Page 1 Cisco Security Appliance Command Line Configuration Guide For the Cisco ASA 5500 Series and Cisco PIX 500 Series Software Version 8.0(1) Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387)
Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.;...
Page 3: Table Of Contents
Sending Traffic to the Content Security and Control Security Services Module Applying QoS Policies Applying Connection Limits and TCP Normalization Enabling Threat Detection Firewall Mode Overview Stateful Inspection Overview VPN Functional Overview Intrusion Prevention Services Functional Overview Security Context Overview Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 4 Management Access to Security Contexts System Administrator Access Context Administrator Access 3-10 Enabling or Disabling Multiple Context Mode 3-10 Backing Up the Single Mode Configuration 3-10 Enabling Multiple Context Mode 3-10 Restoring Single Context Mode 3-11 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 5 Contents Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security C H A P T E R Appliance Interface Overview Understanding ASA 5505 Ports and Interfaces Maximum Active VLAN Interfaces for Your License Default Interface Configuration...
Page 6 Allowing Communication Between Interfaces on the Same Security Level Configuring Basic Settings C H A P T E R Changing the Login Password Changing the Enable Password Setting the Hostname Setting the Domain Name Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 7 9-21 Enabling RIP Authentication 9-22 Monitoring RIP 9-22 Configuring EIGRP 9-23 EIGRP Routing Overview 9-23 Enabling and Configuring EIGRP Routing 9-24 Enabling and Configuring EIGRP Stub Routing 9-25 Enabling EIGRP Authentication 9-26 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 8 Configuring a DHCP Server 10-1 Enabling the DHCP Server 10-2 Configuring DHCP Options 10-3 Using Cisco IP Phones with a DHCP Server 10-4 Configuring DHCP Relay Services 10-5 Configuring Dynamic DNS 10-6 Example 1: Client Updates Both A and PTR RRs for Static IP Addresses 10-7 Example 2: Client Updates Both A and PTR RRs;...
Page 9 Configuring IPv6 Default and Static Routes 12-5 Configuring IPv6 Access Lists 12-6 Configuring IPv6 Neighbor Discovery 12-7 Configuring Neighbor Solicitation Messages 12-7 Configuring Router Advertisement Messages 12-9 Configuring a Static IPv6 Neighbor 12-11 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 10 Using Certificates and User Login Credentials 13-16 Using User Login Credentials 13-16 Using certificates 13-16 Supporting a Zone Labs Integrity Server 13-17 Overview of Integrity Server and Security Appliance Interaction 13-17 Configuring Integrity Server Support 13-18 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 11 14-18 Configuring Failover 14-19 Failover Configuration Limitations 14-19 Configuring Active/Standby Failover 14-19 Prerequisites 14-20 Configuring Cable-Based Active/Standby Failover (PIX 500 Series Security Appliance Only) 14-20 Configuring LAN-Based Active/Standby Failover 14-21 Configuring Optional Active/Standby Failover Settings 14-25 Configuring Active/Active Failover 14-27...
Page 12 Passing Traffic Not Allowed in Routed Mode 15-7 MAC Address vs. Route Lookups 15-8 Using the Transparent Firewall in Your Network 15-9 Transparent Firewall Guidelines 15-9 Unsupported Features in Transparent Mode 15-10 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 13 Adding an ICMP Type Object Group 16-14 Nesting Object Groups 16-15 Using Object Groups with an Access List 16-16 Displaying Object Groups 16-17 Removing Object Groups 16-17 Adding Remarks to Access Lists 16-17 Cisco Security Appliance Command Line Configuration Guide xiii OL-12172-03...
Page 14 Using Static NAT 17-26 Using Static PAT 17-27 Bypassing NAT 17-30 Configuring Identity NAT 17-30 Configuring Static Identity NAT 17-31 Configuring NAT Exemption 17-33 NAT Examples 17-34 Overlapping Networks 17-34 Redirecting Ports 17-36 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 15 Filtering URLs and FTP Requests with an External Server 20-4 URL Filtering Overview 20-4 Identifying the Filtering Server 20-4 Buffering the Content Server Response 20-6 Caching Server Addresses 20-6 Filtering HTTP URLs 20-7 Configuring HTTP Filtering 20-7 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 16 Applying Inspection and QoS Policing to HTTP Traffic 21-19 Applying Inspection to HTTP Traffic Globally 21-20 Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers 21-21 Applying Inspection to HTTP Traffic with NAT 21-22 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 17 Configuring TCP Normalization 23-11 Configuring Connection Limits and Timeouts 23-14 Connection Limit Overview 23-14 TCP Intercept Overview 23-14 Disabling TCP Intercept for Management Packets for WebVPN Compatibility 23-14 Dead Connection Detection Overview 23-15 Cisco Security Appliance Command Line Configuration Guide xvii OL-12172-03...
Page 18 C H A P T E R Inspection Engine Overview 25-2 When to Use Application Protocol Inspection 25-2 Inspection Limitations 25-3 Default Inspection Policy 25-3 Configuring Application Inspection 25-5 CTIQBE Inspection 25-10 CTIQBE Inspection Overview 25-10 Cisco Security Appliance Command Line Configuration Guide xviii OL-12172-03...
Page 19 Configuring H.323 and H.225 Timeout Values 25-42 Verifying and Monitoring H.323 Inspection 25-42 Monitoring H.225 Sessions 25-42 Monitoring H.245 Sessions 25-43 Monitoring H.323 RAS Sessions 25-44 HTTP Inspection 25-44 HTTP Inspection Overview 25-44 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 20 25-72 Restrictions and Limitations 25-72 Verifying and Monitoring SCCP Inspection 25-73 Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control 25-73 SMTP and Extended SMTP Inspection 25-75 SNMP Inspection 25-76 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 21 ISAKMP Overview 27-2 Configuring ISAKMP Policies 27-5 Enabling ISAKMP on the Outside Interface 27-6 Disabling ISAKMP in Aggressive Mode 27-6 Determining an ID Method for ISAKMP Peers 27-6 Enabling IPSec over NAT-T 27-7 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 22 C H A P T E R Configuring VPNs in Single, Routed Mode 29-1 Configuring IPSec to Bypass ACLs 29-1 Permitting Intra-Interface Traffic 29-2 NAT Considerations for Intra-Interface Traffic 29-3 Setting Maximum Active IPSec VPN Sessions 29-3 Cisco Security Appliance Command Line Configuration Guide xxii OL-12172-03...
Page 23 Configuring Connection Profiles for Clientless SSL VPN Sessions 30-19 Specifying a Connection Profile Name and Type for Clientless SSL VPN Sessions 30-19 Configuring General Tunnel-Group Attributes for Clientless SSL VPN Sessions 30-19 Cisco Security Appliance Command Line Configuration Guide xxiii OL-12172-03...
Page 24 Configuring Attributes for Specific Users 30-73 Setting a User Password and Privilege Level 30-74 Configuring User Attributes 30-74 Configuring VPN User Attributes 30-75 Configuring Clientless SSL VPN Access for Specific Users 30-79 Cisco Security Appliance Command Line Configuration Guide xxiv OL-12172-03...
Page 25 Changing Global NAC Framework Settings 33-8 Changing Clientless Authentication Settings 33-8 Enabling and Disabling Clientless Authentication 33-9 Changing the Login Credentials Used for Clientless Authentication 33-9 Changing NAC Framework Session Attributes 33-10 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 26 Contents Configuring Easy VPN Services on the ASA 5505 34-1 C H A P T E R Specifying the Client/Server Role of the Cisco ASA 5505 34-2 Specifying the Primary and Secondary Servers 34-3 Specifying the Mode 34-3 Configuring Automatic Xauth Authentication...
Page 27 Preparing the Security Appliance for a Plug-in 37-25 Providing Access to Plug-ins Redistributed By Cisco 37-25 Providing Access to Plug-ins Not Redistributed By Cisco—Example: Citrix Java Presentation Server Client Plug-in 37-27 Preparing the Citrix MetraFrame Server for Clientless SSL VPN Access...
Page 28 Viewing the Clientless SSL VPN Home Page 37-54 Viewing the Clientless SSL VPN Application Access Panel 37-55 Viewing the Floating Toolbar 37-56 Customizing Clientless SSL VPN Pages 37-56 How Customization Works 37-57 Exporting a Customization Template 37-57 Cisco Security Appliance Command Line Configuration Guide xxviii OL-12172-03...
Page 29 37-64 Customizing Help 37-65 Customizing a Help File Provided By Cisco 37-66 Creating Help Files for Languages Not Provided by Cisco 37-66 Importing a Help File to Flash Memory 37-67 Exporting a Previously Imported Help File from Flash Memory 37-67...
Page 30 The Default Local CA Server 39+\17 Customizing the Local CA Server 39+\19 Certificate Characteristics 39+\20 Defining Storage for Local CA Files 39+\22 Default Flash Memory Data Storage 39+\22 Setting up External Local CA File Storage 39+\23 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 31 Allowing HTTPS Access for ASDM 40-3 Enabling HTTPS Access 40-4 Accessing ASDM from Your PC 40-4 Managing the Security Appliance on a Different Interface from the VPN Tunnel Termination Interface 40-5 Cisco Security Appliance Command Line Configuration Guide xxxi OL-12172-03...
Page 32 41-9 Backing Up Additional Files Using the Export and Import Commands 41-9 Using a Script to Back Up and Restore Files 41-10 Prerequisites 41-10 Running the Script 41-11 Sample Script 41-11 Cisco Security Appliance Command Line Configuration Guide xxxii OL-12172-03...
Page 33 Changing the Severity Level of a System Log Message 42-22 Changing the Amount of Internal Flash Memory Available for Logs 42-23 Understanding System Log Messages 42-24 System Log Message Format 42-24 Severity Levels 42-24 Cisco Security Appliance Command Line Configuration Guide xxxiii OL-12172-03...
Page 34 Reloading the Security Appliance 43-6 Performing Password Recovery 43-6 Recovering Passwords for the ASA 5500 Series Adaptive Security Appliance 43-7 Recovering Passwords for the PIX 500 Series Security Appliance 43-8 Disabling Password Recovery 43-9 Resetting the Password on the SSM Hardware Module 43-10...
Page 35 B-31 Example 12: Primary ctx1 Context Configuration B-32 Example 12: Secondary Unit Configuration B-32 Example 13: Dual ISP Support Using Static Route Tracking B-33 Example 14: ASA 5505 Base License B-34 Cisco Security Appliance Command Line Configuration Guide xxxv OL-12172-03...
Page 36 Subnet Masks Determining the Subnet Mask Determining the Address to Use with the Subnet Mask IPv6 Addresses IPv6 Address Format IPv6 Address Types Unicast Addresses Multicast Address Anycast Address Required Addresses D-10 Cisco Security Appliance Command Line Configuration Guide xxxvi OL-12172-03...
Page 37 Configuring an External RADIUS Server E-33 Reviewing the RADIUS Configuration Procedure E-33 Security Appliance RADIUS Authorization Attributes E-34 Security Appliance TACACS+ Attributes E-40 L O S S A R Y N D E X Cisco Security Appliance Command Line Configuration Guide xxxvii OL-12172-03...
Page 38 Contents Cisco Security Appliance Command Line Configuration Guide xxxviii OL-12172-03...
Page 39: About This Guide
Help for less common scenarios. For more information, see: http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdm/index.htm This guide applies to the Cisco PIX 500 series security appliances (PIX 515E, PIX 525, and PIX 535) and the Cisco ASA 5500 series security appliances (ASA 5505, ASA 5510, ASA 5520, ASA 5540, and ASA 5550).
Page 40: Related Documentation
Cisco Security Appliance Command Reference • Cisco Security Appliance Logging Configuration and System Log Messages • Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0 • Migrating to ASA for VPN 3000 Series Concentrator Administrators •...
Page 41 Part 3: Configuring VPN Chapter 27, “Configuring IPSec Describes how to configure ISAKMP and IPSec tunneling to build and manage VPN and ISAKMP” “tunnels,” or secure connections between remote users and a private corporate network. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 42 Describes how to monitor the security appliance. Security Appliance” Chapter 43, “Troubleshooting Describes how to troubleshoot the security appliance. the Security Appliance” Part 4: Reference Appendix A, “Feature Licenses Describes the feature licenses and specifications. and Specifications” Cisco Security Appliance Command Line Configuration Guide xlii OL-12172-03...
Page 43: Document Conventions
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
Page 44 About This Guide Obtaining Documentation, Obtaining Support, and Security Guidelines Cisco Security Appliance Command Line Configuration Guide xliv OL-12172-03...
Page 45 A R T Getting Started and General Information...
Page 47: Introduction To The Security Appliance
WebVPN support, and many more features. See Appendix A, “Feature Licenses and Specifications,” a list of supported platforms and features. For a list of new features, see the Cisco ASA 5500 Series Release Notes or the Cisco PIX Security Appliance Release Notes.
Page 48: Security Policy Overview
Using AAA for Through Traffic You can require authentication and/or authorization for certain types of traffic, for example, for HTTP. The security appliance also sends accounting information to a RADIUS or TACACS+ server. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 49: Applying Http, Https, Or Ftp Filtering
You can configure scanning threat detection and basic threat detection, and also how to use statistics to analyze threats. Basic threat detection detects activity that might be related to an attack, such as a DoS attack, and automatically sends a system log message. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 50 – Performing route lookups – – Allocating NAT translations (xlates) – Establishing sessions in the “fast path” The session management path and the fast path make up the “accelerated security path.” Note Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 51: Vpn Functional Overview
• Manages data transfer across the tunnel • Manages data transfer inbound and outbound as a tunnel endpoint or router • The security appliance invokes various standard protocols to accomplish these functions. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 52: Intrusion Prevention Services Functional Overview
Intrusion Prevention Services Functional Overview Intrusion Prevention Services Functional Overview The Cisco ASA 5500 series adaptive security appliance supports the AIP SSM, an intrusion prevention services module that monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library. When the system detects unauthorized activity, it can terminate the specific connection, permanently block the attacking host, log the incident, and send an alert to the device manager.
Page 53: Chapter 2 Getting Started
• Getting Started with Your Platform Model This guide applies to multiple security appliance platforms and models: the PIX 500 series security appliances and the ASA 5500 series adaptive security appliances. There are some hardware differences between the PIX and the ASA security appliance. Moreover, the ASA 5505 includes a built-in switch, and requires some special configuration.
Page 54: Restoring The Factory Default Configuration
• All inside IP addresses are translated when accessing the outside using interface PAT. • By default, inside users can access the outside, and outside users are prevented from accessing the inside. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 55: Asa 5510 And Higher Default Configuration
The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives • an address between 192.168.1.2 and 192.168.1.254. The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network. • Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 56: Pix 515/515E Default Configuration
If you want to use ASDM to configure the security appliance instead of the command-line interface, you Note can connect to the default management address of 192.168.1.1 (if your security appliance includes a factory default configuration. See the “Factory Default Configurations” section on page 2-1.). On the Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 57: Setting Transparent Or Routed Firewall Mode
You can set the security appliance to run in routed firewall mode (the default) or transparent firewall mode. For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system execution space. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 58: Working With The Configuration
Creating Text Configuration Files Offline, page 2-9 • Saving Configuration Changes This section describes how to save your configuration, and includes the following topics: Saving Configuration Changes in Single Context Mode, page 2-7 • Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 59: Saving Configuration Changes In Single Context Mode
Sometimes, a context is not saved because of an error. See the following information for errors: For contexts that are not saved because of low memory, the following message appears: • The context 'context a' could not be saved due to Unavailability of resources Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 60: Copying The Startup Configuration To The Running Configuration
Viewing the Configuration The following commands let you view the running and startup configurations. To view the running configuration, enter the following command: • hostname# show running-config Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 61: Clearing And Removing Configuration Settings
Alternatively, you can download a text file to the security appliance internal Flash memory. Chapter 41, “Managing Software, Licenses, and Configurations,” for information on downloading the configuration file to the security appliance. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 62 In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows: context a For additional information about formatting the file, see Appendix C, “Using the Command-Line Interface.” Cisco Security Appliance Command Line Configuration Guide 2-10 OL-12172-03...
Page 63 You are a large enterprise or a college campus and want to keep departments completely separate. • You are an enterprise that wants to provide distinct security policies to different departments. • You have any network that requires more than one security appliance. • Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 64: Security Context Overview
The admin context must reside on Flash memory, and not remotely. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 65: How The Security Appliance Classifies Packets
The classifier relies on the NAT configuration to determine the subnets in each context. The classifier matches the destination IP address to either a static command or Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 66: Invalid Classifier Criteria
Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 67: Classification Examples
MAC 000C.F142.4CDA MAC 000C.F142.4CDB MAC 000C.F142.4CDC Admin Context A Context B Context GE 0/1.1 GE 0/1.2 GE 0/1.3 Inside Admin Inside Customer B Network Customer A Host Host Host 209.165.202.129 209.165.200.225 209.165.201.1 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 68 (the Web, for example), and addresses are not predictable for an outside NAT configuration. If you share an inside interface, we suggest you use unique MAC addresses. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 69 Incoming Traffic from Inside Networks Internet GE 0/0.1 Admin Context A Context B Context Classifier GE 0/1.1 GE 0/1.2 GE 0/1.3 Inside Admin Inside Customer B Network Customer A Host Host Host 10.1.1.13 10.1.1.13 10.1.1.13 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 70: Cascading Security Contexts
Cascading contexts requires that you configure unique MAC addresses for each context interface. Note Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading contexts without unique MAC addresses. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 71: Management Access To Security Contexts
To log in with a username, enter the login command. For example, you log in to the admin context with the Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 72: Context Administrator Access
Your security appliance might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. ASDM does not support changing modes, so you need to change modes using the CLI.
Page 73: Restoring Single Context Mode
To set the mode to single mode, enter the following command in the system execution space: Step 2 hostname(config)# mode single The security appliance reboots. Cisco Security Appliance Command Line Configuration Guide 3-11 OL-12172-03...
Page 74 Chapter 3 Enabling Multiple Context Mode Enabling or Disabling Multiple Context Mode Cisco Security Appliance Command Line Configuration Guide 3-12 OL-12172-03...
Page 75: Appliance
C H A P T E R Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive security appliance.
Page 76: Understanding Asa 5505 Ports And Interfaces
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Overview Understanding ASA 5505 Ports and Interfaces The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure: Physical switch ports—The adaptive security appliance has eight Fast Ethernet switch ports that...
