1
2
Table Of Contents
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
Advertisement
Quick Links
Download this manual
See also:
Manual
Cisco Security Appliance Command Line
Configuration Guide
For the Cisco ASA 5500 Series and Cisco PIX 500 Series
Software Version 8.0(1)
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Customer Order Number: N/A, Online only
Text Part Number: OL-12172-03
Advertisement
Table of Contents
Troubleshooting
Also See for Cisco PIX 500 Series
Cisco Cisco PIX 500 Manual
4 pages
Related Manuals for Cisco PIX 500 Series
-
Software Cisco ASA5500-SC-5= - ASA 5500 Security Context Datasheet
Adaptive security appliances asa software version 7.0 (20 pages)
-
Security System Cisco PIX 501 - Security Appliance Datasheet
Data sheet (8 pages)
-
Security System Cisco PIX-515-RPS - PIX 515-R - Firewall Quick Start Manual
Security appliance (42 pages)
-
Security System Cisco PIX 525 Datasheet
Security appliance (13 pages)
-
Security System Cisco Meraki MX67 Installation Manual
(14 pages)
-
Security System Cisco ASA 5506W-X Hardware Installation Manual
(52 pages)
-
Security System Cisco ASA 55 Series Software Manual
Threat defense reimage guide (37 pages)
-
Security System Cisco ISA550 Quick Start Manual
Isa500 series integrated security appliance (13 pages)
-
Security System Cisco ISA550 Administration Manual
Isa500 series (16 pages)
-
Security System Cisco NCS 4000 Series Troubleshooting Manual
(44 pages)
-
Security System Cisco ISA 3000 Product Documentation
Industrial security (12 pages)
-
Security System Cisco Small Business Pro SA 500 Series Quick Start Manual
Small business pro security appliances (2 pages)
-
Security System Cisco IronPort S670 Quick Start Manual
(2 pages)
Summary of Contents for Cisco PIX 500 Series
- Page 1 Cisco Security Appliance Command Line Configuration Guide For the Cisco ASA 5500 Series and Cisco PIX 500 Series Software Version 8.0(1) Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387)
- Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.;...
-
Page 3: Table Of Contents
Sending Traffic to the Content Security and Control Security Services Module Applying QoS Policies Applying Connection Limits and TCP Normalization Enabling Threat Detection Firewall Mode Overview Stateful Inspection Overview VPN Functional Overview Intrusion Prevention Services Functional Overview Security Context Overview Cisco Security Appliance Command Line Configuration Guide OL-12172-03... - Page 4 Management Access to Security Contexts System Administrator Access Context Administrator Access 3-10 Enabling or Disabling Multiple Context Mode 3-10 Backing Up the Single Mode Configuration 3-10 Enabling Multiple Context Mode 3-10 Restoring Single Context Mode 3-11 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 5 Contents Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security C H A P T E R Appliance Interface Overview Understanding ASA 5505 Ports and Interfaces Maximum Active VLAN Interfaces for Your License Default Interface Configuration...
- Page 6 Allowing Communication Between Interfaces on the Same Security Level Configuring Basic Settings C H A P T E R Changing the Login Password Changing the Enable Password Setting the Hostname Setting the Domain Name Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 7 9-21 Enabling RIP Authentication 9-22 Monitoring RIP 9-22 Configuring EIGRP 9-23 EIGRP Routing Overview 9-23 Enabling and Configuring EIGRP Routing 9-24 Enabling and Configuring EIGRP Stub Routing 9-25 Enabling EIGRP Authentication 9-26 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 8 Configuring a DHCP Server 10-1 Enabling the DHCP Server 10-2 Configuring DHCP Options 10-3 Using Cisco IP Phones with a DHCP Server 10-4 Configuring DHCP Relay Services 10-5 Configuring Dynamic DNS 10-6 Example 1: Client Updates Both A and PTR RRs for Static IP Addresses 10-7 Example 2: Client Updates Both A and PTR RRs;...
- Page 9 Configuring IPv6 Default and Static Routes 12-5 Configuring IPv6 Access Lists 12-6 Configuring IPv6 Neighbor Discovery 12-7 Configuring Neighbor Solicitation Messages 12-7 Configuring Router Advertisement Messages 12-9 Configuring a Static IPv6 Neighbor 12-11 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 10 Using Certificates and User Login Credentials 13-16 Using User Login Credentials 13-16 Using certificates 13-16 Supporting a Zone Labs Integrity Server 13-17 Overview of Integrity Server and Security Appliance Interaction 13-17 Configuring Integrity Server Support 13-18 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 11 14-18 Configuring Failover 14-19 Failover Configuration Limitations 14-19 Configuring Active/Standby Failover 14-19 Prerequisites 14-20 Configuring Cable-Based Active/Standby Failover (PIX 500 Series Security Appliance Only) 14-20 Configuring LAN-Based Active/Standby Failover 14-21 Configuring Optional Active/Standby Failover Settings 14-25 Configuring Active/Active Failover 14-27...
- Page 12 Passing Traffic Not Allowed in Routed Mode 15-7 MAC Address vs. Route Lookups 15-8 Using the Transparent Firewall in Your Network 15-9 Transparent Firewall Guidelines 15-9 Unsupported Features in Transparent Mode 15-10 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 13 Adding an ICMP Type Object Group 16-14 Nesting Object Groups 16-15 Using Object Groups with an Access List 16-16 Displaying Object Groups 16-17 Removing Object Groups 16-17 Adding Remarks to Access Lists 16-17 Cisco Security Appliance Command Line Configuration Guide xiii OL-12172-03...
- Page 14 Using Static NAT 17-26 Using Static PAT 17-27 Bypassing NAT 17-30 Configuring Identity NAT 17-30 Configuring Static Identity NAT 17-31 Configuring NAT Exemption 17-33 NAT Examples 17-34 Overlapping Networks 17-34 Redirecting Ports 17-36 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 15 Filtering URLs and FTP Requests with an External Server 20-4 URL Filtering Overview 20-4 Identifying the Filtering Server 20-4 Buffering the Content Server Response 20-6 Caching Server Addresses 20-6 Filtering HTTP URLs 20-7 Configuring HTTP Filtering 20-7 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 16 Applying Inspection and QoS Policing to HTTP Traffic 21-19 Applying Inspection to HTTP Traffic Globally 21-20 Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers 21-21 Applying Inspection to HTTP Traffic with NAT 21-22 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 17 Configuring TCP Normalization 23-11 Configuring Connection Limits and Timeouts 23-14 Connection Limit Overview 23-14 TCP Intercept Overview 23-14 Disabling TCP Intercept for Management Packets for WebVPN Compatibility 23-14 Dead Connection Detection Overview 23-15 Cisco Security Appliance Command Line Configuration Guide xvii OL-12172-03...
