Cisco SystemsメーカーASA 5585-Xの使用説明書/サービス説明書
ページ先へ移動 of 712
Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco we bsite at www.cisco.com/go/ offices. Cisco A S A S eries Fire w all CLI Conf iguration Guide Sof tw are V ers ion 9.
THE SPECIFICATION S AND INFORMAT ION REGARDING THE PRODUCTS IN THIS MA NUAL ARE SUBJ ECT TO CHANGE WITHOUT NOT ICE. ALL STATEMENTS , INFORMATION , AND RECOMMEN DATIONS I N THIS MANUA L ARE BELIEVE D TO BE ACCURATE BUT ARE PRESENTED WI THOUT WARRANTY OF ANY KIND, EX PRESS OR IMPLIED.
iii Cisco ASA Series Firewall CLI Configuration Guide CONTENTS About This Guide xxv Document Objectives xxv Related Documentation xxv Conventi ons xxv Obtaining Documentation and Submitting a Serv ice.
Contents iv Cisco ASA Series Firewall CLI Configuration Guide Applying Inspection and Connection Limits to HTTP Traffic to Sp ecific Servers 1-20 Applying Inspection to HTTP Traffic with NAT 1-21 Feat.
Contents v Cisco ASA Series Firewall CLI Configuration Guide Main Differences Between Network Ob ject NAT and Twice NAT 3-13 Information About Network Object NAT 3-14 Information About Twice NAT 3-14 .
Contents vi Cisco ASA Series Firewall CLI Configuration Guide DNS Server and FTP Server on Ma pped Interface, FTP Server is Translate d (Static NAT with DNS Modification) 4-25 IPv4 DNS Server and FTP .
Contents vii Cisco ASA Series Firewall CLI Configuration Guide Access Rule s for Returning Traffic 6-5 Allowing Broadcast and Multicast Traffic through the Transparent Fire wall Using Access Rules 6-5.
Contents viii Cisco ASA Series Firewall CLI Configuration Guide Configuring a RADIUS Server to Downl oad Per-User Ac cess Control List Names 7-21 Configuring Accounting for Network Access 7-21 Using M.
Contents ix Cisco ASA Series Firewall CLI Configuration Guide IP Options Inspec tion Overview 10-24 Configuring an IP Options Inspection Poli cy Map fo r Additional Inspection Control 10-25 IPsec Pass.
Contents x Cisco ASA Series Firewall CLI Configuration Guide Verifying and Monitorin g MGCP Inspection 11 -14 RTSP Inspection 11-14 RTSP Inspection Overv iew 11-15 Using RealPlayer 11-1 5 Restrictions.
Contents xi Cisco ASA Series Firewall CLI Configuration Guide RSH Inspection 13-10 SNMP Insp ection 13-10 SNMP Insp ection Ove rview 13-10 Configuring an SNMP Inspection Policy Ma p for Additional Ins.
Contents xii Cisco ASA Series Firewall CLI Configuration Guide Working with Certificates in the Unified Communication Wizard 15 -23 Exporting an Identity Certificate 15-23 Installing a Certificate 15-.
Contents xiii Cisco ASA Series Firewall CLI Configuration Guide Creating the TLS Proxy Instance for a Non-secure Cisco UCM Cluster 16-20 Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster 16-21.
Contents xiv Cisco ASA Series Firewall CLI Configuration Guide CTL Client Overview 17-3 Licensing for the TLS Proxy 17-5 Prerequisites for the TLS Proxy for Encrypted Voice Inspection 17-7 Configuring.
Contents xv Cisco ASA Series Firewall CLI Configuration Guide Configuration Requirements for XMPP Federation 19-6 Licensing for Cisco Unified Presence 19 -7 Configuring Cisco Unified Presen ce Proxy f.
Contents xvi Cisco ASA Series Firewall CLI Configuration Guide Configuring the Cisco UC-IMC Pro xy by usin g the UC-IME Proxy Pane 20-30 Configuring the Cisco UC-IMC Proxy by us ing the Unified Commun.
Contents xvii Cisco ASA Series Firewall CLI Configuration Guide Licensing Requirement s for QoS 23-5 Guidelines and Limitations 23-5 Configuring QoS 23-6 Determining the Queue and TX Ring Limits for a.
Contents xviii Cisco ASA Series Firewall CLI Configuration Guide Cloud Web Security Actions 25-5 Bypassing Scanning with White lists 25-6 IPv4 and IPv6 Support 25 -6 Failover from Primary to Backup Pr.
Contents xix Cisco ASA Series Firewall CLI Configuration Guide Botnet Traffic Filter Address Types 26-2 Botnet Traffic Filter Actions for Known Addresses 26-2 Botnet Traffic Filter Databases 26-2 Info.
Contents xx Cisco ASA Series Firewall CLI Configuration Guide Configuring Advanced Threat Detection Statistics 27-6 Information About Advanced Threat Detection Statistics 27-6 Guidelines and Limitatio.
Contents xxi Cisco ASA Series Firewall CLI Configuration Guide Configuration Examples for Java Applet Filtering 29-5 Feature History for Java Applet Filtering 29-6 Filtering URLs and FTP Requests with.
Contents xxii Cisco ASA Series Firewall CLI Configuration Guide (ASA 5512-X through ASA 5555-X; May Be Required) Installing the Software Module 30-12 (ASA 5585-X) Changing the ASA CX Management IP Add.
Contents xxiii Cisco ASA Series Firewall CLI Configuration Guide ASA 5512-X through ASA 5555-X (Software Mo dule) 31-9 ASA 5505 31-10 Sessioning to the M odule from the ASA 31-11 (ASA 5512-X through A.
Contents xxiv Cisco ASA Series Firewall CLI Configuration Guide Additional References 32-18 Feature History for the CSC SSM 32-19 I NDEX.
xxv Cisco ASA Series Firewall CLI Configuratio n Guide About This Guide This preface introduces Cisco ASA Series F ir e wall CLI Conf igur ation Guide and includes the follo wing sections: • Documen.
xxvi Cisco ASA Series Firewall CLI Configuration Guide Note Means reader take note . Ti p Means the following inf ormation will help you sol ve a pr o blem . Caution Means re a d e r b e c a re f u l . In this situation, you might perform an action t hat could result in equipment damage or loss of dat a.
P AR T 1 Conf iguring Service P olicies Using the Modular P olicy F rame work.
.
CH A P T E R 1-1 Cisco ASA Series Firewall CLI Configuratio n Guide 1 Configuring a Service Policy Using the Modular Policy Framework Service polici es using Modular Pol icy Fram ew ork provide a consistent and f lexible w ay to configure ASA features.
1-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Information About Service Policies Supported Features Ta b l e 1 - 1 lists the features supported by Modul ar Policy Frame work.
1-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Information About Service Policies Note When you use a global policy ,.
1-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Information About Service Policies For e x ample, if a packet matches a class map for co nnection limits, and also matches a class map fo r an application inspection, then both actions are applied.
1-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Information About Service Policies Incompatibility of Certain Feature Actions Some features are not compatible w i th each other for the same traf fic.
1-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Licensing Requirement s for Service Policies class ftp inspect ftp Fea.
1-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Guidelines and Limitations • TCP normalization • TCP state bypass .
1-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Default Settings Default Settings The follo wing topics describe the d.
1-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Task Flows for Co nfiguring Se rvice Polici es inspect ip-options _def.
1-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Task Flows for Configuring Service Policies Step 1 Identify the traf fic—Identify th e traf fic on which you want t o perform Modular Polic y Framework actions by creating Layer 3/4 class maps.
1-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Task Flows for Co nfiguring Se rvice Polici es See the “Defining Actions (Layer 3/ 4 Policy Map)” section on pa ge 1-15 and the “ Applying Actions to an Interface (Service Policy)” section on page 1-17 .
1-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Identifying Traffic (Layer 3/4 Class Maps) T raff ic shaping can only be applied the to class-default class map.
1-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Identifying Traffic (Layer 3/4 Cla ss Maps) match access-list access_list_name Example: hostname(config-cmap)# match access-list udp Matches traffic specified by an extended A CL.
1-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Identifying Traffic (Layer 3/4 Class Maps) Examples The follo wing is.
1-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Defining Act ions (Layer 3/4 Poli cy Map) Detailed Steps Defining Actions (Layer 3/4 Policy Map) This section describes how to associate actions with Layer 3/4 class ma ps by creatin g a Layer 3/4 policy map.
1-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Defining Actions (Layer 3/4 Policy Map) Detailed Steps Examples The follo wing is an example of a policy-map command for con nection polic y .
1-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Applying Actions to an Interface (Service Policy) The follo wing exam.
1-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Monitoring Modular Policy Framework Detailed Steps Examples For e xam.
1-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Configuration Examples for Modular Policy Framew ork Applying Inspect.
1-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Configuration Examples for Modular Policy Framework ciscoasa(config)#.
1-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 1 Configuring a Service Po licy Using the Modular Policy Framework Configuration Examples for Modular Policy Framew ork ciscoasa(config).
1-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Configuring a Service Po licy Using the Modular Polic y Framework Feature History for Service Policies Feature History for Service Policies Ta b l e 1 - 3 lists the release history for this feature.
CH A P T E R 2-1 Cisco ASA Series Firewall CLI Configuratio n Guide 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) Modular Policy Frame work lets you conf igure specia l actions for man y application inspections.
2-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Con figuring Special Actions fo r Application Inspections (Inspe ction Policy Map) Guidelines and Limitations policy map is that you can create more comple x match criteria and you can reuse class maps.
2-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 2 Configuring Special Actions for Ap plication Inspections (Inspection Policy Map) Default Inspection Policy Maps A class map is determin.
2-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Con figuring Special Actions fo r Application Inspections (Inspe ction Policy Map) Defining Actions in an Inspection Policy Map Note There are other default inspect ion policy maps such as _default_esmtp_map .
2-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 2 Configuring Special Actions for Ap plication Inspections (Inspection Policy Map) Identifying Traffic in an Inspection Class Map Examples The follo wing is an example o f an HTTP inspection polic y map and the related class maps.
2-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Con figuring Special Actions fo r Application Inspections (Inspe ction Policy Map) Identifying Traffic in an Inspection Class Map Restrictions Not all application s support inspection cl ass maps.
2-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 2 Configuring Special Actions for Ap plication Inspections (Inspection Policy Map) Where to Go Nex t Where to Go Next T o use an inspection pol icy , see Chapter 1, “Configuring a Service Poli cy Using the Modular Po licy Frame work.
2-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Con figuring Special Actions fo r Application Inspections (Inspe ction Policy Map) Feature History for Inspection Policy Maps.
P AR T 2 Conf iguring Network A ddress T ranslation.
.
CH A P T E R 3-1 Cisco ASA Series Firewall CLI Configuratio n Guide 3 Information About NAT This chapter pro vides an ove rview of h ow Netw ork Address T ranslation (N A T) works on the ASA.
3-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT Terminology One of the main functions of N A T is to enable pr iv ate IP networks to conn ect to the In ternet.
3-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT Types NAT Types • N A T T ypes Overvi ew , page 3-3 • Static NA T , page 3-3 • Dynamic N A T , page 3-.
3-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT Types Figure 3-1 sho ws a typical static NA T scenar io. The translation is always act iv e so both real and remote hosts can initiate co nnections. Figure 3-1 Static NA T Note Y ou can disable bidirect ionality if desired.
3-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT Types Note For ap plications that r equire application i nspection for secondary channels (for example, FTP and V oIP), the ASA automatically transl ates the second ary ports.
3-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT Types For e xample, you hav e a load balancer at 10.1.2 .27.
3-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT Types Figure 3-5 sho ws a typical many-to- few static N A T scenario.
3-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT Types Note For the duratio n of the translatio n, a remote host can initiate a connection to th e translated host if an access rule allows it. Because the address is unpr edictabl e, a connectio n to the ho st is unlikely .
3-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT Types Figure 3-7 sho ws a typical dynamic P A T scenario. Only real hosts can crea te a NA T session, and responding traf fic is al lo wed back. The mapped addr ess is the same for each translation, b ut the port is dynamically assigned.
3-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT in Routed a nd Transpar ent Mode Identity NAT Y o u might ha ve a N A T configur ation in which you need to transl ate an IP address to itself.
3-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT in Routed and Transparent Mode NAT in Routed Mode Figure 3-9 sho ws a typical N A T example in rou ted mode, with a pri vate netw ork on the inside. Figure 3-9 NA T Exam pl e: Routed Mode 1.
3-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT in Routed a nd Transpar ent Mode Figure 3-1 0 NA T Exampl e: T ranspar ent Mode 1. When the inside host at 10.1.1.75 sends a packet to a w eb server , the real source address of the packet, 10.
3-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT and IPv6 NAT and IPv6 Y ou can use N A T to translate between IPv6 netw orks, and also to translate between IPv4 and IPv6 networks (rou ted mode only).
3-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT How NAT is Implemen ted • How source and destinati on N A T is implemented. – Network obj ect N A T— Each rule can apply to either the source or desti n ation of a pack et.
3-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT How N AT is Im plemented T wice N A T also lets you use service objects for static N A T with port translation; networ k object NA T only accepts inline def inition.
3-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT How NAT is Implemen ted Figure 3-12 sho ws the use of source and destination ports . The host on the 10.1.2.0/24 network accesses a single host for both web ser vices and T elnet se rvices.
3-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT How N AT is Im plemented Figure 3-13 sho ws a remote host con n ecting to a mapp ed host. The mapped h ost has a twice static N A T translation that translates the real address only for traf fic to and from the 2 09.
3-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT Rule Order NAT Rule Order Network ob ject N A T rules an d twice NA T rules a re stored in a single table that is divided into t hree sections. Sectio n 1 rules are appl ied first, then section 2, an d finally section 3, unt il a match is fo und.
3-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT Interfaces For section 2 r ules, for example, you ha ve the foll ow ing IP addresses def ined within netw ork objects: 192.168.1.0/24 ( static) 192.168.1.0/ 24 (dynamic) 10.
3-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT Routing NAT Packets Mapped Addresses and Routing When you translate the real addres s to a mapped address, the mapped address you choose determines ho w to conf igure routing , if necessary , for the mapped address.