Page 77 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Overview With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN. See Figure 4-1 for an example network where the Home VLAN can communicate with the Internet, but cannot initiate contact with Business.
Page 78: Default Interface Configuration
“Configuring Switch Ports as Access Ports” section on page 4-9 for more information about shutting down a switch port. To view the status of PoE switch ports, including the type of device connected (Cisco or IEEE 802.3af), use the show power inline command. Monitoring Traffic Using SPAN If you want to monitor traffic that enters or exits one or more switch ports, you can enable SPAN, also known as switch port monitoring.
Page 79: Security Level Overview
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring VLAN Interfaces See the switchport monitor command in the Cisco Security Appliance Command Reference for more information. Security Level Overview Each VLAN interface must have a security level in the range 0 to 100 (from lowest to highest). For example, you should assign your most secure network, such as the inside business network, to level 100.
Page 80 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring VLAN Interfaces If you are using failover, do not use this procedure to name interfaces that you are reserving for failover Note communications. See Chapter 14, “Configuring Failover,”...
Page 81 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring VLAN Interfaces Where number is an integer between 0 (lowest) and 100 (highest). Step 5 (Routed mode only) To set the IP address, enter one of the following commands.
Page 82 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring VLAN Interfaces hostname(config-if)# no shutdown hostname(config-if)# interface vlan 200 hostname(config-if)# nameif inside hostname(config-if)# security-level 100 hostname(config-if)# ip address 10.2.1.1 255.255.255.0 hostname(config-if)# no shutdown...
Page 83: Configuring Switch Ports As Access Ports
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring Switch Ports as Access Ports Configuring Switch Ports as Access Ports By default, all switch ports are shut down. To assign a switch port to one VLAN, configure it as an access port.
Page 84 The auto setting is the default. If you set the speed to anything other than auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.
Page 85: Configuring A Switch Port As A Trunk Port
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring a Switch Port as a Trunk Port hostname(config-if)# switchport access vlan 400 hostname(config-if)# no shutdown hostname(config-if)# interface ethernet 0/4 hostname(config-if)# switchport access vlan 500...
Page 86 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring a Switch Port as a Trunk Port You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach.
Page 87: Allowing Communication Between Vlan Interfaces On The Same Security Level
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Allowing Communication Between VLAN Interfaces on the Same Security Level hostname(config-if)# security-level 50 hostname(config-if)# ip address 10.1.2.1 255.255.255.0 hostname(config-if)# no shutdown hostname(config-if)# failover lan faillink vlan500 hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2...
Page 88 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Allowing Communication Between VLAN Interfaces on the Same Security Level Cisco Security Appliance Command Line Configuration Guide 4-14 OL-12172-03...
Page 89: Configuring Ethernet Settings, Redundant Interfaces, And Subinterfaces
To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring Note Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.” This chapter includes the following sections: Configuring and Enabling RJ-45 Interfaces, page 5-1 •...
Page 90: Default State Of Physical Interfaces
The physical interface types include the following: • ethernet gigabitethernet • management (ASA 5500 only) • For the PIX 500 series security appliance, enter the type followed by the port number, for example, ethernet0. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 91: Configuring And Enabling Fiber Interfaces
However, before traffic can pass through the context interface, you must first enable the physical interface in the system configuration according to this procedure. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 92: Configuring The Fiber Interface
This section describes how to configure redundant interfaces, and includes the following topics: Redundant Interface Overview, page 5-5 • Adding a Redundant Interface, page 5-6 • Changing the Active Interface, page 5-7 • Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 93: Redundant Interface Overview
Both member interfaces must be of the same physical type. For example, both must be Ethernet. • You cannot add a physical interface to the redundant interface if you configured a name for it. You • must first remove the name using the no nameif command. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 94: Adding A Redundant Interface
The following example creates two redundant interfaces: hostname(config)# interface redundant 1 hostname(config-if)# member-interface gigabitethernet 0/0 hostname(config-if)# member-interface gigabitethernet 0/1 hostname(config-if)# interface redundant 2 hostname(config-if)# member-interface gigabitethernet 0/2 hostname(config-if)# member-interface gigabitethernet 0/3 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 95: Changing The Active Interface
(see the “Configuring and Enabling RJ-45 Interfaces” section on page 5-1, “Configuring and Enabling Fiber Interfaces” section on page 5-3, or the “Configuring a Redundant Interface” section on page 5-4). Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 96: Maximum Subinterfaces
VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the security appliance changes the old ID. To enable the subinterface (if you previously disabled it), enter the following command: Step 3 hostname(config-subif)# no shutdown Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 97 By default, the subinterface is enabled. To disable the interface, enter the shutdown command. If you shut down an interface in the system execution space, then that interface is shut down in all contexts that share it. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 98 Chapter 5 Configuring Ethernet Settings, Redundant Interfaces, and Subinterfaces Configuring VLAN Subinterfaces and 802.1Q Trunking Cisco Security Appliance Command Line Configuration Guide 5-10 OL-12172-03...
Page 99 The security appliance manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class. This section includes the following topics: Resource Limits, page 6-2 • Default Class, page 6-3 • Class Members, page 6-4 • Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 100: Configuring Resource Management
Context A, B, and C are unable to reach their 3 percent combined limit. (See Figure 6-2.) Setting unlimited access is similar to oversubscribing the security appliance, except that you have less control over how much you oversubscribe the system. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 101: Default Class
By default, the default class provides unlimited access to resources for all contexts, except for the following limits, which are by default set to the maximum allowed per context: Telnet sessions—5 sessions. • SSH sessions—5 sessions. • IPSec sessions—5 sessions. • • MAC addresses—65,535 entries. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 102: Class Members
To set the resource limits, see the following options: Step 2 To set all resource limits (shown in Table 6-1) to be unlimited, enter the following command: • hostname(config-resmgmt)# limit-resource all 0 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 103 Table 6-1 lists the resource types and the limits. See also the show resource types command. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 104 For example, to set the default class limit for conns to 10 percent instead of unlimited, enter the following commands: hostname(config)# class default hostname(config-class)# limit-resource conns 10% All other resources remain at unlimited. To add a class called gold, enter the following commands: hostname(config)# class gold Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 105: Configuring A Security Context
[visible | invisible] • To allocate one or more subinterfaces, enter the following command: hostname(config-ctx)# allocate-interface physical_interface . subinterface [- physical_interface . subinterface ] [ mapped_name [- mapped_name ]] [visible | invisible] Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 106 The following example shows gigabitethernet0/1.100, gigabitethernet0/1.200, and gigabitethernet0/2.300 through gigabitethernet0/1.305 assigned to the context. The mapped names are int1 through int8. hostname(config-ctx)# allocate-interface gigabitethernet0/1.100 int1 hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int2 hostname(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305 int3-int8 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 107 “.cfg”. If the configuration file is not available, you see the following message: WARNING: Could not fetch the URL http:// url INFO: Creating context with default config Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 108 Cisco Security Appliance Command Line Configuration Guide 6-10 OL-12172-03...
Page 109: Automatically Assigning Mac Addresses To Context Interfaces
In the rare circumstance that the generated MAC address conflicts with another private MAC address in your network, you can manually set the MAC address for the interface within the context. See the “Configuring Interface Parameters” section on page 7-2 to manually set the MAC address. Cisco Security Appliance Command Line Configuration Guide 6-11 OL-12172-03...
Page 110: Changing Between Contexts And The System Execution Space
You might see an error message indicating that the number of interfaces on the active and standby units are not consistent; this error is temporary and can be ignored. Cisco Security Appliance Command Line Configuration Guide 6-12 OL-12172-03...
Page 111: Changing The Admin Context
If you do not want to merge the configurations, you can clear the running configuration, which disrupts any communications through the context, and then reload the configuration from the new URL. Cisco Security Appliance Command Line Configuration Guide 6-13 OL-12172-03...
Page 112: Reloading A Security Context
To change to the context that you want to reload, enter the following command: hostname# changeto context name To access configuration mode, enter the following command: Step 2 hostname/ name # configure terminal To clear the running configuration, enter the following command: Step 3 Cisco Security Appliance Command Line Configuration Guide 6-14 OL-12172-03...
Page 113: Monitoring Security Contexts
The following is sample output from the show context command. The following sample display shows three contexts: hostname# show context Context Name Interfaces *admin GigabitEthernet0/1.100 disk0:/admin.cfg GigabitEthernet0/1.101 contexta GigabitEthernet0/1.200 disk0:/contexta.cfg GigabitEthernet0/1.201 contextb GigabitEthernet0/1.300 disk0:/contextb.cfg GigabitEthernet0/1.301 Cisco Security Appliance Command Line Configuration Guide 6-15 OL-12172-03...
Page 114: Viewing Resource Allocation
Real Interfaces: Mapped Interfaces: Flags: 0x00000009, ID: 258 See the Cisco Security Appliance Command Reference for more information about the detail output. The following is sample output from the show context count command: hostname# show context count Total active contexts: 2...
Page 115 All Contexts: 51000 Inspects [rate] default unlimited gold unlimited silver 10000 10000 bronze 5000 All Contexts: 10000 Syslogs [rate] default unlimited gold 6000 6000 silver 3000 3000 bronze 1500 All Contexts: 9000 Cisco Security Appliance Command Line Configuration Guide 6-17 OL-12172-03...
Page 116 D—This limit was not defined in the member class, but was derived from the • default class. For a context assigned to the default class, the value will be “C” instead of “D.” The security appliance can combine “A” with “C” or “D.” Cisco Security Appliance Command Line Configuration Guide 6-18 OL-12172-03...
Page 117: Viewing Resource Usage
If you specify all for the counter name, then the count_threshold applies to the current usage. To show all resources, set the count_threshold to 0. Note Cisco Security Appliance Command Line Configuration Guide 6-19 OL-12172-03...
Page 118: Monitoring Syn Attacks In Contexts
The security appliance prevents SYN attacks using TCP Intercept. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the Cisco Security Appliance Command Line Configuration Guide 6-20 OL-12172-03...
Page 119 0 c1 chunk:fixup unlimited 0 c1 chunk:global unlimited 0 c1 chunk:hole unlimited 0 c1 chunk:ip-users unlimited 0 c1 chunk:udp-ctrl-blk unlimited 0 c1 chunk:list-elem unlimited 0 c1 chunk:list-hdr unlimited 0 c1 Cisco Security Appliance Command Line Configuration Guide 6-21 OL-12172-03...
Page 120 0 Summary tcp-intercept-rate 341306 811579 unlimited 0 Summary globals unlimited 0 Summary np-statics unlimited 0 Summary statics 0 Summary nats 0 Summary ace-rules 0 Summary console-access-rul 0 Summary fixup-rules 0 Summary Cisco Security Appliance Command Line Configuration Guide 6-22 OL-12172-03...
Page 121: Chapter 7 Configuring Interface Parameters
To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring Note Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.” This chapter includes the following sections: Security Level Overview, page 7-1 •...
Page 122: Configuring Interface Parameters
Interface Parameters Overview This section describes interface parameters and includes the following topics: Default State of Interfaces, page 7-3 • Default Security Level, page 7-3 • Multiple Context Mode Guidelines, page 7-3 • Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 123: Default State Of Interfaces
} hostname(config-if)# The redundant number argument is the redundant interface ID, such as redundant 1. Append the subinterface ID to the physical or redundant interface ID separated by a period (.). Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 124 (ASA 5500 only) • For the PIX 500 series security appliance, enter the type followed by the port number, for example, ethernet 0. For the ASA 5500 series adaptive security appliance, enter the type followed by slot/port, for example, gigabitethernet 0/1.
Page 125 Using a shared interface without unique MAC addresses is possible, but has some limitations. See the “How the Security Appliance Classifies Packets” section on page 3-3 for more Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 126 0/1.1 The following example configures parameters in multiple context mode for the context configuration: hostname/contextA(config)# interface gigabitethernet 0/1.1 hostname/contextA(config-if)# nameif inside hostname/contextA(config-if)# security-level 100 hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 127: Allowing Communication Between Interfaces On The Same Security Level
To enable interfaces on the same security level so that they can communicate with each other, enter the following command: hostname(config)# same-security-traffic permit inter-interface To disable this setting, use the no form of this command. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 128 Chapter 7 Configuring Interface Parameters Allowing Communication Between Interfaces on the Same Security Level Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 129: Chapter 8 Configuring Basic Settings
Setting the Management IP Address for a Transparent Firewall, page 8-5 Changing the Login Password The login password is used for Telnet and SSH connections. By default, the login password is “cisco.” To change the password, enter the following command: hostname(config)# {passwd | password} password You can enter passwd or password.
Page 130: Setting The Hostname
Time derived from an NTP server overrides any time set manually. This section also describes how to set the time zone and daylight saving time date range. Note In multiple context mode, set the time in the system configuration only. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 131: Setting The Time Zone And Daylight Saving Time Date Range
The week value specifies the week of the month as an integer between 1 and 4 or as the words first or last. For example, if the day might fall in the partial fifth week, then specify last. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 132: Setting The Date And Time Using An Ntp Server
3 that is preferred. You can identify multiple servers; the security appliance uses the most accurate server. Setting the Date and Time Manually To set the date time manually, enter the following command: Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 133: Setting The Management Ip Address For A Transparent Firewall
(255.255.255.255). This address must be IPv4; the transparent firewall does not support IPv6. The standby keyword and address is used for failover. See Chapter 14, “Configuring Failover,” for more information. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 134 Chapter 8 Configuring Basic Settings Setting the Management IP Address for a Transparent Firewall Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 135: Configuring Ip Routing
Websense or N2H2 server, or AAA server. If you have servers that cannot all be reached through a single default route, then you must configure static routes. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 136: Configuring A Static Route
The security appliance distributes the traffic among the specified gateways. hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1 hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.2 hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.3 Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 137: Configuring A Default Static Route
IP address 192.168.2.4. hostname(config)# route outside 0 0 192.168.2.1 hostname(config)# route outside 0 0 192.168.2.2 hostname(config)# route outside 0 0 192.168.2.3 hostname(config)# route outside 0 0 192.168.2.4 tunneled Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 138: Configuring Static Route Tracking
[life {forever | seconds }] [start-time { hh : mm [: ss ] [ month day | day month ] | pending | now | after hh : mm : ss }] [ageout seconds ] [recurring] Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 139 To use a default route obtained through DHCP, enter the following commands: • hostname(config)# interface phy_if hostname(config-if)# dhcp client route track track_id hostname(config-if)# dhcp client route distance admin_distance hostname(config-if)# ip addresss dhcp setroute Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 140: Defining Route Maps
If you specify more than one ACL, then the route can match any of the ACLs. To match any routes with the specified next hop interface, enter the following command: • hostname(config-route-map)# match interface if_name Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 141: Configuring Ospf
Configuring Route Summarization Between OSPF Areas, page 9-15 • Configuring Route Summarization When Redistributing Routes into OSPF, page 9-15 Generating a Default Route, page 9-16 • Configuring Route Calculation Timers, page 9-17 • Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 142: Ospf Overview
To enable OSPF, you need to create an OSPF routing process, specify the range of IP addresses associated with the routing process, then assign area IDs associated with that range of IP addresses. Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 143: Redistributing Routes Into Ospf
[match {internal | external [1 | 2] | nssa-external [1 | 2]}] [metric metric-value ] [metric-type {type-1 | type-2}] [tag tag_value ] [subnets] [route-map map_name ] Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
Page 144: Configuring Ospf Interface Parameters
To enter the interface configuration mode, enter the following command: Step 1 hostname(config)# interface interface_name Enter any of the following commands: Step 2 • To specify the authentication type for an interface, enter the following command: Cisco Security Appliance Command Line Configuration Guide 9-10 OL-12172-03...
Page 145 The number_value is between 0 to 255. To specify the number of seconds between LSA retransmissions for adjacencies belonging to an • OSPF interface, enter the following command: hostname(config-interface)# ospf retransmit-interval seconds Cisco Security Appliance Command Line Configuration Guide 9-11 OL-12172-03...
Page 146 Number of LSA 5. Checksum Sum 0x 209a3 Number of opaque link LSA 0. Checksum Sum 0x Number of DCbitless LSA 0 Number of indication LSA 0 Number of DoNotAge LSA 0 Flood list length 0 Cisco Security Appliance Command Line Configuration Guide 9-12 OL-12172-03...
Page 147: Configuring Ospf Area Parameters
The OSPF implementation of an NSSA is similar to an OSPF stub area. NSSA does not flood type 5 external LSAs from the core into the area, but it can import autonomous system external routes in a limited way within the area. Cisco Security Appliance Command Line Configuration Guide 9-13 OL-12172-03...
Page 148 Type 7 default into the NSSA or the NSSA area boundary router. – Every router within the same area must agree that the area is NSSA; otherwise, the routers will not be able to communicate. Cisco Security Appliance Command Line Configuration Guide 9-14 OL-12172-03...
Page 149: Configuring Route Summarization Between Ospf Areas
The following example shows how to configure route summarization. The summary address 10.1.0.0 includes address 10.1.1.0, 10.1.2.0, 10.1.3.0, and so on. Only the address 10.1.0.0 is advertised in an external link-state advertisement: hostname(config)# router ospf 1 Cisco Security Appliance Command Line Configuration Guide 9-15 OL-12172-03...
Page 150: Defining Static Ospf Neighbors
[always] [metric metric-value ] [metric-type {1 | 2}] [route-map map-name ] The following example shows how to generate a default route: hostname(config)# router ospf 2 hostname(config-router)# default-information originate always Cisco Security Appliance Command Line Configuration Guide 9-16 OL-12172-03...
Page 151: Configuring Route Calculation Timers
To configure logging for neighbors going up or down, enter the following command: Step 2 hostname(config-router)# log-adj-changes [detail] Logging must be enabled for the the neighbor up/down messages to be sent. Note The following example shows how to log neighbors up/down messages: Cisco Security Appliance Command Line Configuration Guide 9-17 OL-12172-03...
Page 152: Displaying Ospf Update Packet Pacing
To display OSPF-related interface information, enter the following command: • hostname# show ospf interface [ if_name ] • To display OSPF neighbor information on a per-interface basis, enter the following command: Cisco Security Appliance Command Line Configuration Guide 9-18 OL-12172-03...
Page 153: Restarting The Ospf Process
By default, the security appliance sends RIP Version 1 updates and accepts RIP Version 1 and Version 2 updates. Cisco Security Appliance Command Line Configuration Guide 9-19 OL-12172-03...