- Page 18 C H A P T E R Inspection Engine Overview 25-2 When to Use Application Protocol Inspection 25-2 Inspection Limitations 25-3 Default Inspection Policy 25-3 Configuring Application Inspection 25-5 CTIQBE Inspection 25-10 CTIQBE Inspection Overview 25-10 Cisco Security Appliance Command Line Configuration Guide xviii OL-12172-03...
- Page 19 Configuring H.323 and H.225 Timeout Values 25-42 Verifying and Monitoring H.323 Inspection 25-42 Monitoring H.225 Sessions 25-42 Monitoring H.245 Sessions 25-43 Monitoring H.323 RAS Sessions 25-44 HTTP Inspection 25-44 HTTP Inspection Overview 25-44 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 20 25-72 Restrictions and Limitations 25-72 Verifying and Monitoring SCCP Inspection 25-73 Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control 25-73 SMTP and Extended SMTP Inspection 25-75 SNMP Inspection 25-76 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 21 ISAKMP Overview 27-2 Configuring ISAKMP Policies 27-5 Enabling ISAKMP on the Outside Interface 27-6 Disabling ISAKMP in Aggressive Mode 27-6 Determining an ID Method for ISAKMP Peers 27-6 Enabling IPSec over NAT-T 27-7 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 22 C H A P T E R Configuring VPNs in Single, Routed Mode 29-1 Configuring IPSec to Bypass ACLs 29-1 Permitting Intra-Interface Traffic 29-2 NAT Considerations for Intra-Interface Traffic 29-3 Setting Maximum Active IPSec VPN Sessions 29-3 Cisco Security Appliance Command Line Configuration Guide xxii OL-12172-03...
- Page 23 Configuring Connection Profiles for Clientless SSL VPN Sessions 30-19 Specifying a Connection Profile Name and Type for Clientless SSL VPN Sessions 30-19 Configuring General Tunnel-Group Attributes for Clientless SSL VPN Sessions 30-19 Cisco Security Appliance Command Line Configuration Guide xxiii OL-12172-03...
- Page 24 Configuring Attributes for Specific Users 30-73 Setting a User Password and Privilege Level 30-74 Configuring User Attributes 30-74 Configuring VPN User Attributes 30-75 Configuring Clientless SSL VPN Access for Specific Users 30-79 Cisco Security Appliance Command Line Configuration Guide xxiv OL-12172-03...
- Page 25 Changing Global NAC Framework Settings 33-8 Changing Clientless Authentication Settings 33-8 Enabling and Disabling Clientless Authentication 33-9 Changing the Login Credentials Used for Clientless Authentication 33-9 Changing NAC Framework Session Attributes 33-10 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 26 Contents Configuring Easy VPN Services on the ASA 5505 34-1 C H A P T E R Specifying the Client/Server Role of the Cisco ASA 5505 34-2 Specifying the Primary and Secondary Servers 34-3 Specifying the Mode 34-3 Configuring Automatic Xauth Authentication...
- Page 27 Preparing the Security Appliance for a Plug-in 37-25 Providing Access to Plug-ins Redistributed By Cisco 37-25 Providing Access to Plug-ins Not Redistributed By Cisco—Example: Citrix Java Presentation Server Client Plug-in 37-27 Preparing the Citrix MetraFrame Server for Clientless SSL VPN Access...
- Page 28 Viewing the Clientless SSL VPN Home Page 37-54 Viewing the Clientless SSL VPN Application Access Panel 37-55 Viewing the Floating Toolbar 37-56 Customizing Clientless SSL VPN Pages 37-56 How Customization Works 37-57 Exporting a Customization Template 37-57 Cisco Security Appliance Command Line Configuration Guide xxviii OL-12172-03...
- Page 29 37-64 Customizing Help 37-65 Customizing a Help File Provided By Cisco 37-66 Creating Help Files for Languages Not Provided by Cisco 37-66 Importing a Help File to Flash Memory 37-67 Exporting a Previously Imported Help File from Flash Memory 37-67...
- Page 30 The Default Local CA Server 39+\17 Customizing the Local CA Server 39+\19 Certificate Characteristics 39+\20 Defining Storage for Local CA Files 39+\22 Default Flash Memory Data Storage 39+\22 Setting up External Local CA File Storage 39+\23 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 31 Allowing HTTPS Access for ASDM 40-3 Enabling HTTPS Access 40-4 Accessing ASDM from Your PC 40-4 Managing the Security Appliance on a Different Interface from the VPN Tunnel Termination Interface 40-5 Cisco Security Appliance Command Line Configuration Guide xxxi OL-12172-03...
- Page 32 41-9 Backing Up Additional Files Using the Export and Import Commands 41-9 Using a Script to Back Up and Restore Files 41-10 Prerequisites 41-10 Running the Script 41-11 Sample Script 41-11 Cisco Security Appliance Command Line Configuration Guide xxxii OL-12172-03...
- Page 33 Changing the Severity Level of a System Log Message 42-22 Changing the Amount of Internal Flash Memory Available for Logs 42-23 Understanding System Log Messages 42-24 System Log Message Format 42-24 Severity Levels 42-24 Cisco Security Appliance Command Line Configuration Guide xxxiii OL-12172-03...
- Page 34 Reloading the Security Appliance 43-6 Performing Password Recovery 43-6 Recovering Passwords for the ASA 5500 Series Adaptive Security Appliance 43-7 Recovering Passwords for the PIX 500 Series Security Appliance 43-8 Disabling Password Recovery 43-9 Resetting the Password on the SSM Hardware Module 43-10...
- Page 35 B-31 Example 12: Primary ctx1 Context Configuration B-32 Example 12: Secondary Unit Configuration B-32 Example 13: Dual ISP Support Using Static Route Tracking B-33 Example 14: ASA 5505 Base License B-34 Cisco Security Appliance Command Line Configuration Guide xxxv OL-12172-03...
- Page 36 Subnet Masks Determining the Subnet Mask Determining the Address to Use with the Subnet Mask IPv6 Addresses IPv6 Address Format IPv6 Address Types Unicast Addresses Multicast Address Anycast Address Required Addresses D-10 Cisco Security Appliance Command Line Configuration Guide xxxvi OL-12172-03...