3-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT Routing NAT Packets Figur e 3-14 Pro xy ARP Problems with Identity NA T In rare cases, you need proxy ARP for identity N A T ; for example for virt ual T elnet.
3-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT for VPN Determining the Egress Interface When the ASA receives traf fic for a mapped address, the ASA unstran slates the destination address according to the NA T rule, and then it sends the packet on to the real address.
3-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT for VPN NAT and Remote Access VPN Figure 3-17 sh ow s both an inside serv er (10.
3-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT for VPN Figur e 3-18 Identity NA T for VPN Clients See the follo wing sample N A T conf iguration for the a.
3-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT for VPN Figur e 3-19 Interf ace P A T and Identity NA T for Sit e-to-Site VPN Figure 3-20 sho ws a VPN clie nt connected to ASA1 (Boul der), with a T elnet request for a server (10.
3-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT NAT for VPN object network vpn_local subnet 10.3.3.0 255.255.255.0 nat (outside,outside) dynamic interface ! Identify inside Boulder network, & perform object interface PAT when going to Internet: object network boulder_inside subnet 10.
3-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT NAT for VPN Figure 3-21 sho ws a VPN client T elnet ting to the ASA inside interface.
3-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT DNS and NAT ! Use twice NAT to pass traffic between the inside network and the VPN client without ! address tra.
3-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT DNS and NAT Figure 3-22 sho ws a D NS server that is access ible from the outside interface. A serv er, ftp .cisco.com, is on the inside interface. Y ou co nfigure the ASA to st atic ally translate the ft p.
3-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT DNS and NAT a static rule between the inside and DMZ, then you al so need to enable DNS reply modif ication on this rule. The DNS reply will then be modif ied two times.
3-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT DNS and NAT Figure 3-24 sho ws an FTP server and DNS server on the outside. The ASA has a static translation for the outside serv er . In this case, when an inside us er requests the address fo r ftp.
3-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT DNS and NAT Because you want inside users to use the mapped address for ftp.cisco.com (200 1:DB8::D1A5:C8E1) you need to conf igure DNS reply modif ication for the stat ic translation.
3-33 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 3 In formation About NAT Where to Go Nex t Figure 3-26 sho ws an FTP server and DNS server on the outside. The ASA has a static translation for the outside server . In this case, wh en an inside user performs a rev e rse DNS lookup for 10.
3-34 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Info rmation Abo ut NAT Where to Go Next.
CH A P T E R 4-1 Cisco ASA Series Firewall CLI Configuratio n Guide 4 Configuring Network Object NAT All N A T rules that are configured as a paramete r of a network object are considered to be network object NAT rules. Net work object N A T is a quick an d easy way to configure N A T for a single IP address, a range of addresses, or a subnet.
4-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Licensing Requirements for Network Object NAT Licensing Requirements for Network Object NAT The follo w.
4-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Default Settings Additional Guidelines • Y ou can only def ine a single NA T rule for a gi ven object.
4-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT Configuring Network Object NAT This section descri bes ho w to conf igur.
4-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuring Ne twork Object NAT Detailed Steps Configuring Dynamic NAT This section descri bes ho w to conf igure network object N A T for dynamic NA T . For more information, see the “Dynamic N A T” section on page 3-7 .
4-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT Examples The follo wing example conf igures dynamic N A T that hides 192.168.2.0 network beh ind a range of outside addresses 10.
4-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuring Ne twork Object NAT ciscoasa(config-network-object)# host 10.
4-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT • If you enable e xtended P A T for a dynamic P A T rule, then you cannot also us e an address in the P A T pool as the P A T address in a separate static N A T -with-port-translation rule.
4-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuring Ne twork Object NAT Step 4 nat [ ( real_ifc , mapped_ifc ) ] dynamic { mapped_inline_host_i.
4-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT Examples The follo wing example conf igures dynamic P A T that hides the 192.168.2.0 netw ork behind address 10.2.2.2: ciscoasa(config)# object network my-inside-net ciscoasa(config-network-object)# subnet 192.
4-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuring Ne twork Object NAT The follo wing example conf igures dynamic P A T with a P A T pool to translate the inside IPv6 network to an outside IPv4 network: ciscoasa(config)# object network IPv4_POOL ciscoasa(config-network-object)# range 203.
4-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT Step 3 { host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2 } Example: ciscoasa(config-network-object)# subnet 10.
4-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuring Ne twork Object NAT Step 4 nat [ ( real_ifc , mapped_ifc ) ] static { mapped_inline_ip | m.
4-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT Examples The follo wing example conf igures static N A T for the real host 10.1.1.1 o n the inside to 10.2.2.2 on the outside with DNS rewrite enabled.
4-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuring Ne twork Object NAT Example The follo wing example maps a host address to it self using an inline mapped ad dress: ciscoasa(config)# object network my-host-obj1 ciscoasa(config-network-object)# host 10.
4-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuring Network Object NAT The follo wing example maps a host address to it self using a network o bject: ciscoasa(config)# object network my-host-obj1-identity ciscoasa(config-network-object)# host 10.
4-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Monitoring Ne twork Object NAT Detailed Steps Examples The follo wing example creates a deny rule for H.323 traf fic, so that it uses multi-session P A T : ciscoasa(config)# xlate per-session deny tcp any4 209.
4-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuration Examples for Network Object N AT Configuration Examples for Network Object NAT This sect.
4-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuration Examp les for Network Objec t NAT Providing Access to an Inside Web Server (Static NAT) The follo wing example performs static N A T for an inside web server .
4-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuration Examples for Network Object N AT Figur e 4-2 Dynamic NA T for Inside, Static NA T for Ou.
4-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuration Examp les for Network Objec t NAT Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many) The follo wing example sho ws an inside load balancer that is translated to multiple IP addresses.
4-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuration Examples for Network Object N AT Single Address for FTP, HTTP, and SMTP (Static NAT-with.
4-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuration Examp les for Network Objec t NAT Step 5 Create a network object for the SMTP server add.
4-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuration Examples for Network Object N AT When an inside host sends a DNS request for the add r ess of ftp.cisco.com, the DNS server replies with the mapped address (209.
4-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuration Examp les for Network Objec t NAT DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS Modification) Figure 4-6 sho ws an FTP server and DNS server on the outs id e.
4-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Configuration Examples for Network Object N AT IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real Interface (Static NAT64 with DNS64 Modification) Figure 4-6 sho ws an FTP server and DNS server on the outside IPv4 netw ork.
4-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Configuration Examp les for Network Objec t NAT Step 2 Configure N A T for the DNS server . a. Create a network object for the DNS server address. ciscoasa(config)# object network DNS_SERVER b.
4-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Feature History for Network Object NAT Feature History for Network Object NAT Ta b l e 4 - 1 lists each feature change and the platfo rm release in which it was impl emented.
4-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Feature Hist ory for Netwo rk Object NA T Flat range of P A T ports for a P A T pool 8.4(3) If av aila ble, the real source port number is used for the mapped port.
4-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Feature History for Network Object NAT Automatic N A T rules to translate a VPN peer’ s local IP address back to the peer’ s real IP address 8.
4-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 4 Configuring Network O bject NAT Feature Hist ory for Netwo rk Object NA T N A T support for rev erse DNS lookups 9.
4-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Co nfiguring Network Ob ject NAT Feature History for Network Object NAT.
CH A P T E R 5-1 Cisco ASA Series Firewall CLI Configuratio n Guide 5 Configuring Twice NAT T wice N A T lets you identify both the source and destin ation address in a single rule.
5-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Licensing Require ments for Twice NAT T wice N A T also lets you use service objects for static N A T -with-port-translation; netw ork object N A T only accepts inline definition.
5-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Guidelines and Limitations • For routed mode, you can also translate between IPv4 and IPv6. • For transparent mode, translating between IPv4 and IPv6 netw orks is not supported.
5-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Default Settings • Y ou can use the same objects in mul tiple rules. • The mapped IP address pool cann ot include: – The mapped interface IP address. If you specify any interf ace for the rule, then all interface I P addresses are disallowed.
5-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Guidelines • A network ob ject group can contain objects and/or in line addresses of eith er IPv4 or IPv6 addresses. The group cannot co ntain both IPv4 and IPv6 addresses; it must co ntain one type only .
5-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT Detailed Steps (Optional) Adding Service Objec ts for Real and Mapped Ports Config ure servi.
5-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT • Source Dynami c P A T (Hide)—Source Dynamic P A T does not support port transl ation.
5-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT Detailed Steps Command Purpose Step 1 Create network objects or groups for t he: • Source .
5-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Step 3 nat [ ( real_ifc , mapped_ifc ) ] [ line |{ after-auto [ line ]}] source dynamic { .
5-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT (Continued) • Destination addresses (Optional): – Mapped—Specify a netw ork object or group, or for stati c interface N A T with port translation only , specify the interfac e keyw ord.
5-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Examples The follo wing example configures dynamic N A T for inside network 10 .1.1.0/24 whe n accessing servers on the 209.165.201 .1/27 network as well as serv ers on the 203.
5-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT • If av ailable, the real source port number is used for the mapped port.
5-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Detailed Steps Command Purpose Step 1 Create network objects or groups for t he: • Sour.
5-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT Step 3 nat [ ( real_ifc , mapped_ifc ) ] [ line |{ after-auto [ line ]}] source dynamic { r.
5-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT (continued) For a P A T pool, you can specify one or more of t he follo wing options: -- Round robin—Th e round-r obin keyw ord enables round-robin address allocati on for a P A T pool.
5-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT (continued) • Destination addresses (Optional): – Mapped—Specify a netw ork object or group, or for stati c interface N A T with port translation o nly (routed mode), specify the interf ace keyw ord.
5-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Examples The follo wing example conf igures interface P A T for inside network 192 .168.1.0/24 when accessi ng outside T elnet server 209.165 .
5-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT Configuring Static NAT or Static NAT-with-Port-Translation This section describes ho w to configure a static N A T rule using twice NA T . For more informatio n about static N A T , see the “S tatic NA T” section on page 3-3 .
5-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Step 3 nat [ ( real_ifc , mapped_ifc ) ] [ line |{ after-object [ line ]}] source static .
5-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT Examples The following e xample shows the use of static interface N A T with port translation.
5-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT to the command k eyw ords; the actual source and dest ination address and port in a packet depends on which host sent the packet.
5-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuring Twice NAT Detailed Steps Command Purpose Step 1 Create network objects or groups for t he: • Source.
5-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuri ng Twice NAT Step 3 nat [ ( real_ifc , mapped_ifc ) ] [ line |{ after-object [ line ]}] source static .
5-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Monitoring Twice NAT Configuring Per-Session PAT Rules By default, all TCP P A T traffic and all UDP DNS traf fic uses per-session P A T .
5-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuration Examples for Twice NAT Configuration Examples for Twice NAT This section includes the following co.
5-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuration Examples for Twice NAT Step 4 Config ure the first twice N A T rule: ciscoasa(config)# nat (inside,.
5-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Configuration Examples for Twice NAT Different Translation Depending on the De stination Address and Port (Dynamic PAT) Figure 5-2 sho ws the use of source and destination port s.
5-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Configuration Examples for Twice NAT Step 5 Config ure the first twice N A T rule: ciscoasa(config)# nat (inside,.
5-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Feature History for Twice NAT Feature History for Twice NAT Ta b l e 5 - 1 lists each feature change and the platfo rm release in which it was imple mented.
5-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Feature History for Twice NAT Round robin P A T pool allocation uses the same IP address for existing hosts 8.
5-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 5 Configuring Twice NAT Feature History for Twice NAT Automatic N A T rules to translate a VPN peer’ s local IP address back to the peer’ s real IP address 8.
5-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 Configuring Twice NAT Feature History for Twice NAT N A T support for rev erse DNS lookups 9.0(1) N A T now supports tran slation of the DNS PTR record fo r re verse DNS lo okups when using IPv4 N A T , IPv6 N A T , and N A T64 with DNS inspection enabled for the N A T rule.
P AR T 3 Conf iguring Access Contr ol.
.
CH A P T E R 6-1 Cisco ASA Series Firewall CLI Configuratio n Guide 6 Configuring Access Rules This chapter describes ho w to control netw ork acce ss through t he ASA using access rul es and includes.
6-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 6 Con figuring Access Rules Information About Access Rules • Information Ab out EtherT ype Rules, page 6-6 General Information About Rul.
6-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 6 Configuring Access Rules Information About Access Rules Implicit Deny A CLs have an implicit deny at the end of the list, so un less you exp licitly permit i t, traf fic cannot pass.
6-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 6 Con figuring Access Rules Information About Access Rules Figur e 6-1 Outbound ACL See the follo wing commands for this example: ciscoasa(config)# access-list OUTSIDE extended permit tcp host 10.
6-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 6 Configuring Access Rules Information About Access Rules Firewall Mode Guidelines Supported in routed an d tr ansparent f irewall mod e.
6-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 6 Con figuring Access Rules Information About Access Rules Ta b l e 6 - 1 lists common traff ic types that you can allow through the transparen t fire wa ll. Management Access Rules Y ou can config ure access rules that control management traff ic destined to the ASA.
6-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 6 Configuring Access Rules Licensing Requiremen ts for Access Ru les Access Rules for Returning Traffic Because EtherT ypes are conne ctionless, you need to a pply the rule to both interf aces if you want traf fic to pass in both direct ions.
6-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 6 Con figuring Access Rules Guidelines and Limitations Per-User ACL Guidelines • The per-user A CL uses the value in the timeout uauth command, b u t it can be ov erridden by the AAA per-u ser session timeout v alue.
6-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 6 Configuring Access Rules Guidelines and Limitations Detailed Steps Examples The follo wing example sho ws how to use the access-group command: hostname(config)# access-list outside_access permit tcp any host 209.
6-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 6 Con figuring Access Rules Monitoring Access Rule s Monitoring Access Rules T o monitor network access, enter the follo w ing command: C.
6-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 6 Configuring Access Rules Feature History for Access Rules hostname (config-service)# service-object tcp source range 2000 3000 hostnam.