Page 154 Enter the following command to apply the filter. You can specify an interface to apply the filter to only those updates sent by that interface. hostname(config-router): distribute-list acl out [interface if_name ] Cisco Security Appliance Command Line Configuration Guide 9-20 OL-12172-03...
Page 155: Redistributing Routes Into The Rip Routing Process
(Optional) To specify the version of RIP advertisements sent from an interface, perform the following Step 1 steps: Enter interface configuration mode for the interface you are configuring by entering the following command: hostname(config)# interface phy_if Cisco Security Appliance Command Line Configuration Guide 9-21 OL-12172-03...
Page 156: Enabling Rip Authentication
To display the contents of the RIP routing database, enter the following command: • hostname# show rip database To display the RIP commands in the running configuration, enter the following command: • hostname# show running-config router rip Cisco Security Appliance Command Line Configuration Guide 9-22 OL-12172-03...
Page 157: Configuring Eigrp
• EIGRP Routing Overview EIGRP is an enhanced version of IGRP developed by Cisco. Unlike IGRP and RIP, EIGRP does not send out periodic route updates. EIGRP updates are sent out only when the network topology changes. Neighbor discovery is the process that the security appliance uses to dynamically learn of other routers on directly attached networks.
Page 158: Enabling And Configuring Eigrp Routing
EIGRP updates. (Optional) To prevent an interface from sending or receiving EIGRP routing message, enter the Step 3 following command: Cisco Security Appliance Command Line Configuration Guide 9-24 OL-12172-03...
Page 159: Enabling And Configuring Eigrp Stub Routing
To enable and configure and EIGRP stub routing process, perform the following steps: Create the EIGRP routing process and enter router configuration mode for that process by entering the Step 1 following command: hostname(config)# router eigrp as-num Cisco Security Appliance Command Line Configuration Guide 9-25 OL-12172-03...
Page 160: Enabling Eigrp Authentication
If EIGRP is not enabled or if you enter the wrong number, the security appliance returns the following error message: % Asystem(100) specified does not exist The key argument can contain up to 16 characters. The key-id argument is a number from 0 to 255. Cisco Security Appliance Command Line Configuration Guide 9-26 OL-12172-03...
Page 161: Defining An Eigrp Neighbor
Choose one of the following options to redistribute the selected route type into the EIGRP routing Step 4 process. To redistribute connected routes into the EIGRP routing process, enter the following command: • hostname(config-router): redistribute connected [metric bandwidth delay reliability loading mtu ] [route-map map_name ] Cisco Security Appliance Command Line Configuration Guide 9-27 OL-12172-03...
Page 162: Configuring The Eigrp Hello Interval And Hold Time
Disabling Automatic Route Summarization Automatic route summarization is enabled by default. The EIGRP routing process summarizes on network number boundaries. This can cause routing problems if you have non-contiguous networks. Cisco Security Appliance Command Line Configuration Guide 9-28 OL-12172-03...
Page 163: Configuring Summary Aggregate Addresses
However, with nonbroadcast networks, there may be situations where this behavior is not desired. For these situations, including networks in which you have EIGRP configured, you may want to disable split horizon. Cisco Security Appliance Command Line Configuration Guide 9-29 OL-12172-03...
Page 164: Changing The Interface Delay Value
Monitoring EIGRP You can use the following commands to monitor the EIGRP routing process. For examples and descriptions of the command output, see the Cisco Security Appliance Command Reference. To display the EIGRP event log, enter the following command: •...
Page 165: Disabling Neighbor Change And Warning Message Logging
On the ASA 5505 adaptive security appliance, the following route is also shown. It is the internal loopback interface, which is used by the VPN hardware client feature for individual user authentication. C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback Cisco Security Appliance Command Line Configuration Guide 9-31 OL-12172-03...
Page 166: How The Routing Table Is Populated
Table 9-1 Default Administrative Distance for Supported Routing Protocols Route Source Default Administrative Distance Connected interface Static route EIGRP Summary Route Cisco Security Appliance Command Line Configuration Guide 9-32 OL-12172-03...
Page 167: Backup Routes
If a default route has not been configured, the packet is discarded. If the destination matches a single entry in the routing table, the packet is forwarded through the • interface associated with that route. Cisco Security Appliance Command Line Configuration Guide 9-33 OL-12172-03...
Page 168: Dynamic Routing And Failover
Therefore, immediately after a failover occurs, some packets received by the security appliance may be dropped because of a lack of routing information or routed to a default static route while the routing table is repopulated by the configured dynamic routing protocols. Cisco Security Appliance Command Line Configuration Guide 9-34 OL-12172-03...
Page 169: Configuring Dhcp, Ddns, And Wccp Services
This section describes how to configure DHCP server provided by the security appliance. This section includes the following topics: Enabling the DHCP Server, page 10-2 • • Configuring DHCP Options, page 10-3 Using Cisco IP Phones with a DHCP Server, page 10-4 • Cisco Security Appliance Command Line Configuration Guide 10-1 OL-12172-03...
Page 170: Enabling The Dhcp Server
To avoid address conflicts, the security appliance sends two ICMP ping packets to an address before assigning that address to a DHCP client. This command specifies the timeout value for those packets. Cisco Security Appliance Command Line Configuration Guide 10-2...
Page 171: Configuring Dhcp Options
46 ascii hello command and the security appliance accepts the configuration although option 46 is defined in RFC 2132 as expecting a single-digit, hexadecimal value. For more information about the option codes and their associated types and expected values, refer to RFC 2132. Cisco Security Appliance Command Line Configuration Guide 10-3 OL-12172-03...
Page 172: Using Cisco Ip Phones With A Dhcp Server
Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route. Cisco IP Phones might include both option 150 and 66 in a single request. In this case, the security appliance DHCP server provides values for both options in the response if they are configured on the security appliance.
Page 173: Configuring Dhcp Relay Services
To set the IP address of a DHCP server on a different interface from the DHCP client, enter the following command: hostname(config)# dhcprelay server ip_address if_name You can use this command up to 4 times to identify up to 4 servers. Cisco Security Appliance Command Line Configuration Guide 10-5 OL-12172-03...
Page 174: Configuring Dynamic Dns
FQDN to the server using a DHCP option called Client FQDN. The following examples present these common scenarios: • Example 1: Client Updates Both A and PTR RRs for Static IP Addresses, page 10-7 Cisco Security Appliance Command Line Configuration Guide 10-6 OL-12172-03...
Page 175: Example 1: Client Updates Both A And Ptr Rrs For Static Ip Addresses
To associate the method named ddns-2 with the security appliance interface named Ethernet0, and enable Step 3 DHCP on the interface, enter the following commands: hostname(DDNS-update-method)# interface Ethernet0 hostname(if-config)# ddns update ddns-2 hostname(if-config)# ddns update hostname asa.example.com hostname(if-config)# ip address dhcp Cisco Security Appliance Command Line Configuration Guide 10-7 OL-12172-03...
Page 176: Client And Updates Both Rrs
Step 1 hostname(config)# interface Ethernet0 hostname(config-if)# dhcp client update dns both hostname(config-if)# ddns update hostname asa Step 2 To configure the DHCP server, enter the following commands: hostname(config-if)# dhcpd update dns Cisco Security Appliance Command Line Configuration Guide 10-8 OL-12172-03...
Page 177: Example 5: Client Updates A Rr; Server Updates Ptr Rr
WCCP Feature Support, page 10-9 • WCCP Interaction With Other Features, page 10-10 • • Enabling WCCP Redirection, page 10-10 WCCP Feature Support The following WCCPv2 features are supported with the security appliance: Cisco Security Appliance Command Line Configuration Guide 10-9 OL-12172-03...
Page 178: Wccp Interaction With Other Features
To configure WCCP redirection, perform the following steps: To enable a WCCP service group, enter the following command: Step 1 hostname(config)# wccp {web-cache | service_number } [redirect-list access_list ] [group-list access_list ] [password password ] Cisco Security Appliance Command Line Configuration Guide 10-10 OL-12172-03...
Page 179 For example, to enable the standard web-cache service and redirect HTTP traffic that enters the inside interface to a web cache, enter the following commands: hostname(config)# wccp web-cache hostname(config)# wccp interface inside web-cache redirect in Cisco Security Appliance Command Line Configuration Guide 10-11 OL-12172-03...
Page 180 Chapter 10 Configuring DHCP, DDNS, and WCCP Services Configuring Web Cache Services Using WCCP Cisco Security Appliance Command Line Configuration Guide 10-12 OL-12172-03...
Page 181: Configuring Multicast Routing
The DF election takes place during Rendezvous Point discovery and provides a default route to the Rendezvous Point. If the security appliance is the PIM RP, use the untranslated outside address of the security appliance as Note the RP address. Cisco Security Appliance Command Line Configuration Guide 11-13 OL-12172-03...
Page 182: Enabling Multicast Routing
Limiting the Number of IGMP States on an Interface, page 11-16 Modifying the Query Interval and Query Timeout, page 11-16 • Changing the Query Response Time, page 11-17 • Changing the IGMP Version, page 11-17 • Cisco Security Appliance Command Line Configuration Guide 11-14 OL-12172-03...
Page 183: Disabling Igmp On An Interface
Create an access list for the multicast traffic. You can create more than one entry for a single access list. Step 1 You can use extended or standard access lists. To create a standard access list, enter the following command: • Cisco Security Appliance Command Line Configuration Guide 11-15 OL-12172-03...
Page 184: Limiting The Number Of Igmp States On An Interface
(by default, 255 seconds), then the security appliance becomes the designated router and starts sending the query messages. To change this timeout value, enter the following command: hostname(config-if)# igmp query-timeout seconds Cisco Security Appliance Command Line Configuration Guide 11-16 OL-12172-03...
Page 185: Changing The Query Response Time
In some cases, such as bypassing a route that does not support multicast routing, you may want unicast packets to take one path and multicast packets to take another. Static multicast routes are not advertised or redistributed. Cisco Security Appliance Command Line Configuration Guide 11-17 OL-12172-03...
Page 186: Configuring Pim Features
You can disable PIM on specific interfaces. To disable PIM on an interface, enter the following command: hostname(config-if)# no pim To reenable PIM on an interface, enter the following command: hostname(config-if)# pim Only the no pim command appears in the interface configuration. Note Cisco Security Appliance Command Line Configuration Guide 11-18 OL-12172-03...
Page 187: Configuring A Static Rendezvous Point Address
Filtering PIM Register Messages You can configure the security appliance to filter PIM register messages. To filter PIM register messages, enter the following command: hostname(config)# pim accept-register {list acl | route-map map-name } Cisco Security Appliance Command Line Configuration Guide 11-19 OL-12172-03...
Page 188: Configuring Pim Message Intervals
Prevent unauthorized routers from becoming PIM neighbors. • Prevent attached stub routers from participating in PIM. • To define the neighbors that can become a PIM neighbor, perform the following steps: Cisco Security Appliance Command Line Configuration Guide 11-20 OL-12172-03...
Page 189: Supporting Mixed Bidirctional/Sparse-Mode Pim Networks
Enable the pim bidir-neighbor-filter command on an interface. Step 2 The following example applies the access list created previous step to the interface GigabitEthernet0/3. hostname(config)# interface GigabitEthernet0/3 hostname(config-if)# pim bidir-neighbor-filter pim_bidir Cisco Security Appliance Command Line Configuration Guide 11-21 OL-12172-03...
Page 190: For More Information About Multicast Routing
SMR feature: RFC 2236 IGMPv2 • RFC 2362 PIM-SM • RFC 2588 IP Multicast and Firewalls • • RFC 2113 IP Router Alert Option • IETF draft-ietf-idmr-igmp-proxy-01.txt Cisco Security Appliance Command Line Configuration Guide 11-22 OL-12172-03...
Page 191: Chapter 12 Configuring Ipv6
• configure • copy • http • name • • object-group • ping show conn • show local-host • show tcpstat • • telnet • tftp-server • • • write Cisco Security Appliance Command Line Configuration Guide 12-1 OL-12172-03...
Page 192 Configuring IPv6 Default and Static Routes, page 12-5 • Configuring IPv6 Access Lists, page 12-6 • Configuring IPv6 Neighbor Discovery, page 12-7 • Configuring a Static IPv6 Neighbor, page 12-11 • Cisco Security Appliance Command Line Configuration Guide 12-2 OL-12172-03...
Page 193: Configuring Ipv6 On An Interface
Enter the following command to add a global to the interface. Use the optional eui-64 keyword to use the Modified EUI-64 interface ID in the low order 64 bits of the address. hostname(config-if)# ipv6 address ipv6-prefix/prefix-length [eui-64] Cisco Security Appliance Command Line Configuration Guide 12-3 OL-12172-03...
Page 194: Configuring A Dual Ip Stack On An Interface
When the link local address is verified as unique, then duplicate address detection is performed all the other IPv6 unicast addresses on the interface. Cisco Security Appliance Command Line Configuration Guide 12-4 OL-12172-03...
Page 195: Configuring Ipv6 Default And Static Routes
%PIX|ASA-6-110001: No route to dest_address from source_address You can add a default route and static routes using the ipv6 route command. To configure an IPv6 default route and static routes, perform the following steps: Cisco Security Appliance Command Line Configuration Guide 12-5 OL-12172-03...
Page 196: Configuring Ipv6 Access Lists
• can be an IPv6 prefix, in the format prefix/length, to indicate a range of addresses, the keyword any, to specify any address, or a specific host designated by host host_ipv6_addr. Cisco Security Appliance Command Line Configuration Guide 12-6 OL-12172-03...
Page 197: Configuring Ipv6 Neighbor Discovery
After the source node receives the neighbor advertisement, the source node and destination node can communicate. Figure 12-1 shows the neighbor solicitation and response process. Cisco Security Appliance Command Line Configuration Guide 12-7 OL-12172-03...
Page 198 IPv6 operation. To configure the amount of time that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred, enter the following command: hostname(config-if)# ipv6 nd reachable-time value Cisco Security Appliance Command Line Configuration Guide 12-8 OL-12172-03...
Page 199: Configuring Router Advertisement Messages
When a router advertisement is sent in response to a router solicitation, the destination address in the router advertisement message is the unicast address of the source of the router solicitation message. Cisco Security Appliance Command Line Configuration Guide 12-9...
Page 200 To configure which IPv6 prefixes are included in IPv6 router advertisements, enter the following command: hostname(config-if)# ipv6 nd prefix ipv6-prefix / prefix-length Note For stateless autoconfiguration to work properly, the advertised prefix length in router advertisement messages must always be 64 bits. Cisco Security Appliance Command Line Configuration Guide 12-10 OL-12172-03...
Page 201: Configuring A Static Ipv6 Neighbor
Excluding the name from the command displays the setting for all interfaces that have IPv6 enabled on them. The output for the command shows the following: The name and status of the interface. • The link-local and global unicast addresses. • Cisco Security Appliance Command Line Configuration Guide 12-11 OL-12172-03...
Page 202: The Show Ipv6 Route Command
IPv6 Routing Table - 7 entries Codes: C - Connected, L - Local, S - Static fe80::/10 [0/0] via ::, inside fec0::a:0:0:a0a:a70/128 [0/0] via ::, inside fec0:0:0:a::/64 [0/0] via ::, inside ff00::/8 [0/0] via ::, inside Cisco Security Appliance Command Line Configuration Guide 12-12 OL-12172-03...
Page 203: Configuring Aaa Servers And The Local Database
You can use accounting alone, or with authentication and authorization. This section includes the following topics: • About Authentication, page 13-2 About Authorization, page 13-2 • About Accounting, page 13-2 • Cisco Security Appliance Command Line Configuration Guide 13-1 OL-12172-03...
Page 204: About Authentication
IP address. Accounting information includes when sessions start and stop, username, the number of bytes that pass through the security appliance for the session, the service used, and the duration of each session. Cisco Security Appliance Command Line Configuration Guide 13-2 OL-12172-03...
Page 205: Aaa Server And Local Database Support
2. SDI is not supported for HTTP administrative access. 3. For firewall sessions, RADIUS authorization is supported with user-specific access lists only, which are received or specified in a RADIUS authentication response. Cisco Security Appliance Command Line Configuration Guide 13-3 OL-12172-03...
Page 206: Radius Server Support
Accounting attributes defined in RFC 2139. • • RADIUS attributes for tunneled protocol support, defined in RFC 2868. • Cisco IOS VSAs, identified by RADIUS vendor ID 9. Cisco VPN-related VSAs, identified by RADIUS vendor ID 3076. • Microsoft VSAs, defined in RFC 2548. •...
Page 207: Sdi Server Support
NT servers have a maximum length of 14 characters for user passwords. Longer passwords are truncated. This is a limitation of NTLM version 1. Kerberos Server Support The security appliance supports 3DES, DES, and RC4 encryption types. Cisco Security Appliance Command Line Configuration Guide 13-5 OL-12172-03...
Page 208: Ldap Server Support
The username attributes command lets you enter the username mode. In this mode, you can add other information to a specific user profile. The information you can add includes VPN-related attributes, such as a VPN session timeout value. Cisco Security Appliance Command Line Configuration Guide 13-6 OL-12172-03...
Page 209: Fallback Support
To define a user account in the local database, perform the following steps: To create the user account, enter the following command: Step 1 hostname(config)# username name {nopassword | password password [mschap]} [privilege priv_level ] Cisco Security Appliance Command Line Configuration Guide 13-7 OL-12172-03...
Page 210 {admin | nas-prompt | remote-access} where the admin keyword allows full access to any services specified by the aaa authentication console LOCAL commands. admin is the default. Cisco Security Appliance Command Line Configuration Guide 13-8 OL-12172-03...
Page 211: Identifying Aaa Server Groups And Servers
For example, to use RADIUS to authenticate network access and TACACS+ to authenticate CLI access, you need to create at least two server groups, one for RADIUS servers and one for TACACS+ servers. Cisco Security Appliance Command Line Configuration Guide 13-9 OL-12172-03...
Page 212 Where a command is applicable to the server type you specified and no default value is provided (indicated by “—”), use the command to specify the value. For more information about these commands, see the Cisco Security Appliance Command Reference. Cisco Security Appliance Command Line Configuration Guide...
Page 213 Example 13-1 Multiple AAA Server Groups and Servers hostname(config)# aaa-server AuthInbound protocol tacacs+ hostname(config-aaa-server-group)# max-failed-attempts 2 hostname(config-aaa-server-group)# reactivation-mode depletion deadtime 20 hostname(config-aaa-server-group)# exit hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1 hostname(config-aaa-server-host)# key TACPlusUauthKey Cisco Security Appliance Command Line Configuration Guide 13-11 OL-12172-03...