- Page 37 Configuring an External RADIUS Server E-33 Reviewing the RADIUS Configuration Procedure E-33 Security Appliance RADIUS Authorization Attributes E-34 Security Appliance TACACS+ Attributes E-40 L O S S A R Y N D E X Cisco Security Appliance Command Line Configuration Guide xxxvii OL-12172-03...
- Page 38 Contents Cisco Security Appliance Command Line Configuration Guide xxxviii OL-12172-03...
-
Page 39: About This Guide
Help for less common scenarios. For more information, see: http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdm/index.htm This guide applies to the Cisco PIX 500 series security appliances (PIX 515E, PIX 525, and PIX 535) and the Cisco ASA 5500 series security appliances (ASA 5505, ASA 5510, ASA 5520, ASA 5540, and ASA 5550). -
Page 40: Related Documentation
Cisco Security Appliance Command Reference • Cisco Security Appliance Logging Configuration and System Log Messages • Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0 • Migrating to ASA for VPN 3000 Series Concentrator Administrators •... - Page 41 Part 3: Configuring VPN Chapter 27, “Configuring IPSec Describes how to configure ISAKMP and IPSec tunneling to build and manage VPN and ISAKMP” “tunnels,” or secure connections between remote users and a private corporate network. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 42 Describes how to monitor the security appliance. Security Appliance” Chapter 43, “Troubleshooting Describes how to troubleshoot the security appliance. the Security Appliance” Part 4: Reference Appendix A, “Feature Licenses Describes the feature licenses and specifications. and Specifications” Cisco Security Appliance Command Line Configuration Guide xlii OL-12172-03...
-
Page 43: Document Conventions
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html... - Page 44 About This Guide Obtaining Documentation, Obtaining Support, and Security Guidelines Cisco Security Appliance Command Line Configuration Guide xliv OL-12172-03...
- Page 45 A R T Getting Started and General Information...
-
Page 47: Introduction To The Security Appliance
WebVPN support, and many more features. See Appendix A, “Feature Licenses and Specifications,” a list of supported platforms and features. For a list of new features, see the Cisco ASA 5500 Series Release Notes or the Cisco PIX Security Appliance Release Notes. -
Page 48: Security Policy Overview
Using AAA for Through Traffic You can require authentication and/or authorization for certain types of traffic, for example, for HTTP. The security appliance also sends accounting information to a RADIUS or TACACS+ server. Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 49: Applying Http, Https, Or Ftp Filtering
You can configure scanning threat detection and basic threat detection, and also how to use statistics to analyze threats. Basic threat detection detects activity that might be related to an attack, such as a DoS attack, and automatically sends a system log message. Cisco Security Appliance Command Line Configuration Guide OL-12172-03... - Page 50 – Performing route lookups – – Allocating NAT translations (xlates) – Establishing sessions in the “fast path” The session management path and the fast path make up the “accelerated security path.” Note Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
-
Page 51: Vpn Functional Overview
• Manages data transfer across the tunnel • Manages data transfer inbound and outbound as a tunnel endpoint or router • The security appliance invokes various standard protocols to accomplish these functions. Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 52: Intrusion Prevention Services Functional Overview
Intrusion Prevention Services Functional Overview Intrusion Prevention Services Functional Overview The Cisco ASA 5500 series adaptive security appliance supports the AIP SSM, an intrusion prevention services module that monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library. When the system detects unauthorized activity, it can terminate the specific connection, permanently block the attacking host, log the incident, and send an alert to the device manager. -
Page 53: Chapter 2 Getting Started
• Getting Started with Your Platform Model This guide applies to multiple security appliance platforms and models: the PIX 500 series security appliances and the ASA 5500 series adaptive security appliances. There are some hardware differences between the PIX and the ASA security appliance. Moreover, the ASA 5505 includes a built-in switch, and requires some special configuration. -
Page 54: Restoring The Factory Default Configuration
• All inside IP addresses are translated when accessing the outside using interface PAT. • By default, inside users can access the outside, and outside users are prevented from accessing the inside. Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 55: Asa 5510 And Higher Default Configuration
The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives • an address between 192.168.1.2 and 192.168.1.254. The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network. • Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 56: Pix 515/515E Default Configuration
If you want to use ASDM to configure the security appliance instead of the command-line interface, you Note can connect to the default management address of 192.168.1.1 (if your security appliance includes a factory default configuration. See the “Factory Default Configurations” section on page 2-1.). On the Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 57: Setting Transparent Or Routed Firewall Mode
You can set the security appliance to run in routed firewall mode (the default) or transparent firewall mode. For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system execution space. Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 58: Working With The Configuration
Creating Text Configuration Files Offline, page 2-9 • Saving Configuration Changes This section describes how to save your configuration, and includes the following topics: Saving Configuration Changes in Single Context Mode, page 2-7 • Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 59: Saving Configuration Changes In Single Context Mode
Sometimes, a context is not saved because of an error. See the following information for errors: For contexts that are not saved because of low memory, the following message appears: • The context 'context a' could not be saved due to Unavailability of resources Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 60: Copying The Startup Configuration To The Running Configuration
Viewing the Configuration The following commands let you view the running and startup configurations. To view the running configuration, enter the following command: • hostname# show running-config Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 61: Clearing And Removing Configuration Settings
Alternatively, you can download a text file to the security appliance internal Flash memory. Chapter 41, “Managing Software, Licenses, and Configurations,” for information on downloading the configuration file to the security appliance. Cisco Security Appliance Command Line Configuration Guide OL-12172-03... - Page 62 In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows: context a For additional information about formatting the file, see Appendix C, “Using the Command-Line Interface.” Cisco Security Appliance Command Line Configuration Guide 2-10 OL-12172-03...