6-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 6 Con figuring Access Rules Feature History for Access Rules Unif ied A CL for IPv4 and IPv6 9.0(1) A CLs now supp ort IPv4 and IPv6 addresses. Y ou can e ven specify a mix of IPv4 and IPv6 addresses fo r the source and destination.
CH A P T E R 7-1 Cisco ASA Series Firewall CLI Configuratio n Guide 7 Configuring AAA Rules for Network Access This chapter describes ho w to enable AAA (pronounced “triple A”) for network access. For information about AAA for management access, see the general operations configuration guide.
7-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Guidelines and Limitations Guidelines and Limitations This section includes the guid elines and limitations for th is feature. Context Mode Guidelines Supported in single and mult iple conte xt mode.
7-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access One-Time Authentication A user at a gi ven I P address only needs to authenticat e one time for all rules and types, u ntil the authentication session e xpires.
7-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentic ation for Ne twork Access Note If you use HTTP authenticati on, by defaul.
7-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access • For T elnet and FTP traf fic, users must log in thro ugh the cut-throug h proxy server and again to the T elnet and FTP servers.
7-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentic ation for Ne twork Access nat (inside,outside) static 10.48.66.155 service tcp 111 889 Then users do not see the authentication page.
7-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access Configuring Network Access Authentication T o c.
7-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentic ation for Ne twork Access Examples The follo wing example authenticates a.
7-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access The following e xample shows a typical cut-through proxy co nfigu ration to allo w a user to log in through the ASA.
7-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentic ation for Ne twork Access For more inf ormation about authentication, see the “Info rmation About Authen tication” section on page 7-2 .
7-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access nat (inside,outside) static 10.
7-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentic ation for Ne twork Access Authenticating Telnet Connecti ons with a Virt.
7-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authentication fo r Network Access Examples The follo wing example sho ws how to enable virtual T elnet together with AAA authentication for ot her services: ciscoasa(config)# virtual telnet 209.
7-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authoriz ation for Network Access Configuring Authorization for Network Access After a user authenticates for a giv en connection, the ASA can use authorization to further control traff ic from the user .
7-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Auth orization for Network Acce ss T o conf igure T A CA CS+ authorization, perfo.
7-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authoriz ation for Network Access Examples The follo wing example authenticates an d authorizes inside T elnet traff ic. T e lnet traf fic to serv e rs other than 209.
7-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Auth orization for Network Acce ss ciscoasa(config-aaa-server-host)# key TACPlusU.
7-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authoriz ation for Network Access • Simplified and centralize d manage ment of ACLs—Do w nloadable ACLs enable you to w rite a set of A CLs once and apply it to many user or gro up prof iles and distrib ute it to many ASAs.
7-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Auth orization for Network Acce ss .
7-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Authoriz ation for Network Access The do wnloaded A C L on the ASA consists of th e follo wing lines: access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.
7-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Accounting fo r Network Access Converting Wildcard Netma sk Expressions in Downlo.
7-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Configuring Accoun ting for Network Ac cess T o conf igure accounting, perform the follo wing steps: Examples The follo wing example authenticates, au thorizes, and accoun ts for inside T elnet traf f ic.
7-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Using MAC Addresses to Ex empt Traffi c from Authentica tion and Authorization ciscoasa(confi.
7-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Using MAC Addresses to Exempt Traffic from Authenticatio n and Authorization T o use MA C addr.
7-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 7 Configuring AAA Rules for Network Access Feature History for AAA Rules The follo wing example bypasses au thentication for a a group of MAC addresses e xcept for 00a0.c95d.02b2. Enter the deny statement before the permit statement, because 00a0.
7-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 Configuring AAA Rules for Network Access Feature History for AAA Rules.
P AR T 4 Conf iguring Applic ation Inspection.
.
CH A P T E R 9-1 Cisco ASA Series Firewall CLI Configuratio n Guide 9 Getting Started with Application Layer Protocol Inspection This chapter descri bes how to configure application lay er protocol i nspection.
9-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Getti ng Started wit h Applicatio n Layer Protoc ol Inspection Information about Application Layer Protoc ol Inspection Figur e 9-1 How Inspec tion En gines W o r k In Figure 9-1 , operations are numbered in the order th ey occur , and are described as follows: 1.
9-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 9 Getting Started with Application Layer Protocol Inspection Guidelines and Limitations When you enable applicat ion inspection for a ser.
9-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Getti ng Started wit h Applicatio n Layer Protoc ol Inspection Default Settings and NAT Limitations Inspected protocols are subject to adv anced TCP-state tracking, and th e TCP state of these connections is not automatically replicated.
9-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 9 Getting Started with Application Layer Protocol Inspection Default Settings and NAT Limita tions ICMP ERR OR — — — — ILS (LD AP) TCP/389 No extended P A T . No N A T64. —— Instant Messagin g (IM) V aries by client No ext ended P A T .
9-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Getti ng Started wit h Applicatio n Layer Protoc ol Inspection Default Settings and NAT Limitations The default po licy conf iguration includes the follo wing commands: SIP TCP/5060 UDP/5060 No outside N A T .
9-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Applicati on Layer Protocol In spection class-map inspection_def.
9-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Getti ng Started wit h Applicatio n Layer Protoc ol Inspection Configuring Applicatio n Layer Pro tocol Inspection Y ou can specify a match access-list command along with the match default-inspection- traffi c command to narro w the matched traff ic to specific IP addresses.
9-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Applicati on Layer Protocol In spection • H323—See the “Conf iguring an H.
9-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Getti ng Started wit h Applicatio n Layer Protoc ol Inspection Configuring Applicatio n Layer Pro tocol Inspection class in Step 5 .
9-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 9 Getting Started with Application Layer Protocol Inspection Configuring Applicati on Layer Protocol In spection http [ map_name ] If yo.
9-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Getti ng Started wit h Applicatio n Layer Protoc ol Inspection Configuring Applicatio n Layer Pro tocol Inspection Step 6 T o acti v a .
CH A P T E R 10-1 Cisco ASA Series Firewall CLI Configuratio n Guide 10 Configuring Inspection of Basic Internet Protocols This chapter descri bes how to configure application lay er protocol i nspection.
10-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols DNS Inspection • Config uring DNS Inspection, page 10-8 • Monitoring DNS Insp.
10-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s DNS Inspection policy-map type inspect dns preset_dns_map parameters message-le.
10-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols DNS Inspection policy-map type inspect dns name Example: ciscoasa(config)# policy-map type inspect dns dns-map Creates an inspection polic y map in which you want t o match traf fic di rectly .
10-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s DNS Inspection Step 4 match [ not ] dns-class { eq { in | c_val }} | range c_va.
10-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols DNS Inspection Step 6 match [ not ] domain-name regex { regex_id | class class_id.
10-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s DNS Inspection Step 7 (If you are using a DNS inspection class map) policy-map .
10-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols DNS Inspection Examples The follo wing example sho ws a how to d efine a DN S inspection polic y map. regex domain_example “example.
10-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s DNS Inspection Examples The follo wing example sho ws a how to use a ne w inspe.
10-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols FTP Inspection For connections using a DNS serv er, the source port of the connection may be replaced by the IP address of DNS server i n the sho w conn command output.
10-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s FTP Inspection Using the strict Option Using the strict option with the inspect ftp command increases the security of protected netw orks by prev ent ing web browsers from sending embedded commands in FTP requests.
10-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols FTP Inspection Configuring an FTP Inspection Policy Map for Additional Inspection Control FTP command fi ltering and securit y checks are pro vided using strict FTP inspection for impro ved security and contr ol.
10-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s FTP Inspection d. (Optiona l) T o ma tch a file type for F TP transfe r , ente.
10-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols FTP Inspection Step 5 (Optional) T o add a description to the polic y map, enter the followi ng command: ciscoasa(config-pmap)# description string Step 6 T o apply actions to mat ching traf fic, perform the follo wing steps.
10-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s HTTP Inspection ciscoasa(config-pmap)# parameters ciscoasa(config-pmap-p)# mas.
10-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols HTTP Inspection The enhanced HTTP inspection feature, wh ich is also kno wn as a.
10-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s HTTP Inspection ciscoasa(config-cmap)# description string c.
10-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols HTTP Inspection Where the re ge x reg ex _ n a m e argument is the regul ar expressi on you created in Step 1 . The class r e gex_cl ass_name is the regular expression class map you crea ted in Step 2 .
10-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s HTTP Inspection The res e t ke yword drops t h e packet, cl oses the connec tion, and sends a TCP reset to the server and/or client.
10-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols ICMP Inspection ICMP Inspection The ICMP inspection engine allows ICMP traff ic to ha ve a “session” so it can be inspected like TCP and UDP traf fic.
10-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s Instant Messa ging Inspection Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control T o specify actions when a message violates a parame ter , create an IM inspection po licy map.
10-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols Instant Messaging In spection Where the re ge x reg ex _ n a m e argument is the regul ar expressi on you created in Step 1 . The class r e gex_cl ass_name is the regular expression class map you crea ted in Step 2 .
10-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s IP Options Inspection Y ou can specify multiple class or match commands in the policy map.
10-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols IP Options Inspection • IP Options Inspection Ov erview , page 10-24 • Confi.
10-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s IPsec Pass Through Inspection Configuring an IP Options Inspecti on Policy Map.
10-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols IPv6 Inspection • IPsec Pass Through Insp ection Ov ervie w , page 10-26 • .
10-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s IPv6 Inspection Information about IPv6 Inspection IPv6 inspection lets you selecti vely log or drop IPv6 traf fic based on the extensio n header .
10-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols IPv6 Inspection Detailed Steps Examples The following e xam ple creates an insp .
10-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s IPv6 Inspection drop log match header destination-option drop log match header.
10-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols NetBIOS Inspection Examples The follo wing example drops all IPv6 traf fic with .
10-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s NetBIOS Inspection Step 4 (Optional) T o add a description to the polic y map, enter the follo wing command: ciscoasa(config-pmap)# description string Step 5 T o apply actions to matching traf fic, perform the follo wing steps.
10-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols PPTP Inspection ciscoasa(config)# policy-map netbios_policy ciscoasa(config-pmap)# class inspection_default ciscoasa(config-pmap-c)# inspect netbios netbios_map PPTP Inspection PPTP is a protocol for tunneling PPP tr af fic.
10-33 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s SMTP and Extended SMTP Inspection includes support for SMTP sessions.
10-34 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols SMTP and Extende d SMTP Inspection T o specify actions when a message viola tes a parame ter , create an ESMTP inspect ion polic y map.
10-35 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 10 Configuring Insp ection of Basic Inte rnet Protocol s TFTP Inspec tion Step 6 T o conf igure parameters that af fect the inspection engine, perform the follo wing steps: a.
10-36 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 Configuring Inspe ction of Basic Internet Pr otocols TFTP Inspec tion.
CH A P T E R 11-1 Cisco ASA Series Firewall CLI Configuratio n Guide 11 Configuring Inspection for Voice and Video Protocols This chapter descri bes how to configure application lay er protocol i nspection.
11-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols CTIQBE Inspection Limitations and Restrictions The follo wing summarizes limitat.
11-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols H.323 Inspection The line be ginning with RTP/R TCP: PAT xlate s: appears onl y .
11-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols H.323 Inspection H.323 Inspection Overview H.323 inspection provides support for H.323 complia nt appl ications such as Cisco CallManage r and V ocalT e c Gatekeeper .
11-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols H.323 Inspection After inspecting the H.225 messages, t he ASA opens the H.245 channel and then inspects traf fic sent ov er the H.
11-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols H.323 Inspection • Only static N A T is fully supported. Static P A T may not properly translate IP addresses embedded in optional f ields within H.
11-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols H.323 Inspection b. (Optional) T o add a description to the class map , enter the follo wing command: ciscoasa(config-cmap)# description string Where string is th e description of the cl ass map (up to 200 characters).
11-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols H.323 Inspection Y ou can specify multiple class or match commands in the policy map.
11-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols H.323 Inspection The follo wing example sho ws how to confi g ure phone number f.
11-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols H.323 Inspection 0 Concurrent Call(s) for Local: 10.130.56.4/1050 Foreign: 172.30.254.205/1720 This output indi cates that there is curr ently 1 acti ve H.
11-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols MGCP Inspection Total: 1 GK Caller 172.30.254.214 10.130.56.14 This output sho ws that there is one acti ve registration between the gatekeeper 1 72.
11-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols MGCP Inspection MGCP transactions are composed of a command an d a mandatory response.
11-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols MGCP Inspection ciscoasa(config-pmap)# parameters ciscoasa(config-pmap-p)# b.
11-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols RTSP Inspection Verifying and Monitoring MGCP Inspection The show mgcp com mands command lists the number of MGCP com mands in the command queue.
11-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols RTSP Inspection RTSP Inspection Overview The R TSP inspection engine lets the ASA pass R TSP packets. R TSP is used by RealAudio, RealNetworks, Ap ple QuickT ime 4, Real Player, and Cisco IP/TV connections.
11-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols RTSP Inspection • Y o u can conf igure N A T for Apple QuickT ime 4 or RealPlayer . Cisco IP/TV only works with NA T if the V iewer and Content Manager are on the ou tside network and the serv er is on the inside network.
11-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols RTSP Inspection Where the re ge x reg ex _ n a m e argument is the regul ar expression you created i n Step 1 . The class r e gex_cl ass_name is the regular e xpression class map you create d in Step 2 .
11-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols SIP Inspection ciscoasa(config-pmap-p)# url-length-limit length Where the length ar gument specifies the URL length i n bytes (0 to 6000).
11-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols SIP Inspection T o support SIP calls through the ASA, signaling messages for th.
11-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols SIP Inspection SIP inspection has a database with indices CALL_ID/FR OM/TO from the SIP payload. These ind ices identify the call, the source, and the destination.
11-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols SIP Inspection Where the class_map_name is the name of the class map. The match-all ke yword is the def ault, and specifies that t raff ic must match all criteria to match the class map.
11-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols SIP Inspection Where the re ge x reg ex _ n a m e argument is the regul ar expressi on you created in Step 1 . The class r e gex_cl ass_name is the regular expression class map you crea ted in Step 2 .