Page 214: Configuring An Ldap Server
LDAP server in plain text. Whether using SASL or plain text, you can secure the communications between the security appliance and the LDAP server with SSL using the ldap-over-ssl command. Cisco Security Appliance Command Line Configuration Guide 13-12 OL-12172-03...
Page 215 If you do not configure SASL, we strongly recommend that you secure LDAP communications with Note SSL. See the ldap-over-ssl command in the Cisco Security Appliance Command Reference. When user LDAP authentication has succeeded, the LDAP server returns the attributes for the authenticated user.
Page 216: Authorization With Ldap For Vpn
You must create LDAP attribute maps that map your existing user-defined attribute names and values to Cisco attribute names and values that are compatible with the security appliance. You can then bind these attribute maps to LDAP servers or remove them as needed.
Page 217 Chapter 13 Configuring AAA Servers and the Local Database Configuring an LDAP Server To use the attribute mapping features correctly, you need to understand the Cisco LDAP attribute names Note and values as well as the user-defined attribute names and values.
Page 218: Using Certificates And User Login Credentials
DISABLED (set to None) by authentication server group setting – – No credentials used • Authorization Enabled by authorization server group setting – Uses the username value of the certificate primary DN field as a credential – Cisco Security Appliance Command Line Configuration Guide 13-16 OL-12172-03...
Page 219: Supporting A Zone Labs Integrity Server
Note interfaces support the configuration of up to five Integrity Servers. If the active Server fails, configure another Integrity Server on the security appliance and then reestablish the client VPN session. Cisco Security Appliance Command Line Configuration Guide 13-17 OL-12172-03...
Page 220: Configuring Integrity Server Support
“Configuring Firewall Policies” section on page 30-58. The command arguments that specify firewall policies are not used when the firewall type is zonelabs-integrity because the Integrity server determines the policies. Cisco Security Appliance Command Line Configuration Guide 13-18 OL-12172-03...
Page 221: Understanding Failover
Active/Standby failover configurations only. This section includes the following topics: Failover System Requirements, page 14-2 • The Failover and Stateful Failover Links, page 14-3 • Active/Active and Active/Standby Failover, page 14-6 • Cisco Security Appliance Command Line Configuration Guide 14-1 OL-12172-03...
Page 222: Failover System Requirements
License Requirements On the PIX 500 series security appliance, at least one of the units must have an unrestricted (UR) license. The other unit can have a Failover Only (FO) license, a Failover Only Active-Active (FO_AA) license, or another UR license.
Page 223: The Failover And Stateful Failover Links
VPN tunnels. On the PIX 500 series security appliance, the failover link can be either a LAN-based connection or a dedicated serial Failover cable. On the ASA 5500 series adaptive security appliance, the failover link can only be a LAN-based connection.
Page 224 You cannot override these designations in the PIX 500 series security appliance software. If you purchased a PIX 500 series security appliance failover bundle, this cable is included. To order a spare, use part number PIX-FO=.
Page 225: Stateful Failover Link
If you use a switch, no other hosts or routers should be on this link. Enable the PortFast option on Cisco switch ports that connect directly to the security appliance. Note If you are using the failover link as the Stateful Failover link, you should use the fastest Ethernet interface available.
Page 226: Active/Active And Active/Standby Failover
MAC to IP address pairing, no ARP entries change or time out anywhere on the network. For multiple context mode, the security appliance can fail over the entire unit (including all contexts) Note but cannot fail over individual contexts separately. Cisco Security Appliance Command Line Configuration Guide 14-6 OL-12172-03...
Page 227 • For single context mode, enter the write memory command on the active unit. The command is replicated to the standby unit, which proceeds to write its configuration to Flash memory. Cisco Security Appliance Command Line Configuration Guide 14-7 OL-12172-03...
Page 228 If you enter the write standby command on the active unit, the standby unit clears its running configuration (except for the failover commands used to communicate with the active unit), and the active unit sends its entire configuration to the standby unit. Cisco Security Appliance Command Line Configuration Guide 14-8 OL-12172-03...
Page 229 You should restore the failover link operation interface as failed interface as failed as soon as possible because the unit cannot fail over to the standby unit while the failover link is down. Cisco Security Appliance Command Line Configuration Guide 14-9 OL-12172-03...
Page 230: Active/Active Failover
A failover group failing on a unit does not mean that the unit has failed. The unit may still have another Note failover group passing traffic on it. When creating the failover groups, you should create them on the unit that will have failover group 1 in the active state. Cisco Security Appliance Command Line Configuration Guide 14-10 OL-12172-03...
Page 231 When a unit boots while the peer unit is active (with both failover groups active on it), the booting • unit contacts the active unit to obtain the running configuration regardless of the primary or secondary designation of the booting unit. Cisco Security Appliance Command Line Configuration Guide 14-11 OL-12172-03...
Page 232 The following commands are replicated to the standby unit: all configuration commands except for the mode, firewall, and failover lan unit commands • • copy running-config startup-config • delete mkdir • rename • rmdir • write memory • Cisco Security Appliance Command Line Configuration Guide 14-12 OL-12172-03...
Page 233 Because a failover group can contain multiple contexts, and each context can contain multiple interfaces, it is possible for all interfaces in a single context to fail without causing the associated failover group to fail. Cisco Security Appliance Command Line Configuration Guide 14-13 OL-12172-03...
Page 234 Each unit marks the failover interface as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down. Cisco Security Appliance Command Line Configuration Guide 14-14 OL-12172-03...
Page 235: Determining Which Type Of Failover To Use
Supported end-user applications are not required to reconnect to keep the same communication session. The state information passed to the standby unit includes the following: NAT translation table. • TCP connection states. • Cisco Security Appliance Command Line Configuration Guide 14-15 OL-12172-03...
Page 236: Failover Health Monitoring
Citrix authentication (Citrix users must reauthenticate after failover) • If failover occurs during an active Cisco IP SoftPhone session, the call remains active because the call Note session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client loses connection with the Cisco CallManager.
Page 237: Unit Health Monitoring
Broadcast Ping test—A ping test that consists of sending out a broadcast ping request. The unit then counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. Cisco Security Appliance Command Line Configuration Guide 14-17 OL-12172-03...
Page 238: Failover Feature/Platform Matrix
(other than the ASA 5505) PIX 500 series security appliance Failover Times by Platform Table 14-5 shows the minimum, default, and maximum failover times for the PIX 500 series security appliance. Table 14-5 PIX 500 series security appliance failover times. Failover Condition...
Page 239: Configuring Failover
The crypto ca server command and associated commands are not synchronized or replicated to the peer unit. Configuring Active/Standby Failover This section provides step-by-step procedures for configuring Active/Standby failover. This section includes the following topics: Cisco Security Appliance Command Line Configuration Guide 14-19 OL-12172-03...
Page 240: Prerequisites
Cable-based failover is only available on the PIX 500 series security appliance. To configure cable-based Active/Standby failover, perform the following steps: Connect the Failover cable to the PIX 500 series security appliances. Make sure that you attach the end Step 1 of the cable marked “Primary”...
Page 241: Configuring Lan-Based Active/Standby Failover
This section describes how to configure Active/Standby failover using an Ethernet failover link. When configuring LAN-based failover, you must bootstrap the secondary device to recognize the failover link before the secondary device can obtain the running configuration from the primary device. Cisco Security Appliance Command Line Configuration Guide 14-21 OL-12172-03...
Page 242 , where context is the name of the current context. You must enter a hostname/ context (config-if)# management IP address for each context in transparent firewall multiple context mode. (PIX 500 series security appliance only) Enable LAN-based failover: Step 2 hostname(config)# failover lan enable...
Page 243 If the Stateful Failover link uses the failover link or data interface, skip this step. You have Note already enabled the interface. hostname(config)# interface phy_if hostname(config-if)# no shutdown Step 6 Enable failover: hostname(config)# failover Cisco Security Appliance Command Line Configuration Guide 14-23 OL-12172-03...
Page 244 For multiple context mode, all steps are performed in the system execution space unless noted otherwise. To configure the secondary unit, perform the following steps: Step 1 (PIX 500 series security appliance only) Enable LAN-based failover: hostname(config)# failover lan enable Define the failover interface. Use the same settings as you used for the primary unit.
Page 245: Configuring Optional Active/Standby Failover Settings
For units in single configuration mode, use the following commands to enable or disable health monitoring for specific interfaces: • To disable health monitoring for an interface, enter the following command in global configuration mode: hostname(config)# no monitor-interface if_name Cisco Security Appliance Command Line Configuration Guide 14-25 OL-12172-03...
Page 246 MAC addresses the failover pair uses the burned-in NIC addresses as the MAC addresses. You cannot configure a virtual MAC address for the failover or Stateful Failover links. The MAC and IP Note addresses for those links do not change during failover. Cisco Security Appliance Command Line Configuration Guide 14-26 OL-12172-03...
Page 247: Configuring Active/Active Failover
Active/Active failover is not available on the ASA 5505 adaptive security appliance. This section includes the following topics: Prerequisites, page 14-27 • Configuring Cable-Based Active/Active Failover (PIX 500 series security appliance), page 14-27 • Configuring LAN-Based Active/Active Failover, page 14-29 •...
Page 248 Step 1 Connect the failover cable to the PIX 500 series security appliances. Make sure that you attach the end of the cable marked “Primary” to the unit you use as the primary unit, and that you attach the end of the cable marked “Secondary”...
Page 249: Configuring Lan-Based Active/Active Failover
LAN-based failover, you must bootstrap the secondary device to recognize the failover link before the secondary device can obtain the running configuration from the primary device. This section includes the following topics: Cisco Security Appliance Command Line Configuration Guide 14-29 OL-12172-03...
Page 250 Configure the basic failover parameters in the system execution space. Step 2 (PIX 500 series security appliance only) Enable LAN-based failover: hostname(config)# hostname(config)# failover lan enable Designate the unit as the primary unit: hostname(config)# failover lan unit primary...
Page 251 Assign each user context to a failover group using the join-failover-group command in context configuration mode. Any unassigned contexts are automatically assigned to failover group 1. The admin context is always a member of failover group 1. Cisco Security Appliance Command Line Configuration Guide 14-31 OL-12172-03...
Page 252 This allows the secondary unit to communicate with and receive the running configuration from the primary unit. To bootstrap the secondary unit in an Active/Active failover configuration, perform the following steps: (PIX 500 series security appliance only) Enable LAN-based failover: Step 1 hostname(config)# failover lan enable Step 2 Define the failover interface.
Page 253: Configuring Optional Active/Active Failover Settings
[ delay ] You can enter an optional delay value, which specifies the number of seconds the failover group remains active on the current unit before automatically becoming active on the designated unit. Cisco Security Appliance Command Line Configuration Guide 14-33 OL-12172-03...
Page 254 By default, if a single interface fails failover occurs. You can specify a specific number of interfaces or a percentage of monitored interfaces that must fail before a failover occurs. The failover criteria is specified on a failover group basis. Cisco Security Appliance Command Line Configuration Guide 14-34 OL-12172-03...
Page 255 This most commonly occurs when the two security appliances in an Active/Active failover pair are connected to different service providers and the outbound connection does not use a NAT address. Cisco Security Appliance Command Line Configuration Guide 14-35 OL-12172-03...
Page 256 You can have more than one ASR group configured on the security appliance, but only one per interface. Only members of the same ASR group are checked for session information. Cisco Security Appliance Command Line Configuration Guide 14-36 OL-12172-03...
Page 257 GigabitEthernet0/1 failover link folink failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11 failover group 1 primary failover group 2 secondary admin-context admin context admin description admin Cisco Security Appliance Command Line Configuration Guide 14-37 OL-12172-03...
Page 258 192.168.1.2, where it can then return through the interface on the unit from which it originated (192.168.1.1 on SecAppA). This forwarding continues as needed until the session ends. Cisco Security Appliance Command Line Configuration Guide 14-38 OL-12172-03...
Page 259: Configuring Unit Health Monitoring
You can encrypt and authenticate the communication between failover peers by specifying a shared secret or hexadecimal key. On the PIX 500 series security appliance, if you are using the dedicated serial failover cable to connect Note the units, then communication over the failover link is not encrypted even if a failover key is configured.
Page 260: Verifying The Failover Configuration
This host: Primary - Active Active time: 13434 (sec) Interface inside (10.130.9.3): Normal Interface outside (10.132.9.3): Normal Other host: Secondary - Standby Ready Active time: 0 (sec) Interface inside (10.130.9.4): Normal Interface outside (10.132.9.4): Normal Cisco Security Appliance Command Line Configuration Guide 14-40 OL-12172-03...
Page 261 Interface inside (192.168.0.11): Normal Stateful Failover Logical Update Statistics Status: Configured. Stateful Obj xmit xerr rerr RPC services TCP conn UDP conn ARP tbl Xlate_Timeout GTP PDP GTP PDPMCB SIP Session Cisco Security Appliance Command Line Configuration Guide 14-41 OL-12172-03...
Page 262 The amount of time the unit has been active. This time is cumulative, so the standby unit, if it was active in the past, also shows a value. slot x Information about the module in the slot or empty. Cisco Security Appliance Command Line Configuration Guide 14-42 OL-12172-03...
Page 263 Dynamic UDP connection information. ARP tbl Dynamic ARP table information. L2BRIDGE tbl Layer 2 bridge table information (transparent firewall mode only). Xlate_Timeout Indicates connection translation timeout information. VPN IKE upd IKE connection information. Cisco Security Appliance Command Line Configuration Guide 14-43 OL-12172-03...
Page 264 Interface inside (10.130.8.5): Normal admin Interface fourth (10.130.9.5): Normal ctx1 Interface outside (10.1.1.1): Normal ctx1 Interface inside (10.2.2.1): Normal ctx2 Interface outside (10.3.3.2): Normal ctx2 Interface inside (10.4.4.2): Normal Other host: Secondary Cisco Security Appliance Command Line Configuration Guide 14-44 OL-12172-03...
Page 265 Interface outside (192.168.5.121): Normal admin Interface inside (192.168.0.1): Normal Other host: Primary State: Standby Active time: 0 (sec) admin Interface outside (192.168.5.131): Normal admin Interface inside (192.168.0.11): Normal Stateful Failover Logical Update Statistics Cisco Security Appliance Command Line Configuration Guide 14-45 OL-12172-03...
Page 266 Active Time in seconds • Group 1 State Active or Standby Ready • Group 2 State Active Time in seconds • slot x Information about the module in the slot or empty. Cisco Security Appliance Command Line Configuration Guide 14-46 OL-12172-03...
Page 267 Dynamic UDP connection information. ARP tbl Dynamic ARP table information. L2BRIDGE tbl Layer 2 bridge table information (transparent firewall mode only). Xlate_Timeout Indicates connection translation timeout information. VPN IKE upd IKE connection information. Cisco Security Appliance Command Line Configuration Guide 14-47 OL-12172-03...
Page 268: Viewing Monitored Interfaces
All of the failover commands are displayed. On units running multiple context mode, enter this command in the system execution space. Entering show running-config all failover displays the failover commands in the running configuration and includes commands for which you have not changed the default value. Cisco Security Appliance Command Line Configuration Guide 14-48 OL-12172-03...
Page 269: Testing The Failover Functionality
To force the standby unit or failover group to become active, enter one of the following commands: For Active/Standby failover: • Enter the following command on the standby unit: hostname# failover active Or, enter the following command on the active unit: Cisco Security Appliance Command Line Configuration Guide 14-49 OL-12172-03...
Page 270: Disabling Failover
Monitoring Failover When a failover occurs, both security appliances send out system messages. This section includes the following topics: Failover System Messages, page 14-51 • Cisco Security Appliance Command Line Configuration Guide 14-50 OL-12172-03...
Page 271: Failover System Messages
411002 messages. This is normal activity. Debug Messages To see debug messages, enter the debug fover command. See the Cisco Security Appliance Command Reference for more information. Because debugging output is assigned high priority in the CPU process, it can drastically affect system Note performance.
Page 272: Changing Command Modes
The result would be that your session to the device remains in interface configuration mode, while commands entered using failover exec active are sent to router configuration mode for the specified routing process. hostname(config-if)# failover exec active router ospf 100 hostname(config-if)# Cisco Security Appliance Command Line Configuration Guide 14-52 OL-12172-03...
Page 273: Security Considerations
• You cannot enter recursive failover exec commands, such as failover exec mate failover exec mate command. • Commands that require user input or confirmation must use the /nonconfirm option. Cisco Security Appliance Command Line Configuration Guide 14-53 OL-12172-03...
Page 274: Auto Update Server Support In Failover Configurations
If hitless upgrade cannot be performed when the standby unit boots, then both units reload at – the same time. If only the secondary (standby) unit has new image, then only the secondary unit reloads. The primary unit waits until the secondary unit finishes reloading. Cisco Security Appliance Command Line Configuration Guide 14-54 OL-12172-03...
Page 275: Monitoring The Auto Update Process
Fover copyfile, seq = 4 type = 1, pseq = 8001, len = 1024 auto-update: Fover copyfile, seq = 4 type = 1, pseq = 8501, len = 1024 auto-update: Fover copyfile, seq = 4 type = 1, pseq = 9001, len = 1024 Cisco Security Appliance Command Line Configuration Guide 14-55 OL-12172-03...
Page 276 %PIX|ASA4-612002: Auto Update failed: file version: version reason: reason The file is “image”, “asdm”, or “configuration”, depending on which update failed. The version is the version number of the update. And the reason is the reason the update failed. Cisco Security Appliance Command Line Configuration Guide 14-56 OL-12172-03...
Page 277: Configuring The Firewall
A R T Configuring the Firewall...
Page 279: Routed Mode Overview
An Inside User Visits a Web Server, page 15-2 • An Outside User Visits a Web Server on the DMZ, page 15-3 • An Inside User Visits a Web Server on the DMZ, page 15-4 • Cisco Security Appliance Command Line Configuration Guide 15-1 OL-12172-03...
Page 280: An Inside User Visits A Web Server
The security appliance translates the local source address (10.1.2.27) to the global address 209.165.201.10, which is on the outside interface subnet. The global address could be on any subnet, but routing is simplified when it is on the outside interface subnet. Cisco Security Appliance Command Line Configuration Guide 15-2 OL-12172-03...