- Page 63 You are a large enterprise or a college campus and want to keep departments completely separate. • You are an enterprise that wants to provide distinct security policies to different departments. • You have any network that requires more than one security appliance. • Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
-
Page 64: Security Context Overview
The admin context must reside on Flash memory, and not remotely. Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 65: How The Security Appliance Classifies Packets
The classifier relies on the NAT configuration to determine the subnets in each context. The classifier matches the destination IP address to either a static command or Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 66: Invalid Classifier Criteria
Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 67: Classification Examples
MAC 000C.F142.4CDA MAC 000C.F142.4CDB MAC 000C.F142.4CDC Admin Context A Context B Context GE 0/1.1 GE 0/1.2 GE 0/1.3 Inside Admin Inside Customer B Network Customer A Host Host Host 209.165.202.129 209.165.200.225 209.165.201.1 Cisco Security Appliance Command Line Configuration Guide OL-12172-03... - Page 68 (the Web, for example), and addresses are not predictable for an outside NAT configuration. If you share an inside interface, we suggest you use unique MAC addresses. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 69 Incoming Traffic from Inside Networks Internet GE 0/0.1 Admin Context A Context B Context Classifier GE 0/1.1 GE 0/1.2 GE 0/1.3 Inside Admin Inside Customer B Network Customer A Host Host Host 10.1.1.13 10.1.1.13 10.1.1.13 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
-
Page 70: Cascading Security Contexts
Cascading contexts requires that you configure unique MAC addresses for each context interface. Note Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading contexts without unique MAC addresses. Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 71: Management Access To Security Contexts
To log in with a username, enter the login command. For example, you log in to the admin context with the Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 72: Context Administrator Access
Your security appliance might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. ASDM does not support changing modes, so you need to change modes using the CLI. -
Page 73: Restoring Single Context Mode
To set the mode to single mode, enter the following command in the system execution space: Step 2 hostname(config)# mode single The security appliance reboots. Cisco Security Appliance Command Line Configuration Guide 3-11 OL-12172-03... - Page 74 Chapter 3 Enabling Multiple Context Mode Enabling or Disabling Multiple Context Mode Cisco Security Appliance Command Line Configuration Guide 3-12 OL-12172-03...
-
Page 75: Appliance
C H A P T E R Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive security appliance. -
Page 76: Understanding Asa 5505 Ports And Interfaces
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Overview Understanding ASA 5505 Ports and Interfaces The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure: Physical switch ports—The adaptive security appliance has eight Fast Ethernet switch ports that... - Page 77 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Overview With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN. See Figure 4-1 for an example network where the Home VLAN can communicate with the Internet, but cannot initiate contact with Business.
-
Page 78: Default Interface Configuration
“Configuring Switch Ports as Access Ports” section on page 4-9 for more information about shutting down a switch port. To view the status of PoE switch ports, including the type of device connected (Cisco or IEEE 802.3af), use the show power inline command. Monitoring Traffic Using SPAN If you want to monitor traffic that enters or exits one or more switch ports, you can enable SPAN, also known as switch port monitoring. -
Page 79: Security Level Overview
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring VLAN Interfaces See the switchport monitor command in the Cisco Security Appliance Command Reference for more information. Security Level Overview Each VLAN interface must have a security level in the range 0 to 100 (from lowest to highest). For example, you should assign your most secure network, such as the inside business network, to level 100. - Page 80 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring VLAN Interfaces If you are using failover, do not use this procedure to name interfaces that you are reserving for failover Note communications. See Chapter 14, “Configuring Failover,”...
- Page 81 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring VLAN Interfaces Where number is an integer between 0 (lowest) and 100 (highest). Step 5 (Routed mode only) To set the IP address, enter one of the following commands.
- Page 82 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring VLAN Interfaces hostname(config-if)# no shutdown hostname(config-if)# interface vlan 200 hostname(config-if)# nameif inside hostname(config-if)# security-level 100 hostname(config-if)# ip address 10.2.1.1 255.255.255.0 hostname(config-if)# no shutdown...
-
Page 83: Configuring Switch Ports As Access Ports
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring Switch Ports as Access Ports Configuring Switch Ports as Access Ports By default, all switch ports are shut down. To assign a switch port to one VLAN, configure it as an access port. - Page 84 The auto setting is the default. If you set the speed to anything other than auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.
-
Page 85: Configuring A Switch Port As A Trunk Port
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring a Switch Port as a Trunk Port hostname(config-if)# switchport access vlan 400 hostname(config-if)# no shutdown hostname(config-if)# interface ethernet 0/4 hostname(config-if)# switchport access vlan 500... - Page 86 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring a Switch Port as a Trunk Port You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach.
-
Page 87: Allowing Communication Between Vlan Interfaces On The Same Security Level
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Allowing Communication Between VLAN Interfaces on the Same Security Level hostname(config-if)# security-level 50 hostname(config-if)# ip address 10.1.2.1 255.255.255.0 hostname(config-if)# no shutdown hostname(config-if)# failover lan faillink vlan500 hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2... - Page 88 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Allowing Communication Between VLAN Interfaces on the Same Security Level Cisco Security Appliance Command Line Configuration Guide 4-14 OL-12172-03...
-
Page 89: Configuring Ethernet Settings, Redundant Interfaces, And Subinterfaces
To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring Note Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.” This chapter includes the following sections: Configuring and Enabling RJ-45 Interfaces, page 5-1 •... -
Page 90: Default State Of Physical Interfaces
The physical interface types include the following: • ethernet gigabitethernet • management (ASA 5500 only) • For the PIX 500 series security appliance, enter the type followed by the port number, for example, ethernet0. Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 91: Configuring And Enabling Fiber Interfaces
However, before traffic can pass through the context interface, you must first enable the physical interface in the system configuration according to this procedure. Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 92: Configuring The Fiber Interface
This section describes how to configure redundant interfaces, and includes the following topics: Redundant Interface Overview, page 5-5 • Adding a Redundant Interface, page 5-6 • Changing the Active Interface, page 5-7 • Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 93: Redundant Interface Overview
Both member interfaces must be of the same physical type. For example, both must be Ethernet. • You cannot add a physical interface to the redundant interface if you configured a name for it. You • must first remove the name using the no nameif command. Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 94: Adding A Redundant Interface
The following example creates two redundant interfaces: hostname(config)# interface redundant 1 hostname(config-if)# member-interface gigabitethernet 0/0 hostname(config-if)# member-interface gigabitethernet 0/1 hostname(config-if)# interface redundant 2 hostname(config-if)# member-interface gigabitethernet 0/2 hostname(config-if)# member-interface gigabitethernet 0/3 Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 95: Changing The Active Interface
(see the “Configuring and Enabling RJ-45 Interfaces” section on page 5-1, “Configuring and Enabling Fiber Interfaces” section on page 5-3, or the “Configuring a Redundant Interface” section on page 5-4). Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 96: Maximum Subinterfaces
VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the security appliance changes the old ID. To enable the subinterface (if you previously disabled it), enter the following command: Step 3 hostname(config-subif)# no shutdown Cisco Security Appliance Command Line Configuration Guide OL-12172-03... - Page 97 By default, the subinterface is enabled. To disable the interface, enter the shutdown command. If you shut down an interface in the system execution space, then that interface is shut down in all contexts that share it. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 98 Chapter 5 Configuring Ethernet Settings, Redundant Interfaces, and Subinterfaces Configuring VLAN Subinterfaces and 802.1Q Trunking Cisco Security Appliance Command Line Configuration Guide 5-10 OL-12172-03...