11-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols SIP Inspection b. T o enable or disable instant messaging, enter the f o llo wing command: ciscoasa(config-pmap-p)# im c.
11-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols Skinny (SCCP) Inspection Configuring SIP Timeout Values The media connections are torn do wn within two min utes after the connection becomes idle.
11-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols Skinny (SCCP) Inspection • SCCP Inspecti on Overview , page 11-25 • Support.
11-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols Skinny (SCCP) Inspection When the Cisco IP Phones are on a lower security interface compared to the TFTP server , you must use an A CL to connect to the protected TF TP server on UD P port 69.
11-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 11 Configuring Inspection for Voice and Video Protocols Skinny (SCCP) Inspection Step 5 T o apply actions to matching traf fic, perform the follo wing steps.
11-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Configuring Ins pection for Voice and Video Protocols Skinny (SCCP) Inspection Where the value_length ar gument is a maximum or minim u m v alue.
CH A P T E R 12-1 Cisco ASA Series Firewall CLI Configuratio n Guide 12 Configuring Inspection of Database and Directory Protocols This chapter descri bes how to configure application lay er protocol i nspection.
12-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 12 Configurin g Inspection of Databa se and Directory Pr otocols SQL*Net Inspection During connection negotiati on time, a BIND PDU is sent from the client to the server .
12-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 12 Configuring Inspection of Database and Directory Protocols Sun RPC Inspection SQL*Net V ersion 2 TNSFrame types (Connect, A ccep t, R.
12-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 12 Configurin g Inspection of Databa se and Directory Pr otocols Sun RPC Inspection Managing Sun RPC Services Use the Sun RPC services table to co ntrol Sun RPC traf fic through t he ASA based on established Sun RPC sessions.
12-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 12 Configuring Inspection of Database and Directory Protocols Sun RPC Inspection sunrpc-server inside 192.168.100.2 255.255.255.255 service 100003 protocol UDP port 111 timeout 0:30:00 sunrpc-server inside 192.
12-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 12 Configurin g Inspection of Databa se and Directory Pr otocols Sun RPC Inspection.
CH A P T E R 13-1 Cisco ASA Series Firewall CLI Configuratio n Guide 13 Configuring Inspection for Management Application Protocols This chapter descri bes how to configure application lay er protocol i nspection.
13-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 13 Configuring Inspecti on for Management Application Protocols DCERPC Inspection DCERPC inspect maps inspect for nati ve TCP communication between the EPM and client on well known TCP port 135.
13-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 13 Configuring Inspection for Ma nagement Application Protocols GTP Inspection The follo wing example sho ws how to def ine a DCERPC inspection polic y map with the timeout confi gured for DCERPC pinholes.
13-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 13 Configuring Inspecti on for Management Application Protocols GTP Inspection Configuring a GTP Inspection Policy Ma p for Additional Inspection Control If you w ant to enforce additi onal parameters on GTP t raf fic, creat e and conf igure a GTP map.
13-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 13 Configuring Inspection for Ma nagement Application Protocols GTP Inspection ciscoasa(config-pmap)# parameters ciscoasa(config-pmap-p)# The mnc network_code argument is a two or th ree-digit v alue identifying the network cod e.
13-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 13 Configuring Inspecti on for Management Application Protocols GTP Inspection a. Use the object-group command t o define a ne w network object group that w ill represent the SGSN that sends GTP requests to the GSN po ol.
13-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 13 Configuring Inspection for Ma nagement Application Protocols GTP Inspection Enter this command separately for each timeout. The gsn keyw ord specif ies the period of inacti vity after which a GSN will be remo ved.
13-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 13 Configuring Inspecti on for Management Application Protocols RADIUS Accounting Insp ection total created_pdpmcb 0 total deleted_pdpmcb 0 pdp_non_existent 0 Y ou can use the v e rtical bar (|) to f ilter the display .
13-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 13 Configuring Inspection for Ma nagement Application Protocols RADIUS Accounting Inspection RADIUS Accounting Inspection Overview One of the well kno wn problems is the over -billing attack in GPRS networks.
13-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 13 Configuring Inspecti on for Management Application Protocols RSH Inspection service-policy global_policy global RSH Inspection RSH inspection is enabled by default. The RSH prot ocol uses a TCP connection from th e RSH client to the RSH server on TCP port 514.
13-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 13 Configuring Inspection for Ma nagement Application Protocols XDMCP Inspection ciscoasa(config-snmp-map)# deny version 2 XDMCP Inspec.
13-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 13 Configuring Inspecti on for Management Application Protocols XDMCP Inspection.
P AR T 5 Conf iguring Unif ied Communications.
.
CH A P T E R 14-1 Cisco ASA Series Firewall CLI Configuratio n Guide 14 Information About Cisco Unified Communications Proxy Features This chapter descri bes how to configure the ad apti ve security appliance for Cisco Unif ied Communications Proxy features.
14-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 14 Information Abou t Ci sco Unified Communica tions Proxy Features Information About the A daptive Security Appliance in Cisco U nified .
14-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 14 Inform ation About Cisco Unified Co mmunications Proxy Features TLS Proxy Ap plications in Cisco Unified Communications The ASA prov ides perimeter security by en crypting signalin g connections between enterpri ses and pre venting unathorized calls.
14-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 14 Information Abou t Ci sco Unified Communica tions Proxy Features Licensing for Cisco Unified Communications Proxy Features For the Cisco Unified Mobi lity solution , the TLS clien t is a Cisco UM A client and the TLS server is a Cisco UMA server .
14-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 14 Inform ation About Cisco Unified Co mmunications Proxy Features Licensing for Cisc o Unified Communications Proxy Features ASA 5512-X Base Licen se: 2 sessions. Optional licenses: 24, 50, 100 , 250, or 500 sessions.
14-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 14 Information Abou t Ci sco Unified Communica tions Proxy Features Licensing for Cisco Unified Communications Proxy Features T able 14-2 sho ws the default and maximum TLS sessio n details by platform.
CH A P T E R 15-1 Cisco ASA Series Firewall CLI Configuratio n Guide 15 Using the Cisco Unified Communication Wizard This chapter descri bes how to configure the ad apti ve security appliance for Cisco Unif ied Communications Proxy features.
15-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Information about the Cis co Unified Communication Wizard The wizard simplif ies the configuration of the Unified Communications proxi es in the follo wing ways: • Y ou enter all required data in the wizard steps.
15-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Licensing Requirements for the Unified Communication W izard Using the ASA as a sec ure.
15-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Guidelines and Limitations Guidelines and Limitations This section includes the guid elines and limitations for th is feature. Context Mode Guidelines Supported in single and mult iple conte xt mode.
15-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the Phone Proxy by using the Unified Communication W izard Note Any conf iguration created by the wizard should be maintained t hrough the wizard to ensure pr oper synchronization.
15-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the Ph one Proxy by using the Unified Communication Wizard Step 2 Specify each entity in th e network (al l Cisco UCM and TFTP servers) that the IP phones mu st trust.
15-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the Phone Proxy by using the Unified Communication W izard statements, you .
15-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the Ph one Proxy by using the Unified Communication Wizard Selecting the Use interface IP radio button conf igures the server to use the IP address of the public interface.
15-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the Phone Proxy by using the Unified Communication W izard See also the Cis.
15-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the Ph one Proxy by using the Unified Communication Wizard • PC Port • V.
15-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the Mobility Advantage by using the Unified Communication Wizard Step 1 In the field for the pri vate IP addr ess, enter the IP ad dress on which pr i vate media traf fic terminates.
15-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the Mobility Advantage by using the Unified Communication Wizard Configuring.
15-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the Mobility Advantage by using the Unified Communication Wizard • When using the wizard to co nfigu re the Cisco Mobilit y Adv antage proxy , the wizard only supports installing self-sig ned certificates.
15-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the Pr esence Federation Pr oxy by using the Unified Communication Wizard Co.
15-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the Presence Federation Proxy by using the Unified Communication W izard Step 3 In the FQDN f ield, enter the domain name for the Unif ied Presence server .
15-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the UC-IME by us ing the Unified Comm unication Wizard For th e TLS handshak.
15-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the UC-IME by us ing the Unified Communication Wizard T o config ure the Cisco Intercompan y Media Engine Proxy by using ASDM, choose W izards > Unif ied Communication Wi zard from the menu.
15-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the UC-IME by us ing the Unified Comm unication Wizard Step 2 Click Next .
15-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the UC-IME by us ing the Unified Communication Wizard Step 1 T o configure.
15-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the UC-IME by us ing the Unified Comm unication Wizard Adding a Cisco Unifie.
15-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Configuring the UC-IME by us ing the Unified Communication Wizard Configuring the Loca.
15-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Configuring the UC-IME by us ing the Unified Comm unication Wizard Configuring the Remot.
15-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Working with Ce rtificates in the Unified Communication Wizard Working with Certificat.
15-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Working with Certificates in the Unified Comm unication Wizard Presence Federation server , and the Cisco Unifie d Communications Manager servers, respectiv ely , on the ASA.
15-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Working with Ce rtificates in the Unified Communication Wizard • Remote Presence Fed.
15-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Working with Certificates in the Unified Comm unication Wizard Submit the CSR to the cert ificat e authority (CA), for example, by pastin g the CSR text in to the CSR enrollment page on th e CA website.
15-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 15 Using the Cisco Unified Commu nication Wizard Working with Ce rtificates in the Unified Communication Wizard T ypically , a certific.
15-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 15 Using the Cisco Unified Communication Wizard Working with Certificates in the Unified Comm unication Wizard.
CH A P T E R 16-1 Cisco ASA Series Firewall CLI Configuratio n Guide 16 Configuring the Cisco Phone Proxy This chapter describes ho w to confi gure the ASA for Cisco Phon e Proxy feature.
16-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Information About the Cisco Phone Proxy Figur e 16-1 Phone Pro xy Secur e Deploy ment The phone proxy supports a Cisc o UCM cluste r in mixed mode or n onsecure mode .
16-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Information About the Cisco Phone Proxy Note As an alternativ e to auth enticating remote IP phones through the TLS h andshake, you can conf igure authentication via LSC p rovisioni ng.
16-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Licensing Requirements for the Phone Proxy • Cisco Unif ied IP Phone 7941 • Cisco Unif ied IP P.
16-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Licensing Requirements for the Phone Proxy ASA 5512-X Base Licen se: 2 sessions. Optional licenses: 24, 50, 100 , 250, or 500 sessions. ASA 5515-X Base Licen se: 2 sessions.
16-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Prerequisites for the Phone Proxy For more inf ormation about licensing, see the general operati ons config uration guide.
16-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Prerequisites for the Phon e Proxy • For IP pho nes behind a router or gate way , you must also meet this prerequisite.
16-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Prerequisites for the Phone Proxy If N A T is configured for the TFTP server or Cisco UCMs, the translated “globa l” address must be used in the ACLs.
16-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Prerequisites for the Phon e Proxy host 10.0.0.2 nat (inside,outside) static interface service tcp 2443 7443 Note Both P A T configurations—for the non secure and secure ports—m ust be configured.
16-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Prerequisites for the Phone Proxy Note If an IP phone already has an LSC installed on it from a different Cisco UCM cluster , delete the LSC from the dif ferent cluster and install an LSC from the current Cisco UCM cl uster .
16-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Prerequisites for the Phon e Proxy Prerequisites for Rate Limiting TFTP Requests In a remote acces.
16-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Phone Proxy Guidelines and Limitations End-User Phone Provisioning The phone proxy is a tr ansparent proxy with resp ect to the TFTP and signaling t ransactions.
16-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Phone Proxy Guidelines a nd Limitations • General Guidelines and Limitations, page 16-1 3 • Me.
16-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy – T wo SIP IP phones: both in non-secure mo de T wo SCCP IP phones:.
16-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y • Creating the TLS Proxy for a Mixed-mode Ci sco UCM Cluster , page.
16-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy Step 3 Click Find and it wi ll display all the certif icates. Step 4 Find the f ilename Cisco_Manuf acturing_CA . This is the certif icate need to verify the IP p hone certificate.
16-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y Task Flow for Configuring the Phone Proxy in a Mixed-mode Cisco UCM C.
16-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy Prerequisites Import the required certif icates, whic h are stored on the Cisco UCM. See Certificates from the Cisco UCM, page 16-7 and Importing Certif icates from the Cisco UCM, page 16-15 .
16-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y Prerequisites If you are usin g domain name s for your Cisco UCM and TFTP server , you must configure DNS l ookup on the ASA.
16-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy Using an Existing CTL File Note Only when the phone prox y is running in mix ed-mode clusters, you hav e the option to use an exi sting CTL file to install tr ustpoints.
16-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y What to Do Next Once you have created the TLS proxy inst ance, create the phone proxy instance. See Creating the Phone Proxy Instance, page 16-24 .
16-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy Step 6 hostname(config-ca-trustpoint)# subject-name X.
16-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y What To Do Next Once you hav e created the TLS proxy instance a nd installe d the certificate on the Cisco Unif ied Communications Manager, create the p hone proxy instance.
16-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy What To Do Next Once you ha ve created the media termin ation instan ce, create th e phone prox y instance. See Crea ting the Phone Proxy Instance, page 16-24 .
16-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y Command Purpose Step 1 hostname(config)# phone-proxy phone_proxy_name Example: hostname(config)# phone-proxy myphoneproxy Creates the phone proxy instance.
16-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuring the Ph one Proxy What to Do Next Once you ha ve created the phon e proxy instance, con figur ing SIP and Skinny for the phone proxy . See Enabling the Phon e Proxy with SIP an d Skinny Inspection, page 16-26 .
16-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuring the Phone Prox y Configuring Linksys Routers with UDP Po rt Forwarding for the Phone Proxy When IP phones are behind a N A T -ca pable router , the router can be co nfigured to forward the UDP ports to the IP address of the IP phone.
16-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y Configuring Your Router Y our fire wall/router needs to be conf igured to forward a range of UDP ports to the IP pho ne.
16-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y T able 16-5 lists the captu re commands to use with the phone p roxy .
16-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y T able 16-5 Security Appliance Captur e Co mmands to Use with the Phone Pro xy T o Use the Command Notes T o capture packets on the A SA interfaces.