Page 281: An Outside User Visits A Web Server On The Dmz
In this case, the classifier “knows” that the DMZ web server address belongs to a certain context because of the server address translation. Cisco Security Appliance Command Line Configuration Guide 15-3...
Page 282: An Inside User Visits A Web Server On The Dmz
The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA). Cisco Security Appliance Command Line Configuration Guide 15-4 OL-12172-03...
Page 283: An Outside User Attempts To Access An Inside Host
The security appliance receives the packet and because it is a new session, the security appliance verifies if the packet is allowed according to the security policy (access lists, filters, AAA). Cisco Security Appliance Command Line Configuration Guide 15-5 OL-12172-03...
Page 284: A Dmz User Attempts To Access An Inside Host
“stealth firewall,” and is not seen as a router hop to connected devices. This section describes transparent firewall mode, and includes the following topics: Transparent Firewall Network, page 15-7 • Allowing Layer 3 Traffic, page 15-7 • Cisco Security Appliance Command Line Configuration Guide 15-6 OL-12172-03...
Page 285: Transparent Firewall Network
The transparent mode security appliance does not pass CDP packets or IPv6 packets, or any packets that Note do not have a valid EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS packets. An exception is made for BPDUs, which are supported. Cisco Security Appliance Command Line Configuration Guide 15-7 OL-12172-03...
Page 286: Mac Address Vs. Route Lookups
For example, if the real destination address is not directly-connected to the security appliance, then you need to add a static route on the security appliance for the real destination address that points to the downstream router. Cisco Security Appliance Command Line Configuration Guide 15-8 OL-12172-03...
Page 287: Using The Transparent Firewall In Your Network
The transparent security appliance uses an inside interface and an outside interface only. If your • platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only. Cisco Security Appliance Command Line Configuration Guide 15-9 OL-12172-03...
Page 288: Unsupported Features In Transparent Mode
You can pass VPN traffic through the security appliance using an extended access list, but it does not terminate non-management connections. WebVPN is also not supported. Cisco Security Appliance Command Line Configuration Guide 15-10 OL-12172-03...
Page 289: How Data Moves Through The Transparent Firewall
An Inside User Visits a Web Server Using NAT, page 15-13 • An Outside User Visits a Web Server on the Inside Network, page 15-14 • An Outside User Attempts to Access an Inside Host, page 15-15 • Cisco Security Appliance Command Line Configuration Guide 15-11 OL-12172-03...
Page 290: An Inside User Visits A Web Server
The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The security appliance forwards the packet to the inside user. Cisco Security Appliance Command Line Configuration Guide 15-12 OL-12172-03...
Page 291: An Inside User Visits A Web Server Using Nat
MAC address by sending an ARP request and a ping. The first packet is dropped. The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. Cisco Security Appliance Command Line Configuration Guide 15-13 OL-12172-03...
Page 292: An Outside User Visits A Web Server On The Inside Network
If the destination MAC address is in its table, the security appliance forwards the packet out of the inside interface. The destination MAC address is that of the downstream router, 209.186.201.1. Cisco Security Appliance Command Line Configuration Guide 15-14 OL-12172-03...
Page 293: An Outside User Attempts To Access An Inside Host
The packet is denied, and the security appliance drops the packet. If the outside user is attempting to attack the inside network, the security appliance employs many technologies to determine if a packet is valid for an already established session. Cisco Security Appliance Command Line Configuration Guide 15-15 OL-12172-03...
Page 294 Chapter 15 Firewall Mode Overview Transparent Mode Overview Cisco Security Appliance Command Line Configuration Guide 15-16 OL-12172-03...
Page 295: Access List Overview
Access List Types, page 16-2 • Access Control Entry Order, page 16-2 • Access Control Implicit Deny, page 16-3 • • IP Addresses Used for Access Lists When You Use NAT, page 16-3 Cisco Security Appliance Command Line Configuration Guide 16-1 OL-12172-03...
Page 296: Access List Types
After a match is found, no more ACEs are checked. For example, if you create an ACE at the beginning of an access list that explicitly permits all traffic, no further statements are ever checked. Cisco Security Appliance Command Line Configuration Guide 16-2...
Page 297: Access Control Implicit Deny
IP Addresses in Access Lists: NAT Used for Source Addresses 209.165.200.225 Outside Inside Inbound ACL Permit from 10.1.1.0/24 209.165.200.225 10.1.1.0/24 10.1.1.0/24 209.165.201.4:port See the following commands for this example: hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225 Cisco Security Appliance Command Line Configuration Guide 16-3 OL-12172-03...
Page 298 209.165.200.225 209.165.201.5 Outside Inside 10.1.1.34 209.165.201.5 Static NAT See the following commands for this example: hostname(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5 hostname(config)# access-group OUTSIDE in interface outside Cisco Security Appliance Command Line Configuration Guide 16-4 OL-12172-03...
Page 299: Adding An Extended Access List
This section describes how to identify the parameters within the command. To use object groups, see the “Simplifying Access Lists with Object Grouping” section on page 16-11. Cisco Security Appliance Command Line Configuration Guide 16-5 OL-12172-03...
Page 300: Allowing Broadcast And Multicast Traffic Through The Transparent Firewall
Adding an Extended ACE When you enter the access-list command for a given access list name, the ACE is added to the end of the access list unless you specify the line number. Cisco Security Appliance Command Line Configuration Guide 16-6 OL-12172-03...
Page 301 ICMP types. When you specify a network mask, the method is different from the Cisco IOS software access-list command. The security appliance uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
Page 302: Adding An Ethertype Access List
802.3-formatted frames are not handled by the access list because they use a length field as opposed to a type field. BPDUs, which are handled by the access list, are the only exception: they are SNAP-encapsulated, and the security appliance is designed to specifically handle BPDUs. Cisco Security Appliance Command Line Configuration Guide 16-8 OL-12172-03...
Page 303: Ipv6 Unsupported
TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.) On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the security appliance.
Page 304: Adding An Ethertype Ace
The following command adds a standard ACE. To add another ACE at the end of the access list, enter another access-list command specifying the same access list name. Apply the access list using the “Defining Route Maps” section on page 9-6. Cisco Security Appliance Command Line Configuration Guide 16-10 OL-12172-03...
Page 305: Adding A Webtype Access List
TrustedHosts—Includes the host and network addresses allowed access to the greatest range of • services and servers PublicServers—Includes the host addresses of servers to which the greatest access is provided • Cisco Security Appliance Command Line Configuration Guide 16-11 OL-12172-03...
Page 306: Adding Object Groups
To include all IP protocols, use the keyword ip. For a list of protocols you can specify, see the “Protocols and Applications” section on page D-11. Cisco Security Appliance Command Line Configuration Guide 16-12 OL-12172-03...
Page 307 You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command. Cisco Security Appliance Command Line Configuration Guide 16-13 OL-12172-03...
Page 308 To add an ICMP type group, enter the following command: Step 1 hostname(config)# object-group icmp-type grp_id The grp_id is a text string up to 64 characters in length. The prompt changes to ICMP type configuration mode. Cisco Security Appliance Command Line Configuration Guide 16-14 OL-12172-03...
Page 309: Nesting Object Groups
10.1.2.8 hostname(config-network)# network-object host 10.1.2.12 hostname(config-network)# object-group network finance hostname(config-network)# network-object host 10.1.4.89 hostname(config-network)# network-object host 10.1.4.100 You then nest all three groups together as follows: hostname(config)# object-group network admin Cisco Security Appliance Command Line Configuration Guide 16-15 OL-12172-03...
Page 310: Using Object Groups With An Access List
10.1.1.4 hostname(config-network)# network-object host 10.1.1.78 hostname(config-network)# network-object host 10.1.1.89 hostname(config-network)# object-group network web hostname(config-network)# network-object host 209.165.201.29 hostname(config-network)# network-object host 209.165.201.16 hostname(config-network)# network-object host 209.165.201.78 Cisco Security Appliance Command Line Configuration Guide 16-16 OL-12172-03...
Page 311: Displaying Object Groups
If you enter the remark before any access-list command, then the remark is the first line in the access list. If you delete an access list using the no access-list access_list_name command, then all the remarks are also removed. Cisco Security Appliance Command Line Configuration Guide 16-17 OL-12172-03...
Page 312: Scheduling Extended Access List Activation
The time is in the format hh:mm. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m. The date is in the format day month year; for example, 1 january 2006. Cisco Security Appliance Command Line Configuration Guide 16-18...
Page 313: Applying The Time Range To An Ace
106023 for each denied packet, in the following form: %ASA|PIX-4-106023: Deny protocol src [ interface_name : source_address / source_port ] dst interface_name : dest_address / dest_port [type { string }, code { code }] by access_group acl_id Cisco Security Appliance Command Line Configuration Guide 16-19 OL-12172-03...
Page 314: Configuring Logging For An Access Control Entry
For connectionless protocols, such as ICMP, all packets are logged even if they are permitted, and all denied packets are logged. See the Cisco Security Appliance Logging Configuration and System Log Messages for detailed information about this system message.
Page 315: Managing Deny Flows
CPU resources. When you reach the maximum number of deny flows, the security appliance issues system message 106100: %ASA|PIX-1-106101: The number of ACL log deny-flows has reached limit (numbe r). Cisco Security Appliance Command Line Configuration Guide 16-21 OL-12172-03...
Page 316 To set the amount of time between system messages (number 106101) that identify that the • maximum number of deny flows was reached, enter the following command: hostname(config)# access-list alert-interval secs The seconds are between 1 and 3600. 300 is the default. Cisco Security Appliance Command Line Configuration Guide 16-22 OL-12172-03...
Page 317: Configuring Nat
The security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues. The exception is when you enable NAT control. NAT control requires that packets traversing from a higher security interface (inside) to a lower security Cisco Security Appliance Command Line Configuration Guide 17-1 OL-12172-03...
Page 318: Nat In Routed Mode
10.1.1.1.27 before sending it to the host. Figure 17-1 NAT Example: Routed Mode Web Server www.cisco.com Outside 209.165.201.2 Originating Responding Security Packet Packet Appliance Translation Undo Translation 10.1.2.27 209.165.201.10 209.165.201.10 10.1.2.27 10.1.2.1 Inside 10.1.2.27 Cisco Security Appliance Command Line Configuration Guide 17-2 OL-12172-03...
Page 319: Nat In Transparent Mode
The security appliance then undoes the translation of the mapped address, 209.165.201.10 back to the real address, 10.1.1.1.27. Because the real address is directly-connected, the security appliance sends it directly to the host. Cisco Security Appliance Command Line Configuration Guide 17-3 OL-12172-03...
Page 320: Nat Control
NAT to translate the inside host address, as shown in Figure 17-3. Figure 17-3 NAT Control and Outbound Traffic Security Appliance 10.1.1.1 209.165.201.1 No NAT 10.1.2.1 Inside Outside Cisco Security Appliance Command Line Configuration Guide 17-4 OL-12172-03...
Page 321 MAC addresses for shared interfaces. See the “How the Security Appliance Classifies Packets” section on page 3-3 for more information about the relationship between the classifier and NAT. Cisco Security Appliance Command Line Configuration Guide 17-5 OL-12172-03...
Page 322: Nat Types
IP address after the translation times out. For an example, see the timeout xlate command in the Cisco Security Appliance Command Reference. Users on the destination network, therefore, cannot initiate a reliable connection to a host that uses dynamic NAT, although the connection is allowed by an access list, and the security appliance rejects any attempt to connect to a real host address directly.
Page 323 Note access list allows it. Because the address is unpredictable, a connection to the host is unlikely. Nevertheless, in this case, you can rely on the security of the access list. Cisco Security Appliance Command Line Configuration Guide 17-7 OL-12172-03...
Page 324: Pat
NAT, and a persistent translation rule exists, static NAT allows hosts on the destination network to initiate traffic to a translated host (if an access list exists that allows it). Cisco Security Appliance Command Line Configuration Guide 17-8 OL-12172-03...
Page 325: Static Pat
See the following commands for this example: hostname(config)# static (inside,outside) tcp 209.165.201.3 ftp 10.1.2.27 ftp netmask 255.255.255.255 hostname(config)# static (inside,outside) tcp 209.165.201.3 http 10.1.2.28 http netmask 255.255.255.255 hostname(config)# static (inside,outside) tcp 209.165.201.3 smtp 10.1.2.29 smtp netmask 255.255.255.255 Cisco Security Appliance Command Line Configuration Guide 17-9 OL-12172-03...
Page 326: Bypassing Nat When Nat Control Is Enabled
NAT, you can translate the real address to mapped address A when it accesses server A, but translate the real address to mapped address B when it accesses server B. Cisco Security Appliance Command Line Configuration Guide 17-10...
Page 327 NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224 hostname(config)# nat (inside) 1 access-list NET1 hostname(config)# global (outside) 1 209.165.202.129 hostname(config)# nat (inside) 2 access-list NET2 hostname(config)# global (outside) 2 209.165.202.130 Cisco Security Appliance Command Line Configuration Guide 17-11 OL-12172-03...
Page 328 NAT access list specifies the real addresses and the destination addresses, but for traffic originated on the remote network, the access list identifies the real addresses and the source addresses of remote hosts who are allowed to connect to the host using this translation. Cisco Security Appliance Command Line Configuration Guide 17-12 OL-12172-03...
Page 329: Nat And Same Security Level Interfaces
(even when NAT control is not enabled). Traffic identified for static NAT is not affected. See the “Allowing Communication Between Interfaces on the Same Security Level” section on page 7-7 to enable same security communication. Cisco Security Appliance Command Line Configuration Guide 17-13 OL-12172-03...
Page 330: Order Of Nat Commands Used To Match Real Addresses
If the mapped interface is passive (not advertising routes) or you are using static routing, then you need to add a static route on the upstream router that sends traffic destined for the mapped addresses to the security appliance. Cisco Security Appliance Command Line Configuration Guide 17-14 OL-12172-03...
Page 331: Dns And Nat
DNS server, and not the mapped address. When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10). The security appliance refers to the static statement for the inside server and translates the address inside the DNS reply to 10.1.3.14.
Page 332: Configuring Nat Control
Configuring NAT Control Note If a user on a different network (for example, DMZ) also requests the IP address for ftp.cisco.com from the outside DNS server, then the IP address in the DNS reply is also modified for this user, even though the user is not on the Inside interface referenced by the static command.
Page 333: Using Dynamic Nat And Pat
Outside Global 1: 209.165.201.3- 209.165.201.10 Translation 10.1.2.27 209.165.201.3 NAT 1: 10.1.2.0/24 Inside 10.1.2.27 See the following commands for this example: hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0 hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10 Cisco Security Appliance Command Line Configuration Guide 17-17 OL-12172-03...
Page 334 209.165.201.3 10.1.1.15 NAT 1: 10.1.2.0/24 Inside 10.1.2.27 See the following commands for this example: hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0 hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10 Cisco Security Appliance Command Line Configuration Guide 17-18 OL-12172-03...
Page 335 17-17). If you use policy NAT, you can specify the same real addresses for multiple nat commands, as long as the the destination addresses and ports are unique in each access list. Cisco Security Appliance Command Line Configuration Guide 17-19 OL-12172-03...
Page 336 PAT statement in case all the dynamic NAT addresses are depleted. Similarly, you might enter two PAT statements if you need more than the approximately 64,000 PAT sessions that a single PAT mapped statement supports (see Figure 17-18). Cisco Security Appliance Command Line Configuration Guide 17-20 OL-12172-03...
Page 337 17-19). Note that for outside NAT (DMZ interface to Inside interface), the inside host uses a static command to allow outside access, so both the source and destination addresses are translated. Cisco Security Appliance Command Line Configuration Guide 17-21 OL-12172-03...
Page 338 If you do apply outside NAT, then the NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected. Cisco Security Appliance Command Line Configuration Guide 17-22 OL-12172-03...
Page 339: Configuring Dynamic Nat Or Pat
However, clearing the translation table disconnects all current connections that use translations. To configure dynamic NAT or PAT, perform the following steps: To identify the real addresses that you want to translate, enter one of the following commands: Step 1 Cisco Security Appliance Command Line Configuration Guide 17-23 OL-12172-03...
Page 340 ( mapped_interface ) nat_id { mapped_ip [- mapped_ip ] | interface} This NAT ID should match a nat command NAT ID. The matching nat command identifies the addresses that you want to translate when they exit this interface. Cisco Security Appliance Command Line Configuration Guide 17-24 OL-12172-03...
Page 341 TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23 hostname(config)# nat (inside) 1 access-list WEB hostname(config)# global (outside) 1 209.165.202.129 hostname(config)# nat (inside) 2 access-list TELNET hostname(config)# global (outside) 2 209.165.202.130 Cisco Security Appliance Command Line Configuration Guide 17-25 OL-12172-03...
Page 342: Using Static Nat
10.1.1.1 to the mapped address 192.168.1.1 when 10.1.1.1 sends traffic to the 209.165.200.224 network, the access-list and static commands are: hostname(config)# access-list TEST extended ip host 10.1.1.1 209.165.200.224 255.255.255.224 hostname(config)# static (inside,outside) 192.168.1.1 access-list TEST Cisco Security Appliance Command Line Configuration Guide 17-26 OL-12172-03...
Page 343: Using Static Pat
IP address, as well as the real port to a mapped port. You can choose to translate the real port to the same port, which lets you translate only specific types of traffic, or you can take it further by translating to a different port. Cisco Security Appliance Command Line Configuration Guide 17-27 OL-12172-03...
Page 344 10.1.1.1/Telnet to the mapped address 192.168.1.1/Telnet when 10.1.1.1 sends traffic to the 209.165.200.224 network, the access-list and static commands are: hostname(config)# access-list TEST extended tcp host 10.1.1.1 eq telnet 209.165.200.224 255.255.255.224 hostname(config)# static (inside,outside) tcp 192.168.1.1 telnet access-list TEST Cisco Security Appliance Command Line Configuration Guide 17-28 OL-12172-03...
Page 345 PAT for outbound connections from the server. hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 255.255.255.255 hostname(config)# nat (inside) 1 10.1.1.15 255.255.255.255 hostname(config)# global (outside) 1 10.1.2.14 Cisco Security Appliance Command Line Configuration Guide 17-29 OL-12172-03...