- Page 99 The security appliance manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class. This section includes the following topics: Resource Limits, page 6-2 • Default Class, page 6-3 • Class Members, page 6-4 • Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
-
Page 100: Configuring Resource Management
Context A, B, and C are unable to reach their 3 percent combined limit. (See Figure 6-2.) Setting unlimited access is similar to oversubscribing the security appliance, except that you have less control over how much you oversubscribe the system. Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 101: Default Class
By default, the default class provides unlimited access to resources for all contexts, except for the following limits, which are by default set to the maximum allowed per context: Telnet sessions—5 sessions. • SSH sessions—5 sessions. • IPSec sessions—5 sessions. • • MAC addresses—65,535 entries. Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 102: Class Members
To set the resource limits, see the following options: Step 2 To set all resource limits (shown in Table 6-1) to be unlimited, enter the following command: • hostname(config-resmgmt)# limit-resource all 0 Cisco Security Appliance Command Line Configuration Guide OL-12172-03... - Page 103 Table 6-1 lists the resource types and the limits. See also the show resource types command. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 104 For example, to set the default class limit for conns to 10 percent instead of unlimited, enter the following commands: hostname(config)# class default hostname(config-class)# limit-resource conns 10% All other resources remain at unlimited. To add a class called gold, enter the following commands: hostname(config)# class gold Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
-
Page 105: Configuring A Security Context
[visible | invisible] • To allocate one or more subinterfaces, enter the following command: hostname(config-ctx)# allocate-interface physical_interface . subinterface [- physical_interface . subinterface ] [ mapped_name [- mapped_name ]] [visible | invisible] Cisco Security Appliance Command Line Configuration Guide OL-12172-03... - Page 106 The following example shows gigabitethernet0/1.100, gigabitethernet0/1.200, and gigabitethernet0/2.300 through gigabitethernet0/1.305 assigned to the context. The mapped names are int1 through int8. hostname(config-ctx)# allocate-interface gigabitethernet0/1.100 int1 hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int2 hostname(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305 int3-int8 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 107 “.cfg”. If the configuration file is not available, you see the following message: WARNING: Could not fetch the URL http:// url INFO: Creating context with default config Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 108 Cisco Security Appliance Command Line Configuration Guide 6-10 OL-12172-03...
-
Page 109: Automatically Assigning Mac Addresses To Context Interfaces
In the rare circumstance that the generated MAC address conflicts with another private MAC address in your network, you can manually set the MAC address for the interface within the context. See the “Configuring Interface Parameters” section on page 7-2 to manually set the MAC address. Cisco Security Appliance Command Line Configuration Guide 6-11 OL-12172-03... -
Page 110: Changing Between Contexts And The System Execution Space
You might see an error message indicating that the number of interfaces on the active and standby units are not consistent; this error is temporary and can be ignored. Cisco Security Appliance Command Line Configuration Guide 6-12 OL-12172-03... -
Page 111: Changing The Admin Context
If you do not want to merge the configurations, you can clear the running configuration, which disrupts any communications through the context, and then reload the configuration from the new URL. Cisco Security Appliance Command Line Configuration Guide 6-13 OL-12172-03... -
Page 112: Reloading A Security Context
To change to the context that you want to reload, enter the following command: hostname# changeto context name To access configuration mode, enter the following command: Step 2 hostname/ name # configure terminal To clear the running configuration, enter the following command: Step 3 Cisco Security Appliance Command Line Configuration Guide 6-14 OL-12172-03... -
Page 113: Monitoring Security Contexts
The following is sample output from the show context command. The following sample display shows three contexts: hostname# show context Context Name Interfaces *admin GigabitEthernet0/1.100 disk0:/admin.cfg GigabitEthernet0/1.101 contexta GigabitEthernet0/1.200 disk0:/contexta.cfg GigabitEthernet0/1.201 contextb GigabitEthernet0/1.300 disk0:/contextb.cfg GigabitEthernet0/1.301 Cisco Security Appliance Command Line Configuration Guide 6-15 OL-12172-03... -
Page 114: Viewing Resource Allocation
Real Interfaces: Mapped Interfaces: Flags: 0x00000009, ID: 258 See the Cisco Security Appliance Command Reference for more information about the detail output. The following is sample output from the show context count command: hostname# show context count Total active contexts: 2... - Page 115 All Contexts: 51000 Inspects [rate] default unlimited gold unlimited silver 10000 10000 bronze 5000 All Contexts: 10000 Syslogs [rate] default unlimited gold 6000 6000 silver 3000 3000 bronze 1500 All Contexts: 9000 Cisco Security Appliance Command Line Configuration Guide 6-17 OL-12172-03...
- Page 116 D—This limit was not defined in the member class, but was derived from the • default class. For a context assigned to the default class, the value will be “C” instead of “D.” The security appliance can combine “A” with “C” or “D.” Cisco Security Appliance Command Line Configuration Guide 6-18 OL-12172-03...
-
Page 117: Viewing Resource Usage
If you specify all for the counter name, then the count_threshold applies to the current usage. To show all resources, set the count_threshold to 0. Note Cisco Security Appliance Command Line Configuration Guide 6-19 OL-12172-03... -
Page 118: Monitoring Syn Attacks In Contexts
The security appliance prevents SYN attacks using TCP Intercept. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the Cisco Security Appliance Command Line Configuration Guide 6-20 OL-12172-03... - Page 119 0 c1 chunk:fixup unlimited 0 c1 chunk:global unlimited 0 c1 chunk:hole unlimited 0 c1 chunk:ip-users unlimited 0 c1 chunk:udp-ctrl-blk unlimited 0 c1 chunk:list-elem unlimited 0 c1 chunk:list-hdr unlimited 0 c1 Cisco Security Appliance Command Line Configuration Guide 6-21 OL-12172-03...