16-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y T able 16-6 lists the sho w commands to use with the phone proxy .
16-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y Debugging Information from IP Phones On the IP phone, perform th.
16-33 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y • Check the Security sett ings on the IP phone by selecting the Set tings button > Secu rity Config uration. Settings fo r web access, Security mode, MIC, LSC, CTL file, tru st list, and CAPF appear .
16-34 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y Step 2 From the ASA, verify that the CTL f ile for the phone pro.
16-35 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y Solution Step 1 V erify that DNS lookup is config ured on the ASA. Step 2 If DNS lookup is conf igured, determine whether you can p ing the FQDN for the Ci sco UCM from the ASA.
16-36 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y PP: Client outside:192.168.10.5/49355 retransmitting request for Config file SEP001562106AF3.cnf.xml.sgn PP: opened 0x17ccde PP: 192.
16-37 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y Step 3 If the router is a Linksys router , see Configu ring Linksys Routers wit h UDP Port Fo rwarding for t he Phone Proxy , page 16 -27 for information on the con fig uration requiremen ts.
16-38 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y Make sure that each media-termination instance is cr eated correctly and that th e address or addresses are set correctly .
16-39 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y b. V erify that the list o f installed certif icates contains all required certif icates for the phone proxy .
16-40 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y SSL Handshake Failure Problem The phone proxy is not fu nctioning. Initial troub leshooting unco vered the follo wing errors in the ASA syslogs: %ASA-7-725014: SSL lib error.
16-41 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y [3des-sha1] [des-sha1] [rc4-md5] [p ossibly others] See the command reference for more informatio n about setting ciphers wit h the ssl encry ption command.
16-42 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Troublesho oting the Phone Prox y phone-proxy mypp media-termination address 10.
16-43 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Troubleshooting the Phone Prox y The SAST keys can be seen via the show crypto k ey mypubkey rsa command.
16-44 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuration Examples for the Phone Proxy mGF/hfDDNAICBAA= hostname(config)# quit INFO: Import PK.
16-45 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuration Examples for the Phon e Proxy Figur e 16-2 Nonsecure Cisco UCM clust er , Ci sco UCM and TFTP Se rver on Publisher object network obj-192.
16-46 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuration Examples for the Phone Proxy Example 2: Mixed-mode Cisco UCM clu ster, Cisco UCM and TFTP Server on Publisher Figure 16-3 sho ws an example of the configuration fo r a mixed-mode Cisco UCM cluster using the follo wing topology .
16-47 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuration Examples for the Phon e Proxy address 10.10.0.25 interface outside phone-proxy mypp media-termination my_mediaterm tftp-server address 192.
16-48 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuration Examples for the Phone Proxy host 192.0.2.101 nat (inside,outside) static interface udp 69 69 access-list pp extended permit udp any host 10.
16-49 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuration Examples for the Phon e Proxy Figure 16-5 Mixed-mode Cisco UCM cluster , Pr i mar y Cisco UCM, Secondary Cisco UCM, and TFTP Serv er on Dif f erent Serv ers object network obj-192.
16-50 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuration Examples for the Phone Proxy crypto ca trustpoint ldc_server enrollment self proxy_ldc_issuer fqdn my-ldc-ca.
16-51 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuration Examples for the Phon e Proxy Figur e 16-6 LSC Pro visioning in Mix ed-mode Cisco UCM clust er; Cisco UCM and TFTP Serv er on Publisher object network obj-192.
16-52 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Configuration Examples for the Phone Proxy server trust-point _internal_PP_myctl client ldc issuer ldc_server client ldc keypair phone_common client cipher-suite aes128-sha1 aes256-sha1 media-termination my_mediaterm address 192.
16-53 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 16 Configuring the Cisco Phone Proxy Configuration Examples for the Phon e Proxy Figur e 16-7 VLAN T ransv ersal Between CIPC Softphon es on the Da ta VLAN and Har d Phones on the V oice VLAN object network obj-10.
16-54 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Confi guring the Cisco Phone Proxy Feature History for the Phone Proxy class sec_sip inspect sip phone-proxy mypp service-policy pp_policy interface data Feature History for the Phone Proxy T able 16-7 lists the release h ist ory for this feature .
CH A P T E R 17-1 Cisco ASA Series Firewall CLI Configuratio n Guide 17 Configuring the T LS Proxy for Encrypted Voice Inspection This chapter describes ho w to configure t he ASA for the TLS Proxy for Encrypted V oice Inspection feature.
17-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Information about the TLS Proxy for E ncrypted Voice Inspection The security appliance acts as a TLS proxy betwee n the Cisco IP Phone an d Cisco UCM.
17-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Information about the TLS Pro xy for Encrypted Voice Inspection • Cisco .
17-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Information about the TLS Proxy for E ncrypted Voice Inspection Figure 1 7.
17-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Licensing for the TLS Proxy Figure 1 7 -4 CTL Client TLS Pro xy Featur es .
17-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Licensing for the TLS Proxy ASA 5580 Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 20 00, 3000, 5000, or 10,000 sessions.
17-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Prerequisites for the T LS Prox y for Encrypted Voice Inspection T able 17-1 sho ws the default and maximum TLS sessio n details by platform.
17-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Configuring the TLS Pr oxy for Encrypted Voice Inspectio n • Creating T .
17-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Configuring the TLS Pro xy for Encrypted Voice Inspection Step 8 Run the CTL Client application to add the server proxy certificate (ccm_proxy) to the CTL f ile and install the CTL file on the secu rity appliance.
17-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Configuring the TLS Pr oxy for Encrypted Voice Inspectio n What to Do Next Once you have created the tr ustpoints and generate d th e certificates, create the internal CA to sign the LDC for Cisco IP Phones.
17-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Configuring the TLS Pro xy for Encrypted Voice Inspection What to Do Next Once you ha ve created the internal CA, create the CTL provider instance.
17-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Configuring the TLS Pr oxy for Encrypted Voice Inspectio n What to Do Next Once you hav e created the CTL provider instance, create the TLS proxy instance.
17-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Configuring the TLS Pro xy for Encrypted Voice Inspection What to Do Next Once you hav e created TLS proxy ins tance, enab le the TLS proxy instance fo r Skinny and SIP inspection.
17-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Configuring the TLS Pr oxy for Encrypted Voice Inspectio n Command Purpos.
17-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Monitoring the TLS Proxy Monitoring the TLS Proxy Y ou can enable TLS proxy d ebug flag s along with SSL syslogs to deb ug TLS proxy connection problems.
17-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Monitoring the TLS Proxy Apr 17 2007 23:13:47: %ASA-7-711001: TLSP cbad5120: Data channel ready for the Client Apr 17 2007 23:13:47: %ASA-7-725013: SSL Server inside:195.
17-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 17 Configuring the TLS Prox y for Encrypted Voic e Inspection Feature History for the TLS Pro xy for Encrypted Voice Inspection Public .
17-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Config uring the TLS Proxy for En crypted Voice Inspectio n Feature History for the TLS Proxy for Encrypted Voice Inspection.
CH A P T E R 18-1 Cisco ASA Series Firewall CLI Configuratio n Guide 18 Configuring Cisco Mobility Advantage This chapter de scribes how to configure the ASA for Ci sco Unified Communic ations Mobi lity Advantage Proxy features.
18-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Information about the Cisco Mobility Advantage Proxy Feature The TCP/TLS default por t is 5443. There are no embedded N A T or secondary connections.
18-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 18 Configuring Cisco Mobility Advantage Information about th e Cisco Mob ility Advantage Proxy Fe ature Figur e 18-1 Securi ty Appliance.
18-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Information about the Cisco Mobility Advantage Proxy Feature Figur e 1 8-2 Cisco UMC/Cisco UMA .
18-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 18 Configuring Cisco Mobility Advantage Information about th e Cisco Mob ility Advantage Proxy Fe ature Trust Relationships for Cisco UM.
18-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Licensing for the Cisco M obility Advantage Proxy Feature Figure 1 8-4 How the Secur ity Applia.
18-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 18 Configuring Cisco Mobility Advantage Configuring Cisc o Mobility Advantage • Enabling the TLS Proxy for MMP Insp ection, page 18-9 .
18-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Configuring Cisc o Mobility Advantage What to Do Next Once you hav e created the trustpoints and installed the Cisco UMA cer tificate on the ASA, create the TLS proxy instance.
18-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 18 Configuring Cisco Mobility Advantage Configuring Cisc o Mobility Advantage What to Do Next Once you ha ve created the TLS proxy inst ance, enable it for MMP inspection. See Enabling the TLS Proxy for MMP Inspection , page 18-9 .
18-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Monitoring for Ci sco Mobility Advantage Monitoring for Cisco Mobility Advantage Mobility adv antage proxy can be deb ugged the same w a y as IP T elephony .
18-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 18 Configuring Cisco Mobility Advantage Configuration Examples for Cisco Mobility Advantage Configuration Examples for Cisco Mobility A.
18-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Configuration Examples for Cisco Mobility Advantage object network obj-10.
18-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 18 Configuring Cisco Mobility Advantage Configuration Examples for Cisco Mobility Advantage Figur e 18-6 Cisco UMC/Cisco UMA Arc hitectur e – Scenario 2: Secur ity Appliance as TLS Pro xy Only object network obj-172.
18-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 18 Configur ing Cisco Mobility Advantag e Feature History for Cisco Mobility Advantage tls-proxy cuma_proxy server trust-point cuma_prox.
CH A P T E R 19-1 Cisco ASA Series Firewall CLI Configuratio n Guide 19 Configuring Cisco Unified Presence This chapter descri bes how to configure the adapti v e security applia nce for Cisco Unified Presence.
19-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Information About Cisco Unified Presence Figur e 19-1 T ypical Cisco Unified Pr esence/LCS Federation Scenar io In the abov e a rchitecture, the ASA functions as a fire wall, N A T , and TLS proxy , which is the recommended architecture.
19-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Information About Cisco Un ified Presenc e ciscoasa(config-network-object)# nat (inside,outside) static 192.0.2.1 service tcp 5060 5060 For an other Cisco UP with the address 10.
19-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Information About Cisco Unified Presence http://www .
19-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Information About Cisco Un ified Presenc e Security Certificate Exchange Between C isco UP and t.
19-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Information About Cisco Unified Presence For furt her information about config uring Cisco Un ified Presence Federation for XMPP Federation, see the Integr ation Gu ide for Configurin g Cisco Un ified Pr esen ce Release 8.
19-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Licensing for Cisco Unifie d Presence nat (inside,outside) source static obj_host_<private cu.
19-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Configuring Cisco Unified Pr esence Proxy for SIP Federation For more inf ormation about licensing, see the general operati ons config uration guide.
19-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Configuring Cisco Unified Presence Proxy fo r SIP Federation • Creating T rustpoints and Gener.
19-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Configuring Cisco Unified Pr esence Proxy for SIP Federation What to Do Next Install the certif icate on the local entity truststore. Y ou could also enroll the certifi cate with a local CA trusted by the local entity .
19-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Configuring Cisco Unified Presence Proxy fo r SIP Federation Command Purpose Step 1 hostname(co.
19-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Configuring Cisco Unified Pr esence Proxy for SIP Federation What to Do Next Once you hav e created the trustpoi nts and installed the certif icates for the local and remote entities on the ASA, create the TLS proxy instance.
19-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Configuring Cisco Unified Presence Proxy fo r SIP Federation What to Do Next Once you ha ve created the TLS proxy i nst ance, enable it for SIP inspection.
19-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Monitoring Cisco Unified Presence Monitoring Cisco Unified Presence Debug ging is similar to deb ugging TLS proxy for IP T elephony . Y ou can enable TLS proxy debug flags along with SSL syslogs to deb ug TLS proxy connection problems.
19-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Configuration Example for Cisco Unified Presence • Example A CL Configuration for XMPP Federa.
19-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Configuration Example for Cisco Unified Pres ence Figur e 19-5 T ypical Cisco Unified Pr esence/LCS Federation Scenar io object network obj-10.0.0.2-01 host 10.
19-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Configuration Example for Cisco Unified Presence quit ! for Entity Y’s CA certificate crypto ca trustpoint ent_y_ca enrollment terminal crypto ca authenticate ent_y_ca Enter the base 64 encoded CA certificate.
19-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Configuration Example for Cisco Unified Pres ence The follo wing values are used in th is sample conf iguration: • Priv ate XMPP federation Cisco Unified Presence Release 8.
19-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 19 Config uring Cisco Un ified Presence Configuration Example for Cisco Unified Presence • Pri vate third Cisco Unifi ed Presence Release 7.x IP address = 3.3.3.3 • XMPP federation listening po rt = 5269 nat (inside,outside) source static obj_host_1.
19-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 19 Configuring Cisco U nified Presence Feature History fo r Cisco Unified Presence Feature History for Cisco Unified Presence T able 19-1 lists the release h ist ory for this feature .
CH A P T E R 20-1 Cisco ASA Series Firewall CLI Configuratio n Guide 20 Configuring Cisco Inte rcompany Media Engine Proxy This chapter descri bes how to configure the AS A for Cisco Intercompan y Media Engine Proxy .
20-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Information Abou t Cisco Intercompany Med ia Engine Proxy Cisco Intercompany Medi.
20-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Information About Cisco In tercompany Media Engine Proxy On successful verif ica tion, the terminating side creates a tick et that grants permission to the call originator to mak e a Cisco IM E call to a specif ic number .
20-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Information Abou t Cisco Intercompany Med ia Engine Proxy As illustr ated in Figure 20-1 . Enterprise B makes a P STN call to enterprise A.
20-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Information About Cisco In tercompany Media Engine Proxy The TLS signaling connections from the Cisco UCM are terminated on the adapti ve security appliance and a TCP or TLS connecti on is initiated to the Cisco UCM.
20-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Information Abou t Cisco Intercompany Med ia Engine Proxy Figur e 20-2 Cisco Inte.
20-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Licensing for Cisc o Intercompany Me dia Engine Off Path Deployment In an of f pat.
20-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Guidelines and Limitations For more information about licensing, see Chapter 4, “Managing Feature Licenses, ” in the general operations conf iguration guide.