Page 346: Bypassing Nat
Identity NAT translates the real IP address to the same IP address. Only “translated” hosts can create NAT translations, and responding traffic is allowed back. Figure 17-24 shows a typical identity NAT scenario. Figure 17-24 Identity NAT Security Appliance 209.165.201.1 209.165.201.1 209.165.201.2 209.165.201.2 Inside Outside Cisco Security Appliance Command Line Configuration Guide 17-30 OL-12172-03...
Page 347: Configuring Static Identity Nat
Only dynamic translations created by the nat and global commands can be removed with the clear xlate command. To configure static identity NAT, enter one of the following commands: To configure policy static identity NAT, enter the following command: • Cisco Security Appliance Command Line Configuration Guide 17-31 OL-12172-03...
Page 348 NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224 hostname(config)# access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224 hostname(config)# static (inside,outside) 10.1.2.27 access-list NET1 hostname(config)# static (inside,outside) 209.165.202.130 access-list NET2 Cisco Security Appliance Command Line Configuration Guide 17-32 OL-12172-03...
Page 349: Configuring Nat Exemption
To use dynamic outside NAT for a DMZ network, and exempt another DMZ network, enter the following command: hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns hostname(config)# global (inside) 1 10.1.1.45 hostname(config)# access-list EXEMPT permit ip 10.1.3.0 255.255.255.0 any hostname(config)# nat (dmz) 0 access-list EXEMPT Cisco Security Appliance Command Line Configuration Guide 17-33 OL-12172-03...
Page 350: Nat Examples
This example shows static NAT. To configure static NAT for these two interfaces, perform the following steps. The 10.1.1.0/24 network on the DMZ is not translated. Cisco Security Appliance Command Line Configuration Guide 17-34 OL-12172-03...
Page 351 When the security appliance receives this packet, the security appliance translates the source address from 192.168.100.2 to 10.1.3.2. Then the security appliance translates the destination address from 10.1.2.2 to 192.168.100.2, and the packet is forwarded. Cisco Security Appliance Command Line Configuration Guide 17-35 OL-12172-03...
Page 352: Redirecting Ports
(inside,outside) tcp 209.165.201.5 ftp 10.1.1.3 ftp netmask 255.255.255.255 Redirect HTTP requests for the security appliance outside interface address to 10.1.1.5 by entering the Step 4 following command: hostname(config)# static (inside,outside) tcp interface www 10.1.1.5 www netmask 255.255.255.255 Cisco Security Appliance Command Line Configuration Guide 17-36 OL-12172-03...
Page 353 Step 5 Redirect HTTP requests on port 8080 for PAT address 209.165.201.15 to 10.1.1.7 port 80 by entering the following command: hostname(config)# static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255 Cisco Security Appliance Command Line Configuration Guide 17-37 OL-12172-03...
Page 354 Chapter 17 Configuring NAT NAT Examples Cisco Security Appliance Command Line Configuration Guide 17-38 OL-12172-03...
Page 355: Chapter 18 Permitting Or Denying Network Access
Rather than creating multiple inbound access lists to restrict access, you can create a single outbound access list that allows only the specified hosts Cisco Security Appliance Command Line Configuration Guide 18-1...
Page 356: Applying An Access List To An Interface
You can apply one access list of each type (extended and EtherType) to both directions of the interface. See the “Inbound and Outbound Access List Overview” section on page 18-1 for more information about access list directions. Cisco Security Appliance Command Line Configuration Guide 18-2 OL-12172-03...
Page 357 (config-service)# service-object tcp source range 2000 3000 hostname (config-service)# service-object tcp source range 3000 3010 destinatio$ hostname (config-service)# service-object ipsec hostname (config-service)# service-object udp destination range 1002 1006 hostname (config-service)# service-object icmp echo Cisco Security Appliance Command Line Configuration Guide 18-3 OL-12172-03...
Page 358 Chapter 18 Permitting or Denying Network Access Applying an Access List to an Interface hostname(config)# access-list outsideacl extended permit object-group myaclog interface inside any Cisco Security Appliance Command Line Configuration Guide 18-4 OL-12172-03...
Page 359: Chapter 19 Applying Aaa For Network Access
This section includes the following topics: Authentication Overview, page 19-2 • Enabling Network Access Authentication, page 19-3 • Enabling Secure Authentication of Web Clients, page 19-5 • Authenticating Directly with the Security Appliance, page 19-6 • Cisco Security Appliance Command Line Configuration Guide 19-1 OL-12172-03...
Page 360: Authentication Overview
A user at a given IP address only needs to authenticate one time for all rules and types, until the authentication session expires. (See the timeout uauth command in the Cisco Security Appliance Command Reference for timeout values.) For example, if you configure the security appliance to authenticate Telnet and FTP, and a user first successfully authenticates for Telnet, then as long as the authentication session exists, the user does not also have to authenticate for FTP.
Page 361: Static Pat And Http
Then users do not see the authentication page. Instead, the security appliance sends to the web browser an error message indicating that the user must be authenticated prior using the requested service. Enabling Network Access Authentication To enable network access authentication, perform the following steps: Cisco Security Appliance Command Line Configuration Guide 19-3 OL-12172-03...
Page 362 Step You can alternatively use the aaa authentication include command (which identifies traffic within the Note command). However, you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information. Step 4 (Optional) To enable the redirection method of authentication for HTTP or HTTPS connections, enter...
Page 363: Enabling Secure Authentication Of Web Clients
Secured web-client authentication has the following limitations: A maximum of 16 concurrent HTTPS authentication sessions are allowed. If all 16 HTTPS – authentication processes are running, a new connection requiring authentication will not succeed. Cisco Security Appliance Command Line Configuration Guide 19-5 OL-12172-03...
Page 364: Authenticating Directly With The Security Appliance
HTTP server; you are not prompted separately for the HTTP server username and password. Assuming the username and password is not the same for the AAA and HTTP servers, then the HTTP authentication fails. Cisco Security Appliance Command Line Configuration Guide 19-6 OL-12172-03...
Page 365: Enabling Direct Authentication Using Telnet
Telnet IP address, even if NAT is not required (using the no nat-control command). An identity NAT command is typically used (where you translate the address to itself). Cisco Security Appliance Command Line Configuration Guide 19-7 OL-12172-03...
Page 366: Configuring Authorization For Network Access
Because a user at a given IP address only needs to authenticate one time for all rules and types, if the authentication session hasn’t expired, authorization can occur even if the traffic is matched by an authentication statement. Cisco Security Appliance Command Line Configuration Guide 19-8 OL-12172-03...
Page 367 Alternatively, you can use the aaa authorization include command (which identifies traffic Note within the command) but you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information. The following commands authenticate and authorize inside Telnet traffic. Telnet traffic to servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires authorization.
Page 368: Configuring Radius Authorization
Configuring a RADIUS Server to Download Per-User Access Control List Names, page 19-14 • Configuring a RADIUS Server to Send Downloadable Access Control Lists This section describes how to configure Cisco Secure ACS or a third-party RADIUS server, and includes the following topics: •...
Page 369 Because the name of the downloadable access list includes the date and time it was last modified, matching the name sent by Cisco Secure ACS to the name of an access list previous downloaded means that the security appliance has the most recent version of the downloadable access list.
Page 370 An example of an attribute-value pair follows: ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0 If the access list required is more than approximately 4 KB in length, Cisco Secure ACS responds with an access-challenge message that contains a portion of the access list, formatted as described above, and an State attribute (IETF RADIUS attribute 24), which contains control data used by Cisco Secure ACS to track the progress of the download.
Page 371 If this parameter is omitted, the sequence value is 0, and the order of the ACEs inside the cisco-av-pair RADIUS VSA is used. The following example is an access list definition as it should be configured for a cisco-av-pair VSA on a RADIUS server: ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0...
Page 372: Configuring Accounting For Network Access
Note In Cisco Secure ACS, the value for filter-id attributes are specified in boxes in the HTML interface, omitting filter-id= and entering only acl_name. For information about making unique per user the filter-id attribute value, see the documentation for your RADIUS server.
Page 373 Alternatively, you can use the aaa accounting include command (which identifies traffic within Note the command) but you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information. The following commands authenticate, authorize, and account for inside Telnet traffic. Telnet traffic to servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires...
Page 374: Using Mac Addresses To Exempt Traffic From Authentication And Authorization
The following example bypasses authentication for a single MAC address: hostname(config)# mac-list abc permit 00a0.c95d.0282 ffff.ffff.ffff hostname(config)# aaa mac-exempt match abc The following entry bypasses authentication for all Cisco IP Phones, which have the hardware ID 0003.E3: hostname(config)# mac-list acd permit 0003.E300.0000 FFFF.FF00.0000...
Page 375 Applying AAA for Network Access Using MAC Addresses to Exempt Traffic from Authentication and Authorization hostname(config)# mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffff hostname(config)# mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000 hostname(config)# aaa mac-exempt match 1 Cisco Security Appliance Command Line Configuration Guide 19-17 OL-12172-03...
Page 376 Chapter 19 Applying AAA for Network Access Using MAC Addresses to Exempt Traffic from Authentication and Authorization Cisco Security Appliance Command Line Configuration Guide 19-18 OL-12172-03...
Page 377: Chapter 20 Applying Filtering Services
However, depending on the speed of your network and the capacity of your URL filtering server, the time required for the initial connection may be noticeably slower when filtering traffic with an external filtering server. Cisco Security Appliance Command Line Configuration Guide 20-1 OL-12172-03...
Page 378: Filtering Activex Objects
(or in shortened form, 0) to specify all hosts. The following example specifies that ActiveX objects are blocked on all outbound connections: hostname(config)# filter activex 80 0 0 0 0 Cisco Security Appliance Command Line Configuration Guide 20-2 OL-12172-03...
Page 379: Filtering Java Applets
This command prevents host 192.168.3.3 from downloading Java applets. To remove the configuration, use the no form of the command, as in the following example: hostname(config)# no filter java http 192.168.3.3 255.255.255.255 0 0 Cisco Security Appliance Command Line Configuration Guide 20-3 OL-12172-03...
Page 380: Filtering Urls And Ftp Requests With An External Server
You can identify up to four filtering servers per context. The security appliance uses the servers in order until a server responds. You can only configure a single type of server (Websense or Secure Computing SmartFilter ) in your configuration. Cisco Security Appliance Command Line Configuration Guide 20-4 OL-12172-03...
Page 381 To identify redundant Secure Computing SmartFilter servers, enter the following commands: hostname(config)# url-server (perimeter) vendor n2h2 host 10.0.1.1 hostname(config)# url-server (perimeter) vendor n2h2 host 10.0.1.2 This identifies two Sentian filtering servers, both on a perimeter interface of the security appliance. Cisco Security Appliance Command Line Configuration Guide 20-5 OL-12172-03...
Page 382: Buffering The Content Server Response
Replace size with a value for the cache size within the range 1 to 128 (KB). Use the dst keyword to cache entries based on the URL destination address. Select this mode if all users share the same URL filtering policy on the Websense server. Cisco Security Appliance Command Line Configuration Guide 20-6 OL-12172-03...
Page 383: Filtering Http Urls
By default, if a URL exceeds the maximum permitted size, then it is dropped. To avoid this, you can set the security appliance to truncate a long URL by entering the following command: Cisco Security Appliance Command Line Configuration Guide 20-7...
Page 384: Exempting Traffic From Filtering
Replace port[-port] with a range of port numbers if a different port than the default port for HTTPS (443) is used. Replace local_ip and local_mask with the IP address and subnet mask of a user or subnetwork making requests. Cisco Security Appliance Command Line Configuration Guide 20-8 OL-12172-03...
Page 385: Filtering Ftp Requests
Viewing Filtering Server Statistics, page 20-10 • Viewing Buffer Configuration and Statistics, page 20-11 Viewing Caching Statistics, page 20-11 • Viewing Filtering Performance Statistics, page 20-11 • Viewing Filtering Configuration, page 20-12 • Cisco Security Appliance Command Line Configuration Guide 20-9 OL-12172-03...
Page 386: Viewing Filtering Server Statistics
Response time average 60s/300s URL Packets Sent and Received Stats: ------------------------------------ Message Sent Received STATUS_REQUEST 1609 1601 LOOKUP_REQUEST 1526 1526 LOG_REQUEST Errors: ------- RFC noncompliant GET method URL buffer update failure Cisco Security Appliance Command Line Configuration Guide 20-10 OL-12172-03...
Page 387: Viewing Buffer Configuration And Statistics
The following is sample output from the show perfmon command: hostname# show perfmon PERFMON STATS: Current Average Xlates Connections TCP Conns UDP Conns URL Access URL Server Req TCP Fixup TCPIntercept HTTP Fixup Cisco Security Appliance Command Line Configuration Guide 20-11 OL-12172-03...
Page 388: Viewing Filtering Configuration
URL Access and URL Server Req rows. Viewing Filtering Configuration The following is sample output from the show running-config filter command: hostname# show running-config filter filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Cisco Security Appliance Command Line Configuration Guide 20-12 OL-12172-03...
Page 389: Chapter 21 Using Modular Policy Framework
Using a Layer 3/4 Class Map” section on page 21-2. (Application inspection only) Define special actions for application inspection traffic. See the “Configuring Special Actions for Application Inspections” section on page 21-6. Cisco Security Appliance Command Line Configuration Guide 21-1 OL-12172-03...
Page 390: Default Global Policy
You can create multiple Layer 3/4 class maps for each Layer 3/4 policy map. You can create the following types of class maps: Creating a Layer 3/4 Class Map for Through Traffic, page 21-3 • • Creating a Layer 3/4 Class Map for Management Traffic, page 21-5 Cisco Security Appliance Command Line Configuration Guide 21-2 OL-12172-03...
Page 391: Creating A Layer 3/4 Class Map For Through Traffic
Not all applications whose ports are included in the match default-inspection-traffic command are enabled by default in the policy map. Cisco Security Appliance Command Line Configuration Guide 21-3 OL-12172-03...
Page 392 "This class-map matches all HTTP traffic" hostname(config-cmap)# match port tcp eq http hostname(config-cmap)# class-map to_server hostname(config-cmap)# description "This class-map matches all traffic to server 10.1.1.1" hostname(config-cmap)# match access-list host_foo Cisco Security Appliance Command Line Configuration Guide 21-4 OL-12172-03...
Page 393: Creating A Layer 3/4 Class Map For Management Traffic
For a list of ports you can specify, see the “TCP and UDP Ports” section on page D-11. For example, enter the following command to match TCP packets on port 80 (HTTP): hostname(config-cmap)# match tcp eq 80 Cisco Security Appliance Command Line Configuration Guide 21-5 OL-12172-03...
Page 394: Configuring Special Actions For Application Inspections
You can use a regular expression to match the content of certain application traffic; for example, you can match a URL string inside an HTTP packet. Cisco Security Appliance Command Line Configuration Guide 21-6...
Page 395 Use Ctrl+V to escape all of the special characters in the CLI, such as question mark (?) or a tab. For example, type d[Ctrl+V]g to enter d?g in the configuration. See the regex command in the Cisco Security Appliance Command Reference for performance impact information when matching a regular expression to packets.
Page 396 If the regular expression does not match the input text, you see the following message: INFO: Regular expression match failed. To add a regular expression after you tested it, enter the following command: Step 2 Cisco Security Appliance Command Line Configuration Guide 21-8 OL-12172-03...
Page 397: Creating A Regular Expression Class Map
Traffic matches the class map if it includes the string “example.com” or “example2.com.” hostname(config)# regex url_example example\.com hostname(config)# regex url_example2 example2\.com hostname(config)# class-map type regex match-any URLs hostname(config-cmap)# match regex url_example hostname(config-cmap)# match regex url_example2 Cisco Security Appliance Command Line Configuration Guide 21-9 OL-12172-03...
Page 398: Identifying Traffic In An Inspection Class Map
The following example creates an HTTP class map that must match all criteria: hostname(config-cmap)# class-map type inspect http match-all http-traffic hostname(config-cmap)# match req-resp content-type mismatch hostname(config-cmap)# match request body length gt 1000 hostname(config-cmap)# match not request uri regex class URLs Cisco Security Appliance Command Line Configuration Guide 21-10 OL-12172-03...
Page 399: Defining Actions In An Inspection Policy Map
The drop-connection keyword drops the packet and closes the connection. The mask keyword masks out the matching portion of the packet. The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server and/or client. Cisco Security Appliance Command Line Configuration Guide 21-11 OL-12172-03...
Page 400 Cisco Security Appliance Command Line Configuration Guide 21-12 OL-12172-03...
Page 401: Defining Actions Using A Layer 3/4 Policy Map
Adding a Layer 3/4 Policy Map, page 21-16 Layer 3/4 Policy Map Overview This section describes how Layer 3/4 policy maps work, and includes the following topics: Policy Map Guidelines, page 21-14 • Cisco Security Appliance Command Line Configuration Guide 21-13 OL-12172-03...
Page 402: Policy Map Guidelines
Because the policy is applied to all interfaces, the policy will be applied in both directions so bidirectionality in this case is redundant. Cisco Security Appliance Command Line Configuration Guide 21-14 OL-12172-03...
Page 403: Feature Matching Guidelines Within A Policy Map
IPS inspection on the inside and outside interfaces, but the inside policy uses virtual sensor 1 while the outside policy uses virtual sensor 2, then a non-stateful Ping will match virtual sensor 1 outbound, but will match virtual sensor 2 inbound. Cisco Security Appliance Command Line Configuration Guide 21-15 OL-12172-03...
Page 404: Order In Which Multiple Feature Actions Are Applied
Adding a Layer 3/4 Policy Map The maximum number of policy maps is 64. To create a Layer 3/4 policy map, perform the following steps: Cisco Security Appliance Command Line Configuration Guide 21-16 OL-12172-03...
Page 405 The following example shows how multi-match works in a policy map: hostname(config)# class-map inspection_default hostname(config-cmap)# match default-inspection-traffic hostname(config)# class-map http_traffic hostname(config-cmap)# match port tcp eq 80 hostname(config)# policy-map outside_policy hostname(config-pmap)# class inspection_default Cisco Security Appliance Command Line Configuration Guide 21-17 OL-12172-03...
Page 406: Applying A Layer 3/4 Policy To An Interface Using A Service Policy
The default service policy includes the following command: service-policy global_policy global For example, the following command enables the inbound_policy policy map on the outside interface: Cisco Security Appliance Command Line Configuration Guide 21-18 OL-12172-03...