- Page 120 0 Summary tcp-intercept-rate 341306 811579 unlimited 0 Summary globals unlimited 0 Summary np-statics unlimited 0 Summary statics 0 Summary nats 0 Summary ace-rules 0 Summary console-access-rul 0 Summary fixup-rules 0 Summary Cisco Security Appliance Command Line Configuration Guide 6-22 OL-12172-03...
-
Page 121: Chapter 7 Configuring Interface Parameters
To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring Note Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.” This chapter includes the following sections: Security Level Overview, page 7-1 •... -
Page 122: Configuring Interface Parameters
Interface Parameters Overview This section describes interface parameters and includes the following topics: Default State of Interfaces, page 7-3 • Default Security Level, page 7-3 • Multiple Context Mode Guidelines, page 7-3 • Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 123: Default State Of Interfaces
} hostname(config-if)# The redundant number argument is the redundant interface ID, such as redundant 1. Append the subinterface ID to the physical or redundant interface ID separated by a period (.). Cisco Security Appliance Command Line Configuration Guide OL-12172-03... - Page 124 (ASA 5500 only) • For the PIX 500 series security appliance, enter the type followed by the port number, for example, ethernet 0. For the ASA 5500 series adaptive security appliance, enter the type followed by slot/port, for example, gigabitethernet 0/1.
- Page 125 Using a shared interface without unique MAC addresses is possible, but has some limitations. See the “How the Security Appliance Classifies Packets” section on page 3-3 for more Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
- Page 126 0/1.1 The following example configures parameters in multiple context mode for the context configuration: hostname/contextA(config)# interface gigabitethernet 0/1.1 hostname/contextA(config-if)# nameif inside hostname/contextA(config-if)# security-level 100 hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
-
Page 127: Allowing Communication Between Interfaces On The Same Security Level
To enable interfaces on the same security level so that they can communicate with each other, enter the following command: hostname(config)# same-security-traffic permit inter-interface To disable this setting, use the no form of this command. Cisco Security Appliance Command Line Configuration Guide OL-12172-03... - Page 128 Chapter 7 Configuring Interface Parameters Allowing Communication Between Interfaces on the Same Security Level Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
-
Page 129: Chapter 8 Configuring Basic Settings
Setting the Management IP Address for a Transparent Firewall, page 8-5 Changing the Login Password The login password is used for Telnet and SSH connections. By default, the login password is “cisco.” To change the password, enter the following command: hostname(config)# {passwd | password} password You can enter passwd or password. -
Page 130: Setting The Hostname
Time derived from an NTP server overrides any time set manually. This section also describes how to set the time zone and daylight saving time date range. Note In multiple context mode, set the time in the system configuration only. Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 131: Setting The Time Zone And Daylight Saving Time Date Range
The week value specifies the week of the month as an integer between 1 and 4 or as the words first or last. For example, if the day might fall in the partial fifth week, then specify last. Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 132: Setting The Date And Time Using An Ntp Server
3 that is preferred. You can identify multiple servers; the security appliance uses the most accurate server. Setting the Date and Time Manually To set the date time manually, enter the following command: Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 133: Setting The Management Ip Address For A Transparent Firewall
(255.255.255.255). This address must be IPv4; the transparent firewall does not support IPv6. The standby keyword and address is used for failover. See Chapter 14, “Configuring Failover,” for more information. Cisco Security Appliance Command Line Configuration Guide OL-12172-03... - Page 134 Chapter 8 Configuring Basic Settings Setting the Management IP Address for a Transparent Firewall Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
-
Page 135: Configuring Ip Routing
Websense or N2H2 server, or AAA server. If you have servers that cannot all be reached through a single default route, then you must configure static routes. Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 136: Configuring A Static Route
The security appliance distributes the traffic among the specified gateways. hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1 hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.2 hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.3 Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 137: Configuring A Default Static Route
IP address 192.168.2.4. hostname(config)# route outside 0 0 192.168.2.1 hostname(config)# route outside 0 0 192.168.2.2 hostname(config)# route outside 0 0 192.168.2.3 hostname(config)# route outside 0 0 192.168.2.4 tunneled Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 138: Configuring Static Route Tracking
[life {forever | seconds }] [start-time { hh : mm [: ss ] [ month day | day month ] | pending | now | after hh : mm : ss }] [ageout seconds ] [recurring] Cisco Security Appliance Command Line Configuration Guide OL-12172-03... - Page 139 To use a default route obtained through DHCP, enter the following commands: • hostname(config)# interface phy_if hostname(config-if)# dhcp client route track track_id hostname(config-if)# dhcp client route distance admin_distance hostname(config-if)# ip addresss dhcp setroute Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
-
Page 140: Defining Route Maps
If you specify more than one ACL, then the route can match any of the ACLs. To match any routes with the specified next hop interface, enter the following command: • hostname(config-route-map)# match interface if_name Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 141: Configuring Ospf
Configuring Route Summarization Between OSPF Areas, page 9-15 • Configuring Route Summarization When Redistributing Routes into OSPF, page 9-15 Generating a Default Route, page 9-16 • Configuring Route Calculation Timers, page 9-17 • Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 142: Ospf Overview
To enable OSPF, you need to create an OSPF routing process, specify the range of IP addresses associated with the routing process, then assign area IDs associated with that range of IP addresses. Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 143: Redistributing Routes Into Ospf
[match {internal | external [1 | 2] | nssa-external [1 | 2]}] [metric metric-value ] [metric-type {type-1 | type-2}] [tag tag_value ] [subnets] [route-map map_name ] Cisco Security Appliance Command Line Configuration Guide OL-12172-03... -
Page 144: Configuring Ospf Interface Parameters
To enter the interface configuration mode, enter the following command: Step 1 hostname(config)# interface interface_name Enter any of the following commands: Step 2 • To specify the authentication type for an interface, enter the following command: Cisco Security Appliance Command Line Configuration Guide 9-10 OL-12172-03... - Page 145 The number_value is between 0 to 255. To specify the number of seconds between LSA retransmissions for adjacencies belonging to an • OSPF interface, enter the following command: hostname(config-interface)# ospf retransmit-interval seconds Cisco Security Appliance Command Line Configuration Guide 9-11 OL-12172-03...
- Page 146 Number of LSA 5. Checksum Sum 0x 209a3 Number of opaque link LSA 0. Checksum Sum 0x Number of DCbitless LSA 0 Number of indication LSA 0 Number of DoNotAge LSA 0 Flood list length 0 Cisco Security Appliance Command Line Configuration Guide 9-12 OL-12172-03...