20-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Guidelines and Limitations • Stateful failover of Cisco Unified Intercomp any Media Engine is no t supported.
20-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy Assume for e x ample, the ASA is conf igured to hav e a maximum of 100 TLS pro xy sessions and IME calls between SCCP IP phon es establish 101 TLS proxy sessions.
20-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Note Step 1 through Step 8 apply to both basic (in- line) and of f path deployments and Step 9 applies onl y to of f path deployment.
20-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy Figure 20-6 Exampl e for Conf.
20-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy What to Do Next Create the A CLs for the Cisco Intercompany Media Engine Proxy .
20-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy Command Purpose Step 1 hostname(config)# object network name Examples: hostname(config)# object network ucm-pat-209.
20-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Creating ACLs for Cisco Inter.
20-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy What to Do Next Create the media termination inst ance on the ASA fo r the Cisco Intercompany Media Engi ne Proxy .
20-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy What To Do Next Once you hav e created the media termination instance, c reate the Cisco Intercompan y Media Engine Proxy .
20-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy Note Y ou cannot change an y .
20-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Step 4 hostname(config-uc-ime.
20-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy What to Do Next Install the certif icate on the local entity truststore. Y ou could also enroll the certifi cate with a local CA trusted by the local entity .
20-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy connections between the local Ci sco UCM and the local ASA. The instructions in that task describe ho w to create tr ustpoint s between the local Cisc o UCM and t he local A SA.
20-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy What to Do Next Create the TLS proxy for the Cisco Intercompany Media Engi ne. See the “Creating the TLS Proxy” section on page 20 -23 .
20-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Creating the TLS Proxy Becaus.
20-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy What to Do Next Once you hav e created the TLS prox y , enable it for SIP inspect ion.
20-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Command Purpose Step 1 hostna.
20-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy What to Do Next Once you ha ve enabled the TLS proxy for SIP i nspection, if necessary , configur e TLS within the enterprise.
20-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Commands Purpose Step 1 hostn.
20-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy What to Do Next Once you ha ve conf igured the TLS within the enterprise, if ne cessary , configure of f path signaling for an off path deployment.
20-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy (Optional) Configuring Off Path Signaling Perform this task only w hen you are conf iguring the Cisco Intercompan y Media Engine Proxy as part of an of f path deployment.
20-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy This section contains the fol.
20-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Configuring Cisco Inter company Media Engin e Proxy Step 2 Check the Enable Cisco UC-IME prox y check box to enable the feature.
20-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Configuring Cisco Intercompa ny Media Engine Proxy Note In an of f path deployment any e xisting ASA that you ha ve deployed in your en vironment are not capable of transmitting Cisco Intercompan y Medi a Engine traf fic.
20-33 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Troublesh ooting Cisco Inte rcompany Media Eng ine Proxy Step 4 Specify the public netw ork settings. Step 5 Specify the media termin ation address settings of Cisco UCM.
20-34 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Troublesho oting Cisco Intercom pany Medi a Engine Proxy Local SRTP key set : Remote SRTP key set Remote Media (audio) conn: 192.168.
20-35 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 20 Configuring Cisco Intercompany Media Engin e Proxy Troublesh ooting Cisco Inte rcompany Media Eng ine Proxy Sum_all_packets : 20196 .
20-36 Cisco ASA Series Firewall CLI Configuration Guide Chapter 20 Configurin g Ci sco Intercompan y Media Engine Proxy Feature History for Cisco Intercompany Media Engine Proxy Feature History for Cisco Intercompany Media Engine Proxy T able 20-1 lists the release h ist ory for this feature .
P AR T 6 Conf iguring Connection Set tings and QoS.
.
CH A P T E R 22-1 Cisco ASA Series Firewall CLI Configuratio n Guide 22 Configuring Connection Settings This chapter describe s how to configure connection settings for connections th at go through the A SA, or for manage ment connec tions, that go to the ASA.
22-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Information Abou t Connection Settings TCP Intercept and Limiti ng Embryonic Connections Limiting the number of embryonic connections pro tects you from a DoS att ack.
22-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Information About Connec tion Settings TCP Sequence Randomization Each TCP connection has tw o ISNs: one generated by the client and one generated by the server .
22-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Licensing Requirement s for Connection Settings fast path (an established con nection), or the co ntrol plane path (advanced inspection).
22-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Guidelines and Limitations Guidelines and Limitations Context Mode Guidelines Supported in single and mult iple conte xt mode. Firewall Mode Guidelines Supported in routed an d transparent mode.
22-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Configuring Co nnection Settings no check-retransmission no checksum-verification exceed-mss allow qu.
22-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Configuring Connec tion Settings Step 2 (Optional) Conf igure the TCP map criteria by entering one o r more of the follo wing commands (see T able 22-1 ).
22-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Configuring Co nnection Settings T able 22-1 tcp-map Commands Command Notes check-retransmission Pre vents inconsistent TCP retransmissions. checksum-verif ication V erifies the checksum.
22-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Configuring Connec tion Settings queue-limit pkt_num [ timeout seconds ] Sets the maximum number of out - of-order packets that can be buf fered and put in order for a TCP connection, between 1 and 250 packets.
22-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Configuring Co nnection Settings synack-data { allow | dr op } Sets the action for TCP SYNA C K packets that contain data. The allow k eyword allows TCP SYN A C K packets that contain data.
22-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Configuring Connec tion Settings Configuring Connection Settings T o set connection sett ings, perform the foll ow ing steps. Detailed Steps urgent-flag { allo w | clear } Sets the action for packets with the URG flag.
22-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Configuring Co nnection Settings Step 3 policy-map name Example: ciscoasa(config)# policy-map tcp_bypass_policy Adds or edits a polic y map that sets the actions to take with the class map traf fic.
22-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Configuring Connec tion Settings set connection {[ conn-max n ] [ embryonic-conn-max n ] [ per-clie.
22-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Configuring Co nnection Settings set connection timeout {[ embryonic hh : mm : ss ] { idle hh : mm :.
22-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Monitoring Con nection Settings Monitoring Connection Settings T o monitor TCP state byp ass, perfo.
22-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Configuration Exampl es for Connection Settings ciscoasa(config-pmap-c)# set connection conn-max 100.
22-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 22 Configuring Connection Se ttings Feature History for Connection Setting s Feature History for Connection Settings T able 22-2 lists each feature change and the plat form release in which it w as implemented.
22-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 22 Configuring Conne ction Settings Feature History for Connection Settings Increased maximum connection limi ts for service polic y rules 9.0(1) The maximum number of conn ections for service polic y rules was increased from 65 535 to 2000000.
CH A P T E R 23-1 Cisco ASA Series Firewall CLI Configuratio n Guide 23 Configuring QoS Hav e you ev er participated in a long-distance phon e call that in volv ed a satellite connection? The con versation might be interrup ted with brief, b ut per ceptible, gaps at odd intervals.
23-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Information About QoS Supported QoS Features The ASA supports the foll ow ing QoS features: • Policing—T o prev ent indi vidual flows fr om hogging the netw ork bandwidth, you can limit the maximum bandwidth used per flo w .
23-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Information About QoS For traf fic shap ing, a token b ucket permits b urstiness but bounds i t.
23-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Information About QoS Information About Traffic Shaping T raff ic shaping is used to match de vice and link spee ds, ther eby controlling pack et loss, variable delay , and link saturation , which can cause jitter and delay .
23-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Licensing Requirements for Qo S Y ou cannot conf igure traff ic shaping and standard priority queuing for t he same interface; only hierarchical prio rity queuing is allo wed.
23-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Configuring QoS • (ASA 5512-X through ASA 5555-X) Priority q ueuing is not support e d on the Management 0/0 interface.
23-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Configuri ng QoS Determining the Queue and TX Ring Limits for a Standard Priority Queue T o determine the priority queue and TX ri ng limits, use the w orksheets belo w .
23-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Configuring QoS Configuring the Standard Priority Queue for an Interface If you enable standard pr iority queuing for t raff ic on a physical interface, then you need to also create the priori ty queue on each interface.
23-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Configuri ng QoS Examples The follo wing example establishes a priority queue on interface “out side” (the Gigabi.
23-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Configuring QoS Restrictions • Y ou cannot use the class-default class map for priority traf fic. • Y ou cannot conf igure traff ic shaping and standard priority queuing for t he same interface; only hierarchical priori ty queuing is allo wed.
23-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Configuri ng QoS Examples Example 23-1 Class Map Exam ples for VPN T r affic In the follo wing example, the class-ma.
23-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Configuring QoS ciscoasa(config)# class-map tcp_traffic ciscoasa(config-cmap)# match access-list tcp_traffic In the follo wing example, other , more specif ic match criteria are used for classifying traffi c for specific, security-r elated tunne l groups.
23-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Configuri ng QoS Example 23-2 Prior ity and P olicing Exa mple In this exampl e, the maximum rate for traf fic of the tcp_traf fic class is 56,00 0 bits/second and a maximum b urst size of 10,500 bytes per second.
23-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Configuring QoS • For hierarchical pr iority queuing, you do not need to create a priority queue on an interface.
23-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Configuri ng QoS • Y ou cannot conf igure traff ic shaping and standard priority queuing for t he same interface; only hierarchical priority queui ng is allowed.
23-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Monitoring QoS ciscoasa(config-cmap)# match access-list ike ciscoasa(config-cmap)# class-map voice_traffic ciscoasa(c.
23-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Monitorin g QoS Viewing QoS Standard Priority Statistics T o view statistics for service policies implementi ng the .
23-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Monitoring QoS Service-policy: voip Class-map: voip Queueing queue limit 64 packets (queue depth/total drops/no-buffe.
23-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 23 Configuring QoS Feature History for QoS Feature History for QoS T able 23-3 lists each feature change and the plat form release in which it w as implemented. T able 23-3 Featur e History for QoS Feature Name Platform Releases Feature Information Priority queuing and pol icing 7.
23-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 23 Configuring QoS Feature History for QoS.
CH A P T E R 24-1 Cisco ASA Series Firewall CLI Configuratio n Guide 24 Troubleshooting Connec tions and Resources This chapter describes ho w to troubleshoot the ASA and includes the follo wing secti.
24-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 24 Troublesh ooting Connection s and Resources Testing Your Configuration Enabling ICMP Debugging Messages and Syslog Messages Debugging messages and syslog messages can help you troubleshoot why yo ur pings are not successful.
24-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 24 Troubleshooting Connec tions and Resources Testing Your Config uration Pinging ASA Interfaces T o test whether the ASA interfaces are up and r unning and that the ASA and connected routers are operating correctly , you ca n ping the ASA interfaces.
24-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 24 Troublesh ooting Connection s and Resources Testing Your Configuration Figur e 24-2 Ping Failur e at the ASA Int er f ace If the ping reaches the ASA, and it r e sponds, debu gging messages similar to the follo wing appear: ICMP echo reply (len 32 id 1 seq 256) 209.
24-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 24 Troubleshooting Connec tions and Resources Testing Your Config uration Passing Traffic Through the ASA After you successfully ping the ASA interf aces, make sure that traff ic can pass successfully through the ASA.
24-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 24 Troublesh ooting Connection s and Resources Testing Your Configuration Disabling the Test Configuration After you complete your testing, d isable the test c onf iguration that allo ws ICMP to and through the ASA and that prints debugging messages.
24-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 24 Troubleshooting Connec tions and Resources Monitoring Per-Process CPU Usage Determining Packet R outing with Traceroute Y ou can trace the route of a packet using the traceroute feature, w hich is accessed with the traceroute command.
24-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 24 Troublesh ooting Connection s and Resources Monitoring Per-Pro cess CPU Usage.
P AR T 7 Conf iguring Adv anced Netw ork Pr otection.
.
CH A P T E R 25-1 Cisco ASA Series Firewall CLI Configuratio n Guide 25 Configuring the ASA for Cisco Cloud Web Security Cisco Cloud W eb Security pro vides web security and web f iltering services through the Software-as-a-Service (SaaS ) mode l.
25-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Information About Cisco Cloud Web Security This chapte r includes the follo wing sec.
25-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Information About Cisco Clo ud Web Security The ASA supports the follo wing methods .
25-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Information About Cisco Cloud Web Security For more inf ormation, see the Cloud W eb Security documentation: http://www .cisco.com/en/ US/products/ps11720/produ ct s_installation_and_conf iguration_guides_list.
25-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Information About Cisco Clo ud Web Security – AAA usernames, when u sing RADIUS or.
25-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Licensing Require ments for Cisco Cloud Web Se curity Bypassing Scanning with Whitel.
25-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Prerequisites for Cloud W eb Security On the Cloud W eb Security side, you must purchase a Cisco Cloud W eb Security license and identi fy the number of users that the ASA handles.
25-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Default Settings • When an interface to the Clo ud W eb Security proxy serv ers goes down, output fro m the show scansafe server command sho ws both servers up for appro ximately 15-25 minutes.
25-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuring Cisco Clo ud Web Security Detailed Steps Examples The follo wing example conf igures a primary and backup server: scansafe general-options server primary ip 10.
25-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuring Cisco Cloud Web Security Note Y ou must confi gure a route pointing to the Scansafe to wers in both; the admin context an d the specif ic context.
25-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuring Cisco Clo ud Web Security Detailed Steps Command Purpose Step 1 policy-.
25-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuring Cisco Cloud Web Security Step 7 policy-map type inspect scansafe name2 .
25-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuring Cisco Clo ud Web Security Step 10 match access-list acl1 Example: ciscoasa(config-cmap)# match access-list SCANSAFE_HTTP Specifies an A CL created in Step 8 .
25-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuring Cisco Cloud Web Security Examples The follo wing example conf igures two classes: one for HTTP and one for HTTPS. Each A CL exempts traf fic to www .
25-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuring Cisco Clo ud Web Security (Optional) Configuring Whitelisted Traffic If you use user authenti cation, you can e xempt some traf fic from being f iltered by Cloud W eb Security based on the username and/or gro upname.
25-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuring Cisco Cloud Web Security hostname(config-pmap-p)# https hostname(config.