Page 407: Modular Policy Framework Examples
See the following commands for this example: hostname(config)# class-map http_traffic hostname(config-cmap)# match port tcp eq 80 hostname(config)# policy-map http_traffic_policy hostname(config-pmap)# class http_traffic hostname(config-pmap-c)# inspect http hostname(config-pmap-c)# police output 250000 hostname(config)# service-policy http_traffic_policy interface outside Cisco Security Appliance Command Line Configuration Guide 21-19 OL-12172-03...
Page 408: Applying Inspection To Http Traffic Globally
Host A See the following commands for this example: hostname(config)# class-map http_traffic hostname(config-cmap)# match port tcp eq 80 hostname(config)# policy-map http_traffic_policy hostname(config-pmap)# class http_traffic hostname(config-pmap-c)# inspect http hostname(config)# service-policy http_traffic_policy global Cisco Security Appliance Command Line Configuration Guide 21-20 OL-12172-03...
Page 409: Applying Inspection And Connection Limits To Http Traffic To Specific Servers
100 hostname(config)# policy-map policy_serverB hostname(config-pmap)# class http_serverB hostname(config-pmap-c)# inspect http hostname(config)# service-policy policy_serverB interface inside hostname(config)# service-policy policy_serverA interface outside Cisco Security Appliance Command Line Configuration Guide 21-21 OL-12172-03...
Page 410: Applying Inspection To Http Traffic With Nat
192.168.1.1 any eq 80 hostname(config)# class-map http_client hostname(config-cmap)# match access-list http_client hostname(config)# policy-map http_client hostname(config-pmap)# class http_client hostname(config-pmap-c)# inspect http hostname(config)# service-policy http_client interface inside Cisco Security Appliance Command Line Configuration Guide 21-22 OL-12172-03...
Page 411: Chapter 22 Managing The Aip Ssm And Csc Ssm
For information about the 4GE SSM for the ASA 5000 series adaptive security appliance, see Chapter 5, “Configuring Ethernet Settings, Redundant Interfaces, and Subinterfaces”. The Cisco PIX 500 series security appliances do not support SSMs. Note This chapter includes the following sections: Managing the AIP SSM, page 22-1 •...
Page 412: How The Aip Ssm Works With The Adaptive Security Appliance
IPS inspection can continue through the adaptive security appliance without first passing through, and being inspected by, the AIP SSM. This mode is the most secure because Cisco Security Appliance Command Line Configuration Guide 22-2 OL-12172-03...
Page 413: Using Virtual Sensors
See the IPS documentation for more information about virtual sensors, including the maximum number of sensors supported. Figure 22-3 shows one security context paired with one virtual sensor (in inline mode), while two security contexts share the same virtual sensor. Cisco Security Appliance Command Line Configuration Guide 22-3 OL-12172-03...
Page 414: Aip Ssm Procedure Overview
Virtual Sensors to Security Contexts” section on page 22-6. On the ASA 5500 series adaptive security appliance, identify traffic to divert to the AIP SSM. See “Diverting Traffic to the AIP SSM” section on page 22-8. Cisco Security Appliance Command Line Configuration Guide 22-4 OL-12172-03...
Page 415: Sessioning To The Aip Ssm
If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to export@cisco.com.
Page 416: Configuring The Security Policy On The Aip Ssm
Because the IPS software that runs on the AIP SSM is beyond the scope of this document, detailed configuration information is available in the following documents: Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface • Command Reference for Cisco Intrusion Prevention System •...
Page 417 A Cisco Security Appliance Command Line Configuration Guide 22-7 OL-12172-03...
Page 418: Diverting Traffic To The Aip Ssm
AIP SSM, you get an error, and the command is rejected. (Optional) To divert another class of traffic to the AIP SSM, and set the IPS policy, enter the following Step 4 commands: hostname(config-pmap-c)# class class_map_name2 Cisco Security Appliance Command Line Configuration Guide 22-8 OL-12172-03...
Page 419: Managing The Csc Ssm
Managing the CSC SSM This section includes the following topics: About the CSC SSM, page 22-10 • Cisco Security Appliance Command Line Configuration Guide 22-9 OL-12172-03...
Page 420: About The Csc Ssm
CSC SSM software, you access the web-based GUI for the CSC SSM by clicking links within ASDM. For instructions on use of the CSC SSM GUI, see the Trend Micro InterScan for Cisco CSC SSM Administrator Guide. Cisco Security Appliance Command Line Configuration Guide 22-10 OL-12172-03...
Page 421 Failover. The connections that a CSC SSM is scanning are dropped when the security appliance in which the CSC SSM is installed fails. When the standby adaptive security appliance becomes active, it will forward the scanned traffic to the CSC SSM and the connections will be reset. Cisco Security Appliance Command Line Configuration Guide 22-11 OL-12172-03...
Page 422: Getting Started With The Csc Ssm
To configure the adaptive security appliance and the CSC SSM, follow these steps: Step 1 If the CSC SSM did not come pre-installed in a Cisco ASA 5500 series adaptive security appliance, install it and connect a network cable to the management port of the SSM. For assistance with installation...
Page 423: Determining What Traffic To Scan
Before you modify them or enter advanced configuration settings, review the Trend Micro InterScan for Cisco CSC SSM Administrator Guide. You review the content security policies by viewing the enabled features in the CSC SSM GUI. The availability of features depends on the license level you have purchased.
Page 424 One approach is to define two service policies, one on the inside interface and the other on the outside interface, each with an access list that matches traffic to be scanned. The following access list can be used on the policy applied to the inside interface: Cisco Security Appliance Command Line Configuration Guide 22-14 OL-12172-03...
Page 425: Limiting Connections Through The Csc Ssm
You can use the set connection command to thwart DoS attacks. After you configure a per-client maximum that can be supported by hosts likely to be attacked, malicious clients will be unable to overwhelm hosts on protected networks. Cisco Security Appliance Command Line Configuration Guide 22-15 OL-12172-03...
Page 426: Diverting Traffic To The Csc Ssm
If you want to enforce a per-client limit for simultaneous connections that the adaptive security appliance diverts to the CSC SSM, use the set connection command, as follows: hostname(config-pmap-c)# set connection per-client-max n Cisco Security Appliance Command Line Configuration Guide 22-16 OL-12172-03...
Page 427 192.168.20.0 255.255.255.0 eq 25 hostname access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80 hostname class-map csc_inbound_class Cisco Security Appliance Command Line Configuration Guide 22-17 OL-12172-03...
Page 428: Checking Ssm Status
CSC SSM installed. hostname# show module 1 details Getting details from the Service Module, please wait... ASA 5500 Series Security Services Module-20 Model: ASA-SSM-20 Hardware version: Serial Number: Firmware version: 1.0(10)0 Cisco Security Appliance Command Line Configuration Guide 22-18 OL-12172-03...
Page 429: Transferring An Image Onto An Ssm
Image URL: tftp://10.21.18.1/ids-oldimg Port IP Address: 10.1.2.10 Port Mask: 255.255.255.0 Gateway IP Address: 10.1.2.254 To create or modify the recovery configuration, use the hw-module module recover command with the configure keyword: Cisco Security Appliance Command Line Configuration Guide 22-19 OL-12172-03...
Page 430 If the SSM supports configuration backups and you want to restore the configuration of the application Note running on the SSM, see the documentation of the specified SSM for details. Cisco Security Appliance Command Line Configuration Guide 22-20 OL-12172-03...
Page 431: Chapter 23 Preventing Network Attacks
This section includes the following topics: Basic Threat Detection Overview, page 23-2 • Configuring Basic Threat Detection, page 23-2 • Managing Basic Threat Statistics, page 23-4 • Cisco Security Appliance Command Line Configuration Guide 23-1 OL-12172-03...
Page 432: Basic Threat Detection Overview
To disable basic threat detection, enter the no threat-detection basic-threat command. Table 23-1 lists the default settings. You can view all these default settings using the show running-config all threat-detection command. Cisco Security Appliance Command Line Configuration Guide 23-2 OL-12172-03...
Page 433 The rate-interface rate_interval argument is between 600 seconds and 2592000 seconds (30 days). The rate interval is used to determine the length of time over which to average the drops. It also determines the burst threshold rate interval (see below). Cisco Security Appliance Command Line Configuration Guide 23-3 OL-12172-03...
Page 434: Managing Basic Threat Statistics
The following is sample output from the show threat-detection rate command: hostname# show threat-detection rate Average(eps) Current(eps) Trigger Total events 10-min ACL drop: 1-hour ACL drop: 1-hour SYN attck: 21438 10-min Scanning: Cisco Security Appliance Command Line Configuration Guide 23-4 OL-12172-03...
Page 435: Configuring Scanning Threat Detection
(Optional) To change the default event limit for when the security appliance identifies a host as an attacker or as a target, enter the following command: hostname(config)# threat-detection rate scanning-threat rate-interval rate_interval average-rate av_rate burst-rate burst_rate Cisco Security Appliance Command Line Configuration Guide 23-5 OL-12172-03...
Page 436: Managing Shunned Hosts
To release a host from being shunned, enter the following command: hostname# clear threat-detection shun [ ip_address [ mask ]] If you do not specify an IP address, all hosts are cleared from the shun list. Cisco Security Appliance Command Line Configuration Guide 23-6 OL-12172-03...
Page 437: Viewing Attackers And Targets
Access list statistics are only displayed using the show threat-detection top access-list command. • To enable statistics for hosts, enter the following command: hostname(config)# threat-detection statistics host Cisco Security Appliance Command Line Configuration Guide 23-7 OL-12172-03...
Page 438: Viewing Threat Statistics
UDP (protocol 17) are not included in the display for IP protocols; TCP and UDP ports are, however, included in the display for ports. If you only enable statistics for one of these types, port or protocol, then you will only view the enabled statistics. Cisco Security Appliance Command Line Configuration Guide 23-8 OL-12172-03...
Page 439 1-hour Sent pkts: 8-hour Sent pkts: 24-hour Sent pkts: 20-min Sent drop: 1-hour Sent drop: 1-hour Recv byte: 8-hour Recv byte: 24-hour Recv byte: 1-hour Recv pkts: Table 23-3 shows each field description. Cisco Security Appliance Command Line Configuration Guide 23-9 OL-12172-03...
Page 440 Shows the number of times the dropped packet rate limits were exceeded. For valid traffic identified in the sent and received bytes and packets rows, this value is always 0, because there are no rate limits to trigger for valid traffic. Cisco Security Appliance Command Line Configuration Guide 23-10 OL-12172-03...
Page 441: Configuring Tcp Normalization
Allow packets whose data length exceeds the TCP maximum segment size. The default is to drop • these packets, so use this command to allow them. hostname(config-tcp-map)# exceed-mss {allow | drop} Cisco Security Appliance Command Line Configuration Guide 23-11 OL-12172-03...
Page 442 To the endpoint host, however, it is the first packet that has been received by the attacker. In this case, an attacker is able to succeed without security preventing the attack. Cisco Security Appliance Command Line Configuration Guide 23-12 OL-12172-03...
Page 443 Cisco Security Appliance Command Line Configuration Guide 23-13 OL-12172-03...
Page 444: Configuring Connection Limits And Timeouts
3-way handshake packets to provide selective ACK and other TCP options for WebVPN connections. To disable TCP Intercept for management traffic, you can set the embryonic connection limit; only after the embryonic connection limit is reached is TCP Intercept enabled. Cisco Security Appliance Command Line Configuration Guide 23-14 OL-12172-03...
Page 445: Dead Connection Detection Overview
{[conn-max number ] [embryonic-conn-max number ] [per-client-embryonic-max number ] [per-client-max number ] [random-sequence-number {enable | disable}]} where number is an integer between 0 and 65535. The default is 0, which means no limit on connections. Cisco Security Appliance Command Line Configuration Guide 23-15 OL-12172-03...
Page 446: Preventing Ip Spoofing
Reverse Path Forwarding. For any traffic that you want to allow through the security appliance, the security appliance routing table must include a route back to the source address. See RFC 2267 for more information. Cisco Security Appliance Command Line Configuration Guide 23-16 OL-12172-03...
Page 447: Configuring The Fragment Size
To shun a connection manually, perform the following steps: If necessary, view information about the connection by entering the following command: Step 1 hostname# show conn The security appliance shows information about each connection, such as the following: Cisco Security Appliance Command Line Configuration Guide 23-17 OL-12172-03...
Page 448: Configuring Ip Audit For Basic Ips Support
Step 3 ip audit interface interface_name policy_name To disable signatures, or for more information about signatures, see the ip audit signature command in Step 4 the Cisco Security Appliance Command Reference. Cisco Security Appliance Command Line Configuration Guide 23-18 OL-12172-03...
Page 449: Chapter 24 Applying Qos Policies
A flow can be defined in a number of ways. In the security appliance, QoS can apply to a combination of source and destination IP addresses, source and destination port number, and the TOS byte of the IP header. Cisco Security Appliance Command Line Configuration Guide 24-1 OL-12172-03...
Page 450: Qos Concepts
Associating actions with each traffic class to formulate policies. Activating the policies. The specification of a classification policy—that is, the definition of traffic classes—is separate from the specification of the policies that act on the results of the classification. Cisco Security Appliance Command Line Configuration Guide 24-2 OL-12172-03...
Page 451 (priority-queue command) on each named, physical interface transmitting prioritized traffic. The following example enables a default priority-queue with the default queue-limit and tx-ring-limit: priority-queue name-interface The following sections explain each of these uses in more detail. Cisco Security Appliance Command Line Configuration Guide 24-3 OL-12172-03...
Page 452: Identifying Traffic For Qos
By creating a class-map (named “host-specific”), you can then police the “host-specific” class before the LAN-to-LAN connection polices the tunnel. In this example, the “host-specific” traffic is rate-limited before the tunnel, then the tunnel is rate-limited: Cisco Security Appliance Command Line Configuration Guide 24-4 OL-12172-03...
Page 453: Defining A Qos Policy Map
The following table summarizes the match command criteria available and relevant to QoS. For the full list of all match commands and their syntax, see Cisco Security Appliance Command Reference: Command Description match access-list Matches, by name or number, access list traffic within a class map.
Page 454: Applying Rate Limiting
LAN-to-LAN VPN flow if there is no police command defined for tunnel-group of LAN-to-LAN VPN. In other words, the policing values of class-default are never applied to the individual flow of a LAN-to-LAN VPN that exists before encryption. Cisco Security Appliance Command Line Configuration Guide 24-6 OL-12172-03...
Page 455: Activating The Service Policy
Using the policy-map example in the previous section, the following service-policy command activates the policy-map “qos,” defined in the previous section, for traffic on the outside interface: hostname(config)# service-policy qos interface outside Cisco Security Appliance Command Line Configuration Guide 24-7 OL-12172-03...
Page 456: Applying Low Latency Queueing
The queue-limit command specifies a maximum number of packets that can be queued to a priority queue before it drops data. This limit must be in the range of 0 through 2048 packets. Cisco Security Appliance Command Line Configuration Guide 24-8...
Page 457: Reducing Queue Latency
Create a class map or modify an existing class map to identify traffic that you want to police or to identify Step 2 as priority traffic. Use the class-map command to do so, as follows: hostname(config)# class-map class_map_name hostname(config-cmap)# Cisco Security Appliance Command Line Configuration Guide 24-9 OL-12172-03...
Page 458 • command. hostname(config-pmap-c)# priority Priority queuing does not occur automatically to traffic marked as priority. To enable priority Note queuing, you must complete Step 8 also, which enables the priority queues. Cisco Security Appliance Command Line Configuration Guide 24-10 OL-12172-03...
Page 459 For details about priority queuing, see the “Applying Low Latency Queueing” section on page 24-8 and the priority command page in the Cisco Security Appliance Command Reference. If you want the security appliance to police the traffic selected by the class map, enter the police •...
Page 460: Viewing Qos Configuration
Class-map: browse police Interface outside: cir 56000 bps, bc 10500 bytes conformed 10065 packets, 12621510 bytes; actions: transmit exceeded 499 packets, 625146 bytes; actions: drop conformed 5600 bps, exceed 5016 bps Cisco Security Appliance Command Line Configuration Guide 24-12 OL-12172-03...
Page 461: Viewing Qos Policy Map Configuration
The following is sample output from the show running-config priority-queue command for the interface named “test”: hostname(config)# show running-config priority-queue test priority-queue test queue-limit 2048 tx-ring-limit 256 hostname(config)# Cisco Security Appliance Command Line Configuration Guide 24-13 OL-12172-03...
Page 462: Viewing Qos Statistics
EXEC mode: hostname# show service-policy priority This is the same command you use to view configuration of policies that include the priority keyword. Note Cisco Security Appliance Command Line Configuration Guide 24-14 OL-12172-03...
Page 463: Viewing Qos Priority Queue Statistics
“Packets Enqueued” denotes the overall number of packets that have been queued in this queue. • “Current Q Length” denotes the current depth of this queue. • “Max Q Length” denotes the maximum depth that ever occurred in this queue. • Cisco Security Appliance Command Line Configuration Guide 24-15 OL-12172-03...
Page 464 Chapter 24 Applying QoS Policies Viewing QoS Statistics Cisco Security Appliance Command Line Configuration Guide 24-16 OL-12172-03...
Page 465: Chapter 25 Configuring Application Layer Protocol Inspection
• ICMP Inspection, page 25-52 • ICMP Error Inspection, page 25-52 ILS Inspection, page 25-52 • MGCP Inspection, page 25-53 • NetBIOS Inspection, page 25-58 • PPTP Inspection, page 25-60 • Cisco Security Appliance Command Line Configuration Guide 25-1 OL-12172-03...
Page 466: Inspection Engine Overview
When you enable application inspection for a service that uses dynamically assigned ports, the security appliance monitors sessions to identify the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session. Cisco Security Appliance Command Line Configuration Guide 25-2 OL-12172-03...
Page 467: Inspection Limitations
ICMP ERROR — — — All ICMP traffic is matched in the default class map. ILS (LDAP) TCP/389 No PAT. — — MGCP UDP/2427, — RFC 2705bis-05 — 2727 Cisco Security Appliance Command Line Configuration Guide 25-3 OL-12172-03...
Page 468 The default policy configuration includes the following commands: class-map inspection_default match default-inspection-traffic policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras Cisco Security Appliance Command Line Configuration Guide 25-4 OL-12172-03...
Page 469: Configuring Application Inspection
For example, to limit inspection to traffic from 10.1.1.0 to 192.168.1.0 using the default class map, enter the following commands: hostname(config)# access-list inspect extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 hostname(config)# class-map inspection_default hostname(config-cmap)# match access-list inspect View the entire class map using the following command: Cisco Security Appliance Command Line Configuration Guide 25-5 OL-12172-03...