-
Page 147: Configuring Ospf Area Parameters
The OSPF implementation of an NSSA is similar to an OSPF stub area. NSSA does not flood type 5 external LSAs from the core into the area, but it can import autonomous system external routes in a limited way within the area. Cisco Security Appliance Command Line Configuration Guide 9-13 OL-12172-03... - Page 148 Type 7 default into the NSSA or the NSSA area boundary router. – Every router within the same area must agree that the area is NSSA; otherwise, the routers will not be able to communicate. Cisco Security Appliance Command Line Configuration Guide 9-14 OL-12172-03...
-
Page 149: Configuring Route Summarization Between Ospf Areas
The following example shows how to configure route summarization. The summary address 10.1.0.0 includes address 10.1.1.0, 10.1.2.0, 10.1.3.0, and so on. Only the address 10.1.0.0 is advertised in an external link-state advertisement: hostname(config)# router ospf 1 Cisco Security Appliance Command Line Configuration Guide 9-15 OL-12172-03... -
Page 150: Defining Static Ospf Neighbors
[always] [metric metric-value ] [metric-type {1 | 2}] [route-map map-name ] The following example shows how to generate a default route: hostname(config)# router ospf 2 hostname(config-router)# default-information originate always Cisco Security Appliance Command Line Configuration Guide 9-16 OL-12172-03... -
Page 151: Configuring Route Calculation Timers
To configure logging for neighbors going up or down, enter the following command: Step 2 hostname(config-router)# log-adj-changes [detail] Logging must be enabled for the the neighbor up/down messages to be sent. Note The following example shows how to log neighbors up/down messages: Cisco Security Appliance Command Line Configuration Guide 9-17 OL-12172-03... -
Page 152: Displaying Ospf Update Packet Pacing
To display OSPF-related interface information, enter the following command: • hostname# show ospf interface [ if_name ] • To display OSPF neighbor information on a per-interface basis, enter the following command: Cisco Security Appliance Command Line Configuration Guide 9-18 OL-12172-03... -
Page 153: Restarting The Ospf Process
By default, the security appliance sends RIP Version 1 updates and accepts RIP Version 1 and Version 2 updates. Cisco Security Appliance Command Line Configuration Guide 9-19 OL-12172-03... - Page 154 Enter the following command to apply the filter. You can specify an interface to apply the filter to only those updates sent by that interface. hostname(config-router): distribute-list acl out [interface if_name ] Cisco Security Appliance Command Line Configuration Guide 9-20 OL-12172-03...
-
Page 155: Redistributing Routes Into The Rip Routing Process
(Optional) To specify the version of RIP advertisements sent from an interface, perform the following Step 1 steps: Enter interface configuration mode for the interface you are configuring by entering the following command: hostname(config)# interface phy_if Cisco Security Appliance Command Line Configuration Guide 9-21 OL-12172-03... -
Page 156: Enabling Rip Authentication
To display the contents of the RIP routing database, enter the following command: • hostname# show rip database To display the RIP commands in the running configuration, enter the following command: • hostname# show running-config router rip Cisco Security Appliance Command Line Configuration Guide 9-22 OL-12172-03... -
Page 157: Configuring Eigrp
• EIGRP Routing Overview EIGRP is an enhanced version of IGRP developed by Cisco. Unlike IGRP and RIP, EIGRP does not send out periodic route updates. EIGRP updates are sent out only when the network topology changes. Neighbor discovery is the process that the security appliance uses to dynamically learn of other routers on directly attached networks. -
Page 158: Enabling And Configuring Eigrp Routing
EIGRP updates. (Optional) To prevent an interface from sending or receiving EIGRP routing message, enter the Step 3 following command: Cisco Security Appliance Command Line Configuration Guide 9-24 OL-12172-03... -
Page 159: Enabling And Configuring Eigrp Stub Routing
To enable and configure and EIGRP stub routing process, perform the following steps: Create the EIGRP routing process and enter router configuration mode for that process by entering the Step 1 following command: hostname(config)# router eigrp as-num Cisco Security Appliance Command Line Configuration Guide 9-25 OL-12172-03... -
Page 160: Enabling Eigrp Authentication
If EIGRP is not enabled or if you enter the wrong number, the security appliance returns the following error message: % Asystem(100) specified does not exist The key argument can contain up to 16 characters. The key-id argument is a number from 0 to 255. Cisco Security Appliance Command Line Configuration Guide 9-26 OL-12172-03... -
Page 161: Defining An Eigrp Neighbor
Choose one of the following options to redistribute the selected route type into the EIGRP routing Step 4 process. To redistribute connected routes into the EIGRP routing process, enter the following command: • hostname(config-router): redistribute connected [metric bandwidth delay reliability loading mtu ] [route-map map_name ] Cisco Security Appliance Command Line Configuration Guide 9-27 OL-12172-03... -
Page 162: Configuring The Eigrp Hello Interval And Hold Time
Disabling Automatic Route Summarization Automatic route summarization is enabled by default. The EIGRP routing process summarizes on network number boundaries. This can cause routing problems if you have non-contiguous networks. Cisco Security Appliance Command Line Configuration Guide 9-28 OL-12172-03... -
Page 163: Configuring Summary Aggregate Addresses
However, with nonbroadcast networks, there may be situations where this behavior is not desired. For these situations, including networks in which you have EIGRP configured, you may want to disable split horizon. Cisco Security Appliance Command Line Configuration Guide 9-29 OL-12172-03... -
Page 164: Changing The Interface Delay Value
Monitoring EIGRP You can use the following commands to monitor the EIGRP routing process. For examples and descriptions of the command output, see the Cisco Security Appliance Command Reference. To display the EIGRP event log, enter the following command: •... -
Page 165: Disabling Neighbor Change And Warning Message Logging
On the ASA 5505 adaptive security appliance, the following route is also shown. It is the internal loopback interface, which is used by the VPN hardware client feature for individual user authentication. C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback Cisco Security Appliance Command Line Configuration Guide 9-31 OL-12172-03... -
Page 166: How The Routing Table Is Populated
Table 9-1 Default Administrative Distance for Supported Routing Protocols Route Source Default Administrative Distance Connected interface Static route EIGRP Summary Route Cisco Security Appliance Command Line Configuration Guide 9-32 OL-12172-03... -
Page 167: Backup Routes