25-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Monitoring Cloud Web Se curity Monitoring Cloud Web Security The show scansafe s erv er command shows whether or not the Cloud W eb Security proxy serv ers are reachable: hostname# show scansafe server ciscoasa# Primary: proxy197.
25-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security Configuration Examples for Cisc.
25-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security hostname(cfg-scansafe)# server primary ip 192.
25-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security parameters default user user1 g.
25-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security Configuring the Active Di recto.
25-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security hostname(config)# user-identity.
25-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security domain-name uk.
25-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security timeout pat-xlate 0:00:30 timeo.
25-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuration Examples for Cisco Cloud Web Security inspect h323 ras inspect ip-opt.
25-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 25 Configurin g the ASA for Cisco Cloud Web Security Related Documents Related Documents Feature History for Cisco Cloud Web Security T able 25-1 lists each feature change and the plat form release in which it w as implemented.
CH A P T E R 26-1 Cisco ASA Series Firewall CLI Configuratio n Guide 26 Configuring the Botnet Traffic Filter Malware is malicious software that is installed on an unkno wing host.
26-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Information About th e Botnet Traffic Filter • Botnet T raff ic Filter Actions for Kno wn Addr.
26-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Information About the Botnet Traffic Filter 2.
26-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Information About th e Botnet Traffic Filter When you add a domain name to the static datab ase, the ASA waits 1 minut e, and then sends a DNS request for that domain name an d adds th e domain name/IP address pairing to the DNS host cac he .
26-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Information About the Botnet Traffic Filter How the Botnet Traffic Filter Works Figure 26-1 sho ws how the Botnet T raf fic Filter works with the dynamic database pl us DNS inspection with Botnet T raffic Filter snooping.
26-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Licensing Requirements fo r the Botnet Traffic Filter Licensing Requirements for the Botnet Traf.
26-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter This section includ.
26-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Bo tnet Traffic Filter Configuring the Dynamic Database This procedure enables database updates, and also enables use of the do wnloaded dynamic database by the ASA.
26-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter ciscoasa(config)# dynamic-filter use-database What to Do Next See the “ Adding Entries to the Static Datab ase” section on page 26-9 .
26-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Bo tnet Traffic Filter Examples The follo wing example creates entrie s for the blacklist and whi telist: ciscoasa(config)# dynamic-filter blacklist ciscoasa(config-llist)# name bad1.
26-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter Default DNS Inspection Configura tion and Recommended Configura tion The default conf iguration for DNS inspection inspec t s all UDP DNS traf fic on all interfaces, and does not have DNS snooping enabled .
26-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Bo tnet Traffic Filter Examples The follo wing recommended confi guration creat.
26-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter Recommended Configuration Although DNS snoopi ng is not .
26-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Bo tnet Traffic Filter Step 3 (Optional) dynamic-filter drop blacklist [ interf.
26-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter Examples The follo wing recommended confi guration monit.
26-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Configuring the Bo tnet Traffic Filter Note A CLs block all future connections. T o block the cu rrent connection, if it is still acti ve, enter the clear c onn command.
26-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Monitoring the Botnet Traffic Filter bad.example.
26-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Monitoring the Botnet Traffic Filter Examples The follo wing is sample output from the show dyn.
26-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Configuration Examples fo r the Botnet Traffic Filter horrible.
26-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Configuration Examples fo r the Botnet Traffic Filter ciscoasa(config-pmap-c)# inspect dns pres.
26-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 26 Configuring the Botnet Traffic Filter Where to Go Nex t ciscoasa/context1(config-llist)# address 10.1.1.1 255.255.255.0 ciscoasa/context1(config-llist)# dynamic-filter whitelist ciscoasa/context1(config-llist)# name good.
26-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 26 Configuring the Botnet Traffic Filter Feature History for t he Botnet Traffic Filter Feature History for the Botnet Traffic Filter T able 26-1 lists each feature change and the plat form release in which it w as implemented.
CH A P T E R 27-1 Cisco ASA Series Firewall CLI Configuratio n Guide 27 Configuring Threat Detection This chapter descri bes how to configure threat detection statistics and sc anning threat det ectio.
27-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Basic Thre at Detection Statistics Configuring Basic Threat Detection Statistics Basic threat detect ion statistics includ e acti vity that mi ght be re lated t o an atta ck, such as a DoS attack.
27-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuri ng Basic Threa t Detection St atistics For each recei ved event, the ASA checks the a verage.
27-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Basic Thre at Detection Statistics Configuring Basic Threat Detection Statistics This section describes ho w to conf igure basic threat detection statistics, includ ing enabling or disabli ng it and changing the defau lt limits.
27-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuri ng Basic Threa t Detection St atistics Monitoring Basic Threat Detection Statistics T o moni.
27-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Advanced T h reat Detection Statistics Feature History for Basic Threat Detection Statistics T able 27-2 lists each feature change and the plat form release in which it w as implemented.
27-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuring Advanced Threat Detection Statistics Security Context Guidelines Only TCP Intercept statistics are a vailable in multiple mode. Firewall Mode Guidelines Supported in routed an d transparent f irewall mod e.
27-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Advanced T h reat Detection Statistics Step 3 threat-detection statistics host [ number-of-rate { 1 | 2 | 3 }] Example: ciscoasa(config)# threat-detection statistics host number-of-rate 2 (Optional) Enables statist ics for hosts.
27-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuring Advanced Threat Detection Statistics Monitoring Advanced Threat Detection Statistics The display output sho ws the follo wing: • The av erage rate in events/sec o ver f ixed time periods.
27-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Advanced T h reat Detection Statistics The ASA stores the count at the end of each b urst period, for a total of 30 com pleted burst intervals.
27-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuring Advanced Threat Detection Statistics T o monitor adv anced threat detection statistics, p.
27-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Advanced T h reat Detection Statistics Examples The follo wing is sample output from the show threat-detection statistics host command: ciscoasa# show threat-detection statistics host Average(eps) Current(eps) Trigger Total events Host:10.
27-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuring Advanced Threat Detection Statistics fw-drop Sho ws the number of f irewall d rops.
27-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Advanced T h reat Detection Statistics Feature History for Advanced Threat Detection Statistics T able 27-4 lists each feature change and the plat form release in which it w as implemented.
27-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuring Scanning Threat Detection Configuring Scanning Threat Detection This section includes the.
27-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Scannin g Threat Detection Guidelines and Limitations This section includes the guid elines and limitations for th is feature: Security Context Guidelines Supported in single mode only .
27-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuring Scanning Threat Detection Configuring Scanning Threat Detection Detailed Steps Monitoring.
27-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuring Scannin g Threat Detection Examples The follo wing is sample output from the show threat-detection shun command: ciscoasa# show threat-detection shun Shunned Host List: 10.
27-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 27 Con figuring Threa t Detection Configuration Examples for Threat Detection Configuration Examples for Threat Detection The follo wing example conf igures basic threat detect ion statistics, and changes the D oS attack rate settings.
27-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 27 Configuring Th reat Detection Configuration Examples for Threat Detection.
CH A P T E R 28-1 Cisco ASA Series Firewall CLI Configuratio n Guide 28 Using Protection Tools This chapter describes some o f the many too ls av ailable to protect your netw ork and includes the foll.
28-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 28 Using Protection Tools Configuring the Fr agment Size Configuring the Fragment Size By default, th e ASA allo ws up to 24 fragments per IP p acket, and up to 200 frag ments awaiting reassembly .
28-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support Configuring IP Audit for Basic IPS Support The IP audit feature p rovides basic IPS support for the ASA t hat does not ha ve an AIP SSM.
28-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support IP Audit Signature List T able 28-1 lists supp orted signatures and system message nu mbers.
28-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support 1103 400009 IP Overlapp ing Fragments (T eardrop) At tack T riggers when two fragments contained within the same IP datagram ha ve of fsets that indicat e that they sha re positio ning wi thin the datagram.
28-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support 2008 400018 ICM P T ime stamp Reply I nformational T riggers when a .
28-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support 3042 400028 TCP FIN only flags A ttack T riggers when a single orphaned TCP FIN packet is sent to a pri vileged por t (hav ing port number less than 1024) on a specific host.
28-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 28 Using Protection Tools Configuring IP Audit for Basic IPS Support 6152 400044 yppasswdd (YP passwo rd daemon) Portmap Request Informational T riggers when a request is made to the portmapper for the YP password daemon (yppasswdd) port.
CH A P T E R 29-1 Cisco ASA Series Firewall CLI Configuratio n Guide 29 Configuring Filtering Services This chapter describe s how to use f iltering servic es to provide greater control over traf fic .
29-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Configuring ActiveX Filtering Configuring ActiveX Filtering This section includes the following topics:.
29-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Licensing Requirements for ActiveX Filtering Guidelines and Limitations for ActiveX Filtering This section includes the guid elines and limitations for th is feature.
29-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Configuring Java Applet Filtering Feature History for ActiveX Filtering T able 29-1 lists the release histor y for Active X Filtering.
29-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Configuring Java Applet Filtering Guidelines and Limitations for Java Applet Filtering This section includes the guid elines and limitations for th is feature.
29-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Filtering URLs and FTP Requ ests with an External Server The follo wing example remov es the co nfiguration for do wnloading Ja va applets to a host on a protected network: ciscoasa(config)# no filter java http 192.
29-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Filtering URLs and FTP Requests with an External Server Note URL caching will only work if the version of th e URL server software from the URL server v endor supports it.
29-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Filtering URLs and FTP Requ ests with an External Server Identifying the Filtering Server Y o u can identify up to four f iltering server s per contex t. The ASA uses the serv ers in order until a serv er responds.
29-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Filtering URLs and FTP Requests with an External Server For W eb s en s e: hostname(config)# url-serv.
29-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Filtering URLs and FTP Requ ests with an External Server Configuring Additional URL Filtering Settings.
29-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Filtering URLs and FTP Requests with an External Server Caching Server Addresses After you access a .
29-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Filtering URLs and FTP Requ ests with an External Server Enabling HTTP Filtering Y ou must identify and enable the URL fi ltering server bef ore enabling HTTP f iltering.
29-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Filtering URLs and FTP Requests with an External Server Truncating Long HTTP URLs By default, if a URL e xceeds the maximum permitted size, then it is dropped.
29-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Filtering URLs and FTP Requ ests with an External Server T o enable HTTPS f iltering, enter the follo wing command: Filtering FTP Requests Y ou must identify and enable the URL filtering serv er before enabling FTP filtering.
29-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Monitoring Filtering Statisti cs Monitoring Filtering Statistics T o monitor f iltering statistics, .
29-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Monitoring Filtering Statistics STATUS_REQUEST 1609 1601 LOOKUP_REQUEST 1526 1526 LOG_REQUEST 0 NA Err.
29-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 29 Config uring Filtering Services Monitoring Filtering Statisti cs Feature History for URL Filtering T able 29-5 lists the release h istory for URL f iltering.
29-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 29 Configuring Filtering Services Monitoring Filtering Statistics.
P AR T 8 Conf iguring Modules.
.
CH A P T E R 30-1 Cisco ASA Series Firewall CLI Configuratio n Guide 30 Configuring the ASA CX Module This chapter descri bes how to configure the ASA CX modul e that runs on the A SA.
30-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Information About the ASA CX Module How the ASA CX Module Works with the ASA The ASA CX module runs a separate application fro m the ASA. Th e ASA CX module includes external management interface(s) so you can connect to the ASA CX module directly .
30-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Information About the ASA CX Module Monitor-Only Mode For demonstr ation purposes, you can conf igure a service policy or a traf fic-forwarding interface in monitor -only mode.
30-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Information About the ASA CX Module Figur e 30-3 ASA CX T raf fic-Forwar ding Information About ASA CX .
30-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Information About the ASA CX Module or ASDM). Howe ver , physic al characteristics (suc h as enabling the interface) are configured on the ASA.
30-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Licensing Requirements for th e ASA CX Module • Do not configure ASA inspection on HTTP traf fic. • Do not conf igure Cloud W eb Security (ScanSafe) inspection.
30-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Guidelines and Limitations Firewall Mode Guidelines Supported in rout ed and transparent f irew all mode. T raff ic-forwarding interf aces are only supported in transparent mode.
30-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Default Settings Additional Guidelines and Limitations • See the “Compatibility with A SA Features” section on pa ge 30-5 .
30-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Configuring the ASA CX Module Step 3 (ASA 5585-X; Opti onal) Conf igure the ASA CX module management IP address for initial SSH access. See the “(ASA 5585-X) Changing the A SA CX Management IP Address” section on page 30-14 .
30-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuring the ASA CX Mo dule If you have an inside router If you ha ve an inside router , you can ro.
30-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Configuring the ASA CX Module ASA 5512-X through ASA 5555-X (Software Module) These models run the ASA CX module as a softwa re module, and the ASA CX management interface shares the Management 0/0 interf ace with the ASA.
30-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuring the ASA CX Mo dule CX IP address for that interface. Because the AS A CX module is essentially a separate device from the ASA, you can conf igure the ASA CX management address to be on the same network as t he inside interface.
30-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Configuring the ASA CX Module http://www .cisco.com/cisco/software/r elease.
30-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuring the ASA CX Mo dule Username: buffy Password: angelforever Verifying Downloading Extracting.
30-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Configuring the ASA CX Module Configuring Basic ASA CX Settings at the ASA CX CLI Y ou must conf igure basic network settin gs and othe r parameters on the ASA CX module before you can confi gure your security pol icy .
30-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuring the ASA CX Mo dule Applying... Done. Generating self-signed certificate, the web server will be restarted after that ... Done. Press ENTER to continue.
30-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Configuring the ASA CX Module What to Do Next • (Optional) Configure the authen tication proxy port. See the “(Opt ional) Conf iguring the Authentication Proxy Port” section on page 30-17 .
30-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuring the ASA CX Mo dule Redirecting Traffic to the ASA CX Module Y ou can redirect traffic to the ASA CX module by creating a service polic y that identifies sp ecific t raffic.
30-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Configuring the ASA CX Module Detailed Steps Command Purpose Step 1 class-map name Example: ciscoasa(config)# class-map cx_class Creates a class map to identify the traf fic f o r which you want to send to the ASA CX module.
