified when it is on the outside interface subnet.
4. The security appliance then records that a session is established and forwards the packet from the outside interface.
5. When www.example.
2. The security appliance receives the packet and, because it is a new session, verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
The following steps describe how data moves through the security appliance (see Figure 18-3):
1. A user on the inside network requests a web page from the DMZ web server using the destination address of 10.1.1.3.
2. The security appliance receives the packet and, because it is a new session, verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
The following steps describe how data moves through the security appliance (see Figure 18-4):
1. A user on the outside network attempts to reach an inside host (assuming the host has a routable IP address). If the inside network uses private addresses, no outside user can reach the inside network without NAT. The outside user might attempt to reach an inside user by using an existing NAT session.
2.
Transparent Mode Overview
Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices.
Passing Traffic Not Allowed in Routed Mode
In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in an access list. The transparent firewall, however, can allow almost any traffic through using either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).
Using the Transparent Firewall in Your Network
Figure 18-6 shows a typical transparent firewall network where the outside devices are on the same subnet as the inside devices. The inside router and hosts appear to be directly connected to the outside router.
Figure 18-6 Transparent Firewall Network. Figure labels: Internet, 10.1.1.1, Network A, Management IP 10.1.1.2, 10.1.1.3, Network B, 192.168.1.
In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.
• Each directly connected network must be on the same subnet.
How Data Moves Through the Transparent Firewall
Figure 18-7 shows a typical transparent firewall implementation with an inside network that contains a public web server. The security appliance has an access list so that the inside users can access Internet resources. Another access list lets the outside users access only the web server on the inside network.
Figure 18-7 Typical Transparent Firewall Data Path. Figure labels: www.example.com, Internet, 209.165.
An Inside User Visits a Web Server
Figure 18-8 shows an inside user accessing an outside web server.
Figure 18-8 Inside to Outside. Figure labels: www.example.com, Internet, 209.165.201.2, Host 209.165.201.3, Management IP 209.165.201.6.
The following steps describe how data moves through the security appliance (see Figure 18-8):
1. The user on the inside network requests a web page from www.example.com.
2.
An Inside User Visits a Web Server Using NAT
Figure 18-9 shows an inside user accessing an outside web server.
Figure 18-9 Inside to Outside with NAT. Figure labels: www.example.com, Internet, static route on router to 209.165.201.0/27 through security appliance, source address translation 10.1.2.27 to 209.165.201.10, 10.1.2.1, Management IP 10.1.2.2, Host 10.1.2.
7. The security appliance performs NAT by translating the mapped address to the real address, 10.1.2.27.
An Outside User Visits a Web Server on the Inside Network
Figure 18-10 shows an outside user accessing the inside web server.
Figure 18-10 Outside to Inside. Figure labels: Host, Internet, 209.165.201.2, Management IP 209.165.201.6, 209.165.201.1, Web Server 209.165.200.225, 209.165.200.
If the destination MAC address is not in the security appliance table, the security appliance attempts to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.
5. The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection.
6. The security appliance forwards the packet to the outside user.
CHAPTER 19 Adding Global Objects
The Objects pane provides a single location where you can configure, view, and modify the reusable components that you need to implement your policy on the security appliance. For example, once you define the hosts and networks that are covered by your security policy, you can select the host or network to which a feature applies, instead of having to redefine it every time. This saves time and ensures consistency and accuracy of your security policy.
Using Network Objects and Groups
Network Object Overview
Network objects let you predefine host and network IP addresses so that you can streamline subsequent configuration. When you configure the security policy, such as an access rule or a AAA rule, you can choose these predefined addresses instead of typing them in manually. Moreover, if you change the definition of an object, the change is inherited automatically by any rules using the object.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        Security Context
Routed  Transparent  Single  Multiple Context  Multiple System
•       •            •       •                 —
Configuring a Network Object Group
To configure a network object group, perform the following steps:
Step 1 In the Configuration > Firewall > Objects > Network Objects/Group pane, click Add > Network Object Group to add a new object group, or choose an object group
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        Security Context
Routed  Transparent  Single  Multiple Context  Multiple System
•       •            •       •                 —
Using Network Objects and Groups in a Rule
When you create a rule, you can enter an IP address manually, or you can browse for a network object or group to use in the rule.
The Usages dialog box appears listing all the rules currently using the network object or group. This dialog box also lists any network object groups that contain the object.
Configuring Service Groups
– Filter field—Enter the name of the service group. The wildcard characters asterisk (*) and question mark (?) are allowed.
– Filter—Runs the filter.
– Clear—Clears the Filter field.
• Name—Lists the service group names. Click the plus (+) icon next to the name to expand the service group so you can view the services. Click the minus (-) icon to collapse the service group.
• Protocol—Lists the service group protocols.
– Source Port/Range—Lets you enter the source port or range for the new TCP, UDP, or TCP-UDP service group member.
– ICMP Type—Lets you enter the ICMP type for the new ICMP service group member.
– Protocol—Lets you enter the protocol for the new protocol service group member.
• Members in Group—Shows items that are already added to the service group.
• Add—Adds the selected item to the service group.
Firewall Mode        Security Context
Routed  Transparent  Single  Multiple Context  Multiple System
•       •            •       •                 —
Configuring Class Maps
For information about class maps, see the "Class Map Field Descriptions" section on page 24-39.
Configuring Inspect Maps
For information about inspect maps, see the "Inspect Map Field Descriptions" section on page 24-59.
Configuring Regular Expressions
– Name—Shows the regular expression class map name.
– Match Conditions—Shows the match type and regular expressions in the class map.
Match Type—Shows the match type, which for regular expressions is always a positive match (shown by the icon with the equal sign (=)). Inspection class maps also allow negative matches (shown by the icon with the red circle).
Table 19-1 regex Metacharacters (Character, Description: Notes)
. (Dot): Matches any single character. For example, d.g matches dog, dag, dtg, and any word that contains those characters, such as doggonnit.
(exp) (Subexpression): A subexpression segregates characters from surrounding characters, so that you can use other metacharacters on the subexpression. For example, d(o|a)g matches dog and dag, but do|ag matches do and ag.
char (Character): When character is not a metacharacter, matches the literal character.
\r (Carriage return): Matches a carriage return, 0x0d.
\n (Newline): Matches a newline, 0x0a.
\t (Tab): Matches a tab, 0x09.
\f (Formfeed): Matches a form feed, 0x0c.
\xNN (Escaped hexadecimal number): Matches an ASCII character using hexadecimal (exactly two digits).
– Character String—Enter a text string.
– Escape Special Characters—If you entered any metacharacters in your text string that you want to be used literally, check this box to add the backslash (\) escape character before them. For example, if you enter "example.com", this option converts it to "example\.com".
– One or more times (+)—A quantifier that indicates that there is at least 1 of the previous expression. For example, lo+se matches lose and loose, but not lse.
– Any number of times (*)—A quantifier that indicates that there are 0, 1, or any number of the previous expression. For example, lo*se matches lse, lose, loose, etc.
– At least—Repeat at least x times. For example, ab(xy){2,}z matches abxyxyz, abxyxyxyz, etc.
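The following is an added example, not Cisco code and not part of this guide: Python helpers for working with the regex syntax of Table 19-1 and the Escape Special Characters option. escape_literal does what that option does (it backslash-escapes every metacharacter so the string matches itself), literal_alternatives groups several escaped literals into one subexpression, and asa_regex_matches checks the table's own examples and a constructed HTTP request. It assumes that Python's re module agrees with the security appliance's engine for the constructs shown here (., (), |, +, *, {n,}, [], \xNN and the \r \n \t \f escapes) and that METACHARACTERS is the full metacharacter set of that syntax, of which only part is reproduced in the table above; the function names are this example's own.

```python
"""Helpers for the ASA regex syntax of Table 19-1. Added example, not Cisco
code. ASSUMPTION: Python's re matches these constructs the same way the
appliance does, and METACHARACTERS is the complete set for that syntax."""
import re

# Characters that must be escaped to match literally (ASSUMED full set).
METACHARACTERS = set(".()[]{}|?*+^$\\")


def escape_literal(text):
    """What 'Escape Special Characters' does: example.com -> example\\.com."""
    return "".join("\\" + ch if ch in METACHARACTERS else ch for ch in text)


def literal_alternatives(*literals):
    """Group escaped literals in one subexpression: (a\\.com|b\\.net)."""
    return "(" + "|".join(escape_literal(s) for s in literals) + ")"


def asa_regex_matches(pattern, data):
    """Search anywhere in `data`; add ^ to the pattern if you need anchoring."""
    return re.search(pattern, data) is not None


# Constructed sample: the request line and headers of an HTTP request, the
# kind of data an HTTP inspection regex would be matched against.
SAMPLE_HTTP = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n"


def host_is(domain):
    """Pattern for a Host header ending in `domain`, built from an escaped literal."""
    return "Host: [^\\r\\n]*" + escape_literal(domain) + "\\r\\n"


if __name__ == "__main__":
    for pattern, data in (("d.g", "doggonnit"), ("d(o|a)g", "dug"), ("lo+se", "lse"),
                          ("ab(xy){2,}z", "abxyxyz"), ("\\x41", "CAT"),
                          ("example.com", "exampleXcom"),
                          (escape_literal("example.com"), "exampleXcom")):
        print(f"{pattern!r:24} {data!r:14} {asa_regex_matches(pattern, data)}")
    print(host_is("example.com"), asa_regex_matches(host_is("example.com"), SAMPLE_HTTP))
```

The unescaped example.com matching exampleXcom is the mistake the Escape Special Characters option exists to prevent: an inspection rule meant to match one domain quietly matches a whole family of strings.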
Add/Edit Regular Expression Class Map
The Add/Edit Regular Expression Class Map dialog box groups regular expressions together. A regular expression class map can be used by inspection class maps and inspection policy maps.
Fields
• Name—Enter a name for the class map, up to 40 characters in length. The name "class-default" is reserved.
Configuring Time Ranges
Use the Time Ranges option to create a reusable component that defines starting and ending times that can be applied to various security features. Once you have defined a time range, you can select it and apply it to different options that require scheduling. The time range feature lets you define a time range that you can attach to traffic rules or to an action.
• Start at—Specifies when the time range begins.
– Month—Specifies the month, in the range of January through December.
– Day—Specifies the day, in the range of 01 through 31.
– Year—Specifies the year, in the range of 1993 through 2035.
– Hour—Specifies the hour, in the range of 00 through 23.
– Minute—Specifies the minute, in the range of 00 through 59.
• Never end—Specifies that there is no end to the time range.
– On these days of the week—Lets you choose specific days of the week.
– Daily Start Time—Specifies the hour and the minute that the time range begins.
– Daily End Time (inclusive) area—Specifies the hour and the minute that the time range ends. The end time specified is inclusive.
• Weekly Interval
– From—Lists the day of the week, Monday through Sunday.
– Through—Lists the day of the week, Monday through Sunday.
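The following is an added example, not Cisco code and not part of this guide: a Python evaluation of a time range built the way the fields above describe it, with an optional absolute start and end (None standing for Start now and Never end), recurring windows on chosen days of the week or a From/Through weekly interval, and a daily end time that is inclusive at minute granularity. It lets you check, before attaching a time range to a rule, which timestamps the range will actually cover. The class and function names and the business_hours sample range are this example's own assumptions.

```python
"""Evaluate an ASDM-style time range against a datetime. Added example, not
Cisco code; names and the sample range are this example's own."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


@dataclass
class Periodic:
    """One recurring window: these weekdays, from `start` to `end`, end inclusive."""
    days: Set[str]
    start: time
    end: time

    def contains(self, when: datetime) -> bool:
        if DAYS[when.weekday()] not in self.days:
            return False
        minute = when.time().replace(second=0, microsecond=0)  # dialog is minute-granular
        return self.start <= minute <= self.end                  # 'Daily End Time (inclusive)'


@dataclass
class TimeRange:
    start: Optional[datetime] = None   # None means 'Start now'
    end: Optional[datetime] = None     # None means 'Never end'
    periodic: List[Periodic] = field(default_factory=list)

    def active(self, when: datetime) -> bool:
        minute = when.replace(second=0, microsecond=0)
        if self.start is not None and minute < self.start:
            return False
        if self.end is not None and minute > self.end:
            return False
        # With no recurring windows, the absolute bounds alone decide.
        return not self.periodic or any(p.contains(when) for p in self.periodic)


def weekly_interval(from_day: str, through_day: str, start: time, end: time) -> Periodic:
    """The Weekly Interval form: From/Through days, wrapping past Sunday if needed."""
    i, j = DAYS.index(from_day), DAYS.index(through_day)
    days = DAYS[i:j + 1] if i <= j else DAYS[i:] + DAYS[:j + 1]
    return Periodic(set(days), start, end)


def business_hours() -> TimeRange:
    """Constructed sample: Monday through Friday, 08:00 to 17:00 inclusive,
    valid only during January 2008."""
    return TimeRange(start=datetime(2008, 1, 1, 0, 0), end=datetime(2008, 1, 31, 23, 59),
                     periodic=[weekly_interval("Monday", "Friday", time(8, 0), time(17, 0))])


if __name__ == "__main__":
    tr = business_hours()
    for when in (datetime(2008, 1, 14, 9, 30), datetime(2008, 1, 14, 17, 0, 45),
                 datetime(2008, 1, 14, 17, 1), datetime(2008, 1, 12, 10, 0),
                 datetime(2008, 2, 4, 10, 0)):
        print(when.strftime("%a %Y-%m-%d %H:%M:%S"), tr.active(when))
```

The inclusive end matters for rules that permit access only during working hours: 17:00:45 is still inside a range that ends at 17:00, and the first minute outside it is 17:01.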
TLS Proxy Wizard
Use the TLS Proxy to enable inspection of SSL-encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco Call Manager.
Configure TLS Proxy Pane
Note This feature is not supported for ASDM version 6.1.5 or the Adaptive Security Appliance version 8.1.2.
You can configure the TLS Proxy from the Configuration > Firewall > Advanced > Encrypted Traffic Inspection > TLS Proxy pane. For a detailed overview of the TLS Proxy, see TLS Proxy Wizard, page 19-17.
Firewall Mode        Security Context
Routed  Transparent  Single  Multiple Context  Multiple System
•       •            •       •                 —
Adding a TLS Proxy Instance
Note This feature is not supported for ASDM version 6.1.5 or the Adaptive Security Appliance version 8.1.2.
Add TLS Proxy Instance Wizard – Server Configuration
Note This feature is not supported for ASDM version 6.1.5 or the Adaptive Security Appliance version 8.1.2.
Use the Add TLS Proxy Instance Wizard to add a TLS Proxy to enable inspection of SSL-encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco Call Manager, and to support the Cisco Unified Communications features on the security appliance.
See TLS Proxy Wizard, page 19-17 to determine which TLS clients used by the Cisco Unified Communication features are capable of client authentication.
Step 5 Click Next. The Add TLS Proxy Instance Wizard – Client Configuration dialog box opens.
Step 3 To specify an LDC Issuer to use for the TLS Proxy, perform the following. When you select and configure the LDC Issuer option, the security appliance acts as the certificate authority and issues certificates to TLS clients.
a. Check the Specify the internal Certificate Authority to sign the local dynamic certificate for phones... check box.
b.
Chapter 19 Adding Global Objects Phone Proxy Add TLS Proxy Instance Wizard – Other Steps Note This feature is not supported for ASDM version 6.1.5 or the Adaptive Security Appliance version 8.1.2. The last dialog box of the Add TLS Proxy Instance Wizard specifies the additional steps required to make TLS Proxy fully functional.
Chapter 19 Adding Global Objects Phone Proxy Configuring the Phone Proxy Note This feature is not supported for ASDM version 6.1.5 or the Adaptive Security Appliance version 8.1.2. Configuring the Phone Proxy requires the following steps: Step 1: Create the CTL file. See Creating a CTL File, page 19-28. Step 2: Create the TLS Proxy instance to handle the encrypted signaling. See Adding a TLS Proxy Instance, page 19-20. Step 3: Create the Phone Proxy instance.
Step 5 In the TFTP Server Settings list, do one of the following:
• To add a new TFTP server for the Phone Proxy, click Add. The Add TFTP Server dialog box opens. See Add/Edit TFTP Server, page 19-27.
• To select an existing TFTP server, select one from the drop-down list.

Note The TFTP server must reside on the same interface as the Cisco Unified Call Manager.
The IP address you enter should be the global IP address, based on where the IP phone and the HTTP proxy server are located. You can enter a hostname in the IP Address field when the security appliance can resolve that hostname to an IP address (for example, DNS lookup is configured), because the security appliance resolves the hostname to an IP address. If a port is not specified, the default is 8080.
c.
Interface—Specifies the interface on which the TFTP server resides. The TFTP server must reside on the same interface as the Cisco Unified Call Manager (CUCM).

Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed •  Transparent —
Security Context: Single •  Multiple Context —  System —

CTL File

Note This feature is not supported for ASDM version 6.1.5 or the Adaptive Security Appliance version 8.1.2.
The Create a Certificate Trust List (CTL) File pane is used to configure the attributes for generating the CTL file. ASDM generates the name of the CTL file instance. When you edit the CTL file instance configuration, ASDM automatically generates the shutdown CLI command first and the no shutdown CLI command as the last command.
• capf: Specifies the role of this trustpoint to be CAPF. Only one CAPF trustpoint can be configured.

Address—Specifies the IP address of the trustpoint. The IP address you specify must be the global address of the TFTP server or CUCM if NAT is configured. The global IP address is the IP address as seen by the IP phones, because it is the IP address used for the CTL record for the trustpoint.
TLS Proxy

• Add—Adds a TLS Proxy.
• Edit—Edits a TLS Proxy.
• Delete—Deletes a TLS Proxy.
• Maximum Sessions—Lets you specify the maximum number of TLS Proxy sessions to support.
  – Specify the maximum number of TLS Proxy sessions that the ASA needs to support. By default, ASA supports 300 sessions.—Enables the maximum number of sessions option.
  – Maximum number of sessions:—The minimum is 1. The maximum is dependent on the platform. The default is 300.
  – Available Algorithms—Lists the available algorithms to be announced or matched during the TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1.
    Add—Adds the selected algorithm to the active list.
    Remove—Removes the selected algorithm from the active list.
  – Active Algorithms—Lists the active algorithms to be announced or matched during the TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1.
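Two of the listed algorithms deserve a caveat: null-sha1 authenticates the TLS record but does not encrypt it at all, and des-sha1 uses a 56-bit key. The ASA CLI below is an added example, not configuration from the guide: it shows a TLS Proxy instance that announces the full list beside one restricted to the AES suites, together with the session cap and the inspection that attaches the proxy. The trustpoint names ccm_proxy and ldc_server, the key pair phone_common, the proxy, ACL and class-map names, and the CUCM address 209.165.201.20 are assumptions, and both trustpoints are assumed to be enrolled already.

```cisco
! Added example (not from the guide). Trustpoint, key-pair, proxy, ACL and
! class names and the CUCM address are assumptions; ccm_proxy and ldc_server
! are assumed to be enrolled already.
!
! Weak: announces every suite the dialog lists, including null-sha1 (no
! confidentiality) and des-sha1 (56-bit key). Shown for contrast only and
! not attached to any policy.
tls-proxy weak_uc_proxy
 server trust-point ccm_proxy
 client ldc issuer ldc_server
 client ldc key-pair phone_common
 client cipher-suite des-sha1 3des-sha1 aes128-sha1 aes256-sha1 null-sha1
!
! Hardened: only the AES suites are offered to CUCM on the client side, and
! the server side that the phones connect to is restricted the same way.
tls-proxy uc_proxy
 server trust-point ccm_proxy
 client ldc issuer ldc_server
 client ldc key-pair phone_common
 client cipher-suite aes128-sha1 aes256-sha1
ssl encryption aes128-sha1 aes256-sha1
!
! Bound the number of concurrent proxied sessions (default 300; the upper
! limit depends on the platform).
tls-proxy maximum-session 300
!
! Attach the hardened proxy to encrypted SIP (TCP/5061) and SCCP (TCP/2443)
! signaling towards CUCM through the global policy.
access-list UC_TLS_SIGNALING extended permit tcp any host 209.165.201.20 eq 5061
access-list UC_TLS_SIGNALING extended permit tcp any host 209.165.201.20 eq 2443
class-map uc_tls_signaling
 match access-list UC_TLS_SIGNALING
policy-map type inspect sip uc_sip_map
policy-map type inspect skinny uc_skinny_map
policy-map global_policy
 class uc_tls_signaling
  inspect sip uc_sip_map tls-proxy uc_proxy
  inspect skinny uc_skinny_map tls-proxy uc_proxy
```

Verify the active suites with show running-config tls-proxy and show ssl; a phone that only offers null or DES suites will then fail its handshake rather than fall back silently to an unencrypted session.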
CTL Provider

Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed •  Transparent •
Security Context: Single •  Multiple Context •  System —

Add/Edit CTL Provider

The Add/Edit CTL Provider dialog box lets you define the parameters for the CTL Provider.

Fields
• CTL Provider Name—Specifies the CTL Provider name.
• Certificate to be Exported—Specifies the certificate to be exported to the client.
  – Certificate Name—Specifies the name of the certificate to be exported to the client.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed •  Transparent •
Security Context: Single •  Multiple Context •  System —

Cisco ASDM User Guide 19-34 OL-16647-01
Chapter 20 Configuring Access Rules and EtherType Rules

This chapter describes how to configure access rules and EtherType rules, and includes the following topics:
• Information About Access Rules and EtherType Rules, page 20-1
• Configuring Access Rules, page 20-7
• Configuring Ethertype Rules (Transparent Mode Only), page 20-16

Note You use access rules to control network access in both routed and transparent firewall modes.
Information About Both Access Rules and EtherType Rules

This section describes information for both access rules and EtherType rules, and includes the following topics:
• Using Access Rules and EtherType Rules on the Same Interface, page 20-2
• Rule Order, page 20-2
• Implicit Deny, page 20-2
• Inbound and Outbound Rules, page 20-2

Using Access Rules and EtherType Rules on the Same Interface
Note “Inbound” and “outbound” refer to the application of an access list on an interface, either to traffic entering the security appliance on an interface or traffic exiting the security appliance on an interface.
IP Addresses Used for Access Rules When You Use NAT

When you use NAT, the IP addresses you specify for an access rule depend on the interface to which the access rule is attached; you need to use addresses that are valid on the network connected to the interface.
If you want to allow an outside host to access an inside host, you can apply an inbound access rule on the outside interface. You need to specify the translated address of the inside host in the access rule, because that address is the address that can be used on the outside network (see Figure 20-3).

Figure 20-3 IP Addresses in Access Rules: NAT used for Destination Addresses
Access Rules for Returning Traffic

For TCP and UDP connections in both routed and transparent mode, you do not need an access list to allow returning traffic, because the security appliance allows all returning traffic for established, bidirectional connections.
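The two rules above (use the address that is valid on the interface's network, and rely on state for return traffic) are easiest to see in the CLI that ASDM generates. The configuration below is an added example, not from the guide; it reuses the guide's 10.1.2.x and 209.165.201.x address conventions, and the web server address, ACL names and the set of permitted services are assumptions.

```cisco
! Added example (not from the guide). Server address, ACL names and the
! permitted services are assumptions.
!
! Inside web server 10.1.2.27 is published on the outside as 209.165.201.10.
static (inside,outside) 209.165.201.10 10.1.2.27 netmask 255.255.255.255
!
! Inbound rule on the outside interface: the destination is the MAPPED
! address, the only address that exists on the outside network. A rule
! written against 10.1.2.27 on this interface would never match.
access-list outside_access_in extended permit tcp any host 209.165.201.10 eq www
access-list outside_access_in extended permit tcp any host 209.165.201.10 eq https
! The implicit deny made explicit, so denied packets produce syslog 106023.
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
!
! No rule is needed anywhere for the server's replies: packets belonging to
! an established TCP or UDP connection are allowed by the connection table.
!
! A rule on the inside interface sees REAL addresses, because those are the
! addresses valid on the inside network. Only HTTP/HTTPS is allowed out here;
! everything else from inside hits the implicit deny.
access-list inside_access_in extended permit tcp 10.1.2.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 10.1.2.0 255.255.255.0 any eq https
access-group inside_access_in in interface inside
```

The Packet Tracer tool on the Access Rules pane (input: interface outside, TCP, any source, destination 209.165.201.10 port 80) shows the ACCESS-LIST phase matching the permit line and the NAT phase untranslating to 10.1.2.27, which is the quickest way to confirm the rule was written against the right address.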
Configuring Access Rules

802.3-formatted frames are not handled by the rule because they use a length field as opposed to a type field. BPDUs, which are handled by the rule, are the only exception: they are SNAP-encapsulated, and the security appliance is designed to specifically handle BPDUs. The security appliance receives trunk port (Cisco proprietary) BPDUs.
For more information about access rules, see the “Information About Access Rules and EtherType Rules” section on page 20-1.

Fields
Note: You can adjust the table column widths by moving your cursor over a column line until it turns into a double arrow. Click and drag the column line to the desired size.
• Add—Adds a new access rule.
• Edit—Edits an access rule.
• Delete—Deletes an access rule.
• Packet Trace—Provides detailed information about packet processing with the adaptive security appliance, as well as information for packet sniffing and network fault isolation.

The following description summarizes the columns in the Access Rules table. You can edit the contents of these columns by double-clicking on a table row. Rules are displayed in the order of execution.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed •  Transparent •
Security Context: Single •  Multiple Context •  System —

Rule Queries

The Rule Queries dialog box lets you manage named rule queries that you can use in the Filter field when searching for Rules.

Fields
• Add—Adds a rule query.
• Edit—Edits a rule query.
• Delete—Deletes a rule query.
  – Remove—Removes the selected criteria.
• Define New Criteria—This area lets you define new criteria to add to the match criteria.
  – Field—Choose a type of criteria, including Interface, Source, Destination, Service, Action, or another Rule Query to be nested in this rule query.
  – Value—Enter a value to search on. For the Interface type, this field becomes a drop-down list so you can choose an interface name.
• Description—(Optional) Enter a description of the access rule.
• Enable Logging—Enables logging for the access rule.
  – Logging Level—Specifies default, emergencies, alerts, critical, errors, warnings, notifications, informational, or debugging.
• More Options—Shows additional configuration options for the rule.
  – Enable Rule—Enables or disables the rule.
Fields
• TCP—Select this option to add TCP services or port numbers to an object group.
• UDP—Select this option to add UDP services or port numbers to an object group.
• TCP-UDP—Select this option to add services or port numbers that are common to TCP and UDP to an object group.
• Service Group table—This table contains a descriptive name for each service object group.
total number of hits during the interval. At the end of each interval, the security appliance resets the hit count to 0. If no packets match the access rule during an interval, the security appliance deletes the flow entry. A large number of flows can exist concurrently at any point in time.
The Log option consumes a certain amount of memory when enabled. To help control the risk of a potential Denial of Service attack, you can configure the Maximum Deny-flow setting by choosing Advanced in the Access Rules window.

Fields
• Use default logging behavior—Uses the older access rule logging mechanism: the security appliance logs system log message number 106023 when a packet is denied.
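The memory cost described above comes from the per-flow entry the appliance keeps for every logged deny (message 106100), so an attacker who varies source addresses and ports can force many entries to exist at once. The CLI below, an added example rather than configuration from the guide, shows the per-rule logging choices next to the global limits that bound that exposure; the ACL name, the published server address and the specific values are assumptions.

```cisco
! Added example (not from the guide). ACL name, server address and the
! chosen limits are assumptions.
!
! Rule-level logging (106100): one flow entry per matching source/destination
! pair, with a hit count reported at the end of each interval instead of one
! message per packet. Level and interval are per rule.
access-list outside_access_in extended permit tcp any host 209.165.201.10 eq www log informational interval 300
!
! High-volume noise from worms or scanners: keep the flow summary but report
! it rarely and at a level the syslog server can filter.
access-list outside_access_in extended deny udp any any eq 1434 log notifications interval 600
!
! Classic behaviour (106023 per denied packet, no flow entry) for the
! catch-all deny. "log default" is what "Use default logging behavior" emits.
access-list outside_access_in extended deny ip any any log default
access-group outside_access_in in interface outside
!
! Global safeguards against a flood of unique denied flows:
!  - deny-flow-max caps the number of concurrent 106100 deny-flow entries
!    (the upper bound, and the default, is 4096);
!  - alert-interval sets how often syslog 106101 is raised while the cap
!    is being hit, so the condition is visible without itself flooding.
access-list deny-flow-max 1024
access-list alert-interval 120
```

With these settings, a source that cycles through thousands of ports is limited to 1024 tracked deny flows; further denies are still dropped and counted, only their per-flow bookkeeping is suppressed, and 106101 tells you the cap was reached.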
Configuring Ethertype Rules (Transparent Mode Only)

The EtherType Rules window shows access rules based on packet EtherTypes. EtherType rules are used to configure non-IP related traffic policies through the security appliance when operating in transparent mode. In transparent mode, you can apply both extended and EtherType access rules to an interface.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed —  Transparent •
Security Context: Single •  Multiple Context •  System —

Add/Edit EtherType Rule

The Add/Edit EtherType Rules dialog box lets you add or edit an EtherType rule.
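The following ASA CLI is an added example, not from the guide, of an EtherType access list coexisting with an extended access list on the same transparent-mode interface. The ACL names and the choice of permitted types are assumptions; the interface names inside and outside follow the guide.

```cisco
! Added example (not from the guide). ACL names and the permitted EtherTypes
! are assumptions; assumes transparent firewall mode.
!
! EtherType rules look only at the 16-bit type field, so 802.3 frames with a
! length field are not matched; BPDUs (SNAP) are the one special case and
! have their own keyword. Values given as hex must be 0x600 or greater.
access-list ETHER_IN ethertype permit bpdu
access-list ETHER_IN ethertype permit ipx
access-list ETHER_IN ethertype permit mpls-unicast
access-list ETHER_IN ethertype permit 0x8863
access-list ETHER_IN ethertype permit 0x8864
! The implicit deny, written out so that it shows up in the rule table.
! It does not affect IP traffic or ARP, which are governed by the extended
! access rules on the interface.
access-list ETHER_IN ethertype deny any
!
! Non-IP frames carry no connection state, so there is no "returning
! traffic" exception: apply the list inbound on BOTH bridged interfaces or
! the reverse direction is silently dropped.
access-group ETHER_IN in interface inside
access-group ETHER_IN in interface outside
!
! The extended (IP) access list on the same interface, one of each type per
! interface per direction.
access-list IP_IN extended permit ip 10.1.2.0 255.255.255.0 any
access-list IP_IN extended deny ip any any log
access-group IP_IN in interface inside
```

If spanning tree between the switches on either side stops converging after the EtherType list is applied, the missing line is almost always the bpdu permit on one of the two interfaces.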
Chapter 21 Configuring NAT

This chapter describes Network Address Translation, and includes the following sections:
• NAT Overview, page 21-1
• Configuring NAT Control, page 21-15
• Using Dynamic NAT, page 21-16
• Using Static NAT, page 21-26
• Using NAT Exemption, page 21-32

NAT Overview

This section describes how NAT works on the security appliance, and includes the following topics:
• Introduction to NAT, page 21-1
• NAT Control, page 21-4
• NAT Types, page 21-6
• Policy NAT, pag
Note In this document, all types of translation are referred to as NAT.

When describing NAT, the terms inside and outside represent the security relationship between any two interfaces. The higher security level is inside and the lower security level is outside. For example, interface 1 is at 60 and interface 2 is at 50; therefore, interface 1 is “inside” and interface 2 is “outside.”
NAT in Transparent Mode

Using NAT in transparent mode eliminates the need for the upstream or downstream routers to perform NAT for their networks. For example, a transparent firewall security appliance is useful between two VRFs so you can establish BGP neighbor relations between the VRFs and the global table. However, NAT per VRF might not be supported. In this case, using NAT in transparent mode is essential.
Figure 21-2 NAT Example: Transparent Mode (figure: host 10.1.2.27 on the inside has its source address translated to 209.165.201.10 on the way to www.example.com on the Internet; the upstream router holds a static route to 209.165.201.0/27 through the security appliance; other addresses shown are 10.1.2.1 and the management IP 10.1.2.2)
Interfaces at the same security level are not required to use NAT to communicate. However, if you configure dynamic NAT or PAT on a same security interface, then all traffic from the interface to a same security interface or an outside interface must match a NAT rule, as shown in Figure 21-4.

Figure 21-4 NAT Control and Same Security Traffic (figure: two cases side by side; with dynamic NAT configured, 10.1.1.1 is translated to 209.165.201.1; with no NAT configured, 10.1.1.1 passes untranslated to the 10.1.2.x same-security network)
NAT Types

This section describes the available NAT types, and includes the following topics:
• Dynamic NAT, page 21-6
• PAT, page 21-8
• Static NAT, page 21-8
• Static PAT, page 21-9
• Bypassing NAT When NAT Control is Enabled, page 21-10

You can implement address translation as dynamic NAT, Port Address Translation, static NAT, static PAT, or as a mix of these types.
Figure 21-6 Remote Host Attempts to Connect to the Real Address (figure: a remote host at 209.165.201.2 on the outside sends to the real address 10.1.2.27 of the inside web server www.example.com, whose translation is 10.1.2.27 to 209.165.201.10; other addresses shown are 10.1.2.1 and the inside network 10.1.2.x)

Figure 21-7 shows a remote host attempting to initiate a connection to a mapped address. This address is not currently in the translation table; therefore, the security appliance drops the packet.
Dynamic NAT has these disadvantages:
• If the mapped pool has fewer addresses than the real group, you could run out of addresses if the amount of traffic is more than expected. Use PAT if this event occurs often, because PAT provides over 64,000 translations using ports of a single address.
The main difference between dynamic NAT and a range of addresses for static NAT is that static NAT allows a remote host to initiate a connection to a translated host (if an access list exists that allows it), while dynamic NAT does not. You also need an equal number of mapped addresses as real addresses with static NAT.
Bypassing NAT When NAT Control is Enabled

If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts or you can disable NAT control. You might want to bypass NAT, for example, if you are using an application that does not support NAT.
Figure 21-9 Policy NAT with Different Destination Addresses (figure: inside host 10.1.2.27 on 10.1.2.0/24 is translated to 209.165.202.129 when the packet destination is Server 1, 209.165.201.11 on the DMZ network 209.165.201.0/27, and to 209.165.202.130 when the destination is Server 2, 209.165.200.225 on 209.165.200.224/27)

Figure 21-10 shows the use of source and destination ports. The host on the 10.1.2.
For policy static NAT, both translated and remote hosts can originate traffic. For traffic originated on the translated network, the NAT rule specifies the real addresses and the destination addresses, but for traffic originated on the remote network, the rule identifies the real addresses and the source addresses of the remote hosts that are allowed to connect to the host using this translation. Figure 21-11 shows a remote host connecting to a translated host.
Order of NAT Rules Used to Match Real Addresses

The security appliance matches real addresses to NAT rules in the following order:
1. NAT exemption—In order, until the first match.
2. Static NAT and Static PAT (regular and policy)—In order, until the first match. Static identity NAT is included in this category.
3. Policy dynamic NAT—In order, until the first match. Overlapping addresses are allowed.
4. Regular dynamic NAT—Best match.
When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10). The security appliance refers to the static statement for the inside server and translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply modification, then the inside host attempts to send traffic to 209.165.201.10 instead of accessing ftp.cisco.com directly.
Configuring NAT Control

Figure 21-13 shows a web server and DNS server on the outside. The security appliance has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.20.10. Because you want inside users to use the mapped address for ftp.cisco.com (10.1.2.56), you need to configure DNS reply modification for the static translation.
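The four-stage matching order and the DNS reply modification just described are easier to reason about in the CLI form ASDM produces for these rules. The configuration below is an added example, not from the guide: one host, 10.1.2.27, is deliberately covered by rules in every category so that the category decides which translation wins. The ACL names, pool IDs, pool ranges and the VPN peer network 10.2.0.0/16 are assumptions; the ftp.cisco.com addresses are the ones used in the text above.

```cisco
! Added example (not from the guide). ACL names, pool IDs and ranges and the
! 10.2.0.0/16 peer network are assumptions.
!
! 1. NAT exemption is consulted first, in order. Inside traffic to the VPN
!    peer network leaves with its real address regardless of the rules below.
access-list NO_NAT extended permit ip 10.1.2.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NO_NAT
!
! 2. Static NAT and static PAT, regular and policy, in order. The "dns"
!    keyword rewrites the A record in DNS replies that cross the appliance:
!    an inside host resolving ftp.cisco.com receives 10.1.3.14 rather than
!    the mapped 209.165.201.10 (requires DNS inspection, which is on in the
!    default global policy).
static (inside,outside) 209.165.201.10 10.1.3.14 netmask 255.255.255.255 dns
! Static PAT: only the telnet port of 10.1.1.1 is reachable as 209.165.201.1.
static (inside,outside) tcp 209.165.201.1 telnet 10.1.1.1 telnet netmask 255.255.255.255
!
! 3. Policy dynamic NAT, in order. Overlap with later rules is allowed:
!    10.1.2.27 talking to the 209.165.201.0/27 servers uses pool 3 ...
access-list POLICY_DMZ extended permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
nat (inside) 3 access-list POLICY_DMZ
global (outside) 3 209.165.202.129
!
! 4. Regular dynamic NAT, BEST match rather than first match: ... while
!    10.1.2.27 going anywhere else matches the /32 rule (pool 2, a single PAT
!    address) even though the /24 rule appears first, and the remaining hosts
!    of 10.1.2.0/24 use pool 1.
nat (inside) 1 10.1.2.0 255.255.255.0
nat (inside) 2 10.1.2.27 255.255.255.255
global (outside) 1 209.165.201.3-209.165.201.10
global (outside) 2 209.165.201.11
```

Because stage 4 is a best match, swapping the order of the two nat (inside) lines changes nothing, whereas reordering the POLICY_DMZ rule relative to another policy rule that also covers 10.1.2.27 would. show xlate after a test connection confirms which global address was handed out.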
Using Dynamic NAT

This section describes how to configure dynamic NAT, including dynamic NAT and PAT, dynamic policy NAT and PAT, and identity NAT.

Policy NAT lets you identify real addresses for address translation by specifying the source and destination addresses. You can also optionally specify the source and destination ports. Regular NAT can only consider the source addresses, and not the destination.
Real Addresses and Global Pools Paired Using a Pool ID

In a dynamic NAT rule, you specify real addresses and then pair them with a global pool of addresses to which the real addresses are mapped when they exit another interface (in the case of PAT, this is one address, and in the case of identity NAT, this is the same as the real address). Each global pool is assigned a pool ID.
Global Pools on Different Interfaces with the Same Pool ID

You can create a global pool for each interface using the same pool ID. If you create a global pool for the Outside and DMZ interfaces on ID 1, then a single NAT rule associated with ID 1 identifies traffic to be translated when going to both the Outside and the DMZ interfaces.
Figure 21-16 Different NAT IDs (figure: NAT 1 covers 10.1.2.0/24 and is paired with global pool 1 on the outside, 209.165.201.3-209.165.201.10, so 10.1.2.27 is translated to 209.165.201.3; NAT 2 covers 192.168.1.0/24 and is paired with global pool 2, the single PAT address 209.165.201.11, so 192.168.1.14 is translated to 209.165.201.11:4567; the destination is the web server www.cisco.com)
Figure 21-17 NAT and PAT Together (figure: NAT 1 covers 10.1.2.0/24; two global pools share ID 1 on the outside, the range 209.165.201.3-209.165.201.4 and the PAT address 209.165.201.5; 10.1.2.27 is translated to 209.165.201.3 and 10.1.2.28 to 209.165.201.4, exhausting the range, so 10.1.2.29 is translated to 209.165.201.5:6096; the destination is the web server www.cisco.com)
Figure 21-18 Outside NAT and Inside NAT Combined (figure: the DMZ network 10.1.1.0/24 has both a regular NAT 1 rule and an outside NAT 1 rule; global pool 1 on the outside is 209.165.201.3-209.165.201.10 and global pool 1 on the inside is 10.1.2.30-10.1.2.40, so DMZ host 10.1.1.15 is translated to 209.165.201.4 toward the outside and to 10.1.2.30 toward the inside; a static to the DMZ maps inside host 10.1.2.27 to 10.1.1.5, and the appliance undoes that translation, 10.1.1.5 to 10.1.2.27, for DMZ-originated traffic)
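Figures 21-16 to 21-18 and the two preceding passages are summarized below in the CLI that the NAT Rules pane generates. This is an added example rather than the guide's own configuration; the addresses are those in the figure descriptions above, and the order in which the global statements are entered, plus the assumption that the DMZ host 10.1.1.15 talks to both neighbouring networks, are mine.

```cisco
! Added example (not from the guide). Addresses follow Figures 21-16 to
! 21-18; the DMZ usage scenario is an assumption.
!
! Pool ID pairs a real-address rule with a global pool on EACH egress
! interface: the same rule translates inside hosts to public addresses when
! they leave via outside and to 10.1.1.x addresses when they leave via dmz.
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 209.165.201.3-209.165.201.4
global (dmz) 1 10.1.1.30-10.1.1.40
!
! NAT and PAT together (Figure 21-17): two global statements share ID 1 on
! the same interface. The range is consumed first; once 209.165.201.3 and .4
! are in use, further hosts are PATed behind 209.165.201.5.
global (outside) 1 209.165.201.5
!
! A different real network on a different ID (Figure 21-16): 192.168.1.0/24
! is always PATed behind a single address.
nat (inside) 2 192.168.1.0 255.255.255.0
global (outside) 2 209.165.201.11
!
! Outside NAT and inside NAT combined (Figure 21-18). The dmz network needs
! two rules: a regular one for traffic to the lower-security outside and an
! "outside" one for traffic to the higher-security inside. Both use ID 1, so
! the pools above on outside and a new pool on inside serve them.
nat (dmz) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 10.1.1.0 255.255.255.0 outside
global (inside) 1 10.1.2.30-10.1.2.40
!
! Inside host published into the DMZ as 10.1.1.5; the appliance undoes this
! translation for DMZ hosts that connect to 10.1.1.5.
static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255
```

A consequence worth checking before relying on the PAT fallback: with NAT control enabled, a host that matches nat (inside) 1 but finds no global pool on the interface it is heading for is dropped, so every interface the rule's hosts can exit must have a global 1 statement.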
Step 2 For a new pool, from the Interface drop-down list, choose the interface where you want to use the mapped IP addresses.
Step 3 For a new pool, in the Pool ID field, enter a number between 1 and 2147483647. Do not enter a pool ID that is already in use, or your configuration will be rejected.
Step 4 In the IP Addresses to Add area, click Range, Port Address Translation (PAT), or Port Address Translation (PAT) using the IP address of the interface.
To configure a dynamic NAT, PAT, or identity NAT rule, perform the following steps.
Step 1 From the Configuration > Firewall > NAT Rules pane, choose Add > Add Dynamic NAT Rule. The Add Dynamic NAT Rule dialog box appears.
Step 2 In the Original area, from the Interface drop-down list, choose the interface that is connected to the hosts with real addresses that you want to translate.
Step 3 Enter the real addresses in the Source field, or click the ...
Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session. TCP initial sequence number randomization can be disabled if required. For example:
  – If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performing this action, even though this action does not affect the traffic.
To configure dynamic policy NAT or PAT, perform the following steps:
Step 1 From the Configuration > Firewall > NAT Rules pane, choose Add > Advanced > Add Dynamic Policy NAT Rule. The Add Dynamic Policy NAT Rule dialog box appears.
Step 2 In the Original area, from the Interface drop-down list, choose the interface that is connected to the hosts with real addresses that you want to translate.
Using Static NAT

Note • You can also set these values using a security policy rule (see the “Configuring Connection Settings” section on page 27-6). If you set them in both places, then the security appliance uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the security appliance disables TCP sequence randomization.
Policy NAT lets you identify real addresses for address translation by specifying the source and destination addresses. You can also optionally specify the source and destination ports. Regular NAT can only consider the source addresses, and not the destination. See the “Policy NAT” section on page 21-10 for more information.

Static PAT lets you translate the real IP address to a mapped IP address, as well as the real port to a mapped port.
Step 1 From the Configuration > Firewall > NAT Rules pane, choose Add > Add Static NAT Rule. The Add Static NAT Rule dialog box appears.
Step 2 In the Original area, from the Interface drop-down list, choose the interface that is connected to the hosts with real addresses that you want to translate.
Step 3 Enter the real addresses in the Source field, or click the ... button to choose an IP address that you already defined in ASDM.
Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session. TCP initial sequence number randomization can be disabled if required. For example:
  – If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performing this action, even though this action does not affect the traffic.
Configuring Static Policy NAT, PAT, or Identity NAT

Figure 21-22 shows typical static policy NAT, static policy PAT, and static policy identity NAT scenarios. The translation is always active so both translated and remote hosts can originate connections.

Figure 21-22 Static Policy NAT Scenarios (figure: under static policy NAT the security appliance maps 10.1.1.1 to 209.165.201.1 and 10.1.1.2 to 209.165.201.2; under static policy PAT it maps 10.1.1.1:23 to 209.165.201.1:23)
Step 6 Specify the mapped IP address by clicking one of the following:
• Use IP Address. Enter the IP address or click the ... button to choose an IP address that you already defined in ASDM. Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0.
Using NAT Exemption

• Maximum Embryonic Connections—Specifies the maximum number of embryonic connections per host, up to 65,536. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Setting this limit enables the TCP Intercept feature. The default is 0, which means no limit on embryonic connections (and therefore no TCP Intercept).
Step 11
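The connection limits and sequence-number setting described above in the static NAT procedures are applied either on the static itself or through a service policy rule, with the lower limit winning when both are set. The following CLI is an added example, not from the guide, showing both forms side by side; the server addresses, the limit values and the class-map and policy names are assumptions, and the norandomseq line is present only to illustrate the option the text warns about.

```cisco
! Added example (not from the guide). Server addresses, limit values and
! class/policy names are assumptions.
!
! Static NAT with per-host limits carried on the static itself:
!   tcp 1000  at most 1000 TCP connections to the real host
!   200       embryonic (half-open) limit; reaching it turns on TCP Intercept,
!             which completes the three-way handshake on the server's behalf
!             and only forwards fully established connections (0 = no limit)
!   udp 500   UDP connection cap
static (inside,outside) 209.165.201.10 10.1.2.27 netmask 255.255.255.255 tcp 1000 200 udp 500
!
! norandomseq disables ISN randomization for this host. Use it only when
! another in-line device already randomizes, or an application that checks
! sequence numbers (for example eBGP with MD5 through the appliance) breaks;
! otherwise a remote attacker can predict the next ISN and attempt to
! hijack or spoof new connections to the protected host.
static (inside,outside) 209.165.201.11 10.1.2.28 netmask 255.255.255.255 norandomseq
!
! The same controls as a service policy rule. Where both the static and the
! policy set a limit, the LOWER value is enforced (here 500 connections and
! 100 embryonic for HTTP); if either side disables randomization, it is off.
class-map http_in
 match port tcp eq www
policy-map outside_policy
 class http_in
  set connection conn-max 500 embryonic-conn-max 100 per-client-max 20
  set connection random-sequence-number enable
  set connection timeout embryonic 0:00:20 half-closed 0:05:00 tcp 1:00:00
service-policy outside_policy interface outside
```

show conn and show local-host 10.1.2.27 report the current counts against these limits, and syslog 201010 or 201011 appears when the connection or embryonic limit is hit.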
Note You can later specify addresses that you do not want to exempt. For example, you can specify a subnet to exempt such as 10.1.1.0/24, but if you want to translate 10.1.1.50, then you can create a separate rule for that address that removes the exemption. Separate multiple real addresses by a comma.

Step 5 Enter the destination addresses in the Destination field, or click the ... button to choose an IP address that you already defined in ASDM.
Chapter 22 Configuring Service Policy Rules

This chapter describes how to enable service policy rules. Service policies provide a consistent and flexible way to configure security appliance features. For example, you can use a service policy to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications.
Service Policy Overview

• Application inspection
• IPS
• QoS output policing
• QoS priority queue
• QoS traffic shaping, hierarchical priority queue
• NetFlow Secure Event Logging filtering

Service Policy Elements

Configuring a service policy consists of adding one or more service policy rules per interface or for the global policy. For each rule, you identify the following elements:
1.
Feature Directionality

Actions are applied to traffic bidirectionally or unidirectionally depending on the feature. For features that are applied bidirectionally, all traffic that enters or exits the interface to which you apply the policy map is affected if the traffic matches the class map for both directions.
Note Application inspection includes multiple inspection types, and each inspection type is a separate feature when you consider the matching guidelines above.

Order in Which Multiple Feature Actions within a Rule are Applied

The order in which different types of actions in a service policy are performed is independent of the order in which the actions appear in ASDM.

Note NetFlow Secure Event Logging filtering is order-independent.
   p. SIP
   q. Skinny
   r. SMTP
   s. SNMP
   t. SQL*Net
   u. TFTP
   v. XDMCP
   w. DCERPC
   x. Instant Messaging

Note RADIUS accounting is not listed because it is the only inspection allowed on management traffic. WAAS is not listed because it can be configured along with other inspections for the same traffic.

5. IPS
6. QoS output policing
7. QoS standard priority queue
8.
Adding a Service Policy Rule for Through Traffic

For example, if HTTP traffic matches a policy on the inside interface to inspect HTTP traffic, and you have a separate policy on the outside interface for HTTP inspection, then that traffic is not also inspected on the egress of the outside interface.
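The matching guideline above (a feature is applied to a connection once, on the interface where it first matched, and an interface policy wins over the global policy for that feature) is shown below in the CLI that the Service Policy Rules pane generates. This is an added example and not configuration from the guide; the class-map, inspect-map and policy names, the port 8080 and the chosen connection limits are assumptions.

```cisco
! Added example (not from the guide). Class, map and policy names, the
! port 8080 and the connection limits are assumptions.
!
! Global policy using the "Default Inspection Traffic" shortcut: each
! inspection is applied only to its protocol's default port (HTTP on TCP/80,
! DNS on UDP/53, FTP on TCP/21, SIP on 5060 ...), so one class map can
! safely carry many inspections.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect http
  inspect sip
service-policy global_policy global
!
! Interface policy for HTTP on a non-default port. Because the default
! shortcut keys on destination port, TCP/8080 is not inspected by
! global_policy; it needs an explicit class.
class-map http_alt
 match port tcp eq 8080
policy-map type inspect http http_strict
 parameters
  protocol-violation action drop-connection log
policy-map inside_policy
 class http_alt
  inspect http http_strict
  set connection conn-max 2000 embryonic-conn-max 500
service-policy inside_policy interface inside
!
! An outside policy that ALSO lists inspect http for port 8080 would not
! inspect the same connection a second time on egress: HTTP inspection was
! already applied at the inside ingress, and the interface policy takes
! precedence over global_policy for that feature on that interface.
```

show service-policy interface inside lists the per-class packet counters, which is the quickest way to confirm that 8080 traffic is hitting inside_policy rather than falling through to the global policy.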
  – Default Inspection Traffic—The class matches the default TCP and UDP ports used by all applications that the security appliance can inspect. This option, which is used in the default global policy, is a special shortcut that, when used in a rule, ensures that the correct inspection is applied to each packet based on the destination port of the traffic.
multiple ACEs to the same traffic class by repeating this entire procedure. See the “Managing the Order of Service Policy Rules” section on page 22-13 for information about changing the order of ACEs.
• Use an existing traffic class. If you created a traffic class used by a rule on a different interface, you can reuse the traffic class definition for this rule.
If you want to specify a TCP or UDP port number, or an ICMP service number, enter protocol/port. For example, enter TCP/8080. By default, the service is IP. Separate multiple services by a comma.
e. (Optional) Enter a description in the Description field.
f. (Optional) To specify a source service for TCP or UDP, click the More Options area open, and enter a TCP or UDP service in the Source Service field.
Step 9 Click Finish.

Adding a Service Policy Rule for Management Traffic

You can create a service policy for traffic directed to the security appliance for management purposes. This type of security policy can perform RADIUS accounting inspection and connection limits.
both RADIUS accounting and connection limits are applied to the interface. However, if you have a global policy with RADIUS accounting, and an interface policy with RADIUS accounting, then only the interface policy RADIUS accounting is applied to that interface.
a. Choose an interface from the drop-down list.
Step 6 Click Next.
Step 7 The next dialog box depends on the traffic match criteria you chose.
• Source and Destination Address—This dialog box lets you set the source and destination addresses:
a. Click Match or Do Not Match. The Match option creates a rule where traffic matching the addresses has actions applied. The Do Not Match option exempts the traffic from having the specified actions applied.
In the Service field, enter a port number or name, or click ... to choose one already defined in ASDM.
Step 8 Click Next. The Add Management Service Policy Rule - Rule Actions dialog box appears.
Step 9 To configure RADIUS accounting inspection, choose an inspect map from the RADIUS Accounting Map drop-down list, or click Configure to add a map.
Step 2 Click the Move Up or Move Down cursor (see Figure 22-1).

Figure 22-1 Moving an ACE

Note If you rearrange ACEs in an access list that is used in multiple service policies, then the change is inherited in all service policies.

Step 3 When you are done rearranging your rules or ACEs, click Apply.
RADIUS Accounting Field Descriptions

Modes
Firewall Mode: Routed •  Transparent •
Security Context: Single •  Multiple Context •  System —

Add RADIUS Accounting Policy Map

The Add RADIUS Accounting Policy Map dialog box lets you add the basic settings for the RADIUS accounting map.

Fields
• Name—Enter the name of the previously configured RADIUS accounting map.
• Description—Enter the description of the RADIUS accounting map, up to 100 characters in length.
Chapter 22 Configuring Service Policy Rules RADIUS Accounting Field Descriptions Firewall Mode Security Context Multiple Routed Transparent Single • • Context • • System — RADIUS Inspect Map The RADIUS pane lets you view previously configured RADIUS application inspection maps. A RADIUS map lets you change the default configuration values used for RADIUS application inspection. You can use a RADIUS map to protect against an overbilling attack.
Chapter 22 Configuring Service Policy Rules RADIUS Accounting Field Descriptions • Add—Adds the host entry to the Host table. • Delete—Deletes the host entry from the Host table. Modes The following table shows the modes in which this feature is available: Firewall Mode Security Context Multiple Routed Transparent Single • • • Context • System — RADIUS Inspect Map Other The RADIUS Inspect Map Other Parameters pane lets you configure additional parameter settings for the inspect map.
Chapter 22 Configuring Service Policy Rules RADIUS Accounting Field Descriptions Cisco ASDM User Guide 22-18 OL-16647-01
Chapter 23 Applying AAA for Network Access
This chapter describes how to enable AAA (pronounced “triple A”) for network access. For information about AAA for management access, see the “Configuring AAA for System Administrators” section on page 16-20.
Configuring Authentication for Network Access
Information About Authentication
The security appliance lets you configure network access authentication using AAA servers.

Redirection is an improvement over the basic method because it provides an improved user experience when authenticating, and an identical user experience for HTTP and HTTPS in both Easy VPN and firewall modes. It also supports authenticating directly with the security appliance.

Configuring Network Access Authentication
To enable network access authentication, perform the following steps. For more information about authentication, see the “Information About Authentication” section on page 23-2.
Step 1 From the Configuration > Firewall > AAA Rules pane, choose Add > Add Authentication Rule. The Add Authentication Rule dialog box appears.

Enabling the Redirection Method of Authentication for HTTP and HTTPS
This method of authentication enables HTTP(S) listening ports to authenticate network users. When you enable a listening port, the security appliance serves an authentication page for direct connections and, by enabling redirection, for through traffic.

• Enabling Virtual HTTP—Virtual HTTP lets you authenticate separately with the security appliance and with the HTTP server. Even if the HTTP server does not need a second authentication, this feature achieves the effect of stripping the basic authentication credentials from the HTTP GET request. See the “Authenticating HTTP(S) Connections with a Virtual Server” section on page 23-7 for more information.

Authenticating Telnet Connections with a Virtual Server
Although you can configure network access authentication for any protocol or service (see the “Configuring Authentication for Network Access” section on page 23-1), you can authenticate directly with HTTP, Telnet, or FTP only. A user must first authenticate with one of these services before other traffic that requires authentication is allowed through.

If the destination HTTP server requires authentication in addition to the security appliance, then virtual HTTP lets you authenticate separately with the security appliance (via a AAA server) and with the HTTP server.
Configuring the Authentication Proxy Limit
You can manually configure the uauth session limit by setting the maximum number of concurrent proxy connections allowed per user. To set the proxy limit, perform the following steps:
Step 1 From the Configuration > Firewall > AAA Rules pane, click Advanced. The AAA Rules Advanced Options dialog box appears.
Step 2 In the Proxy Limit area, check Enable Proxy Limit.

Configuring Authorization for Network Access
To configure TACACS+ authorization, perform the following steps:
Step 1 Enable authentication. For more information, see the “Configuring Network Access Authentication” section on page 23-4. If you have already enabled authentication, continue to the next step.
Step 2 From the Configuration > Firewall > AAA Rules pane, choose Add > Add Authorization Rule. The Add Authorization Rule dialog box appears.

When you configure the security appliance to authenticate users for network access, you are also implicitly enabling RADIUS authorizations; therefore, this section contains no information about configuring RADIUS authorization on the security appliance. It does provide information about how the security appliance handles access list information received from RADIUS servers.
2. If Cisco Secure ACS successfully authenticates the user, Cisco Secure ACS returns a RADIUS access-accept message that contains the internal name of the applicable downloadable access list.

6. If the access list required is more than approximately 4 KB in length, Cisco Secure ACS responds with an access-challenge message that contains a portion of the access list, formatted as described above, and a State attribute (IETF RADIUS attribute 24), which contains control data used by Cisco Secure ACS to track the progress of the download.

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.253
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.253
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.

Configuring Accounting for Network Access
Converting Wildcard Netmask Expressions in Downloadable Access Lists
If a RADIUS server provides downloadable access lists to Cisco VPN 3000 series concentrators as well as to the security appliance, you may need the security appliance to convert wildcard netmask expressions to standard netmask expressions.
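The downloadable access list format shown above and the wildcard-to-netmask conversion described in this section, as an added example that is not part of the Cisco guide and does not reproduce the appliance's own code: it parses the `access-list #ACSACL#-... permit ...` lines that Cisco Secure ACS delivers, checks that every line carries the same ACL name, and normalizes a VPN 3000 style wildcard mask (0.0.0.255) into a standard netmask (255.255.255.0), rejecting non-contiguous wildcards that have no netmask equivalent. The ACL name is the one on the page; the host, network and port values in the sample lines, the `auto-detect` heuristic (treat a mask as a wildcard only when it is not a valid contiguous netmask) and all function names are this example's assumptions.

```python
import ipaddress
import re

# Constructed sample of a downloadable ACL as Cisco Secure ACS returns it in
# cisco-av-pair attributes. The ACL name is from the page; the addresses, ports and
# the fourth and fifth lines are constructed for this example.
ACL_NAME = "#ACSACL#-ip-asa-acs_ten_acl-3b5385f7"
SAMPLE_ACL = [
    f"access-list {ACL_NAME} permit udp any host 10.0.0.253",
    f"access-list {ACL_NAME} permit icmp any host 10.0.0.253",
    f"access-list {ACL_NAME} permit tcp any host 10.0.0.253 eq 80",
    f"access-list {ACL_NAME} permit tcp any 10.0.1.0 0.0.0.255 eq 443",  # wildcard mask
    f"access-list {ACL_NAME} deny ip any any",
]

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")


def _is_contiguous(mask: int) -> bool:
    """True when the 32-bit mask is a run of ones followed only by zeros."""
    return "01" not in f"{mask:032b}"


def wildcard_to_netmask(wildcard: str) -> str:
    """Convert a wildcard mask (0.0.0.255) to a standard netmask (255.255.255.0).
    A non-contiguous wildcard has no netmask equivalent and is rejected."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    if not _is_contiguous(mask):
        raise ValueError(f"wildcard {wildcard} has no standard netmask equivalent")
    return str(ipaddress.IPv4Address(mask))


def normalize_mask(mask: str, mode: str) -> str:
    """Return a standard netmask for the mask field of an ACE.
    mode 'standard': trust the field as a netmask; 'wildcard': always convert;
    'auto-detect': assumed heuristic for this example (not the appliance's rule):
    convert only when the field is not itself a contiguous netmask."""
    if mode == "standard":
        return mask
    if mode == "wildcard":
        return wildcard_to_netmask(mask)
    if mode == "auto-detect":
        if _is_contiguous(int(ipaddress.IPv4Address(mask))):
            return mask
        return wildcard_to_netmask(mask)
    raise ValueError(f"unknown conversion mode {mode!r}")


def _take_address(tokens, mode):
    """Consume one address spec (any | host A | A MASK) and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    netmask = normalize_mask(tokens[1], mode)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_downloadable_acl(lines, mode="auto-detect"):
    """Parse ACE lines into dicts and return (acl_name, entries).
    Every line must carry the same #ACSACL# name, otherwise the download is rejected."""
    entries, names = [], set()
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable ACE: {line!r}")
        name, action, proto, rest = m.groups()
        names.add(name)
        tokens = rest.split()
        src, tokens = _take_address(tokens, mode)
        dst, tokens = _take_address(tokens, mode)
        port = int(tokens[1]) if len(tokens) >= 2 and tokens[0] == "eq" else None
        entries.append({"action": action, "proto": proto, "src": src, "dst": dst, "port": port})
    if len(names) != 1:
        raise ValueError(f"mixed ACL names in one download: {sorted(names)}")
    return names.pop(), entries


if __name__ == "__main__":
    acl_name, aces = parse_downloadable_acl(SAMPLE_ACL)
    print(acl_name)
    for ace in aces:
        print(ace)
```

The `auto-detect` mode cannot distinguish the two masks that are valid in both readings (0.0.0.0 and 255.255.255.255), so a deployment that mixes concentrator and appliance clients should prefer a fixed mode over the heuristic.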
Using MAC Addresses to Exempt Traffic from Authentication and Authorization
Step 3 From the Interface drop-down list, choose the interface for applying the rule.
Step 4 In the Action field, click one of the following, depending on the implementation:
• Account
• Do not Account.
Step 5 From the AAA Server Group drop-down list, choose a server group. To add a AAA server to the server group, click Add Server.

The order of entries matters, because the packet uses the first entry it matches, as opposed to a best match scenario. If you have a permit entry, and you want to deny an address that is allowed by the permit entry, be sure to enter the deny entry before the permit entry.
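The first-match rule described in this paragraph, as an added example that is not part of the Cisco guide: a small model of an ordered MAC exempt list that evaluates entries top to bottom, plus a check that reports entries an earlier entry already covers completely (the misordering the paragraph warns about). The entry model, the OUI-range mask and the MAC addresses are constructed for this example; the appliance's own data structures are not reproduced.

```python
MAC_MASK_ALL = "ffff.ffff.ffff"


def mac_to_int(mac: str) -> int:
    """Accept Cisco dotted (00d0.ba11.1234), colon or dash notation."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address or mask {mac!r}")
    return int(digits, 16)


class MacExemptList:
    """Ordered (action, mac, mask) entries evaluated first-match, as the page
    describes. 'permit' exempts the address from AAA, 'deny' does not.
    Constructed model for illustration, not the appliance's implementation."""

    def __init__(self):
        self.entries = []

    def add(self, action: str, mac: str, mask: str = MAC_MASK_ALL):
        if action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny, not {action!r}")
        self.entries.append((action, mac_to_int(mac), mac_to_int(mask)))
        return self

    def lookup(self, mac: str):
        """Return (index, action) of the first entry that matches, or (None, None)."""
        m = mac_to_int(mac)
        for idx, (action, emac, emask) in enumerate(self.entries):
            if (m & emask) == (emac & emask):
                return idx, action
        return None, None

    def shadowed(self):
        """Indexes of entries that can never match: an earlier entry's mask is a
        subset of theirs and agrees on every masked bit, so it always wins first."""
        result = []
        for j, (_, jmac, jmask) in enumerate(self.entries):
            for i in range(j):
                _, imac, imask = self.entries[i]
                if (imask & jmask) == imask and (imac & imask) == (jmac & imask):
                    result.append(j)
                    break
        return result


# Constructed scenario: exempt the 00d0.ba00.0000/ffff.ff00.0000 range from
# authentication, but one station in that range must still authenticate.
def build_correct() -> MacExemptList:
    """Deny entry entered before the broader permit entry, as the page advises."""
    return (MacExemptList()
            .add("deny", "00d0.ba11.1234")
            .add("permit", "00d0.ba00.0000", "ffff.ff00.0000"))


def build_wrong() -> MacExemptList:
    """Same two entries in the wrong order: the deny is unreachable."""
    return (MacExemptList()
            .add("permit", "00d0.ba00.0000", "ffff.ff00.0000")
            .add("deny", "00d0.ba11.1234"))


if __name__ == "__main__":
    print("correct:", build_correct().lookup("00d0.ba11.1234"), build_correct().shadowed())
    print("wrong:  ", build_wrong().lookup("00d0.ba11.1234"), build_wrong().shadowed())
```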
Chapter 24 Configuring Application Layer Protocol Inspection
This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the security appliance to do a deep packet inspection instead of passing the packet through the fast path. As a result, inspection engines can affect overall throughput.

Inspection Engine Overview
• RADIUS Accounting Inspection, page 24-19
• RSH Inspection, page 24-19
• RTSP Inspection, page 24-19
• SIP Inspection, page 24-21
• Skinny (SCCP) Inspection, page 24-22
• SMTP and Extended SMTP Inspection, page 24-24
• SNMP Inspection, page 24-25
• SQL*Net Inspection, page 24-25
• Sun RPC Inspection, page 24-26
• TFTP Inspection, page 24-28
• XDMCP Inspection, page 24-28
• Service Policy Field

Inspection Limitations
See the following limitations for application protocol inspection:
• State information for multimedia sessions that require inspection is not passed over the state link for stateful failover. The exception is GTP, which is replicated over the state link.
• Some inspection engines do not support PAT, NAT, outside NAT, or NAT between same security interfaces.

Configuring Application Inspection
Table 24-1 Supported Application Inspection Engines (continued)
Application                 | Default Port                 | NAT Limitations | Standards | Comments
NetBIOS Name Server over IP | UDP/137, 138 (Source ports)  | —               | —         | NetBIOS is supported by performing NAT of the packets for NBNS UDP port 137 and NBDS UDP port 138.
To configure application inspection, perform the following steps:
Step 1 Click Configuration > Firewall > Service Policy Rules.
Step 2 Add or edit a service policy rule according to the “Adding a Service Policy Rule for Through Traffic” section on page 22-6. If you want to match non-standard ports, then create a new rule for the non-standard ports.

CTIQBE Inspection
• Entering the debug ctiqbe command may delay message transmission, which may have a performance impact in a real-time environment. When you enable this debugging or logging and Cisco IP SoftPhone seems unable to complete call setup through the security appliance, increase the timeout values in the Cisco TSP settings on the system running Cisco IP SoftPhone.

DNS Inspection
• Translates the DNS record based on the configuration completed using NAT rules. Translation only applies to the A-record in the DNS reply; therefore, DNS Rewrite does not affect reverse lookups, which request the PTR record.
Note DNS Rewrite is not applicable for PAT because multiple PAT rules are applicable for each A-record and the PAT rule to use is ambiguous.

Figure 24-1 Translating the Address in a DNS Reply (DNS Rewrite)
[Figure: the DNS server on the Internet (reached through the ISP) answers server.example.com IN A 209.165.200.5; the security appliance rewrites the reply to server.example.com IN A 192.168.100.1, the web server's inside address, before delivering it to the web client at 192.168.100.2 that requested http://server.example.com.]

DNS rewrite also works if the client making the DNS request is on a DMZ network and the DNS server is on an inside interface.
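The rewrite described above, as an added example that is not part of the Cisco guide and does not reproduce the appliance's DNS engine: a minimal DNS reply is constructed with the names and addresses from Figure 24-1, the rdata of each A record in the answer section is replaced according to a static NAT map, and PTR answers, as well as global addresses that map to more than one local address (the PAT case the note describes), are left untouched. The message builder, the helper names and the convention that a list value in the NAT map represents a PAT rule are this example's assumptions.

```python
import ipaddress
import struct

QTYPE_A, QTYPE_PTR, CLASS_IN = 1, 12, 1


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels (enough for a constructed reply)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name; handles RFC 1035 compression pointers."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # two-byte pointer terminates the name
            return off + 2
        off += 1 + ln


def build_dns_reply(qname: str, qtype: int, answers, txn_id: int = 0x1234) -> bytes:
    """Construct a reply with one question and answers given as (rtype, rdata) pairs."""
    header = struct.pack(">HHHHHH", txn_id, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack(">HH", qtype, CLASS_IN)
    body = b"".join(
        _encode_name(qname) + struct.pack(">HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
        for rtype, rdata in answers)
    return header + question + body


def _iter_answers(msg: bytes):
    """Yield (rtype, rclass, rdata_offset, rdlen) for each answer-section record."""
    qdcount, ancount = struct.unpack_from(">HH", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def answer_a_records(msg: bytes):
    """List the IPv4 addresses carried by A records in the answer section."""
    return [str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            for rtype, rclass, off, rdlen in _iter_answers(msg)
            if rtype == QTYPE_A and rclass == CLASS_IN and rdlen == 4]


def rewrite_a_records(msg: bytes, nat_map: dict):
    """DNS rewrite: replace A-record rdata per nat_map {global_ip: local_ip}.
    A list value stands for a PAT rule with several candidate local addresses; that
    case is ambiguous and skipped, as is every non-A record (PTR included).
    Returns (rewritten_message, number_of_records_changed)."""
    buf = bytearray(msg)
    changed = 0
    for rtype, rclass, off, rdlen in _iter_answers(msg):
        if rtype != QTYPE_A or rclass != CLASS_IN or rdlen != 4:
            continue
        local = nat_map.get(str(ipaddress.IPv4Address(bytes(msg[off:off + 4]))))
        if isinstance(local, str):               # one-to-one static translation only
            buf[off:off + 4] = ipaddress.IPv4Address(local).packed
            changed += 1
    return bytes(buf), changed


# Constructed NAT tables using the addresses from Figure 24-1.
NAT_MAP = {"209.165.200.5": "192.168.100.1"}
PAT_MAP = {"209.165.200.5": ["192.168.100.1", "192.168.100.2"]}   # ambiguous: not rewritten

if __name__ == "__main__":
    reply = build_dns_reply("server.example.com", QTYPE_A,
                            [(QTYPE_A, ipaddress.IPv4Address("209.165.200.5").packed)])
    rewritten, n = rewrite_a_records(reply, NAT_MAP)
    print(n, answer_a_records(rewritten))
```

Because the replacement rdata has the same length as the original, the message length, the counts in the header and any compression pointers after the rewritten record remain valid.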
FTP Inspection
Note If you disable FTP inspection engines, outbound users can start connections only in passive mode, and all inbound FTP is disabled.
Using Strict FTP
Using strict FTP increases the security of protected networks by preventing web browsers from sending embedded commands in FTP requests.

• The security appliance replaces the FTP server response to the SYST command with a series of Xs to prevent the server from revealing its system type to FTP clients. To override this default behavior, use the Low setting in the FTP map.
Verifying and Monitoring FTP Inspection
FTP application inspection generates the following log messages:
• An Audit record 302002 is generated for each file that is retrieved or uploaded.
GTP Inspection
Figure 24-2 GPRS Tunneling Protocol
[Figure: in the Home PLMN, the MS attaches to the SGSN, which reaches the GGSN over the Gn interface; the GGSN connects over the Gi interface to the Internet and to Corporate network 1 and Corporate network 2; a roaming partner (visited PLMN) is reached over the Gp interface through the GRX.]
The UMTS is the commercial convergence of fixed-line telephony, mobile, Internet and computer technology. UTRAN is the networking protocol used for implementing wireless networks in this system.

H.323 Inspection
H.323 Inspection Overview
H.323 inspection provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union for multimedia conferences over LANs. The security appliance supports H.323 through Version 4, including H.323 v3 feature Multiple Calls on One Call Signaling Channel.

The H.323 ITU standard requires that a TPKT header, defining the length of the message, precede the H.225 and H.245, before being passed on to the reliable connection. Because the TPKT header does not necessarily need to be sent in the same TCP packet as H.225 and H.245 messages, the security appliance must remember the TPKT length to process and decode the messages properly.
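The TPKT length bookkeeping the paragraph describes, as an added example that is not part of the Cisco guide and is not the appliance's H.323 engine: a reassembler that consumes TCP segments in arbitrary boundaries, remembers the length announced by a TPKT header (RFC 1006: version 3, one reserved byte, a 16-bit length that includes the 4-byte header) even when the header and its message arrive in different segments, and hands back each complete H.225/H.245 payload. The class and function names, and the placeholder payload bytes, are this example's assumptions.

```python
import struct


class TpktReassembler:
    """Reassembles TPKT-framed messages from a byte stream delivered in arbitrary
    TCP segment boundaries. The announced length is remembered across segments,
    which is exactly what the page says the appliance must do."""

    HEADER_LEN = 4

    def __init__(self):
        self._buf = bytearray()
        self._expected = None      # total length of the message in progress, if known

    def feed(self, segment: bytes):
        """Add one TCP segment; return the payloads of every message completed by it."""
        self._buf += segment
        completed = []
        while True:
            if self._expected is None:
                if len(self._buf) < self.HEADER_LEN:
                    break                                   # header itself is still partial
                version, _reserved, length = struct.unpack(">BBH", bytes(self._buf[:4]))
                if version != 3 or length < self.HEADER_LEN:
                    raise ValueError(f"malformed TPKT header: version={version} length={length}")
                self._expected = length
            if len(self._buf) < self._expected:
                break                                       # wait for the rest of the message
            completed.append(bytes(self._buf[self.HEADER_LEN:self._expected]))
            del self._buf[:self._expected]
            self._expected = None
        return completed

    @property
    def pending(self) -> int:
        """Bytes buffered for a message that is not yet complete."""
        return len(self._buf)


def tpkt_frame(payload: bytes) -> bytes:
    """Wrap a payload in a TPKT header (used here to construct sample traffic)."""
    return struct.pack(">BBH", 3, 0, TpktReassembler.HEADER_LEN + len(payload)) + payload


def reassemble(segments) -> list:
    """Convenience wrapper: feed all segments and collect the completed payloads."""
    r = TpktReassembler()
    out = []
    for seg in segments:
        out.extend(r.feed(seg))
    return out


if __name__ == "__main__":
    # Constructed stream: two messages (placeholder payloads, not real H.225/H.245
    # encodings) split so that the first header straddles two segments.
    stream = tpkt_frame(b"H225-SETUP") + tpkt_frame(b"H245-TCS")
    print(reassemble([stream[:2], stream[2:7], stream[7:]]))
```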
Instant Messaging Inspection
The IM inspect engine lets you apply fine-grained controls on the IM application to control the network usage and stop leakage of confidential data, propagation of worms, and other threats to the corporate network.
ICMP Inspection
The ICMP inspection engine allows ICMP traffic to have a “session” so it can be inspected like TCP and UDP traffic.
For search responses, when the LDAP server is located outside, NAT should be considered to allow internal peers to communicate locally while registered to external LDAP servers. For such search responses, xlates are searched first, and then DNAT entries to obtain the correct address. If both of these searches fail, then the address is not changed.

MGCP Inspection
the Internet or over other packet networks. Using NAT and PAT with MGCP lets you support a large number of devices on an internal network with a limited set of external (global) addresses. Examples of media gateways are:
• Trunking gateways, that interface between the telephone network and a Voice over IP network. Such gateways typically manage a large number of digital circuits.

• DeleteConnection
• NotificationRequest
• Notify
• AuditEndpoint
• AuditConnection
• RestartInProgress
The first four commands are sent by the call agent to the gateway. The Notify command is sent by the gateway to the call agent. The gateway may also send a DeleteConnection. The registration of the MGCP gateway with the call agent is achieved by the RestartInProgress command.

MMP Inspection
• Verifies that client to server MMP content lengths are not exceeded. If an entity content length is exceeded (4096), the TCP session is terminated. 4096 is the value currently used in MMP implementations.
Note Since MMP headers and entities can be split across packets, the security appliance buffers data to ensure consistent inspection. The SAPI (stream API) handles data buffering for pending inspection opportunities.
PPTP Inspection
PPTP is a protocol for tunneling PPP traffic. A PPTP session is composed of one TCP channel and usually two PPTP GRE tunnels. The TCP channel is the control channel used for negotiating and managing the PPTP GRE tunnels. The GRE tunnels carry PPP sessions between the two hosts.

RTSP Inspection
RTSP Inspection Overview
The RTSP inspection engine lets the security appliance pass RTSP packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections.
Note For Cisco IP/TV, use RTSP TCP port 554 and TCP 8554.
RTSP applications use the well-known port 554 with TCP (rarely UDP) as a control channel. The security appliance only supports TCP, in conformity with RFC 2326.

• With Cisco IP/TV, the number of translates the security appliance performs on the SDP part of the message is proportional to the number of program listings in the Content Manager (each program listing can have at least six embedded IP addresses).
• You can configure NAT for Apple QuickTime 4 or RealPlayer.

SIP Inspection
• Session Initiation Protocol (SIP)-Specific Event Notification, RFC 3265
• Session Initiation Protocol (SIP) Extension for Instant Messaging, RFC 3428
MESSAGE/INFO requests can come in at any time after registration/subscription. For example, two users can be online at any time, but not chat for hours. Therefore, the SIP inspection engine opens pinholes that time out according to the configured SIP timeout value.
Skinny (SCCP) Inspection
Note For specific information about setting up the Phone Proxy on the security appliance, which is part of the Cisco Unified Communications architecture and supports IP Phone deployment, see Phone Proxy, page 19-24.
SCCP Inspection Overview
Skinny (SCCP) is a simplified protocol used in VoIP networks. Cisco IP Phones using SCCP can coexist in an H.323 environment.

When the Cisco IP Phones are on a higher security interface compared to the TFTP server and Cisco CallManager, no access list or static entry is required to allow the Cisco IP Phones to initiate the connection.

SMTP and Extended SMTP Inspection
With SMTP inspection enabled, a Telnet session used for interactive SMTP may hang if the following rules are not observed: SMTP commands must be at least four characters in length; must be terminated with carriage return and line feed; and must wait for a response before issuing the next reply. An SMTP server responds to client requests with numeric reply codes and optional human-readable strings.
SQL*Net Inspection
The packets that need fix-up contain embedded host/port addresses in the following format:
(ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=a.b.c.d)(PORT=a))
SQL*Net Version 2 TNSFrame types (Connect, Accept, Refuse, Resend, and Marker) will not be scanned for addresses to NAT nor will inspection open dynamic connections for any embedded ports in the packet.
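The embedded address format quoted above, handled as an added example that is not part of the Cisco guide and is not the appliance's SQL*Net engine: a parser for the nested `(KEY=VALUE)` descriptor syntax, a walk that collects every `(ADDRESS=...)` group at any nesting depth (the page shows a single group; this generalizes to the DESCRIPTION/ADDRESS_LIST wrapper that a redirect can carry), and a translation step that rewrites `HOST` values through a NAT map and returns the host/port pairs an inspection engine would have to open. The sample descriptor, the NAT addresses and the function names are constructed for this example.

```python
import re

# Constructed SQL*Net connect descriptor in the (ADDRESS=...) format shown on the
# page; the DESCRIPTION/ADDRESS_LIST wrapper, hosts and ports are this example's.
SAMPLE_DESCRIPTOR = (
    "(DESCRIPTION="
    "(ADDRESS_LIST="
    "(ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=10.1.1.5)(PORT=1521))"
    "(ADDRESS=(PROTOCOL=tcp)(HOST=10.1.1.6)(PORT=1522)))"
    "(CONNECT_DATA=(SID=ORCL)))"
)


def parse_tns(text: str, pos: int = 0):
    """Parse consecutive '(KEY=VALUE)' groups starting at pos. VALUE is a scalar
    string or, when it begins with '(', a nested list of groups.
    Returns (list of (key, value), position just after the last group)."""
    items = []
    while pos < len(text) and text[pos] == "(":
        eq = text.index("=", pos)
        key = text[pos + 1:eq].strip()
        pos = eq + 1
        if pos < len(text) and text[pos] == "(":
            value, pos = parse_tns(text, pos)
        else:
            end = text.index(")", pos)            # raises ValueError if unterminated
            value, pos = text[pos:end].strip(), end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"unbalanced descriptor at offset {pos}")
        pos += 1
        items.append((key, value))
    return items, pos


def find_addresses(items):
    """Collect (protocol, host, port) from every ADDRESS group at any depth."""
    found = []
    for key, value in items:
        if not isinstance(value, list):
            continue
        if key.upper() == "ADDRESS":
            kv = {k.upper(): v for k, v in value if isinstance(v, str)}
            found.append((kv.get("PROTOCOL"), kv.get("HOST"), kv.get("PORT")))
        else:
            found.extend(find_addresses(value))
    return found


HOST_RE = re.compile(r"\(HOST=([^)]+)\)")


def translate_descriptor(text: str, nat_map: dict):
    """Rewrite HOST values per nat_map {inside_ip: global_ip}.
    Returns (new_descriptor, pinholes): pinholes lists the (host, port) pairs the
    peer is being told to connect to, i.e. the secondary connections an inspection
    engine must permit. The descriptor is validated before anything is rewritten."""
    items, end = parse_tns(text)
    if end != len(text.rstrip()):
        raise ValueError("trailing data after descriptor")
    new_text = HOST_RE.sub(lambda m: f"(HOST={nat_map.get(m.group(1), m.group(1))})", text)
    pinholes = [(nat_map.get(host, host), int(port))
                for _proto, host, port in find_addresses(items) if host and port]
    return new_text, pinholes


if __name__ == "__main__":
    rewritten, holes = translate_descriptor(SAMPLE_DESCRIPTOR, {"10.1.1.5": "209.165.201.5"})
    print(rewritten)
    print(holes)
```

Translating a HOST value can change the descriptor's length, so in real traffic the enclosing TNS packet length (and TCP sequence numbers) would have to be adjusted as well; this example works on the descriptor text only.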
Sun RPC Inspection
• IP address—Displays the IP address of the SunRPC server.
• Mask—Displays the subnet mask of the IP Address of the SunRPC server.
• Service ID—Displays the SunRPC program number, or service ID, allowed to traverse the security appliance.
• Protocol—Displays the SunRPC transport protocol (TCP or UDP).
• Port—Displays the SunRPC protocol port range.

TFTP Inspection
TFTP inspection is enabled by default. TFTP, described in RFC 1350, is a simple protocol to read and write files between a TFTP server and client. The security appliance inspects TFTP traffic and dynamically creates connections and translations, if necessary, to permit file transfer between a TFTP client and server.
Service Policy Field Descriptions
• Select H.

– Configure—Displays the Select HTTP Map dialog box, which lets you select a map name to use for this protocol.
• ICMP—Enables application inspection for the ICMP protocol.
• ICMP Error—Enables application inspection for the ICMP Error protocol.
• ILS—Enables application inspection for the ILS protocol.
• IM—Enables application inspection for the IM protocol.

Modes
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple Context | Multiple System
  •    |      •      |   •    |        •         |        —
For More Information
Inspect Map Field Descriptions, page 24-59
Inspect command pages for each protocol in the Cisco Security Appliance Command Reference.

Select DCERPC Map
The Select DCERPC Map dialog box lets you select or create a new DCERPC map.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple Context | Multiple System
  •    |      •      |   •    |        •         |        —

Select ESMTP Map
The Select ESMTP Map dialog box lets you select or create a new ESMTP map. An ESMTP map lets you change the configuration values used for ESMTP application inspection.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple Context | Multiple System
  •    |      •      |   •    |        •         |        —

Select GTP Map
The Select GTP Map dialog box lets you select or create a new GTP map. A GTP map lets you change the configuration values used for GTP application inspection.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple Context | Multiple System
  •    |      •      |   •    |        •         |        —

Select HTTP Map
The Select HTTP Map dialog box lets you select or create a new HTTP map. An HTTP map lets you change the configuration values used for HTTP application inspection.
Modes
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple Context | Multiple System
  •    |      •      |   •    |        •         |        —

Select IPSec-Pass-Thru Map
The Select IPSec-Pass-Thru dialog box lets you select or create a new IPSec map. An IPSec map lets you change the configuration values used for IPSec application inspection.
Modes
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple Context | Multiple System
  •    |      •      |   •    |        •         |        —

Select NETBIOS Map
The Select NETBIOS Map dialog box lets you select or create a new NetBIOS map. A NetBIOS map lets you change the configuration values used for NetBIOS application inspection.
Modes
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple Context | Multiple System
  •    |      •      |   •    |        •         |        —

Select SCCP (Skinny) Map
The Select SCCP (Skinny) Map dialog box lets you select or create a new SCCP (Skinny) map. An SCCP (Skinny) map lets you change the configuration values used for SCCP (Skinny) application inspection.

Select SIP Map
Fields
• Use the default SIP inspection map—Specifies to use the default SIP map.
• Select a SIP map for fine control over inspection—Lets you select a defined application inspection map or add a new one.
• Add—Opens the Add Policy Map dialog box for the inspection.
• TLS Proxy—Lets you specify TLS proxy settings for the inspect map.
Class Map Field Descriptions
An inspection class map matches application traffic with criteria specific to the application, such as a URL string. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps.

Add/Edit DNS Traffic Class Map
The Add/Edit DNS Traffic Class Map dialog box lets you define a DNS class map.
Fields
• Name—Enter the name of the DNS class map, up to 40 characters in length.
• Description—Enter the description of the DNS class map.
• Add—Adds a DNS class map.
• Edit—Edits a DNS class map.
• Delete—Deletes a DNS class map.

Header Flag Value—Lets you enter an arbitrary 16-bit value in hex to match.
• Type Criterion Values—Specifies the value details for the DNS type match.
– DNS Type Field Name—Lists the DNS types to select.

Modes
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple Context | Multiple System
  •    |      •      |   •    |        •         |        —

Manage Regular Expressions
The Manage Regular Expressions dialog box lets you configure Regular Expressions for use in pattern matching. Regular expressions that start with “_default” are default regular expressions and cannot be modified or deleted.
Fields
• Name—Shows the regular expression names.

• Add—Adds a regular expression class map.
• Edit—Edits a regular expression class map.
• Delete—Deletes a regular expression class map.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple Context | Multiple System
  •    |      •      |   •    |        •         |        —

FTP Class Map
The FTP Class Map panel lets you configure FTP class maps for FTP inspection.

Add/Edit FTP Traffic Class Map
The Add/Edit FTP Traffic Class Map dialog box lets you define an FTP class map.
Fields
• Name—Enter the name of the FTP class map, up to 40 characters in length.
• Description—Enter the description of the FTP class map.
• Add—Adds an FTP class map.
• Edit—Edits an FTP class map.
• Delete—Deletes an FTP class map.

GET—FTP client command for the retr (retrieve a file) command.
HELP—Help information from the server.
MKD—Create a directory.
PUT—FTP client command for the stor (store a file) command.
RMD—Remove a directory.
RNFR—Rename from.
RNTO—Rename to.
SITE—Specify a server specific command.
STOU—Store a file with a unique name.
• File Name Criterion Values—Specifies to match on the FTP transfer filename.

Modes
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple Context | Multiple System
  •    |      •      |   •    |        •         |        —

H.323 Class Map
The H.323 Class Map panel lets you configure H.323 class maps for H.323 inspection. An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions.

• Add—Adds an H.323 class map.
• Edit—Edits an H.323 class map.
• Delete—Deletes an H.323 class map.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple Context | Multiple System
  •    |      •      |   •    |        •         |        —

Add/Edit H.323 Match Criterion
The Add/Edit H.323 Match Criterion dialog box lets you define the match criterion and value for the H.

– Audio—Match audio type.
– Video—Match video type.
– Data—Match data type.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple Context | Multiple System
  •    |      •      |   •    |        •         |        —

HTTP Class Map
The HTTP Class Map panel lets you configure HTTP class maps for HTTP inspection.

Add/Edit HTTP Traffic Class Map
The Add/Edit HTTP Traffic Class Map dialog box lets you define an HTTP class map.
Fields
• Name—Enter the name of the HTTP class map, up to 40 characters in length.
• Description—Enter the description of the HTTP class map.
• Add—Adds an HTTP class map.
• Edit—Edits an HTTP class map.
• Delete—Deletes an HTTP class map.
Chapter 24 Configuring Application Layer Protocol Inspection Class Map Field Descriptions – Request Body—Applies the regular expression match to the body of the request. Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression Class—Lists the defined regular expression classes to match.
Chapter 24 Configuring Application Layer Protocol Inspection Class Map Field Descriptions – Request Header Count—Applies the regular expression match to the header of the request with a maximum number of headers. Greater Than Count—Enter the maximum number of headers. – Request Header Length—Applies the regular expression match to the header of the request with length greater than the bytes specified. Greater Than Length—Enter a header length value in bytes.
Chapter 24 Configuring Application Layer Protocol Inspection Class Map Field Descriptions Greater Than Length—Enter a field length value in bytes that response field lengths will be matched against. – Response Header Field Count—Applies the regular expression match to the header of the response with a maximum number of header fields.
Chapter 24 Configuring Application Layer Protocol Inspection Class Map Field Descriptions – Response Status Line—Applies the regular expression match to the status line. Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression Class—Lists the defined regular expression classes to match.
Firewall Mode: Routed (supported), Transparent (supported). Security Context: Single (supported), Multiple/Context (supported), Multiple/System (not supported). Add/Edit IM Traffic Class Map The Add/Edit IM Traffic Class Map dialog box lets you define an IM class map. Fields • Name—Enter the name of the IM class map, up to 40 characters in length. • Description—Enter the description of the IM class map. • Add—Adds an IM class map. • Edit—Edits an IM class map.
– Source IP Address—Match source IP address. – Destination IP Address—Match destination IP address. – Filename—Match the filename from the IM file transfer service. • Protocol Criterion Values—Specifies which IM protocols to match. – Yahoo! Messenger—Specifies to match Yahoo! Messenger instant messages. – MSN Messenger—Specifies to match MSN Messenger instant messages.
• Destination IP Address Criterion Values—Specifies to match the destination IP address of the IM service. – IP Address—Enter the destination IP address of the IM service. – IP Mask—Mask of the destination IP address. • Filename Criterion Values—Specifies to match the filename from the IM file transfer service. Applies the regular expression match.
Modes The following table shows the modes in which this feature is available: Firewall Mode: Routed (supported), Transparent (supported). Security Context: Single (supported), Multiple/Context (supported), Multiple/System (not supported). Add/Edit SIP Traffic Class Map The Add/Edit SIP Traffic Class Map dialog box lets you define a SIP class map. Fields • Name—Enter the name of the SIP class map, up to 40 characters in length.
– Content Type—Match the Content-Type header. – IM Subscriber—Match the SIP IM subscriber. – Message Path—Match the SIP Via header. – Request Method—Match the SIP request method. – Third-Party Registration—Match the requester of a third-party registration. – URI Length—Match a URI in the SIP headers whose length exceeds a specified value (0 to 65536 bytes). • Called Party Criterion Values—Specifies to match the called party.
Inspect Map Field Descriptions – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps. • Message Path Criterion Values—Specifies to match a SIP Via header. Applies the regular expression match. – Regular Expression—Lists the defined regular expressions to match. – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
• DNS Inspect Map, page 24-64 • ESMTP Inspect Map, page 24-71 • FTP Inspect Map, page 24-79 • GTP Inspect Map, page 24-84 • H.
Use the Service Policy Rules tab on the Security Policy pane to apply the inspect map to traffic matching the criteria specified in the service policy. A service policy can apply to a specific interface or to all the interfaces on the security appliance. DCERPC The DCERPC inspection lets you create, view, and manage DCERPC inspect maps.
RADIUS Accounting The RADIUS Accounting inspection lets you create, view, and manage RADIUS Accounting inspect maps. You can use a RADIUS map to protect against an overbilling attack. RTSP The RTSP inspection lets you create, view, and manage RTSP inspect maps. You can use an RTSP map to protect RTSP traffic, including RTSP PAT.
Endpoint mapper service lookup: enabled. Endpoint mapper service lookup timeout: 00:05:00. – Medium—Default. Pinhole timeout: 00:01:00; endpoint mapper service: not enforced; endpoint mapper service lookup: disabled. – High—Pinhole timeout: 00:01:00; endpoint mapper service: enforced; endpoint mapper service lookup: disabled. – Customize—Opens the Add/Edit DCERPC Policy Map dialog box for additional settings.
– High—Pinhole timeout: 00:01:00; endpoint mapper service: enforced; endpoint mapper service lookup: disabled. – Default Level—Sets the security level back to the default level of Medium. • Details—Shows the Parameters to configure additional settings. – Pinhole Timeout—Sets the pinhole timeout.
• Add—Configures a new DNS inspect map. To edit a DNS inspect map, select the DNS entry in the DNS Inspect Maps table and click Customize. • Delete—Deletes the inspect map selected in the DNS Inspect Maps table. • Security Level—Select the security level (high, medium, or low). – Low—Default.
Firewall Mode: Routed (supported), Transparent (supported). Security Context: Single (supported), Multiple/Context (supported), Multiple/System (not supported). Add/Edit DNS Policy Map (Security Level) The Add/Edit DNS Policy Map pane lets you configure the security level and additional settings for DNS application inspection maps. Fields • Name—When adding a DNS map, enter the name of the DNS map.
Message length check: enabled. Message length maximum: 512. Mismatch rate logging: enabled. TSIG resource record: enforced. – Default Level—Sets the security level back to the default level of Low. • Details—Shows the Protocol Conformance, Filtering, Mismatch Rate, and Inspection tabs to configure additional settings.
Drop packets that exceed specified maximum length (global)—Drops packets that exceed the maximum length in bytes. Maximum Packet Length—Enter the maximum packet length in bytes. – Server Settings—Applies settings on the server only. Drop packets that exceed specified maximum length—Drops packets that exceed the maximum length in bytes. Maximum Packet Length—Enter the maximum packet length in bytes.
Add/Edit DNS Inspect The Add/Edit DNS Inspect dialog box lets you define the match criterion and value for the DNS inspect map. Fields • Single Match—Specifies that the DNS inspect has only one match statement. • Match Type—Specifies whether traffic should match or not match the values. For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.
– DNS Class Field Value—Specifies to match either a DNS class field value or a DNS class field range. Value—Lets you enter an arbitrary value between 0 and 65535 to match. Range—Lets you enter a range match; both values are between 0 and 65535. • Question Criterion Values—Specifies to match on the DNS question section. • Resource Record Criterion Values—Specifies to match on the DNS resource record section.
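The length check and the match/no-match criteria above can be exercised against real DNS wire format. The following Python is an added example written for this edit, not code from the ASDM guide or from the security appliance: it builds a few queries (constructed, not captured), parses the header and question section, drops messages longer than the Low level's 512-byte maximum, and then evaluates a small policy in which a No Match on a domain-name regular expression logs every lookup outside example.com, a second regular expression drops a zone, a class Range drops anything that is not class IN, and a type Value drops QTYPE ANY. The `DnsCriterion` class, the policy contents, and the rule that a Drop criterion ends inspection while a Log criterion lets the query continue are this example's own assumptions.

```python
"""Model of ASA DNS inspect-map checks: length limit, match/no-match criteria (added example)."""
from __future__ import annotations

import re
import struct
from dataclasses import dataclass

MAX_UDP_LENGTH = 512  # the Low level's "Message length maximum"


@dataclass
class DnsCriterion:
    kind: str             # domain-name | class | type | header-flag
    value: object         # regex (domain-name), int or (lo, hi) range, or flag bit mask
    negate: bool = False  # ASDM "No Match"
    action: str = "drop"  # drop | log
    log: bool = True


def encode_name(name: str) -> bytes:
    """Wire-format labels for a dotted name."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, qclass: int = 1, txid: int = 0x1234) -> bytes:
    """A standard recursive query with one question (used to construct test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Read a name at `off`, following compression pointers; return (name, next offset)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                     # pointer: 2 bytes, then continue elsewhere
            if not jumped:
                end = off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_message(msg: bytes) -> dict:
    """Header plus the question section; answers are not needed for these checks."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an, "questions": questions}


def _in_range(v: int, spec) -> bool:
    lo, hi = spec if isinstance(spec, tuple) else (spec, spec)   # Value or Range
    return lo <= v <= hi


def _hits(parsed: dict, c: DnsCriterion) -> bool:
    """True when the message satisfies the criterion's check (before negation)."""
    qs = parsed["questions"]
    if c.kind == "domain-name":
        return any(re.search(c.value, name) for name, _, _ in qs)
    if c.kind == "class":
        return any(_in_range(qclass, c.value) for _, _, qclass in qs)
    if c.kind == "type":
        return any(_in_range(qtype, c.value) for _, qtype, _ in qs)
    if c.kind == "header-flag":
        return (parsed["flags"] & c.value) == c.value
    raise ValueError(f"unknown criterion {c.kind}")


def inspect_dns(msg: bytes, policy: list[DnsCriterion], max_len: int = MAX_UDP_LENGTH):
    """Return (verdict, log entries); verdict is "drop" or "allow"."""
    log: list[str] = []
    if max_len and len(msg) > max_len:            # Drop packets that exceed maximum length
        log.append(f"message length {len(msg)} > {max_len}: drop")
        return "drop", log
    parsed = parse_message(msg)
    for c in policy:
        if _hits(parsed, c) == c.negate:           # no hit (or a negated hit)
            continue
        if c.log:
            log.append(f"{c.kind}{' (no match)' if c.negate else ''}: {c.action}")
        if c.action == "drop":
            return "drop", log
    return "allow", log


# Example policy (assumptions): log lookups outside example.com, drop a bad zone,
# drop anything that is not class IN (1), drop QTYPE ANY (255).
POLICY = [
    DnsCriterion("domain-name", r"\.example\.com$", negate=True, action="log"),
    DnsCriterion("domain-name", r"(^|\.)evil\.test$"),
    DnsCriterion("class", (2, 65535)),
    DnsCriterion("type", 255),
]

if __name__ == "__main__":
    for q in (build_query("www.example.com"), build_query("c2.evil.test"),
              build_query("version.bind", qtype=16, qclass=3),
              build_query("www.example.com") + b"\x00" * 600):
        print(inspect_dns(q, POLICY))
```

The oversized query is rejected before it is parsed, which is the point of the global length check: a malformed or padded message never reaches the criteria. The `version.bind` CHAOS query shows the class Range at work; the padded query is accepted again when `max_len` is set to 0, which corresponds to turning the length check off.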
An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.
Log if body line length is greater than 1000. Log if sender address length is greater than 320. Log if MIME file name length is greater than 255. – Medium—Obfuscate server banner. Drop connections if command line length is greater than 512. Drop connections if command recipient count is greater than 100. Drop connections if body line length is greater than 1000. Drop connections if sender address length is greater than
• Add—Opens the Add MIME File Type Filter dialog box to add a MIME file type filter. • Edit—Opens the Edit MIME File Type Filter dialog box to edit a MIME file type filter. • Delete—Deletes a MIME file type filter. • Move Up—Moves an entry up in the list. • Move Down—Moves an entry down in the list.
Drop connections if command recipient count is greater than 100. Drop connections if body line length is greater than 1000. Drop connections and log if sender address length is greater than 320. Drop connections and log if MIME file name length is greater than 255. – MIME File Type Filtering—Opens the MIME Type Filtering dialog box to configure MIME file type filters.
– Edit—Opens the Edit ESMTP Inspect dialog box to edit an ESMTP inspection. – Delete—Deletes an ESMTP inspection. – Move Up—Moves an inspection up in the list. – Move Down—Moves an inspection down in the list.
– Log—Enable or disable. • Body Line Length Criterion Values—Specifies the value details for body line length match. – Greater Than Length—Body line length in bytes. – Action—Reset, Drop Connection, Log. – Log—Enable or disable. • Commands Criterion Values—Specifies the value details for command match.
– Available Parameters Table: 8bitmime, auth, binarymime, checkpoint, dsn, ecode, etrn, others, pipelining, size, vrfy. – Add—Adds the selected parameter from the Available Parameters table to the Selected Parameters table. – Remove—Removes the selected parameter from the Selected Parameters table. – Action—Reset, Drop Connection, Mask, Log. – Log—Enable or disable.
– Log—Enable or disable. • MIME Filename Length Criterion Values—Specifies the value details for MIME filename length match. – Greater Than Length—MIME filename length in bytes. – Action—Reset, Drop Connection, Log. – Log—Enable or disable. • MIME Encoding Criterion Values—Specifies the value details for MIME encoding match.
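The Low and Medium levels differ mainly in the action taken when one of the ESMTP limits (command line length 512, recipient count 100, body line length 1000, sender address length 320, MIME filename length 255) is exceeded. The following Python is an added example, not code from the ASDM guide or from the security appliance: it walks the client side of a constructed SMTP session, applies those limits with either a log-only or a drop-connection action, resets the connection on a refused command, and obfuscates the server banner. The `EsmtpPolicy` class, the choice of VRFY and ETRN as the commands that trigger a Reset, and the asterisk form of the obfuscated banner are assumptions made for the example.

```python
"""Model of ASA ESMTP inspect-map limits and actions over an SMTP session (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class EsmtpPolicy:
    command_line_length: int = 512
    recipient_count: int = 100
    body_line_length: int = 1000
    sender_address_length: int = 320
    mime_filename_length: int = 255
    reset_commands: frozenset = frozenset({"VRFY", "ETRN"})  # assumption: commands answered with Reset
    action: str = "drop-connection"   # "log" behaves like Low, "drop-connection" like Medium/High
    mask_banner: bool = True


LOW = EsmtpPolicy(action="log", mask_banner=False)
MEDIUM = EsmtpPolicy()

_FILENAME = re.compile(r'filename\s*=\s*"?([^";\r\n]+)', re.IGNORECASE)


def server_banner(banner: str, policy: EsmtpPolicy) -> str:
    """What the client sees: reply code kept, identity text replaced by asterisks (assumed form)."""
    if not policy.mask_banner:
        return banner
    code, sep, rest = banner.partition(" ")
    return code + sep + "*" * len(rest)


def inspect_esmtp(client_lines: list[str], policy: EsmtpPolicy) -> tuple[str, list[str]]:
    """Walk the client side of a session; return (verdict, log entries)."""
    events: list[str] = []
    rcpts, in_data = 0, False

    def violation(check: str) -> None:
        events.append(f"{check}: {policy.action}")

    for line in client_lines:
        if in_data:                                   # message content until the lone "."
            if line == ".":
                in_data = False
                continue
            if len(line) > policy.body_line_length:
                violation("body line length")
            m = _FILENAME.search(line)
            if m and len(m.group(1)) > policy.mime_filename_length:
                violation("MIME filename length")
            continue
        if len(line) > policy.command_line_length:
            violation("command line length")
        verb = line.split(":", 1)[0].split(" ", 1)[0].upper()
        if verb in policy.reset_commands:             # Commands criterion, action Reset
            events.append(f"command {verb}: reset")
            return "reset", events
        if verb == "MAIL":                            # new transaction
            rcpts = 0
            sender = line.split(":", 1)[1].strip() if ":" in line else ""
            if len(sender) > policy.sender_address_length:
                violation("sender address length")
        elif verb == "RCPT":
            rcpts += 1
            if rcpts == policy.recipient_count + 1:   # report once per transaction
                violation("recipient count")
        elif verb == "DATA":
            in_data = True
    verdict = "drop-connection" if events and policy.action == "drop-connection" else "allow"
    return verdict, events


# Constructed sessions (client side only; server replies omitted).
CLEAN = [
    "EHLO mail.example.net",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.com>",
    "DATA",
    "Subject: report",
    'Content-Disposition: attachment; filename="report.pdf"',
    "",
    "hello",
    ".",
    "QUIT",
]
FLOOD = CLEAN[:2] + [f"RCPT TO:<u{i}@example.com>" for i in range(101)] + CLEAN[3:]
LONG_NAME = CLEAN[:5] + ['Content-Disposition: attachment; filename="' + "A" * 300 + '.exe"'] + CLEAN[6:]
PROBE = ["EHLO scanner.example.net", "VRFY root"]

if __name__ == "__main__":
    print(server_banner("220 mail.example.com ESMTP Postfix", MEDIUM))
    for session in (CLEAN, FLOOD, LONG_NAME, PROBE):
        print(inspect_esmtp(session, MEDIUM), inspect_esmtp(session, LOW))
```

Running the same sessions under `LOW` and `MEDIUM` shows the only difference the security level makes: the 101-recipient session is logged and allowed at Low, logged and dropped at Medium. A refused command resets the connection regardless of level, because that action is attached to the Commands criterion rather than to the level.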
Firewall Mode: Routed (supported), Transparent (supported). Security Context: Single (supported), Multiple/Context (supported), Multiple/System (not supported). FTP Inspect Map The FTP pane lets you view previously configured FTP application inspection maps. An FTP map lets you change the default configuration values used for FTP application inspection. FTP command filtering and security checks are provided using strict FTP inspection for improved security and control.
File Type Filtering The File Type Filtering dialog box lets you configure the settings for a file type filter. Fields • Match Type—Shows the match type, which can be a positive or negative match. • Criterion—Shows the criterion of the inspection. • Value—Shows the value to match in the inspection. • Action—Shows the action if the match condition is met. • Log—Shows the log state.
– Default Level—Sets the security level back to the default level of Medium. • Details—Shows the Parameters and Inspections tabs to configure additional settings.
Firewall Mode: Routed (supported), Transparent (supported). Security Context: Single (supported), Multiple/Context (supported), Multiple/System (not supported). Add/Edit FTP Map The Add/Edit FTP Inspect dialog box lets you define the match criterion and value for the FTP inspect map. Fields • Single Match—Specifies that the FTP inspect has only one match statement. • Match Type—Specifies whether traffic should match or not match the values.
– Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. – Regular Expression Class—Lists the defined regular expression classes to match. – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps. • File Type Criterion Values—Specifies the value details for FTP file type match.
GTP Inspect Map The GTP pane lets you view previously configured GTP application inspection maps. A GTP map lets you change the default configuration values used for GTP application inspection. GTP (GPRS Tunneling Protocol) carries signaling and subscriber data between the nodes of a GPRS/UMTS mobile packet core (the SGSN and GGSN) and so gives mobile subscribers access to TCP/IP networks such as the Internet. The protocol itself carries no authentication or encryption; the GTP map is where you restrict which GTP messages and IMSI prefixes the security appliance accepts and how long idle tunnels and outstanding requests are kept.
Fields • Mobile Country Code—Defines the non-zero, three-digit value identifying the mobile country code. One- or two-digit entries are prepended with 0 to create a three-digit value. • Mobile Network Code—Defines the two- or three-digit value identifying the network code. • Add—Adds the specified country code and network code to the IMSI Prefix table.
Firewall Mode: Routed (supported), Transparent (supported). Security Context: Single (supported), Multiple/Context (supported), Multiple/System (not supported). Add/Edit GTP Policy Map (Details) The Add/Edit GTP Policy Map pane lets you configure the security level and additional settings for GTP application inspection maps. Fields • Name—When adding a GTP map, enter the name of the GTP map. When editing a GTP map, the name of the previously configured GTP map is shown.
Request Queue—Lets you change the default for the maximum period of inactivity before receiving the GTP message during a GTP session. The default is 1 minute. The timeout is in the format hh:mm:ss, where hh specifies the hours, mm the minutes, and ss the seconds. A value of 0 means the session is never torn down.
Add/Edit GTP Map The Add/Edit GTP Inspect dialog box lets you define the match criterion and value for the GTP inspect map. Fields • Match Type—Specifies whether traffic should match or not match the values. For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map. • Criterion—Specifies which criterion of GTP traffic to match.
– Value—Specifies whether the value is an exact match or a range. Equals—Enter a value. Range—Enter a range of values. – Action—Drop packet. – Log—Enable or disable. Modes The following table shows the modes in which this feature is available: Firewall Mode: Routed (supported), Transparent (supported). Security Context: Single (supported), Multiple/Context (supported), Multiple/System (not supported). H.323 Inspect Map The H.323 pane lets you view previously configured H.
Limit payload to audio or video, based on the signaling exchange: no. – High—State checking H.225: enabled; state checking RAS: enabled; call party number: enabled; call duration limit: 1:00:00; RTP conformance: enforced; limit payload to audio or video, based on the signaling exchange: yes. – Phone Number Filtering—Opens the Phone Number Filtering dialog box to configure phone number filters.
Firewall Mode: Routed (supported), Transparent (supported). Security Context: Single (supported), Multiple/Context (supported), Multiple/System (not supported). Add/Edit H.323 Policy Map (Security Level) The Add/Edit H.323 Policy Map pane lets you configure the security level and additional settings for H.323 application inspection maps. Fields • Name—When adding an H.323 map, enter the name of the H.323 map. When editing an H.
• Details—Shows the State Checking, Call Attributes, Tunneling and Protocol Conformance, HSI Group Parameters, and Inspections tabs to configure additional settings. Modes The following table shows the modes in which this feature is available: Firewall Mode: Routed (supported), Transparent (supported). Security Context: Single (supported), Multiple/Context (supported), Multiple/System (not supported). Add/Edit H.323 Policy Map (Details) The Add/Edit H.
– Add—Opens the Add HSI Group dialog box to add an HSI group. – Edit—Opens the Edit HSI Group dialog box to edit an HSI group. – Delete—Deletes an HSI group. • Inspections—Tab that shows you the H.323 inspection configuration and lets you add or edit. – Match Type—Shows the match type, which can be a positive or negative match. – Criterion—Shows the criterion of the H.323 inspection.
Firewall Mode: Routed (supported), Transparent (supported). Security Context: Single (supported), Multiple/Context (supported), Multiple/System (not supported). Add/Edit H.323 Map The Add/Edit H.323 Inspect dialog box lets you define the match criterion and value for the H.323 inspect map. Fields • Single Match—Specifies that the H.323 inspect has only one match statement. • Match Type—Specifies whether traffic should match or not match the values.
– Manage—Opens the Manage H.323 Class Maps dialog box to add, edit, or delete H.323 class maps. • Action—Drop packet, drop connection, or reset.
– High—Protocol violation action: drop connection and log. Drop connections for unsafe methods: allow only GET and HEAD. Drop connections for requests with non-ASCII headers: enabled. URI filtering: not configured. Advanced inspections: not configured. – URI Filtering—Opens the URI Filtering dialog box to configure URI filters. – Customize—Opens the Edit HTTP Policy Map dialog box for additional settings.
Firewall Mode: Routed (supported), Transparent (supported). Security Context: Single (supported), Multiple/Context (supported), Multiple/System (not supported). Add/Edit HTTP Policy Map (Security Level) The Add/Edit HTTP Policy Map pane lets you configure the security level and additional settings for HTTP application inspection maps. Fields • Name—When adding an HTTP map, enter the name of the HTTP map.
Modes The following table shows the modes in which this feature is available: Firewall Mode: Routed (supported), Transparent (supported). Security Context: Single (supported), Multiple/Context (supported), Multiple/System (not supported). Add/Edit HTTP Policy Map (Details) The Add/Edit HTTP Policy Map pane lets you configure the security level and additional settings for HTTP application inspection maps.
Firewall Mode: Routed (supported), Transparent (supported). Security Context: Single (supported), Multiple/Context (supported), Multiple/System (not supported). Add/Edit HTTP Map The Add/Edit HTTP Inspect dialog box lets you define the match criterion and value for the HTTP inspect map. Fields • Single Match—Specifies that the HTTP inspect has only one match statement. • Match Type—Specifies whether traffic should match or not match the values.
cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning. Regular Expression—Lists the defined regular expressions to match.
Method—Specifies to match on a request method: bcopy, bdelete, bmove, bpropfind, bproppatch, connect, copy, delete, edit, get, getattribute, getattributenames, getproperties, head, index, lock, mkcol, mkdir, move, notify, options, poll, post, propfind, proppatch, put, revadd, revlabel, revlog, revnum, save, search, setattribute, startrev, stoprev, subscribe, trace, unedit, unlock, unsubscribe.
Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Greater Than Count—Enter the number of header fields; responses with more matching fields than this value match. – Response Header Field Length—Applies the selected regular expression to the response header fields and matches when a matching field is longer than the specified number of bytes.
– HTTP Traffic Class—Specifies the HTTP traffic class match. – Manage—Opens the Manage HTTP Class Maps dialog box to add, edit, or delete HTTP class maps. • Action—Drop connection, reset, or log. • Log—Enable or disable.
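The request-header count, length and regular-expression criteria described under Class Map Field Descriptions above, and the High level of the HTTP inspect map (allow only GET and HEAD, drop requests with non-ASCII headers), can be modeled against raw requests. The following Python is an added example, not code from the ASDM guide or from the security appliance: the requests are constructed, the `Criterion` class and `inspect_http` function are the example's own, and the ordering rule (a Drop Connection or Reset criterion ends inspection, a Log-only criterion lets the request through) is an assumption about how the appliance applies its match statements. The unsafe-method check is expressed as a No Match on the set {GET, HEAD}, which is exactly what the Match Type field describes.

```python
"""Model of ASA HTTP inspect-map match criteria and actions (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Criterion:
    kind: str                        # which part of the request is examined
    value: object = None             # threshold, method set, or regular expression
    negate: bool = False             # ASDM "No Match": fire when the check does NOT match
    action: str = "drop-connection"  # drop-connection | reset | log
    log: bool = True


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, URI and header fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode("latin-1"), value.strip().decode("latin-1")))
    return {
        "method": method,
        "uri": uri,
        "headers": headers,
        "header_length": sum(len(line) + 2 for line in lines[1:]),  # bytes incl. CRLF
        "non_ascii": any(b > 0x7F for b in head),
        "body": body,
    }


def _check(req: dict, c: Criterion) -> bool:
    """True when the request satisfies the criterion's check (before negation)."""
    if c.kind == "request-method":
        return req["method"].upper() in {m.upper() for m in c.value}
    if c.kind == "non-ascii-header":
        return req["non_ascii"]
    if c.kind == "request-header-count":        # Greater Than Count
        return len(req["headers"]) > c.value
    if c.kind == "request-header-length":       # Greater Than Length, whole header
        return req["header_length"] > c.value
    if c.kind == "request-header-regex":        # regex applied to one named field
        field_name, pattern = c.value
        return any(name.lower() == field_name.lower() and re.search(pattern, value)
                   for name, value in req["headers"])
    if c.kind == "request-uri-regex":
        return re.search(c.value, req["uri"]) is not None
    raise ValueError(f"unknown criterion {c.kind}")


def inspect_http(raw: bytes, policy: list[Criterion]) -> tuple[str, list[str]]:
    """Evaluate criteria in order; return the verdict and the log entries produced."""
    req = parse_request(raw)
    log: list[str] = []
    for c in policy:
        if _check(req, c) == c.negate:          # no hit (or a negated hit)
            continue
        if c.log:
            log.append(f"{c.kind}{' (no match)' if c.negate else ''}: {c.action}")
        if c.action in ("drop-connection", "reset"):
            return c.action, log               # connection-ending action stops inspection
    return "allow", log


# Model of the High level plus a few class-map style criteria (thresholds are assumptions).
HIGH_LEVEL = [
    Criterion("request-method", {"GET", "HEAD"}, negate=True),      # unsafe methods
    Criterion("non-ascii-header"),                                   # non-ASCII headers
]
STRICT = HIGH_LEVEL + [
    Criterion("request-header-count", 20),
    Criterion("request-header-length", 8192),
    Criterion("request-header-regex", ("User-Agent", r"(?i)sqlmap|nikto"), action="reset"),
    Criterion("request-uri-regex", r"\.\./", action="log"),          # log only, traffic continues
]

# Constructed sample requests (not captured traffic).
GET_OK = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
POST_REQ = b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n"
NON_ASCII = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Note: caf\xc3\xa9\r\n\r\n"
SCANNER = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: sqlmap/1.4\r\n\r\n"
TRAVERSAL = b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
MANY_HEADERS = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                + b"".join(b"X-Pad-%d: 1\r\n" % i for i in range(25)) + b"\r\n")

if __name__ == "__main__":
    for name, raw in [("GET_OK", GET_OK), ("POST_REQ", POST_REQ), ("NON_ASCII", NON_ASCII),
                      ("SCANNER", SCANNER), ("TRAVERSAL", TRAVERSAL), ("MANY_HEADERS", MANY_HEADERS)]:
        print(name, inspect_http(raw, STRICT))
```

Order matters in the same way it does in the Inspections tab: because the method check comes first, a POST that also carries a scanner User-Agent is dropped, not reset, and nothing after the first connection-ending criterion is evaluated or logged.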
Add/Edit Instant Messaging (IM) Policy Map The Add/Edit Instant Messaging (IM) Policy Map pane lets you configure the security level and additional settings for IM application inspection maps. Fields • Name—When adding an IM map, enter the name of the IM map. When editing an IM map, the name of the previously configured IM map is shown.
– Destination IP Address—Match destination IP address. – Version—Match IM file transfer service version. – Client Login Name—Match client login name from IM service. – Client Peer Login Name—Match client peer login name from IM service. – Filename—Match the filename from the IM file transfer service. • Protocol Criterion Values—Specifies which IM protocols to match.
– Regular Expression—Lists the defined regular expressions to match. – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. – Regular Expression Class—Lists the defined regular expression classes to match. – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
– Low—Default. Maximum ESP flows per client: unlimited; ESP idle timeout: 00:10:00; maximum AH flows per client: unlimited; AH idle timeout: 00:10:00. – High—Maximum ESP flows per client: 10; ESP idle timeout: 00:00:30; maximum AH flows per client: 10; AH idle timeout: 00:00:30. – Customize—Opens the Add/Edit IPSec Pass Thru Policy Map dialog box for additional settings.
AH idle timeout: 00:00:30. – Default Level—Sets the security level back to the default level of Low. • Details—Shows additional parameter settings to configure.
MGCP Inspect Map The MGCP pane lets you view previously configured MGCP application inspection maps. An MGCP map lets you change the default configuration values used for MGCP application inspection. You can use an MGCP map to manage connections between VoIP devices and MGCP call agents. Fields • MGCP Inspect Maps—Table that lists the defined MGCP inspect maps. • Add—Configures a new MGCP inspect map.
Firewall Mode: Routed (supported), Transparent (supported). Security Context: Single (supported), Multiple/Context (supported), Multiple/System (not supported). Add/Edit MGCP Policy Map The Add/Edit MGCP Policy Map pane lets you configure the command queue, gateway, and call agent settings for MGCP application inspection maps. Fields • Name—When adding an MGCP map, enter the name of the MGCP map.
Firewall Mode: Routed (supported), Transparent (supported). Security Context: Single (supported), Multiple/Context (supported), Multiple/System (not supported). Add/Edit MGCP Group The Add/Edit MGCP Group dialog box lets you define the configuration of an MGCP group that will be used when MGCP application inspection is enabled. Fields • Group ID—Specifies the ID of the call agent group.
NetBIOS Inspect Map The NetBIOS pane lets you view previously configured NetBIOS application inspection maps. A NetBIOS map lets you change the default configuration values used for NetBIOS application inspection. NetBIOS application inspection performs NAT for the embedded IP address in NetBIOS name service packets and NetBIOS datagram service packets.
RTSP Inspect Map The RTSP pane lets you view previously configured RTSP application inspection maps. An RTSP map lets you change the default configuration values used for RTSP application inspection. You can use an RTSP map to protect RTSP traffic. Fields • RTSP Inspect Maps—Table that lists the defined RTSP inspect maps. • Add—Configures a new RTSP inspect map.
– Edit—Opens the Edit RTSP Inspect dialog box to edit an RTSP inspection. – Delete—Deletes an RTSP inspection. – Move Up—Moves an inspection up in the list. – Move Down—Moves an inspection down in the list.
Modes The following table shows the modes in which this feature is available: Firewall Mode: Routed (supported), Transparent (supported). Security Context: Single (supported), Multiple/Context (supported), Multiple/System (not supported). SCCP (Skinny) Inspect Map The SCCP (Skinny) pane lets you view previously configured SCCP (Skinny) application inspection maps.
Maximum message ID: 0x141. Minimum prefix length: 4. Maximum prefix length: 65536. Media timeout: 00:01:00. Signaling timeout: 00:05:00. RTP conformance: enforced. Limit payload to audio or video, based on the signaling exchange: yes. – Message ID Filtering—Opens the Message ID Filtering dialog box for configuring message ID filters.
Firewall Mode: Routed (supported), Transparent (supported). Security Context: Single (supported), Multiple/Context (supported), Multiple/System (not supported). Add/Edit SCCP (Skinny) Policy Map (Security Level) The Add/Edit SCCP (Skinny) Policy Map pane lets you configure the security level and additional settings for SCCP (Skinny) application inspection maps. Fields • Name—When adding an SCCP (Skinny) map, enter the name of the SCCP (Skinny) map.
Limit payload to audio or video, based on the signaling exchange: yes. – Message ID Filtering—Opens the Message ID Filtering dialog box for configuring message ID filters. – Default Level—Sets the security level back to the default. • Details—Shows additional parameter, RTP conformance, and message ID filtering settings to configure.
– Criterion—Shows the criterion of the inspection. – Value—Shows the value to match in the inspection. – Action—Shows the action if the match condition is met. – Log—Shows the log state. – Add—Opens the Add Message ID Filtering dialog box to add a message ID filter. – Edit—Opens the Edit Message ID Filtering dialog box to edit a message ID filter. – Delete—Deletes a message ID filter.
Firewall Mode: Routed (supported), Transparent (supported). Security Context: Single (supported), Multiple/Context (supported), Multiple/System (not supported). SIP Inspect Map The SIP pane lets you view previously configured SIP application inspection maps. A SIP map lets you change the default configuration values used for SIP application inspection. SIP is a widely used protocol for Internet conferencing, telephony, presence, event notification, and instant messaging.
– High—SIP instant messaging (IM) extensions: enabled. Non-SIP traffic on SIP port: denied. Hide server’s and endpoint’s IP addresses: disabled. Mask software version and non-SIP URIs: enabled. Ensure that the number of hops to destination is greater than 0: enabled. RTP conformance: enforced.
Non-SIP traffic on SIP port: permitted. Hide server’s and endpoint’s IP addresses: disabled. Mask software version and non-SIP URIs: disabled. Ensure that the number of hops to destination is greater than 0: enabled. RTP conformance: enforced. Limit payload to audio or video, based on the signaling exchange: no. SIP conformance: drop packets that fail state checking.
– Enable SIP instant messaging (IM) extensions—Enables Instant Messaging extensions. Enabled by default. – Permit non-SIP traffic on SIP port—Permits non-SIP traffic on the SIP port. Permitted by default. • IP Address Privacy—Tab that lets you configure the IP address privacy settings for SIP. – Hide server’s and endpoint’s IP addresses—Enables IP address privacy. Disabled by default.
– Move Up—Moves an inspection up in the list. – Move Down—Moves an inspection down in the list. Modes The following table shows the modes in which this feature is available: Firewall Mode: Routed (supported), Transparent (supported). Security Context: Single (supported), Multiple/Context (supported), Multiple/System (not supported). Add/Edit SIP Inspect The Add/Edit SIP Inspect dialog box lets you define the match criterion and value for the SIP inspect map.
– Regular Expression—Lists the defined regular expressions to match. – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. – Regular Expression Class—Lists the defined regular expression classes to match. – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
– Regular Expression Class—Lists the defined regular expression classes to match. – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps. • URI Length Criterion Values—Specifies to match a URI in the SIP headers that is longer than the specified length. – URI type—Specifies to match either a SIP URI or a TEL URI. – Greater Than Length—Length in bytes.
Firewall Mode: Routed (supported), Transparent (supported). Security Context: Single (supported), Multiple/Context (supported), Multiple/System (not supported). Add/Edit SNMP Map The Add/Edit SNMP Map dialog box lets you create a new SNMP map for controlling SNMP application inspection. Fields • SNMP Map Name—Defines the name of the application inspection map. • SNMP version 1—Enables application inspection for SNMP version 1.
Cisco AS​DM User Guide 24-128 OL-16647-01
C H A P T E R 25 Configuring QoS Have you ever participated in a long-distance phone call that involved a satellite connection? The conversation might be interrupted with brief, but perceptible, gaps at odd intervals. Those gaps are the time, called the latency, between the arrival of packets being transmitted over the network. Some network traffic, such as voice and video, cannot tolerate long latency times.
Chapter 25 Configuring QoS QoS Overview
Supported QoS Features
The security appliance supports the following QoS features:
• Policing—To prevent individual flows from hogging the network bandwidth, you can limit the maximum bandwidth used per flow. See the “Policing Overview” section on page 25-3 for more information.
For traffic shaping, a token bucket permits burstiness but bounds it. It guarantees that the burstiness is bounded so that the flow will never send faster than the token bucket capacity, divided by the time interval, plus the established rate at which tokens are placed in the token bucket.
Traffic Shaping Overview
Traffic shaping is used to match device and link speeds, thereby controlling packet loss, variable delay, and link saturation, which can cause jitter and delay.
• Traffic shaping must be applied to all outgoing traffic on a physical interface or, in the case of the ASA 5505, on a VLAN. You cannot configure traffic shaping for specific types of traffic.
Chapter 25 Configuring QoS Creating the Standard Priority Queue for an Interface You cannot configure traffic shaping and standard priority queueing for the same interface; only hierarchical priority queueing is allowed. For example, if you configure standard priority queueing for the global policy, and then configure traffic shaping for a specific interface, the feature you configured last is rejected because the global policy overlaps the interface policy.
Chapter 25 Configuring QoS Creating a Policy for Standard Priority Queueing and/or Policing
This setting guarantees that the hardware-based transmit ring imposes no more than 10 ms of extra latency for a high-priority packet. This option sets the maximum number of low-latency or normal priority packets allowed into the Ethernet transmit driver before the driver pushes back to the queues on the interface to let them buffer packets until the congestion clears.
Chapter 25 Configuring QoS Creating a Policy for Traffic Shaping and Hierarchical Priority Queueing
• Conform Action—The action to take on packets that fit within the configured rate and the conform-burst value, that is, while the token bucket still holds enough tokens for them. Values are transmit or drop.
• Exceed Action—The action to take on packets that exceed the configured rate and the conform-burst value, that is, when the token bucket has run dry. Values are transmit or drop.
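To make the conform and exceed actions concrete, and to show the shaping bound given in the Traffic Shaping Overview (bucket capacity divided by the interval, plus the token rate), here is a small Python model of the single-rate token bucket that policing and shaping both rely on. It is an added illustration for this guide, not code from the ASDM guide or from the appliance software; the class and function names and the sample packet trace are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Single-rate token bucket (illustrative model; names are the example's own, not ASA code)."""
    rate_bps: int                 # conform-rate: tokens (bytes) are added at this many bits per second
    burst_bytes: int              # conform-burst: bucket depth, the largest burst that still conforms
    tokens: float = field(init=False, default=0.0)
    last: float = 0.0             # time of the last refill, in seconds

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)   # the bucket starts full

    def offer(self, size_bytes: int, now: float) -> bool:
        """Refill for the elapsed time, then return True if a size_bytes packet conforms."""
        refill = (now - self.last) * self.rate_bps / 8   # bits per second -> bytes
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        self.last = now
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return True
        return False


def police(packets, rate_bps, burst_bytes, conform_action="transmit", exceed_action="drop"):
    """Run (timestamp, size_bytes) pairs through one bucket; return the action applied to each."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    return [conform_action if bucket.offer(size, ts) else exceed_action for ts, size in packets]


def max_bytes_in_interval(rate_bps, burst_bytes, interval_s):
    """Shaping bound: a flow can never emit more than the bucket depth plus the tokens added during the interval."""
    return burst_bytes + rate_bps / 8 * interval_s


# Constructed sample trace: 8 kbit/s (1000 bytes/s) with a 1500-byte conform-burst.
# Four 500-byte packets arrive at once, then three more one second later.
SAMPLE_PACKETS = [(0.0, 500), (0.0, 500), (0.0, 500), (0.0, 500),
                  (1.0, 500), (1.0, 500), (1.0, 500)]

if __name__ == "__main__":
    for (ts, size), action in zip(SAMPLE_PACKETS, police(SAMPLE_PACKETS, 8000, 1500)):
        print(f"t={ts:.1f}s {size}B -> {action}")
    print("bytes allowed in 2 s:", max_bytes_in_interval(8000, 1500, 2))
```

Three of the four simultaneous packets conform because the bucket started with 1500 tokens; the fourth exceeds. One second later only 1000 bytes of tokens have been added, so two packets conform and the third exceeds. With conform-action transmit and exceed-action drop this is policing; a shaper would instead queue the exceeding packets until tokens are available, which is why shaping trades loss for delay.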
Step 4 (Optional) To configure priority queueing for a subset of shaped traffic:
a. Click Enforce priority to selected shape traffic.
b. Click Configure to identify the traffic that you want to prioritize. You are prompted to identify the traffic for which you want to apply priority queueing.
c.
Chapter 26 Configuring Filter Rules
This chapter includes the following sections:
• URL Filtering, page 26-1
• Filter Rules, page 26-5
URL Filtering
You can apply filtering to connection requests originating from a more secure network to a less secure network. Although you can use ACLs to prevent outbound access to specific content servers, managing usage this way is difficult because of the size and dynamic nature of the Internet.
Chapter 26 Configuring Filter Rules URL Filtering
Configuring URL Filtering
To enable filtering with an external filtering server, perform the following steps.
Step 1 Go to Configuration > Firewall > URL Filter Servers to specify an external filtering server. See URL Filtering Servers, page 26-2.
Step 2 (Optional) Buffer responses from the content server. See Advanced URL Filtering, page 26-4.
Step 3 (Optional) Cache content server addresses to improve performance.
– Add/Edit Parameters for Websense URL Filtering, page 26-3
– Add/Edit Parameters for Secure Computing SmartFilter URL Filtering, page 26-4
• Insert Before—Adds a new filtering server in a higher priority position than the currently selected server.
• Insert After—Adds a new filtering server in a lower priority position than the currently selected server.
• Edit—Lets you modify parameters for the selected filtering server.
Modes: available in routed and transparent firewall mode, in single context mode, and within a context in multiple context mode (not in the system execution space).
Add/Edit Parameters for Secure Computing SmartFilter URL Filtering
• Interface—Specifies the interface on which the URL filtering server is connected.
• IP Address—Specifies the IP address of the URL filtering server.
• Timeout—Specifies the number of seconds after which the request to the filtering server times out.
Chapter 26 Configuring Filter Rules Filter Rules
– Source/Destination Address—Caches entries based on both the source address initiating the URL request and the URL destination address. Choose this mode if users do not share the same URL filtering policy on the server.
– Cache size—Specifies the size of the cache.
Benefits
The Filter Rules pane provides information about the filter rules that are currently configured on the security appliance. It also provides buttons that you can use to add or modify the filter rules and to increase or decrease the amount of detail shown in the pane. Filtering allows greater control over any traffic that your security policy allows to pass through the security appliance.
– Add—Lets you add a filter rule.
– Edit—Lets you edit a filter rule.
– Delete—Lets you delete a filter rule.
– Find—Lets you find a filter rule.
• Use the Services tab to choose a predefined filter rule.
– Type—Lets you choose a source from the drop-down list, selecting from All, IP Address Objects, IP Names, or Network Object groups.
– Name—Lists the name(s) of the filter rule.
– Edit—Lets you edit a filter rule.
– Delete—Lets you delete a filter rule.
– Filter HTTP (URL)
– Do not filter HTTP (URL)
– Filter HTTPS
– Do not filter HTTPS
– Filter FTP
– Do not filter FTP
• Source—Enter the source of the traffic to which the filtering action applies. You can enter the source in one of the following ways:
– any—Enter “any” (without quotation marks) to indicate any source address.
– name—Enter a hostname.
– address/mask—Enter an IP address and optional network mask.
– Block users from connecting to an HTTP proxy server—Prevents HTTP requests made through a proxy server.
– Truncate CGI parameters from URL sent to URL server—The security appliance forwards only the CGI script location and the script name, without any parameters, to the filtering server.
• HTTPS Options—This area appears only when you choose the Filter HTTPS option from the drop-down list.
Step 3 For Source, Destination, Source or Destination, and Service filters, perform the following steps:
a. Choose the match criteria from the drop-down list. Choose “is” (without the quotes) for exact string matches or choose “contains” for partial string matches.
b. Enter the string to match using one of the following methods:
– Type the source, destination, or service name into the condition field.
– Click ...
Modes: available in routed and transparent firewall mode, in single context mode, and within a context in multiple context mode (not in the system execution space).
For More Information
Filtering the Rule Table, page 26-9
Browse Source/Destination/Service
The Browse Source/Destination/Service dialog box lets you choose from existing IP address, name, or service objects.
Fields
• Add—Click to add a new IP address, name, or service object.
• Edit—Click to edit an existing IP address, name, or service object.
For More Information
Filter Rules, page 26-5
URL Filtering, page 26-1
Chapter 27 Configuring Advanced Firewall Protection
This chapter describes how to prevent network attacks by configuring protection features, and includes the following sections:
• Configuring Threat Detection, page 27-1
• Configuring Connection Settings, page 27-6
• Configuring IP Audit, page 27-10
• Configuring the Fragment Size, page 27-17
• Configuring Anti-Spoofing, page 27-20
• Configuring TCP Options, page 27-20
• Configuring Global Timeouts, page 27-23
Note For Sun RPC server
Chapter 27 Configuring Advanced Firewall Protection Configuring Threat Detection
• Basic Threat Detection Overview, page 27-2
• Configuring Basic Threat Detection, page 27-2
Basic Threat Detection Overview
Using basic threat detection, the security appliance monitors the rate of dropped packets and security events due to the following reasons:
• Denial by access lists
• Bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length)
• Connection limits exceeded (both system-wide resource
Table 27-1 Basic Threat Detection Default Settings
Packet Drop Reason: DoS attack detected; Bad packet format; Connection limits exceeded; Suspicious ICMP packets detected
  Average Rate: 100 drops/sec over the last 600-second period, and 80 drops/sec over the last 3600-second period.
  Burst Rate: 400 drops/sec over the last 10 seconds, and 320 drops/sec over the last 60 seconds.
Packet Drop Reason: Scanning attack detected
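The table pairs every drop reason with two thresholds because each catches a different pattern: the average rate over a long window detects a sustained elevation, while the burst rate over a short window detects a spike that would be diluted away in the long average. The following Python model, added here as an illustration and not part of the ASDM guide or of the appliance software, counts drops per second and evaluates both thresholds with the defaults from the first row of Table 27-1. The class and function names and the drop counts are constructed for the example.

```python
from collections import defaultdict


class DropRateMonitor:
    """Two-threshold rate monitor for one packet drop reason (illustrative model, not ASA code)."""

    def __init__(self, avg_interval=600, avg_rate=100, burst_interval=10, burst_rate=400):
        # Defaults follow the first row of Table 27-1: 100 drops/sec over 600 s, 400 drops/sec over 10 s.
        self.avg_interval = avg_interval
        self.avg_rate = avg_rate
        self.burst_interval = burst_interval
        self.burst_rate = burst_rate
        self.drops = defaultdict(int)   # second -> drops counted in that second

    def record(self, second, count=1):
        self.drops[second] += count

    def rate(self, now, window):
        """Drops per second over the window (now - window, now]."""
        total = sum(c for s, c in self.drops.items() if now - window < s <= now)
        return total / window

    def check(self, now):
        """Return which thresholds are exceeded at time now: 'average', 'burst', both, or neither."""
        fired = []
        if self.rate(now, self.avg_interval) > self.avg_rate:
            fired.append("average")
        if self.rate(now, self.burst_interval) > self.burst_rate:
            fired.append("burst")
        return fired


def short_spike():
    """Constructed scenario: 50 drops/s background, then 500 drops/s during the last 10 seconds."""
    m = DropRateMonitor()
    for s in range(1, 601):
        m.record(s, 50)
    for s in range(591, 601):
        m.record(s, 450)          # lifts seconds 591..600 to 500 drops/s
    return m.check(600)           # average over 600 s is 57.5/s; burst over 10 s is 500/s


def sustained_drops():
    """Constructed scenario: a steady 120 drops/s for ten minutes."""
    m = DropRateMonitor()
    for s in range(1, 601):
        m.record(s, 120)
    return m.check(600)           # average 120/s exceeds the long threshold; burst 120/s does not


if __name__ == "__main__":
    print("short spike:", short_spike())
    print("sustained:", sustained_drops())
```

The spike scenario fires only the burst threshold and the sustained scenario fires only the average threshold. When tuning the rates in ASDM, lowering the burst rate is what makes the appliance report short-lived events sooner; lowering the average rate makes it report a slowly growing background of drops, at the cost of more noise from busy but legitimate interfaces.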
Caution The scanning threat detection feature can affect the security appliance performance and memory significantly while it creates and gathers host- and subnet-based data structures and information.
To configure scanning threat detection, perform the following steps:
Step 1 To enable scanning threat detection, on the Configuration > Firewall > Threat Detection pane, check the Enable Scanning Threat Detection check box.
Caution Enabling statistics can affect the security appliance performance, depending on the type of statistics enabled. Enabling statistics for hosts affects performance significantly; if you have a high traffic load, consider enabling this type of statistics only temporarily. Enabling statistics for ports, however, has a modest impact.
Chapter 27 Configuring Advanced Firewall Protection Configuring Connection Settings Configuring Connection Settings This section describes how to set maximum TCP and UDP connections, maximum embryonic connections, maximum per-client connections, connection timeouts, dead connection detection, and how to disable TCP sequence randomization. This section also describes how to configure TCP normalization.
VPN requires the ability to process the 3-way handshake packets to provide selective ACK and other TCP options for Clientless SSL VPN connections. To disable TCP Intercept for management traffic, you can set the embryonic connection limit; only after the embryonic connection limit is reached is TCP Intercept enabled.
Step 1 Configure a service policy on the Configuration > Firewall > Service Policy Rules pane according to Chapter 22, “Configuring Service Policy Rules.” You can configure connection limits as part of a new service policy rule, or you can edit an existing service policy.
Step 2 On the Rule Actions dialog box, click the Connection Settings tab.
Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.
Step 6 To configure TCP normalization, check Use TCP Map. Choose an existing TCP map from the drop-down list (if available), or add a new one by clicking New. The Add TCP Map dialog box appears.
a. In the TCP Map Name field, enter a name.
b.
Chapter 27 Configuring Advanced Firewall Protection Configuring IP Audit
• Drop SYN Packets with data—Drops SYN packets with data.
• Drop SYNACK Packets with data—Drops TCP SYNACK packets that contain data.
• Drop packets with invalid ACK—Drops packets with an invalid ACK.
IP Audit Policy
The IP Audit Policy pane lets you add audit policies and assign them to interfaces. You can assign an attack policy and an informational policy to each interface. The attack policy determines the action to take with packets that match an attack signature; the packet might be part of an attack on your network, such as a DoS attack.
– Attack—Sets the policy type as attack.
– Information—Sets the policy type as informational.
• Action—Sets one or more actions to take when a packet matches a signature. If you do not choose an action, then the default policy is used.
– Alarm—Generates a system message showing that a packet matched a signature. For a complete list of signatures, see IP Audit Signature List.
– Drop—Drops the packet.
IP Audit Signature List
Table 27-3 lists supported signatures and system message numbers.
Table 27-3 Signature IDs and System Message Numbers
Signature ID 1000, message number 400000, IP options-Bad Option List (Informational): Triggers on receipt of an IP datagram where the list of IP options in the IP datagram header is incomplete or malformed.
Table 27-3 Signature IDs and System Message Numbers (continued)
Signature ID 1103, message number 400009, IP Overlapping Fragments (Teardrop) (Attack): Triggers when two fragments contained within the same IP datagram have offsets that indicate that they share positioning within the datagram.
Table 27-3 Signature IDs and System Message Numbers (continued)
Signature ID 2008, message number 400018, ICMP Timestamp Reply (Informational): Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 14 (Timestamp Reply).
Table 27-3 Signature IDs and System Message Numbers (continued)
Signature ID 3042, message number 400028, TCP FIN only flags (Attack): Triggers when a single orphaned TCP FIN packet is sent to a privileged port (port number less than 1024) on a specific host.
Chapter 27 Configuring Advanced Firewall Protection Configuring the Fragment Size
Table 27-3 Signature IDs and System Message Numbers (continued)
Signature ID 6152, message number 400044, yppasswdd (YP password daemon) Portmap Request (Informational): Triggers when a request is made to the portmapper for the YP password daemon (yppasswdd) port.
– Timeout—Specifies the maximum number of seconds to wait for an entire fragmented packet to arrive. The timer starts after the first fragment of a packet arrives. If all fragments of the packet do not arrive by the number of seconds specified, all fragments of the packet that were already received are discarded. The default is 5 seconds.
• Edit—Opens the Edit Fragment dialog box.
• Fail—Display only. Displays the number of failed reassembly attempts.
• Overflow—Display only. Displays the number of IP packets in the overflow queue.
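The two fragment-handling behaviours described in this chapter, the Teardrop overlap check (signature 1103 in Table 27-3) and the reassembly Timeout, fit naturally into one small reassembler. The following Python model is an added illustration and not code from the ASDM guide or from the appliance: it tracks fragments per datagram, drops a datagram whose fragments overlap, and discards partially received datagrams once the first fragment is older than the timeout. The class name, the return values and the fragment trace are constructed for the example.

```python
class FragmentReassembler:
    """Per-datagram fragment tracking with a reassembly timeout and an overlap check (illustrative model)."""

    def __init__(self, timeout=5):
        self.timeout = timeout          # seconds; 5 is the default named in the Timeout field
        self.pending = {}               # datagram id -> {"first_seen": t, "frags": [(offset, length, more)]}
        self.stats = {"reassembled": 0, "timed_out": 0, "overlap_dropped": 0}

    def expire(self, now):
        """Discard every partially received datagram whose first fragment is older than the timeout."""
        stale = [pid for pid, e in self.pending.items() if now - e["first_seen"] >= self.timeout]
        for pid in stale:
            del self.pending[pid]
            self.stats["timed_out"] += 1

    def add(self, pkt_id, offset, length, more_fragments, now):
        """Accept one fragment; return 'pending', 'reassembled' or 'overlap'."""
        self.expire(now)
        entry = self.pending.setdefault(pkt_id, {"first_seen": now, "frags": []})
        for off, ln, _ in entry["frags"]:
            if offset < off + ln and off < offset + length:
                # Two fragments of one datagram claim the same bytes: the Teardrop pattern (signature 1103).
                del self.pending[pkt_id]
                self.stats["overlap_dropped"] += 1
                return "overlap"
        entry["frags"].append((offset, length, more_fragments))
        if self._complete(entry["frags"]):
            del self.pending[pkt_id]
            self.stats["reassembled"] += 1
            return "reassembled"
        return "pending"

    @staticmethod
    def _complete(frags):
        """True when the fragments tile the datagram with no gaps and the last one has MF clear."""
        frags = sorted(frags)
        if frags[-1][2]:                # last fragment still has "more fragments" set
            return False
        expected = 0
        for off, ln, _ in frags:
            if off != expected:
                return False
            expected = off + ln
        return True


def demo():
    """Constructed fragment trace: (datagram id, offset, length, MF flag, arrival time in seconds)."""
    r = FragmentReassembler(timeout=5)
    trace = [
        (1, 0, 1000, True, 0.0),     # first half of datagram 1
        (1, 1000, 500, False, 0.5),  # second half: datagram 1 completes
        (2, 0, 1000, True, 1.0),     # first fragment of datagram 2
        (2, 800, 400, False, 1.2),   # overlaps bytes 800..999 of the first fragment: dropped
        (3, 0, 1000, True, 2.0),     # datagram 3 never completes
        (4, 0, 100, True, 7.5),      # arrival at 7.5 s expires datagram 3 (5.5 s old)
    ]
    results = [r.add(*frag) for frag in trace]
    return results, dict(r.stats)


if __name__ == "__main__":
    print(demo())
```

The overlap test is the plain interval intersection; a real reassembler also has to cope with fragments that arrive out of order, which the offset bookkeeping in _complete handles because it sorts before checking for gaps. The timeout is what keeps an attacker from exhausting the fragment database by sending only first fragments, which is also why the Fragment pane exposes a Size limit alongside the Timeout.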
Chapter 27 Configuring Advanced Firewall Protection Configuring Anti-Spoofing Configuring Anti-Spoofing The Anti-Spoofing window lets you enable Unicast Reverse Path Forwarding on an interface. Unicast RPF guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table.
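The check that Unicast RPF performs is easier to see as code than as prose. The following Python model is an added illustration and not code from the ASDM guide or from the appliance: it does a longest-prefix lookup of the packet's source address in a routing table and passes the packet only if the route back to that source leaves through the interface the packet arrived on. The routing table, the interface names and the packet list are constructed sample data.

```python
import ipaddress

# Constructed sample routing table: destination prefix -> egress interface (not a real device).
ROUTES = {
    "10.1.0.0/16":    "inside",
    "192.168.2.0/24": "dmz",
    "0.0.0.0/0":      "outside",   # default route
}


def egress_interface(routes, address):
    """Longest-prefix-match lookup: the interface the appliance would use to reach address."""
    addr = ipaddress.ip_address(address)
    best_net, best_iface = None, None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def urpf_passes(routes, ingress_iface, src_ip):
    """Unicast RPF: the route back to the source must point at the interface the packet arrived on."""
    return egress_interface(routes, src_ip) == ingress_iface


def spoofed_packets(routes, packets):
    """Return the (ingress_iface, src_ip, dst_ip) tuples that uRPF would drop."""
    return [p for p in packets if not urpf_passes(routes, p[0], p[1])]


# Constructed sample traffic: (arrival interface, source IP, destination IP).
SAMPLE_PACKETS = [
    ("inside",  "10.1.5.7",    "198.51.100.20"),  # genuine inside host going out
    ("outside", "10.1.5.7",    "10.1.0.10"),      # inside address arriving from outside: spoofed
    ("outside", "203.0.113.9", "10.1.0.10"),      # covered only by the default route: passes
    ("dmz",     "10.1.5.7",    "192.168.2.5"),    # inside address arriving on dmz: spoofed
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "pass" if urpf_passes(ROUTES, pkt[0], pkt[1]) else "drop")
```

Note the third packet: an address with no specific route is matched by the default route, so it passes on the interface that carries the default route and fails on any other. Unicast RPF therefore only protects against spoofing of prefixes the appliance actually knows a route for, and it can drop legitimate traffic on interfaces that receive asymmetric routing, so enable it per interface after checking the routing table rather than everywhere at once.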
Chapter 27 Configuring Advanced Firewall Protection Configuring TCP Options
Fields
• Inbound and Outbound Reset—Sets whether to reset denied TCP connections for inbound and outbound traffic.
– Interface—Shows the interface name.
– Inbound Reset—Shows the interface reset setting for inbound TCP traffic, Yes or No.
CLOSING state. Having many sockets in the CLOSING state can degrade the performance of an end host. For example, some WinSock mainframe clients are known to exhibit this behavior and degrade the performance of the mainframe server. Using this feature creates a window for the simultaneous close down sequence to complete.
Chapter 27 Configuring Advanced Firewall Protection Configuring Global Timeouts Configuring Global Timeouts The Timeouts pane lets you set the timeout durations for use with the security appliance. All durations are displayed in the format hh:mm:ss. It sets the idle time for the connection and translation slots of various protocols. If the slot has not been used for the idle time specified, the resource is returned to the free pool.
• SIP Disconnect—Modifies the idle time after which a SIP session is deleted if the 200 OK is not received for a CANCEL or a BYE message. The minimum value is 0:00:01, the maximum value is 0:10:00. The default value is 0:02:00.
• Authentication absolute—Modifies the duration until the authentication cache times out and you have to reauthenticate a new connection. This duration must be shorter than the Translation Slot value.
Chapter 28 Configuring IPS
This chapter describes how to configure the adaptive security appliance to support an AIP SSM that is installed in the security appliance.
Note The Cisco PIX 500 series security appliances do not support SSMs.
Chapter 28 Configuring IPS AIP SSM Overview How the AIP SSM Works with the Adaptive Security Appliance The AIP SSM runs a separate application from the adaptive security appliance. It is, however, integrated into the adaptive security appliance traffic flow. The AIP SSM does not contain any external interfaces itself, other than a management interface.
• Promiscuous mode—This mode sends a duplicate stream of traffic to the AIP SSM. This mode is less secure, but has little impact on traffic throughput. Unlike the inline mode, in promiscuous mode the AIP SSM can only block traffic by instructing the adaptive security appliance to shun the traffic or by resetting a connection on the adaptive security appliance.
Figure 28-3 Security Contexts and Virtual Sensors
[Figure: the security appliance (Main System, Context 1, Context 2, Context 3) paired with the AIP SSM (Sensor 1, Sensor 2).]
Figure 28-4 shows a single mode security appliance paired with multiple virtual sensors (in inline mode); each defined traffic flow goes to a different sensor.
Chapter 28 Configuring IPS Accessing IDM from ASDM 4. Using ASDM on the ASA 5500 series adaptive security appliance, identify traffic to divert to the AIP SSM. See the “Diverting Traffic to the AIP SSM” section on page 28-6. Accessing IDM from ASDM ASDM uses IDM to configure the AIP SSM. If the AIP SSM is running IPS Version 6.0 or later, ASDM retrieves IDM from the AIP SSM and displays it as part of the ASDM interface. For earlier versions of the IPS software, IDM launches in a separate browser window.
Chapter 28 Configuring IPS Diverting Traffic to the AIP SSM
Step 1 In the ASDM Device List pane, double-click System under the active device IP address.
Step 2 On the Context Management > Security Contexts pane, choose a context that you want to configure, and click Edit. The Edit Context dialog box appears. For more information about configuring contexts, see the “Configuring Security Contexts” section on page 10-16.
Step 3 In the IPS Sensor Allocation area, click Add.
The Add Service Policy Rule Wizard - Service Policy dialog box appears. Complete the Service Policy and Traffic Classification Criteria dialog boxes. See the “Adding a Service Policy Rule for Through Traffic” section on page 22-6 for more information. Click Next to show the Add Service Policy Rule Wizard - Rule Actions dialog box.
Step 4 Click the Intrusion Prevention tab.
Chapter 28 Configuring IPS Resetting the AIP SSM Password Virtual Sensors to Security Contexts” section on page 28-5). If you do not specify a sensor name, then the traffic uses the default sensor. In multiple context mode, you can specify a default sensor for the context. In single mode or if you do not specify a default sensor in multiple mode, the traffic uses the default sensor that is set on the AIP SSM.
Chapter 29 Configuring Trend Micro Content Security
Note The ASA 5580 does not support the CSC SSM feature.
Chapter 29 Configuring Trend Micro Content Security Managing the CSC SSM
• Other IP Address or Hostname—Connects to an alternate IP address or hostname on the SSM.
Step 3 Enter the port number in the Port field, and then click Continue.
Step 4 In the CSC Password dialog box, type your CSC password, and then click OK.
• A service policy that determines which traffic is diverted to the SSM for scans.
In this example, the client could be a network user who is accessing a website, downloading files from an FTP server, or retrieving e-mail from a POP3 server. SMTP scans differ in that you should configure the adaptive security appliance to scan traffic sent from outside to SMTP servers protected by the adaptive security appliance.
• The management port of the adaptive security appliance is connected to the management network. To allow management of the adaptive security appliance and the CSC SSM, hosts running ASDM must be connected to the management network.
• The management network includes an SMTP server for e-mail notifications for the CSC SSM and a syslog server to which the CSC SSM can send system log messages.
Step 4
Step 5
• Activation keys, received after completing Step 2.
• The SSM management port IP address, netmask, and gateway IP address. The SSM management port IP address must be accessible by the hosts used to run ASDM. The IP addresses for the SSM management port and the adaptive security appliance management interface can be in different subnets.
• DNS server IP address.
The new service policy appears in the Service Policy Rules pane.
g. Click Apply. The adaptive security appliance begins diverting traffic to the CSC SSM, which performs the content security scans that have been enabled according to the license that you purchased.
Step 7 (Optional) Review the default content security policies in the CSC SSM GUI. The default content security policies are suitable for most implementations.
You enable traffic scanning with the CSC SSM on the CSC Scan tab in the Add Service Policy Rule Wizard Rule Actions screen. You can apply service policies that include CSC scanning globally or to specific interfaces; therefore, you can choose to enable CSC scans globally or for specific interfaces. For more information, see Rule Actions for CSC Scanning, page 29-8.
Figure 29-4 shows service policy rules that select only the traffic that the adaptive security appliance should scan.
Figure 29-4 Optimized Traffic Selection for CSC Scans
In the inside-policy, the first class, inside-class1, ensures that the adaptive security appliance does not scan HTTP traffic between the inside network and the DMZ network. The Match column indicates this setting by displaying the “Do not match” icon.
Chapter 29 Configuring Trend Micro Content Security CSC SSM Setup
• If CSC card fails—Configures the action to take if the CSC SSM becomes inoperable.
– Permit traffic—Allows traffic if the CSC SSM fails.
– Close traffic—Blocks traffic if the CSC SSM fails.
Modes: available in routed and transparent firewall mode and in single context mode; in multiple context mode, the panes under the CSC Setup node are available only in the admin context (not in other contexts or in the system execution space).
For More Information
See Managing the CSC SSM, page 29-2
IP Configuration
The IP Configuration pane lets you configure IP addresses and other relevant details for the CSC SSM, the DNS servers it should use, and a proxy server for retrieving CSC SSM software updates.
Fields
• Management Interface—Contains parameters for management access to the CSC SSM.
– IP Address—Sets the IP address for management access to the CSC SSM.
Fields
• Host and Domain Names—Contains information about the hostname and domain name of the CSC SSM.
– HostName—Sets the hostname of the CSC SSM.
– Domain Name—Sets the domain name that contains the CSC SSM.
• Incoming E-mail Domain Name—Contains information about a trusted incoming e-mail domain name for SMTP-based e-mail.
– Incoming Email Domain—Sets the incoming e-mail domain name.
Fields
• IP Address—Sets the address of a host or network you want to add to the Selected Hosts/Network list.
• Mask—Sets the netmask for the host or network you specified in the IP Address field. To allow all hosts and networks, enter 0.0.0.0 in the IP Address field and choose 0.0.0.0 from the Mask list.
• Selected Hosts/Networks—Displays the hosts or networks trusted for management access to the CSC SSM.
Note The default password is “cisco.”
Fields
• Old Password—Requires the current password for management access to the CSC SSM.
• New Password—Sets the new password for management access to the CSC SSM.
• Confirm New Password—Verifies the new password for management access to the CSC SSM.
Note This feature is available only in multiple-context mode in the system context.
For More Information
See Password, page 29-13
Wizard Setup
The Wizard Setup screen lets you start the CSC Setup Wizard. Before you can directly access any of the other screens under CSC Setup, you must complete the CSC Setup Wizard.
Fields
• Activation Code—Display only. Displays the activation code settings you have made on this screen.
– Base License—Shows the activation code. The Base License includes anti-virus, anti-spyware, and file blocking.
– Plus License—Shows the activation code, if you have entered one. If not, this field is blank. The Plus License includes anti-spam, anti-phishing, content filtering, and URL blocking and filtering.
For More Information
See Managing the CSC SSM, page 29-2
CSC Setup Wizard Host Configuration
The CSC Setup Wizard Host Configuration screen displays the host and domain names, incoming e-mail domain name, administrator e-mail address, e-mail server IP address, and the port number that you have entered for the CSC SSM.
Fields
• Hostname—Shows the hostname of the CSC SSM.
Modes: available in routed and transparent firewall mode, in single context mode, and within a context in multiple context mode (not in the system execution space).
For More Information
See Managing the CSC SSM, page 29-2
CSC Setup Wizard Password Configuration
The CSC Setup Wizard Password Configuration screen displays the password settings that you have entered to grant access to the CSC SSM.
• Add—Click to specify additional traffic details for CSC scanning. For more information, see Specify traffic for CSC Scan, page 29-19.
• Edit—Click to modify additional traffic details for CSC scanning. For more information, see Specify traffic for CSC Scan, page 29-19.
• Delete—Click to remove additional traffic details for CSC scanning.
Modes: available in routed and transparent firewall mode, in single context mode, and within a context in multiple context mode (not in the system execution space).
For More Information
See CSC Setup Wizard Traffic Selection for CSC Scan, page 29-18
CSC Setup Wizard Summary
The CSC Setup Wizard Summary screen displays the settings that you have made with the CSC Setup Wizard. You can review your selections before you exit the wizard.
Chapter 29 Configuring Trend Micro Content Security Web
• Password—Display only. Indicates whether or not you have changed the password in the Password Configuration screen.
• Back—Click to return to preceding screens of the CSC Setup Wizard.
• Next—Dimmed; however, if you click Back to access any of the preceding screens in this wizard, click Next to return to this screen.
• Finish—Completes the CSC Setup Wizard and saves all settings that you have specified.
Chapter 29 Configuring Trend Micro Content Security Mail
• Scanning—Includes a field and a link about HTTP scanning on the CSC SSM.
– HTTP Scanning—Display only. Shows whether or not HTTP scanning is enabled on the CSC SSM.
– Configure Web Scanning—Opens a screen for configuring HTTP scanning on the CSC SSM.
Fields
• Scanning—Includes fields and links about SMTP scanning.
– Incoming Scan—Display only. Shows whether or not the incoming SMTP scanning feature is enabled on the CSC SSM.
– Configure Incoming Scan—Opens a screen for configuring incoming SMTP scan settings on the CSC SSM.
– Outgoing Scan—Display only. Shows whether or not the outgoing SMTP scanning feature is enabled on the CSC SSM.
Chapter 29 Configuring Trend Micro Content Security File Transfer Note To access the CSC SSM, you must reenter the CSC SSM password. Sessions in the CSC SSM browser time out after ten minutes of inactivity. If you close the CSC SSM browser and click another link in ASDM, you are not prompted for the CSC SSM password again, because one session is already open. Fields • Scanning—Display only. Shows whether or not POP3 e-mail scanning is enabled on the CSC SSM.
Chapter 29 Configuring Trend Micro Content Security Updates • Configure File Blocking—Opens a screen for configuring FTP file blocking settings on the CSC SSM.
For More Information
See Managing the CSC SSM, page 29-2
Chapter 30 Configuring ARP Inspection and Bridging Parameters
This chapter describes how to enable ARP inspection and how to customize bridging operations for the security appliance in transparent firewall mode. In multiple context mode, the commands in this chapter can be entered in a security context, but not the system. For information about transparent firewall mode, see Chapter 18, “Firewall Mode Overview.”
Chapter 30 Configuring ARP Inspection and Bridging Parameters Configuring ARP Inspection
Note The dedicated management interface, if present, never floods packets even if this parameter is set to flood.
ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP spoofing). ARP spoofing can enable a “man-in-the-middle” attack. For example, a host sends an ARP request to the gateway router; the gateway router responds with the gateway router MAC address.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed —, Transparent •. Security Context: Single •, Multiple: Context •, System —.
ARP Static Table
Although hosts identify a packet destination by an IP address, the actual delivery of the packet on Ethernet relies on the Ethernet MAC address.
Firewall Mode: Routed •, Transparent •. Security Context: Single •, Multiple: Context •, System —.
Add/Edit ARP Static Configuration
The Add/Edit ARP Static Configuration dialog box lets you add or edit a static ARP entry.
Fields
• Interface—Sets the interface attached to the host network.
• IP Address—Sets the host IP address.
• MAC Address—Sets the host MAC address; for example, 00e0.1e4e.3d8b.
drops the traffic and generates a system message. When you add a static ARP entry (see the “ARP Static Table” section on page 30-3), a static MAC address entry is automatically added to the MAC address table.
Add/Edit MAC Address Entry
The Add/Edit MAC Address Entry dialog box lets you add or edit a static MAC address entry. Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface. One benefit of adding static entries is to guard against MAC spoofing.
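As an added illustration of the inspection rules described in this chapter (example code written for this page, not Cisco or ASDM code), the following Python simulates the decision the appliance makes for each ARP packet: a sender whose IP and MAC both match a static entry is forwarded, a sender that contradicts a static entry in either direction is dropped and logged, and a sender with no static entry is flooded or dropped according to the per-interface flood setting, with the management interface never flooding. The interface names, static entries, packets, and the assumed default that an interface missing from the flood setting floods, are all constructed for the example.

```python
"""Simulation of transparent-firewall ARP inspection (added example,
not Cisco code).  A static ARP table binds (interface, IP) to a MAC.
Forward on a full match, drop and log on a mismatch, and flood or drop
unknown senders per interface; the management interface never floods.
Interface names, entries and packets are constructed for the example."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    interface: str   # interface the ARP packet arrived on
    sender_ip: str
    sender_mac: str  # Cisco dotted format, e.g. 00e0.1e4e.3d8b


@dataclass
class ArpInspector:
    # Static ARP table as built in the ARP Static Table panel:
    # (interface, ip) -> mac (constructed values).
    static_table: dict
    # Per-interface flood setting: True floods unknown ARP packets, False
    # drops them.  Interfaces absent from the dict flood (assumed default).
    flood: dict
    management_interface: str = "management"
    syslog: list = field(default_factory=list)

    def __post_init__(self):
        # Reverse index so a known MAC claiming a different IP is also caught.
        self._ip_by_mac = {(iface, mac.lower()): ip
                           for (iface, ip), mac in self.static_table.items()}

    def inspect(self, pkt: ArpPacket) -> str:
        """Return "forward", "flood" or "drop" for one ARP packet."""
        mac = pkt.sender_mac.lower()
        expected_mac = self.static_table.get((pkt.interface, pkt.sender_ip))
        expected_ip = self._ip_by_mac.get((pkt.interface, mac))

        if expected_mac is not None or expected_ip is not None:
            # One half of the binding is static: both halves must agree,
            # otherwise this is a spoof attempt against a protected host.
            if expected_mac is not None and expected_mac.lower() == mac:
                return "forward"
            self.syslog.append(
                f"ARP inspection: mismatch on {pkt.interface}, "
                f"{pkt.sender_ip} claims {pkt.sender_mac}, static entry "
                f"is {expected_mac or expected_ip}")
            return "drop"

        # No static entry for this IP or MAC on this interface.
        if pkt.interface == self.management_interface:
            self.syslog.append(
                f"ARP inspection: no static entry on {pkt.interface}; "
                "management interface never floods")
            return "drop"
        if self.flood.get(pkt.interface, True):
            return "flood"
        self.syslog.append(
            f"ARP inspection: no static entry on {pkt.interface} for "
            f"{pkt.sender_ip}; flooding disabled")
        return "drop"


def run_demo():
    """Run a constructed set of ARP packets through the inspector."""
    inspector = ArpInspector(
        static_table={("inside", "10.1.1.1"): "00e0.1e4e.3d8b"},
        flood={"inside": True, "outside": False},
    )
    packets = [
        ArpPacket("inside", "10.1.1.1", "00e0.1e4e.3d8b"),      # genuine gateway
        ArpPacket("inside", "10.1.1.1", "0000.0c12.3456"),      # gateway IP, wrong MAC
        ArpPacket("inside", "10.1.1.9", "00e0.1e4e.3d8b"),      # gateway MAC, wrong IP
        ArpPacket("inside", "10.1.1.5", "0011.2233.4455"),      # unknown; inside floods
        ArpPacket("outside", "192.0.2.7", "0011.2233.4455"),    # unknown; outside drops
        ArpPacket("management", "10.9.9.1", "0011.2233.4455"),  # unknown; never floods
    ]
    verdicts = [inspector.inspect(p) for p in packets]
    return verdicts, inspector.syslog


if __name__ == "__main__":
    verdicts, log = run_demo()
    print(verdicts)
    for line in log:
        print(line)
```

The two drop cases for the gateway (wrong MAC for its IP, and its MAC on a different IP) are the ones a static entry buys you; the syslog lines are what an operator would correlate when investigating suspected ARP spoofing on a transparent segment.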
Part 4 Configuring VPN
Chapter 31 SSL VPN Wizard
SSL VPN Feature
Clientless, browser-based SSL VPN lets users establish a secure, remote-access VPN tunnel to the security appliance using a web browser. After authentication, users access a portal page and can access specific, supported internal resources. The network administrator provides access to resources by users on a group basis. Users have no direct access to resources on the internal network.
SSL VPN Interface
Provide a connection name (previously called tunnel group), enable an interface for SSL VPN connections, and provide digital certificate information in this window.
Fields
• Connection Name—Provide a connection name for this group of connection-oriented attributes.
• SSL VPN Interface—Specify the interface to allow SSL VPN connections.
• Digital Certificate—Specify a certificate, if any, that the security appliance sends to the remote PC.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple: Context —, System —.
Group Policy
Group policies configure common attributes for groups of users. Create a new group policy or select an existing one to modify.
Fields
• Create new group policy—Enable to create a new group policy. Provide a name for the new policy.
Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple: Context —, System —.
IP Address Pools and Client Image
Provide a range of IP addresses to remote SSL VPN users and identify SSL VPN client images to the security appliance in this window.
Fields
• IP Address Pool—SSL VPN clients receive new IP addresses when they connect to the security appliance. Clientless connections do not require new IP addresses.
Summary
Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple: Context —, System —.
Chapter 32 VPN
The security appliance creates a virtual private network by creating a secure connection across a TCP/IP network (such as the Internet) that users see as a private connection. It can create single-user-to-LAN connections and LAN-to-LAN connections.
VPN Wizard
Note The VPN wizard lets you assign either preshared keys or digital certificates for authentication. However, to use certificates, you must enroll with a certification authority and configure a trustpoint prior to using the wizard. Use the ASDM Device Administration > Certificate panels and online Help to accomplish these tasks.
• Enable inbound IPsec sessions to bypass interface access lists—Enable IPsec authenticated inbound sessions to always be permitted through the security appliance (that is, without a check of the interface access-list statements). Be aware that the inbound sessions bypass only the interface ACLs. Configured group-policy, user, and downloaded ACLs still apply.
When two peers want to communicate, they exchange certificates and digitally sign data to authenticate each other. When you add a new peer to the network, it enrolls with a CA, and none of the other peers require additional configuration.
– Certificate Signing Algorithm—Displays the algorithm for signing digital certificates, rsa-sig for RSA.
– Certificate Name—Select the name that identifies the certificate the security appliance sends to the remote peer.
Fields
• Encryption—Select the symmetric encryption algorithm the security appliance uses to establish the Phase 1 SA that protects Phase 2 negotiations. The security appliance supports the following encryption algorithms:
– DES—Data Encryption Standard. Uses a 56-bit key.
– 3DES—Triple DES. Performs encryption three times using a 56-bit key.
– AES-128—Advanced Encryption Standard. Uses a 128-bit key.
– AES-192—AES using a 192-bit key.
For IPsec to succeed, both peers in the LAN-to-LAN connection must have compatible entries for hosts and networks. The hosts and networks you configure as Local Hosts and Networks in this panel must be configured as Remote Hosts and Networks on the device at the remote site for the LAN-to-LAN connection. The local security appliance and the remote device must have at least one transform set in common for this LAN-to-LAN connection.
Fields
• Cisco VPN Client Release 3.x or higher, or other Easy VPN Remote product—Click for IPsec connections, including compatible software and hardware clients other than those named here.
• Microsoft Windows client using L2TP over IPsec—Click to enable connections from Microsoft Windows and Microsoft Windows Mobile clients over a public IP network. L2TP uses PPP over UDP (port 1701) to tunnel the data.
– Pre-shared Key—Type the preshared key.
– Certificate—Click to use certificates for authentication between the local security appliance and the remote IPsec peer. To complete this section, you must have previously enrolled with a CA and downloaded one or more certificates to the security appliance. Digital certificates are an efficient way to manage the security keys used to establish an IPsec tunnel.
• Authenticate using an AAA server group—Click to use an external server group for remote user authentication.
• AAA Server Group Name—Select a AAA server group configured previously.
• New ...—Click to configure a new AAA server group.
User Accounts
Use the User Accounts panel to add new users to the security appliance internal user database for authentication purposes.
Fields
Provide the following information:
• User to Be Added—Use the fields in this section to add a user.
– Username—Enter the username.
– Password—(Optional) Enter a password.
– Confirm Password—(Optional) Reenter the password.
• Add—Click to add a user to the database after you have entered the username and optional password.
Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple: Context —, System —.
Attributes Pushed to Client
Use the Attributes Pushed to Client (Optional) panel to have the security appliance pass information about DNS and WINS servers and the default domain name to remote access clients.
Fields
Provide information for remote access clients to use.
• Tunnel Group—Displays the name of the connection policy to which the address pool applies.
Fields
• Host/Network to Be Added—Complete these fields to exempt a particular host or network from NAT.
– Interface—Select the name of the interface that connects to the hosts or networks you have selected.
– IP address—Select the IP address of the host or network. Either type the IP address or click the adjacent ... button to view a diagram of the network and select a host or network.
Chapter 33 Configuring Certificates
Digital certificates provide digital identification for authentication. A digital certificate contains information that identifies a device or user, such as the name, serial number, company, department, or IP address. CAs issue digital certificates in the context of a PKI, which uses public-key/private-key encryption to ensure security.
CA Certificates
Fields
• Certificates—Displays a list of the available certificates, identified by whom each was issued to and by, the date the certificate expires, and the certificate’s usage or purpose. You can click a certificate in the list and edit its configuration, or you can add a new certificate to the displayed list.
• Add Button—Add a new certificate configuration to the list. See Add/Install a CA Certificate.
Add/Install a CA Certificate
The CA Certificate panel lets you add a new certificate configuration from an existing file, by manually pasting a certificate, or by automatic enrollment. Click the appropriate option to activate one of the following:
• Install from a File—To add a certificate configuration from an existing file, enter the path and file name, then click Install Certificate.
– Retry Period: Specify the maximum number of minutes to retry installing a certificate. The default is one minute.
– Retry Count: Specify the number of retries for installing a certificate. The default is 0, which indicates unlimited retries within the retry period.
More Options...—For additional options for new certificates, click the More Options... button to display configuration options for new and existing certificates.
Request CRL
The Request CRL button updates the current version of the Certificate Revocation List (CRL). A CRL update provides the current status of certificate users. If the request fails, an error message appears. The CRL is generated and regenerated automatically until it expires; the Request CRL button forces an immediate CRL file update and regeneration.
The following panels are the tab-selectable displays that address CA certificate configuration specifics. Each tabbed display is summarized in the following list:
Revocation Check—The Revocation Check panel lets you choose or reject revocation checking, specify a method of revocation checking (CRL or OCSP), and ignore revocation-checking errors when validating a certificate.
The methods you select are implemented in the order in which you add them. If a method detects an error, subsequent revocation checking methods activate.
Revocation Checking Override - Click the Consider certificate valid if revocation checking returns errors button to ignore revocation-checking errors.
• Click the Enable Lightweight Directory Access Protocol (LDAP) button to specify LDAP CRL retrieval. With LDAP, CRL retrieval starts an LDAP session by connecting to a named LDAP server, accessed by password. The connection is on TCP port 389 by default.
OCSP Rules
Fields
• Certificate Map—Displays the name of the certificate map to match to this OCSP rule. Certificate maps match user permissions to specific fields in a certificate. You must configure the certificate map before you configure OCSP rules.
• Certificate—Displays the name of the CA the security appliance uses to validate responder certificates.
• Index—Displays the priority number for the rule.
The security appliance supports two methods of checking revocation status: CRL and OCSP.
Fields
• CRL Options
– Cache Refresh Time—Specify the number of minutes between cache refreshes. The default is 60 minutes. The range is 1-1440. To avoid having to retrieve the same CRL from a CA repeatedly, the security appliance can store retrieved CRLs locally, which is called CRL caching.
– Disable nonce extension—By default, the OCSP request includes the nonce extension, which cryptographically binds requests with responses to avoid replay attacks. It works by matching the extension in the request to that in the response, ensuring that they are the same. Disable the nonce extension if the OCSP server you are using sends pre-generated responses that do not contain this matching nonce extension.
Add/Install an Identity Certificate
The Identity Certificate panel lets you import an existing identity certificate from a file or add a new certificate configuration from an existing file.
Click the appropriate option to activate one of the following:
Add Identity Certificate
Fields
Assign values to the fields in the Add Identity Certificate dialog box as follows:
• To import an identity certificate from an existing file, select Import the identity certificate from a file and enter the following information:
– Decryption Pass Phrase—Specify the passphrase used to decrypt the PKCS12 file.
– Name (in Key Pair > New window)—Selects a default key pair name, such as , or you can enter a new key pair name.
– Size (in Key Pair > New window)—Specifies the default key pair size: 512, 788, 1024 (the default) or 2048.
– Usage (in Key Pair > New window)—Specifies the key pair usage as general purpose or special.
– Value (in Certificate Subject DN > Select window)—Enter the value for each of the DN attributes that you select in the Attribute list. With a value assigned to an attribute, use the now-active Add button to add the attribute to the Attribute/Value field on the right. To remove attributes and their values, select the attribute and click the now-active Delete button.
Export Identity Certificate
Fields
• Export to a file—Specify the name of the PKCS12-format file to use in exporting the certificate configuration.
• Certificate Format—Click PKCS12 format, the public key cryptography standard, which can be base64 encoded or hexadecimal, or click PEM format.
– Browse—Display the Select a File dialog box that lets you navigate to the file to which you want to export the certificate configuration.
– New—Click to add a new key pair, providing a name, modulus size, and usage. When you generate the key pair, you have the option of sending it to the security appliance or saving it to a file.
• Certificate Subject DN—Identifies DN attributes for the certificate.
– Common Name (CN)—Enter the FQDN or IP address of the security appliance.
– Organization (O)—Provide the name of the company.
Step 7 In the Advanced Options panel, verify that the FQDN: field is the correct FQDN of the security appliance and click OK to close the window.
Step 8 In the Add Identity Certificate panel, click the Add Certificate button at the bottom.
Step 9 When prompted to enter a name for the CSR, specify an easily accessible file name of type text, such as c:\verisign-csr.txt.
Step 10 Send the CSR text file to the CA.
Show Code-Signer Certificate Details
The Show Details button displays the Code Signer Details dialog box, which shows the following information about the selected certificate:
• General—Displays the values for type, serial number, status, usage, public key type, CRL distribution point, the times within which the certificate is valid, and associated certificates. This applies to both available and pending status.
• Issued to—Displays the X.
Import or Export a Code-Signer Certificate
Assign values to the fields in the Import Certificate window as follows:
• Decryption Passphrase: Specify the passphrase used to decrypt the PKCS12 file.
• Files to Import From: You can type the pathname of the file in the box or you can click Browse and search for the file. Browse displays the Import Certificate dialog box, which lets you navigate to the file containing the certificate.
Note The local CA provides a certificate authority on the adaptive security appliance for use with SSL VPN connections, both browser- and client-based. User enrollment is by browser webpage login.
The Local CA integrates basic certificate authority functionality on the security appliance, deploys certificates, and provides secure revocation checking of issued certificates.
Configurable Parameters and Defaults
Length of time a one-time password is valid: 72 hrs. (three days)
Caution: The Delete Certificate Authority Server button permanently removes the server configuration.
Configuring the Local CA Server
The CA Server window lets you customize, modify, and control Local CA server operation. This section describes the parameters that can be specified. Additional parameters are available when you click More Options.
Note Click Apply to be sure you save the Local CA certificate and key pair so the configuration is not lost if you reboot the security appliance.
When you select the Disable button to halt the Local CA server, you shut down its operation on the security appliance. The configuration and all associated files remain in storage. Webpage enrollment is disabled while you change or reconfigure the Local CA.
SMTP Server & Email Settings
To set up e-mail access for the Local CA server, you configure the Simple Mail Transfer Protocol (SMTP) e-mail server and the e-mail address from which to send e-mails to Local CA users, and you specify a standard subject line for Local CA e-mails.
• Server IP Address - The Server IP Address field requires the Local CA e-mail server’s IP address.
The Local CA database can be configured to reside on an off-box file system that is mounted and accessible to the security appliance. To specify an external file or share, enter the pathname to the external file or click Browse and search for the file.
Note Flash memory can store a database of 3500 users or fewer, but a database of more than 3500 users requires off-box storage.
Reset Button
The Reset button removes any changes or edits and returns the display to the original contents.
Deleting the Local CA Server
The Delete Certificate Authority Server button at the bottom of the More Options section of the CA Server panel immediately removes the Local CA certificate configuration from the security appliance.
Whenever you change any certificate status, be sure to update the CRL to reflect the latest changes.
• To change certificate status, see Revoking a Local CA Certificate and Unrevoking a Local CA Certificate.
Revoking a Local CA Certificate
The Local CA Server keeps track of the lifetime of every user certificate and e-mails renewal notices when they are needed. If a user’s certificate lifetime period runs out, that user’s access is revoked.
Manage User Database
The Local CA user database contains user identification information and the status of each user in the system (enrolled, allowed, revoked, and so on). With the Manage User Database window, you can add new users, select specific users by username to edit user information, and delete existing users and their certificates.
Add a Local CA User
The Add button lets you enter a new user into the Local CA database. Each new user to be entered into the database must have a predefined user name, e-mail address, and subject name.
Local CA Add User Fields
• Username: Enter a valid user name.
• Email: Specify an existing valid e-mail address.
• Subject: Enter the user’s subject name.
Delete a Local CA User
The Delete button removes the selected user from the database and removes any certificates issued to that user from the Local CA database. A deleted user cannot be restored; to recreate the deleted user record, you must use the Add button to reenter the user information.
Allow Enrollment
The Allow Enrollment button enrolls the selected user.
Email OTP
The Email OTP button sends an OTP to the selected user by e-mail.
Chapter 34 IKE
IKE, also called ISAKMP, is the negotiation protocol that lets two hosts agree on how to build an IPsec security association. To configure the security appliance for virtual private networks, you set global IKE parameters that apply system wide, and you also create IKE policies that the peers negotiate to establish a VPN connection.
IKE Parameters
This panel lets you set system-wide values for VPN connections.
• Select the second or third option for the Fragmentation Policy parameter in the Configuration > VPN > IPsec > Pre-Fragmentation panel. These options let traffic travel across NAT devices that do not support IP fragmentation; they do not impede the operation of NAT devices that do support IP fragmentation.
Alerting Peers Before Disconnecting
Client or LAN-to-LAN sessions may be dropped for several reasons, such as a security appliance shutdown or reboot, session idle timeout, maximum connection time exceeded, or administrator cut-off. The security appliance can notify qualified peers (in LAN-to-LAN configurations), VPN Clients, and VPN 3002 Hardware Clients of sessions that are about to be disconnected, and it conveys to them the reason.
– Key Id String—Type the alphanumeric string the peers use to look up the preshared key.
• Disable inbound aggressive mode connections—Select to disable aggressive mode connections.
• Alert peers before disconnecting—Select to have the security appliance notify qualified LAN-to-LAN peers and remote access clients before disconnecting sessions.
– Priority #—Shows the priority of the policy.
– Encryption—Shows the encryption method.
– Hash—Shows the hash algorithm.
– D-H Group—Shows the Diffie-Hellman group.
– Authentication—Shows the authentication method.
– Lifetime (secs)—Shows the SA lifetime in seconds.
• Add/Edit/Delete—Click to add, edit, or delete an IKE policy.
– rsa-sig—A digital certificate with keys generated by the RSA signatures algorithm.
– crack—IKE Challenge/Response for Authenticated Cryptographic Keys protocol, for mobile IPsec-enabled clients that use authentication techniques other than certificates.
• D-H Group—Select the Diffie-Hellman group identifier, which the two IPsec peers use to derive a shared secret without transmitting it to each other.
only with the private IP addresses that get assigned to clients. The IP addresses assigned to other resources on your private network are part of your network administration responsibilities, not part of security appliance management. Therefore, when we discuss IP addresses here, we mean those IP addresses available in your private network addressing scheme that let the client function as a tunnel endpoint.
• Ending Address—Shows the last IP address available in each configured pool.
• Subnet Mask—Shows the subnet mask for addresses in each configured pool.
• Add—Click to add a new address pool.
• Edit/Delete—Click to edit or delete an already configured address pool.
Note The ASA supports LAN-to-LAN IPsec connections with Cisco peers, and with third-party peers that comply with all relevant standards.
During tunnel establishment, the two peers negotiate security associations that govern authentication, encryption, encapsulation, and key management. These negotiations involve two phases: first, to establish the tunnel (the IKE SA); and second, to govern traffic within the tunnel (the IPsec SA).
Fields
Note You cannot edit, delete, or copy an implicit rule. The security appliance implicitly accepts the traffic selection proposal from remote clients when configured with a dynamic tunnel policy. You can override it by giving a specific traffic selection.
• Add—Click to launch the Add IPsec Rule dialog, where you can configure basic, advanced, and traffic selection parameters for a rule, or choose
• Edit—Click to edit an existing rule.
• SA Lifetime—Displays the SA lifetime for the rule.
• CA Certificate—Displays the CA certificate for the policy. This applies to static connections only.
• IKE Negotiation Mode—Displays whether IKE negotiations use main or aggressive mode.
• Description—(Optional) Specifies a brief description for this rule. For an existing rule, this is the description you typed when you added the rule. An implicit rule includes the following description: “Implicit rule.”
central-site device. A dynamic tunnel policy is useful when the remote access clients have dynamically assigned IP addresses or when you do not want to configure separate policies for a large number of remote access clients.
Fields
• Interface—Select the interface name to which this policy applies.
• Policy Type—Select the type, static or dynamic, of this tunnel policy.
• Priority—Enter the priority of the policy.
Create IPsec Rule/Tunnel Policy (Crypto Map) - Advanced Tab
Fields
• Security Association Lifetime parameters—Configures the duration of a Security Association (SA). This parameter specifies how to measure the lifetime of the IPsec SA keys, which is how long the IPsec SA lasts until it expires and must be renegotiated with new keys.
– Time—Specifies the SA lifetime in terms of hours (hh), minutes (mm), and seconds (ss).
– Add/Edit—Choose IP Address or Network Object Group to add more source addresses or groups.
– Delete—Click to delete an entry.
– Filter—Enter an IP address to filter the results displayed.
– Name—Indicates that the parameters that follow specify the name of the source host or network.
– IP Address—Indicates that the parameters that follow specify the interface, IP address, and subnet mask of the source host or network.
– Destination—Specify the IP address, network object group, or interface IP address for the source or destination host or network. A rule cannot use the same address as both the source and destination. Click ... for either of these fields to launch the Browse dialogs that contain the following fields:
– Name—Selects the interface name to use as the source or destination host or network. This parameter appears when you select the Name option button.
– Time Range—Specify the name of an existing time range or create a new range.
– ...—Displays the Add Time Range pane, on which you can define a new time range.
– Please enter the description below (optional)—Provides space for you to enter a brief description of the rule.
Fields
• Pre-Fragmentation—Shows the current pre-fragmentation configuration for every configured interface.
– Interface—Shows the name of each configured interface.
– Pre-Fragmentation Enabled—Shows, for each interface, whether pre-fragmentation is enabled.
– DF Bit Policy—Shows the DF Bit Policy for each interface.
• Edit—Displays the Edit IPsec Pre-Fragmentation Policy dialog box.
IPsec Transform Sets
Use this panel to view and add or edit transform sets. A transform is a set of operations done on a data flow to provide data authentication, data confidentiality, and data compression. For example, one transform is the ESP protocol with 3DES encryption and the HMAC-MD5 authentication algorithm (ESP-3DES-MD5).
Fields
• Transform Sets—Shows the configured transform sets.
– Name—Shows the name of the transform sets.
– ESP Encryption—Selects the Encapsulating Security Protocol (ESP) encryption algorithms for the transform sets. ESP provides data privacy services, optional data authentication, and anti-replay services. ESP encapsulates the data being protected.
– ESP Authentication—Selects the ESP authentication algorithms for the transform sets. The IPsec ESP (Encapsulating Security Payload) protocol provides both encryption and authentication.
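The requirement stated for LAN-to-LAN connections, that the two peers must share at least one compatible proposal in each phase (the encryption, hash, D-H group and authentication attributes of an IKE policy listed under IKE Policies, and the ESP encryption/authentication pair of a transform set listed here), can be illustrated with the following added Python example. It is written for this page and is not Cisco or ASDM code. It walks both peers' proposals in priority order, returns the first match for each phase, and flags DES and MD5, which the guide lists as selectable but which a reviewer should treat as weak. The peer configurations are constructed, and the rule that the shorter of the two IKE lifetimes applies to the negotiated SA is an assumption of the example.

```python
"""Negotiation of a common IKE policy and IPsec transform set (added
example, not Cisco code).  Both peers must share at least one proposal
per phase; the first match in priority order wins.  Policies and
transform sets below are constructed sample configurations."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    priority: int          # lower number = higher priority
    encryption: str        # des, 3des, aes-128, aes-192, aes-256
    hash_alg: str          # md5, sha
    dh_group: int          # Diffie-Hellman group identifier
    authentication: str    # pre-share, rsa-sig, crack
    lifetime: int          # SA lifetime in seconds


@dataclass(frozen=True)
class TransformSet:
    name: str              # ESP-<encryption>-<authentication> as in the guide
    esp_encryption: str
    esp_authentication: str


# Algorithms the guide lists that should be flagged if negotiated.
WEAK = {"des", "md5"}


def _warnings(algs: List[str]) -> List[str]:
    return [f"weak algorithm negotiated: {a}" for a in algs if a in WEAK]


def negotiate_ike(initiator: List[IkePolicy],
                  responder: List[IkePolicy]) -> Tuple[Optional[IkePolicy], List[str]]:
    """Phase 1: the initiator offers its policies in priority order and the
    responder accepts the first that matches one of its own on encryption,
    hash, DH group and authentication.  The shorter lifetime is used
    (assumption of this example)."""
    for lp in sorted(initiator, key=lambda p: p.priority):
        for rp in sorted(responder, key=lambda p: p.priority):
            if (lp.encryption, lp.hash_alg, lp.dh_group, lp.authentication) == \
               (rp.encryption, rp.hash_alg, rp.dh_group, rp.authentication):
                chosen = IkePolicy(lp.priority, lp.encryption, lp.hash_alg,
                                   lp.dh_group, lp.authentication,
                                   min(lp.lifetime, rp.lifetime))
                return chosen, _warnings([chosen.encryption, chosen.hash_alg])
    return None, ["no IKE policy in common: Phase 1 fails"]


def negotiate_transform_set(local: List[TransformSet],
                            remote: List[TransformSet]) -> Tuple[Optional[TransformSet], List[str]]:
    """Phase 2: first local transform set, in configured order, whose ESP
    encryption and authentication both match a remote set."""
    remote_pairs = {(t.esp_encryption, t.esp_authentication) for t in remote}
    for t in local:
        if (t.esp_encryption, t.esp_authentication) in remote_pairs:
            return t, _warnings([t.esp_encryption, t.esp_authentication])
    return None, ["no transform set in common: Phase 2 fails"]


# Constructed sample configuration for two LAN-to-LAN peers.  The local
# side prefers AES-256/SHA but also carries a legacy 3DES/MD5 policy;
# the remote side only offers 3DES/MD5 and AES-128/SHA.
LOCAL_IKE = [
    IkePolicy(10, "aes-256", "sha", 5, "pre-share", 86400),
    IkePolicy(20, "3des", "md5", 2, "pre-share", 86400),
]
REMOTE_IKE = [
    IkePolicy(5, "3des", "md5", 2, "pre-share", 28800),
    IkePolicy(10, "aes-128", "sha", 5, "pre-share", 86400),
]
LOCAL_TS = [TransformSet("ESP-AES-256-SHA", "aes-256", "sha"),
            TransformSet("ESP-3DES-MD5", "3des", "md5")]
REMOTE_TS = [TransformSet("ESP-3DES-MD5", "3des", "md5")]


def run_demo():
    """Negotiate both phases for the constructed peers."""
    ike, ike_warn = negotiate_ike(LOCAL_IKE, REMOTE_IKE)
    ts, ts_warn = negotiate_transform_set(LOCAL_TS, REMOTE_TS)
    return ike, ike_warn, ts, ts_warn


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

In the constructed case the tunnel comes up only because the legacy 3DES/MD5 entries match, so the warnings are the useful output: the strong AES policy that an administrator expected to be used is silently bypassed, which is why a reviewer checks the negotiated SA rather than the highest-priority policy.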
To implement load balancing, you group together logically two or more devices on the same private LAN-to-LAN network into a virtual cluster. All devices in the virtual cluster carry session loads. One device in the virtual cluster, the virtual cluster master, directs incoming calls to the other devices, called secondary devices. The virtual cluster master monitors all devices in the cluster, keeps track of how busy each is, and distributes the session load accordingly.
– Enable IPsec Encryption—Enables or disables IPsec encryption. If you select this check box, you must also specify and verify a shared secret. The security appliances in the virtual cluster communicate via LAN-to-LAN tunnels using IPsec. To ensure that all load-balancing information communicated between the devices is encrypted, select this check box.
Note When using encryption, you must have previously configured the load-balancing inside interface.
Step 2 Add an entry for each of your security appliance outside interfaces into your DNS server, if such entries are not already present. Each security appliance outside IP address should have a DNS entry associated with it for lookups. These DNS entries must also be enabled for Reverse Lookup.
server. When the timer expires, the security appliance tries to initiate a new EAP over UDP association with the remote host. The setting is in seconds. Enter a value in the range 60 to 86400. The default setting is 180.
The Clientless Authentication area of the NAC window lets you configure settings for hosts that are not responsive to the EAPoUDP requests. Hosts for which there is no CTA running do not respond to these requests.
Chapter 34 IKE Configuring Network Admission Control Policies • Uses, Requirements, and Limitations • Fields • What to Do Next About NAC NAC protects the enterprise network from intrusion and infection from worms, viruses, and rogue applications by performing endpoint compliancy and vulnerability checks as a condition for production access to the network. We refer to these checks as posture validation.
Chapter 34 IKE Configuring Network Admission Control Policies Uses, Requirements, and Limitations When configured to support NAC, the security appliance functions as a client of a Cisco Secure Access Control Server, requiring that you install a minimum of one Access Control Server on the network to provide NAC authentication services.
Chapter 34 IKE Configuring Network Admission Control Policies • Delete—Removes an entry from the Posture Validation Exception list. What to Do Next Following the configuration of the NAC policy, you must assign it to a group policy for it to become active. To do so, choose Configuration > Remote Access VPN> Network (Client) Access > Group Policies > Add or Edit > General > More Options and the NAC policy name from the drop-down list next to the NAC Policy attribute.
Firewall Mode            Security Context
Routed   Transparent     Single   Multiple Context   Multiple System
•        —               •        —                  —
Chapter 35 General
A virtual private network (VPN) is a network of virtual circuits that carry private traffic over a public network such as the Internet. VPNs can connect two or more LANs, or remote users to a LAN. VPNs provide privacy and security by requiring all users to authenticate and by encrypting all data traffic.
Client Software
Fields
• Enable Client Update—Enables or disables client update, both globally and for specific tunnel groups. You must enable client update before you can send a client update notification to Windows, Mac OS X, and Linux VPN clients, or initiate an automatic update to hardware clients.
• Client Type—Lists the clients to upgrade: software or hardware, and for Windows software clients, all Windows or a subset.
For VPN 3002 hardware clients, the upgrade proceeds automatically, with no notification. You must check Enable Client Update in the window for the upgrade to work. Clients that are not connected receive the upgrade notification or automatically upgrade the next time they log on.
Firewall Mode            Security Context
Routed   Transparent     Single   Multiple Context   Multiple System
•        —               •        —                  —
Default Tunnel Gateway
To configure the default tunnel gateway, click the Static Route link in this window. The Configuration > Routing > Routing > Static Route window opens.
• IPSec Security Associations
• Network lists for filtering and split tunneling
• User authentication servers, and specifically the internal authentication server
Fields
• Group Policy—Lists the currently configured group policies and provides Add, Edit, and Delete buttons to help you manage VPN group policies.
– Name—Lists the name of each currently configured group policy.
– Type—Lists the type of each currently configured group policy.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode            Security Context
Routed   Transparent     Single   Multiple Context   Multiple System
•        —               •        —                  —
Add AAA Server Group
The Add AAA Server Group dialog box lets you configure a new AAA server group. The Accounting Mode attribute applies only to the RADIUS and TACACS+ protocols.
Fields
• Server Group—Specifies the name of the server group.
• Address Pools—(Network (Client) Access only) Specifies the name of one or more address pools to use for this group policy.
• Select—(Network (Client) Access only) Opens the Select Address Pools window, which shows the pool name, starting and ending addresses, and subnet mask of address pools available for client address assignment and lets you select, add, edit, delete, and assign entries from that list.
• Manage—Opens the Browse Time Range dialog box, on which you can add, edit, or delete a time range.
• Simultaneous Logins—Specifies the maximum number of simultaneous logins allowed for a user in this group policy. The default value is 3. The minimum value is 0, which disables login and prevents user access. There is no maximum limit, but allowing many simultaneous connections for one user might compromise security and affect performance.
Fields
• Bookmark List—Select a previously configured bookmark list or click Manage to create a new one. Bookmarks appear as links from which users can navigate from the portal page.
• URL Entry—Enable to allow remote users to enter URLs directly into the portal URL field.
• File Access Control—Controls the visibility of “hidden shares” for Common Internet File System (CIFS) files. A hidden share is identified by a dollar sign ($) at the end of the share name.
• HTTP Proxy—Enables or disables the forwarding of an HTTP applet proxy to the client. The proxy is useful for technologies that interfere with proper content transformation, such as Java, ActiveX, and Flash. It bypasses content rewriting (mangling) while ensuring the continued use of the security appliance. The forwarded proxy modifies the browser’s old proxy configuration automatically and redirects all HTTP and HTTPS requests to the new proxy configuration.
Adding or Editing a Site-to-Site Internal Group Policy
The Add or Edit Group Policy window lets you specify tunneling protocols, filters, connection settings, and servers for the group policy being added or modified. For each of the fields on this window, checking the Inherit check box lets the corresponding setting take its value from the default group policy. Inherit is the default value for all of the attributes on this dialog box.
example, you can attach an access list to a time range to restrict access to the security appliance. A time range consists of a start time, an end time, and optional recurring (that is, periodic) entries. For more information about time ranges, see the online Help for the Add or Edit Time Range dialog box.
Fields
• Add—Opens the Add Time Range dialog box, on which you can create a new time range. Creating a time range by itself does not restrict access to the device; the range takes effect only when a rule references it.
• Recurring Time Ranges—Constrains the active time of this time range to the recurring entries, within the absolute start and end times. For example, if the start time is start now and the end time is never end, and you want the time range to be effective every weekday, Monday through Friday, from 8:00 AM to 5:00 PM, you could configure a recurring time range, specifying that it is to be active weekdays from 08:00 through 17:00, inclusive.
Firewall Mode            Security Context
Routed   Transparent     Single   Multiple Context   Multiple System
•        •               •        •                  —
ACL Manager
The ACL Manager dialog box lets you define access control lists (ACLs) to control the access of a specific host or network to another host or network, including the protocol or port that can be used. You can configure ACLs to apply to user sessions.
Firewall Mode            Security Context
Routed   Transparent     Single   Multiple Context   Multiple System
•        —               •        —                  —
Extended ACL
This pane provides summary information about extended ACLs, and lets you add or edit ACLs and ACEs.
Fields
• Add—Lets you add a new ACL. When you highlight an existing ACL, it lets you add a new ACE for that ACL.
• Edit—Opens the Edit ACE dialog box, on which you can change an existing access control list rule.
• Delete—Removes an ACL or ACE.
• Time—Specifies the name of the time range to be applied in this rule.
• Description—Shows the description you typed when you added the rule. An implicit rule includes the following description: “Implicit outbound rule.”
– Protocol—Selects the protocol to which this rule applies. Possible values are ip, tcp, udp, icmp, and other. The remaining available fields in the Protocol and Service area depend upon the protocol you select. The next few bullets describe the consequences of each of these selections:
– Protocol: TCP and UDP—Selects the TCP/UDP protocol for the rule. The Source Port and Destination Port areas allow you to specify the ports that the ACL uses to match packets.
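The time-range and ACL descriptions above leave the evaluation order implicit. The following Python is an added example, not code from the ASDM guide or from Cisco: it models a time range with an absolute start/end window plus optional recurring entries, an extended ACE that carries a Time field, and first-match ACL evaluation ending in the implicit deny. The class names, the sample policy and the timestamps are constructed for the example.

```python
"""Added example, not code from the ASDM guide: a model of how an extended ACE
bound to a time range is evaluated.  A time range is active inside its absolute
start/end window and, when it has recurring entries, only during one of them;
an ACE whose time range is inactive is skipped; every ACL ends in an implicit
deny.  Class names, the sample policy and the timestamps are constructed here."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set, Union

WEEKDAYS = {"monday", "tuesday", "wednesday", "thursday", "friday"}


@dataclass
class Periodic:
    """One recurring entry: active on the given days between start and end."""
    days: Set[str]
    start: time          # inclusive
    end: time            # inclusive, matching "through 17:00, inclusive"

    def active(self, now: datetime) -> bool:
        return (now.strftime("%A").lower() in self.days
                and self.start <= now.time() <= self.end)


@dataclass
class TimeRange:
    name: str
    absolute_start: Optional[datetime] = None   # None means "start now"
    absolute_end: Optional[datetime] = None     # None means "never end"
    periodic: List[Periodic] = field(default_factory=list)

    def active(self, now: datetime) -> bool:
        if self.absolute_start is not None and now < self.absolute_start:
            return False
        if self.absolute_end is not None and now > self.absolute_end:
            return False
        # Without recurring entries the range is active for the whole window.
        if not self.periodic:
            return True
        return any(p.active(now) for p in self.periodic)


@dataclass
class Ace:
    action: str                          # "permit" or "deny"
    protocol: str                        # "ip" matches any protocol
    dst_port: Optional[int] = None       # None matches any port
    time_range: Optional[TimeRange] = None

    def matches(self, protocol: str, dst_port: Optional[int], now: datetime) -> bool:
        if self.protocol != "ip" and self.protocol != protocol:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        # An ACE bound to an inactive time range does not match anything.
        if self.time_range is not None and not self.time_range.active(now):
            return False
        return True


def evaluate(acl: List[Ace], protocol: str, dst_port: Optional[int],
             now: Union[datetime, str]) -> str:
    """First matching ACE wins; the implicit rule at the end denies."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    for ace in acl:
        if ace.matches(protocol, dst_port, now):
            return ace.action
    return "deny"


# Constructed sample policy: RDP only on weekdays 08:00-17:00, DNS always.
BUSINESS_HOURS = TimeRange(
    "business-hours",
    periodic=[Periodic(WEEKDAYS, time(8, 0), time(17, 0))],
)
ACL = [
    Ace("permit", "tcp", 3389, BUSINESS_HOURS),
    Ace("permit", "udp", 53),
]

if __name__ == "__main__":
    # 2024-06-12 is a Wednesday, 2024-06-15 a Saturday.
    print(evaluate(ACL, "tcp", 3389, "2024-06-12T09:30"))   # permit
    print(evaluate(ACL, "tcp", 3389, "2024-06-15T09:30"))   # deny
```

Note that a deny ACE with an inactive time range is skipped just like a permit ACE, so a time-scoped deny only narrows access during its window; outside the window evaluation falls through to later rules and the implicit deny.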
Browse Source/Destination Address
The Browse Source or Destination Address dialog box lets you select an object to use as a source or destination for this rule.
Fields
• Type—Determines the type of object to use as the source or destination for this rule. Selections are IP Address Objects, IP Names, Network Object Groups, and All. The contents of the table following this field change, depending upon your selection.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode            Security Context
Routed   Transparent     Single   Multiple Context   Multiple System
•        —               •        —                  —
Add TCP Service Group
The Add TCP Service Group dialog box lets you configure a new TCP service group or port to add to the browsable source or destination port list for this protocol in this rule.
• Filter/Clear—Specifies a filter criterion that you can use to search for items in the Name list, thus displaying only those items that match that criterion. When you make an entry in the Filter field, the Filter button becomes active. Clicking the Filter button performs the search. After you perform the search, the Filter button is dimmed, and the Clear button becomes active. Clicking the Clear button clears the filter field and dims the Clear button.
Browse Other
The Browse Other dialog box lets you select a protocol group for this rule.
Fields
• Add—Opens the Add Protocol Group dialog box, on which you can configure a new service group.
• Find—Opens the Filter field.
• Filter/Clear—Specifies a filter criterion that you can use to search for items in the Name list, thus displaying only those items that match that criterion. When you make an entry in the Filter field, the Filter button becomes active.
Firewall Mode            Security Context
Routed   Transparent     Single   Multiple Context   Multiple System
•        —               •        —                  —
Add/Edit Internal Group Policy > Servers
The Add or Edit Group Policy window, Servers item, lets you specify DNS and WINS servers, as well as the DHCP scope and default domain.
– Server Addresses (space delimited)—Specifies the IP addresses of the IPSec backup servers. This field is available only when the value of the Server Configuration selection is Use the Backup Servers Below.
– You must specify the software version for this client. You can specify * to match any version.
– Your entries must match exactly those on the URL for the VPN client, or the TFTP server for the VPN 3002.
– The TFTP server for distributing the hardware client image must be a robust TFTP server.
– If the client is already running a software version on the list, it does not need a software update.
Fields
• Inherit—(Multiple instances) Indicates that the corresponding setting takes its value from the default group policy. Deselecting the Inherit check box makes other options available for the parameter. This is the default option for all attributes on this tab.
• Banner—Specifies whether to inherit the banner from the default group policy or enter new banner text.
Note A carriage return/line feed, created by pressing Enter, counts as 2 characters.
Add or Edit Internal Group Policy > Advanced > IE Browser Proxy
This dialog box configures attributes for Microsoft Internet Explorer.
Fields
• Proxy Server Policy—Configures the Microsoft Internet Explorer browser proxy actions (“methods”) for a client PC.
– Do not modify client proxy settings—Leaves the HTTP browser proxy server setting in Internet Explorer unchanged for this client PC.
– Rotating proxies by time of day or day of the week to accommodate a server maintenance schedule.
– Specifying a backup proxy server to use in case the primary proxy fails.
– Specifying the nearest proxy for roaming users, based on the local subnet.
You can use a text editor to create a proxy auto-configuration (.pac) file for your browser. A .
Add/Edit Internal Group Policy > Client Firewall Tab
The Add or Edit Group Policy window, Client Firewall tab, lets you configure firewall settings for VPN clients for the group policy being added or modified.
Note Only VPN clients running Microsoft Windows can use these firewall features. They are currently not available to hardware clients or other (non-Windows) software clients.
If you require a firewall for a group, make sure the group does not include any clients other than Windows VPN clients. Any other clients in the group (including ASA 5505 in client mode and VPN 3002 hardware clients) are unable to connect.
Note If you have remote users in this group who do not yet have firewall capability, choose Firewall Optional. The Firewall Optional setting allows all the users in the group to connect.
Firewall Mode            Security Context
Routed   Transparent     Single   Multiple Context   Multiple System
•        —               •        —                  —
Add/Edit Internal Group Policy > Hardware Client Tab
The Add or Edit Group Policy > Hardware Client dialog box lets you configure settings for the VPN 3002 hardware client for the group policy being added or modified. The Hardware Client tab parameters do not pertain to the ASA 5505 in client mode.
If you have a default home page on the remote network behind the security appliance, or if you direct the browser to a website on the remote network behind the security appliance, the hardware client directs the browser to the proper pages for user login. When you successfully log in, the browser displays the page you originally entered.
Cisco LEAP authenticates wireless clients to RADIUS servers. It does not include RADIUS accounting services.
Note LEAP users behind a hardware client face a circular dependency: they cannot complete LEAP authentication because they cannot send their credentials to the RADIUS server behind the central-site device over the tunnel, and they cannot send their credentials over the tunnel because they have not yet authenticated on the wireless network.
Fields
• List Name—Specifies the name of the list to be added or selects the name of the list to be modified or deleted.
• URL Display Name—Specifies the URL name displayed to the user.
• URL—Specifies the actual URL associated with the display name.
• Add—Opens the Add Server or URL dialog box, on which you can configure a new server or URL and display name.
Connection Profiles—Configure protocol-specific attributes for connections (tunnel groups).
• Add/Edit—Click to add or edit a Connection Profile (tunnel group).
• Name—The name of the Connection Profile.
• Aliases—Other names by which the Connection Profile is known.
• SSL VPN Client Protocol—Specifies whether SSL VPN clients have access.
• Group Policy—Shows the default group policy for this Connection Profile.
Firewall Mode            Security Context
Routed   Transparent     Single   Multiple Context   Multiple System
•        —               •        —                  —
Setting Advanced Attributes for an IPSec or SSL VPN Connection
Use the advanced attributes to fine-tune the parameters of the IPSec or SSL VPN connection.
Lookup. You append the group to the username in the format username<delimiter>group, where the delimiter is @, #, or !; for example, JaneDoe@VPNGroup, JaneDoe#VPNGroup, or JaneDoe!VPNGroup.
• Password Management—Lets you configure parameters relevant to overriding an account-disabled indication from a AAA server and to notifying users about password expiration. The security appliance supports password management for the RADIUS and LDAP protocols.
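The delimiter-based group lookup above, together with the "strip the realm and group from the username before passing them to the AAA server" options described for the connection profile, is easiest to reason about as a small parser. The following Python is an added example and not Cisco code: it splits a login of the form username<delimiter>group into its parts, applies the strip options, and selects a connection profile from a constructed alias table. Taking the group after the last delimiter and the realm after the last @ in the remainder is this example's own convention, not something the guide states.

```python
"""Added example, not Cisco code: split a login of the form
username<delimiter>group, where the delimiter is one of '@', '#' or '!',
into the user name used for AAA and the group used to pick the connection
profile, and honour "strip realm" / "strip group".  Taking the group after
the LAST delimiter and the realm after the LAST '@' of what remains is this
example's own convention, as are the profile table and sample logins."""
from dataclasses import dataclass
from typing import Dict, Optional

GROUP_DELIMITERS = {"@", "#", "!"}


@dataclass
class LoginName:
    user: str
    realm: Optional[str]
    group: Optional[str]


def parse_login(raw: str, delimiter: str) -> LoginName:
    if delimiter not in GROUP_DELIMITERS:
        raise ValueError(f"unsupported group delimiter {delimiter!r}")
    head, sep, group = raw.rpartition(delimiter)
    if not sep:                        # delimiter absent: the whole string is the user part
        head, group = raw, None
    elif not group:                    # trailing delimiter with no group name
        group = None
    user, at, realm = head.rpartition("@")
    if not at or not realm:            # no realm qualifier on the user part
        user, realm = head, None
    return LoginName(user, realm, group)


def aaa_username(login: LoginName, delimiter: str,
                 strip_realm: bool, strip_group: bool) -> str:
    """The name forwarded to the AAA server under the two strip options."""
    name = login.user
    if login.realm is not None and not strip_realm:
        name += "@" + login.realm
    if login.group is not None and not strip_group:
        name += delimiter + login.group
    return name


# Constructed connection-profile (tunnel-group) alias table.
PROFILES: Dict[str, str] = {"VPNGroup": "engineering-ra", "Sales": "sales-ra"}
DEFAULT_PROFILE = "DefaultRAGroup"


def select_profile(login: LoginName) -> str:
    """Group lookup: an unknown or absent group falls back to the default profile."""
    if login.group is None:
        return DEFAULT_PROFILE
    return PROFILES.get(login.group, DEFAULT_PROFILE)


if __name__ == "__main__":
    login = parse_login("JaneDoe@corp.example.com!VPNGroup", "!")
    print(login, select_profile(login), aaa_username(login, "!", True, True))
```

With @ as the group delimiter, a realm-qualified login such as user@realm is indistinguishable from user@group under this parsing, so prefer # or ! as the delimiter when users sign in with realm-qualified names; and unless the AAA server is configured to expect the suffix, enable both strip options so that the group tag never reaches it.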
Note This does not change the number of days before the password expires, but rather, it enables the notification. If you select this option, you must also specify the number of days.
• Keep Installer on Client System—Enable to allow permanent client installation on the remote computer. Enabling this option disables the automatic uninstall feature of the client. The client remains installed on the remote computer for subsequent connections, reducing the connection time for the remote user.
Figure 35-1 Prompt Displayed to Remote Users for SSL VPN Client Download
Fields
• Inherit—Check to inherit the value from the default group policy.
• Post Login Setting—Choose to prompt the user and set the timeout to perform the default post login selection.
• Default Post Login Selection—Choose an action to perform after login.
Dead Peer Detection
Dead Peer Detection (DPD) ensures that the security appliance (gateway) or the client can quickly detect a condition where the peer is not responding and the connection has failed.
Fields
• Gateway Side Detection—Uncheck the Disable check box to specify that DPD is performed by the security appliance (gateway). Enter the interval, from 30 to 3600 seconds, at which the security appliance performs DPD.
Fields
• View (Unlabeled)—Indicates whether the selected entry is expanded (minus sign) or contracted (plus sign).
• # column—Specifies the ACE ID number.
• Enable—Indicates whether this ACL is enabled or disabled. You can enable or disable the ACL using this check box.
• Action—Specifies whether this ACL permits or denies access.
• Type—Specifies whether this ACL applies to a URL or a TCP address/port.
– Add—Opens the Add Clientless SSL VPN dialog box for the selected connection.
– Edit—Opens the Edit Clientless SSL VPN dialog box for the selected connection.
– Delete—Removes the selected connection from the table. There is no confirmation or undo.
• Clientless SSL VPN attributes.
Add or Edit Clientless SSL VPN Connections > Advanced > General
Use this window to specify whether to strip the realm and group from the username before passing them to the AAA server, and to specify password management options.
day that the password expires. The default is to notify the user 14 days prior to password expiration and every day thereafter until the user changes the password. The range is 1 through 180 days.
Note This does not change the number of days before the password expires, but rather, it enables the notification. If you select this option, you must also specify the number of days.
Assign Authentication Server Group to Interface
This dialog box lets you associate an interface with a AAA server group. The results appear in the table on the Authentication dialog box.
Fields
• Interface—Selects an interface: DMZ, Outside, or Inside. The default is DMZ.
• Server Group—Selects a server group to assign to the selected interface. The default is LOCAL.
• Manage—Opens the Configure AAA Server Groups dialog box.
Add or Edit SSL VPN Connections > Advanced > SSL VPN
This dialog box lets you configure attributes that affect what the remote user sees upon login.
Fields
• Login Page Customization—Configures the look and feel of the user login page by specifying which preconfigured customization attributes to apply. The default is DfltCustomization.
• Manage—Opens the Configure GUI Customization Objects window.
Add or Edit Clientless SSL VPN Connections > Advanced > Name Servers
The table on this dialog box shows the attributes of the already-configured NetBIOS servers. The Add or Edit Tunnel Group window for Clientless SSL VPN access, NetBIOS dialog box, lets you configure the NetBIOS attributes for the tunnel group. Clientless SSL VPN uses NetBIOS and the Common Internet File System (CIFS) protocol to access or share files on remote systems.
Add or Edit Clientless SSL VPN Connections > Advanced > Clientless SSL VPN
This dialog box lets you specify portal-related attributes for Clientless SSL VPN connections.
Fields
• Portal Page Customization—Selects the customization to apply to the user interface.
• Manage—Opens the Configure GUI Customization Objects dialog box.
Firewall Mode            Security Context
Routed   Transparent     Single   Multiple Context   Multiple System
•        —               •        —                  —
Add or Edit an IPSec Remote Access Connection Profile
The Add or Edit IPSec Remote Access Connection Profile dialog box has a navigation pane that lets you select basic or advanced elements to configure.
– Manage—Opens the Configure Group Policies dialog box, from which you can add, edit, or delete group policies.
– Client Protocols—Selects the protocol or protocols to use for this connection. By default, both IPSec and L2TP over IPSec are selected.
• Add/Edit Certificate Matching Rule Criterion
Add/Edit Certificate Matching Rule
Use the Add/Edit Certificate Matching Rule dialog box to assign the name of a list (map) to a connection profile.
Fields
• Map—Choose one of the following:
– Existing—Select the name of the map to include the rule.
– New—Enter a new map name for a rule.
Firewall Mode            Security Context
Routed   Transparent     Single   Multiple Context   Multiple System
•        —               •        —                  —
Add/Edit Certificate Matching Rule Criterion
Use the Add/Edit Certificate Matching Rule Criterion dialog box to configure a certificate matching rule criterion for the selected group.
Fields
• Rule Priority—(Display only) Sequence in which the security appliance evaluates the map when it receives a connection request.
DN Field               Definition
Surname (SN)           The family name or last name of the certificate owner.
State/Province (S/P)   The state or province where the organization is located.
Title (T)              The title of the certificate owner, such as Dr.
User ID (UID)          The identification number of the certificate owner.
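To make the certificate matching rules concrete, here is an added Python example that is not part of the ASDM guide or of Cisco's software. It parses a peer certificate's subject and issuer DNs into the fields listed above, evaluates each map's criteria (DN, field, operator, value) with the rule that every criterion in a map must match, tries the maps in priority order, and returns the connection profile. The eq/ne/co/nc operator set mirrors the ASA certificate map; the case-insensitive comparison, the naive DN parser and the sample certificates are this example's own assumptions.

```python
"""Added example, not from the ASDM guide: evaluate certificate matching rules
against a peer certificate's subject and issuer DNs and select a connection
profile.  Each criterion names the DN (subject or issuer), a DN field, an
operator and a value; a map matches only when ALL its criteria match, and maps
are tried in priority order (lowest number first).  The eq/ne/co/nc operator
set follows the ASA certificate map; case-insensitive comparison, the naive DN
parser and the sample certificates are this example's own assumptions."""
from dataclasses import dataclass
from typing import Dict, List


def parse_dn(dn: str) -> Dict[str, str]:
    """'CN=Jane Doe, OU=Engineering, O=Example Corp, C=US' -> dict keyed by
    upper-case attribute type.  Values containing commas are not handled."""
    fields: Dict[str, str] = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields


@dataclass
class Criterion:
    dn: str       # "subject" or "issuer"
    field: str    # CN, OU, O, C, SN, ST, T, UID, ...
    op: str       # eq (equals), ne (not equals), co (contains), nc (not contains)
    value: str

    def matches(self, subject: Dict[str, str], issuer: Dict[str, str]) -> bool:
        source = subject if self.dn == "subject" else issuer
        actual = source.get(self.field.upper(), "").lower()
        wanted = self.value.lower()
        if self.op == "eq":
            return actual == wanted
        if self.op == "ne":
            return actual != wanted
        if self.op == "co":
            return wanted in actual
        if self.op == "nc":
            return wanted not in actual
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass
class CertMap:
    name: str
    priority: int
    criteria: List[Criterion]
    profile: str

    def matches(self, subject: Dict[str, str], issuer: Dict[str, str]) -> bool:
        # Every criterion in the map must hold for the map to match.
        return all(c.matches(subject, issuer) for c in self.criteria)


def select_profile(maps: List[CertMap], subject_dn: str, issuer_dn: str,
                   default: str = "DefaultRAGroup") -> str:
    subject, issuer = parse_dn(subject_dn), parse_dn(issuer_dn)
    for cert_map in sorted(maps, key=lambda m: m.priority):
        if cert_map.matches(subject, issuer):
            return cert_map.profile
    return default


# Constructed maps: contractors first, then staff certificates from the internal CA.
MAPS = [
    CertMap("contractors", 10,
            [Criterion("subject", "OU", "co", "Contractor")], "contractor-ra"),
    CertMap("engineering", 20,
            [Criterion("subject", "OU", "eq", "Engineering"),
             Criterion("issuer", "CN", "eq", "Example Corp Internal CA")],
            "engineering-ra"),
]
INTERNAL_CA = "CN=Example Corp Internal CA, O=Example Corp, C=US"

if __name__ == "__main__":
    print(select_profile(MAPS, "CN=Jane Doe, OU=Engineering, O=Example Corp, C=US", INTERNAL_CA))
```

The issuer criterion in the second map is what stops a certificate with a matching subject OU but issued by a different CA from landing in the engineering profile; pinning the issuer in each map is worth doing whenever more than one CA is trusted on the appliance.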
Add/Edit Site-to-Site Connection
The Add or Edit IPSec Site-to-Site Connection dialog box lets you create or modify an IPSec Site-to-Site connection. These dialog boxes let you specify the peer IP address, specify a connection name, select an interface, specify IKE peer and user authentication parameters, specify protected networks, and specify encryption algorithms.
Adding or Editing a Site-to-Site Tunnel Group
The Add or Edit IPSec Site-to-Site Tunnel Group dialog box lets you specify attributes for the IPSec site-to-site connection that you are adding. In addition, you can select IKE peer and user authentication parameters, configure IKE keepalive monitoring, and select the default group policy.
Fields
• Name—Specifies the name assigned to this tunnel group.
Firewall Mode            Security Context
Routed   Transparent     Single   Multiple Context   Multiple System
•        —               •        —                  —
Crypto Map Entry
In this window, specify crypto parameters for the Connection Profile.
Fields
• Priority—A unique priority (1 through 65535, with 1 the highest priority).
• Perfect Forward Secrecy—Ensures that the key for a given IPSec SA is not derived from any other secret, such as the IKE SA keying material or the key of another IPSec SA: with PFS a fresh Diffie-Hellman exchange is performed for each SA. If an attacker recovers one key, PFS ensures that it cannot be used to derive any other key. If you enable PFS, the Diffie-Hellman Group list becomes active.
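The following Python is an added example, not from the ASDM guide, that shows concretely what the Perfect Forward Secrecy check box changes. It models the IKEv1 Quick Mode key derivation in the RFC 2409 shape, prf(SKEYID_d, [g^xy |] protocol | SPI | Ni_b | Nr_b), with HMAC-SHA256 as the prf, and then plays the attacker who later obtains SKEYID_d from the Phase 1 SA: without PFS the IPsec SA key is recomputable from SKEYID_d plus values captured off the wire, with PFS it is not. The Diffie-Hellman group (2^127-1, generator 2), the function names and the leaked-key scenario are this example's own constructions; the group is for demonstration only.

```python
"""Added example, not from the ASDM guide: a toy IKEv1 Quick Mode key
derivation that shows what Perfect Forward Secrecy changes.  KEYMAT follows
the RFC 2409 shape, prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b),
with HMAC-SHA256 as the prf and a tiny demonstration Diffie-Hellman group
(2^127-1, generator 2) that must never be used for real traffic.  The
function names and the 'leaked SKEYID_d' scenario are this example's own."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

P = 2 ** 127 - 1      # demo prime only; real IKE uses MODP groups of 2048+ bits
G = 2
ESP = 3               # IPsec protocol ID for ESP in the KEYMAT derivation


def dh_keypair() -> Tuple[int, int]:
    """Private exponent and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes,
           gxy: Optional[int]) -> bytes:
    """With PFS the fresh g^xy is mixed in; without it KEYMAT depends only on
    SKEYID_d from the Phase 1 SA and on values sent in the clear."""
    data = (gxy.to_bytes(16, "big") if gxy is not None else b"")
    data += bytes([ESP]) + spi + ni + nr
    return hmac.new(skeyid_d, data, hashlib.sha256).digest()


def quick_mode(skeyid_d: bytes, pfs: bool) -> Tuple[bytes, bytes, Dict[str, object]]:
    """Return (initiator key, responder key, values a passive observer sees)."""
    spi, ni, nr = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    wire: Dict[str, object] = {"spi": spi, "ni": ni, "nr": nr}
    if not pfs:
        k = keymat(skeyid_d, spi, ni, nr, None)
        return k, k, wire
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    wire.update(gxi=gxi, gxr=gxr)                  # only public values cross the wire
    ki = keymat(skeyid_d, spi, ni, nr, pow(gxr, xi, P))
    kr = keymat(skeyid_d, spi, ni, nr, pow(gxi, xr, P))
    return ki, kr, wire


def recover_key(leaked_skeyid_d: bytes, wire: Dict[str, object],
                initiator_exponent: Optional[int] = None) -> Optional[bytes]:
    """An attacker who later obtains SKEYID_d replays the derivation from the
    captured public values.  Without PFS that suffices.  With PFS the attacker
    also needs one side's private exponent, which was never transmitted, so
    absent that (or a discrete-log break of the group) no key is recoverable."""
    spi, ni, nr = wire["spi"], wire["ni"], wire["nr"]
    if "gxi" not in wire:
        return keymat(leaked_skeyid_d, spi, ni, nr, None)
    if initiator_exponent is None:
        return None
    return keymat(leaked_skeyid_d, spi, ni, nr, pow(wire["gxr"], initiator_exponent, P))


if __name__ == "__main__":
    skeyid_d = secrets.token_bytes(32)
    _, _, wire = quick_mode(skeyid_d, pfs=False)
    print("no PFS, key recovered:", recover_key(skeyid_d, wire) is not None)
    _, _, wire = quick_mode(skeyid_d, pfs=True)
    print("PFS, key recovered:", recover_key(skeyid_d, wire) is not None)
```

The cost of PFS is one extra Diffie-Hellman exponentiation per side per IPsec SA rekey, which is why it is offered as a per-crypto-map option; when it is enabled, the Diffie-Hellman group chosen in the list determines the strength of that protection.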
• Show Details—Displays detailed information about a certificate that you select in the table.
• Delete—Removes the selected certificate from the table. There is no confirmation or undo.
Fields
• The radio buttons specify whether to check certificates for revocation. The values of these buttons are as follows:
– Do not check certificates for revocation
– Check certificates for revocation
• Revocation Methods area—Lets you specify the method (CRL or OCSP) to use for revocation checking, and the order in which to use these methods. You can choose either or both methods.
Note Allowing override account-disabled is a potential security risk.
– Enable notification upon password expiration to allow user to change password—Checking this check box makes the following two parameters available. You can select either to notify the user at login a specific number of days before the password expires or to notify the user only on the day that the password expires.
– To add an address pool to the security appliance, choose Add. The Add IP Pool dialog box opens.
– To change the configuration of an address pool on the security appliance, choose Edit. The Edit IP Pool dialog box opens if the addresses in the pool are not in use.
Note You cannot modify an address pool if it is already in use.
Fields
Use the following descriptions to assign values to the fields in this window:
• Global Client Address Assignment Policy—Configures a policy that affects all IPSec and SSL VPN Client connections (including AnyConnect client connections).
Select Address Pools
The Select Address Pools window shows the pool name, starting and ending addresses, and subnet mask of address pools available for client address assignment and lets you add, edit, or delete entries from that list. To access this window, choose Config > Remote Access VPN > Network (Client) Access > IPsec or SSL VPN Connections > Add or Edit > Advanced > Client Addressing > Add or Edit > Select.
Firewall Mode            Security Context
Routed   Transparent     Single   Multiple Context   Multiple System
•        —               •        —                  —
Add/Edit Tunnel Group > General Tab > Authentication
This dialog box is available for IPSec on Remote Access and Site-to-Site tunnel groups. The settings on this dialog box apply to the tunnel group globally across the security appliance. To set authentication server group settings per interface, click Advanced.
– Server Group—Select an available, previously configured authorization server group or group of servers, including the LOCAL group. You can associate a server group with more than one interface.
– Add—Click Add to add the interface/server group setting to the table and remove the interface from the available list.
Add/Edit SSL VPN Connections > Advanced > Accounting
The settings on this dialog box apply to the connection (tunnel group) globally across the security appliance. This dialog box lets you configure the following attribute:
• Accounting Server Group—Lists the available accounting server groups. You can also select None (the default). LOCAL is not an option.
• Manage—Opens the Configure AAA Server Groups dialog box.
Add/Edit Tunnel Group > General > Advanced
The Add or Edit Tunnel Group window, General, Advanced dialog box, lets you configure the following interface-specific attributes:
• Interface-Specific Authentication Server Groups—Lets you configure an interface and server group for authentication.
– Interface—Lists available interfaces for selection.
– Server Group—Lists authentication server groups available for this interface.
• Authentication Mode—Specifies the authentication mode: none, xauth, or hybrid.
– none—Specifies no authentication mode.
– xauth—Specifies the use of IKE Extended Authentication mode, which provides the capability of authenticating a user within IKE using TACACS+ or RADIUS.
• Client VPN Software Update Table—Lists the client type, VPN Client revisions, and image URL for each client VPN software package installed. For each client type, you can specify the acceptable client software revisions and the URL or IP address from which to download software upgrades, if necessary.
• Default Group Policy—Specifies the following group-policy attributes:
– Group Policy—Selects a group policy to use as the default group policy. The default value is DfltGrpPolicy.
– Manage—Opens the Configure Group Policies dialog box.
– IPSec Protocol—Enables or disables the use of the IPSec protocol for this connection profile.
Fields
• Name—Specifies the name assigned to this tunnel group. For the Edit function, this field is display-only.
• Type—(Display-only) Displays the type of tunnel group you are adding or editing. The contents of this field depend on your selection on the previous window.
• Group Policy—Lists the currently configured group policies. The default value is the default group policy, DfltGrpPolicy.
– Enable notification prior to expiration—When you check this option, the security appliance notifies the remote user at login that the current password is about to expire or has expired, then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password.
2. An extended authentication (xauth) exchange then authenticates the remote VPN user. This extended authentication can use one of the supported legacy authentication methods.
Note Before setting the authentication type to hybrid, you must configure the authentication server and create a pre-shared key.
– Image URL—Specifies the URL or IP address from which the correct VPN client software image can be downloaded. For Windows-based VPN clients, the URL must be of the form http:// or https://. For ASA 5505 in client mode or VPN 3002 hardware clients, the URL must be of the form tftp://.
that support such notification; that is, RADIUS, RADIUS with an NT server, and LDAP servers. The security appliance ignores this command if RADIUS or LDAP authentication has not been configured. Note that this does not change the number of days before the password expires, but rather, it enables the notification. If you check this check box, you must also specify the number of days.
– Notify...
Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connection Profiles Firewall Mode Security Context Multiple Routed • Transparent Single Context System — — — • Configuring Internal Group Policy IPSec Client Attributes Use this window to specify whether to strip the realm and group from the username before passing them to the AAA server, and to specify password management options.
Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connection Profiles Allowing override account-disabled is a potential security risk. Note – Enable notification upon password expiration to allow user to change password—Checking this check box makes the following two parameters available. You can select either to notify the user at login a specific number of days before the password expires or to notify the user only on the day that the password expires.
Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connection Profiles • Add—Opens the Assign Address Pools to Interface window, on which you can select an interface and select an address pool to assign. • Edit—Opens the Assign Address Pools to Interface window with the interface and address pool fields filled in. • Delete—Deletes the selected interface-specific address pool. There is no confirmation or undo.
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
•        —             •        —                  —
Add or Edit an IP Address Pool
Configures or modifies an IP address pool.
Fields
• Name—Specifies the name assigned to the IP address pool.
• Starting IP Address—Specifies the first IP address in the pool.
• Ending IP Address—Specifies the last IP address in the pool.
• Subnet Mask—Selects the subnet mask to apply to the addresses in the pool.
You can require an access rule to apply to the local IP addresses by unchecking this option. The access rule applies to the local IP address, and not to the original client IP address used before the VPN packet was decrypted.
• Limit the maximum number of active IPSec VPN sessions—Enables or disables limiting the maximum number of active IPSec VPN sessions. The range depends on the hardware platform and the software license.
• Policy—Selects the split-tunneling policy, specifying whether to include or exclude from the tunnel the indicated network lists. If you do not select Inherit, the default is Exclude Network List Below.
• Network List—Selects the networks to which to apply the split-tunneling policy. If you do not select Inherit, the default is --None--.
• Manage—Opens the ACL Manager dialog box, on which you can configure access control lists to use as network lists.
Zone Labs Integrity Server
Note: The current release of the security appliance supports one Integrity Server at a time even though the user interfaces support the configuration of up to five Integrity Servers. If the active server fails, configure another Integrity Server on the security appliance and then reestablish the client VPN session.
Fields
• Server IP address—Type the IP address of the Integrity Server. Use dotted decimal notation.
Easy VPN Remote
Easy VPN Remote lets the ASA 5505 act as an Easy VPN client device. The ASA 5505 can then initiate a VPN tunnel to an Easy VPN server, which can be a security appliance, a Cisco VPN 3000 Concentrator, an IOS-based router, or a firewall acting as an Easy VPN server. The Easy VPN client supports one of two modes of operation: Client Mode or Network Extension Mode (NEM).
– Group Password—Specifies the password to use with the specified group policy.
– Confirm Password—Requires you to confirm the group password just entered.
– X.509 Certificate—Specifies the use of an X.509 digital certificate, supplied by a Certificate Authority, for authentication.
– Select Trustpoint—Lets you select a configured trustpoint (identified by its name) from the drop-down list.
Advanced Easy VPN Properties
Device Pass-Through
Certain devices like Cisco IP phones, printers, and the like are incapable of performing authentication, and therefore of participating in individual unit authentication. To accommodate these devices, the device pass-through feature, enabled by the MAC Exemption attributes, exempts devices with the specified MAC addresses from authentication when Individual User Authentication is enabled.
– Add—Moves the specified IP address and mask to the IP Address/Mask list.
– Remove—Moves the selected IP address and mask pair from the IP Address/Mask list to the individual IP Address and Mask fields in this area.
– IP Address/Mask—Lists the configured IP address and mask pairs to be operated on by the Enable or Clear functions in this area.
• IPSec Over TCP—Configure the Easy VPN Remote connection to use TCP-encapsulated IPSec.
Chapter 36 Configuring Dynamic Access Policies
This chapter describes how to configure dynamic access policies. It includes the following sections:
• Understanding VPN Access Policies
• Add/Edit Dynamic Access Policies
• Add/Edit AAA Attributes
• Retrieve AD Groups from selected AD Server Group
• Add/Edit Endpoint Attributes
• Operator for Endpoint Category
• DAP Examples
Understanding VPN Access Policies
VPN gateways operate in dynamic environments.
• DfltAccessPolicy—Always the last entry in the DAP summary table, always with a priority of 0. You can configure Access Policy attributes for the default access policy, but it does not contain—and you cannot configure—AAA or endpoint attributes. You cannot delete the DfltAccessPolicy, and it must be the last entry in the summary table.
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
•        •             •        —                  —
DAP Support for Remote Access Connection Types
The DAP system supports the following remote access methods:
• IPsec VPN
• Clientless (browser-based) SSL VPN
• Cisco AnyConnect SSL VPN
• PIX cut-through proxy (posture assessment not available)
DAP and AAA
DAP complements AAA services.
Table 36-1 AAA Selection Attributes for DAP Use (continued)
LDAP aaa.ldap.
Table 36-3 Endpoint Attribute Definitions (continued)
Attribute Type: Antivirus (requires Cisco Secure Desktop)
Attribute Name                  Source      Value    Max String Length   Description
endpoint.av.label.exists        Host Scan   true     —                   Antivirus program exists
endpoint.av.label.version       Host Scan   string   32                  Version
endpoint.av.label.description   Host Scan   string   128                 Antivirus description
endpoint.av.label.
DAP and Anti-Virus, Anti-Spyware, and Personal Firewall Programs
The security appliance uses a DAP policy when the user attributes match the configured AAA and endpoint attributes.
Fields
• Selection Criteria—Determine the AAA and endpoint attributes to test for dynamic access policy retrieval.
• AAA Attributes
– AAA Attribute—Identifies the AAA attribute.
– Operation Value—Identifies the attribute as =/!= to the given value.
– Add/Edit—Click to add or edit a AAA attribute.
• Endpoint Attributes—Identifies the endpoint attribute.
– Endpoint ID—Provides the endpoint attribute ID.
Step 8 In the Advanced field you can enter one or more logical expressions to set AAA or endpoint attributes other than what is possible in the AAA and Endpoint areas above.
Step 9 To configure network and webtype ACLs, file browsing, file server entry, HTTP proxy, URL entry, port forwarding lists and URL lists, set values in the Access Policy Attributes fields.
• Access Policy Attributes—These tabs let you set attributes for network and webtype ACL filters, file access, HTTP proxy, URL entry and lists, port forwarding, and clientless SSL VPN access methods. Attribute values that you configure here override authorization values in the AAA system, including those in existing user, group, tunnel group, and default group records.
– File Server Browsing—Enables or disables CIFS browsing for file servers or shared features.
Note: Browsing requires NBNS (Master Browser or WINS). If that fails or is not configured, DNS is used.
Note: The CIFS browse feature does not support internationalization.
– File Server Entry—Allows or prohibits a user from entering file server paths and names on the portal page.
Cisco has tested the following applications: Windows Terminal Services, Telnet, Secure FTP (FTP over SSH), Perforce, Outlook Express, and Lotus Notes. Other TCP-based applications may also work, but Cisco has not tested them.
Note: Port Forwarding does not work with some SSL/TLS versions.
Caution: Make sure Sun Microsystems Java™ Runtime Environment (JRE) 1.
– Both-default-AnyConnect Client—Connect via either clientless or the AnyConnect client, with a default of AnyConnect.
LDAP attributes consist of an attribute name and attribute value pair in the DAP record.
• RADIUS—The RADIUS client stores all native RADIUS response attribute value pairs in a database associated with the AAA session for the user. The RADIUS client writes the response attributes to the database in the order in which it receives them. If it receives more than one attribute with the same name, it keeps the first and discards all subsequent attributes with that name.
Retrieve AD Groups from selected AD Server Group
You can query an Active Directory server for available AD groups in this window. This feature applies only to Active Directory servers using LDAP. Use the group information to specify dynamic access policy AAA selection criteria. You can change the level in the Active Directory hierarchy where the search begins by changing the Group Base DN in the Edit AAA Server window.
Fields
• Endpoint Attribute Type—Select from the drop-down list the endpoint attribute you want to set. Options include Antispyware, Antivirus, Application, File, NAC, Operating System, Personal Firewall, Process, Registry, VLAN, and Priority. Endpoint attributes include these components, but not all attributes include all components.
QUARANTINE   Posture assessment failed, switch to quarantine VLAN
ERROR        Posture assessment failed due to fatal error
• Policy (Location)—Enter the Cisco Secure Desktop Microsoft Windows location profile, case sensitive.
“EQ” equal
“NE” not equal
“LT” less than
“GT” greater than
“LE” less than or equal
“GE” greater than or equal
A string in quotation marks that contains the value to compare the attribute against
One of the following strings (quotation marks required):
“string” case-sensitive string comparison
“caseless” case-insensitive string comparison
“integer” number comparison, converts string values to
You use ASDM to configure CheckAndMsg through the Advanced field in DAP. The security appliance displays the message to the user only when the DAP record containing the Lua CheckAndMsg function is selected and results in a clientless SSL VPN or AnyConnect termination.
You can build the expression in this example because the debug dap trace returns:
  endpoint.os.windows.hotfix["KB923414"] = "true";
Checking for Antivirus Programs
You can configure messages so that the end user is aware of and able to fix problems with antivirus programs that are missing or not running.
The expected result is that the connection is not allowed and the message appears as a blinking exclamation point (!).
Step 5 Click the blinking ! to see the message and links for remediation.
Advanced Lua Functions
When working with dynamic access policies for clientless SSL VPN, you might need additional flexibility of match criteria.
end)()
Further Information on Lua
You can find detailed Lua programming information at http://www.lua.org/manual/5.1/manual.html.
Operator for Endpoint Category
You can configure multiple instances of each type of endpoint. In this pane, set each type of endpoint to require only one instance of a type (Match Any = OR) or to have all instances of a type (Match All = AND).
Using DAP to Apply a WebVPN ACL
DAP can directly enforce a subset of access policy attributes including Network ACLs (for IPsec and AnyConnect), clientless SSL VPN Web-Type ACLs, URL lists, and Functions. It cannot directly enforce, for example, a banner or the split tunnel list, which the group policy enforces.
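The selection behaviour this chapter describes in pieces (the priority-ordered DAP table with DfltAccessPolicy always last at priority 0, the =/!= AAA criteria, the RADIUS rule that later attributes with the same name are discarded, the EVAL operators and string/caseless/integer comparison types, the Match Any/Match All operator for an endpoint category, and the Network ACLs that matching records contribute) is pulled together below in a small Python model. This is an added example written for this page, not code from the ASDM guide or from the security appliance. The record names, ACL names, trace lines and RADIUS attribute pairs are constructed; the aaa.radius.<name> attribute form, the rule that a missing attribute never satisfies a comparison, and the rule that DfltAccessPolicy applies only when no other record matches are assumptions of the model, and parse_dap_trace is a helper for this example, not a Cisco API.

```python
import re
from dataclasses import dataclass, field

# Added example, not code from the ASDM guide or the security appliance.
# Models DAP record selection: every AAA criterion must hold, each endpoint
# category is combined with its Match Any (OR) / Match All (AND) operator,
# matching records are applied in priority order, and DfltAccessPolicy
# (priority 0) is the fallback. Assumptions: attribute names use the
# aaa.<server>.<name> and endpoint.<category>["<label>"].<field> forms, a
# missing attribute never satisfies a comparison, DfltAccessPolicy applies
# only when nothing else matched, and any matching record whose action is
# "terminate" ends the session.

# One "debug dap trace" line, e.g.  endpoint.os.windows.hotfix["KB923414"] = "true";
TRACE_LINE = re.compile(r'^\s*(?P<name>[A-Za-z0-9_.\[\]"]+)\s*=\s*"(?P<value>[^"]*)";\s*$')


def parse_dap_trace(text):
    """Turn debug dap trace lines into a flat {attribute: value} map."""
    attrs = {}
    for line in text.splitlines():
        m = TRACE_LINE.match(line)
        if m:
            attrs[m.group("name")] = m.group("value")
    return attrs


def load_radius_attributes(avps):
    """Store RADIUS response AVPs in receive order; a later AVP with the
    same name is discarded, as the chapter describes."""
    db = {}
    for name, value in avps:
        db.setdefault("aaa.radius." + name, value)
    return db


def dap_eval(attrs, name, op, value, kind="string"):
    """Python model of EVAL(attribute, operator, value, type) from the DAP
    Lua API: op is EQ/NE/LT/GT/LE/GE, kind is string, caseless or integer."""
    left = attrs.get(name)
    if left is None:
        return False
    if kind == "integer":
        try:
            a, b = int(left), int(value)
        except ValueError:
            return False
    elif kind == "caseless":
        a, b = left.lower(), value.lower()
    elif kind == "string":
        a, b = left, value
    else:
        raise ValueError("unknown comparison type %r" % kind)
    return {"EQ": a == b, "NE": a != b, "LT": a < b,
            "GT": a > b, "LE": a <= b, "GE": a >= b}[op]


@dataclass
class DapRecord:
    name: str
    priority: int
    aaa: list = field(default_factory=list)       # (attribute, "EQ"/"NE", value)
    endpoint: dict = field(default_factory=dict)  # category -> [(attr, op, value, type)]
    operator: dict = field(default_factory=dict)  # category -> "any" | "all"
    network_acls: list = field(default_factory=list)
    action: str = "continue"                      # "continue" or "terminate"

    def matches(self, attrs):
        if not all(dap_eval(attrs, a, op, v) for a, op, v in self.aaa):
            return False
        for category, tests in self.endpoint.items():
            combine = any if self.operator.get(category, "any") == "any" else all
            if not combine([dap_eval(attrs, a, op, v, k) for a, op, v, k in tests]):
                return False
        return True


def select_dap(records, attrs):
    """Return (action, aggregated network ACLs, names of the records applied)."""
    matched = sorted((r for r in records if r.name != "DfltAccessPolicy" and r.matches(attrs)),
                     key=lambda r: r.priority, reverse=True)
    if not matched:
        matched = [r for r in records if r.name == "DfltAccessPolicy"]
    action = "terminate" if any(r.action == "terminate" for r in matched) else "continue"
    acls = [acl for r in matched for acl in r.network_acls]
    return action, acls, [r.name for r in matched]


# Constructed DAP records (hypothetical names and ACLs).
RECORDS = [
    DapRecord("av-running", 30,
              endpoint={"av": [('endpoint.av["McAfeeAV"].running', "EQ", "true", "string"),
                               ('endpoint.av["SymantecAV"].running', "EQ", "true", "string")]},
              operator={"av": "any"},           # Match Any: either product running
              network_acls=["inside-full"]),
    DapRecord("no-av", 20,
              endpoint={"av": [('endpoint.av["McAfeeAV"].running', "NE", "true", "string"),
                               ('endpoint.av["SymantecAV"].running', "NE", "true", "string")]},
              operator={"av": "all"},           # Match All: no product running
              action="terminate"),
    DapRecord("finance", 10,
              aaa=[("aaa.radius.class", "EQ", "finance")],
              network_acls=["finance-servers"]),
    DapRecord("DfltAccessPolicy", 0, network_acls=["restricted"]),
]

# Constructed trace output for a healthy endpoint (not captured from a device).
TRACE_OK = '''
endpoint.os.version = "Windows XP";
endpoint.os.windows.hotfix["KB923414"] = "true";
endpoint.av["McAfeeAV"].exists = "true";
endpoint.av["McAfeeAV"].running = "true";
endpoint.av["SymantecAV"].exists = "true";
endpoint.av["SymantecAV"].running = "false";
'''
TRACE_NO_AV_RUNNING = TRACE_OK.replace('endpoint.av["McAfeeAV"].running = "true"',
                                       'endpoint.av["McAfeeAV"].running = "false"')


def evaluate_session(trace_text, radius_avps, records=RECORDS):
    attrs = parse_dap_trace(trace_text)
    attrs.update(load_radius_attributes(radius_avps))
    return select_dap(records, attrs)


if __name__ == "__main__":
    # Two "class" AVPs arrive; only the first one is kept.
    print(evaluate_session(TRACE_OK, [("class", "finance"), ("class", "marketing")]))
    print(evaluate_session(TRACE_NO_AV_RUNNING, [("class", "finance")]))
```

The "integer" comparison type matters more than it looks: compared as strings, a version "8" is greater than or equal to "10", so a minimum-version check written with the "string" type silently passes old software.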
Chapter 37 Clientless SSL VPN End User Set-up
This section is for the system administrator who sets up Clientless (browser-based) SSL VPN for end users. It summarizes configuration requirements and tasks for the user's remote system. It also specifies information to communicate to users to get them started using Clientless SSL VPN.
Communicating Security Tips
Advise users always to log out from the session. (To log out of Clientless SSL VPN, click the logout icon on the Clientless SSL VPN toolbar or close the browser.) Advise users that using Clientless SSL VPN does not ensure that communication with every site is secure.
Configuring Remote Systems to Use Clientless SSL VPN Features
Table 37-2 Clientless SSL VPN Remote System Configuration and End User Requirements
Task: Starting Clientless SSL VPN
  Remote System or End User Requirements: Connection to the Internet
  Specifications or Use Suggestions: Any Internet connection is supported, including:
  • Home DSL, cable, or dial-ups
  • Public kiosks
  • Hotel hook-ups
  • Airport wireless
  Remote System or End User Requirements: Clientless SSL VPN-supported browser
Task: Using the Floating Toolbar in a Clientless SSL VPN Connection
  Specifications or Use Suggestions: A floating toolbar is available to simplify the use of Clientless SSL VPN.
Task: Network Browsing and File Management
  Remote System or End User Requirements: File permissions configured for shared remote access
  Specifications or Use Suggestions: Only shared folders and files are accessible via Clientless SSL VPN.
Task: Using Applications
  Note: On Macintosh OS X, only the Safari browser supports this feature.
Task: Using E-mail via Application Access
  Remote System or End User Requirements: Fulfill requirements for Application Access (see Using Applications)
  Specifications or Use Suggestions: Note: To use mail, start Application Access from the Clientless SSL VPN Home page. The mail client is then available for use.
Capturing Clientless SSL VPN Data
Creating a Capture File
Perform the following steps to capture data about a Clientless SSL VPN session to a file.
Step 1 To start the Clientless SSL VPN capture utility, use the capture command from privileged EXEC mode.
  capture capture_name type webvpn user webvpn_username
where:
• capture_name is a name you assign to the capture, which is also prepended to the name of the capture files.
  https://IP_address or hostname of the security appliance/webvpn_capture.html
The captured content displays in a sniffer format.
Step 4 When you finish examining the capture content, stop the capture by using the no version of the command.
Chapter 38 Clientless SSL VPN
Clientless SSL VPN lets users establish a secure, remote-access VPN tunnel to the security appliance using a web browser. There is no need for either a software or hardware client. Clientless SSL VPN provides easy access to a broad range of web resources and both web-enabled and legacy applications from almost any computer that can reach HTTPS Internet sites.
Security Precautions
• Educate users. If an SSL-enabled site is not inside the private network, users should not visit this site over a Clientless SSL VPN connection. They should open a separate browser window to visit such sites, and use that browser to view the presented certificate.
ACLs
You can configure ACLs (Access Control Lists) to apply to user sessions. These are filters that permit or deny user access to specific networks, subnets, hosts, and web servers.
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
•        —             •        —                  —
Add ACL
This pane lets you create a new ACL.
Fields
• ACL Name—Enter a name for the ACL. Maximum 55 characters.
Add/Edit ACE
An Access Control Entry permits or denies access to specific URLs and services. You can configure multiple ACEs for an ACL. ACLs apply ACEs in priority order, acting on the first match.
Examples
Here are examples of ACLs for Clientless SSL VPN:
Action   Filter                                            Effect
Deny     url http://*.yahoo.com/                           Denies access to all of Yahoo!
Deny     url cifs://fileserver/share/directory             Denies access to all files in the specified location.
Deny     url https://www.company.com/directory/file.html   Denies access to the specified file.
Permit   url https://www.company.
Configuring the Setup for Cisco Secure Desktop
Note: If you click the Browse Flash button to upgrade or downgrade the Cisco Secure Desktop image, select the package to install, and click OK, the Uninstall Cisco Secure Desktop dialog window asks you if you want to delete the Cisco Secure Desktop distribution currently in the running configuration from the flash device.
You can use the buttons in this window as follows:
• To select the path of the securedesktop_asa__*.pkg file to be transferred, click Upload. The Selected File Path dialog box displays the contents of the folder you last accessed on your local computer. Navigate to the securedesktop_asa__*.pkg file, select it, and click Open.
• To select the target directory for the file, click Browse Flash.
Configuring Application Helper
Clientless SSL VPN includes an Application Profile Customization Framework (APCF) option that lets the security appliance handle non-standard applications and web resources so they display correctly over a Clientless SSL VPN connection. An APCF profile contains a script that specifies when (pre, post), where (header, body, request, response), and what data to transform for a particular application.
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
•        —             •        —                  —
Upload APCF package
Fields
• Local File Path—Shows the path to the APCF file on your computer. Click Browse Local to automatically insert the path in this field, or enter the path.
• Browse Local Files—Click to locate and choose the APCF file on your computer that you want to transfer.
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
•        —             •        —                  —
Auto Signon
The Auto Signon window or tab lets you configure or edit auto signon for users of Clientless SSL VPN. Auto signon is a simplified single signon method that you can use if you do not already have an SSO method deployed on your internal network.
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
•        —             •        —                  —
Add/Edit Auto Signon Entry
The Add/Edit Auto Signon Entry dialog box lets you add or edit an auto signon instruction. An auto signon instruction defines a range of internal servers using the auto signon feature and the particular authentication method.
Fields
• IP Block—Click this button to specify a range of internal servers using an IP address and mask.
Configuring Session Settings
The Clientless SSL VPN Add/Edit Internal Group Policy > More Options > Session Settings window lets you specify personalized user information between clientless SSL VPN sessions. By default, each group policy inherits the settings from the default group policy.
Java Code Signer
Code signing appends a digital signature to the executable code itself. This digital signature provides enough information to authenticate the signer as well as to ensure that the code has not been subsequently modified since signed. Code-signer certificates are special certificates whose associated private keys are used to create digital signatures.
• Restore Cache Default—Click to restore default values for all cache parameters.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
•        —             •        —                  —
Content Rewrite
The Content Rewrite pane lists all applications for which content rewrite is enabled or disabled.
Add/Edit Content Rewrite Rule
• Enable content rewrite—Click to enable content rewrite for this rewrite rule.
• Rule Number—(Optional) Enter a number for this rule. This number specifies the priority of the rule, relative to the others in the list. Rules without a number are at the end of the list. The range is 1 to 65534.
• Rule Name—(Optional) Provide an alphanumeric string that describes the rule, maximum 128 characters.
Fields
• Code Signer Certificate—Choose the configured certificate that you want to employ in Java object signing.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
•        —             •        —                  —
Encoding
This window lets you view or specify the character encoding for Clientless SSL VPN portal pages.
– windows-1252
– none
If you choose none or specify a value that the browser on the Clientless SSL VPN session does not support, it uses its own default encoding. You can type a string consisting of up to 40 characters, and equal to one of the valid character sets identified in http://www.iana.org/assignments/character-sets. You can use either the name or the alias of a character set listed on that page. The string is case-insensitive.
– shift_jis
Note: If you are using Japanese Shift_jis character encoding, click Do not specify in the Font Family area of the associated Select Page Font pane to remove the font family.
– unicode
– windows-1252
– none
If you choose none or specify a value that the browser on the Clientless SSL VPN session does not support, it uses its own default encoding.
• The following example matches URLs such as http://www.cisco.com and ftp://wwz.carrier.com:
  access-list test webtype permit url *://ww?.c*co*/
• The following example matches URLs such as http://www.cisco.com:80 and https://www.cisco.com:81:
  access-list test webtype permit url *://ww?.c*co*:8[01]/
  The range operator “[]” in the preceding example specifies that either character 0 or 1 can occur.
• The following example matches URLs such as http://www.google.
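The wildcard rules in the examples above (* for any run of characters, ? for one character, [] for a character range) and the first-match ACE ordering from the Add/Edit ACE section earlier in this chapter are shown together in the following Python matcher. This is an added example written for this page, not the security appliance's own implementation. It assumes that a URL without a path is matched as if it ended in "/" (so that the bare http://www.cisco.com of the example above matches a pattern ending in /), that ACEs are tried in order with the first match winning, and that a URL matching no ACE is denied; the EXAMPLE_ACL list is constructed from the Examples table with a hypothetical final permit entry, because that table's last row is truncated on this page.

```python
import re

# Added example, not code from the ASDM guide or the security appliance.
# Models webtype ACL URL matching: '*' matches any run of characters, '?'
# exactly one character, '[...]' one character from the bracketed set.
# Assumptions: a URL with no path is matched as if it ended in "/", ACEs are
# tried in order and the first match wins, and a URL matching no ACE is denied.


def pattern_to_regex(pattern):
    """Translate a webtype ACL url pattern into an anchored regular expression."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        elif ch == "[":
            close = pattern.find("]", i + 1)
            if close < 0:
                raise ValueError("unterminated [ in pattern %r" % pattern)
            parts.append("[" + pattern[i + 1:close].replace("\\", "\\\\") + "]")
            i = close
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def normalize_url(url):
    """Give a bare scheme://host[:port] URL a trailing slash so it matches
    patterns that end in '/' (model assumption)."""
    scheme, sep, rest = url.partition("://")
    if sep and "/" not in rest:
        rest += "/"
    return scheme + sep + rest


def webtype_match(pattern, url):
    """True if the ACE pattern matches the whole (normalized) URL."""
    return pattern_to_regex(pattern).match(normalize_url(url)) is not None


def evaluate_acl(aces, url):
    """Apply (action, pattern) entries in order; first match wins, default deny."""
    for action, pattern in aces:
        if webtype_match(pattern, url):
            return action
    return "deny"


# Constructed ACL: the chapter's Examples table plus a hypothetical final
# permit entry (the real table's last row is truncated on the page).
EXAMPLE_ACL = [
    ("deny", "http://*.yahoo.com/"),
    ("deny", "cifs://fileserver/share/directory"),
    ("deny", "https://www.company.com/directory/file.html"),
    ("permit", "https://www.company.com/*"),
]

if __name__ == "__main__":
    for url in ("http://www.cisco.com", "ftp://wwz.carrier.com", "https://www.cisco.com:82"):
        print(url, webtype_match("*://ww?.c*co*/", url), webtype_match("*://ww?.c*co*:8[01]/", url))
    for url in ("http://mail.yahoo.com/", "https://www.company.com/directory/file.html",
                "https://www.company.com/directory/other.html", "http://intranet.example/"):
        print(url, evaluate_acl(EXAMPLE_ACL, url))
```

Note how broad the first example pattern is once '*' is allowed to span dots and ports: *://ww?.c*co*/ matches www.cisco.com:82 as readily as www.cisco.com, which is why the port-restricted form with 8[01] is needed when the port matters.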
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
•        —             •        —                  —
Port Forwarding
Both the Port Forwarding pane and Configure Port Forwarding Lists dialog box let you view the port forwarding lists.
Requirements and Restrictions
The following restrictions apply to port forwarding:
• The remote host must be running a 32-bit version of one of the following:
– Microsoft Windows Vista, Windows XP SP2 or SP3; or Windows 2000 SP4.
– Apple Mac OS X 10.4 or 10.5 with Safari 2.0.4(419.3).
– Fedora Core 4
• The remote host must also be running Sun JRE 1.5 or later.
• Browser-based users of Safari on Mac OS X 10.5.
• Neither port forwarding nor the ASDM Java applet works with user authentication using digital certificates. Java does not have the ability to access the web browser keystore. Therefore Java cannot use certificates that the browser uses to authenticate users, and the application cannot start.
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
•        —             •        —                  —
Configuring the Use of External Proxy Servers
Use the Proxies pane to configure the security appliance to use external proxy servers to handle HTTP requests and HTTPS requests. These servers act as an intermediary between users and the Internet.
• IP Address—Enter the hostname or IP address of the external HTTPS proxy server.
• Port—Enter the port that listens for HTTPS requests. The default port is 443.
• Exception Address List—(Optional) Enter a URL or a comma-delimited list of several URLs to exclude from those that can be sent to the HTTPS proxy server. The string does not have a character limit, but the entire command cannot exceed 512 characters.
Configuring Proxy Bypass
• Path Mask—Displays the URI path to match for proxy bypass.
• URL—Displays the target URLs.
• Rewrite—Displays the rewrite options. These are a combination of XML, link, or none.
• Add/Edit—Click to add a proxy bypass entry or edit a selected entry.
• Delete—Click to delete a proxy bypass entry.
DTLS Settings
Enabling Datagram Transport Layer Security (DTLS) allows the AnyConnect VPN Client establishing an SSL VPN connection to use two simultaneous tunnels—an SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.
SSL VPN Client Settings
The security appliance downloads the client based on the group policy or local user policy attributes. You can configure the security appliance to automatically download the client, or you can configure it to prompt the remote user about whether to download the client. In the latter case, if the user does not respond, you can configure the security appliance to either download the client after a timeout period or present the login page.
Add/Replace SSL VPN Client Image
In this window, you can specify a filename for a file on the security appliance flash memory that you want to add as an SSL VPN client image, or to replace an image already listed in the table. You can also browse the flash memory for a file to identify, or you can upload a file from a local computer.
Fields
• Flash SVC Image—Specify the file in flash memory that you want to identify as an SSL VPN client image.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple Context   System
•        —             •        —                  —
Add/Edit SSL VPN Client Profiles
In this window, you can specify the path of a file on the local computer or in flash memory of the security appliance that you want to identify as an SSL VPN client profile.
Chapter 38 Clientless SSL VPN Bypass Interface Access List • Flash File System Path—Identifies the filename of the file in the flash memory of the security appliance that you want to identify as an client profile. • Browse Flash—Displays the Browse Flash Dialog window where you can view all the files on flash memory of the security appliance and where you can select a file to identify as a client profile. • Upload File—Initiates the file upload.
Chapter 38 Clientless SSL VPN SSO Servers • To configure SSO with the HTTP Form protocol, see Configuring Session Settings. The SSO mechanism either starts as part of the AAA process (HTTP Forms) or just after successful user authentication to either a AAA server (SiteMinder) or a SAML Browser Post Profile server. In these cases, the Clientless SSL VPN server running on the security appliance acts as a proxy for the user to the authenticating server.
Chapter 38 Clientless SSL VPN SSO Servers Firewall Mode Security Context Multiple Routed • Transparent Single Context System — — — • SAML POST SSO Server Configuration Use the SAML server documentation provided by the server software vendor to configure the SAML server in Relying Party mode.
Chapter 38 Clientless SSL VPN Clientless SSL VPN Access Step 2 Using your Cisco.com login, download the file cisco_vpn_auth.jar from http://www.cisco.com/cgi-bin/tablebuild.pl/asa and copy it to the default library directory for the SiteMinder server. This .jar file is also available on the Cisco security appliance CD. Add/Edit SSO Servers This SSO method uses CA SiteMinder and SAML Browser Post Profile. You can also set up SSO using the HTTP Form protocol, or Basic HTML and NTLM authentication.
• Configure the amount of security appliance memory that Clientless SSL VPN can use.

To configure Clientless SSL VPN services for individual users, the best practice is to use the Configuration > VPN > General > Group Policy > Add/Edit > WebVPN panel. Then use the Configuration > Properties > Device Administration > User Accounts > VPN Policy panel to assign the group policy to a user.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed  Transparent      Single  Multiple Context  Multiple System
•       —                •       —                 —

For More Information

Clientless SSL VPN End User Set-up

Configuring Smart Tunnel Access

The Smart Tunnels table displays the smart tunnel lists, each of which identifies one or more applications eligible for smart tunnel access, and its associated OS.
• Create one or more smart tunnel lists of the client applications, then assign the list to the group policies or local user policies for whom you want to provide smart tunnel access.
• Create one or more bookmark list entries that specify the URLs of the web-enabled applications eligible for smart tunnel access, then assign the list to the DAPs, group policies, or local user policies for whom you want to provide smart tunnel access.
• When smart tunnel starts, the security appliance tunnels all traffic from the browser process the user used to initiate the clientless session. If the user starts another instance of the browser process, it passes all traffic to the tunnel. If the browser process is the same and the security appliance does not provide access to a given URL, the user cannot open it.
Configuring a Smart Tunnel (Lotus example)

To configure a Smart Tunnel, perform the following steps:

Note These example instructions provide the minimum steps required to add smart tunnel support for an application. See the field descriptions in the sections that follow for more information.

Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels.

Add or Edit Smart Tunnel List

The Add Smart Tunnel List dialog box lets you add a list of smart tunnel entries to the security appliance configuration. The Edit Smart Tunnel List dialog box lets you modify the contents of the list.

Fields

• List Name—Enter a unique name for the list of applications or programs. There is no restriction on the number of characters in the name. Do not use spaces.
For Windows, if you want to add smart tunnel access to an application started from the command prompt, you must specify “cmd.exe” in the Process Name of one entry in the smart tunnel list, and specify the path to the application itself in another entry, because “cmd.exe” is the parent of the application. Mac OS requires the full path to the process, and is case-sensitive.

Table 38-2 Example Smart Tunnel Entries

Application ID (any unique string is OK) | Smart Tunnel Support | Process Name | OS
outlook-express | More restrictive alternative—Microsoft Outlook Express only if the executable file is in a predefined path. | \Program Files\Outlook Express\msimn.exe | Windows
(row cut off in this extract) | Open a new Terminal window on a Mac. | |
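The following script is an added example, not Cisco code, that encodes the matching rules described above so you can see why the path-qualified entry in Table 38-2 is the "more restrictive alternative": a bare file name admits any executable with that name, a path-qualified Windows entry admits only the binary at that location, and a Mac OS entry must be the full path and match case exactly. Two details are assumptions rather than statements of the page: Windows names are compared without regard to case, and a Windows entry that begins with a backslash is compared against the tail of the process path (drive letter excluded). The bare-name Outlook Express entry and the Mac Terminal entry are constructed sample data.

```python
"""Smart tunnel process matching: added illustration of the rules in this section."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SmartTunnelEntry:
    app_id: str        # Application ID: any unique string
    process_name: str  # file name, or path to the executable
    os_name: str       # "Windows" or "Mac"


def _windows_matches(entry_process: str, process_path: str) -> bool:
    # Assumption: Windows file names are compared without regard to case.
    entry = entry_process.lower().replace("/", "\\")
    proc = process_path.lower().replace("/", "\\")
    if "\\" not in entry:
        # Bare file name: any executable with this name qualifies,
        # wherever it lives on disk.
        return proc.rsplit("\\", 1)[-1] == entry
    # Path-qualified entry (the "more restrictive alternative" in Table 38-2):
    # the process path must end with the configured path, so a same-named
    # binary copied to another directory does not qualify. Assumption: the
    # leading backslash means the drive letter is not part of the comparison.
    return proc.endswith(entry)


def _mac_matches(entry_process: str, process_path: str) -> bool:
    # Mac OS requires the full path, and the comparison is case-sensitive.
    return entry_process.startswith("/") and entry_process == process_path


def matching_entries(entries, process_path: str, os_name: str):
    """Return the Application IDs of every entry that grants this process smart tunnel access."""
    matcher = _windows_matches if os_name == "Windows" else _mac_matches
    return [e.app_id for e in entries
            if e.os_name == os_name and matcher(e.process_name, process_path)]


# Constructed list: the path-qualified Outlook Express entry is the one from
# Table 38-2; the bare-name entry and the Mac Terminal entry are sample data.
ENTRIES = [
    SmartTunnelEntry("outlook-express", "msimn.exe", "Windows"),
    SmartTunnelEntry("outlook-express-strict",
                     "\\Program Files\\Outlook Express\\msimn.exe", "Windows"),
    SmartTunnelEntry("terminal",
                     "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "Mac"),
]

if __name__ == "__main__":
    print(matching_entries(ENTRIES, r"C:\Program Files\Outlook Express\MSIMN.EXE", "Windows"))
    print(matching_entries(ENTRIES, r"C:\Users\Public\msimn.exe", "Windows"))
```

Running it shows both Outlook Express entries admitting the binary in its predefined path, but only the bare-name entry admitting a copy of msimn.exe placed elsewhere; that difference is what the path-qualified entry buys you.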
Add or Edit Smart Tunnel Auto Sign-on Server Entry

The Add or Edit Smart Tunnel Entry dialog box lets you identify a server to be added to a smart tunnel auto sign-on list. You can identify it by its hostname, or by IP address and subnet mask.

Caution Use the address format used in the source code of the web pages on the intranet.

Configuring Customization Objects

You can customize all end-user-visible content on the clientless SSL VPN portal. To do so, you create an XML customization object, using an XML template, the Customization Editor in ASDM, or by exporting and editing an existing customization object, which you then reimport to the security appliance. Version 8.

Add Customization Object

To add a customization object, create a copy of the DfltCustomization object and give it a unique name. Then modify or edit it to meet your requirements.

Field

Customization Object Name—Enter a name for the new customization object. Maximum 64 characters, no spaces.
Firewall Mode            Security Context
Routed  Transparent      Single  Multiple Context  Multiple System
•       —                •       —                 —

Creating XML-Based Portal Customization Objects and URL Lists

This section includes the following topics:
• Understanding the XML Customization File Structure
• Customization Example
• Using the Customization Template

Understanding the XML Customization File Structure

Table 38-3 presents the file structure for an XML customization object.
Table 38-3 XML-Based Customization File Structure (rows preceding info-panel are cut off in this extract)

Tag | Type | Values | Preset value | Description
(tag cut off) | text | Arbitrary URL | empty string |
info-panel | node | | | The panel with a custom text and image
mode | string | enable|disable | disable |
image-position | string | above|below | above | The image position, relative to text
image-url | string | Arbitrary URL | empty image |
text | string | Arbitrary string | empty string |
logon-form | node | | | The form with username, password, group prompt
title-text | string | | |
window | node | | | see authentication page description
title-text | string | Arbitrary string | Empty string |
title-panel | node | | | see authentication page description
mode | string | enable|disable | Disable |
text | string | Arbitrary string | Empty string |
logo-url | string | Arbitrary URL | Empty image URL |
navigation-panel | node | | | The panel on the left with application tabs
mode | string | ena (row cut off in this extract) | |
application | node | | |
id | string | | |
prompt-box-title | string | Arbitrary string | Address | Title for URL prompt box
browse-button-text | string | Arbitrary string | Browse | Browse button text
logout-prompt-text | string | Arbitrary string | Logout |
column | node (multiple) | | | One column will be shown by default
width | string | | N/A |
order | number | | N/A | Value used to sort elements
url-lists | node | | |
mode | string | (row cut off in this extract) | |
text | string | | | Text for TEXT type panes
column | number | | |

Customization Example

The following example illustrates the following customization options:
• Hides the tab for the File access application
• Changes the title and order of the Web Access application
• Defines two columns on the home page
• Adds an RSS pane
• Adds three panes (text, image, and html) at the top of the second pane
Customization example (the XML markup was lost in extraction; only these values survive, in order of appearance):
code1, text1, code2, text2
RSS, rss.xyz.com?id=78, text_pane, TEXT, rss.xyz.com?id=78, 1, 0
Welcome to XYZ WebVPN Service, IMAGE, http://www.xyz.com/logo.gif, 1, 2
HTML, XYZ news, http://www.xyz.com/news. (cut off)
Note: all white spaces in tag values are significant and preserved.

Tag: custom
Description: Root customization tag

Tag: custom/languages
Description: Contains the list of languages recognized by the ASA
Value: string containing comma-separated language codes; each code is a set of dash-separated alphanumeric characters that starts with an alpha-character (for example: en, en-us)
Default value: en-us
Tag: custom/auth-page/title-panel/font-color
Description: The background color of the title panel
Value: HTML color format, for example #FFFFFF
Default value: #000000

Tag: custom/auth-page/title-panel/font-weight
Description: The font weight
Value: CSS font size value, for example bold, bolder, lighter, etc.
Description: Text of the information panel
Text: arbitrary string
Default value: empty string

*********************************************************

Tag: custom/auth-page/logon-form
Description: Contains logon form settings

Tag: custom/auth-page/logon-form/title-text
Description: The logon form title text
Value: arbitrary string
Default value: "Logon"

Tag: custom/auth-page/logon-form/message-text
Description: The message inside of the logon
Value: HTML color format, for example #FFFFFF
Default value: #000000

Tag: custom/auth-page/logon-form/background-color
Description: The background color of the logon form
Value: HTML color format, for example #FFFFFF
Default value: #000000

*********************************************************

Tag: custom/auth-page/logout-form
Description: Contains the logout form settings

Tag: custom/auth-page/logout-form/title-text
Description: The logou
*********************************************************

Tag: custom/portal/window
Description: Contains the portal page browser window settings

Tag: custom/portal/window/title-text
Description: The title of the browser window of the portal page
Value: arbitrary string
Default value: Browser's default value

*********************************************************

Tag: custom/portal/title-panel
Description: Contains settings for the title pane
Tag: custom/portal/application/mode
Description: The application mode
Value: enable|disable
Default value: enable

Tag: custom/portal/application/id
Description: The application ID.

Tag: custom/portal/column (multiple)
Description: Contains settings of the home page column(s)

Tag: custom/portal/column/order
Description: The order of the column from left to right.

Value: URL string
Default value: empty string

Tag: custom/portal/pane/text
Description: The text value for panes with type TEXT
Value: arbitrary string
Default value: empty string

Tag: custom/portal/pane/column
Description: The column where the pane is located.
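Because a customization object is imported and then rendered on the logon page and portal of every clientless user, it is worth checking an edited object against the constraints this section states before you reimport it. The validator below is an added example, not Cisco code or the ASDM Customization Editor: it checks the tag paths documented above (custom/languages as comma-separated dash-separated codes, every mode as enable|disable, *-color values in HTML #RRGGBB format, numeric column/order values, and each pane/column pointing at a column that the object actually defines). The embedded sample is constructed to mirror the Customization Example (File access tab hidden, Web Access retitled and reordered, two columns, RSS, TEXT, IMAGE and HTML panes); the element names <type>, <url>, <title>, <tab-title> and <order> under application and pane are assumptions, as are the sample URLs.

```python
"""Validate an XML customization object against the tag constraints in this section (added example)."""
import re
import xml.etree.ElementTree as ET

COLOR_RE = re.compile(r"^#[0-9A-Fa-f]{6}$")                      # HTML color format
LANG_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*(-[A-Za-z0-9]+)*$")    # en, en-us, ...
PANE_TYPES = {"TEXT", "IMAGE", "HTML", "RSS"}                      # pane types used in the example


def validate_customization(xml_text: str):
    """Return a list of problems found; an empty list means the object passes."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "custom":
        return ["root element is <%s>, expected <custom>" % root.tag]

    # custom/languages: comma-separated language codes (default en-us).
    for code in root.findtext("languages", default="en-us").split(","):
        if not LANG_RE.match(code.strip()):
            problems.append("languages: bad code %r" % code.strip())

    # Every <mode> in the object must be enable|disable.
    for el in root.iter("mode"):
        if (el.text or "").strip() not in ("enable", "disable"):
            problems.append("mode: %r is not enable|disable" % el.text)

    # font-color, background-color, ...: HTML color format.
    for el in root.iter():
        if el.tag.endswith("-color") and el.text and not COLOR_RE.match(el.text.strip()):
            problems.append("%s: %r is not an HTML color" % (el.tag, el.text.strip()))

    # Columns have a numeric order; panes must sit in a defined column.
    columns = set()
    for col in root.findall("portal/column"):
        order = (col.findtext("order") or "").strip()
        if not order.isdigit():
            problems.append("column/order: %r is not a number" % order)
        else:
            columns.add(int(order))
    for pane in root.findall("portal/pane"):
        ptype = (pane.findtext("type") or "").strip()
        if ptype not in PANE_TYPES:
            problems.append("pane/type: %r unknown" % ptype)
        col = (pane.findtext("column") or "").strip()
        if not col.isdigit() or int(col) not in columns:
            problems.append("pane/column: %r does not match a defined column" % col)
    return problems


# Constructed sample modelled on the section's Customization Example. The
# element names type/url/title/tab-title/order and all URLs are assumptions.
SAMPLE_XML = """<custom>
  <languages>en,ja,ru</languages>
  <auth-page>
    <title-panel>
      <mode>enable</mode>
      <text>XYZ WebVPN</text>
      <font-color>#FFFFFF</font-color>
      <background-color>#000066</background-color>
    </title-panel>
    <logon-form><title-text>Logon</title-text></logon-form>
  </auth-page>
  <portal>
    <application><mode>disable</mode><id>file-access</id></application>
    <application><mode>enable</mode><id>web-access</id><tab-title>Intranet Web</tab-title><order>1</order></application>
    <column><order>1</order><width>60%</width></column>
    <column><order>2</order><width>40%</width></column>
    <pane><type>RSS</type><mode>enable</mode><title>XYZ news feed</title><url>http://rss.xyz.example/?id=78</url><column>1</column></pane>
    <pane><type>TEXT</type><mode>enable</mode><text>Welcome to XYZ WebVPN Service</text><column>2</column></pane>
    <pane><type>IMAGE</type><mode>enable</mode><url>http://www.xyz.example/logo.gif</url><column>2</column></pane>
    <pane><type>HTML</type><mode>enable</mode><title>XYZ news</title><url>http://intranet.xyz.example/news</url><column>2</column></pane>
  </portal>
</custom>
"""

if __name__ == "__main__":
    print(validate_customization(SAMPLE_XML))   # [] when the object passes
```

A pane that references an undefined column, a mode value other than enable|disable, or a malformed color are the kinds of slips that survive a hand edit of an exported object and only show up on the end user's screen; this catches them before the import.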
日本語 (Japanese)
- ru Русский (Russian)
- ua Українська (Ukrainian)
(empty template values follow)
Customization template excerpt (the XML markup was lost in extraction; only these values survive, in order of appearance):
#000000, #ffffff, enable, /+CSCOU+/csco_logo. (cut off)
/+CSCOU+/csco_logo. (cut off)
enable, app-access, -, -, 4, -
enable, net-access, AnyConnect, 4, -
enable, help, Help, 1000000, -
enable
Help Customization

The security appliance displays help content on the application panels during clientless sessions. Each clientless application panel displays its own help file content using a predetermined filename.

Language—Displays the abbreviation of the language rendered by the browser. This field is not used for file translation; it indicates the language used in the file. To identify the name of a language associated with an abbreviation in the table, display the list of languages rendered by your browser.
https://address_of_security_appliance/+CSCOE+/help/en/rdp-hlp.inc

Step 3 Choose File > Save (Page) As.

Caution Do not change the contents of the File name box.

Step 4 Change the Save as type option to “Web Page, HTML only” and click Save.

Step 5 Use your preferred HTML editor to customize the file.

Note You can use most HTML tags, but do not use tags that define the document and its structure (e.g.

present in the Browse Language Code dialog box, enter the abbreviation for the language you want into the Language Code field and click OK, or enter it into the Language text box to the left of the dots. To identify the abbreviation for the language of a help file to be imported if it is not present in the Browse Language Code dialog box, display the list of languages and abbreviations rendered by your browser.
About Installing Browser Plug-ins

A browser plug-in is a separate program that a web browser invokes to perform a dedicated function, such as connecting a client to a server within the browser window. The security appliance lets you import plug-ins for download to remote browsers in Clientless SSL VPN sessions.

Plug-in Requirements and Restrictions

Clientless SSL VPN must be enabled on the security appliance to provide remote access to the plug-ins. The minimum access rights required for remote use belong to the guest privilege mode. A stateful failover does not retain sessions established using plug-ins. Users must reconnect following a failover.

• vnc-plugin.jar—The Virtual Network Computing plug-in lets the remote user use a monitor, keyboard, and mouse to view and control a computer with remote desktop sharing turned on. Cisco redistributes this plug-in without any changes to it per the GNU General Public License. The web site containing the source of the redistributed plug-in is http://www.tightvnc.com.

The plug-in is now available for future Clientless SSL VPN sessions.
Step 3 Extract the following files from the Citrix Java client:
• JICA-configN.jar
• JICAEngN.jar
You can use WinZip to perform this step and the next.

Step 4 Add the extracted files to the ica-plugin.zip file.

Step 5 Ensure the EULA included with the Citrix Java client grants you the rights and permissions to deploy the client on your web servers.

Table 38-1 Translation Domains and Functional Areas Affected

Translation Domain | Functional Areas Translated
AnyConnect | Messages displayed on the user interface of the Cisco AnyConnect VPN Client.
CSD | Messages for the Cisco Secure Desktop (CSD).
customization | Messages on the logon and logout pages, portal page, and all the messages customizable by the user.
keepout | Message displayed to remote users when VPN access is denied.

Language—The language of existing Language Localization tables.
Language Localization Template—The template that the table is based on.

Creating a Translation Table

The following procedure describes how to create a translation table:

Step 1 Go to Remote Access VPN > Clientless SSL VPN Access > Portal > Advanced > Language Localization. The Language Localization pane displays. Click Add. The Add Language Localization window displays.
Translation Domain | Functional Areas Translated
customization | Messages on the logon and logout pages, portal page, and all the messages customizable by the user.
keepout | Message displayed to remote users when VPN access is denied.
PortForwarder | Messages displayed to Port Forwarding users.
url-list | Text that the user specifies for URL bookmarks on the portal page.
webvpn | All the layer 7, AAA, and portal messages that are not customizable.

Fields

Import—Launches the Import AnyConnect Customization Objects dialog, where you can specify a file to import as an object.
Export—Launches the Export AnyConnect Customization Objects dialog, where you can specify a file to export as an object.
Delete—Removes the selected object.
Platform—The type of remote PC platform supported by the object.
Object Name—The name of the object.
Firewall Mode            Security Context
Routed  Transparent      Single  Multiple Context  Multiple System
•       —                •       —                 —

Installs

Specify files for customizing the AnyConnect client installation in this panel.

Note The security appliance does not support this feature for the AnyConnect VPN client, versions 2.0 and 2.1.

When exporting, it is automatically filled in with the name from the entry you selected in the table. When importing, you enter the language name in the manner that you want it to be identified. The imported translation table then appears in the list with the abbreviation you designated. To ensure that your browser recognizes the language, use language abbreviations that are compatible with the language options of the browser.

Configure GUI Customization Objects (Bookmark Lists)

This dialog box lets you add, edit, delete, import, and export bookmark lists. The Bookmarks window lets you configure lists of servers and URLs for access over clientless SSL VPN. Following the configuration of a bookmark list, you can assign the list to one or more usernames, group policies, and DAPs. Each username, group policy, and DAP can have only one bookmark list.
• Add—Opens the Add Bookmark Entry dialog box, on which you can configure a new server or URL and display name.
• Edit—Opens the Edit Bookmark Entry dialog box, on which you can configure a new server or URL and display name.
• Delete—Removes the selected item from the URL list. There is no confirmation or undo.
• Move Up/Move Down—Changes the position of the selected item in the URL list.
• Enable Smart Tunnel Option—Select to open the bookmark in a new window that uses the smart tunnel feature to pass data through the security appliance to or from the destination server.
Firewall Mode            Security Context
Routed  Transparent      Single  Multiple Context  Multiple System
•       •                •       —                 —

Configure GUI Customization Objects (Web Contents)

This dialog box lets you import and export web content objects.

Fields

• File Name—Displays the names of the web content objects.
• File Type—Identifies the file type(s).
• Import/Export—Click to import or export a web content object.
• Delete—Click to delete the object.

Firewall Mode            Security Context
Routed  Transparent      Single  Multiple Context  Multiple System
•       •                •       —                 —

Add/Edit Post Parameter

Use this pane to configure post parameters for bookmark entries and URL lists. Since these are often personalized resources that contain the user ID and password or other input parameters, you might need to define Clientless SSL VPN Macro Substitutions. Click the link for detailed instructions.

No.
Figure 38-1 Using ASDM to Configure a Macro that Sets a Homepage

Example 2: Setting a Bookmark or URL Entry

You can use an HTTP Post to log in to an OWA resource using an RSA one-time password (OTP) for SSL VPN authentication, and then the static, internal password for OWA e-mail access. The best way to do this is to add or edit a bookmark entry in ASDM, as in Figure 38-2.

Figure 38-2 Configuring a Bookmark Entry
CHAPTER 39 E-Mail Proxy

E-mail proxies extend remote e-mail capability to users of Clientless SSL VPN. When users attempt an e-mail session via e-mail proxy, the e-mail client establishes a tunnel using the SSL protocol. The e-mail proxy protocols are as follows:

POP3S

POP3S is one of the e-mail proxies Clientless SSL VPN supports. By default, the security appliance listens on port 995, and connections are automatically allowed to port 995 or to the configured port.

AAA

This panel has three tabs:
• POP3S Tab
• IMAP4S Tab
• SMTPS Tab

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed  Transparent      Single  Multiple Context  Multiple System
•       —                •       —                 —

POP3S Tab

The POP3S AAA panel associates AAA server groups and configures the default group policy for POP3S sessions.

Fields

• AAA server groups—Click to go to the AAA Server Groups panel (Configuration > Features > Properties > AAA Setup > AAA Server Groups), where you can add or edit AAA server groups.
• group policies—Click to go to the Group Policy panel (Configuration > Features > VPN > General > Group Policy), where you can add or edit group policies.
• Authentication Server Group—Select the authentication server group for POP3S user authentication.
DN Field | Definition
Name (N) | The name of the certificate owner.
Organization (O) | The name of the company, institution, agency, association, or other entity.
Organizational Unit (OU) | The subgroup within the organization.
Serial Number (SER) | The serial number of the certificate.
Surname (SN) | The family name or last name of the certificate owner.
State/Province (S/P) | The state or province where the organization is located.

• Default Group Policy—Select the group policy to apply to IMAP4S users when AAA does not return a CLASSID attribute. If you do not specify a default group policy, and there is no CLASSID, the security appliance cannot establish the session.
• Authorization Settings—Lets you set values for usernames that the security appliance recognizes for IMAP4S authorization.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed  Transparent      Single  Multiple Context  Multiple System
•       —                •       —                 —

SMTPS Tab

The SMTPS AAA panel associates AAA server groups and configures the default group policy for SMTPS sessions.

– Primary DN Field—Select the primary DN field you want to configure for SMTPS authorization. The default is CN. Options include the following:

DN Field | Definition
Country (C) | The two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.
Common Name (CN) | The name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy.
DN Qualifier (DNQ) | A specific DN attribute.
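The Primary DN Field setting decides which part of the user's certificate subject becomes the authorization username, so the choice matters: a field that is not unique across your CA (say, O or S/P) would map many certificates onto one authorization identity. The function below is an added example, not Cisco code, showing the selection applied to a string DN. It maps the DN field abbreviations listed in the two tables above onto RFC 4514 attribute types (my mapping; the page gives only the abbreviations), parses the DN with support for backslash-escaped separators and "+" multi-valued RDNs (hex-pair escapes are not decoded), and falls back to an optional second field, which is an assumption rather than something the page describes. The sample DNs are constructed.

```python
"""Derive an e-mail proxy authorization username from a certificate subject DN (added example)."""

# DN field selector (as listed in the panel) -> RFC 4514 / RFC 4519 attribute type.
# This mapping is the example's own assumption, not taken from the page.
DN_FIELD_TYPES = {
    "C": "C", "CN": "CN", "DNQ": "DNQUALIFIER", "N": "NAME", "O": "O",
    "OU": "OU", "SER": "SERIALNUMBER", "SN": "SN", "S/P": "ST",
}


def parse_dn(dn: str):
    """Split a string DN into (ATTRIBUTE_TYPE, value) pairs.

    Commas separate RDNs and '+' separates values of a multi-valued RDN;
    a backslash escapes the following character (hex-pair escapes are not decoded).
    """
    pairs, buf, escaped = [], [], False

    def flush():
        text = "".join(buf).strip()
        buf.clear()
        if text:
            typ, _, val = text.partition("=")
            pairs.append((typ.strip().upper(), val.strip()))

    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":
            flush()
        else:
            buf.append(ch)
    flush()
    return pairs


def authorization_username(subject_dn: str, primary: str = "CN", secondary: str = None):
    """Return the primary DN field's value, else the secondary field's value, else None."""
    pairs = parse_dn(subject_dn)
    for field in (primary, secondary):
        if field is None:
            continue
        wanted = DN_FIELD_TYPES[field]
        for typ, val in pairs:        # first occurrence wins
            if typ == wanted:
                return val
    return None


if __name__ == "__main__":
    # Constructed sample subject; note the escaped comma inside the OU value.
    dn = "CN=Alice Example,OU=Mail\\, Inc.,O=Example Corp,C=US,serialNumber=0042"
    print(authorization_username(dn))            # default: CN
    print(authorization_username(dn, "SER"))     # certificate serial number field
```

Pick the field with the CA's uniqueness guarantee behind it (CN or SER in most deployments); the fallback exists so that a certificate lacking the primary field does not silently authorize as an empty name.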
Fields

• Interface—Displays the names of all configured interfaces.
• POP3S Enabled—Shows whether POP3S is enabled for the interface.
• IMAP4S Enabled—Shows whether IMAP4S is enabled for the interface.
• SMTPS Enabled—Shows whether SMTPS is enabled for the interface.
• Edit—Click to edit the e-mail proxy settings for the highlighted interface.

Edit E-Mail Proxy Access

The E-mail Proxy Access screen lets you identify interfaces on which to configure e-mail proxy. You can configure e-mail proxies on individual interfaces, and you can configure e-mail proxies for one interface and then apply your settings to all interfaces.

Fields

• Interface—Displays the name of the selected interface.
• POP3S Enabled—Select to enable POP3S for the interface.
• IMAP4S Enabled—Select to enable IMAP4S for the interface.

Fields

POP3S/IMAP4S/SMTPS Authentication—Lets you configure authentication methods for each of the e-mail proxy types. You can select multiple methods of authentication.
• AAA—Select to require AAA authentication. This option requires a configured AAA server. The user presents a username, server, and password. Users must present both the VPN username and the e-mail username, separated by the VPN Name Delimiter, only if the usernames are different from each other.
Note IMAP generates a number of sessions that are not limited by the simultaneous user count but do count against the number of simultaneous logins allowed for a username. If the number of IMAP sessions exceeds this maximum and the Clientless SSL VPN connection expires, a user cannot subsequently establish a new connection.

Fields

• POP3S/IMAP4S/SMTPS Default Server—Lets you configure a default server, port, and non-authenticated session limit for e-mail proxies.
• Name or IP Address—Type the DNS name or IP address for the default e-mail proxy server.
• Port—Type the port number on which the security appliance listens for e-mail proxy traffic. Connections are automatically allowed to the configured port. The e-mail proxy allows only SSL connections on this port.
Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed  Transparent      Single  Multiple Context  Multiple System
•       —                •       —                 —

Delimiters

This panel lets you configure username/password delimiters and server delimiters for e-mail proxy authentication.

Fields

• POP3S/IMAP4S/SMTPS Delimiters—Lets you configure username/password and server delimiters for each of the e-mail proxies.

Note Passwords for Clientless SSL VPN e-mail proxy users cannot contain characters that are used as delimiters.

– Server Delimiter—Select a delimiter to separate the username from the name of the e-mail server. It must be different from the VPN Name Delimiter. Users enter both their username and server in the username field when they log in to an e-mail proxy session.
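The delimiter rules above exist because the mail client gives the proxy only two fields, username and password, and the appliance has to carve VPN credentials, e-mail credentials, and the server name out of them. The parser below is an added example, not Cisco code, that performs that split the way the Authentication and Delimiters panels describe: the VPN Name Delimiter separates the VPN username from the e-mail username (omitted when they are the same), the Server Delimiter separates the username from the server, the two delimiters must differ, and a password containing a delimiter character is refused because the split would be ambiguous. The default delimiters ":" and "@", and the use of the VPN Name Delimiter for the two passwords as well as the two usernames, are assumptions; the sample logins are constructed.

```python
"""Split e-mail proxy login fields using the configured delimiters (added example)."""

# Assumed defaults; the Delimiters panel lets you change them per proxy.
VPN_NAME_DELIMITER = ":"
SERVER_DELIMITER = "@"


def parse_proxy_login(username_field: str, password_field: str,
                      vpn_name_delim: str = VPN_NAME_DELIMITER,
                      server_delim: str = SERVER_DELIMITER):
    """Return the VPN and e-mail credentials plus server carved out of the two login fields.

    username_field: [vpn_user<vpn_name_delim>]mail_user<server_delim>server
    password_field: [vpn_password<vpn_name_delim>]mail_password
    Raises ValueError on malformed input or on a password containing a delimiter.
    """
    if len(vpn_name_delim) != 1 or len(server_delim) != 1:
        raise ValueError("delimiters must be single characters")
    if vpn_name_delim == server_delim:
        raise ValueError("the server delimiter must differ from the VPN Name Delimiter")
    if server_delim not in username_field:
        raise ValueError("username field must contain <user>%s<server>" % server_delim)

    # Split from the right so the server name is everything after the last delimiter.
    names, _, server = username_field.rpartition(server_delim)
    if vpn_name_delim in names:
        vpn_user, _, mail_user = names.partition(vpn_name_delim)
    else:
        vpn_user = mail_user = names          # same name for VPN and e-mail

    if vpn_name_delim in password_field:
        vpn_password, _, mail_password = password_field.partition(vpn_name_delim)
    else:
        vpn_password = mail_password = password_field

    # A delimiter inside a password would make the split above ambiguous,
    # which is why the panel forbids such passwords.
    for pw in (vpn_password, mail_password):
        if vpn_name_delim in pw or server_delim in pw:
            raise ValueError("passwords cannot contain delimiter characters")
    for part in (vpn_user, mail_user, server):
        if not part:
            raise ValueError("empty username or server")

    return {"vpn_user": vpn_user, "mail_user": mail_user, "server": server,
            "vpn_password": vpn_password, "mail_password": mail_password}


def is_rejected(username_field: str, password_field: str, **delims) -> bool:
    """True when parse_proxy_login refuses the login fields."""
    try:
        parse_proxy_login(username_field, password_field, **delims)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed logins: same name for both identities, then distinct names and passwords.
    print(parse_proxy_login("alice@mail.example.com", "s3cret"))
    print(parse_proxy_login("alice:amail@mail.example.com", "vpnpw:mailpw"))
```

When you change a delimiter in the panel, run your user population's naming convention through a parser like this first: a Server Delimiter that also appears in usernames (or a VPN Name Delimiter that appears in existing passwords) locks those users out rather than degrading gracefully.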
CHAPTER 40 Configuring SSL Settings

SSL

The security appliance uses the Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), to achieve secure message transmission for both ASDM and Clientless, browser-based sessions. The SSL window lets you configure SSL versions for clients and servers and encryption algorithms.

Options for Client SSL versions include the following:
– any—The security appliance sends SSL version 3 hellos, and negotiates either SSL version 3 or TLS version 1.
– sslv3-only—The security appliance sends SSL version 3 hellos, and accepts only SSL version 3.
– tlsv1-only—The security appliance sends TLSv1 client hellos, and accepts only TLS version 1.
• Encryption—Lets you set SSL encryption algorithms.
• Certificate—Click to select a previously enrolled certificate to associate with the named interface.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed  Transparent      Single  Multiple Context  Multiple System
•       •                •       •                 —

SSL Certificates

In this pane, you can require that device management sessions use user certificates for SSL authentication.
PART 5 Monitoring the Security Appliance

CHAPTER 41 Monitoring Interfaces

ASDM lets you monitor interface statistics as well as interface-related features.

ARP Table

The ARP Table pane displays the ARP table, including static and dynamic entries. The ARP table includes entries that map a MAC address to an IP address for a given interface. See Configuration > Properties > ARP Static Table for more information about the ARP table.

Fields

• Interface—Lists the interface name associated with the mapping.
• IP Address—Shows the IP address.
DHCP Server Table

The DHCP Server Table lists the IP addresses assigned to DHCP clients.

Fields

• IP Address—Shows the IP address assigned to the client.
• Client-ID—Shows the client MAC address or ID.
• Lease Expiration—Shows the date that the DHCP lease expires. The lease indicates how long the client can use the assigned IP address. Remaining time is also specified in the number of seconds and is based on the timestamp in the Last Updated display-only field.

– Bound—The security appliance has a valid lease and is operating normally.
– Renewing—The security appliance is trying to renew the lease. It regularly sends DHCPREQUEST messages to the current DHCP server, and waits for a reply.
– Rebinding—The security appliance failed to renew the lease with the original server, and now sends DHCPREQUEST messages until it gets a reply from any server or the lease ends.

– DHCPREQUEST
– DHCPDECLINE
– DHCPRELEASE
– DHCPINFORM
– BOOTREPLY
– DHCPOFFER
– DHCPACK
– DHCPNAK
• Count—Shows the number of times a specific message was processed.
• Direction—Shows if the message type is Sent or Received.
• Total Messages Received—Shows the total number of messages received by the security appliance.
• Total Messages Sent—Shows the total number of messages sent by the security appliance.

• Type—Shows if the entry is static or dynamic.
• Age—Shows the age of the entry, in minutes. To set the timeout, see MAC Address Table.
• Refresh—Refreshes the table with current information from the security appliance.
Fields

• Available Graphs for—Lists the types of statistics available for monitoring. You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.
– Byte Counts—Shows the number of bytes input and output on the interface.
– Packet Counts—Shows the number of packets input and output on the interface.
– Packet Rates—Shows the rate of packets input and output on the interface.

Collisions—The number of messages retransmitted due to an Ethernet collision (single and multiple collisions). This usually occurs on an overextended LAN (Ethernet or transceiver cable too long, more than two repeaters between stations, or too many cascaded multiport transceivers). A packet that collides is counted only once in the output packets.

Firewall Mode            Security Context
Routed  Transparent      Single  Multiple Context  Multiple System
•       •                •       •                 —

Graph/Table

The Graph window shows a graph for the selected statistics. The Graph window can show up to four graphs and tables at a time. By default, the graph or table displays the real-time statistics. If you enable History Metrics, page 6-6, you can view statistics for past time periods.

Fields

• View—Sets the time period for the graph or table.

Fields

Select a PPPoE interface—Select the interface for which you want to view PPPoE client lease information.
Refresh—Loads the latest PPPoE connection information from the security appliance for display.

interface connection

The interface connection node in the Monitoring > Interfaces tree only appears if static route tracking is configured. If you have several routes tracked, there will be a node for each interface that contains a tracked route.

Modes

Firewall Mode            Security Context
Routed  Transparent      Single  Multiple Context  Multiple System
•       —                •       —                 —
C H A P T E R 42 Monitoring VPN The VPN Monitoring sections show parameters and statistics for the following: • VPN statistics for specific Remote Access, LAN-to-LAN, Clientless SSL VPN, and E-mail Proxy sessions • Encryption statistics for tunnel groups • Protocol statistics for tunnel groups • Global IPSec and IKE statistics • Crypto statistics for IPSec, IKE, SSL, and other protocols • Statistics for cluster VPN server loads VPN Connection Graphs Displays VPN connection data in graphical or
• Remove—Moves the selected tunnel type from the Selected Graphs box to the Available Graphs box.
• Show Graphs—Displays a window consisting of graphs of the tunnel types displayed in the Selected Graphs box. Each type in the window displayed has a Graph tab and a Table tab you can click to alternate the representation of active tunnel data.

Modes
Firewall Mode: Routed •  Transparent —
Security Context: Single •  Multiple Context —  Multiple System —

VPN Statistics
These panels show detailed parameters and statistics for a specific remote-access, LAN-to-LAN, Clientless SSL VPN, or E-mail Proxy session. The parameters and statistics differ depending on the session protocol. The contents of the statistical tables depend on the type of connection you select.

The contents of the second table, also unlabeled, on this panel depend on the selection in the Filter By list. In the following list, the first-level bullets show the Filter By selection, and the second-level bullets show the column headings for this table.
• Remote Access—Indicates that the values in this table relate to remote access traffic.
  – Username/Tunnel Group—Shows the username or login name and the tunnel group for the session.
  – Bytes Tx/Bytes Rx—Shows the total number of bytes transmitted to/received from the remote peer or client by the security appliance.
• Clientless SSL VPN—Indicates that the values in this table relate to Clientless SSL VPN traffic.
  – Username/IP Address—Shows the username or login name for the session and the IP address of the client.
  – Protocol/Encryption—Shows the protocol and the data encryption algorithm this session is using, if any.

Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed •  Transparent —
Security Context: Single •  Multiple Context —  Multiple System —

Session Details
The Session Details window displays configuration settings, statistics, and state information about the selected session.
  – Unknown—Posture validation is in progress.
The posture token is an informational text string that is configurable on the Access Control Server. The ACS downloads the posture token to the security appliance for informational purposes to aid in system monitoring, reporting, debugging, and logging. The typical posture token that follows the NAC result is one of the following: Healthy, Checkup, Quarantine, Infected, or Unknown.
Redirect URLs remain in force until either the IPSec session ends or posture revalidation occurs, at which point the ACS downloads a new access policy that can contain a different redirect URL or no redirect URL.
More—Press this button to revalidate or initialize the session or tunnel group.
The ACL tab displays the ACL containing the ACEs that matched the session.
The buttons in this window are as follows:
Note: Choose Monitoring > VPN > VPN Statistics > NAC Session Summary if you want to revalidate or initialize all sessions that are subject to posture validation.
• Revalidate Session—Click if the posture of the peer or the assigned access policy (that is, the downloaded ACL, if any) has changed. Clicking this button initiates a new, unconditional posture validation.
• Encryption Statistics—Shows the statistics for all the data encryption algorithms in use by currently active sessions.
  – Encryption Algorithm—Lists the encryption algorithm to which the statistics in this row apply.
  – Sessions—Lists the number of sessions using this algorithm.
  – Percentage—Indicates the percentage of sessions using this algorithm relative to the total active sessions, as a number. The sum of this column equals 100 percent (rounded).
• N/A—Number of peers for which NAC is disabled according to the VPN NAC group policy.
• Revalidate All—Click if the posture of the peers or the assigned access policies (that is, the downloaded ACLs) have changed. Clicking this button initiates new, unconditional posture validations of all NAC sessions managed by the security appliance.

Modes
Firewall Mode: Routed •  Transparent —
Security Context: Single •  Multiple Context —  Multiple System —

VLAN Mapping Sessions
This panel displays the number of sessions assigned to an egress VLAN, as determined by the value of the Restrict Access to VLAN parameter of each group policy in use. The security appliance forwards all traffic to the specified VLAN.
Field
• Active VLAN Mapping Sessions—Number of VPN sessions assigned to an egress VLAN.

Modes
Firewall Mode: Routed •  Transparent —
Security Context: Single •  Multiple Context —  Multiple System —

Crypto Statistics
This panel displays the crypto statistics for currently active user and administrator sessions on the security appliance. Each row in the table represents one crypto statistic.
Fields
• Show Statistics For—Selects a specific protocol: IKE Protocol (the default), IPSec Protocol, SSL Protocol, or other protocols.

Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed •  Transparent —
Security Context: Single •  Multiple Context —  Multiple System —

Cluster Loads
Use this panel to view the current traffic load distribution among the servers in a VPN load-balancing cluster. If the server is not part of a cluster, you receive an information message saying that this server does not participate in a VPN load-balancing cluster.

Note: These statistics are for SSO with SiteMinder and SAML Browser Post Profile servers only.
Fields
• Show Statistics For SSO Server—Selects an SSO server.
• SSO Statistics—Shows the statistics for all the currently active sessions on the selected SSO server.
  – Number of rejects
  – Number of timeouts
  – Number of unrecognized responses
• Refresh—Updates the statistics shown in the SSO Statistics table.
• Clear SSO Server Statistics—Resets statistics for the displayed server.
Chapter 43 Monitoring Routing
You can use ASDM to monitor OSPF LSAs, OSPF and EIGRP neighbors, and the routing table. To access the routing monitoring screens, go to Monitoring > Routing in the ASDM interface.

Monitoring OSPF LSAs
The Type 1 pane displays all Type 1 LSAs received by the security appliance. Each row in the table represents a single LSA.
Fields
• Process—Display only. Displays the OSPF process for the LSA.
• Area—Display only. Displays the OSPF area for the LSA.
• Router ID—Display only. Displays the OSPF router ID of the router originating the LSA.
• Advertiser—Display only. Displays the ID of the router originating the LSA.

Modes
Firewall Mode: Routed •  Transparent —
Security Context: Single •  Multiple Context —  Multiple System —

Type 3
Type 3 LSAs are summary link advertisements that are passed between areas. They describe the networks within an area.
Fields
• Process—Display only. Displays the OSPF process for the LSA.
• Area—Display only. Displays the OSPF area for the LSA.
• Destination—Display only. Displays the address of the destination network being advertised.
• Sequence #—Display only. Displays the link state sequence number. The link state sequence number is used to detect old or duplicate LSAs.
• Checksum—Display only. Displays the checksum of the contents of the LSA.

Fields
• Process—Display only. Displays the OSPF process for the LSA.
• Area—Display only. Displays the OSPF area for the LSA.
• Network—Display only. Displays the address of the external network.
• Advertiser—Display only. Displays the router ID of the ASBR that sent the LSA.
• Age—Display only. Displays the age of the link state.
• Sequence #—Display only. Displays the link state sequence number.

Monitoring OSPF Neighbors
  – 2-Way—This state designates that bidirectional communication has been established between the security appliance and the neighbor. Bidirectional means that each device has seen the hello packet from the other device. This state is attained when the router receiving the hello packet sees its own Router ID within the neighbor field of the received hello packet.
• Interface—Display only. Displays the interface on which the OSPF neighbor has formed an adjacency.

Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed •  Transparent —
Security Context: Single •  Multiple Context —  Multiple System —

Monitoring EIGRP Neighbors
The EIGRP Neighbors pane displays dynamically discovered EIGRP neighbors. Statically defined neighbors do not appear in this pane.

Modes
Firewall Mode: Routed •  Transparent —
Security Context: Single •  Multiple Context —  Multiple System —

Displaying Routes
The Routes pane displays the statically configured, connected, and discovered routes in the security appliance routing table.
Fields
• Protocol—Display only. Displays the origin of the route information.
  – RIP—The route was derived using RIP.
  – OSPF—The route was derived using OSPF.
  – EIGRP—The route was derived using EIGRP.
Chapter 44 Monitoring Properties
This chapter includes the following sections:
• Monitoring AAA Servers, page 44-1
• Monitoring Device Access, page 44-4
• Connection Graphs
• CRL
• DNS Cache
• IP Audit
• System Resources Graphs
• WCCP

Monitoring AAA Servers
This section includes the following topics:
• Viewing AAA Server Statistics, page 44-1
• Updating the Operational State of an AAA Server, page 44-2
• Fields Used to Monitor AAA Servers, page 44-3

Viewing AAA Server Statistic
Step 1 From the ASDM toolbar, click Monitoring. The monitoring functions display in the left-hand Navigation pane.
Step 2 Click Properties. The Properties Navigation pane opens.
Step 3 Click AAA Servers. The AAA Servers dialog box opens in the right-hand pane, displaying a list of the configured AAA servers.
Step 4 Click the row for the server whose statistics you want to monitor.
The dialog box closes.

Fields Used to Monitor AAA Servers
The following table describes the fields for monitoring AAA Servers.
Field | Description
Server Group | The name of the server group where the server resides.
Protocol | The protocol used by the AAA server group.
IP Address | The IP address for the AAA server.
Status | The operational status of the AAA server.

Modes
Firewall Mode: Routed •  Transparent •
Security Context: Single •  Multiple Context •  Multiple System —

Monitoring Device Access
This section includes the following topics:
• Monitoring User Lockouts
• Monitoring Authenticated Users
• Monitoring Active Sessions
• Fields Used to Monitor Device Access

Monitoring User Lockouts
This section includes the following topics:
• Viewing Lockouts, page 44-4
• Removing All User Lockouts, page 44-5
• R
Step 2 Click Properties. The Properties Navigation pane opens.
Step 3 Click the plus (+) symbol next to Device Access. The list of Device Access functions expands below it.
Step 4 Click AAA Local Locked Out Users. The AAA Local Locked Out Users dialog box opens in the right-hand pane, displaying a list of users who failed to successfully authenticate with an AAA server.
All lockouts from the security appliance are removed and the usernames are removed from the list.

Removing One User Lockout
Use this procedure to remove a lockout for one user who was locked out of the security appliance after failing to successfully authenticate with an AAA server.
Prerequisites
• You are connected to the security appliance using ASDM.

Prerequisites
• You are connected to the security appliance using ASDM.
• You have already completed the initial security appliance configurations included in the ASDM startup wizard. For more information, see Using the Startup Wizard, page 5-1.
• You have already configured the servers and server groups that are being managed by the security appliance. For more information, see the Summary of Support, page 14-3.
• You have already configured the security appliance access for the session traffic you want to monitor. See the procedures in one of the following sections:
  – Configuring Device Access for ASDM, Telnet, or SSH, page 16-1
  – Configuring CLI Parameters, page 16-2
Procedure
To monitor active sessions, perform the following steps:
Step 1 From the ASDM toolbar, click Monitoring. The monitoring functions display in the left-hand Navigation pane.

The following table describes the fields for monitoring active SSH sessions.
Field | Description
Client | The client type for the selected SSH session.
User | The user name for the selected SSH session.
State | The state of the selected SSH session.
Version | The version of SSH used to connect to the security appliance.
Encryption (In) | The inbound encryption method used for the selected session.

Procedure
To disconnect an active security appliance session, perform the following steps:
Step 1 From the ASDM toolbar, click Monitoring. The monitoring functions display in the left-hand Navigation pane.
Step 2 Click Properties. The Properties Navigation pane opens.
Step 3 Click the plus (+) symbol next to Device Access. The list of Device Access functions expands below it.
Step 4 Click ASDM/HTTPS/Telnet/SSH Sessions.

Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed •  Transparent •
Security Context: Single •  Multiple Context •  Multiple System —

Fields for Monitoring Users Who Have Authenticated with a Server
The following table describes the fields for monitoring authenticated users.
Field | Description
User | The usernames of users who have successfully authenticated with an authentication server.

Connection Graphs
Perfmon
The Perfmon pane lets you view the performance information in a graphical format. You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.
Fields
• Available Graphs—Lists the components you can graph.
  – AAA Perfmon—Displays the security appliance AAA performance information.
  – Inspection Perfmon—Displays the security appliance inspection performance information.
• Show Graphs—Click to display a new or updated graph window.

Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed •  Transparent •
Security Context: Single •  Multiple Context •  Multiple System —

CRL
This pane allows you to view or clear the CRLs associated with selected CA certificates.
Fields
• CA Certificate Name—Choose the name of the selected certificate from the drop-down list.
• View CRL—Click to view the selected CRL.

DNS Cache
• If new entries arrive but there is no room in the cache because the size was exceeded or no more memory is available, the cache is thinned by one third, based on the age of the entries. The oldest entries are removed.
Fields
• Host—Shows the DNS name of the host.
• IP Address—Shows the address that resolves to the hostname.
• Permanent—Indicates whether the entry was made through a name command.

IP Audit
  Impossible IP Packet (1102)
  IP Teardrop (1103)
  – ICMP Requests—Shows the packet count for the following signatures:
    Echo Request (2004)
    Time Request (2007)
    Info Request (2009)
    Address Mask Request (2011)
  – ICMP Responses—Shows the packet count for the following signatures:
    Echo Reply (2000)
    Source Quench (2002)
    Redirect (2003)
    Time Exceeded (2005)
    Parameter Problem (2006)
  – ICMP Replies—Shows the packet count for the following signatures:
    Unreachable (2001)
    Tim
  – RPC Requests to Target Hosts—Shows the packet count for the following signatures:
    Port Registration (6100)
    Port Unregistration (6101)
    Dump (6102)
  – YP Daemon Portmap Requests—Shows the packet count for the following signatures:
    ypserv Portmap Request (6150)
    ypbind Portmap Request (6151)
    yppasswdd Portmap Request (6152)
    ypupdated Portmap Request (6153)
    ypxfrd Portmap Request (6154)
  – Miscellaneous Portmap Requests—Shows the packet count for the

System Resources Graphs
Blocks
This pane lets you view the free and used memory blocks. You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.
Fields
• Available Graphs—Lists the components you can graph.
  – Blocks Used—Displays the security appliance used memory blocks.
  – Blocks Free—Displays the security appliance free memory blocks.

Modes
Firewall Mode: Routed •  Transparent •
Security Context: Single •  Multiple Context •  Multiple System —

Memory
This pane lets you view the memory utilization. You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.
Fields
• Available Graphs—Lists the components you can graph.
  – Free Memory—Displays the security appliance free memory.
  – Used Memory—Displays the security appliance used memory.

WCCP
Service Groups
This pane allows you to view and refresh the service group, the display mode, and the hash settings, which include the source and destination IP addresses and the source and destination port numbers.
Fields
• Service Group—Choose the applicable service group from the drop-down list.
• Display Mode—Choose the display mode from the drop-down list.
• Destination IP Address—Specify the destination IP address.
• WCCP Interface Statistics—Display only. Shows the current WCCP interface statistics.
Chapter 45 Monitoring Logging
You can view real-time syslog messages that appear in the log buffer. When you open the Cisco ASDM 6.1(3) for ASA 8.0(4) main application window, the most recent ASDM system log messages appear at the bottom of a scrolling window. You can use these messages to help troubleshoot errors or monitor system usage and performance. For a description of the Logging feature, see Chapter 17, “Configuring Logging.”

Log Buffer
Modes
Firewall Mode: Routed •  Transparent •
Security Context: Single •  Multiple Context •  Multiple System —

Log Buffer Viewer
The Log Buffer Viewer pane lets you view messages that appear in the log buffer, an explanation of the message, details about the message, and recommended actions to take, if necessary, to resolve an error. To access this pane, choose Monitoring > Logging > Log Buffer > View.

Modes
Firewall Mode: Routed •  Transparent •
Security Context: Single •  Multiple Context •  Multiple System —

Real-Time Log Viewer
The Real-Time Log Viewer lets you view real-time syslog messages in a separate window. To access this pane, choose Monitoring > Logging > Real-Time Log Viewer.
• Click Save Log to save the contents of the log to your computer.
• Click Clear Display to clear the list of messages.
• Click Color Settings to specify that messages of different severity levels display in different colors.
• Click Create Access Rule to create an access control rule that performs the opposite action of the access control rule that originally generated the message.
Chapter 46 Monitoring Failover
Failover monitoring in ASDM depends upon the mode of the device. In single context mode, or within a security context in multiple context mode, you can monitor the state of failover for the device and view stateful failover statistics.

Monitoring Failover in Single Context Mode or in a Security Context
Fields
Failover state of the system—Display only. Displays the failover state of the security appliance. The information in this field is the same output you would receive from the show failover command. The following information is included in the display:
Note: Only a subset of the fields below appear when viewing the failover status within a security context.
  – *Active Time—The amount of time, in seconds, that the unit has been in the active state.
  – *[context_name] Interface name (n.n.n.n)—For each interface, the display shows the IP address currently being used on each unit, as well as one of the following conditions. In multiple context mode, the context name appears before each interface.
    Failed—The interface has failed.
  – VPN DHCP upd—Tunneled DHCP connection information.
• *Logical Update Queue Information—Displays the following statistics:
  – Recv Q—The status of the receive queue.
  – Xmit Q—The status of the transmit queue.
  The following information is displayed for each queue:
  – Cur—The current number of packets in the queue.
  – Max—The maximum number of packets.
  – Total—The total number of packets.

Fields
• Available Graphs for—Lists the types of statistical information available for monitoring. You can choose up to four statistic types to display in one graph window. Double-clicking a statistic type in this field moves it to the Selected Graphs field. Single-clicking a statistic type in this field selects the entry. You can select multiple entries.

Monitoring Failover in the System Execution Space
You can monitor the failover status of the system and of the individual failover groups in the system context. See the following topics for monitoring failover status from the system context:
• System
• Failover Group 1 and Failover Group 2
For More Information
For more information about failover in general, see Understanding Failover.

• Monitored Interfaces—Displays the number of interfaces whose health you are monitoring for failover.
• failover replication http—Specifies that HTTP replication is enabled.
• Group x Last Failover—Displays the time and date the last failover occurred for each failover group.
  – UDP conn—Dynamic UDP connection information.
  – ARP tbl—Dynamic ARP table information.
  – L2BRIDGE tbl—Layer 2 bridge table information (transparent firewall mode only).
  – Xlate_Timeout—Indicates connection translation timeout information.
  – VPN IKE upd—IKE connection information.
  – VPN IPSEC upd—IPSec connection information.
  – VPN CTCP upd—cTCP tunnel connection information.
  – VPN SDI upd—SDI AAA connection information.
For More Information
For more information about failover in general, see Understanding Failover.

Failover Group 1 and Failover Group 2
The Failover Group 1 and Failover Group 2 panes display the failover state of the selected group. You can also control the failover state of the group by toggling the active/standby state of the group or by resetting a failed group.
Fields
Failover state of Group[x]—Display only.
  – xmit—Number of packets transmitted to the other unit
  – xerr—Number of errors that occurred while transmitting packets to the other unit
  – rcv—Number of received packets
  – rerr—Number of errors that occurred while receiving packets from the other unit
The following are the stateful object field types:
  – General—Sum of all stateful objects.
  – sys cmd—Logical update system commands; for example, LOGIN and Stay Alive.

Modes
Firewall Mode: Routed •  Transparent •
Security Context: Single —  Multiple Context —  Multiple System •
For More Information
For more information about failover in general, see Understanding Failover.
Chapter 47 Monitoring Trend Micro Content Security
Note: The ASA 5580 does not support the CSC SSM feature.
ASDM lets you monitor the CSC SSM statistics as well as CSC SSM-related features. For an introduction to the CSC SSM, see About the CSC SSM.
Note: If you have not completed the CSC Setup Wizard in Configuration > Trend Micro Content Security > CSC Setup, you cannot access the panes under Monitoring > Trend Micro Content Security.

• Show Graphs—Click to display a new window that shows a Graph tab and an updated graph with the selected statistics. Click the Table tab to display the same information in tabular form.
• From the Graph or Table tab, click Export in the menu bar or choose File > Export to save the graph or tabular information as a file on your local PC.

Live Security Events
Live Security Events Log
The Live Log dialog box lets you view real-time security event messages that are received from the CSC SSM. You can filter security event messages based on text you specify.
Fields
• Filter By: Choose one of the following from the drop-down list.
  – Show All—Displays all messages.
  – Filter by Text—Lets you filter the messages to view based on text you enter.
• Filter—Click to filter the messages.
For More Information
See Managing the CSC SSM.

Software Updates
The Software Updates pane displays information about updates to the CSC SSM software. This pane refreshes automatically every ten seconds. To access this pane, choose Monitoring > Trend Micro Content Security > Software Updates.
Fields
• Component—Displays names of parts of the CSC SSM software that can be updated.

Resource Graphs
Fields
• Available Graphs—Lists the components whose statistics you can view in a graph.
  – CSC CPU, CPU Utilization—Displays statistics for CPU usage on the CSC SSM.
• Graph Window Title—Shows the graph window name to which you want to add a statistics type. If a graph window is already open, a new graph window is listed by default. To add a statistics type to an already open graph, choose the open graph window name.
• Remove—Click to remove the selected statistics type from the Selected Graphs list.
• Show Graphs—Click to display a new window that shows a Graph tab and an updated graph with the selected statistics. Click the Table tab to display the same information in tabular form.
• From the Graph or Table tab, click Export in the menu bar or choose File > Export to save the graph or tabular information as a file on your local PC.
Part 6 Reference

Appendix A Feature Licenses
This appendix describes feature licenses per model.
Table A-1 ASA 5505 Adaptive Security Appliance License Features (continued)
ASA 5505 | Base License | Security Plus
TLS Proxy for SIP and Skinny Inspection | Supported | Supported
Failover | No support | Active/Standby (no stateful failover)
GTP/GPRS | No support | No support
Maximum VLANs/Zones | 3 (2 regular zones and 1 restricted zone that can only communicate with 1 other zone) | 20
No support Unlimited 10 K 25 K Max.

ASA 5510 Feature Licenses
Table A-2 ASA 5510 Adaptive Security Appliance License Features (continued)
ASA 5510 | Base License | Security Plus
Max. VLANs | 50 | 100
Concurrent Firewall Conns 2 | 50 K | 130 K
Max. Physical Interfaces | Unlimited | Unlimited
Encryption | Base (DES); Optional license: Strong (3DES/AES) | Base (DES); Optional license: Strong (3DES/AES)
Min. RAM | 256 MB (default) | 256 MB (default)
1.

ASA 5540 Feature Licenses
Table A-4 ASA 5540 Adaptive Security Appliance License Features
ASA 5540 | Base License
Users, concurrent | Unlimited
Security Contexts | 2; Optional licenses: 5, 10, 20, 50
VPN Sessions 1 | 5000 combined IPSec and Clientless SSL VPN
Max. IPSec Sessions | 5000
Max.

ASA 5550 Feature Licenses
Table A-5 ASA 5550 Adaptive Security Appliance License Features (continued)
ASA 5550 | Base License
VPN Load Balancing | Supported
TLS Proxy for SIP and Skinny Inspection | Supported
Failover | Active/Standby or Active/Active
GTP/GPRS | None; Optional license: Enabled
Max. VLANs | 250
Concurrent Firewall Conns 2 | 650 K
Max. Physical Interfaces | Unlimited
Encryption | Base (DES); Optional license: Strong (3DES/AES)
Min. RAM | 4 GB (default)
1.

ASA 5580 Feature Licenses
Table A-6 ASA 5580 Adaptive Security Appliance License Features (continued)
ASA 5580 | Base License
Encryption | Base (DES); Optional license: Strong (3DES/AES)
Min. RAM | 4 GB (default)
1. Although the maximum IPSec and Clientless SSL VPN sessions add up to more than the maximum VPN sessions, the combined sessions should not exceed the VPN session limit.

PIX 525 Feature Licenses
Table A-8 PIX 525 Security Appliance License Features
PIX 525 | R (Restricted) | UR (Unrestricted) | FO (Failover) 1 | FO-AA (Failover Active/Active) 1
Users, concurrent | Unlimited | Unlimited | Unlimited | Unlimited
Security Contexts | No support | 2; Optional licenses: | 2; Optional licenses: | 2; Optional licenses:
IPSec Sessions | 2000 | 2000 | 2000 | 2000
Clientless SSL VPN Sessions | No support | No support | No support | No support
VPN Lo

PIX 535 Feature Licenses
Table A-9 PIX 535 Security Appliance License Features
PIX 535 | R (Restricted) | UR (Unrestricted) | FO (Failover) 1 | FO-AA (Failover Active/Active) 1
Users, concurrent | Unlimited | Unlimited | Unlimited | Unlimited
Security Contexts | No support | 2; Optional licenses: | 2; Optional licenses: | 2; Optional licenses:
IPSec Sessions | 2000 | 2000 | 2000 | 2000
Clientless SSL VPN Sessions | No support | No support | No support | No support
VPN Load Balancing | No support
A P P E N D I X B Troubleshooting This appendix describes how to troubleshoot the security appliance, and includes the following sections: • Testing Your Configuration, page B-1 • Reloading the Security Appliance, page B-6 • Performing Password Recovery, page B-7 • Using the ROM Monitor to Load a Software Image, page B-10 • Erasing the Flash File System, page B-11 • Other Troubleshooting Tools, page B-12 • Common Problems, page B-13 Testing Your Configuration This section describes how to te
Appendix B Troubleshooting Testing Your Configuration Step 1 To show ICMP packet information for pings to the security appliance interfaces, enter the following command: hostname(config)# debug icmp trace Step 2 To set system log messages to be sent to Telnet or SSH sessions, enter the following command: hostname(config)# logging monitor debug You can alternately use the logging buffer debug command to send log messages to a buffer, and then view them later using the show logging command.
Figure: Network Diagram with Interfaces, Routers, and Hosts (a transparent security appliance and a routed security appliance, with hosts and routers on the outside (security0), dmz1, dmz2 (security40) and dmz3 interfaces)
Figure B-3 Ping Failure Because of IP Addressing Problems (labels: Ping; Router 192.168.1.2; Security Appliance 192.168.1.1; Host 192.168.1.2)

Step 3 Ping each security appliance interface from a remote host. For transparent mode, ping the management IP address.
hostname(config-cmap)# policy-map ICMP-POLICY
hostname(config-pmap)# class ICMP-CLASS
hostname(config-pmap-c)# inspect icmp
hostname(config-pmap-c)# service-policy ICMP-POLICY global

Alternatively, you can also apply the ICMP access list to the destination interface to allow ICMP traffic back through the security appliance.

Step 4 Ping from the host or router through the source interface to another host or router on another interface.
Step 4 (Optional) To disable the ICMP inspection engine, enter the following command:

hostname(config)# no service-policy ICMP-POLICY

Traceroute

You can trace the route of a packet using the traceroute feature, which is accessed with the traceroute command. A traceroute works by sending UDP packets to a destination on an invalid port.
Performing Password Recovery

This section describes how to recover passwords if you have forgotten them or you are locked out because of AAA settings, and how to disable password recovery for extra security.
Step 11 When prompted for the password, press Enter. The password is blank.
You can log in with the default login password of “cisco” and the blank enable password.

The following example shows password recovery on a PIX 500 series security appliance with the TFTP server on the outside interface:

monitor> interface 0
0: i8255X @ PCI(bus:0 dev:13 irq:10)
1: i8255X @ PCI(bus:0 dev:14 irq:7 )
Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54ff.82b9
monitor> address 10.21.1.99
address 10.21.1.99
monitor> server 172.18.
of the command does not change the setting. If you disable password recovery when the security appliance is configured to ignore the startup configuration at startup (in preparation for password recovery), then the security appliance changes the setting to load the startup configuration as usual.
Step 6 Ping the TFTP server by entering the ping server command.

rommon #7> ping server
Sending 20, 100-byte ICMP Echoes to server 10.129.0.30, timeout is 4 seconds:
Success rate is 100 percent (20/20)

Step 7 Load the software image by entering the tftp command.

rommon #8> tftp
ROMMON Variable Settings:
ADDRESS=10.132.44.177
SERVER=10.129.0.30
GATEWAY=10.132.44.1
PORT=Ethernet0/0
VLAN=untagged
IMAGE=f1/asa800-232-k8.
Other Troubleshooting Tools

The security appliance provides other troubleshooting tools that you can use.
User's Identity not Preserved Across Contexts

If your network will be organized into multiple contexts, be aware that, when changing contexts, the user identity is not preserved. The user becomes a default (enable_15) user in the new context, with Administrative access (privilege level 15 access).

Common Problems

This section describes common problems with the security appliance, and how you might resolve them.
Symptom Traffic does not pass between two interfaces on the same security level.
Possible Cause You did not enable the feature that allows traffic to pass between interfaces at the same security level.
Recommended Action Enable this feature.
Appendix C Configuring an External Server for Authorization and Authentication

This appendix describes how to configure an external LDAP, RADIUS, or TACACS+ server to support AAA on the security appliance. Before you configure the security appliance to use an external server, you must configure the server with the correct security appliance authorization attributes and, from a subset of these attributes, assign specific permissions to individual users.
Understanding Policy Enforcement of Permissions and Attributes

The security appliance supports several methods of applying user authorization attributes (also called user entitlements or permissions) to VPN connections.
Figure C-1 Policy Enforcement Flow (labels: Dynamic Access Policy (DAP); User Attributes; Group Policy Attributes; Group Policy Attributes Associated with Connection Profile; System Default Group Policy Attributes)

Configuring an External LDAP Server

The VPN 3000 Concentrator and the ASA/PIX 7.0 required a Cisco LDAP schema for authorization operations. Beginning with Version 7.1.
Your LDAP configuration should reflect the logical hierarchy of your organization. For example, suppose an employee at your company, Example Corporation, is named Terry. Terry works in the Engineering group. Your LDAP hierarchy could have one or many levels. You might decide to set up a shallow, single-level hierarchy in which Terry is considered a member of Example Corporation.
Table C-1 Example Search Configurations

#  LDAP Base DN                                              Search Scope  Naming Attribute  Result
1  group=Engineering,ou=People,dc=ExampleCorporation,dc=com  One Level     cn=Terry          Quicker search
2  dc=ExampleCorporation,dc=com                              Subtree       cn=Terry          Longer search

Binding the Security Appliance to the LDAP Server

Some LDAP servers (including the Microsoft Active Directory server) require the se
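The two rows of Table C-1 differ in more than speed: the base DN and scope decide which entries a lookup on the naming attribute can reach at all. The following added example, which is not code from the Cisco guide, models that with a small in-memory directory. DIRECTORY, the second "Terry" under ou=Contractors, and the scope names base/onelevel/subtree are constructed for the illustration; the real search is performed by the LDAP server the security appliance binds to.

```python
"""Added example (not from the Cisco ASDM guide): how LDAP base DN and
search scope decide which entries a naming-attribute lookup can reach."""
from typing import Dict, List, Tuple

# Constructed directory for Example Corporation: DN -> attributes.
# Terry the engineer sits three levels below the domain root; an unrelated
# second "Terry" sits under ou=Contractors.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "dc=ExampleCorporation,dc=com": {"objectClass": "domain"},
    "ou=People,dc=ExampleCorporation,dc=com": {"objectClass": "organizationalUnit"},
    "group=Engineering,ou=People,dc=ExampleCorporation,dc=com": {"objectClass": "group"},
    "cn=Terry,group=Engineering,ou=People,dc=ExampleCorporation,dc=com": {"cn": "Terry", "uid": "terry"},
    "cn=Pat,group=Engineering,ou=People,dc=ExampleCorporation,dc=com": {"cn": "Pat", "uid": "pat"},
    "ou=Contractors,dc=ExampleCorporation,dc=com": {"objectClass": "organizationalUnit"},
    "cn=Terry,ou=Contractors,dc=ExampleCorporation,dc=com": {"cn": "Terry", "uid": "terry.c"},
}


def split_dn(dn: str) -> List[str]:
    """Split a DN into lower-cased RDNs (the constructed data has no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def search(base_dn: str, scope: str, naming_attr: str, value: str) -> Tuple[List[str], int]:
    """Return (matching DNs, number of entries examined) for one search.

    scope is 'base', 'onelevel' (Table C-1 "One Level") or 'subtree'. An entry
    is examined only when it lies under the base DN and the scope allows it.
    """
    if scope not in ("base", "onelevel", "subtree"):
        raise ValueError(f"unknown scope {scope!r}")
    base = split_dn(base_dn)
    matches: List[str] = []
    examined = 0
    for dn, attrs in DIRECTORY.items():
        rdns = split_dn(dn)
        depth = len(rdns) - len(base)
        # The entry's DN must end with the base DN's RDNs to be under the base.
        if depth < 0 or rdns[-len(base):] != base:
            continue
        if scope == "base" and depth != 0:
            continue
        if scope == "onelevel" and depth != 1:
            continue
        examined += 1
        if attrs.get(naming_attr) == value:
            matches.append(dn)
    return matches, examined


if __name__ == "__main__":
    print("Table C-1 row 1:", search("group=Engineering,ou=People,dc=ExampleCorporation,dc=com", "onelevel", "cn", "Terry"))
    print("Table C-1 row 2:", search("dc=ExampleCorporation,dc=com", "subtree", "cn", "Terry"))
    print("base one level too high:", search("ou=People,dc=ExampleCorporation,dc=com", "onelevel", "cn", "Terry"))
```

Row 1 examines two entries and returns exactly one DN. Row 2 examines the whole tree and, in this constructed directory, returns two DNs because the naming attribute cn=Terry is not unique below the root; the third call shows the opposite failure, a one-level search whose base is one container too high and therefore finds nothing. Choose the base DN and scope so that exactly one entry can match the user, and test the configuration with a name that also exists elsewhere in the tree.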
For software Version 7.0, LDAP attributes include the cVPN3000 prefix. For Version 7.1 and later, this prefix was removed.

Supported Cisco Attributes for LDAP Authorization

This section provides a complete list of attributes (Table C-2) for the ASA 5500, VPN 3000, and PIX 500 series security appliances.
Table C-2 Security Appliance Supported Cisco Attributes for LDAP Authorization (continued)

Columns: Attribute Name | VPN 3000 | ASA | PIX | Syntax/Type | Single or Multi-Valued | Possible Values

DHCP-Network-Scope Y Y Y String Single IP address
DN-Field Y Y Y String Single Possible values: UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, use-entire-name.
Table C-2 (continued)

IPSec-Backup-Servers Y String Single 1 = Use Client-Configured list; 2 = Disabled and clear client list; 3 = Use Backup Server list
String Single Specifies the name of the filter to be pushed to the client a
Table C-2 (continued)

L2TP-Encryption Y Integer Single Bitmap: 1 = Encryption required; 2 = 40 bit; 4 = 128 bits; 8 = Stateless-Req; 15 = 40/128-Encr/Stateless-Req
L2TP-MPPC-Compression Y
MS-Client-Subnet-Mask Y Y
PFS-Required Y
Table C-2 (continued)

Required-Client-Firewall-Product-Code Y Integer Single Y Y Cisco Systems Products: 1 = Cisco Intrusion Prevention Security Agent or Cisco Integrated Client (CIC). Zone Labs Products: 1 = Zone Alarm; 2 = Zone A
Table C-2 (continued)

WebVPN-Apply-ACL-Enable Y Y Integer Single 0 = Disabled; 1 = Enabled
WebVPN-Citrix-Support-Enable Y Y Integer Single 0 = Disabled; 1 = Enabled
WebVPN-Content-Filter-Parameters Y Y Integer Single 1 =
Table C-2 (continued)

WebVPN-SVC-Client-DPD Y Y Integer Single 0 = Disabled; n = Dead Peer Detection value in seconds (30 - 3600)
WebVPN-SVC-Compression Y Y Integer Single 0 = None; 1 = Deflate Compression
WebVPN-SVC-Enable
Table C-3 AV-Pair Attribute Syntax Rules

Field     Description
Protocol  Number or name of an IP protocol. Either an integer in the range 0 - 255 or one of the following keywords: icmp, igmp, ip, tcp, udp.
Source    Network or host that sends the packet. Specify it as an IP address, a hostname, or the keyword “any.” If using an IP address, the source wildcard mask must follow.
Table C-4 Security Appliance-Supported Tokens

Token  Syntax Field  Description
IP     Protocol      Internet Protocol (IP)
0      Protocol      Internet Protocol (IP)
TCP    Protocol      Transmission Control Protocol (TCP)
6      Protocol      Transmission Control Protocol (TCP)
UDP    Protocol      User Datagram Protocol (UDP)
17     Protocol      User Datagram Protocol (UDP)
any    Hostname      Rule applies to any host.
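Tables C-3 and C-4 give the field rules and tokens of an AV-pair access list entry. The following added example, which is not code from the Cisco guide, parses entries with those rules and evaluates sample packets against them, so that a misordered entry or an inverted mask shows up before the list is pushed to a client. Assumed beyond what the page shows: the entry form ip:inacl#<seq>=<permit|deny> <protocol> <source> [<src-wildcard>] <destination> [<dst-wildcard>], a destination written like the source, no port or log keywords, and an implicit deny when no entry matches. The sample entries are constructed.

```python
"""Added example (not from the Cisco ASDM guide): parse and evaluate
ip:inacl AV-pair entries using the Table C-3 field rules and Table C-4 tokens."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTOCOL_NAMES = {"ip": 0, "icmp": 1, "igmp": 2, "tcp": 6, "udp": 17}  # Table C-3 keywords
_AV_PAIR = re.compile(r"^ip:inacl#(\d+)=(.+)$")  # assumed entry prefix
_ALL_ONES = 0xFFFFFFFF

# Endpoint = ("any", None, None) | ("host", name, None) | ("ip", address_int, wildcard_int)
Endpoint = Tuple[str, Optional[object], Optional[int]]


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str
    protocol: int  # 0 means "ip", which matches any protocol
    src: Endpoint
    dst: Endpoint


def _ipv4(token: str) -> Optional[int]:
    try:
        return int(ipaddress.IPv4Address(token))
    except ipaddress.AddressValueError:
        return None


def _parse_protocol(token: str) -> int:
    if token.lower() in PROTOCOL_NAMES:
        return PROTOCOL_NAMES[token.lower()]
    if token.isdigit() and 0 <= int(token) <= 255:
        return int(token)
    raise ValueError(f"bad protocol {token!r}: need 0-255 or icmp/igmp/ip/tcp/udp")


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[Endpoint, int]:
    """Parse one source/destination field at tokens[i]; return it and the next index."""
    if i >= len(tokens):
        raise ValueError("missing source or destination")
    tok = tokens[i]
    if tok.lower() == "any":
        return ("any", None, None), i + 1
    addr = _ipv4(tok)
    if addr is None:  # Table C-3 allows a hostname
        return ("host", tok.lower(), None), i + 1
    # Table C-3: when an IP address is used, the wildcard mask must follow it.
    wild = _ipv4(tokens[i + 1]) if i + 1 < len(tokens) else None
    if wild is None:
        raise ValueError(f"wildcard mask must follow IP address {tok}")
    return ("ip", addr, wild), i + 2


def parse_av_pair(text: str) -> Ace:
    m = _AV_PAIR.match(text.strip())
    if not m:
        raise ValueError(f"not an ip:inacl AV-pair: {text!r}")
    tokens = m.group(2).split()
    if len(tokens) < 2 or tokens[0].lower() not in ("permit", "deny"):
        raise ValueError("entry must start with permit or deny followed by a protocol")
    protocol = _parse_protocol(tokens[1])
    src, i = _parse_endpoint(tokens, 2)
    dst, i = _parse_endpoint(tokens, i)
    if i != len(tokens):
        raise ValueError(f"unexpected trailing tokens: {tokens[i:]}")
    return Ace(int(m.group(1)), tokens[0].lower(), protocol, src, dst)


def is_valid_av_pair(text: str) -> bool:
    try:
        parse_av_pair(text)
        return True
    except ValueError:
        return False


def _endpoint_matches(spec: Endpoint, value: str) -> bool:
    kind, a, wild = spec
    if kind == "any":
        return True
    if kind == "host":
        return value.lower() == a
    v = _ipv4(value)
    if v is None:
        return False
    # Wildcard semantics: a 1 bit means "don't care", so only the 0 bits are compared.
    return ((v ^ a) & (~wild & _ALL_ONES)) == 0


def evaluate(acl: List[Ace], protocol: int, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First entry that matches (in sequence order) decides; (deny, None) is the assumed implicit deny."""
    for ace in sorted(acl, key=lambda e: e.seq):
        if ace.protocol not in (0, protocol):
            continue
        if _endpoint_matches(ace.src, src) and _endpoint_matches(ace.dst, dst):
            return ace.action, ace.seq
    return "deny", None


# Constructed sample: three downloadable ACL entries as a AAA server might return them.
SAMPLE_AV_PAIRS = [
    "ip:inacl#1=permit tcp 10.1.1.0 0.0.0.255 192.168.2.10 0.0.0.0",
    "ip:inacl#2=deny ip 10.1.1.0 0.0.0.255 any",
    "ip:inacl#3=permit ip any any",
]
SAMPLE_ACL = [parse_av_pair(s) for s in SAMPLE_AV_PAIRS]
```

A useful check to run on any entry before deploying it is an inverted mask: "permit ip 10.1.1.0 255.255.255.0 any" reads like a /24 but, under wildcard semantics, permits any source whose last octet is 0 and rejects 10.1.1.7, which evaluate() on that single entry shows directly.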
Configuring an External RADIUS Server

This section presents an overview of the RADIUS configuration procedure and defines the Cisco RADIUS attributes.
Table C-5 Security Appliance Supported RADIUS Attributes and Values

Columns: Attribute Name | VPN 3000 | ASA | PIX | Attr.
Table C-5 (continued)

Columns: Attribute Name | VPN 3000 | ASA | PIX | Attr. # | Syntax/Type | Single or Multi-Valued | Description or Value

WebVPN-Port-Forwarding-Name Y Y 79 String Single String name (example, “Corporate-Apps”). This text replaces the default string, “Application Access,” on the clientless portal home page.
Table C-5 (continued)

SVC-Ask Y Attr.
Note To use TACACS+ attributes, make sure you have enabled AAA services on the NAS.

Table C-6 lists supported TACACS+ authorization response attributes for cut-through-proxy connections. Table C-7 lists supported TACACS+ accounting attributes.