If a default route has not been configured, the packet is discarded. If the destination matches a single entry in the routing table, the packet is forwarded through the • interface associated with that route. Cisco Security Appliance Command Line Configuration Guide 9-33 OL-12172-03... -
Page 168: Dynamic Routing And Failover
Therefore, immediately after a failover occurs, some packets received by the security appliance may be dropped because of a lack of routing information or routed to a default static route while the routing table is repopulated by the configured dynamic routing protocols. Cisco Security Appliance Command Line Configuration Guide 9-34 OL-12172-03... -
Page 169: Configuring Dhcp, Ddns, And Wccp Services
This section describes how to configure DHCP server provided by the security appliance. This section includes the following topics: Enabling the DHCP Server, page 10-2 • • Configuring DHCP Options, page 10-3 Using Cisco IP Phones with a DHCP Server, page 10-4 • Cisco Security Appliance Command Line Configuration Guide 10-1 OL-12172-03... -
Page 170: Enabling The Dhcp Server
To avoid address conflicts, the security appliance sends two ICMP ping packets to an address before assigning that address to a DHCP client. This command specifies the timeout value for those packets. Cisco Security Appliance Command Line Configuration Guide 10-2... -
Page 171: Configuring Dhcp Options
46 ascii hello command and the security appliance accepts the configuration although option 46 is defined in RFC 2132 as expecting a single-digit, hexadecimal value. For more information about the option codes and their associated types and expected values, refer to RFC 2132. Cisco Security Appliance Command Line Configuration Guide 10-3 OL-12172-03... -
Page 172: Using Cisco Ip Phones With A Dhcp Server
Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route. Cisco IP Phones might include both option 150 and 66 in a single request. In this case, the security appliance DHCP server provides values for both options in the response if they are configured on the security appliance. -
Page 173: Configuring Dhcp Relay Services
To set the IP address of a DHCP server on a different interface from the DHCP client, enter the following command: hostname(config)# dhcprelay server ip_address if_name You can use this command up to 4 times to identify up to 4 servers. Cisco Security Appliance Command Line Configuration Guide 10-5 OL-12172-03... -
Page 174: Configuring Dynamic Dns
FQDN to the server using a DHCP option called Client FQDN. The following examples present these common scenarios: • Example 1: Client Updates Both A and PTR RRs for Static IP Addresses, page 10-7 Cisco Security Appliance Command Line Configuration Guide 10-6 OL-12172-03... -
Page 175: Example 1: Client Updates Both A And Ptr Rrs For Static Ip Addresses
To associate the method named ddns-2 with the security appliance interface named Ethernet0, and enable Step 3 DHCP on the interface, enter the following commands: hostname(DDNS-update-method)# interface Ethernet0 hostname(if-config)# ddns update ddns-2 hostname(if-config)# ddns update hostname asa.example.com hostname(if-config)# ip address dhcp Cisco Security Appliance Command Line Configuration Guide 10-7 OL-12172-03... -
Page 176: Client And Updates Both Rrs
Step 1 hostname(config)# interface Ethernet0 hostname(config-if)# dhcp client update dns both hostname(config-if)# ddns update hostname asa Step 2 To configure the DHCP server, enter the following commands: hostname(config-if)# dhcpd update dns Cisco Security Appliance Command Line Configuration Guide 10-8 OL-12172-03... -
Page 177: Example 5: Client Updates A Rr; Server Updates Ptr Rr
WCCP Feature Support, page 10-9 • WCCP Interaction With Other Features, page 10-10 • • Enabling WCCP Redirection, page 10-10 WCCP Feature Support The following WCCPv2 features are supported with the security appliance: Cisco Security Appliance Command Line Configuration Guide 10-9 OL-12172-03... -
Page 178: Wccp Interaction With Other Features
To configure WCCP redirection, perform the following steps: To enable a WCCP service group, enter the following command: Step 1 hostname(config)# wccp {web-cache | service_number } [redirect-list access_list ] [group-list access_list ] [password password ] Cisco Security Appliance Command Line Configuration Guide 10-10 OL-12172-03... - Page 179 For example, to enable the standard web-cache service and redirect HTTP traffic that enters the inside interface to a web cache, enter the following commands: hostname(config)# wccp web-cache hostname(config)# wccp interface inside web-cache redirect in Cisco Security Appliance Command Line Configuration Guide 10-11 OL-12172-03...
- Page 180 Chapter 10 Configuring DHCP, DDNS, and WCCP Services Configuring Web Cache Services Using WCCP Cisco Security Appliance Command Line Configuration Guide 10-12 OL-12172-03...
-
Page 181: Configuring Multicast Routing
The DF election takes place during Rendezvous Point discovery and provides a default route to the Rendezvous Point. If the security appliance is the PIM RP, use the untranslated outside address of the security appliance as Note the RP address. Cisco Security Appliance Command Line Configuration Guide 11-13 OL-12172-03... -
Page 182: Enabling Multicast Routing
Limiting the Number of IGMP States on an Interface, page 11-16 Modifying the Query Interval and Query Timeout, page 11-16 • Changing the Query Response Time, page 11-17 • Changing the IGMP Version, page 11-17 • Cisco Security Appliance Command Line Configuration Guide 11-14 OL-12172-03... -
Page 183: Disabling Igmp On An Interface
Create an access list for the multicast traffic. You can create more than one entry for a single access list. Step 1 You can use extended or standard access lists. To create a standard access list, enter the following command: • Cisco Security Appliance Command Line Configuration Guide 11-15 OL-12172-03... -
Page 184: Limiting The Number Of Igmp States On An Interface
(by default, 255 seconds), then the security appliance becomes the designated router and starts sending the query messages. To change this timeout value, enter the following command: hostname(config-if)# igmp query-timeout seconds Cisco Security Appliance Command Line Configuration Guide 11-16 OL-12172-03... -
Page 185: Changing The Query Response Time
In some cases, such as bypassing a route that does not support multicast routing, you may want unicast packets to take one path and multicast packets to take another. Static multicast routes are not advertised or redistributed. Cisco Security Appliance Command Line Configuration Guide 11-17 OL-12172-03... -
Page 186: Configuring Pim Features
You can disable PIM on specific interfaces. To disable PIM on an interface, enter the following command: hostname(config-if)# no pim To reenable PIM on an interface, enter the following command: hostname(config-if)# pim Only the no pim command appears in the interface configuration. Note Cisco Security Appliance Command Line Configuration Guide 11-18 OL-12172-03... -
Page 187: Configuring A Static Rendezvous Point Address
Filtering PIM Register