30-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuring the ASA CX Mo dule Configuring Traffic-Forwarding Interfaces (Monitor-Only Mode) This section conf igures traf fic-forw arding interfaces, where all traff ic is forwarded directly to the ASA CX module.
30-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Managing the ASA CX M odule Detailed Steps Step 8 Repeat for any additional interfaces.
30-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Managing the A SA CX Module Resetting the Password Y ou can reset the module password to the default. F or the user admin , the default password is Admin123 .
30-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Managing the ASA CX M odule Detailed Steps Shutting Down the Module Shutting do wn the module software prepares the modu le to be safely po wered off with out losing confi guration data.
30-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Managing the A SA CX Module (ASA 5512-X through ASA 5555-X) Uninstalling a Software Module Image T o uninstall a software module image and associat ed confi guration, perform th e follo wing steps.
30-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Monitoring the ASA CX Module Detailed Steps Monitoring the ASA CX Module • Showing Module Status, p.
30-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Monitoring the ASA CX Module T o check the status of a module, ent er one of the follo wing commands: .
30-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Monitoring the ASA CX Module The follo wing is sample output from the show service-policy command sho.
30-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Monitoring the ASA CX Module Examples The follo wing is sample output from the show asp table classify.
30-29 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Monitoring the ASA CX Module dst ip/id=172.23.58.52, mask=255.
30-30 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Troublesho oting the ASA CX Module cxsc-msg 1 0 1 0 1 0 The follo wing is sample output from the show .
30-31 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Troubleshooting the ASA CX Module When you enable the authentica tion pro xy , t he ASA generate s a .
30-32 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Configuration Examples for the ASA CX Module 2. Check the ou tput of the show service-policy cxsc command to see if an y packets were prox ied.
30-33 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Feature History for the ASA CX Module ciscoasa(config-pmap)# class my-cx-class2 ciscoasa(config-pmap-.
30-34 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Feature History for the ASA CX Module Monitor -only mode for demonstration purposes ASA 9.
30-35 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 30 Configuring the ASA CX Mo dule Feature History for the ASA CX Module Multiple conte xt mode support for the ASA CX module ASA 9.1(3) ASA CX 9.2(1) Y ou can no w configure ASA CX service po licies per contex t on the ASA.
30-36 Cisco ASA Series Firewall CLI Configuration Guide Chapter 30 Configuring the A SA CX Module Feature History for the ASA CX Module.
CH A P T E R 31-1 Cisco ASA Series Firewall CLI Configuratio n Guide 31 Configuring the ASA IPS Module This chapter describes h ow to config ure the ASA IPS modul e. The ASA IPS modul e might be a hardw are module or a so ftware module, d epending on your ASA model.
31-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Information About the ASA IPS Module How the ASA IPS Module Works with the ASA The ASA IPS module runs a separate application fro m the ASA.
31-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Information About the ASA IPS M odule Operating Modes Y ou can send traf fic to the ASA IPS modu le using one of the follo wing modes: • Inline mode—This mode places the ASA IPS module directly in the traf fic f low (see Figure 31-1 ).
31-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Information About the ASA IPS Module Figur e 31 -3 Securi ty Contexts and V irtual Sen sors Figure 31-4 sho ws a single mode ASA paired with multiple vi rtual sensors (in inline mode); each def ined traf fic flo w goes to a dif ferent sensor .
31-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Licensing Requirement s for the ASA IPS module See the follo wing information about the management interface: – ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X —The IPS management interf ace is a separate external Gig abit Ethernet interf ace.
31-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Default Settings http://www .cisco.com/en/US/docs/securi t y/asa/compatibility/asamatrx.html • The ASA 5505 does not support multiple conte xt mode, so multiple conte xt features, such as virtual sensors, are not supported on th e AIP SSC.
31-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Configuring the ASA IPS module This section descri bes ho w to conf igu.
31-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module Connecting the ASA IPS Management Interface In addition to pro viding m.
31-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module If you do not have an inside router If you ha ve only one inside net work, then you canno t also hav e a separate m anagemen t network, which would require an inside r outer to route between the netw orks.
31-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module If you do not have an inside router If you ha ve only one inside net work, then you cannot also ha ve a separate mana gement network.
31-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Sessioning to the Module from the ASA T o access the IPS module CLI from the ASA, you can session from the ASA.
31-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module Detailed Steps Step 1 Do one of the foll o wing: • New ASA wit h IPS pre-installed—T o vie w the IPS module software f ilename in flash memory , enter:.
31-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module (ASA 5510 and Higher) Confi guring Basic Network Settings Session to the module from the ASA an d config ure basic settings using the setup command.
31-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module Restrictions Do not conf igure N A T for the management address if you intend t o access it using ASDM. F o r initial setup with ASDM, you need to acce ss the real address.
31-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Examples The follo wing example conf igures VLAN 20 as the I PS management VLAN. Only the host at 10.1.1.30 can access the IPS management IP address.
31-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module Detailed Steps Step 1 Access the ASA IPS module CLI usi ng one of the follo wing methods: • Session from the ASA to the ASA IPS modu le.
31-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Detailed Steps Command Purpose Step 1 context name Example: ciscoasa(config)# context admin ciscoasa(config-ctx)# Identif ies the context you wa nt to conf igure.
31-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module Examples The follo wing example assigns sensor1 and sensor2 t o conte xt A, and sensor1 a nd sensor3 to conte xt B. Both context s map the sensor names to “ips1” and “i ps2.
31-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Detailed Steps Command Purpose Step 1 class-map name Example: ciscoasa(config)# class-map ips_class Creates a class map to identify the traf fic f o r which you want to send to the ASA IPS module.
31-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuring the ASA IPS module Step 5 ips { inline | promiscuous } { fail-close | fail-open } [ senso.
31-21 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Managing the ASA IPS module Managing the ASA IPS module This section includes proc edures that help y.
31-22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Managing the AS A IPS module Note Before you do wnload the IPS software to disk0, make sure at least 50% of the flash memory is free. When you install IPS, IPS reserves 50 % of the internal flas h memory for its f ile system.
31-23 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Managing the ASA IPS module Shutting Down the Module Shutting do wn the module software prepares the modu le to be safely po wered off with out losing confi guration data.
31-24 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Managing the AS A IPS module Resetting the Password Y ou can reset the module password to the default . For the user cisco , the default passw ord is cisco .
31-25 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Monitoring the ASA IPS module Reloading or Resetting the Module T o reload or reset the module, enter on e of the follo wing commands at the ASA CLI.
31-26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Configuration Examples for the ASA IPS module Serial Number: JAB11370240 Firmware version: 1.0(14)3 Software version: 6.2(1)E2 MAC Address Range: 001d.45c2.
31-27 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 31 Configuring the ASA IPS Module Feature History for the ASA IPS module ciscoasa(config)# class-map my-ips-class ciscoasa(config-cmap).
31-28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configurin g the ASA IPS Module Feature History for the ASA IPS module Support for Dual SSPs for SSP-40 an d SSP-60 8.4(2) For SSP-40 and SSP-60, you can use two SSPs of the same le vel in the same chassi s.
CH A P T E R 32-1 Cisco ASA Series Firewall CLI Configuratio n Guide 32 Configuring the ASA CSC Module This chapter descri bes how to configure the Conten t Security and Control (CSC) appl ication that is installed in a CSC SSM in the ASA.
32-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Information About the CSC SSM Figur e 32-1 Flow of Scanned T raf fic with the CSC SSM Y ou use ASDM for system setup and mo nitoring of th e CSC SSM.
32-3 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Information Ab out the CSC SSM Figur e 32-2 CSC SSM Deployment with a Manage ment Networ k Determining.
32-4 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Information About the CSC SSM Based on the conf iguration shown in Figure 32-3 , conf igure the ASA to.
32-5 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Licensing Requirements for the CSC SSM In the outside- policy , outside-class matches SMTP tr af fic from an y outside source to the DMZ network.
32-6 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Guidelines and Limitations – Domain name and hostname for t he CSC SSM. – An e-mail address and an SMTP server IP addr ess and port numb er for e-mail notif ications.
32-7 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Configuring the CSC SSM Configuring the CSC SSM This section descri bes ho w to conf igure the CSC SSM.
32-8 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Configuring the CSC SSM • If you manually control time settings, v erify the clock settings, includi ng time zone. Choose Conf iguration > Pr operties > Device Administration > Clock .
32-9 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Configuring the CSC SSM T o connect to the CSC SSM, perform the follo wing steps: Step 1 In the ASDM main application windo w , click the Content Security tab .
32-10 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Configuring the CSC SSM What to Do Next See the “Div erting Traf fic to the CSC SSM” section on page 32-10 . Diverting Traffic to the CSC SSM Y o u use Modular Polic y Framew ork commands to conf igure the ASA to div ert traff ic to the CSC SSM.
32-11 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Configuring the CSC SSM Step 6 set connection per-client-max n Example: ciscoasa(config-pmap-c)# set connection per-client-max 5 Lets you conf igure limits to thw art DoS attacks.
32-12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Configuring the CSC SSM Step 7 csc { fail-close | fail-open } Example: ciscoasa(config-pmap-c)# csc {.
32-13 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Monitoring the CSC SSM What to Do Next See the “Monitorin g the CSC SSM” sect ion on page 32-13 .
32-14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Troubleshooting the CSC Module Port Mask: 255.255.224.
32-15 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Troubleshooting the CSC Module Detailed Steps Resetting the Password Y ou can reset the module passwor d to the default. The def ault password is cisco.
32-16 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Troubleshooting the CSC Module T o reset the module passw ord to the def ault of cisco, perform th e follo wing steps.
32-17 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Configuration Exa mples for the CSC SSM Shutting Down the Module If you restart the ASA, the module is not automatica lly rest arted. T o shut do wn the module, perform th e follo wing steps at th e ASA CLI.
32-18 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Additional References ciscoasa(config-pmap)# class csc_inbound_class ciscoasa(config-pmap-c)# csc fai.
32-19 Cisco ASA Series Firewall CLI Configuratio n Guide Chapter 32 Configuring the ASA CSC Module Feature History for the CSC SSM Feature History for the CSC SSM T able 32-2 lists each feature change and the plat form release in which it w as implemented.
32-20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 32 Configurin g the ASA CSC Module Feature History for the CSC SSM.
IN-1 Cisco ASA Series Firewall CLI Configuration Guide INDEX A AAA accounting 7-21 authentication network access 7-2 authorization downloadable access lists 7-17 network access 7-14 performance 7-1 we.
Index IN-2 Cisco ASA Series Firewall CLI Configuration Guide IP fragment 28-4 IP impossib le packet 28-4 large ICMP traffic 28-6 ping of death 28-6 proxied RPC request 28-7 statd buffer overflow 28-8 .
Index IN-3 Cisco ASA Series Firewall CLI Configuration Guide required by phone prox y 16-16 Cisco IP Communicator 16-10 Cisco IP Phones, application inspection 11-25 Cisco UMA.
Index IN-4 Cisco ASA Series Firewall CLI Configuration Guide DNS request for all records attack 28-7 DNS zone transfer attack 28-7 DNS zone transfer from high port attack 28-7 downloadable access list.
Index IN-5 Cisco ASA Series Firewall CLI Configuration Guide inspection_default cl ass-map 1-9 inspection engines See application inspection Instant Messaging inspection 11-19 interfaces default setti.
Index IN-6 Cisco ASA Series Firewall CLI Configuration Guide default polic y 1-8 examples 1-18 feature directionality 1-3 features 1-2 flows 1-6 matching multiple policy maps 1-6 service poli cy, appl.
Index IN-7 Cisco ASA Series Firewall CLI Configuration Guide dynamic NAT 5-7 dynamic PAT 5-11 examples 5-25 guidelines 5-2 identity NAT 5-21 monitoring 5-24 prerequis ites 5-2 static NAT 5-18 types 3-.
Index IN-8 Cisco ASA Series Firewall CLI Configuration Guide CSC SSM 32-5 presence_proxy_remotecert 15-15 proxied RPC request attack 28-7 proxy servers SIP and 11-18 PRSM 30-5 Q QoS about 23-1, 23-3 D.
Index IN-9 Cisco ASA Series Firewall CLI Configuration Guide management defaults 31-6 password reset 31-24, 32-15 reload 31-25, 32-16 reset 31-25, 32-16 routing 31-10 sessioning to 31-13 shutdown 31-2.
Index IN-10 Cisco ASA Series Firewall CLI Configuration Guide applications supported by A SA 14-3 Cisco Unified Presence architecture 19-1 configuring for Cisco Un ified Presence 19-8 licenses 14-4, 1.
デバイスCisco Systems ASA 5585-Xの購入後に(又は購入する前であっても)重要なポイントは、説明書をよく読むことです。その単純な理由はいくつかあります:
Cisco Systems ASA 5585-Xをまだ購入していないなら、この製品の基本情報を理解する良い機会です。まずは上にある説明書の最初のページをご覧ください。そこにはCisco Systems ASA 5585-Xの技術情報の概要が記載されているはずです。デバイスがあなたのニーズを満たすかどうかは、ここで確認しましょう。Cisco Systems ASA 5585-Xの取扱説明書の次のページをよく読むことにより、製品の全機能やその取り扱いに関する情報を知ることができます。Cisco Systems ASA 5585-Xで得られた情報は、きっとあなたの購入の決断を手助けしてくれることでしょう。
Cisco Systems ASA 5585-Xを既にお持ちだが、まだ読んでいない場合は、上記の理由によりそれを行うべきです。そうすることにより機能を適切に使用しているか、又はCisco Systems ASA 5585-Xの不適切な取り扱いによりその寿命を短くする危険を犯していないかどうかを知ることができます。
ですが、ユーザガイドが果たす重要な役割の一つは、Cisco Systems ASA 5585-Xに関する問題の解決を支援することです。そこにはほとんどの場合、トラブルシューティング、すなわちCisco Systems ASA 5585-Xデバイスで最もよく起こりうる故障・不良とそれらの対処法についてのアドバイスを見つけることができるはずです。たとえ問題を解決できなかった場合でも、説明書にはカスタマー・サービスセンター又は最寄りのサービスセンターへの問い合わせ先等、次の対処法についての指示があるはずです。