Page 470 25-76. • To add or edit a Layer 3/4 policy map that sets the actions to take with the class map traffic, enter the Step 3 following command: hostname(config)# policy-map name Cisco Security Appliance Command Line Configuration Guide 25-6 OL-12172-03...
Page 471 If you added an ESMTP inspection policy map according to “Configuring an ESMTP Inspection Policy Map for Additional Inspection Control” section on page 25-24, identify the map name in this command. Cisco Security Appliance Command Line Configuration Guide 25-7 OL-12172-03...
Page 472 If you added a NetBIOS inspection policy map according to “Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control” section on page 25-58, identify the map name in this command. pptp — Cisco Security Appliance Command Line Configuration Guide 25-8 OL-12172-03...
Page 473 By default, the default policy map, “global_policy,” is applied globally. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface. Cisco Security Appliance Command Line Configuration Guide 25-9 OL-12172-03...
Page 474: Ctiqbe Inspection
Cisco IP SoftPhone requires the Cisco CallManager IP address to be specified explicitly in its Cisco TSP configuration on the PC. When using PAT or Outside PAT, if the Cisco CallManager IP address is to be translated, its TCP •...
Page 475: Verifying And Monitoring Ctiqbe Inspection
CTIQBE session setup across the security appliance. It is established between an internal CTI device (for example, a Cisco IP SoftPhone) at local address 10.0.0.99 and an external Cisco CallManager at 172.29.1.77, where TCP port 2748 is the Cisco CallManager. The heartbeat interval for the session is 120 seconds.
Page 476: Dcerpc Inspection
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode. (Optional) To add a description to the policy map, enter the following command: Step 2 hostname(config-pmap)# description string Cisco Security Appliance Command Line Configuration Guide 25-12 OL-12172-03...
Page 477: Dns Inspection
This section describes DNS application inspection. This section includes the following topics: • How DNS Application Inspection Works, page 25-14 How DNS Rewrite Works, page 25-14 • Configuring DNS Rewrite, page 25-15 • Verifying and Monitoring DNS Inspection, page 25-20 • Cisco Security Appliance Command Line Configuration Guide 25-13 OL-12172-03...
Page 478: How Dns Application Inspection Works
As long as DNS inspection remains enabled, you can configure DNS rewrite using the alias, static, or nat commands. For details about the configuration required see the “Configuring DNS Rewrite” section on page 25-15. Cisco Security Appliance Command Line Configuration Guide 25-14 OL-12172-03...
Page 479: Configuring Dns Rewrite
This section includes the following topics: Using the Static Command for DNS Rewrite, page 25-16 • Using the Static Command for DNS Rewrite, page 25-16 • Cisco Security Appliance Command Line Configuration Guide 25-15 OL-12172-03...
Page 480: Using The Static Command For Dns Rewrite
• For detailed syntax and additional functions for the alias, nat, and static command, see the appropriate command page in the Cisco Security Appliance Command Reference. Using the Static Command for DNS Rewrite The static command causes addresses on an IP network residing on a specific interface to be translated into addresses on another IP network on a different interface.
Page 481: Dns Rewrite With Three Nat Zones
DNS inspection allows NAT to operate transparently with a DNS server with minimal configuration. For configuration instructions for scenarios like this one, see the “Configuring DNS Rewrite with Three NAT Zones” section on page 25-19. Cisco Security Appliance Command Line Configuration Guide 25-17 OL-12172-03...
Page 482 The host running the web client sends the DNS server a request for the IP address of server.example.com. The DNS server responds with the IP address 209.165.200.225 in the reply. Cisco Security Appliance Command Line Configuration Guide 25-18 OL-12172-03...
Page 483: Configuring Dns Rewrite With Three Nat Zones
TCP port that the web server listens to for HTTP requests. Apply the access list created in Step 2 to the outside interface. To do so, use the access-group command, Step 3 as follows: hostname(config)# access-group acl-name in interface outside Cisco Security Appliance Command Line Configuration Guide 25-19 OL-12172-03...
Page 484: Verifying And Monitoring Dns Inspection
To display the statistics for DNS application inspection, enter the show service-policy command. The following is sample output from the show service-policy command: hostname# show service-policy Interface outside: Service-policy: sample_policy Class-map: dns_port Inspect: dns maximum-length 1500, packet 0, drop 0, reset-drop 0 Cisco Security Appliance Command Line Configuration Guide 25-20 OL-12172-03...
Page 485: Configuring A Dns Inspection Policy Map For Additional Inspection Control
The CLI enters class-map configuration mode, where you can enter one or more match commands. (Optional) To add a description to the class map, enter the following command: hostname(config-cmap)# description string Cisco Security Appliance Command Line Configuration Guide 25-21 OL-12172-03...
Page 486 Specify traffic directly in the policy map using one of the match commands described in Step • If you use a match not command, then any traffic that does not match the criterion in the match not command has the action applied. Cisco Security Appliance Command Line Configuration Guide 25-22 OL-12172-03...
Page 487 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate } Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
Page 488: Esmtp Inspection
To apply actions to matching traffic, perform the following steps. Step 5 Specify the traffic on which you want to perform actions using one of the following methods: Cisco Security Appliance Command Line Configuration Guide 25-24 OL-12172-03...
Page 489 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate } Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
Page 490: Ftp Inspection
“Configuring an FTP Inspection Policy Map for Additional Inspection Control” section on page 25-27. After you enable the strict option on an interface, FTP inspection enforces the following behavior: Cisco Security Appliance Command Line Configuration Guide 25-26 OL-12172-03...
Page 491: Configuring An Ftp Inspection Policy Map For Additional Inspection Control
FTP commands, then create and configure an FTP map. You can then apply the FTP map when you enable FTP inspection according to the “Configuring Application Inspection” section on page 25-5. To create an FTP map, perform the following steps: Cisco Security Appliance Command Line Configuration Guide 25-27 OL-12172-03...
Page 492 [not] request-command ftp_command [ ftp_command ...] Where ftp_command with one or more FTP commands that you want to restrict. See Table 25-3 a list of the FTP commands that you can restrict. Cisco Security Appliance Command Line Configuration Guide 25-28 OL-12172-03...
Page 493 Specify the traffic on which you want to perform actions using one of the following methods: Specify the FTP class map that you created in Step 3 by entering the following command: • hostname(config-pmap)# class class_map_name hostname(config-pmap-c)# Cisco Security Appliance Command Line Configuration Guide 25-29 OL-12172-03...
Page 494 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate } Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
Page 495: Verifying And Monitoring Ftp Inspection
Internet. The GGSN is the interface between the GPRS wireless data network and other networks. The SGSN performs mobility, data session management, and data compression (See Figure 25-3). Cisco Security Appliance Command Line Configuration Guide 25-31 OL-12172-03...
Page 496: Configuring A Gtp Inspection Policy Map For Additional Inspection Control
GTP map, which is preconfigured with the following default values: • request-queue 200 timeout gsn 0:30:00 • timeout pdp-context 0:30:00 • timeout request 0:01:00 • Cisco Security Appliance Command Line Configuration Guide 25-32 OL-12172-03...
Page 497 IMSI Prefix filtering. The MCC and MNC in the IMSI of the received packet is compared with the MCC/MNC configured with this command and is dropped if it does not match. Cisco Security Appliance Command Line Configuration Guide 25-33...
Page 498 Use the object-group command to define a new network object group that will represent the SGSN that sends GTP requests to the GSN pool. hostname(config)# object-group network SGSN-name hostname(config-network)# For example, the following command creates an object group named sgsn32: Cisco Security Appliance Command Line Configuration Guide 25-34 OL-12172-03...
Page 499 The gsn keyword specifies the period of inactivity after which a GSN will be removed. The pdp-context keyword specifies the maximum period of time allowed before beginning to receive the PDP context. Cisco Security Appliance Command Line Configuration Guide 25-35 OL-12172-03...
Page 500: Verifying And Monitoring Gtp Inspection
Verifying and Monitoring GTP Inspection To display GTP configuration, enter the show service-policy inspect gtp command in privileged EXEC mode. For the detailed syntax for this command, see the command page in the Cisco Security Appliance Command Reference. Use the show service-policy inspect gtp statistics command to show the statistics for GTP inspection.
Page 501: H.323 Inspection
H.323 Inspection Overview, page 25-38 • How H.323 Works, page 25-38 • Limitations and Restrictions, page 25-39 • Configuring H.323 and H.225 Timeout Values, page 25-42 • Verifying and Monitoring H.323 Inspection, page 25-42 • Cisco Security Appliance Command Line Configuration Guide 25-37 OL-12172-03...
Page 502: H.323 Inspection Overview
H.323 Inspection H.323 Inspection Overview H.323 inspection provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union for multimedia conferences over LANs. The security appliance supports H.323 through Version 4, including H.323 v3 feature Multiple Calls on One Call Signaling Channel.
Page 503: Limitations And Restrictions
Cisco Security Appliance Command Line Configuration Guide 25-39...
Page 504 Specify the action you want to perform on the matching traffic by entering the following command: hostname(config-pmap-c)# {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate } Cisco Security Appliance Command Line Configuration Guide 25-40 OL-12172-03...
Page 505 Configuring Application Layer Protocol Inspection H.323 Inspection Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available. The drop keyword drops all packets that match.
Page 506: Configuring H.323 And H.225 Timeout Values
If they are not, then there is a problem that needs to be investigated. Cisco Security Appliance Command Line Configuration Guide 25-42...
Page 507: Monitoring H.245 Sessions
The second LCN of 259 has a foreign RTP IP address/port pair of 172.30.254.203/49606 and an RTCP IP address/port pair of 172.30.254.203/49607 with a local RTP IP address/port pair of 10.130.56.3/49606 and RTCP port of 49607. Cisco Security Appliance Command Line Configuration Guide 25-43 OL-12172-03...
Page 508: Monitoring H.323 Ras Sessions
Control”), can help prevent attackers from using HTTP messages for circumventing network security policy. It verifies the following for all HTTP messages: Conformance to RFC 2616 • Use of RFC-defined methods only. • Compliance with the additional criteria. • Cisco Security Appliance Command Line Configuration Guide 25-44 OL-12172-03...
Page 509: Configuring An Http Inspection Policy Map For Additional Inspection Control
HTTP request message, enter the following command: hostname(config-cmap)# match [not] req-resp content-type mismatch (Optional) To match text found in the HTTP request message arguments, enter the following command: Cisco Security Appliance Command Line Configuration Guide 25-45 OL-12172-03...
Page 510 [not] response header {[ field ] [regex [ regex_name | class regex_class_name ]] | [length gt max_length_bytes | count gt max_count ]} Cisco Security Appliance Command Line Configuration Guide 25-46 OL-12172-03...
Page 511 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate } Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
Page 512: Instant Messaging Inspection
This section describes the IM inspection engine. This section includes the following topics: IM Inspection Overview, page 25-49 • Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control, • page 25-49 Cisco Security Appliance Command Line Configuration Guide 25-48 OL-12172-03...
Page 513: Im Inspection Overview
Where the string is the description of the class map (up to 200 characters). (Optional) To match traffic of a specific IM protocol, such as Yahoo or MSN, enter the following command: hostname(config-cmap)# match [not] protocol {im-yahoo | im-msn} Cisco Security Appliance Command Line Configuration Guide 25-49 OL-12172-03...
Page 514 (Optional) To add a description to the policy map, enter the following command: Step 5 hostname(config-pmap)# description string Specify the traffic on which you want to perform actions using one of the following methods: Step 6 Cisco Security Appliance Command Line Configuration Guide 25-50 OL-12172-03...
Page 515 Cisco Security Appliance Command Line Configuration Guide 25-51 OL-12172-03...
Page 516: Icmp Inspection
The security appliance supports NAT for ILS, which is used to register and locate endpoints in the ILS or SiteServer Directory. PAT cannot be supported because only IP addresses are stored by an LDAP database. Cisco Security Appliance Command Line Configuration Guide 25-52 OL-12172-03...
Page 517: Mgcp Inspection
This section describes MGCP application inspection. This section includes the following topics: MGCP Inspection Overview, page 25-54 • Configuring an MGCP Inspection Policy Map for Additional Inspection Control, page 25-56 • Configuring MGCP Timeout Values, page 25-57 • Cisco Security Appliance Command Line Configuration Guide 25-53 OL-12172-03...
Page 518: Mgcp Inspection Overview
Figure 25-4 illustrates how NAT can be used with MGCP. Cisco Security Appliance Command Line Configuration Guide 25-54 OL-12172-03...
Page 519 Response header, optionally followed by a session description. The port on which the gateway receives commands from the call agent. Gateways usually listen to • UDP port 2427. Cisco Security Appliance Command Line Configuration Guide 25-55 OL-12172-03...
Page 520: Configuring An Mgcp Inspection Policy Map For Additional Inspection Control
MGCP end points to register with the call agent. To configure the gateways, enter the following command for each gateway: hostname(config-pmap-p)# gateway ip_address group_id Cisco Security Appliance Command Line Configuration Guide 25-56 OL-12172-03...
Page 521: Configuring Mgcp Timeout Values
The timeout mgcp-pat command lets you set the timeout for PAT xlates. Because MGCP does not have a keepalive mechanism, if you use non-Cisco MGCP gateways (call agents), the PAT xlates are torn down after the default timeout interval, which is 30 seconds.
Page 522: Netbios Inspection
Specify the traffic on which you want to perform actions using one of the following methods: Specify the NetBIOS class map that you created in Step 3 by entering the following command: • hostname(config-pmap)# class class_map_name hostname(config-pmap-c)# Cisco Security Appliance Command Line Configuration Guide 25-58 OL-12172-03...
Page 523 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate } Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
Page 524: Pptp Inspection
If the shared secret is not configured, the security appliance does not need to validate the source of the message and will only check that the source IP address is one of the configured addresses allowed to send the RADIUS messages. Cisco Security Appliance Command Line Configuration Guide 25-60 OL-12172-03...
Page 525: Configuring A Radius Inspection Policy Map For Additional Inspection Control
Restrictions and Limitations, page 25-62 • RTSP Inspection Overview The RTSP inspection engine lets the security appliance pass RTSP packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. Cisco Security Appliance Command Line Configuration Guide 25-61 OL-12172-03...
Page 526: Using Realplayer
SDP files as part of HTTP or RTSP messages. Packets could be fragmented and security appliance cannot perform NAT on fragmented packets. With Cisco IP/TV, the number of translates the security appliance performs on the SDP part of the •...
Page 527: Configuring An Rtsp Inspection Policy Map For Additional Inspection Control
Configuring Application Layer Protocol Inspection RTSP Inspection You can configure NAT for Apple QuickTime 4 or RealPlayer. Cisco IP/TV only works with NAT • if the Viewer and Content Manager are on the outside network and the server is on the inside network.
Page 528 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate } Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
Page 529: Sip Inspection
Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses. The following limitations and restrictions apply when using PAT with SIP: Cisco Security Appliance Command Line Configuration Guide 25-65 OL-12172-03...
Page 530: Sip Instant Messaging
SIP application and be translated. enters class-map configuration mode, where you can enter one or more match commands. (Optional) To add a description to the class map, enter the following command: hostname(config-cmap)# description string Cisco Security Appliance Command Line Configuration Guide 25-66 OL-12172-03...
Page 531: Configuring A Sip Inspection Policy Map For Additional Inspection Control
The CLI enters class-map configuration mode, where you can enter one or more match commands. (Optional) To add a description to the class map, enter the following command: hostname(config-cmap)# description string Cisco Security Appliance Command Line Configuration Guide 25-67 OL-12172-03...
Page 532 Where length is the number of bytes the URI is greater than. 0 to 65536. Create a SIP inspection policy map, enter the following command: Step 4 hostname(config)# policy-map type inspect sip policy_map_name hostname(config-pmap)# Cisco Security Appliance Command Line Configuration Guide 25-68 OL-12172-03...
Page 533 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate } Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
Page 534: Configuring Sip Timeout Values
SIP control connection, enter the following command: hostname(config)# timeout sip hh : mm : ss This command configures the idle timeout after which a SIP control connection is closed. Cisco Security Appliance Command Line Configuration Guide 25-70 OL-12172-03...
Page 535: Verifying And Monitoring Sip Inspection
This section describes SCCP application inspection. This section includes the following topics: SCCP Inspection Overview, page 25-72 • Supporting Cisco IP Phones, page 25-72 • Restrictions and Limitations, page 25-72 • Verifying and Monitoring SCCP Inspection, page 25-73 • Cisco Security Appliance Command Line Configuration Guide 25-71 OL-12172-03...
Page 536: Sccp Inspection Overview
The security appliance also supports DHCP options 150 and 66, which it accomplishes by sending the location of a TFTP server to Cisco IP Phones and other DHCP clients. Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route.
Page 537: Verifying And Monitoring Sccp Inspection
MEDIA 10.0.0.22/20798 172.18.1.11/22948 The output indicates that a call has been established between two internal Cisco IP Phones. The RTP listening ports of the first and second phones are UDP 22948 and 20798 respectively. The following is sample output from the show xlate debug command for these Skinny connections:...
Page 538 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate } Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
Page 539: Smtp And Extended Smtp Inspection
SMTP commands must be at least four characters in length; must be terminated with carriage return and line feed; and must wait for a response before issuing the next reply. Cisco Security Appliance Command Line Configuration Guide 25-75...
Page 540: Snmp Inspection
To specify the versions of SNMP to deny, enter the following command for each version: hostname(config-snmp-map)# deny version version hostname(config-snmp-map)# where version is 1, 2, 2c, or 3. The following example denies SNMP Versions 1 and 2: hostname(config)# snmp-map sample_map hostname(config-snmp-map)# deny version 1 Cisco Security Appliance Command Line Configuration Guide 25-76 OL-12172-03...
Page 541: Sql*Net Inspection
This section describes Sun RPC application inspection. This section includes the following topics: Sun RPC Inspection Overview, page 25-78 • Managing Sun RPC Services, page 25-78 • Verifying and Monitoring Sun RPC Inspection, page 25-79 • Cisco Security Appliance Command Line Configuration Guide 25-77 OL-12172-03...
Page 542: Sun Rpc Inspection Overview
To clear the active Sun RPC services, enter the following command: hostname(config)# clear sunrpc-server active This clears the pinholes that are opened by Sun RPC application inspec