Cisco PIX 500 Series Configuration Manual

Security appliance command line

Cisco Security Appliance Command Line
Configuration Guide
For the Cisco ASA 5500 Series and Cisco PIX 500 Series
Software Version 8.0(1)
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Customer Order Number: N/A, Online only
Text Part Number: OL-12172-03

Summary of Contents for Cisco PIX 500 Series

  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.;...
  • Page 3: Table Of Contents

    Sending Traffic to the Content Security and Control Security Services Module Applying QoS Policies Applying Connection Limits and TCP Normalization Enabling Threat Detection Firewall Mode Overview Stateful Inspection Overview VPN Functional Overview Intrusion Prevention Services Functional Overview Security Context Overview Cisco Security Appliance Command Line Configuration Guide OL-12172-03...
  • Page 4 Management Access to Security Contexts System Administrator Access Context Administrator Access 3-10 Enabling or Disabling Multiple Context Mode 3-10 Backing Up the Single Mode Configuration 3-10 Enabling Multiple Context Mode 3-10 Restoring Single Context Mode 3-11
  • Page 5 Contents Chapter: Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Overview Understanding ASA 5505 Ports and Interfaces Maximum Active VLAN Interfaces for Your License Default Interface Configuration...
  • Page 6 Allowing Communication Between Interfaces on the Same Security Level Chapter: Configuring Basic Settings Changing the Login Password Changing the Enable Password Setting the Hostname Setting the Domain Name
  • Page 7 9-21 Enabling RIP Authentication 9-22 Monitoring RIP 9-22 Configuring EIGRP 9-23 EIGRP Routing Overview 9-23 Enabling and Configuring EIGRP Routing 9-24 Enabling and Configuring EIGRP Stub Routing 9-25 Enabling EIGRP Authentication 9-26
  • Page 8 Configuring a DHCP Server 10-1 Enabling the DHCP Server 10-2 Configuring DHCP Options 10-3 Using Cisco IP Phones with a DHCP Server 10-4 Configuring DHCP Relay Services 10-5 Configuring Dynamic DNS 10-6 Example 1: Client Updates Both A and PTR RRs for Static IP Addresses 10-7 Example 2: Client Updates Both A and PTR RRs;...
  • Page 9 Configuring IPv6 Default and Static Routes 12-5 Configuring IPv6 Access Lists 12-6 Configuring IPv6 Neighbor Discovery 12-7 Configuring Neighbor Solicitation Messages 12-7 Configuring Router Advertisement Messages 12-9 Configuring a Static IPv6 Neighbor 12-11
  • Page 10 Using Certificates and User Login Credentials 13-16 Using User Login Credentials 13-16 Using Certificates 13-16 Supporting a Zone Labs Integrity Server 13-17 Overview of Integrity Server and Security Appliance Interaction 13-17 Configuring Integrity Server Support 13-18
  • Page 11 14-18 Configuring Failover 14-19 Failover Configuration Limitations 14-19 Configuring Active/Standby Failover 14-19 Prerequisites 14-20 Configuring Cable-Based Active/Standby Failover (PIX 500 Series Security Appliance Only) 14-20 Configuring LAN-Based Active/Standby Failover 14-21 Configuring Optional Active/Standby Failover Settings 14-25 Configuring Active/Active Failover 14-27...
  • Page 12 Passing Traffic Not Allowed in Routed Mode 15-7 MAC Address vs. Route Lookups 15-8 Using the Transparent Firewall in Your Network 15-9 Transparent Firewall Guidelines 15-9 Unsupported Features in Transparent Mode 15-10
  • Page 13 Adding an ICMP Type Object Group 16-14 Nesting Object Groups 16-15 Using Object Groups with an Access List 16-16 Displaying Object Groups 16-17 Removing Object Groups 16-17 Adding Remarks to Access Lists 16-17
  • Page 14 Using Static NAT 17-26 Using Static PAT 17-27 Bypassing NAT 17-30 Configuring Identity NAT 17-30 Configuring Static Identity NAT 17-31 Configuring NAT Exemption 17-33 NAT Examples 17-34 Overlapping Networks 17-34 Redirecting Ports 17-36
  • Page 15 Filtering URLs and FTP Requests with an External Server 20-4 URL Filtering Overview 20-4 Identifying the Filtering Server 20-4 Buffering the Content Server Response 20-6 Caching Server Addresses 20-6 Filtering HTTP URLs 20-7 Configuring HTTP Filtering 20-7
  • Page 16 Applying Inspection and QoS Policing to HTTP Traffic 21-19 Applying Inspection to HTTP Traffic Globally 21-20 Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers 21-21 Applying Inspection to HTTP Traffic with NAT 21-22
  • Page 17 Configuring TCP Normalization 23-11 Configuring Connection Limits and Timeouts 23-14 Connection Limit Overview 23-14 TCP Intercept Overview 23-14 Disabling TCP Intercept for Management Packets for WebVPN Compatibility 23-14 Dead Connection Detection Overview 23-15
  • Page 18 Chapter: Inspection Engine Overview 25-2 When to Use Application Protocol Inspection 25-2 Inspection Limitations 25-3 Default Inspection Policy 25-3 Configuring Application Inspection 25-5 CTIQBE Inspection 25-10 CTIQBE Inspection Overview 25-10
  • Page 19 Configuring H.323 and H.225 Timeout Values 25-42 Verifying and Monitoring H.323 Inspection 25-42 Monitoring H.225 Sessions 25-42 Monitoring H.245 Sessions 25-43 Monitoring H.323 RAS Sessions 25-44 HTTP Inspection 25-44 HTTP Inspection Overview 25-44
  • Page 20 25-72 Restrictions and Limitations 25-72 Verifying and Monitoring SCCP Inspection 25-73 Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control 25-73 SMTP and Extended SMTP Inspection 25-75 SNMP Inspection 25-76
  • Page 21 ISAKMP Overview 27-2 Configuring ISAKMP Policies 27-5 Enabling ISAKMP on the Outside Interface 27-6 Disabling ISAKMP in Aggressive Mode 27-6 Determining an ID Method for ISAKMP Peers 27-6 Enabling IPSec over NAT-T 27-7
  • Page 22 Chapter: Configuring VPNs in Single, Routed Mode 29-1 Configuring IPSec to Bypass ACLs 29-1 Permitting Intra-Interface Traffic 29-2 NAT Considerations for Intra-Interface Traffic 29-3 Setting Maximum Active IPSec VPN Sessions 29-3
  • Page 23 Configuring Connection Profiles for Clientless SSL VPN Sessions 30-19 Specifying a Connection Profile Name and Type for Clientless SSL VPN Sessions 30-19 Configuring General Tunnel-Group Attributes for Clientless SSL VPN Sessions 30-19
  • Page 24 Configuring Attributes for Specific Users 30-73 Setting a User Password and Privilege Level 30-74 Configuring User Attributes 30-74 Configuring VPN User Attributes 30-75 Configuring Clientless SSL VPN Access for Specific Users 30-79
  • Page 25 Changing Global NAC Framework Settings 33-8 Changing Clientless Authentication Settings 33-8 Enabling and Disabling Clientless Authentication 33-9 Changing the Login Credentials Used for Clientless Authentication 33-9 Changing NAC Framework Session Attributes 33-10
  • Page 26 Contents Chapter: Configuring Easy VPN Services on the ASA 5505 34-1 Specifying the Client/Server Role of the Cisco ASA 5505 34-2 Specifying the Primary and Secondary Servers 34-3 Specifying the Mode 34-3 Configuring Automatic Xauth Authentication...
  • Page 27 Preparing the Security Appliance for a Plug-in 37-25 Providing Access to Plug-ins Redistributed By Cisco 37-25 Providing Access to Plug-ins Not Redistributed By Cisco—Example: Citrix Java Presentation Server Client Plug-in 37-27 Preparing the Citrix MetaFrame Server for Clientless SSL VPN Access...
  • Page 28 Viewing the Clientless SSL VPN Home Page 37-54 Viewing the Clientless SSL VPN Application Access Panel 37-55 Viewing the Floating Toolbar 37-56 Customizing Clientless SSL VPN Pages 37-56 How Customization Works 37-57 Exporting a Customization Template 37-57
  • Page 29 37-64 Customizing Help 37-65 Customizing a Help File Provided By Cisco 37-66 Creating Help Files for Languages Not Provided by Cisco 37-66 Importing a Help File to Flash Memory 37-67 Exporting a Previously Imported Help File from Flash Memory 37-67...
  • Page 30 The Default Local CA Server 39-17 Customizing the Local CA Server 39-19 Certificate Characteristics 39-20 Defining Storage for Local CA Files 39-22 Default Flash Memory Data Storage 39-22 Setting up External Local CA File Storage 39-23
  • Page 31 Allowing HTTPS Access for ASDM 40-3 Enabling HTTPS Access 40-4 Accessing ASDM from Your PC 40-4 Managing the Security Appliance on a Different Interface from the VPN Tunnel Termination Interface 40-5
  • Page 32 41-9 Backing Up Additional Files Using the Export and Import Commands 41-9 Using a Script to Back Up and Restore Files 41-10 Prerequisites 41-10 Running the Script 41-11 Sample Script 41-11
  • Page 33 Changing the Severity Level of a System Log Message 42-22 Changing the Amount of Internal Flash Memory Available for Logs 42-23 Understanding System Log Messages 42-24 System Log Message Format 42-24 Severity Levels 42-24
  • Page 34 Reloading the Security Appliance 43-6 Performing Password Recovery 43-6 Recovering Passwords for the ASA 5500 Series Adaptive Security Appliance 43-7 Recovering Passwords for the PIX 500 Series Security Appliance 43-8 Disabling Password Recovery 43-9 Resetting the Password on the SSM Hardware Module 43-10...
  • Page 35 B-31 Example 12: Primary ctx1 Context Configuration B-32 Example 12: Secondary Unit Configuration B-32 Example 13: Dual ISP Support Using Static Route Tracking B-33 Example 14: ASA 5505 Base License B-34
  • Page 36 Subnet Masks Determining the Subnet Mask Determining the Address to Use with the Subnet Mask IPv6 Addresses IPv6 Address Format IPv6 Address Types Unicast Addresses Multicast Address Anycast Address Required Addresses D-10
  • Page 37 Configuring an External RADIUS Server E-33 Reviewing the RADIUS Configuration Procedure E-33 Security Appliance RADIUS Authorization Attributes E-34 Security Appliance TACACS+ Attributes E-40 Glossary Index
  • Page 38 Contents
  • Page 39: About This Guide

    Help for less common scenarios. For more information, see: http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdm/index.htm This guide applies to the Cisco PIX 500 series security appliances (PIX 515E, PIX 525, and PIX 535) and the Cisco ASA 5500 series security appliances (ASA 5505, ASA 5510, ASA 5520, ASA 5540, and ASA 5550).
  • Page 40: Related Documentation

    Cisco Security Appliance Command Reference • Cisco Security Appliance Logging Configuration and System Log Messages • Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0 • Migrating to ASA for VPN 3000 Series Concentrator Administrators •...
  • Page 41 Part 3: Configuring VPN. Chapter 27, “Configuring IPSec and ISAKMP,” describes how to configure ISAKMP and IPSec tunneling to build and manage VPN “tunnels,” or secure connections between remote users and a private corporate network.
  • Page 42 ...Security Appliance,” describes how to monitor the security appliance. Chapter 43, “Troubleshooting the Security Appliance,” describes how to troubleshoot the security appliance. Part 4: Reference. Appendix A, “Feature Licenses and Specifications,” describes the feature licenses and specifications.
  • Page 43: Document Conventions

    For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
  • Page 44 About This Guide Obtaining Documentation, Obtaining Support, and Security Guidelines
  • Page 45 Part: Getting Started and General Information...
  • Page 47: Introduction To The Security Appliance

    WebVPN support, and many more features. See Appendix A, “Feature Licenses and Specifications,” for a list of supported platforms and features. For a list of new features, see the Cisco ASA 5500 Series Release Notes or the Cisco PIX Security Appliance Release Notes.
  • Page 48: Security Policy Overview

    Using AAA for Through Traffic You can require authentication and/or authorization for certain types of traffic, for example, for HTTP. The security appliance also sends accounting information to a RADIUS or TACACS+ server.
  • Page 49: Applying Http, Https, Or Ftp Filtering

    You can configure scanning threat detection and basic threat detection, and also how to use statistics to analyze threats. Basic threat detection detects activity that might be related to an attack, such as a DoS attack, and automatically sends a system log message.
  • Page 50 – Performing route lookups – Allocating NAT translations (xlates) – Establishing sessions in the “fast path” The session management path and the fast path make up the “accelerated security path.”
  • Page 51: Vpn Functional Overview

    • Manages data transfer across the tunnel • Manages data transfer inbound and outbound as a tunnel endpoint or router The security appliance invokes various standard protocols to accomplish these functions.
  • Page 52: Intrusion Prevention Services Functional Overview

    Intrusion Prevention Services Functional Overview The Cisco ASA 5500 series adaptive security appliance supports the AIP SSM, an intrusion prevention services module that monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library. When the system detects unauthorized activity, it can terminate the specific connection, permanently block the attacking host, log the incident, and send an alert to the device manager.
  • Page 53: Chapter 2 Getting Started

    • Getting Started with Your Platform Model This guide applies to multiple security appliance platforms and models: the PIX 500 series security appliances and the ASA 5500 series adaptive security appliances. There are some hardware differences between the PIX and the ASA security appliance. Moreover, the ASA 5505 includes a built-in switch, and requires some special configuration.
  • Page 54: Restoring The Factory Default Configuration

    • All inside IP addresses are translated when accessing the outside using interface PAT. • By default, inside users can access the outside, and outside users are prevented from accessing the inside.
  • Page 55: Asa 5510 And Higher Default Configuration

    • The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254. • The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
  • Page 56: Pix 515/515E Default Configuration

    Note: If you want to use ASDM to configure the security appliance instead of the command-line interface, you can connect to the default management address of 192.168.1.1 (if your security appliance includes a factory default configuration. See the “Factory Default Configurations” section on page 2-1.). On the...
  • Page 57: Setting Transparent Or Routed Firewall Mode

    You can set the security appliance to run in routed firewall mode (the default) or transparent firewall mode. For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system execution space.
  • Page 58: Working With The Configuration

    Creating Text Configuration Files Offline, page 2-9 Saving Configuration Changes This section describes how to save your configuration, and includes the following topics: • Saving Configuration Changes in Single Context Mode, page 2-7
  • Page 59: Saving Configuration Changes In Single Context Mode

    Sometimes, a context is not saved because of an error. See the following information for errors: • For contexts that are not saved because of low memory, the following message appears: The context 'context a' could not be saved due to Unavailability of resources
  • Page 60: Copying The Startup Configuration To The Running Configuration

    Viewing the Configuration The following commands let you view the running and startup configurations. • To view the running configuration, enter the following command: hostname# show running-config
  • Page 61: Clearing And Removing Configuration Settings

    Alternatively, you can download a text file to the security appliance internal Flash memory. See Chapter 41, “Managing Software, Licenses, and Configurations,” for information on downloading the configuration file to the security appliance.
  • Page 62 In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows: context a For additional information about formatting the file, see Appendix C, “Using the Command-Line Interface.”
  • Page 63 • You are a large enterprise or a college campus and want to keep departments completely separate. • You are an enterprise that wants to provide distinct security policies to different departments. • You have any network that requires more than one security appliance.
  • Page 64: Security Context Overview

    The admin context must reside on Flash memory, and not remotely.
  • Page 65: How The Security Appliance Classifies Packets

    The classifier relies on the NAT configuration to determine the subnets in each context. The classifier matches the destination IP address to either a static command or...
  • Page 66: Invalid Classifier Criteria

  • Page 67: Classification Examples

    [Figure: classification example with unique MAC addresses. The Admin Context, Context A, and Context B sit on subinterfaces GE 0/1.1, GE 0/1.2, and GE 0/1.3 (MAC 000C.F142.4CDA, 000C.F142.4CDB, 000C.F142.4CDC) in front of the Inside Admin Network, Inside Customer A, and Inside Customer B hosts at 209.165.202.129, 209.165.200.225, and 209.165.201.1.]
  • Page 68 (the Web, for example), and addresses are not predictable for an outside NAT configuration. If you share an inside interface, we suggest you use unique MAC addresses.
  • Page 69 [Figure: Incoming Traffic from Inside Networks. The classifier on GE 0/0.1 faces the Internet; the Admin Context, Context A, and Context B sit on subinterfaces GE 0/1.1, GE 0/1.2, and GE 0/1.3, and the Inside Admin Network, Inside Customer A, and Inside Customer B hosts all use the address 10.1.1.13.]
  • Page 70: Cascading Security Contexts

    Note: Cascading contexts requires that you configure unique MAC addresses for each context interface. Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading contexts without unique MAC addresses.
  • Page 71: Management Access To Security Contexts

    To log in with a username, enter the login command. For example, you log in to the admin context with the...
  • Page 72: Context Administrator Access

    Your security appliance might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. ASDM does not support changing modes, so you need to change modes using the CLI.
  • Page 73: Restoring Single Context Mode

    Step 2: To set the mode to single mode, enter the following command in the system execution space: hostname(config)# mode single The security appliance reboots.
  • Page 74 Chapter 3 Enabling Multiple Context Mode Enabling or Disabling Multiple Context Mode
  • Page 75: Appliance

    Chapter: Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive security appliance.
  • Page 76: Understanding Asa 5505 Ports And Interfaces

    Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Overview Understanding ASA 5505 Ports and Interfaces The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure: Physical switch ports—The adaptive security appliance has eight Fast Ethernet switch ports that...
  • Page 77 With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN. See Figure 4-1 for an example network where the Home VLAN can communicate with the Internet, but cannot initiate contact with Business.
  • Page 78: Default Interface Configuration

    “Configuring Switch Ports as Access Ports” section on page 4-9 for more information about shutting down a switch port. To view the status of PoE switch ports, including the type of device connected (Cisco or IEEE 802.3af), use the show power inline command. Monitoring Traffic Using SPAN If you want to monitor traffic that enters or exits one or more switch ports, you can enable SPAN, also known as switch port monitoring.
  • Page 79: Security Level Overview

    Configuring VLAN Interfaces See the switchport monitor command in the Cisco Security Appliance Command Reference for more information. Security Level Overview Each VLAN interface must have a security level in the range 0 to 100 (from lowest to highest). For example, you should assign your most secure network, such as the inside business network, to level 100.
  • Page 80 Note: If you are using failover, do not use this procedure to name interfaces that you are reserving for failover communications. See Chapter 14, “Configuring Failover,”...
  • Page 81 Where number is an integer between 0 (lowest) and 100 (highest). Step 5 (Routed mode only) To set the IP address, enter one of the following commands.
  • Page 82 hostname(config-if)# no shutdown hostname(config-if)# interface vlan 200 hostname(config-if)# nameif inside hostname(config-if)# security-level 100 hostname(config-if)# ip address 10.2.1.1 255.255.255.0 hostname(config-if)# no shutdown...
  • Page 83: Configuring Switch Ports As Access Ports

    Configuring Switch Ports as Access Ports By default, all switch ports are shut down. To assign a switch port to one VLAN, configure it as an access port.
  • Page 84 The auto setting is the default. If you set the speed to anything other than auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.
  • Page 85: Configuring A Switch Port As A Trunk Port

    Configuring a Switch Port as a Trunk Port hostname(config-if)# switchport access vlan 400 hostname(config-if)# no shutdown hostname(config-if)# interface ethernet 0/4 hostname(config-if)# switchport access vlan 500...
  • Page 86 You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach.
  • Page 87: Allowing Communication Between Vlan Interfaces On The Same Security Level

    hostname(config-if)# security-level 50 hostname(config-if)# ip address 10.1.2.1 255.255.255.0 hostname(config-if)# no shutdown hostname(config-if)# failover lan faillink vlan500 hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2...
  • Page 88 Allowing Communication Between VLAN Interfaces on the Same Security Level
  • Page 89: Configuring Ethernet Settings, Redundant Interfaces, And Subinterfaces

    Note: To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.” This chapter includes the following sections: • Configuring and Enabling RJ-45 Interfaces, page 5-1...
  • Page 90: Default State Of Physical Interfaces

    The physical interface types include the following: • ethernet • gigabitethernet • management (ASA 5500 only) For the PIX 500 series security appliance, enter the type followed by the port number, for example, ethernet0.
  • Page 91: Configuring And Enabling Fiber Interfaces

    However, before traffic can pass through the context interface, you must first enable the physical interface in the system configuration according to this procedure.
  • Page 92: Configuring The Fiber Interface

    This section describes how to configure redundant interfaces, and includes the following topics: • Redundant Interface Overview, page 5-5 • Adding a Redundant Interface, page 5-6 • Changing the Active Interface, page 5-7
  • Page 93: Redundant Interface Overview

    • Both member interfaces must be of the same physical type. For example, both must be Ethernet. • You cannot add a physical interface to the redundant interface if you configured a name for it. You must first remove the name using the no nameif command.
  • Page 94: Adding A Redundant Interface

    The following example creates two redundant interfaces: hostname(config)# interface redundant 1 hostname(config-if)# member-interface gigabitethernet 0/0 hostname(config-if)# member-interface gigabitethernet 0/1 hostname(config-if)# interface redundant 2 hostname(config-if)# member-interface gigabitethernet 0/2 hostname(config-if)# member-interface gigabitethernet 0/3
  • Page 95: Changing The Active Interface

    (see the “Configuring and Enabling RJ-45 Interfaces” section on page 5-1, “Configuring and Enabling Fiber Interfaces” section on page 5-3, or the “Configuring a Redundant Interface” section on page 5-4).
  • Page 96: Maximum Subinterfaces

    VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the security appliance changes the old ID.
    Step 3 To enable the subinterface (if you previously disabled it), enter the following command:
    hostname(config-subif)# no shutdown
  • Page 97 By default, the subinterface is enabled. To disable the interface, enter the shutdown command. If you shut down an interface in the system execution space, then that interface is shut down in all contexts that share it.
  • Page 99 The security appliance manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class. This section includes the following topics:
    • Resource Limits, page 6-2
    • Default Class, page 6-3
    • Class Members, page 6-4
  • Page 100: Configuring Resource Management

    Context A, B, and C are unable to reach their 3 percent combined limit. (See Figure 6-2.) Setting unlimited access is similar to oversubscribing the security appliance, except that you have less control over how much you oversubscribe the system.
  • Page 101: Default Class

    By default, the default class provides unlimited access to resources for all contexts, except for the following limits, which are by default set to the maximum allowed per context:
    • Telnet sessions—5 sessions.
    • SSH sessions—5 sessions.
    • IPSec sessions—5 sessions.
    • MAC addresses—65,535 entries.
  • Page 102: Class Members

    Step 2 To set the resource limits, see the following options:
    • To set all resource limits (shown in Table 6-1) to be unlimited, enter the following command:
    hostname(config-resmgmt)# limit-resource all 0
  • Page 103 Table 6-1 lists the resource types and the limits. See also the show resource types command.
  • Page 104 For example, to set the default class limit for conns to 10 percent instead of unlimited, enter the following commands:
    hostname(config)# class default
    hostname(config-class)# limit-resource conns 10%
    All other resources remain at unlimited. To add a class called gold, enter the following commands:
    hostname(config)# class gold
  • Page 105: Configuring A Security Context

    [visible | invisible]
    • To allocate one or more subinterfaces, enter the following command:
    hostname(config-ctx)# allocate-interface physical_interface.subinterface[-physical_interface.subinterface] [mapped_name[-mapped_name]] [visible | invisible]
  • Page 106 The following example shows gigabitethernet0/1.100, gigabitethernet0/1.200, and gigabitethernet0/2.300 through gigabitethernet0/1.305 assigned to the context. The mapped names are int1 through int8.
    hostname(config-ctx)# allocate-interface gigabitethernet0/1.100 int1
    hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int2
    hostname(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305 int3-int8
  • Page 107 “.cfg”. If the configuration file is not available, you see the following message:
    WARNING: Could not fetch the URL http://url
    INFO: Creating context with default config
  • Page 109: Automatically Assigning Mac Addresses To Context Interfaces

    In the rare circumstance that the generated MAC address conflicts with another private MAC address in your network, you can manually set the MAC address for the interface within the context. See the “Configuring Interface Parameters” section on page 7-2 to manually set the MAC address.
  • Page 110: Changing Between Contexts And The System Execution Space

    You might see an error message indicating that the number of interfaces on the active and standby units are not consistent; this error is temporary and can be ignored.
  • Page 111: Changing The Admin Context

    If you do not want to merge the configurations, you can clear the running configuration, which disrupts any communications through the context, and then reload the configuration from the new URL.
  • Page 112: Reloading A Security Context

    To change to the context that you want to reload, enter the following command:
    hostname# changeto context name
    Step 2 To access configuration mode, enter the following command:
    hostname/name# configure terminal
    Step 3 To clear the running configuration, enter the following command:
  • Page 113: Monitoring Security Contexts

    The following sample output from the show context command shows three contexts:
    hostname# show context
    Context Name      Interfaces               URL
    *admin            GigabitEthernet0/1.100   disk0:/admin.cfg
                      GigabitEthernet0/1.101
    contexta          GigabitEthernet0/1.200   disk0:/contexta.cfg
                      GigabitEthernet0/1.201
    contextb          GigabitEthernet0/1.300   disk0:/contextb.cfg
                      GigabitEthernet0/1.301
  • Page 114: Viewing Resource Allocation

    Real Interfaces:
    Mapped Interfaces:
    Flags: 0x00000009, ID: 258
    See the Cisco Security Appliance Command Reference for more information about the detail output. The following is sample output from the show context count command:
    hostname# show context count
    Total active contexts: 2...
  • Page 115 All Contexts: 51000
    Inspects [rate]
      default   unlimited
      gold      unlimited
      silver    10000   10000
      bronze    5000
      All Contexts: 10000
    Syslogs [rate]
      default   unlimited
      gold      6000    6000
      silver    3000    3000
      bronze    1500
      All Contexts: 9000
  • Page 116 • D—This limit was not defined in the member class, but was derived from the default class. For a context assigned to the default class, the value will be “C” instead of “D.”
    The security appliance can combine “A” with “C” or “D.”
  • Page 117: Viewing Resource Usage

    If you specify all for the counter name, then the count_threshold applies to the current usage.
    Note To show all resources, set the count_threshold to 0.
  • Page 118: Monitoring Syn Attacks In Contexts

    The security appliance prevents SYN attacks using TCP Intercept. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the
  • Page 119 0 c1
    chunk:fixup         unlimited   0   c1
    chunk:global        unlimited   0   c1
    chunk:hole          unlimited   0   c1
    chunk:ip-users      unlimited   0   c1
    chunk:udp-ctrl-blk  unlimited   0   c1
    chunk:list-elem     unlimited   0   c1
    chunk:list-hdr      unlimited   0   c1
  • Page 120 0 Summary
    tcp-intercept-rate  341306  811579  unlimited   0   Summary
    globals             unlimited   0   Summary
    np-statics          unlimited   0   Summary
    statics             0   Summary
    nats                0   Summary
    ace-rules           0   Summary
    console-access-rul  0   Summary
    fixup-rules         0   Summary
  • Page 121: Chapter 7 Configuring Interface Parameters

    Note To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.”
    This chapter includes the following sections:
    • Security Level Overview, page 7-1...
  • Page 122: Configuring Interface Parameters

    Interface Parameters Overview
    This section describes interface parameters and includes the following topics:
    • Default State of Interfaces, page 7-3
    • Default Security Level, page 7-3
    • Multiple Context Mode Guidelines, page 7-3
  • Page 123: Default State Of Interfaces

    }
    hostname(config-if)#
    The redundant number argument is the redundant interface ID, such as redundant 1. Append the subinterface ID to the physical or redundant interface ID separated by a period (.).
  • Page 124 (ASA 5500 only)
    • For the PIX 500 series security appliance, enter the type followed by the port number, for example, ethernet 0. For the ASA 5500 series adaptive security appliance, enter the type followed by slot/port, for example, gigabitethernet 0/1.
  • Page 125 Using a shared interface without unique MAC addresses is possible, but has some limitations. See the “How the Security Appliance Classifies Packets” section on page 3-3 for more
  • Page 126 0/1.1
    The following example configures parameters in multiple context mode for the context configuration:
    hostname/contextA(config)# interface gigabitethernet 0/1.1
    hostname/contextA(config-if)# nameif inside
    hostname/contextA(config-if)# security-level 100
    hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0
  • Page 127: Allowing Communication Between Interfaces On The Same Security Level

    To enable interfaces on the same security level so that they can communicate with each other, enter the following command:
    hostname(config)# same-security-traffic permit inter-interface
    To disable this setting, use the no form of this command.
  • Page 129: Chapter 8 Configuring Basic Settings

    Setting the Management IP Address for a Transparent Firewall, page 8-5
    Changing the Login Password
    The login password is used for Telnet and SSH connections. By default, the login password is “cisco.” To change the password, enter the following command:
    hostname(config)# {passwd | password} password
    You can enter passwd or password.
  • Page 130: Setting The Hostname

    Time derived from an NTP server overrides any time set manually. This section also describes how to set the time zone and daylight saving time date range.
    Note In multiple context mode, set the time in the system configuration only.
  • Page 131: Setting The Time Zone And Daylight Saving Time Date Range

    The week value specifies the week of the month as an integer between 1 and 4 or as the words first or last. For example, if the day might fall in the partial fifth week, then specify last.
  • Page 132: Setting The Date And Time Using An Ntp Server

    3 that is preferred. You can identify multiple servers; the security appliance uses the most accurate server.
    Setting the Date and Time Manually
    To set the date and time manually, enter the following command:
  • Page 133: Setting The Management Ip Address For A Transparent Firewall

    (255.255.255.255). This address must be IPv4; the transparent firewall does not support IPv6. The standby keyword and address is used for failover. See Chapter 14, “Configuring Failover,” for more information.
  • Page 135: Configuring Ip Routing

    Websense or N2H2 server, or AAA server. If you have servers that cannot all be reached through a single default route, then you must configure static routes.
  • Page 136: Configuring A Static Route

    The security appliance distributes the traffic among the specified gateways.
    hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1
    hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.2
    hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.3
  • Page 137: Configuring A Default Static Route

    IP address 192.168.2.4.
    hostname(config)# route outside 0 0 192.168.2.1
    hostname(config)# route outside 0 0 192.168.2.2
    hostname(config)# route outside 0 0 192.168.2.3
    hostname(config)# route outside 0 0 192.168.2.4 tunneled
  • Page 138: Configuring Static Route Tracking

    [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]
  • Page 139 • To use a default route obtained through DHCP, enter the following commands:
    hostname(config)# interface phy_if
    hostname(config-if)# dhcp client route track track_id
    hostname(config-if)# dhcp client route distance admin_distance
    hostname(config-if)# ip address dhcp setroute
  • Page 140: Defining Route Maps

    If you specify more than one ACL, then the route can match any of the ACLs.
    • To match any routes with the specified next hop interface, enter the following command:
    hostname(config-route-map)# match interface if_name
  • Page 141: Configuring Ospf

    • Configuring Route Summarization Between OSPF Areas, page 9-15
    • Configuring Route Summarization When Redistributing Routes into OSPF, page 9-15
    • Generating a Default Route, page 9-16
    • Configuring Route Calculation Timers, page 9-17
  • Page 142: Ospf Overview

    To enable OSPF, you need to create an OSPF routing process, specify the range of IP addresses associated with the routing process, then assign area IDs associated with that range of IP addresses.
  • Page 143: Redistributing Routes Into Ospf

    [match {internal | external [1 | 2] | nssa-external [1 | 2]}] [metric metric-value] [metric-type {type-1 | type-2}] [tag tag_value] [subnets] [route-map map_name]
  • Page 144: Configuring Ospf Interface Parameters

    Step 1 To enter the interface configuration mode, enter the following command:
    hostname(config)# interface interface_name
    Step 2 Enter any of the following commands:
    • To specify the authentication type for an interface, enter the following command:
  • Page 145 The number_value is between 0 and 255.
    • To specify the number of seconds between LSA retransmissions for adjacencies belonging to an OSPF interface, enter the following command:
    hostname(config-interface)# ospf retransmit-interval seconds
  • Page 146 Number of LSA 5. Checksum Sum 0x 209a3
    Number of opaque link LSA 0. Checksum Sum 0x
    Number of DCbitless LSA 0
    Number of indication LSA 0
    Number of DoNotAge LSA 0
    Flood list length 0
  • Page 147: Configuring Ospf Area Parameters

    The OSPF implementation of an NSSA is similar to an OSPF stub area. NSSA does not flood type 5 external LSAs from the core into the area, but it can import autonomous system external routes in a limited way within the area.
  • Page 148 Type 7 default into the NSSA or the NSSA area boundary router.
    – Every router within the same area must agree that the area is NSSA; otherwise, the routers will not be able to communicate.
  • Page 149: Configuring Route Summarization Between Ospf Areas

    The following example shows how to configure route summarization. The summary address 10.1.0.0 includes the addresses 10.1.1.0, 10.1.2.0, 10.1.3.0, and so on. Only the address 10.1.0.0 is advertised in an external link-state advertisement:
    hostname(config)# router ospf 1
  • Page 150: Defining Static Ospf Neighbors

    [always] [metric metric-value] [metric-type {1 | 2}] [route-map map-name]
    The following example shows how to generate a default route:
    hostname(config)# router ospf 2
    hostname(config-router)# default-information originate always
  • Page 151: Configuring Route Calculation Timers

    Step 2 To configure logging for neighbors going up or down, enter the following command:
    hostname(config-router)# log-adj-changes [detail]
    Note Logging must be enabled for the neighbor up/down messages to be sent.
    The following example shows how to log neighbor up/down messages:
  • Page 152: Displaying Ospf Update Packet Pacing

    • To display OSPF-related interface information, enter the following command:
    hostname# show ospf interface [if_name]
    • To display OSPF neighbor information on a per-interface basis, enter the following command:
  • Page 153: Restarting The Ospf Process

    By default, the security appliance sends RIP Version 1 updates and accepts RIP Version 1 and Version 2 updates.
  • Page 154 Enter the following command to apply the filter. You can specify an interface to apply the filter to only those updates sent by that interface.
    hostname(config-router): distribute-list acl out [interface if_name]
  • Page 155: Redistributing Routes Into The Rip Routing Process

    Step 1 (Optional) To specify the version of RIP advertisements sent from an interface, perform the following steps:
    Enter interface configuration mode for the interface you are configuring by entering the following command:
    hostname(config)# interface phy_if
  • Page 156: Enabling Rip Authentication

    • To display the contents of the RIP routing database, enter the following command:
    hostname# show rip database
    • To display the RIP commands in the running configuration, enter the following command:
    hostname# show running-config router rip
  • Page 157: Configuring Eigrp

    • EIGRP Routing Overview EIGRP is an enhanced version of IGRP developed by Cisco. Unlike IGRP and RIP, EIGRP does not send out periodic route updates. EIGRP updates are sent out only when the network topology changes. Neighbor discovery is the process that the security appliance uses to dynamically learn of other routers on directly attached networks.
  • Page 158: Enabling And Configuring Eigrp Routing

    EIGRP updates.
    Step 3 (Optional) To prevent an interface from sending or receiving EIGRP routing messages, enter the following command:
  • Page 159: Enabling And Configuring Eigrp Stub Routing

    To enable and configure an EIGRP stub routing process, perform the following steps:
    Step 1 Create the EIGRP routing process and enter router configuration mode for that process by entering the following command:
    hostname(config)# router eigrp as-num
  • Page 160: Enabling Eigrp Authentication

    If EIGRP is not enabled or if you enter the wrong number, the security appliance returns the following error message:
    % Asystem(100) specified does not exist
    The key argument can contain up to 16 characters. The key-id argument is a number from 0 to 255.
  • Page 161: Defining An Eigrp Neighbor

    Step 4 Choose one of the following options to redistribute the selected route type into the EIGRP routing process.
    • To redistribute connected routes into the EIGRP routing process, enter the following command:
    hostname(config-router): redistribute connected [metric bandwidth delay reliability loading mtu] [route-map map_name]
  • Page 162: Configuring The Eigrp Hello Interval And Hold Time

    Disabling Automatic Route Summarization
    Automatic route summarization is enabled by default. The EIGRP routing process summarizes on network number boundaries. This can cause routing problems if you have non-contiguous networks.
  • Page 163: Configuring Summary Aggregate Addresses

    However, with nonbroadcast networks, there may be situations where this behavior is not desired. For these situations, including networks in which you have EIGRP configured, you may want to disable split horizon.
  • Page 164: Changing The Interface Delay Value

    Monitoring EIGRP
    You can use the following commands to monitor the EIGRP routing process. For examples and descriptions of the command output, see the Cisco Security Appliance Command Reference.
    • To display the EIGRP event log, enter the following command:...
  • Page 165: Disabling Neighbor Change And Warning Message Logging

    On the ASA 5505 adaptive security appliance, the following route is also shown. It is the internal loopback interface, which is used by the VPN hardware client feature for individual user authentication.
    C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
  • Page 166: How The Routing Table Is Populated

    Table 9-1 Default Administrative Distance for Supported Routing Protocols
    Route Source              Default Administrative Distance
    Connected interface
    Static route
    EIGRP Summary Route
  • Page 167: Backup Routes

    If a default route has not been configured, the packet is discarded.
    • If the destination matches a single entry in the routing table, the packet is forwarded through the interface associated with that route.
  • Page 168: Dynamic Routing And Failover

    Therefore, immediately after a failover occurs, some packets received by the security appliance may be dropped because of a lack of routing information or routed to a default static route while the routing table is repopulated by the configured dynamic routing protocols.
  • Page 169: Configuring Dhcp, Ddns, And Wccp Services

    This section describes how to configure the DHCP server provided by the security appliance. This section includes the following topics:
    • Enabling the DHCP Server, page 10-2
    • Configuring DHCP Options, page 10-3
    • Using Cisco IP Phones with a DHCP Server, page 10-4
  • Page 170: Enabling The Dhcp Server

    To avoid address conflicts, the security appliance sends two ICMP ping packets to an address before assigning that address to a DHCP client. This command specifies the timeout value for those packets.
  • Page 171: Configuring Dhcp Options

    46 ascii hello command and the security appliance accepts the configuration although option 46 is defined in RFC 2132 as expecting a single-digit, hexadecimal value. For more information about the option codes and their associated types and expected values, refer to RFC 2132.
  • Page 172: Using Cisco Ip Phones With A Dhcp Server

    Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route. Cisco IP Phones might include both option 150 and 66 in a single request. In this case, the security appliance DHCP server provides values for both options in the response if they are configured on the security appliance.
  • Page 173: Configuring Dhcp Relay Services

    To set the IP address of a DHCP server on a different interface from the DHCP client, enter the following command:
    hostname(config)# dhcprelay server ip_address if_name
    You can use this command up to 4 times to identify up to 4 servers.
  • Page 174: Configuring Dynamic Dns

    FQDN to the server using a DHCP option called Client FQDN. The following examples present these common scenarios:
    • Example 1: Client Updates Both A and PTR RRs for Static IP Addresses, page 10-7
  • Page 175: Example 1: Client Updates Both A And Ptr Rrs For Static Ip Addresses

    Step 3 To associate the method named ddns-2 with the security appliance interface named Ethernet0, and enable DHCP on the interface, enter the following commands:
    hostname(DDNS-update-method)# interface Ethernet0
    hostname(if-config)# ddns update ddns-2
    hostname(if-config)# ddns update hostname asa.example.com
    hostname(if-config)# ip address dhcp
  • Page 176: Client And Updates Both Rrs

    Step 1
    hostname(config)# interface Ethernet0
    hostname(config-if)# dhcp client update dns both
    hostname(config-if)# ddns update hostname asa
    Step 2 To configure the DHCP server, enter the following commands:
    hostname(config-if)# dhcpd update dns
  • Page 177: Example 5: Client Updates A Rr; Server Updates Ptr Rr

    • WCCP Feature Support, page 10-9
    • WCCP Interaction With Other Features, page 10-10
    • Enabling WCCP Redirection, page 10-10
    WCCP Feature Support
    The following WCCPv2 features are supported with the security appliance:
  • Page 178: Wccp Interaction With Other Features

    To configure WCCP redirection, perform the following steps:
    Step 1 To enable a WCCP service group, enter the following command:
    hostname(config)# wccp {web-cache | service_number} [redirect-list access_list] [group-list access_list] [password password]
  • Page 179 For example, to enable the standard web-cache service and redirect HTTP traffic that enters the inside interface to a web cache, enter the following commands:
    hostname(config)# wccp web-cache
    hostname(config)# wccp interface inside web-cache redirect in
  • Page 181: Configuring Multicast Routing

    The DF election takes place during Rendezvous Point discovery and provides a default route to the Rendezvous Point.
    Note If the security appliance is the PIM RP, use the untranslated outside address of the security appliance as the RP address.
  • Page 182: Enabling Multicast Routing

    • Limiting the Number of IGMP States on an Interface, page 11-16
    • Modifying the Query Interval and Query Timeout, page 11-16
    • Changing the Query Response Time, page 11-17
    • Changing the IGMP Version, page 11-17
  • Page 183: Disabling Igmp On An Interface

    Step 1 Create an access list for the multicast traffic. You can create more than one entry for a single access list. You can use extended or standard access lists.
    • To create a standard access list, enter the following command:
  • Page 184: Limiting The Number Of Igmp States On An Interface

    (by default, 255 seconds), then the security appliance becomes the designated router and starts sending the query messages. To change this timeout value, enter the following command:
    hostname(config-if)# igmp query-timeout seconds
  • Page 185: Changing The Query Response Time

    In some cases, such as bypassing a route that does not support multicast routing, you may want unicast packets to take one path and multicast packets to take another. Static multicast routes are not advertised or redistributed.
  • Page 186: Configuring Pim Features

    You can disable PIM on specific interfaces. To disable PIM on an interface, enter the following command:
    hostname(config-if)# no pim
    To reenable PIM on an interface, enter the following command:
    hostname(config-if)# pim
    Note Only the no pim command appears in the interface configuration.
  • Page 187: Configuring A Static Rendezvous Point Address

    Filtering PIM Register Messages
    You can configure the security appliance to filter PIM register messages. To filter PIM register messages, enter the following command:
    hostname(config)# pim accept-register {list acl | route-map map-name}
  • Page 188: Configuring Pim Message Intervals

    • Prevent unauthorized routers from becoming PIM neighbors.
    • Prevent attached stub routers from participating in PIM.
    To define the neighbors that can become a PIM neighbor, perform the following steps:
  • Page 189: Supporting Mixed Bidirectional/Sparse-Mode Pim Networks

Step 2 Enable the pim bidir-neighbor-filter command on an interface. The following example applies the access list created in the previous step to the interface GigabitEthernet0/3.
hostname(config)# interface GigabitEthernet0/3
hostname(config-if)# pim bidir-neighbor-filter pim_bidir
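The following configuration is an added example, not text from the guide, that pulls together the multicast controls described in the pages above (the IGMP access list and query timeout, a static multicast route, disabling PIM on an interface, the register filter, and the PIM neighbor filter) into one PIM sparse-mode deployment. Every address, access list name and interface name is an assumption chosen for illustration.

```cisco
! Added example, not from the guide: PIM sparse mode with the IGMP and PIM
! controls described above. All addresses, ACL names and interface names are
! assumptions chosen for illustration.
multicast-routing
!
! IGMP: inside hosts may only join the corporate group range (standard ACL).
access-list mcast_groups standard permit 239.10.0.0 255.255.0.0
access-list mcast_groups standard deny any
!
! PIM neighbors: only these two DMZ routers may form adjacencies (standard ACL).
access-list pim_nbrs standard permit host 10.20.0.2
access-list pim_nbrs standard permit host 10.20.0.3
access-list pim_nbrs standard deny any
!
! PIM register: only sources on the internal network may register with the RP
! (extended ACL, which is what pim accept-register expects).
access-list pim_reg extended permit ip 10.1.0.0 255.255.0.0 any
access-list pim_reg extended deny ip any any
!
! Static RP rather than one learned from whoever is on the wire, plus the
! register filter.
pim rp-address 10.1.1.1
pim accept-register list pim_reg
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.0.0
 igmp access-group mcast_groups
 igmp limit 100
 igmp query-timeout 120
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.20.0.1 255.255.255.0
 pim neighbor-filter pim_nbrs
!
! No multicast protocol exposure toward the Internet at all.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.201.1 255.255.255.224
 no pim
 no igmp
!
! Static multicast route: the RPF check for sources in 10.1.50.0/24 uses the
! internal router 10.1.0.254 even though unicast routing takes another path.
mroute 10.1.50.0 255.255.255.0 10.1.0.254
```

The filters are deliberately deny-by-default: a router that is not in pim_nbrs never becomes a neighbor, and a source outside 10.1.0.0/16 cannot register with the RP, which is the cheapest way to keep a stray or hostile host from injecting itself into the multicast tree.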
  • Page 190: For More Information About Multicast Routing

SMR feature:
• RFC 2236 IGMPv2
• RFC 2362 PIM-SM
• RFC 2588 IP Multicast and Firewalls
• RFC 2113 IP Router Alert Option
• IETF draft-ietf-idmr-igmp-proxy-01.txt
  • Page 191: Chapter 12 Configuring Ipv6

• configure
• copy
• http
• name
• object-group
• ping
• show conn
• show local-host
• show tcpstat
• telnet
• tftp-server
• write
  • Page 192 Configuring IPv6 Default and Static Routes, page 12-5 • Configuring IPv6 Access Lists, page 12-6 • Configuring IPv6 Neighbor Discovery, page 12-7 • Configuring a Static IPv6 Neighbor, page 12-11
  • Page 193: Configuring Ipv6 On An Interface

Enter the following command to add a global address to the interface. Use the optional eui-64 keyword to use the Modified EUI-64 interface ID in the low-order 64 bits of the address.
hostname(config-if)# ipv6 address ipv6-prefix/prefix-length [eui-64]
  • Page 194: Configuring A Dual Ip Stack On An Interface

When the link-local address is verified as unique, duplicate address detection is performed on all the other IPv6 unicast addresses on the interface.
  • Page 195: Configuring Ipv6 Default And Static Routes

%PIX|ASA-6-110001: No route to dest_address from source_address
You can add a default route and static routes using the ipv6 route command. To configure an IPv6 default route and static routes, perform the following steps:
  • Page 196: Configuring Ipv6 Access Lists

The source and destination can be an IPv6 prefix, in the format prefix/length, to indicate a range of addresses; the keyword any, to specify any address; or a specific host designated by host host_ipv6_addr.
  • Page 197: Configuring Ipv6 Neighbor Discovery

After the source node receives the neighbor advertisement, the source node and destination node can communicate. Figure 12-1 shows the neighbor solicitation and response process.
  • Page 198 IPv6 operation. To configure the amount of time that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred, enter the following command:
hostname(config-if)# ipv6 nd reachable-time value
  • Page 199: Configuring Router Advertisement Messages

When a router advertisement is sent in response to a router solicitation, the destination address in the router advertisement message is the unicast address of the source of the router solicitation message.
  • Page 200 To configure which IPv6 prefixes are included in IPv6 router advertisements, enter the following command:
hostname(config-if)# ipv6 nd prefix ipv6-prefix/prefix-length
Note For stateless autoconfiguration to work properly, the advertised prefix length in router advertisement messages must always be 64 bits.
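The following is an added example, not configuration from the guide, that carries the IPv6 pages above (interface addressing, the default and static routes, an IPv6 access list, and neighbor discovery settings including the advertised prefix) through a single dual-stack deployment. The prefixes (2001:db8::/32 is reserved for documentation), interface names, the upstream router's link-layer address and the server address are all assumptions.

```cisco
! Added example, not from the guide: dual-stack interfaces, IPv6 routes, an
! IPv6 access list and hardened neighbor discovery. All prefixes, names and
! MAC addresses are assumptions.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 ipv6 address 2001:db8:1::1/64
 ! Advertise exactly the /64 hosts autoconfigure from, nothing longer.
 ipv6 nd prefix 2001:db8:1::/64
 ipv6 nd ra-interval 200
 ipv6 nd ra-lifetime 1800
 ! Two DAD probes before an address is trusted; 30 s reachability window.
 ipv6 nd dad attempts 2
 ipv6 nd reachable-time 30000
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.201.1 255.255.255.224
 ipv6 address 2001:db8:ffff::2/64
 ! Never announce ourselves as a default router toward the provider.
 ipv6 nd suppress-ra
!
! Default route to the provider's link-local next hop; a static for a DMZ
! prefix that lives behind an internal router.
ipv6 route outside ::/0 fe80::1
ipv6 route inside 2001:db8:2::/48 2001:db8:1::254
!
! Inbound IPv6 policy: HTTPS to the public web server and ICMPv6 echo
! request (type 128) only; everything else from the outside is dropped.
ipv6 access-list outside_in6 permit tcp any host 2001:db8:1::80 eq 443
ipv6 access-list outside_in6 permit icmp6 any any 128
ipv6 access-list outside_in6 deny ip any any
access-group outside_in6 in interface outside
!
! Pin the upstream router's link-layer address so a spoofed neighbor
! advertisement on the outside segment cannot redirect the default route.
ipv6 neighbor fe80::1 outside 0011.2233.4455
```

The static neighbor entry and the suppressed router advertisements on the outside are the two settings most often missed: without them the appliance both accepts unsolicited neighbor advertisements for its next hop and tells the provider's segment that it is a default router.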
  • Page 201: Configuring A Static Ipv6 Neighbor

Excluding the name from the command displays the setting for all interfaces that have IPv6 enabled on them. The output for the command shows the following:
• The name and status of the interface.
• The link-local and global unicast addresses.
  • Page 202: The Show Ipv6 Route Command

IPv6 Routing Table - 7 entries
Codes: C - Connected, L - Local, S - Static
fe80::/10 [0/0] via ::, inside
fec0::a:0:0:a0a:a70/128 [0/0] via ::, inside
fec0:0:0:a::/64 [0/0] via ::, inside
ff00::/8 [0/0] via ::, inside
  • Page 203: Configuring Aaa Servers And The Local Database

You can use accounting alone, or with authentication and authorization. This section includes the following topics:
• About Authentication, page 13-2
• About Authorization, page 13-2
• About Accounting, page 13-2
  • Page 204: About Authentication

IP address. Accounting information includes when sessions start and stop, username, the number of bytes that pass through the security appliance for the session, the service used, and the duration of each session.
  • Page 205: Aaa Server And Local Database Support

2. SDI is not supported for HTTP administrative access.
3. For firewall sessions, RADIUS authorization is supported with user-specific access lists only, which are received or specified in a RADIUS authentication response.
  • Page 206: Radius Server Support

• Accounting attributes defined in RFC 2139.
• RADIUS attributes for tunneled protocol support, defined in RFC 2868.
• Cisco IOS VSAs, identified by RADIUS vendor ID 9.
• Cisco VPN-related VSAs, identified by RADIUS vendor ID 3076.
• Microsoft VSAs, defined in RFC 2548.
  • Page 207: Sdi Server Support

NT servers have a maximum length of 14 characters for user passwords. Longer passwords are truncated. This is a limitation of NTLM version 1.
Kerberos Server Support
The security appliance supports 3DES, DES, and RC4 encryption types.
  • Page 208: Ldap Server Support

The username attributes command lets you enter the username mode. In this mode, you can add other information to a specific user profile. The information you can add includes VPN-related attributes, such as a VPN session timeout value.
  • Page 209: Fallback Support

To define a user account in the local database, perform the following steps:
Step 1 To create the user account, enter the following command:
hostname(config)# username name {nopassword | password password [mschap]} [privilege priv_level]
  • Page 210 {admin | nas-prompt | remote-access} where the admin keyword allows full access to any services specified by the aaa authentication console LOCAL commands. admin is the default.
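The following is an added example, not from the guide, showing the local-database procedure above (username, privilege level and service-type) used to build three distinct roles, and the aaa commands that actually enforce them. Usernames and passwords are placeholders; the commands assigned to privilege level 5 are one possible choice.

```cisco
! Added example, not from the guide: local accounts with least-privilege
! CLI roles. Usernames and passwords are placeholders.
!
! Lock an account after repeated bad passwords (applies to local auth only).
aaa local authentication attempts max-fail 5
!
! Full administrator: CLI login and enable level 15.
username netadmin password S3cur3Adm1n! privilege 15
username netadmin attributes
 service-type admin
!
! Operator: CLI login at privilege 5 only; nas-prompt denies enable access.
username noc password N0cOnly! privilege 5
username noc attributes
 service-type nas-prompt
!
! VPN user: remote-access only, never a CLI prompt. The mschap keyword stores
! the password in the form MS-CHAPv2-based VPN methods need.
username alice password VpnUs3rPw mschap
username alice attributes
 service-type remote-access
 vpn-idle-timeout 30
!
! Make the roles enforceable: LOCAL for SSH login and for enable, and LOCAL
! command authorization so privilege levels actually gate commands.
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
!
! Give level 5 a few read-only troubleshooting commands and nothing else.
privilege show level 5 command failover
privilege show level 5 command conn
privilege show level 5 command logging
```

Without the three aaa lines the service-type and privilege settings are recorded but not enforced; with them, the noc account can log in, run the listed show commands, and cannot enter enable mode at all.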
  • Page 211: Identifying Aaa Server Groups And Servers

For example, to use RADIUS to authenticate network access and TACACS+ to authenticate CLI access, you need to create at least two server groups, one for RADIUS servers and one for TACACS+ servers.
  • Page 212 Where a command is applicable to the server type you specified and no default value is provided (indicated by “—”), use the command to specify the value. For more information about these commands, see the Cisco Security Appliance Command Reference.
  • Page 213 Example 13-1 Multiple AAA Server Groups and Servers
hostname(config)# aaa-server AuthInbound protocol tacacs+
hostname(config-aaa-server-group)# max-failed-attempts 2
hostname(config-aaa-server-group)# reactivation-mode depletion deadtime 20
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
  • Page 214: Configuring An Ldap Server

LDAP server in plain text. Whether using SASL or plain text, you can secure the communications between the security appliance and the LDAP server with SSL using the ldap-over-ssl command.
  • Page 215 Note If you do not configure SASL, we strongly recommend that you secure LDAP communications with SSL. See the ldap-over-ssl command in the Cisco Security Appliance Command Reference. SASL protects only the authentication exchange; the attributes the server returns still cross the network in the clear unless SSL is enabled. When user LDAP authentication has succeeded, the LDAP server returns the attributes for the authenticated user.
  • Page 216: Authorization With Ldap For Vpn

    You must create LDAP attribute maps that map your existing user-defined attribute names and values to Cisco attribute names and values that are compatible with the security appliance. You can then bind these attribute maps to LDAP servers or remove them as needed.
  • Page 217 Note To use the attribute mapping features correctly, you need to understand the Cisco LDAP attribute names and values as well as the user-defined attribute names and values.
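The following is an added example, not configuration from the guide, that shows the LDAP pieces discussed in the pages above together: a server group and host secured with ldap-over-ssl, and an attribute map that turns the directory's memberOf value into the IETF-Radius-Class attribute the appliance uses to pick a group policy, so VPN authorization follows directory group membership. The server address, DNs, group names, bind account and password are placeholders.

```cisco
! Added example, not from the guide: LDAP over SSL for VPN authentication
! and authorization, with directory group membership mapped to a group
! policy. Addresses, DNs, group names and the bind password are placeholders.
!
! Map the directory attribute onto the Cisco attribute the appliance reads.
ldap attribute-map AD_GROUPS
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" VPN_EMPLOYEES
 map-value memberOf "CN=VPN-Contractors,OU=Groups,DC=example,DC=com" VPN_CONTRACTORS
!
aaa-server LDAP_CORP protocol ldap
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
!
aaa-server LDAP_CORP (inside) host 10.1.1.20
 ! SSL first: otherwise the bind password and every returned attribute
 ! cross the wire in clear text.
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password BindP@ssw0rd
 ldap-attribute-map AD_GROUPS
!
! Group policies the map can select. Anyone the map does not match lands in
! the tunnel group's default policy, which permits no sessions at all.
group-policy VPN_EMPLOYEES internal
group-policy VPN_CONTRACTORS internal
group-policy NO_ACCESS internal
group-policy NO_ACCESS attributes
 vpn-simultaneous-logins 0
!
tunnel-group CORP_VPN type remote-access
tunnel-group CORP_VPN general-attributes
 authentication-server-group LDAP_CORP
 authorization-server-group LDAP_CORP
 default-group-policy NO_ACCESS
```

The default-group-policy with zero simultaneous logins is the fail-closed half of the design: a valid directory account that is in neither VPN group authenticates successfully and is then refused a session, rather than inheriting whatever the default policy happens to allow.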
  • Page 218: Using Certificates And User Login Credentials

– DISABLED (set to None) by authentication server group setting
– No credentials used
• Authorization
– Enabled by authorization server group setting
– Uses the username value of the certificate primary DN field as a credential
  • Page 219: Supporting A Zone Labs Integrity Server

Note Interfaces support the configuration of up to five Integrity Servers. If the active Server fails, configure another Integrity Server on the security appliance and then reestablish the client VPN session.
  • Page 220: Configuring Integrity Server Support

“Configuring Firewall Policies” section on page 30-58. The command arguments that specify firewall policies are not used when the firewall type is zonelabs-integrity because the Integrity server determines the policies.
  • Page 221: Understanding Failover

Active/Standby failover configurations only. This section includes the following topics:
• Failover System Requirements, page 14-2
• The Failover and Stateful Failover Links, page 14-3
• Active/Active and Active/Standby Failover, page 14-6
  • Page 222: Failover System Requirements

    License Requirements On the PIX 500 series security appliance, at least one of the units must have an unrestricted (UR) license. The other unit can have a Failover Only (FO) license, a Failover Only Active-Active (FO_AA) license, or another UR license.
  • Page 223: The Failover And Stateful Failover Links

    VPN tunnels. On the PIX 500 series security appliance, the failover link can be either a LAN-based connection or a dedicated serial Failover cable. On the ASA 5500 series adaptive security appliance, the failover link can only be a LAN-based connection.
  • Page 224 You cannot override these designations in the PIX 500 series security appliance software. If you purchased a PIX 500 series security appliance failover bundle, this cable is included. To order a spare, use part number PIX-FO=.
  • Page 225: Stateful Failover Link

If you use a switch, no other hosts or routers should be on this link. Enable the PortFast option on Cisco switch ports that connect directly to the security appliance.
Note If you are using the failover link as the Stateful Failover link, you should use the fastest Ethernet interface available.
  • Page 226: Active/Active And Active/Standby Failover

MAC to IP address pairing, no ARP entries change or time out anywhere on the network.
Note For multiple context mode, the security appliance can fail over the entire unit (including all contexts) but cannot fail over individual contexts separately.
  • Page 227 For single context mode, enter the write memory command on the active unit. The command is replicated to the standby unit, which proceeds to write its configuration to Flash memory.
  • Page 228 If you enter the write standby command on the active unit, the standby unit clears its running configuration (except for the failover commands used to communicate with the active unit), and the active unit sends its entire configuration to the standby unit.
  • Page 229 You should restore the failover link operation interface as failed interface as failed as soon as possible because the unit cannot fail over to the standby unit while the failover link is down. Cisco Security Appliance Command Line Configuration Guide 14-9 OL-12172-03...
  • Page 230: Active/Active Failover

Note A failover group failing on a unit does not mean that the unit has failed. The unit may still have another failover group passing traffic on it.
When creating the failover groups, you should create them on the unit that will have failover group 1 in the active state.
  • Page 231 When a unit boots while the peer unit is active (with both failover groups active on it), the booting unit contacts the active unit to obtain the running configuration regardless of the primary or secondary designation of the booting unit.
  • Page 232 The following commands are replicated to the standby unit:
• all configuration commands except for the mode, firewall, and failover lan unit commands
• copy running-config startup-config
• delete
• mkdir
• rename
• rmdir
• write memory
  • Page 233 Because a failover group can contain multiple contexts, and each context can contain multiple interfaces, it is possible for all interfaces in a single context to fail without causing the associated failover group to fail.
  • Page 234 Each unit marks the failover interface as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.
  • Page 235: Determining Which Type Of Failover To Use

Supported end-user applications are not required to reconnect to keep the same communication session. The state information passed to the standby unit includes the following:
• NAT translation table.
• TCP connection states.
  • Page 236: Failover Health Monitoring

• Citrix authentication (Citrix users must reauthenticate after failover)
Note If failover occurs during an active Cisco IP SoftPhone session, the call remains active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client loses connection with the Cisco CallManager.
  • Page 237: Unit Health Monitoring

Broadcast Ping test—A ping test that consists of sending out a broadcast ping request. The unit then counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops.
  • Page 238: Failover Feature/Platform Matrix

(other than the ASA 5505) PIX 500 series security appliance
Failover Times by Platform
Table 14-5 shows the minimum, default, and maximum failover times for the PIX 500 series security appliance.
Table 14-5 PIX 500 series security appliance failover times
Failover Condition...
  • Page 239: Configuring Failover

The crypto ca server command and associated commands are not synchronized or replicated to the peer unit.
Configuring Active/Standby Failover
This section provides step-by-step procedures for configuring Active/Standby failover. This section includes the following topics:
  • Page 240: Prerequisites

Cable-based failover is only available on the PIX 500 series security appliance. To configure cable-based Active/Standby failover, perform the following steps:
Step 1 Connect the Failover cable to the PIX 500 series security appliances. Make sure that you attach the end of the cable marked “Primary”...
  • Page 241: Configuring Lan-Based Active/Standby Failover

This section describes how to configure Active/Standby failover using an Ethernet failover link. When configuring LAN-based failover, you must bootstrap the secondary device to recognize the failover link before the secondary device can obtain the running configuration from the primary device.
  • Page 242 hostname/context(config-if)#, where context is the name of the current context. You must enter a management IP address for each context in transparent firewall multiple context mode.
Step 2 (PIX 500 series security appliance only) Enable LAN-based failover:
hostname(config)# failover lan enable
  • Page 243 Note If the Stateful Failover link uses the failover link or a data interface, skip this step. You have already enabled the interface.
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 6 Enable failover:
hostname(config)# failover
  • Page 244 For multiple context mode, all steps are performed in the system execution space unless noted otherwise. To configure the secondary unit, perform the following steps:
Step 1 (PIX 500 series security appliance only) Enable LAN-based failover:
hostname(config)# failover lan enable
Define the failover interface. Use the same settings as you used for the primary unit.
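The following is an added example, not configuration from the guide, that completes the LAN-based Active/Standby procedure above for both units of an ASA 5500 pair: primary configuration with a dedicated Stateful Failover link, standby addresses on every data interface, tightened poll timers and an authenticated failover key, followed by the minimal bootstrap the secondary needs before it pulls the rest from the primary. Interface names, addresses and the key are assumptions.

```cisco
! Added example, not from the guide: LAN-based Active/Standby failover on an
! ASA 5500 pair. Interface names, addresses and the key are assumptions.
!
! ---- Primary unit ----
! (PIX 500 series only, before anything else: failover lan enable)
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.2
! Separate stateful link so state replication cannot starve failover hellos.
failover link statelink GigabitEthernet0/3
failover interface ip statelink 10.0.5.1 255.255.255.0 standby 10.0.5.2
! Shared secret: without it the entire configuration, VPN pre-shared keys and
! passwords included, is replicated to the peer in clear text.
failover key 7h1s-1s-n0t-th3-r34l-k3y
! The physical failover interfaces carry no nameif; just bring them up.
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
! Every monitored data interface needs a standby address so the peer can
! run its interface tests.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.201.2 255.255.255.224 standby 209.165.201.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
! Faster detection: 200 ms unit hellos, peer declared down after 800 ms.
failover polltime unit msec 200 holdtime msec 800
failover polltime interface 3
failover
write memory
!
! ---- Secondary unit (bootstrap only; everything else arrives from the primary) ----
failover lan unit secondary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.2
failover key 7h1s-1s-n0t-th3-r34l-k3y
interface GigabitEthernet0/2
 no shutdown
failover
! Then, on the active unit: write memory (replicated to the standby) and
! confirm with show failover that the peer reports Standby Ready.
```

The key must be identical on both units and typed on the secondary before failover is enabled there; if it is left off the secondary, the units never pair and the configuration is never replicated.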
  • Page 245: Configuring Optional Active/Standby Failover Settings

For units in single configuration mode, use the following commands to enable or disable health monitoring for specific interfaces:
• To disable health monitoring for an interface, enter the following command in global configuration mode:
hostname(config)# no monitor-interface if_name
  • Page 246 MAC addresses the failover pair uses the burned-in NIC addresses as the MAC addresses. You cannot configure a virtual MAC address for the failover or Stateful Failover links.
Note The MAC and IP addresses for those links do not change during failover.
  • Page 247: Configuring Active/Active Failover

Active/Active failover is not available on the ASA 5505 adaptive security appliance. This section includes the following topics:
• Prerequisites, page 14-27
• Configuring Cable-Based Active/Active Failover (PIX 500 series security appliance), page 14-27
• Configuring LAN-Based Active/Active Failover, page 14-29
  • Page 248 Step 1 Connect the failover cable to the PIX 500 series security appliances. Make sure that you attach the end of the cable marked “Primary” to the unit you use as the primary unit, and that you attach the end of the cable marked “Secondary”...
  • Page 249: Configuring Lan-Based Active/Active Failover

LAN-based failover, you must bootstrap the secondary device to recognize the failover link before the secondary device can obtain the running configuration from the primary device. This section includes the following topics:
  • Page 250 Step 2 Configure the basic failover parameters in the system execution space.
(PIX 500 series security appliance only) Enable LAN-based failover:
hostname(config)# failover lan enable
Designate the unit as the primary unit:
hostname(config)# failover lan unit primary
  • Page 251 Assign each user context to a failover group using the join-failover-group command in context configuration mode. Any unassigned contexts are automatically assigned to failover group 1. The admin context is always a member of failover group 1.
  • Page 252 This allows the secondary unit to communicate with and receive the running configuration from the primary unit. To bootstrap the secondary unit in an Active/Active failover configuration, perform the following steps:
Step 1 (PIX 500 series security appliance only) Enable LAN-based failover:
hostname(config)# failover lan enable
Step 2 Define the failover interface.
  • Page 253: Configuring Optional Active/Active Failover Settings

[delay] You can enter an optional delay value, which specifies the number of seconds the failover group remains active on the current unit before automatically becoming active on the designated unit.
  • Page 254 By default, if a single interface fails, failover occurs. You can specify a specific number of interfaces or a percentage of monitored interfaces that must fail before a failover occurs. The failover criteria are specified on a failover group basis.
  • Page 255 This most commonly occurs when the two security appliances in an Active/Active failover pair are connected to different service providers and the outbound connection does not use a NAT address.
  • Page 256 You can have more than one ASR group configured on the security appliance, but only one per interface. Only members of the same ASR group are checked for session information.
  • Page 257 ...GigabitEthernet0/1
failover link folink
failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11
failover group 1
 primary
failover group 2
 secondary
admin-context admin
context admin
 description admin
  • Page 258 192.168.1.2, where it can then return through the interface on the unit from which it originated (192.168.1.1 on SecAppA). This forwarding continues as needed until the session ends.
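The following is an added example, not configuration from the guide, that fills in the LAN-based Active/Active procedure and the asymmetric routing (ASR) setting described in the pages above as one working system: two failover groups with preemption and an interface-failure threshold, contexts joined to those groups, the two ISP contexts' outside interfaces placed in the same ASR group so a return flow arriving on the other unit is forwarded to the unit that owns the session, and the secondary unit's bootstrap. Context names, VLANs, addresses and the key are assumptions.

```cisco
! Added example, not from the guide: Active/Active failover in multiple
! context mode with ASR groups. Names, VLANs, addresses and the key are
! assumptions.
!
! ---- System execution space, primary unit ----
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.2
 vlan 2
interface GigabitEthernet0/0.3
 vlan 3
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.2
 vlan 12
interface GigabitEthernet0/1.3
 vlan 13
interface Management0/0
 no shutdown
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11
! State replication rides the failover link here; a separate link is better.
failover link folink
! Authenticate and encrypt the failover channel.
failover key Sh4r3d-F41l0v3r-S3cr3t
failover group 1
 primary
 preempt
 replication http
failover group 2
 secondary
 preempt 30
 interface-policy 50%
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
 join-failover-group 1
context ctx_isp_a
 allocate-interface GigabitEthernet0/0.2
 allocate-interface GigabitEthernet0/1.2
 config-url disk0:/ctx_isp_a.cfg
 join-failover-group 1
context ctx_isp_b
 allocate-interface GigabitEthernet0/0.3
 allocate-interface GigabitEthernet0/1.3
 config-url disk0:/ctx_isp_b.cfg
 join-failover-group 2
failover
!
! ---- Inside each ISP context: outside interfaces share ASR group 1 ----
! (changeto context ctx_isp_a)
interface GigabitEthernet0/0.2
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 asr-group 1
! (changeto context ctx_isp_b)
interface GigabitEthernet0/0.3
 nameif outside
 security-level 0
 ip address 192.168.2.2 255.255.255.0 standby 192.168.2.1
 asr-group 1
!
! ---- Secondary unit bootstrap (system execution space) ----
failover lan unit secondary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11
failover key Sh4r3d-F41l0v3r-S3cr3t
interface GigabitEthernet0/3
 no shutdown
failover
```

Group 1 (admin plus ctx_isp_a) is active on the primary and group 2 (ctx_isp_b) on the secondary, so both units carry traffic. The asr-group entries are what make that safe when the providers route asymmetrically: a packet for a session owned by the other unit is handed across the failover link instead of being dropped as a stateless TCP segment.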
  • Page 259: Configuring Unit Health Monitoring

You can encrypt and authenticate the communication between failover peers by specifying a shared secret or hexadecimal key. Without a key, everything replicated over the failover and Stateful Failover links, including the running configuration with its passwords and any VPN preshared keys, is sent in clear text.
Note On the PIX 500 series security appliance, if you are using the dedicated serial failover cable to connect the units, then communication over the failover link is not encrypted even if a failover key is configured.
  • Page 260: Verifying The Failover Configuration

This host: Primary - Active
Active time: 13434 (sec)
Interface inside (10.130.9.3): Normal
Interface outside (10.132.9.3): Normal
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface inside (10.130.9.4): Normal
Interface outside (10.132.9.4): Normal
  • Page 261 Interface inside (192.168.0.11): Normal
Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj xmit xerr rerr
RPC services
TCP conn
UDP conn
ARP tbl
Xlate_Timeout
GTP PDP
GTP PDPMCB
SIP Session
  • Page 262 The amount of time the unit has been active. This time is cumulative, so the standby unit, if it was active in the past, also shows a value.
slot x Information about the module in the slot or empty.
  • Page 263 Dynamic UDP connection information.
ARP tbl Dynamic ARP table information.
L2BRIDGE tbl Layer 2 bridge table information (transparent firewall mode only).
Xlate_Timeout Indicates connection translation timeout information.
VPN IKE upd IKE connection information.
  • Page 264 Interface inside (10.130.8.5): Normal
admin Interface fourth (10.130.9.5): Normal
ctx1 Interface outside (10.1.1.1): Normal
ctx1 Interface inside (10.2.2.1): Normal
ctx2 Interface outside (10.3.3.2): Normal
ctx2 Interface inside (10.4.4.2): Normal
Other host: Secondary
  • Page 265 Interface outside (192.168.5.121): Normal
admin Interface inside (192.168.0.1): Normal
Other host: Primary
State: Standby
Active time: 0 (sec)
admin Interface outside (192.168.5.131): Normal
admin Interface inside (192.168.0.11): Normal
Stateful Failover Logical Update Statistics
  • Page 266 Active Time in seconds
• Group 1 State Active or Standby Ready
• Group 2 State Active Time in seconds
slot x Information about the module in the slot or empty.
  • Page 267 Dynamic UDP connection information.
ARP tbl Dynamic ARP table information.
L2BRIDGE tbl Layer 2 bridge table information (transparent firewall mode only).
Xlate_Timeout Indicates connection translation timeout information.
VPN IKE upd IKE connection information.
  • Page 268: Viewing Monitored Interfaces

All of the failover commands are displayed. On units running multiple context mode, enter this command in the system execution space. Entering show running-config all failover displays the failover commands in the running configuration and includes commands for which you have not changed the default value.
  • Page 269: Testing The Failover Functionality

To force the standby unit or failover group to become active, enter one of the following commands:
• For Active/Standby failover: Enter the following command on the standby unit:
hostname# failover active
Or, enter the following command on the active unit:
  • Page 270: Disabling Failover

Monitoring Failover
When a failover occurs, both security appliances send out system messages. This section includes the following topics:
• Failover System Messages, page 14-51
  • Page 271: Failover System Messages

411002 messages. This is normal activity.
Debug Messages
To see debug messages, enter the debug fover command. See the Cisco Security Appliance Command Reference for more information.
Note Because debugging output is assigned high priority in the CPU process, it can drastically affect system performance.
  • Page 272: Changing Command Modes

The result would be that your session to the device remains in interface configuration mode, while commands entered using failover exec active are sent to router configuration mode for the specified routing process.
hostname(config-if)# failover exec active router ospf 100
hostname(config-if)#
  • Page 273: Security Considerations

• You cannot enter recursive failover exec commands, such as failover exec mate failover exec mate command.
• Commands that require user input or confirmation must use the /noconfirm option.
  • Page 274: Auto Update Server Support In Failover Configurations

– If hitless upgrade cannot be performed when the standby unit boots, then both units reload at the same time.
If only the secondary (standby) unit has a new image, then only the secondary unit reloads. The primary unit waits until the secondary unit finishes reloading.
  • Page 275: Monitoring The Auto Update Process

Fover copyfile, seq = 4 type = 1, pseq = 8001, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 8501, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 9001, len = 1024
  • Page 276 %PIX|ASA-4-612002: Auto Update failed: file version: version reason: reason
The file is “image”, “asdm”, or “configuration”, depending on which update failed. The version is the version number of the update. And the reason is the reason the update failed.
  • Page 277: Configuring The Firewall

PART Configuring the Firewall
  • Page 279: Routed Mode Overview

• An Inside User Visits a Web Server, page 15-2
• An Outside User Visits a Web Server on the DMZ, page 15-3
• An Inside User Visits a Web Server on the DMZ, page 15-4
  • Page 280: An Inside User Visits A Web Server

The security appliance translates the local source address (10.1.2.27) to the global address 209.165.201.10, which is on the outside interface subnet. The global address could be on any subnet, but routing is simplified when it is on the outside interface subnet.
  • Page 281: An Outside User Visits A Web Server On The Dmz

In this case, the classifier “knows” that the DMZ web server address belongs to a certain context because of the server address translation.
  • Page 282: An Inside User Visits A Web Server On The Dmz

The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
  • Page 283: An Outside User Attempts To Access An Inside Host

The security appliance receives the packet and because it is a new session, the security appliance verifies if the packet is allowed according to the security policy (access lists, filters, AAA).
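The following is an added example, not configuration from the guide, that expresses the routed-mode scenarios walked through above as an 8.0 (pre-8.3) NAT and access policy: inside users are translated to 209.165.201.10 on their way out, the DMZ web server is published with a static translation that the outside access list references by its mapped address, and an outside or DMZ host attempting to reach an inside host is refused because no access list permits it. The inside addresses follow the text; the DMZ server's real address, the interface names and the access list names are assumptions.

```cisco
! Added example, not from the guide: the routed-mode topology described
! above as pre-8.3 NAT and access lists. The DMZ server address and the
! interface and ACL names are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.201.1 255.255.255.224
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.2.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
! Inside users leaving toward the outside share the global address
! 209.165.201.10 (a single address, so this is PAT).
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 209.165.201.10
! Inside users reaching the DMZ keep their real addresses (identity NAT).
static (inside,dmz) 10.1.2.0 10.1.2.0 netmask 255.255.255.0
! Publish the DMZ web server 10.1.1.3 to the outside as 209.165.201.3.
static (dmz,outside) 209.165.201.3 10.1.1.3 netmask 255.255.255.255
!
! Outside may reach only the published server, only on HTTP. In 8.0 the
! access list names the mapped (translated) address.
access-list outside_in extended permit tcp any host 209.165.201.3 eq www
access-list outside_in extended deny ip any any
access-group outside_in in interface outside
!
! DMZ hosts may go out to the Internet but must never initiate toward inside.
! Applying an ACL replaces the security-level default, so say both explicitly.
access-list dmz_in extended deny ip any 10.1.2.0 255.255.255.0
access-list dmz_in extended permit ip any any
access-group dmz_in in interface dmz
```

Two points this makes concrete: there is no translation or rule that exposes any inside host, which is why the "outside user attempts to access an inside host" case is dropped before any lookup, and the DMZ list denies inside explicitly rather than relying on the security-level default, so a later "permit ip any any" added for some DMZ service cannot quietly open the inside network.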
  • Page 284: A Dmz User Attempts To Access An Inside Host

“stealth firewall,” and is not seen as a router hop to connected devices. This section describes transparent firewall mode, and includes the following topics:
• Transparent Firewall Network, page 15-7
• Allowing Layer 3 Traffic, page 15-7
  • Page 285: Transparent Firewall Network

    The transparent mode security appliance does not pass CDP packets or IPv6 packets, or any packets that Note do not have a valid EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS packets. An exception is made for BPDUs, which are supported. Cisco Security Appliance Command Line Configuration Guide 15-7 OL-12172-03...
  • Page 286: Mac Address Vs. Route Lookups

    For example, if the real destination address is not directly-connected to the security appliance, then you need to add a static route on the security appliance for the real destination address that points to the downstream router. Cisco Security Appliance Command Line Configuration Guide 15-8 OL-12172-03...
  • Page 287: Using the Transparent Firewall in Your Network

    • The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.
  • Page 288: Unsupported Features in Transparent Mode

    You can pass VPN traffic through the security appliance using an extended access list, but it does not terminate non-management connections. WebVPN is also not supported.
  • Page 289: How Data Moves Through the Transparent Firewall

    • An Inside User Visits a Web Server Using NAT, page 15-13
    • An Outside User Visits a Web Server on the Inside Network, page 15-14
    • An Outside User Attempts to Access an Inside Host, page 15-15
  • Page 290: An Inside User Visits a Web Server

    The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The security appliance forwards the packet to the inside user.
  • Page 291: An Inside User Visits a Web Server Using NAT

    MAC address by sending an ARP request and a ping. The first packet is dropped. The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection.
  • Page 292: An Outside User Visits a Web Server on the Inside Network

    If the destination MAC address is in its table, the security appliance forwards the packet out of the inside interface. The destination MAC address is that of the downstream router, 209.186.201.1.
  • Page 293: An Outside User Attempts to Access an Inside Host

    The packet is denied, and the security appliance drops the packet. If the outside user is attempting to attack the inside network, the security appliance employs many technologies to determine if a packet is valid for an already established session.
  • Page 295: Access List Overview

    • Access List Types, page 16-2
    • Access Control Entry Order, page 16-2
    • Access Control Implicit Deny, page 16-3
    • IP Addresses Used for Access Lists When You Use NAT, page 16-3
  • Page 296: Access List Types

    After a match is found, no more ACEs are checked. For example, if you create an ACE at the beginning of an access list that explicitly permits all traffic, no further statements are ever checked.
  • Page 297: Access Control Implicit Deny

    (Figure: IP Addresses in Access Lists: NAT Used for Source Addresses. An inbound ACL on the inside interface permits 10.1.1.0/24 to the outside host 209.165.200.225; 10.1.1.0/24 is translated to 209.165.201.4:port.) See the following commands for this example:
    hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225
  • Page 298
    (Figure: static NAT of inside host 10.1.1.34 to 209.165.201.5, reached from outside host 209.165.200.225.) See the following commands for this example:
    hostname(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5
    hostname(config)# access-group OUTSIDE in interface outside
  • Page 299: Adding an Extended Access List

    This section describes how to identify the parameters within the command. To use object groups, see the “Simplifying Access Lists with Object Grouping” section on page 16-11.
  • Page 300: Allowing Broadcast and Multicast Traffic Through the Transparent Firewall

    Adding an Extended ACE
    When you enter the access-list command for a given access list name, the ACE is added to the end of the access list unless you specify the line number.
  • Page 301 ICMP types. When you specify a network mask, the method is different from the Cisco IOS software access-list command. The security appliance uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
  • Page 302: Adding an EtherType Access List

    802.3-formatted frames are not handled by the access list because they use a length field as opposed to a type field. BPDUs, which are handled by the access list, are the only exception: they are SNAP-encapsulated, and the security appliance is designed to specifically handle BPDUs.
  • Page 303: IPv6 Unsupported

    TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.) On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the security appliance.
  • Page 304: Adding an EtherType ACE

    The following command adds a standard ACE. To add another ACE at the end of the access list, enter another access-list command specifying the same access list name. Apply the access list using the “Defining Route Maps” section on page 9-6.
  • Page 305: Adding a Webtype Access List

    • TrustedHosts—Includes the host and network addresses allowed access to the greatest range of services and servers
    • PublicServers—Includes the host addresses of servers to which the greatest access is provided
  • Page 306: Adding Object Groups

    To include all IP protocols, use the keyword ip. For a list of protocols you can specify, see the “Protocols and Applications” section on page D-11.
  • Page 307 You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.
  • Page 308 Step 1 To add an ICMP type group, enter the following command:
    hostname(config)# object-group icmp-type grp_id
    The grp_id is a text string up to 64 characters in length. The prompt changes to ICMP type configuration mode.
  • Page 309: Nesting Object Groups

    10.1.2.8
    hostname(config-network)# network-object host 10.1.2.12
    hostname(config-network)# object-group network finance
    hostname(config-network)# network-object host 10.1.4.89
    hostname(config-network)# network-object host 10.1.4.100
    You then nest all three groups together as follows:
    hostname(config)# object-group network admin
  • Page 310: Using Object Groups with an Access List

    10.1.1.4
    hostname(config-network)# network-object host 10.1.1.78
    hostname(config-network)# network-object host 10.1.1.89
    hostname(config-network)# object-group network web
    hostname(config-network)# network-object host 209.165.201.29
    hostname(config-network)# network-object host 209.165.201.16
    hostname(config-network)# network-object host 209.165.201.78
  • Page 311: Displaying Object Groups

    If you enter the remark before any access-list command, then the remark is the first line in the access list. If you delete an access list using the no access-list access_list_name command, then all the remarks are also removed.
  • Page 312: Scheduling Extended Access List Activation

    The time is in the format hh:mm. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m. The date is in the format day month year; for example, 1 january 2006.
  • Page 313: Applying the Time Range to an ACE

    106023 for each denied packet, in the following form:
    %ASA|PIX-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_id
  • Page 314: Configuring Logging for an Access Control Entry

    For connectionless protocols, such as ICMP, all packets are logged even if they are permitted, and all denied packets are logged. See the Cisco Security Appliance Logging Configuration and System Log Messages for detailed information about this system message.
  • Page 315: Managing Deny Flows

    CPU resources. When you reach the maximum number of deny flows, the security appliance issues system message 106100:
    %ASA|PIX-1-106101: The number of ACL log deny-flows has reached limit (number).
  • Page 316
    • To set the amount of time between system messages (number 106101) that identify that the maximum number of deny flows was reached, enter the following command:
    hostname(config)# access-list alert-interval secs
    The seconds are between 1 and 3600. 300 is the default.
  • Page 317: Configuring NAT

    The security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues. The exception is when you enable NAT control. NAT control requires that packets traversing from a higher security interface (inside) to a lower security
  • Page 318: NAT in Routed Mode

    10.1.1.1.27 before sending it to the host.
    Figure 17-1 NAT Example: Routed Mode (web server www.cisco.com reached through the outside interface 209.165.201.2; the originating packet from inside host 10.1.2.27 is translated to 209.165.201.10, and the translation is undone on the responding packet; inside interface 10.1.2.1)
  • Page 319: NAT in Transparent Mode

    The security appliance then undoes the translation of the mapped address, 209.165.201.10, back to the real address, 10.1.1.1.27. Because the real address is directly connected, the security appliance sends it directly to the host.
  • Page 320: NAT Control

    NAT to translate the inside host address, as shown in Figure 17-3.
    Figure 17-3 NAT Control and Outbound Traffic (addresses shown: 10.1.1.1 and 10.1.2.1 on the inside, 209.165.201.1 on the outside; No NAT)
  • Page 321 MAC addresses for shared interfaces. See the “How the Security Appliance Classifies Packets” section on page 3-3 for more information about the relationship between the classifier and NAT.
  • Page 322: NAT Types

    IP address after the translation times out. For an example, see the timeout xlate command in the Cisco Security Appliance Command Reference. Users on the destination network, therefore, cannot initiate a reliable connection to a host that uses dynamic NAT, even if the connection is allowed by an access list, and the security appliance rejects any attempt to connect to a real host address directly.
  • Page 323 Note access list allows it. Because the address is unpredictable, a connection to the host is unlikely. Nevertheless, in this case, you can rely on the security of the access list.
  • Page 324: PAT

    NAT, and a persistent translation rule exists, static NAT allows hosts on the destination network to initiate traffic to a translated host (if an access list exists that allows it).
  • Page 325: Static PAT

    See the following commands for this example:
    hostname(config)# static (inside,outside) tcp 209.165.201.3 ftp 10.1.2.27 ftp netmask 255.255.255.255
    hostname(config)# static (inside,outside) tcp 209.165.201.3 http 10.1.2.28 http netmask 255.255.255.255
    hostname(config)# static (inside,outside) tcp 209.165.201.3 smtp 10.1.2.29 smtp netmask 255.255.255.255
  • Page 326: Bypassing NAT When NAT Control Is Enabled

    NAT, you can translate the real address to mapped address A when it accesses server A, but translate the real address to mapped address B when it accesses server B.
  • Page 327
    NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
    hostname(config)# nat (inside) 1 access-list NET1
    hostname(config)# global (outside) 1 209.165.202.129
    hostname(config)# nat (inside) 2 access-list NET2
    hostname(config)# global (outside) 2 209.165.202.130
  • Page 328 NAT access list specifies the real addresses and the destination addresses, but for traffic originated on the remote network, the access list identifies the real addresses and the source addresses of remote hosts that are allowed to connect to the host using this translation.
  • Page 329: NAT and Same Security Level Interfaces

    (even when NAT control is not enabled). Traffic identified for static NAT is not affected. See the “Allowing Communication Between Interfaces on the Same Security Level” section on page 7-7 to enable same security communication.
  • Page 330: Order of NAT Commands Used to Match Real Addresses

    If the mapped interface is passive (not advertising routes) or you are using static routing, then you need to add a static route on the upstream router that sends traffic destined for the mapped addresses to the security appliance.
  • Page 331: DNS and NAT

    DNS server, and not the mapped address. When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10). The security appliance refers to the static statement for the inside server and translates the address inside the DNS reply to 10.1.3.14.
  • Page 332: Configuring NAT Control

    Note If a user on a different network (for example, DMZ) also requests the IP address for ftp.cisco.com from the outside DNS server, then the IP address in the DNS reply is also modified for this user, even though the user is not on the Inside interface referenced by the static command.
  • Page 333: Using Dynamic NAT and PAT

    (Figure: dynamic NAT. NAT 1 identifies the inside network 10.1.2.0/24; global 1 on the outside is the pool 209.165.201.3-209.165.201.10; inside host 10.1.2.27 is translated to 209.165.201.3.) See the following commands for this example:
    hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
    hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
  • Page 334
    (Figure: dynamic NAT from the inside and DMZ interfaces; addresses shown include inside host 10.1.2.27 on NAT 1 network 10.1.2.0/24, DMZ host 10.1.1.15, and mapped address 209.165.201.3.) See the following commands for this example:
    hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
    hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
    hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
  • Page 335 17-17). If you use policy NAT, you can specify the same real addresses for multiple nat commands, as long as the destination addresses and ports are unique in each access list.
  • Page 336 PAT statement in case all the dynamic NAT addresses are depleted. Similarly, you might enter two PAT statements if you need more than the approximately 64,000 PAT sessions that a single PAT mapped statement supports (see Figure 17-18).
  • Page 337 17-19). Note that for outside NAT (DMZ interface to Inside interface), the inside host uses a static command to allow outside access, so both the source and destination addresses are translated.
  • Page 338 If you do apply outside NAT, then the preceding NAT requirements come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected.
  • Page 339: Configuring Dynamic NAT or PAT

    However, clearing the translation table disconnects all current connections that use translations. To configure dynamic NAT or PAT, perform the following steps:
    Step 1 To identify the real addresses that you want to translate, enter one of the following commands:
  • Page 340 (mapped_interface) nat_id {mapped_ip[-mapped_ip] | interface}
    This NAT ID should match a nat command NAT ID. The matching nat command identifies the addresses that you want to translate when they exit this interface.
  • Page 341
    TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23
    hostname(config)# nat (inside) 1 access-list WEB
    hostname(config)# global (outside) 1 209.165.202.129
    hostname(config)# nat (inside) 2 access-list TELNET
    hostname(config)# global (outside) 2 209.165.202.130
  • Page 342: Using Static NAT

    10.1.1.1 to the mapped address 192.168.1.1 when 10.1.1.1 sends traffic to the 209.165.200.224 network, the access-list and static commands are:
    hostname(config)# access-list TEST extended permit ip host 10.1.1.1 209.165.200.224 255.255.255.224
    hostname(config)# static (inside,outside) 192.168.1.1 access-list TEST
  • Page 343: Using Static PAT

    IP address, as well as the real port to a mapped port. You can choose to translate the real port to the same port, which lets you translate only specific types of traffic, or you can take it further by translating to a different port.
  • Page 344 10.1.1.1/Telnet to the mapped address 192.168.1.1/Telnet when 10.1.1.1 sends traffic to the 209.165.200.224 network, the access-list and static commands are:
    hostname(config)# access-list TEST extended permit tcp host 10.1.1.1 eq telnet 209.165.200.224 255.255.255.224
    hostname(config)# static (inside,outside) tcp 192.168.1.1 telnet access-list TEST
  • Page 345 PAT for outbound connections from the server.
    hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 255.255.255.255
    hostname(config)# nat (inside) 1 10.1.1.15 255.255.255.255
    hostname(config)# global (outside) 1 10.1.2.14
  • Page 346: Bypassing NAT

    Identity NAT translates the real IP address to the same IP address. Only “translated” hosts can create NAT translations, and responding traffic is allowed back. Figure 17-24 shows a typical identity NAT scenario.
    Figure 17-24 Identity NAT (inside hosts 209.165.201.1 and 209.165.201.2 appear on the outside with the same addresses, 209.165.201.1 and 209.165.201.2)
  • Page 347: Configuring Static Identity NAT

    Only dynamic translations created by the nat and global commands can be removed with the clear xlate command. To configure static identity NAT, enter one of the following commands:
    • To configure policy static identity NAT, enter the following command:
  • Page 348
    NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
    hostname(config)# access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224
    hostname(config)# static (inside,outside) 10.1.2.27 access-list NET1
    hostname(config)# static (inside,outside) 209.165.202.130 access-list NET2
  • Page 349: Configuring NAT Exemption

    To use dynamic outside NAT for a DMZ network, and exempt another DMZ network, enter the following command:
    hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
    hostname(config)# global (inside) 1 10.1.1.45
    hostname(config)# access-list EXEMPT permit ip 10.1.3.0 255.255.255.0 any
    hostname(config)# nat (dmz) 0 access-list EXEMPT
  • Page 350: NAT Examples

    This example shows static NAT. To configure static NAT for these two interfaces, perform the following steps. The 10.1.1.0/24 network on the DMZ is not translated.
  • Page 351 When the security appliance receives this packet, the security appliance translates the source address from 192.168.100.2 to 10.1.3.2. Then the security appliance translates the destination address from 10.1.2.2 to 192.168.100.2, and the packet is forwarded.
  • Page 352: Redirecting Ports

    (inside,outside) tcp 209.165.201.5 ftp 10.1.1.3 ftp netmask 255.255.255.255
    Step 4 Redirect HTTP requests for the security appliance outside interface address to 10.1.1.5 by entering the following command:
    hostname(config)# static (inside,outside) tcp interface www 10.1.1.5 www netmask 255.255.255.255
  • Page 353 Step 5 Redirect HTTP requests on port 8080 for PAT address 209.165.201.15 to 10.1.1.7 port 80 by entering the following command:
    hostname(config)# static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255
  • Page 355: Chapter 18 Permitting or Denying Network Access

    Rather than creating multiple inbound access lists to restrict access, you can create a single outbound access list that allows only the specified hosts
  • Page 356: Applying an Access List to an Interface

    You can apply one access list of each type (extended and EtherType) to both directions of the interface. See the “Inbound and Outbound Access List Overview” section on page 18-1 for more information about access list directions.
  • Page 357
    (config-service)# service-object tcp source range 2000 3000
    hostname (config-service)# service-object tcp source range 3000 3010 destinatio$
    hostname (config-service)# service-object ipsec
    hostname (config-service)# service-object udp destination range 1002 1006
    hostname (config-service)# service-object icmp echo
  • Page 358
    hostname(config)# access-list outsideacl extended permit object-group myaclog interface inside any
  • Page 359: Chapter 19 Applying AAA for Network Access

    This section includes the following topics:
    • Authentication Overview, page 19-2
    • Enabling Network Access Authentication, page 19-3
    • Enabling Secure Authentication of Web Clients, page 19-5
    • Authenticating Directly with the Security Appliance, page 19-6
  • Page 360: Authentication Overview

    A user at a given IP address only needs to authenticate one time for all rules and types, until the authentication session expires. (See the timeout uauth command in the Cisco Security Appliance Command Reference for timeout values.) For example, if you configure the security appliance to authenticate Telnet and FTP, and a user first successfully authenticates for Telnet, then as long as the authentication session exists, the user does not also have to authenticate for FTP.
  • Page 361: Static PAT and HTTP

    Then users do not see the authentication page. Instead, the security appliance sends to the web browser an error message indicating that the user must be authenticated prior to using the requested service.
    Enabling Network Access Authentication
    To enable network access authentication, perform the following steps:
  • Page 362 Note You can alternatively use the aaa authentication include command (which identifies traffic within the command). However, you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information.
    Step 4 (Optional) To enable the redirection method of authentication for HTTP or HTTPS connections, enter...
  • Page 363: Enabling Secure Authentication of Web Clients

    Secured web-client authentication has the following limitations:
    – A maximum of 16 concurrent HTTPS authentication sessions are allowed. If all 16 HTTPS authentication processes are running, a new connection requiring authentication will not succeed.
  • Page 364: Authenticating Directly with the Security Appliance

    HTTP server; you are not prompted separately for the HTTP server username and password. Assuming the username and password are not the same for the AAA and HTTP servers, the HTTP authentication fails.
  • Page 365: Enabling Direct Authentication Using Telnet

    Telnet IP address, even if NAT is not required (using the no nat-control command). An identity NAT command is typically used (where you translate the address to itself).
  • Page 366: Configuring Authorization for Network Access

    Because a user at a given IP address only needs to authenticate one time for all rules and types, if the authentication session hasn’t expired, authorization can occur even if the traffic is matched by an authentication statement.
  • Page 367 Note Alternatively, you can use the aaa authorization include command (which identifies traffic within the command), but you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information.
    The following commands authenticate and authorize inside Telnet traffic. Telnet traffic to servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires authorization.
  • Page 368: Configuring RADIUS Authorization

    • Configuring a RADIUS Server to Download Per-User Access Control List Names, page 19-14
    Configuring a RADIUS Server to Send Downloadable Access Control Lists
    This section describes how to configure Cisco Secure ACS or a third-party RADIUS server, and includes the following topics:
  • Page 369 Because the name of the downloadable access list includes the date and time it was last modified, matching the name sent by Cisco Secure ACS to the name of an access list previously downloaded means that the security appliance has the most recent version of the downloadable access list.
  • Page 370 An example of an attribute-value pair follows:
    ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
    If the access list required is more than approximately 4 KB in length, Cisco Secure ACS responds with an access-challenge message that contains a portion of the access list, formatted as described above, and a State attribute (IETF RADIUS attribute 24), which contains control data used by Cisco Secure ACS to track the progress of the download.
  • Page 371 If this parameter is omitted, the sequence value is 0, and the order of the ACEs inside the cisco-av-pair RADIUS VSA is used. The following example is an access list definition as it should be configured for a cisco-av-pair VSA on a RADIUS server:
    ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0...
  • Page 372: Configuring Accounting for Network Access

    Note In Cisco Secure ACS, the values for filter-id attributes are specified in boxes in the HTML interface, omitting filter-id= and entering only acl_name. For information about making the filter-id attribute value unique per user, see the documentation for your RADIUS server.
  • Page 373 Note Alternatively, you can use the aaa accounting include command (which identifies traffic within the command), but you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information.
    The following commands authenticate, authorize, and account for inside Telnet traffic. Telnet traffic to servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires...
  • Page 374: Using MAC Addresses to Exempt Traffic from Authentication and Authorization

    The following example bypasses authentication for a single MAC address:
    hostname(config)# mac-list abc permit 00a0.c95d.0282 ffff.ffff.ffff
    hostname(config)# aaa mac-exempt match abc
    The following entry bypasses authentication for all Cisco IP Phones, which have the hardware ID 0003.E3:
    hostname(config)# mac-list acd permit 0003.E300.0000 FFFF.FF00.0000
  • Page 375
    hostname(config)# mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffff
    hostname(config)# mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000
    hostname(config)# aaa mac-exempt match 1
  • Page 376 Chapter 19 Applying AAA for Network Access Using MAC Addresses to Exempt Traffic from Authentication and Authorization Cisco Security Appliance Command Line Configuration Guide 19-18 OL-12172-03...
  • Page 377: Chapter 20 Applying Filtering Services

    However, depending on the speed of your network and the capacity of your URL filtering server, the time required for the initial connection may be noticeably slower when filtering traffic with an external filtering server.
  • Page 378: Filtering Activex Objects

    (or in shortened form, 0) to specify all hosts. The following example specifies that ActiveX objects are blocked on all outbound connections: hostname(config)# filter activex 80 0 0 0 0
  • Page 379: Filtering Java Applets

    This command prevents host 192.168.3.3 from downloading Java applets. To remove the configuration, use the no form of the command, as in the following example: hostname(config)# no filter java http 192.168.3.3 255.255.255.255 0 0
  • Page 380: Filtering Urls And Ftp Requests With An External Server

    You can identify up to four filtering servers per context. The security appliance uses the servers in order until a server responds. You can only configure a single type of server (Websense or Secure Computing SmartFilter) in your configuration.
  • Page 381 To identify redundant Secure Computing SmartFilter servers, enter the following commands: hostname(config)# url-server (perimeter) vendor n2h2 host 10.0.1.1 hostname(config)# url-server (perimeter) vendor n2h2 host 10.0.1.2 This identifies two Sentian filtering servers, both on a perimeter interface of the security appliance.
  • Page 382: Buffering The Content Server Response

    Replace size with a value for the cache size within the range 1 to 128 (KB). Use the dst keyword to cache entries based on the URL destination address. Select this mode if all users share the same URL filtering policy on the Websense server.
  • Page 383: Filtering Http Urls

    By default, if a URL exceeds the maximum permitted size, then it is dropped. To avoid this, you can set the security appliance to truncate a long URL by entering the following command:
  • Page 384: Exempting Traffic From Filtering

    Replace port[-port] with a range of port numbers if a different port than the default port for HTTPS (443) is used. Replace local_ip and local_mask with the IP address and subnet mask of a user or subnetwork making requests.
  • Page 385: Filtering Ftp Requests

    • Viewing Filtering Server Statistics, page 20-10 • Viewing Buffer Configuration and Statistics, page 20-11 • Viewing Caching Statistics, page 20-11 • Viewing Filtering Performance Statistics, page 20-11 • Viewing Filtering Configuration, page 20-12
  • Page 386: Viewing Filtering Server Statistics

    Response time average 60s/300s URL Packets Sent and Received Stats: ------------------------------------ Message Sent Received STATUS_REQUEST 1609 1601 LOOKUP_REQUEST 1526 1526 LOG_REQUEST Errors: ------- RFC noncompliant GET method URL buffer update failure
  • Page 387: Viewing Buffer Configuration And Statistics

    The following is sample output from the show perfmon command: hostname# show perfmon PERFMON STATS: Current Average Xlates Connections TCP Conns UDP Conns URL Access URL Server Req TCP Fixup TCPIntercept HTTP Fixup
  • Page 388: Viewing Filtering Configuration

    URL Access and URL Server Req rows. Viewing Filtering Configuration The following is sample output from the show running-config filter command: hostname# show running-config filter filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
  • Page 389: Chapter 21 Using Modular Policy Framework

    Using a Layer 3/4 Class Map” section on page 21-2. (Application inspection only) Define special actions for application inspection traffic. See the “Configuring Special Actions for Application Inspections” section on page 21-6.
  • Page 390: Default Global Policy

    You can create multiple Layer 3/4 class maps for each Layer 3/4 policy map. You can create the following types of class maps: • Creating a Layer 3/4 Class Map for Through Traffic, page 21-3 • Creating a Layer 3/4 Class Map for Management Traffic, page 21-5
  • Page 391: Creating A Layer 3/4 Class Map For Through Traffic

    Not all applications whose ports are included in the match default-inspection-traffic command are enabled by default in the policy map.
  • Page 392 "This class-map matches all HTTP traffic" hostname(config-cmap)# match port tcp eq http hostname(config-cmap)# class-map to_server hostname(config-cmap)# description "This class-map matches all traffic to server 10.1.1.1" hostname(config-cmap)# match access-list host_foo
  • Page 393: Creating A Layer 3/4 Class Map For Management Traffic

    For a list of ports you can specify, see the “TCP and UDP Ports” section on page D-11. For example, enter the following command to match TCP packets on port 80 (HTTP): hostname(config-cmap)# match tcp eq 80
  • Page 394: Configuring Special Actions For Application Inspections

    You can use a regular expression to match the content of certain application traffic; for example, you can match a URL string inside an HTTP packet.
  • Page 395 Use Ctrl+V to escape all of the special characters in the CLI, such as question mark (?) or a tab. For example, type d[Ctrl+V]g to enter d?g in the configuration. See the regex command in the Cisco Security Appliance Command Reference for performance impact information when matching a regular expression to packets.
  • Page 396 If the regular expression does not match the input text, you see the following message: INFO: Regular expression match failed. Step 2 To add a regular expression after you tested it, enter the following command:
  • Page 397: Creating A Regular Expression Class Map

    Traffic matches the class map if it includes the string “example.com” or “example2.com.” hostname(config)# regex url_example example\.com hostname(config)# regex url_example2 example2\.com hostname(config)# class-map type regex match-any URLs hostname(config-cmap)# match regex url_example hostname(config-cmap)# match regex url_example2
  • Page 398: Identifying Traffic In An Inspection Class Map

    The following example creates an HTTP class map that must match all criteria: hostname(config-cmap)# class-map type inspect http match-all http-traffic hostname(config-cmap)# match req-resp content-type mismatch hostname(config-cmap)# match request body length gt 1000 hostname(config-cmap)# match not request uri regex class URLs
  • Page 399: Defining Actions In An Inspection Policy Map

    The drop-connection keyword drops the packet and closes the connection. The mask keyword masks out the matching portion of the packet. The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server and/or client.
  • Page 401: Defining Actions Using A Layer 3/4 Policy Map

    Adding a Layer 3/4 Policy Map, page 21-16 Layer 3/4 Policy Map Overview This section describes how Layer 3/4 policy maps work, and includes the following topics: • Policy Map Guidelines, page 21-14
  • Page 402: Policy Map Guidelines

    Because the policy is applied to all interfaces, the policy will be applied in both directions, so bidirectionality in this case is redundant.
  • Page 403: Feature Matching Guidelines Within A Policy Map

    IPS inspection on the inside and outside interfaces, but the inside policy uses virtual sensor 1 while the outside policy uses virtual sensor 2, then a non-stateful Ping will match virtual sensor 1 outbound, but will match virtual sensor 2 inbound.
  • Page 404: Order In Which Multiple Feature Actions Are Applied

    Adding a Layer 3/4 Policy Map The maximum number of policy maps is 64. To create a Layer 3/4 policy map, perform the following steps:
  • Page 405 The following example shows how multi-match works in a policy map: hostname(config)# class-map inspection_default hostname(config-cmap)# match default-inspection-traffic hostname(config)# class-map http_traffic hostname(config-cmap)# match port tcp eq 80 hostname(config)# policy-map outside_policy hostname(config-pmap)# class inspection_default
  • Page 406: Applying A Layer 3/4 Policy To An Interface Using A Service Policy

    The default service policy includes the following command: service-policy global_policy global For example, the following command enables the inbound_policy policy map on the outside interface:
  • Page 407: Modular Policy Framework Examples

    See the following commands for this example: hostname(config)# class-map http_traffic hostname(config-cmap)# match port tcp eq 80 hostname(config)# policy-map http_traffic_policy hostname(config-pmap)# class http_traffic hostname(config-pmap-c)# inspect http hostname(config-pmap-c)# police output 250000 hostname(config)# service-policy http_traffic_policy interface outside
  • Page 408: Applying Inspection To Http Traffic Globally

    Host A See the following commands for this example: hostname(config)# class-map http_traffic hostname(config-cmap)# match port tcp eq 80 hostname(config)# policy-map http_traffic_policy hostname(config-pmap)# class http_traffic hostname(config-pmap-c)# inspect http hostname(config)# service-policy http_traffic_policy global
  • Page 409: Applying Inspection And Connection Limits To Http Traffic To Specific Servers

    100 hostname(config)# policy-map policy_serverB hostname(config-pmap)# class http_serverB hostname(config-pmap-c)# inspect http hostname(config)# service-policy policy_serverB interface inside hostname(config)# service-policy policy_serverA interface outside
  • Page 410: Applying Inspection To Http Traffic With Nat

    192.168.1.1 any eq 80 hostname(config)# class-map http_client hostname(config-cmap)# match access-list http_client hostname(config)# policy-map http_client hostname(config-pmap)# class http_client hostname(config-pmap-c)# inspect http hostname(config)# service-policy http_client interface inside
  • Page 411: Chapter 22 Managing The Aip Ssm And Csc Ssm

    For information about the 4GE SSM for the ASA 5000 series adaptive security appliance, see Chapter 5, “Configuring Ethernet Settings, Redundant Interfaces, and Subinterfaces”. Note The Cisco PIX 500 series security appliances do not support SSMs. This chapter includes the following sections: • Managing the AIP SSM, page 22-1...
  • Page 412: How The Aip Ssm Works With The Adaptive Security Appliance

    IPS inspection can continue through the adaptive security appliance without first passing through, and being inspected by, the AIP SSM. This mode is the most secure because
  • Page 413: Using Virtual Sensors

    See the IPS documentation for more information about virtual sensors, including the maximum number of sensors supported. Figure 22-3 shows one security context paired with one virtual sensor (in inline mode), while two security contexts share the same virtual sensor.
  • Page 414: Aip Ssm Procedure Overview

    Virtual Sensors to Security Contexts” section on page 22-6. On the ASA 5500 series adaptive security appliance, identify traffic to divert to the AIP SSM. See “Diverting Traffic to the AIP SSM” section on page 22-8.
  • Page 415: Sessioning To The Aip Ssm

    If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to export@cisco.com.
  • Page 416: Configuring The Security Policy On The Aip Ssm

    Because the IPS software that runs on the AIP SSM is beyond the scope of this document, detailed configuration information is available in the following documents: • Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface • Command Reference for Cisco Intrusion Prevention System...
  • Page 418: Diverting Traffic To The Aip Ssm

    AIP SSM, you get an error, and the command is rejected. Step 4 (Optional) To divert another class of traffic to the AIP SSM, and set the IPS policy, enter the following commands: hostname(config-pmap-c)# class class_map_name2
  • Page 419: Managing The Csc Ssm

    Managing the CSC SSM This section includes the following topics: • About the CSC SSM, page 22-10
  • Page 420: About The Csc Ssm

    CSC SSM software, you access the web-based GUI for the CSC SSM by clicking links within ASDM. For instructions on use of the CSC SSM GUI, see the Trend Micro InterScan for Cisco CSC SSM Administrator Guide.
  • Page 421 Failover. The connections that a CSC SSM is scanning are dropped when the security appliance in which the CSC SSM is installed fails. When the standby adaptive security appliance becomes active, it will forward the scanned traffic to the CSC SSM and the connections will be reset.
  • Page 422: Getting Started With The Csc Ssm

    To configure the adaptive security appliance and the CSC SSM, follow these steps: Step 1 If the CSC SSM did not come pre-installed in a Cisco ASA 5500 series adaptive security appliance, install it and connect a network cable to the management port of the SSM. For assistance with installation...
  • Page 423: Determining What Traffic To Scan

    Before you modify them or enter advanced configuration settings, review the Trend Micro InterScan for Cisco CSC SSM Administrator Guide. You review the content security policies by viewing the enabled features in the CSC SSM GUI. The availability of features depends on the license level you have purchased.
  • Page 424 One approach is to define two service policies, one on the inside interface and the other on the outside interface, each with an access list that matches traffic to be scanned. The following access list can be used on the policy applied to the inside interface:
  • Page 425: Limiting Connections Through The Csc Ssm

    You can use the set connection command to thwart DoS attacks. After you configure a per-client maximum that can be supported by hosts likely to be attacked, malicious clients will be unable to overwhelm hosts on protected networks.
  • Page 426: Diverting Traffic To The Csc Ssm

    If you want to enforce a per-client limit for simultaneous connections that the adaptive security appliance diverts to the CSC SSM, use the set connection command, as follows: hostname(config-pmap-c)# set connection per-client-max n
  • Page 427 192.168.20.0 255.255.255.0 eq 25 hostname access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80 hostname class-map csc_inbound_class
  • Page 428: Checking Ssm Status

    CSC SSM installed. hostname# show module 1 details Getting details from the Service Module, please wait... ASA 5500 Series Security Services Module-20 Model: ASA-SSM-20 Hardware version: Serial Number: Firmware version: 1.0(10)0
  • Page 429: Transferring An Image Onto An Ssm

    Image URL: tftp://10.21.18.1/ids-oldimg Port IP Address: 10.1.2.10 Port Mask: 255.255.255.0 Gateway IP Address: 10.1.2.254 To create or modify the recovery configuration, use the hw-module module recover command with the configure keyword:
  • Page 430 Note If the SSM supports configuration backups and you want to restore the configuration of the application running on the SSM, see the documentation of the specified SSM for details.
  • Page 431: Chapter 23 Preventing Network Attacks

    This section includes the following topics: • Basic Threat Detection Overview, page 23-2 • Configuring Basic Threat Detection, page 23-2 • Managing Basic Threat Statistics, page 23-4
  • Page 432: Basic Threat Detection Overview

    To disable basic threat detection, enter the no threat-detection basic-threat command. Table 23-1 lists the default settings. You can view all these default settings using the show running-config all threat-detection command.
  • Page 433 The rate-interval rate_interval argument is between 600 seconds and 2592000 seconds (30 days). The rate interval is used to determine the length of time over which to average the drops. It also determines the burst threshold rate interval (see below).
  • Page 434: Managing Basic Threat Statistics

    The following is sample output from the show threat-detection rate command: hostname# show threat-detection rate Average(eps) Current(eps) Trigger Total events 10-min ACL drop: 1-hour ACL drop: 1-hour SYN attck: 21438 10-min Scanning:
  • Page 435: Configuring Scanning Threat Detection

    (Optional) To change the default event limit for when the security appliance identifies a host as an attacker or as a target, enter the following command: hostname(config)# threat-detection rate scanning-threat rate-interval rate_interval average-rate av_rate burst-rate burst_rate
  • Page 436: Managing Shunned Hosts

    To release a host from being shunned, enter the following command: hostname# clear threat-detection shun [ ip_address [ mask ]] If you do not specify an IP address, all hosts are cleared from the shun list.
  • Page 437: Viewing Attackers And Targets

    Access list statistics are only displayed using the show threat-detection top access-list command. • To enable statistics for hosts, enter the following command: hostname(config)# threat-detection statistics host
  • Page 438: Viewing Threat Statistics

    UDP (protocol 17) are not included in the display for IP protocols; TCP and UDP ports are, however, included in the display for ports. If you only enable statistics for one of these types, port or protocol, then you will only view the enabled statistics.
  • Page 439 1-hour Sent pkts: 8-hour Sent pkts: 24-hour Sent pkts: 20-min Sent drop: 1-hour Sent drop: 1-hour Recv byte: 8-hour Recv byte: 24-hour Recv byte: 1-hour Recv pkts: Table 23-3 shows each field description.
  • Page 440 Shows the number of times the dropped packet rate limits were exceeded. For valid traffic identified in the sent and received bytes and packets rows, this value is always 0, because there are no rate limits to trigger for valid traffic.
  • Page 441: Configuring Tcp Normalization

    • Allow packets whose data length exceeds the TCP maximum segment size. The default is to drop these packets, so use this command to allow them. hostname(config-tcp-map)# exceed-mss {allow | drop}
  • Page 442 To the endpoint host, however, it is the first packet that has been received by the attacker. In this case, an attacker is able to succeed without security preventing the attack.
  • Page 444: Configuring Connection Limits And Timeouts

    3-way handshake packets to provide selective ACK and other TCP options for WebVPN connections. To disable TCP Intercept for management traffic, you can set the embryonic connection limit; only after the embryonic connection limit is reached is TCP Intercept enabled.
  • Page 445: Dead Connection Detection Overview

    {[conn-max number ] [embryonic-conn-max number ] [per-client-embryonic-max number ] [per-client-max number ] [random-sequence-number {enable | disable}]} where number is an integer between 0 and 65535. The default is 0, which means no limit on connections.
  • Page 446: Preventing Ip Spoofing

    Reverse Path Forwarding. For any traffic that you want to allow through the security appliance, the security appliance routing table must include a route back to the source address. See RFC 2267 for more information.
  • Page 447: Configuring The Fragment Size

    To shun a connection manually, perform the following steps: Step 1 If necessary, view information about the connection by entering the following command: hostname# show conn The security appliance shows information about each connection, such as the following:
  • Page 448: Configuring Ip Audit For Basic Ips Support

    Step 3 ip audit interface interface_name policy_name Step 4 To disable signatures, or for more information about signatures, see the ip audit signature command in the Cisco Security Appliance Command Reference.
  • Page 449: Chapter 24 Applying Qos Policies

    A flow can be defined in a number of ways. In the security appliance, QoS can apply to a combination of source and destination IP addresses, source and destination port number, and the TOS byte of the IP header.
  • Page 450: Qos Concepts

    Associating actions with each traffic class to formulate policies. Activating the policies. The specification of a classification policy—that is, the definition of traffic classes—is separate from the specification of the policies that act on the results of the classification.
  • Page 451 (priority-queue command) on each named, physical interface transmitting prioritized traffic. The following example enables a default priority-queue with the default queue-limit and tx-ring-limit: priority-queue name-interface The following sections explain each of these uses in more detail.
  • Page 452: Identifying Traffic For Qos

    By creating a class-map (named “host-specific”), you can then police the “host-specific” class before the LAN-to-LAN connection polices the tunnel. In this example, the “host-specific” traffic is rate-limited before the tunnel, then the tunnel is rate-limited:
  • Page 453: Defining A Qos Policy Map

    The following table summarizes the match command criteria available and relevant to QoS. For the full list of all match commands and their syntax, see Cisco Security Appliance Command Reference: Command Description match access-list Matches, by name or number, access list traffic within a class map.
  • Page 454: Applying Rate Limiting

    LAN-to-LAN VPN flow if there is no police command defined for tunnel-group of LAN-to-LAN VPN. In other words, the policing values of class-default are never applied to the individual flow of a LAN-to-LAN VPN that exists before encryption.
  • Page 455: Activating The Service Policy

    Using the policy-map example in the previous section, the following service-policy command activates the policy-map “qos,” defined in the previous section, for traffic on the outside interface: hostname(config)# service-policy qos interface outside
  • Page 456: Applying Low Latency Queueing

    The queue-limit command specifies a maximum number of packets that can be queued to a priority queue before it drops data. This limit must be in the range of 0 through 2048 packets.
  • Page 457: Reducing Queue Latency

    Step 2 Create a class map or modify an existing class map to identify traffic that you want to police or to identify as priority traffic. Use the class-map command to do so, as follows: hostname(config)# class-map class_map_name hostname(config-cmap)#
  • Page 458 • command. hostname(config-pmap-c)# priority Note Priority queuing does not occur automatically to traffic marked as priority. To enable priority queuing, you must complete Step 8 also, which enables the priority queues.
  • Page 459 For details about priority queuing, see the “Applying Low Latency Queueing” section on page 24-8 and the priority command page in the Cisco Security Appliance Command Reference. • If you want the security appliance to police the traffic selected by the class map, enter the police...
  • Page 460: Viewing Qos Configuration

    Class-map: browse police Interface outside: cir 56000 bps, bc 10500 bytes conformed 10065 packets, 12621510 bytes; actions: transmit exceeded 499 packets, 625146 bytes; actions: drop conformed 5600 bps, exceed 5016 bps
  • Page 461: Viewing Qos Policy Map Configuration

    The following is sample output from the show running-config priority-queue command for the interface named “test”: hostname(config)# show running-config priority-queue test priority-queue test queue-limit 2048 tx-ring-limit 256 hostname(config)#
  • Page 462: Viewing Qos Statistics

    EXEC mode: hostname# show service-policy priority Note This is the same command you use to view configuration of policies that include the priority keyword.
  • Page 463: Viewing Qos Priority Queue Statistics

    • “Packets Enqueued” denotes the overall number of packets that have been queued in this queue. • “Current Q Length” denotes the current depth of this queue. • “Max Q Length” denotes the maximum depth that ever occurred in this queue.
  • Page 465: Chapter 25 Configuring Application Layer Protocol Inspection

    • ICMP Inspection, page 25-52 • ICMP Error Inspection, page 25-52 ILS Inspection, page 25-52 • MGCP Inspection, page 25-53 • NetBIOS Inspection, page 25-58 • PPTP Inspection, page 25-60 • Cisco Security Appliance Command Line Configuration Guide 25-1 OL-12172-03...
  • Page 466: Inspection Engine Overview

    When you enable application inspection for a service that uses dynamically assigned ports, the security appliance monitors sessions to identify the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session. Cisco Security Appliance Command Line Configuration Guide 25-2 OL-12172-03...
  • Page 467: Inspection Limitations

    ICMP ERROR — — — All ICMP traffic is matched in the default class map. ILS (LDAP) TCP/389 No PAT. — — MGCP UDP/2427, — RFC 2705bis-05 — 2727 Cisco Security Appliance Command Line Configuration Guide 25-3 OL-12172-03...
  • Page 468 The default policy configuration includes the following commands: class-map inspection_default match default-inspection-traffic policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras Cisco Security Appliance Command Line Configuration Guide 25-4 OL-12172-03...
  • Page 469: Configuring Application Inspection

    For example, to limit inspection to traffic from 10.1.1.0 to 192.168.1.0 using the default class map, enter the following commands:
    hostname(config)# access-list inspect extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    hostname(config)# class-map inspection_default
    hostname(config-cmap)# match access-list inspect
    View the entire class map using the following command:
  • Page 470

    25-76.
    Step 3: To add or edit a Layer 3/4 policy map that sets the actions to take with the class map traffic, enter the following command:
    hostname(config)# policy-map name
  • Page 471

    If you added an ESMTP inspection policy map according to the “Configuring an ESMTP Inspection Policy Map for Additional Inspection Control” section on page 25-24, identify the map name in this command.
  • Page 472

    If you added a NetBIOS inspection policy map according to the “Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control” section on page 25-58, identify the map name in this command.
    pptp —
  • Page 473

    By default, the default policy map, “global_policy,” is applied globally. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
  • Page 474: Ctiqbe Inspection

    • Cisco IP SoftPhone requires the Cisco CallManager IP address to be specified explicitly in its Cisco TSP configuration on the PC.
    • When using PAT or Outside PAT, if the Cisco CallManager IP address is to be translated, its TCP...
  • Page 475: Verifying And Monitoring Ctiqbe Inspection

    CTIQBE session setup across the security appliance. It is established between an internal CTI device (for example, a Cisco IP SoftPhone) at local address 10.0.0.99 and an external Cisco CallManager at 172.29.1.77, where TCP port 2748 is the Cisco CallManager. The heartbeat interval for the session is 120 seconds.
  • Page 476: Dcerpc Inspection

    Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
    Step 2: (Optional) To add a description to the policy map, enter the following command:
    hostname(config-pmap)# description string
  • Page 477: Dns Inspection

    This section describes DNS application inspection. This section includes the following topics:
    • How DNS Application Inspection Works, page 25-14
    • How DNS Rewrite Works, page 25-14
    • Configuring DNS Rewrite, page 25-15
    • Verifying and Monitoring DNS Inspection, page 25-20
  • Page 478: How Dns Application Inspection Works

    As long as DNS inspection remains enabled, you can configure DNS rewrite using the alias, static, or nat commands. For details about the configuration required, see the “Configuring DNS Rewrite” section on page 25-15.
  • Page 479: Configuring Dns Rewrite

    This section includes the following topics:
    • Using the Static Command for DNS Rewrite, page 25-16
  • Page 480: Using The Static Command For Dns Rewrite

    • For detailed syntax and additional functions for the alias, nat, and static commands, see the appropriate command page in the Cisco Security Appliance Command Reference.
    Using the Static Command for DNS Rewrite
    The static command causes addresses on an IP network residing on a specific interface to be translated into addresses on another IP network on a different interface.
  • Page 481: Dns Rewrite With Three Nat Zones

    DNS inspection allows NAT to operate transparently with a DNS server with minimal configuration. For configuration instructions for scenarios like this one, see the “Configuring DNS Rewrite with Three NAT Zones” section on page 25-19.
  • Page 482

    The host running the web client sends the DNS server a request for the IP address of server.example.com. The DNS server responds with the IP address 209.165.200.225 in the reply.
  • Page 483: Configuring Dns Rewrite With Three Nat Zones

    TCP port that the web server listens to for HTTP requests.
    Step 3: Apply the access list created in Step 2 to the outside interface. To do so, use the access-group command, as follows:
    hostname(config)# access-group acl-name in interface outside
  • Page 484: Verifying And Monitoring Dns Inspection

    To display the statistics for DNS application inspection, enter the show service-policy command. The following is sample output from the show service-policy command:
    hostname# show service-policy
    Interface outside:
      Service-policy: sample_policy
        Class-map: dns_port
          Inspect: dns maximum-length 1500, packet 0, drop 0, reset-drop 0
  • Page 485: Configuring A Dns Inspection Policy Map For Additional Inspection Control

    The CLI enters class-map configuration mode, where you can enter one or more match commands.
    (Optional) To add a description to the class map, enter the following command:
    hostname(config-cmap)# description string
  • Page 486

    • Specify traffic directly in the policy map using one of the match commands described in Step
    If you use a match not command, then any traffic that does not match the criterion in the match not command has the action applied.
  • Page 487 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate } Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 488: Esmtp Inspection

    To apply actions to matching traffic, perform the following steps.
    Step 5: Specify the traffic on which you want to perform actions using one of the following methods:
  • Page 489 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate } Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 490: Ftp Inspection

    “Configuring an FTP Inspection Policy Map for Additional Inspection Control” section on page 25-27.
    After you enable the strict option on an interface, FTP inspection enforces the following behavior:
  • Page 491: Configuring An Ftp Inspection Policy Map For Additional Inspection Control

    FTP commands, then create and configure an FTP map. You can then apply the FTP map when you enable FTP inspection according to the “Configuring Application Inspection” section on page 25-5.
    To create an FTP map, perform the following steps:
  • Page 492

    [not] request-command ftp_command [ftp_command ...]
    Where ftp_command is one or more FTP commands that you want to restrict. See Table 25-3 for a list of the FTP commands that you can restrict.
  • Page 493

    Specify the traffic on which you want to perform actions using one of the following methods:
    • Specify the FTP class map that you created in Step 3 by entering the following command:
      hostname(config-pmap)# class class_map_name
      hostname(config-pmap-c)#
  • Page 494 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate } Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 495: Verifying And Monitoring Ftp Inspection

    Internet. The GGSN is the interface between the GPRS wireless data network and other networks. The SGSN performs mobility, data session management, and data compression (see Figure 25-3).
  • Page 496: Configuring A Gtp Inspection Policy Map For Additional Inspection Control

    GTP map, which is preconfigured with the following default values:
    • request-queue 200
    • timeout gsn 0:30:00
    • timeout pdp-context 0:30:00
    • timeout request 0:01:00
  • Page 497

    IMSI Prefix filtering. The MCC and MNC in the IMSI of the received packet are compared with the MCC/MNC configured with this command, and the packet is dropped if they do not match.
  • Page 498

    Use the object-group command to define a new network object group that will represent the SGSN that sends GTP requests to the GSN pool.
    hostname(config)# object-group network SGSN-name
    hostname(config-network)#
    For example, the following command creates an object group named sgsn32:
  • Page 499

    The gsn keyword specifies the period of inactivity after which a GSN will be removed. The pdp-context keyword specifies the maximum period of time allowed before beginning to receive the PDP context.
  • Page 500: Verifying And Monitoring Gtp Inspection

    Verifying and Monitoring GTP Inspection To display GTP configuration, enter the show service-policy inspect gtp command in privileged EXEC mode. For the detailed syntax for this command, see the command page in the Cisco Security Appliance Command Reference. Use the show service-policy inspect gtp statistics command to show the statistics for GTP inspection.
  • Page 501: H.323 Inspection

    • H.323 Inspection Overview, page 25-38
    • How H.323 Works, page 25-38
    • Limitations and Restrictions, page 25-39
    • Configuring H.323 and H.225 Timeout Values, page 25-42
    • Verifying and Monitoring H.323 Inspection, page 25-42
  • Page 502: H.323 Inspection Overview

    H.323 inspection provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union for multimedia conferences over LANs. The security appliance supports H.323 through Version 4, including the H.323 v3 feature Multiple Calls on One Call Signaling Channel.
  • Page 503: Limitations And Restrictions

  • Page 504

    Specify the action you want to perform on the matching traffic by entering the following command:
    hostname(config-pmap-c)# {[drop [send-protocol-error] | drop-connection [send-protocol-error] | mask | reset] [log] | rate-limit message_rate}
  • Page 505

    Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available. The drop keyword drops all packets that match.
  • Page 506: Configuring H.323 And H.225 Timeout Values

    If they are not, then there is a problem that needs to be investigated.
  • Page 507: Monitoring H.245 Sessions

    The second LCN of 259 has a foreign RTP IP address/port pair of 172.30.254.203/49606 and an RTCP IP address/port pair of 172.30.254.203/49607, with a local RTP IP address/port pair of 10.130.56.3/49606 and an RTCP port of 49607.
  • Page 508: Monitoring H.323 Ras Sessions

    Control”), can help prevent attackers from using HTTP messages for circumventing network security policy. It verifies the following for all HTTP messages:
    • Conformance to RFC 2616
    • Use of RFC-defined methods only.
    • Compliance with the additional criteria.
  • Page 509: Configuring An Http Inspection Policy Map For Additional Inspection Control

    HTTP request message, enter the following command:
    hostname(config-cmap)# match [not] req-resp content-type mismatch
    (Optional) To match text found in the HTTP request message arguments, enter the following command:
  • Page 510

    [not] response header {[field] [regex [regex_name | class regex_class_name]] | [length gt max_length_bytes | count gt max_count]}
  • Page 511 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate } Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 512: Instant Messaging Inspection

    This section describes the IM inspection engine. This section includes the following topics:
    • IM Inspection Overview, page 25-49
    • Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control, page 25-49
  • Page 513: Im Inspection Overview

    Where the string is the description of the class map (up to 200 characters).
    (Optional) To match traffic of a specific IM protocol, such as Yahoo or MSN, enter the following command:
    hostname(config-cmap)# match [not] protocol {im-yahoo | im-msn}
  • Page 514

    Step 5: (Optional) To add a description to the policy map, enter the following command:
    hostname(config-pmap)# description string
    Step 6: Specify the traffic on which you want to perform actions using one of the following methods:
  • Page 516: Icmp Inspection

    The security appliance supports NAT for ILS, which is used to register and locate endpoints in the ILS or SiteServer Directory. PAT cannot be supported because only IP addresses are stored by an LDAP database.
  • Page 517: Mgcp Inspection

    This section describes MGCP application inspection. This section includes the following topics:
    • MGCP Inspection Overview, page 25-54
    • Configuring an MGCP Inspection Policy Map for Additional Inspection Control, page 25-56
    • Configuring MGCP Timeout Values, page 25-57
  • Page 518: Mgcp Inspection Overview

    Figure 25-4 illustrates how NAT can be used with MGCP.
  • Page 519

    Response header, optionally followed by a session description.
    • The port on which the gateway receives commands from the call agent. Gateways usually listen to UDP port 2427.
  • Page 520: Configuring An Mgcp Inspection Policy Map For Additional Inspection Control

    MGCP end points to register with the call agent. To configure the gateways, enter the following command for each gateway:
    hostname(config-pmap-p)# gateway ip_address group_id
  • Page 521: Configuring Mgcp Timeout Values

    The timeout mgcp-pat command lets you set the timeout for PAT xlates. Because MGCP does not have a keepalive mechanism, if you use non-Cisco MGCP gateways (call agents), the PAT xlates are torn down after the default timeout interval, which is 30 seconds.
  • Page 522: Netbios Inspection

    Specify the traffic on which you want to perform actions using one of the following methods:
    • Specify the NetBIOS class map that you created in Step 3 by entering the following command:
      hostname(config-pmap)# class class_map_name
      hostname(config-pmap-c)#
  • Page 523 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate } Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 524: Pptp Inspection

    If the shared secret is not configured, the security appliance does not need to validate the source of the message and will only check that the source IP address is one of the configured addresses allowed to send the RADIUS messages.
  • Page 525: Configuring A Radius Inspection Policy Map For Additional Inspection Control

    • Restrictions and Limitations, page 25-62
    RTSP Inspection Overview
    The RTSP inspection engine lets the security appliance pass RTSP packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections.
  • Page 526: Using Realplayer

    SDP files as part of HTTP or RTSP messages. Packets could be fragmented, and the security appliance cannot perform NAT on fragmented packets.
    • With Cisco IP/TV, the number of translates the security appliance performs on the SDP part of the...
  • Page 527: Configuring An Rtsp Inspection Policy Map For Additional Inspection Control

    • You can configure NAT for Apple QuickTime 4 or RealPlayer.
    • Cisco IP/TV only works with NAT if the Viewer and Content Manager are on the outside network and the server is on the inside network.
  • Page 528 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate } Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 529: Sip Inspection

    Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses. The following limitations and restrictions apply when using PAT with SIP:
  • Page 530: Sip Instant Messaging

    SIP application and be translated.
    The CLI enters class-map configuration mode, where you can enter one or more match commands.
    (Optional) To add a description to the class map, enter the following command:
    hostname(config-cmap)# description string
  • Page 531: Configuring A Sip Inspection Policy Map For Additional Inspection Control

    The CLI enters class-map configuration mode, where you can enter one or more match commands.
    (Optional) To add a description to the class map, enter the following command:
    hostname(config-cmap)# description string
  • Page 532

    Where length is the number of bytes the URI is greater than, 0 to 65536.
    Step 4: To create a SIP inspection policy map, enter the following command:
    hostname(config)# policy-map type inspect sip policy_map_name
    hostname(config-pmap)#
  • Page 533 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate } Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 534: Configuring Sip Timeout Values

    SIP control connection, enter the following command:
    hostname(config)# timeout sip hh:mm:ss
    This command configures the idle timeout after which a SIP control connection is closed.
  • Page 535: Verifying And Monitoring Sip Inspection

    This section describes SCCP application inspection. This section includes the following topics:
    • SCCP Inspection Overview, page 25-72
    • Supporting Cisco IP Phones, page 25-72
    • Restrictions and Limitations, page 25-72
    • Verifying and Monitoring SCCP Inspection, page 25-73
  • Page 536: Sccp Inspection Overview

    The security appliance also supports DHCP options 150 and 66, which it accomplishes by sending the location of a TFTP server to Cisco IP Phones and other DHCP clients. Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route.
  • Page 537: Verifying And Monitoring Sccp Inspection

    MEDIA 10.0.0.22/20798 172.18.1.11/22948
    The output indicates that a call has been established between two internal Cisco IP Phones. The RTP listening ports of the first and second phones are UDP 22948 and 20798 respectively. The following is sample output from the show xlate debug command for these Skinny connections:...
  • Page 538 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate } Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 539: Smtp And Extended Smtp Inspection

    SMTP commands must be at least four characters in length; must be terminated with carriage return and line feed; and must wait for a response before issuing the next reply.
  • Page 540: Snmp Inspection

    To specify the versions of SNMP to deny, enter the following command for each version:
    hostname(config-snmp-map)# deny version version
    hostname(config-snmp-map)#
    where version is 1, 2, 2c, or 3. The following example denies SNMP Versions 1 and 2:
    hostname(config)# snmp-map sample_map
    hostname(config-snmp-map)# deny version 1
  • Page 541: Sql*Net Inspection

    This section describes Sun RPC application inspection. This section includes the following topics:
    • Sun RPC Inspection Overview, page 25-78
    • Managing Sun RPC Services, page 25-78
    • Verifying and Monitoring Sun RPC Inspection, page 25-79
  • Page 542: Sun Rpc Inspection Overview

    To clear the active Sun RPC services, enter the following command:
    hostname(config)# clear sunrpc-server active
    This clears the pinholes that are opened by Sun RPC application inspection for specific services, such as NFS or NIS.
  • Page 543: Verifying And Monitoring Sun Rpc Inspection

    100003 3 tcp 2049 nfs
    100021 1 udp 32771 nlockmgr
    100021 3 udp 32771 nlockmgr
    100021 4 udp 32771 nlockmgr
    100021 1 tcp 32852 nlockmgr
    100021 3 tcp 32852 nlockmgr
    100021 4 tcp 32852 nlockmgr
  • Page 544: Tftp Inspection

    NAT fixup), and re-encrypts voice signaling traffic while all of the existing VoIP inspection functions for Skinny and SIP protocols are preserved. Once voice signaling is decrypted, the plaintext signaling message is passed to the existing inspection engines.
  • Page 545: Maximum Tls Proxy Sessions

    The security appliance acts as a TLS proxy between the Cisco IP Phone and Cisco Unified CallManager. The proxy is transparent for the voice calls between the phone and the Cisco Unified CallManager. Cisco...
  • Page 546: Configuring Tls Proxy

    We recommend that the security appliance use the same NTP server as the Cisco Unified CallManager cluster. The TLS handshake may fail due to certificate validation failure if the clock is out of sync between the security appliance and the Cisco Unified CallManager server.
  • Page 547

    CN=xxx;OU=yyy
    CN=xxx;O=zzz
    CN=xxx
    Step 4: Create an internal local CA to sign the LDC for Cisco IP Phones using the following commands, for example:
    hostname(config)# ! for the internal local LDC issuer
    hostname(config)# crypto ca trustpoint ldc_server
    hostname(config-ca-trustpoint)# enrollment self...
  • Page 548

    The default port number that the CTL Provider listens on is TCP 2444, which is the default CTL port on the Cisco Unified CallManager. Use the service port command to change the port number if a different port is used by the Cisco Unified CallManager cluster.
  • Page 549: Debugging Tls Proxy

    For the embedded local CA server LOCAL-CA-SERVER, use the following command to export its certificate, for example:
    hostname(config)# show crypto ca server certificate
    Save the output to a file and import the certificate on the Cisco Unified CallManager. For more information, see the Cisco Unified CallManager document: http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/5_0/iptp_adm/504/iptpch6.htm#wp1...
  • Page 550

    Maximum number of sessions: 1200
    TLS-Proxy 'sip_proxy': ref_cnt 1, seq# 3
      Server proxy:
        Trust-point: local_ccm
      Client proxy:
        Local dynamic certificate issuer: LOCAL-CA-SERVER
        Local dynamic certificate key-pair: phone_common
        Cipher suite: aes128-sha1 aes256-sha1
    Run-time proxies:
  • Page 551

    Certificate Usage: General Purpose
    Public Key Type: RSA (1024 bits)
    Issuer Name: cn=F1-ASA.default.domain.invalid
    Subject Name: cn=SEP0017593F50A8
    Validity Date:
      start date: 23:13:47 PDT Apr 16 2007
      end date: 23:13:47 PDT Apr 15 2008
    Associated Trustpoints:
  • Page 552: Ctl Client

    The CTL Client application supplied by Cisco Unified CallManager Release 5.1 and later supports a TLS proxy server (firewall) in the CTL file. Figure 25-6 through...
  • Page 553

    CTL entry for the security appliance as the TLS proxy has been added. The CTL entry is added after the CTL Client connects to the CTL Provider service on the security appliance and retrieves the proxy certificate.
  • Page 554: Xdmcp Inspection

    When XDMCP is used, the display is negotiated using IP addresses, which the security appliance can NAT if needed. XDMCP inspection does not support PAT.
  • Page 555: Chapter 26 Configuring Arp Inspection And Bridging Parameters

    If the ARP packet does not match any entries in the static ARP table, then you can set the security appliance to either forward the packet out all interfaces (flood), or to drop the packet.
  • Page 556: Adding A Static Arp Entry

    Where flood forwards non-matching ARP packets out all interfaces, and no-flood drops non-matching packets. The default setting is to flood non-matching packets.
    Note: To restrict ARP through the security appliance to only static entries, set this command to no-flood.
  • Page 557: Customizing The Mac Address Table

    One benefit to adding static entries is to guard against MAC spoofing. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry,
  • Page 558: Setting The Mac Address Timeout

    The following is sample output from the show mac-address-table command that shows the table for the inside interface:
    hostname# show mac-address-table inside
    interface   mac address      type      Time Left
    -----------------------------------------------------------------------
    inside      0010.7cbe.6101   static
  • Page 559

    inside      0009.7cbe.5101   dynamic
  • Page 561: Configuring Vpn

    PART Configuring VPN...
  • Page 563: Chapter 27 Configuring Ipsec And Isakmp

    It can also receive encapsulated packets from the public network, unencapsulate them, and send them to their final destination on the private network.
  • Page 564: Ipsec Overview

    A remote access VPN lets remote users securely access centralized network resources. The Cisco VPN client complies with the IPSec protocol and is specifically designed to work with the security appliance. However, the security appliance can establish IPSec connections with many protocol-compliant clients.
  • Page 565

    MD5 (HMAC variant)
    The default is SHA-1. MD5 has a smaller digest and is considered to be slightly faster than SHA-1. A successful (but extremely difficult) attack against MD5 has occurred; however, the HMAC variant IKE uses prevents this attack.
  • Page 566

    The higher the Diffie-Hellman group number, the greater the security. Cisco VPN Client Version 3.x or higher requires a minimum of Group 2. (If you configure DH Group 1, the Cisco VPN Client cannot connect.) AES support is available on security appliances licensed for VPN-3DES only.
  • Page 567: Configuring Isakmp Policies

    Specify the SA lifetime. This example sets a lifetime of 4 hours (14400 seconds). The default is 86400 seconds (24 hours).
    crypto isakmp policy priority lifetime seconds
    For example:
    hostname(config)# crypto isakmp policy 2 lifetime 14400
  • Page 568: Enabling Isakmp On The Outside Interface

    If you have disabled aggressive mode, and want to revert back to it, use the no form of the command. For example:
    hostname(config)# no crypto isakmp am-disable
    Note: Disabling aggressive mode prevents Cisco VPN clients from using preshared key authentication to establish tunnels to the security appliance. However, they may use certificate-based authentication (that is, ASA or RSA) to establish tunnels.
  • Page 569: Enabling IPSec over NAT-T

    NAT devices, and only encapsulates IPSec traffic when necessary. This feature is disabled by default. With the exception of the home zone on the Cisco ASA 5505, the security appliance can simultaneously support standard IPSec, IPSec over TCP, NAT-T, and IPSec over UDP, depending on the client with which it is exchanging data.
  • Page 570: Enabling IPSec over TCP

    NAT devices that do support IP fragmentation. Enabling IPSec over TCP IPSec over TCP enables a Cisco VPN client to operate in an environment in which standard ESP or ISAKMP cannot function, or can function only with modification to existing firewall rules. IPSec over TCP encapsulates both the ISAKMP and IPSec protocols within a TCP-like packet, and enables secure tunneling through both NAT and PAT devices and firewalls.
  • Page 571: Waiting for Active Sessions to Terminate Before Rebooting

    The security appliance can notify qualified peers (in LAN-to-LAN configurations), Cisco VPN clients and VPN 3002 hardware clients of sessions that are about to be disconnected. The peer or client receiving the alert decodes the reason and displays it in the event log or in a pop-up pane.
  • Page 572: Creating a Certificate Group Matching Rule and Policy

    Requiring only one criterion to match is equivalent to a logical OR operation. The following example enables mapping of certificate-based ISAKMP sessions to a tunnel group based on the content of the phase1 ISAKMP ID: hostname(config)# tunnel-group-map enable ike-id hostname(config)#
  • Page 573: Using the tunnel-group-map default-group Command

    IPSec SAs control the actual transmission of user traffic. SAs are unidirectional, but are generally established in pairs (inbound and outbound). The peers negotiate the settings to use for each SA. Each SA consists of the following:
  • Page 574: Understanding Transform Sets

    The ACL assigned to a crypto map consists of all of the ACEs that have the same access-list-name, as shown in the following command syntax: access-list access-list-name {deny | permit} ip source source-netmask destination destination-netmask
  • Page 575 Each ACE contains a permit or deny statement. Table 27-2 explains the special meanings of permit and deny ACEs in ACLs applied to crypto maps.
  • Page 576 Phase 2 SA. Note To route inbound, unencrypted traffic as clear text, insert deny ACEs before permit ACEs. Figure 27-1 shows an example LAN-to-LAN network of security appliances.
  • Page 577 The sequence number assigned to the crypto ACL determines its position in the evaluation sequence within the crypto map set.
  • Page 578 Redirection to the next crypto map in the crypto map set. Response when a packet either matches an ACE or fails to match all of the permit ACEs in a crypto map set.
  • Page 579 When it matches the packet to the permit ACE in that crypto map, it applies the associated IPSec security (strong encryption and frequent rekeying).
  • Page 580 A B permit A C permit B C permit C B permit A.3 B permit A.3 C Figure 27-3 maps the conceptual addresses shown in Figure 27-1 to real IP addresses.
  • Page 581 192.168.201.0 255.255.255.224 192.168.12.0 255.255.255.248 You can apply the same reasoning shown in the example network to use cascading ACLs to assign different security settings to different hosts or subnets protected by a Cisco security appliance.
  • Page 582: Applying Crypto Maps to Interfaces

    Regardless of whether the traffic is inbound or outbound, the security appliance evaluates traffic against the access lists assigned to an interface. You assign IPSec to an interface as follows: Step 1 Create the access lists to be used for IPSec.
  • Page 583 “mirror image” crypto access list at the remote peer. The crypto maps should also support common transforms and refer to the other system as a peer. This ensures correct processing of IPSec by both peers.
  • Page 584: Changing IPSec SA Lifetimes

    To create a basic IPSec configuration using a static crypto map, perform the following steps: Step 1 To create an access list to define the traffic to protect, enter the following command: access-list access-list-name {deny | permit} ip source source-netmask destination destination-netmask For example:
  • Page 585 10 set security-association lifetime seconds 2700 This example shortens the timed lifetime for the crypto map “mymap 10” to 2700 seconds (45 minutes). The traffic volume lifetime is not changed.
  • Page 586: Using Dynamic Crypto Maps

    VPN clients typically do not have static IP addresses; they require a dynamic crypto map to allow IPSec negotiation to occur. For example, the headend assigns the IP address to a Cisco VPN client during IKE negotiation, which the client then uses to negotiate IPSec SAs.
  • Page 587 Step 2 order of priority (highest priority first). crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 , [ transform-set-name2 , … transform-set-name9 ] For example: crypto dynamic-map dyn 10 set transform-set myset1 myset2
  • Page 588: Providing Site-to-Site Redundancy

    Viewing an IPSec Configuration Table 27-5 lists commands you can enter to view information about your IPSec configuration.
  • Page 589: Clearing Security Associations

    The clear configure crypto command includes arguments that let you remove elements of the crypto configuration, including IPSec, crypto maps, dynamic crypto maps, CA trustpoints, all certificates, certificate map configurations, and ISAKMP.
  • Page 590: Supporting the Nokia VPN Client

    Be aware that if you enter the clear configure crypto command without arguments, you remove the entire crypto configuration, including all certificates. For more information, see the clear configure crypto command in the Cisco Security Appliance Command Reference. Supporting the Nokia VPN Client The security appliance supports connections from Nokia VPN Clients on Nokia 92xx Communicator series phones using the Challenge/Response for Authenticated Cryptographic Keys (CRACK) protocol.
  • Page 591 CN, OU, O, C, St, L. To learn more about the Nokia services required to support the CRACK protocol on Nokia clients, and to ensure they are installed and configured properly, contact your local Nokia representative.
  • Page 593: Chapter 28 Configuring L2TP over IPSec

    L2TP with IPSec on the security appliance allows the LNS to interoperate with the Windows 2000 L2TP client. Interoperability with LACs from Cisco and other vendors is currently not supported. Only L2TP with IPSec is supported; native L2TP itself is not supported on the security appliance.
  • Page 594: IPSec Transport and Tunnel Modes

    Figure: IPSec in Tunnel and Transport Modes. Tunnel mode: New IP HDR | IPSec HDR | [IP HDR | Data] (original header and data encrypted). Transport mode: IP HDR | IPSec HDR | [Data] (data encrypted, original IP header kept).
  • Page 595: Configuring L2TP over IPSec Connections

    The security appliance does not establish an L2TP/IPSec tunnel with Windows 2000 if either the Cisco VPN Client Version 3.x or the Cisco VPN 3000 Client Version 2.5 is installed. Disable the Cisco VPN Service for the Cisco VPN Client Version 3.x, or the ANetIKE Service for the Cisco VPN 3000 Client Version 2.5 from the Services panel in Windows 2000 (click Start>Programs>Administrative...
  • Page 596 If the user is an L2TP client using Microsoft CHAP, Version 1 or Version 2, and the security appliance is configured to authenticate against the local database, you must include the mschap keyword. For example: hostname(config)# username t_wmith password eu5d93h mschap
  • Page 597: Tunnel Group Switching

    : 70.208.1.212 Protocol : L2TPOverIPSec Encryption : 3DES Hashing : SHA1 Bytes Tx : 418464 Bytes Rx : 424440 Client Type Client Ver Group Policy : DfltGrpPolicy Tunnel Group : DefaultRAGroup
  • Page 598 Group Policy : DfltGrpPolicy Tunnel Group : l2tpcert Login Time : 14:35:15 UTC Thu Mar 30 2006 Duration : 0h:00m:07s Filter Name NAC Result : N/A Posture Token: IKE Sessions: 1
  • Page 599: Using L2TP Debug Commands

    The following example enables L2TP debug messages for connection events. The show debug command reveals that L2TP debug messages are enabled. hostname# debug l2tp event 1 hostname# show debug debug l2tp event enabled at level 1 hostname#
  • Page 600: Enabling IPSec Debug

    “%windir%\debug\oakley.log”. Getting Additional Information Additional information on various topics can be found at www.microsoft.com: http://support.microsoft.com/support/kb/articles/Q240/2/62.ASP How to Configure an L2TP/IPSec Connection Using Pre-Shared Keys Authentication: http://support.microsoft.com/support/kb/articles/Q253/4/98.ASP
  • Page 601 How to use a Windows 2000 Machine Certificate for L2TP over IPSec VPN Connections: http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp#heading3 How to Create a Custom MMC Console and Enabling Audit Policy for Your Computer: http://support.microsoft.com/support/kb/articles/Q259/3/35.ASP
  • Page 603: Chapter 29 Setting General IPSec VPN Parameters

    Using an ACL is more secure because you can specify the exact traffic you want to allow through the security appliance. The syntax is sysopt connection permit-ipsec. The command has no keywords or arguments. The following example enables IPSec traffic through the security appliance without checking ACLs:
  • Page 604: Permitting Intra-Interface Traffic

    For more information, see the “Configuring Interface Parameters” chapter of this guide. To use hairpinning, you must apply the proper NAT rules to the security appliance interface, as discussed in the following section.
  • Page 605: NAT Considerations for Intra-Interface Traffic

    For Windows clients, you can provide a mechanism for users to accomplish that update. For VPN 3002 hardware client users, the update occurs automatically, with no notification. This command applies only to the IPSec remote-access tunnel-group type.
  • Page 606 “salesgrp”. It designates the revision number, 4.7 and uses the TFTP protocol for retrieving the updated software from the site with the IP address 192.168.1.1: hostname(config)# tunnel-group salesgrp type ipsec-ra hostname(config)# tunnel-group salesgrp ipsec-attributes hostname(config-tunnel-ipsec)# client-update type vpn3002 url tftp:192.168.1.1 rev-nums hostname(config-tunnel-ipsec)#
  • Page 607: Understanding Load Balancing

    The virtual cluster master monitors all devices in the cluster, keeps track of how busy each is, and distributes the session load accordingly. The role of virtual cluster master is not
  • Page 608: Implementing Load Balancing

    In this way, the virtual cluster master directs traffic evenly and efficiently across resources. Note All clients other than the Cisco VPN Client or the Cisco 3002 Hardware Client should connect directly to the security appliance as usual; they do not use the virtual cluster IP address.
  • Page 609: Eligible Platforms

    • Cisco VPN 3002 Hardware Client (Release 3.5 or later)
    • Cisco PIX 501/506E when acting as an Easy VPN client.
    Load balancing works with both IPSec clients and WebVPN sessions. All other clients, including LAN-to-LAN connections, can connect to a security appliance on which load balancing is enabled, but they cannot participate in load balancing.
  • Page 610: Some Typical Mixed Cluster Scenarios

    If the cluster master fails, another peer assumes the role of master. The new master might be any of the eligible peers. Because of the innate unpredictability of the results, we recommend that you avoid configuring this type of cluster.
  • Page 611: Configuring Load Balancing

    Step 4 If you want to apply network address translation for this device, enter the nat command with the NAT assigned address for the device: hostname(config-load-balancing)# nat ip_address hostname(config-load-balancing)# For example, to assign this device a NAT address of 192.168.30.3, enter the following command: hostname(config-load-balancing)# nat 192.168.30.3 hostname(config-load-balancing)#
  • Page 612: Configuring the Load Balancing Cluster Attributes

    Load Balancing Cluster check box), and encryption is not enabled for the cluster. To use cluster encryption, you must enable isakmp on the inside interface, using the crypto isakmp enable command with the inside interface specified.
  • Page 613: Enabling Redirection Using a Fully-Qualified Domain Name

    The following is an example of a VPN load-balancing command sequence that includes an interface command that enables redirection for a fully-qualified domain name, specifies the public interface of the cluster as “test” and the private interface of the cluster as “foo”:
  • Page 614: Configuring VPN Session Limits

    The following example shows the command and the licensing information excerpted from the output of this command: hostname(config)# show version Cisco Adaptive Security Appliance Software Version 7.1(0)182 Device Manager Version 5.1(0)128 Licensed features for this platform:...
  • Page 615 To remove the session limit, use the no version of this command: hostname(config)# no vpn-sessiondb max-webvpn-session-limit hostname(config)# For a complete description of the features available with each license, see Appendix A, Feature Licenses and Specifications.
  • Page 617: Chapter 30 Configuring Connection Profiles, Group Policies, and Users

    VPNs seldom work that way. For example, you might allow a finance group to access one part of a private network, a customer support group to access another part,
  • Page 618: Connection Profiles

    Connection profiles specify the following attributes:
    • General Connection Profile Connection Parameters, page 30-3
    • IPSec Tunnel-Group Connection Parameters, page 30-4
    • Connection Profile Connection Parameters for Clientless SSL VPN Sessions, page 30-5
  • Page 619: General Connection Profile Connection Parameters

    • Authorization required—This parameter lets you require authorization before a user can connect, or turn off that requirement.
    • Authorization DN attributes—This parameter specifies which Distinguished Name attributes to use when performing authorization.
  • Page 620: IPSec Tunnel-Group Connection Parameters

    Cisco Secure PIX Firewall – Non-Cisco VPN clients do not support IKE keepalives. If you are configuring a group of mixed peers, and some of those peers support IKE keepalives and others do not, enable IKE keepalives for the entire group. The feature does not affect the peers that do not support it.
  • Page 621: Connection Profile Connection Parameters for Clientless SSL VPN Sessions

    Identifies the DNS server group that specifies the DNS server name, domain name, name server, number of retries, and timeout values for a DNS server to use for a connection profile.
  • Page 622: Configuring Connection Profiles

    Connection Profile Attributes for Clientless SSL VPN Command Function hic-fail-group-policy Specifies a VPN feature policy if you use the Cisco Secure Desktop Manager to set the Group-Based Policy attribute to “Use Failure Group-Policy” or “Use Success Group-Policy, if criteria match.” override-svc-download...
  • Page 623: Configuring IPSec Tunnel-Group General Attributes

    SSL VPN tunnels share most of the same general attributes. IPSec LAN-to-LAN tunnels use a subset. Refer to the Cisco Security Appliance Command Reference for complete descriptions of all commands. The following sections describe, in order, how to configure IPSec remote-access connection profiles, IPSec LAN-to-LAN connection profiles, and clientless SSL VPN connection profiles.
  • Page 624: Configuring IPSec Remote-Access Connection Profile General Attributes

    The name of the group policy can be up to 64 characters long. The following example sets DfltGrpPolicy as the name of the default group policy: hostname(config-tunnel-general)# default-group-policy DfltGrpPolicy hostname(config-tunnel-general)#
  • Page 625 The following example inherits the authentication server group from the default remote access group. hostname(config-group-policy)# no nac-authentication-server-group hostname(config-group-policy)# Note NAC requires a Cisco Trust Agent on the remote host. Specify whether to strip the group or the realm from the username before passing it on to the AAA server.
  • Page 626 Note The security appliance, releases 7.1 and later, generally supports password management for the AnyConnect VPN Client, the Cisco IPSec VPN Client, the SSL VPN full-tunneling client, and Clientless connections when authenticating with LDAP or with any RADIUS connection that supports MS-CHAPv2.
  • Page 627: Enabling IPv6 VPN Access

    GigabitEthernet0/0 hostname(config-if)# ipv6 enable To enable IPv6 SSL VPN, do the following general actions: Enable IPv6 on the outside interface. Enable IPv6 and an IPv6 address on the inside interface.
  • Page 628: Configuring IPSec Remote-Access Connection Profile IPSec Attributes

    To specify the attributes of an IPSec remote-access tunnel-group, enter tunnel-group ipsec-attributes mode by entering the following command. The prompt changes to indicate the mode change: hostname(config)# tunnel-group tunnel-group-name ipsec-attributes hostname(config-tunnel-ipsec)#
  • Page 629 For example, the following command sets the IKE keepalive threshold value to 15 seconds and sets the retry interval to 10 seconds: hostname(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10 hostname(config-tunnel-ipsec)# To disable IKE keepalives, enter the no form of the isakmp command:
  • Page 630: Configuring IPSec Remote-Access Connection Profile PPP Attributes

    Step 1 Enter tunnel-group ppp-attributes configuration mode, in which you configure the remote-access tunnel-group PPP attributes, by entering the following command. The prompt changes to indicate the mode change: hostname(config)# tunnel-group tunnel-group-name type remote-access hostname(config)# tunnel-group tunnel-group-name ppp-attributes hostname(config-tunnel-ppp)#
  • Page 631: Configuring LAN-to-LAN Connection Profiles

    While many of the parameters that you configure are the same as for IPSec remote-access connection profiles, LAN-to-LAN tunnels have fewer parameters. To configure a LAN-to-LAN connection profile, follow the steps in this section.
  • Page 632: Default LAN-to-LAN Connection Profile Configuration

    Step 2 Specify the name of the accounting-server group, if any, to use: hostname(config-tunnel-general)# accounting-server-group groupname hostname(config-tunnel-general)# For example, the following command specifies the use of the accounting-server group acctgserv1: hostname(config-tunnel-general)# accounting-server-group acctgserv1 hostname(config-tunnel-general)#
  • Page 633: Configuring LAN-to-LAN IPSec Attributes

    You can apply this attribute to all tunnel-group types. Step 5 Specify the name of a trustpoint that identifies the certificate to be sent to the IKE peer: hostname(config-tunnel-ipsec)# trust-point trust-point-name
  • Page 634 For example, the following commands enable hybrid XAUTH on the inside interface for a connection profile called example-group: hostname(config)# tunnel-group example-group type remote-access hostname(config)# tunnel-group example-group ipsec-attributes
  • Page 635: Configuring Connection Profiles for Clientless SSL VPN Sessions

    For example, to configure the authentication server group named test, and to provide fallback to the LOCAL server if the authentication server group fails, enter the following command: hostname(config-tunnel-general)# authentication-server-group test LOCAL hostname(config-tunnel-general)#
  • Page 636 Step 7 Use the aaa-server command to configure accounting servers. The maximum length of the group tag is 16 characters: hostname(config-tunnel-general)# accounting-server-group groupname hostname(config-tunnel-general)# For example, the following command specifies the use of the accounting-server group comptroller:
  • Page 637 If the server is an LDAP server, you can specify the number of days (0 through 180) before expiration to begin warning the user about the pending expiration: hostname(config-tunnel-general)# password-management [password-expire in days n ] hostname(config-tunnel-general)#
  • Page 638: Configuring Tunnel-Group Attributes for Clientless SSL VPN Sessions

    Step 2 To specify the authentication method to use: AAA, digital certificates, or both, enter the authentication command. You can specify either aaa or certificate or both, in any order. hostname(config-tunnel-webvpn)# authentication authentication_method hostname(config-tunnel-webvpn)#
  • Page 639 For example, to configure the server named nbnsprimary as the primary server and the server 192.168.2.2 as the secondary server, each allowing three retries and having a 5-second timeout, enter the following command: hostname(config)# name 192.168.2.1 nbnsprimary
  • Page 640 URL or alias: hostname(config-tunnel-webvpn)# group-url url [enable | disable] hostname(config-tunnel-webvpn)# For example, to enable the group URLs http://www.cisco.com and http://192.168.10.10 for the tunnel-group named RadiusServer, enter the following commands: hostname(config)# tunnel-group RadiusServer type webvpn
  • Page 641 Step 7 (Optional) To specify a VPN feature policy if you use the Cisco Secure Desktop Manager to set the Group-Based Policy attribute to “Use Failure Group-Policy” or “Use Success Group-Policy, if criteria match,” use the hic-fail-group-policy command. The default value is DfltGrpPolicy.
  • Page 642: Customizing Login Windows for Users of Clientless SSL VPN Sessions

    Step 3 In global configuration mode, create a tunnel-group for clientless SSL VPN sessions named sales: hostname# tunnel-group sales type webvpn hostname(config-tunnel-webvpn)# Step 4 Specify that you want to use the salesgui customization for this connection profile:
  • Page 643: Configuring Microsoft Active Directory Settings for Password Management

    • Using Active Directory to Override an Account Disabled AAA Indicator, page 30-30
    • Using Active Directory to Enforce Password Complexity, page 30-32
    The following sections assume that you are using an LDAP directory server for authentication.
  • Page 644: Using Active Directory to Force the User to Change Password at Next Logon

    30-1). Figure 30-1 Active Directory—Administrative Tools Menu Step 2 Right-click Username > Properties > Account. Step 3 Check the check box for User must change password at next logon (Figure 30-2).
  • Page 645: Using Active Directory to Specify Maximum Password Age

    Step 2 Double-click Maximum password age. This opens the Security Policy Setting dialog box. Step 3 Check the Define this policy setting check box and specify the maximum password age, in days, that you want to allow.
  • Page 646: Using Active Directory to Override an Account Disabled AAA Indicator

    Step 1 Select Start > Programs > Administrative Tools > Active Directory Users and Computers. Step 2 Right-click Username > Properties > Account and select Disable Account from the menu.
  • Page 647: Using Active Directory to Enforce Minimum Password Length

    Step 3 Double-click Minimum Password Length. This opens the Security Policy Setting dialog box. Step 4 Check the Define this policy setting check box and specify the minimum number of characters that the password must contain.
  • Page 648: Using Active Directory to Enforce Password Complexity

    Security Settings > Account Policies > Password Policy. Step 2 Double-click Password must meet complexity requirements to open the Security Policy Setting dialog box. Step 3 Check the Define this policy setting check box and select Enable.
  • Page 649: Group Policies

    You can configure internal and external group policies. Internal groups are configured on the security appliance’s internal database. External groups are configured on an external authentication server, such as RADIUS. Group policies include the following attributes:
    • Identity Server definitions
  • Page 650: Default Group Policy

    The default group policy, DfltGrpPolicy, that the security appliance provides is as follows:
    group-policy DfltGrpPolicy internal
    group-policy DfltGrpPolicy attributes
     banner none
     wins-server none
     dns-server none
     dhcp-network-scope none
     vpn-access-hours none
     vpn-simultaneous-logins 2000
     vpn-idle-timeout none
     vpn-session-timeout none
     vpn-filter none
     vpn-tunnel-protocol IPSec webvpn
     password-storage enable
  • Page 651 You can modify the default group policy, and you can also create one or more group policies specific to your environment.
  • Page 652: Configuring Group Policies

    Class attribute (#25), the security appliance uses that attribute to authenticate the Group Name. On the RADIUS server, the attribute must be formatted as: OU=groupname; where groupname is identical to the Group Name configured on the security appliance—for example, OU=Finance.
  • Page 653: Configuring an Internal Group Policy

    WINS server rather than overwrite previously configured servers, include the IP addresses of all WINS servers when you enter this command. The following example shows how to configure WINS servers with the IP addresses 10.10.10.15 and 10.10.10.30 for the group policy named FirstGroup:
  • Page 654: Configuring VPN-Specific Attributes

    A group policy can inherit a time-range value from a default or specified group policy. To prevent this inheritance, enter the none keyword instead of the name of a time-range in this command. This keyword sets VPN access hours to a null value, which allows no time-range policy.
  • Page 655 It sets the idle timeout to a null value, thereby disallowing an idle timeout. The following example shows how to set a VPN idle timeout of 15 minutes for the group policy named FirstGroup: hostname(config)# group-policy FirstGroup attributes hostname(config-group-policy)# vpn-idle-timeout 15 hostname(config-group-policy)#
  • Page 656 To remove the ACL, including a null value created by entering the vpn-filter none command, enter the no form of this command. The no option allows inheritance of a value from another group policy.
  • Page 657: Configuring Security Attributes

    For security reasons, password storage is disabled by default. Enable password storage only on systems that you know to be in secure sites. To remove the password-storage attribute from the running configuration, enter the no form of this command:
  • Page 658 Note: Reauthentication fails if there is no user at the other end of the connection.
  • Page 659: Configuring The Banner Message

    {value banner_string | none} The following example shows how to create a banner for the group policy named FirstGroup: hostname(config)# group-policy FirstGroup attributes
  • Page 660: Configuring Ipsec-Udp Attributes

    This enables inheritance of a value for IPSec over UDP from another group policy. The Cisco VPN client must also be configured to use IPSec over UDP (it is configured to use it by default). The VPN 3002 requires no configuration to use IPSec over UDP.
  • Page 661 The excludespecified keyword defines a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This option applies only to the Cisco VPN client.
  • Page 662: Configuring Domain Attributes For Tunneling

    When there are no split tunneling domain lists, users inherit any that exist in the default group policy. To prevent users from inheriting such split tunneling domain lists, enter the split-dns command with the none keyword.
  • Page 663: Configuring Attributes For Vpn Hardware Clients

    The commands in this section enable or disable secure unit authentication and user authentication, and set a user authentication timeout value for VPN hardware clients. They also let you allow Cisco IP phones and LEAP packets to bypass individual user authentication and allow hardware clients using Network Extension Mode to connect.
  • Page 664 If you require user authentication on the primary security appliance, be sure to configure it on any backup servers as well. The following example shows how to enable user authentication for the group policy named FirstGroup: hostname(config)# group-policy FirstGroup attributes hostname(config-group-policy)# user-authentication enable
  • Page 665 Configuring IP Phone Bypass You can allow Cisco IP phones to bypass individual user authentication behind a hardware client. To enable IP Phone Bypass, enter the ip-phone-bypass command with the enable keyword in group-policy configuration mode. IP Phone Bypass lets IP phones behind hardware clients connect without undergoing user authentication processes.
  • Page 666 Configuring Connection Profiles, Group Policies, and Users, Group Policies. To allow LEAP packets from Cisco wireless access points to bypass individual user authentication, enter the leap-bypass command with the enable keyword in group-policy configuration mode. To disable LEAP Bypass, enter the disable keyword. To remove the LEAP Bypass attribute from the running configuration, enter the no form of this command.
  • Page 667: Configuring Backup Server Attributes

    IP address or hostname. The list can be 500 characters long, and it can contain up to 10 entries. The following example shows how to configure backup servers with IP addresses 10.10.10.1 and 192.168.10.14, for the group policy named FirstGroup: hostname(config)# group-policy FirstGroup attributes hostname(config-group-policy)# backup-servers 10.10.10.1 192.168.10.14
  • Page 668: Configuring Microsoft Internet Explorer Client Parameters

    The following example shows how to configure auto-detect as the Microsoft Internet Explorer proxy setting for the group policy named FirstGroup: hostname(config)# group-policy FirstGroup attributes hostname(config-group-policy)# msie-proxy method auto-detect hostname(config-group-policy)#
  • Page 669 By default, msie-proxy local-bypass is disabled. The following example shows how to enable Microsoft Internet Explorer proxy local-bypass for the group policy named FirstGroup: hostname(config)# group-policy FirstGroup attributes hostname(config-group-policy)# msie-proxy local-bypass enable hostname(config-group-policy)#
  • Page 670: Configuring Network Admission Control Parameters

    86400. The default setting is 36000. To specify the interval between each successful posture validation in a Network Admission Control session, use the nac-reval-period command in group-policy configuration mode: hostname(config-group-policy)# nac-reval-period seconds hostname(config-group-policy)#
  • Page 671 Step 4 Configure NAC exemptions for VPN. By default, the exemption list is empty. The default value of the filter attribute is none. Enter the vpn-nac-exempt command once for each operating system (and ACL) to be matched to exempt remote hosts from posture validation.
  • Page 672 "Windows 98" filter acl-1 disable hostname(config-group-policy) The following example removes the same entry from the exemption list, regardless of whether it is disabled: hostname(config-group-policy)# no vpn-nac-exempt os "Windows 98" filter acl-1 hostname(config-group-policy)
  • Page 673: Configuring Address Pools

    [... address_pool6 ] hostname(config-group-policy)# The command address-pools none disables this attribute from being inherited from other sources of policy, such as the DefaultGrpPolicy: hostname(config-group-policy)# address-pools none hostname(config-group-policy)#
  • Page 674: Configuring Firewall Policies

    VPN client drops the connection to the security appliance. (This firewall enforcement mechanism is called Are You There (AYT), because the VPN client monitors the firewall by...
  • Page 675 Table 30-2, following this set of commands, explains the syntax elements of these commands: Cisco Integrated Firewall hostname(config-group-policy)# client-firewall {opt | req} cisco-integrated acl-in ACL acl-out ACL Cisco Security Agent hostname(config-group-policy)# client-firewall {opt | req} cisco-security-agent No Firewall...
  • Page 676 It asks, “Are You There?” If there is no response, the security appliance tears down the tunnel. cisco-integrated Specifies Cisco Integrated firewall type. cisco-security-agent Specifies Cisco Intrusion Prevention Security Agent firewall type. Specifies Policy Pushed as source of the VPN client firewall policy. custom Specifies Custom firewall type. description string Describes the firewall.
  • Page 677: Configuring Client Access Rules

    The following example shows how to set a client firewall policy that requires Cisco Intrusion Prevention Security Agent for the group policy named FirstGroup: hostname(config)# group-policy FirstGroup attributes hostname(config-group-policy)# client-firewall req cisco-security-agent...
  • Page 678: Configuring Group-Policy Attributes For Clientless Ssl Vpn Sessions

    * character as a wildcard. The following example shows how to create client access rules for the group policy named FirstGroup. These rules permit Cisco VPN clients running software version 4.x, while denying all Windows NT clients:...
  • Page 679 For example, to use the customization named blueborder, enter the following command: hostname(config-group-webvpn)# customization blueborder hostname(config-group-webvpn)#
  • Page 680 Specify whether to filter Java, ActiveX, images, scripts, and cookies from clientless SSL VPN sessions for this group policy by using the html-content-filter command in webvpn mode. HTML filtering is disabled by default.
  • Page 681 The url-string variable following the keyword value provides a URL for the home page. The string must begin with either http:// or https://. hostname(config-group-webvpn)# homepage {value url-string | none} hostname(config-group-webvpn)# no homepage hostname(config-group-webvpn)#
  • Page 682 The none keyword indicates that there is no webvpntype access list. It sets a null value, thereby disallowing an access list and prevents inheriting an access list from another group policy. The ACLname string following the keyword value provides the name of the previously configured access list.
  • Page 683 The ActiveX relay remains in force until the Clientless SSL VPN session closes. To enable or disable ActiveX controls on Clientless SSL VPN sessions, enter the following command in group-policy webvpn configuration mode:
  • Page 684 The no option restores the default name, Application Access. To prevent a display name, enter the port-forward none command. The syntax of the command is as follows: hostname(config-group-webvpn)# port-forward-name {value name | none} hostname(config-group-webvpn)# no port-forward-name
  • Page 685 In the following example, compression is disabled for the group-policy sales: hostname(config)# group-policy sales attributes hostname(config-group-policy)# webvpn hostname(config-group-webvpn)# http-comp none hostname(config-group-webvpn)#
  • Page 686 For complete information about installing and using SVC, see Chapter 38, “Configuring AnyConnect VPN Client Connections”.
  • Page 687 In the following example, the user configures the DPD frequency performed by the security appliance (gateway) to 3000 seconds, and the DPD frequency performed by the client to 1000 seconds for the existing group policy named sales: hostname(config)# group-policy sales attributes
  • Page 688 1 through 10080 (1 week). For the no form of the command, only the minimum is necessary, as the following example shows:
  • Page 689: Configuring User Attributes

    To configure specific users, you assign a password (or no password) and attributes to a user using the username command, which enters username mode. Any attributes that you do not specify are inherited from the group policy.
  • Page 690: Setting A User Password And Privilege Level

    Enter username mode by entering the username command with the attributes keyword: hostname(config)# username name attributes hostname(config-username)# The prompt changes to indicate the new mode. You can now configure the attributes.
  • Page 691: Configuring Vpn User Attributes

    Enter 0 to disable login and prevent user access. hostname(config-username)# vpn-simultaneous-logins integer hostname(config-username)# no vpn-simultaneous-logins hostname(config-username)# Note: While the maximum limit for the number of simultaneous logins is very large, allowing several could compromise security and affect performance.
  • Page 692 The no option allows inheritance of a value from the group policy. There are no default behaviors or values for this command.
  • Page 693 IPSec. To remove the attribute from the running configuration, enter the no form of this command. hostname(config-username)# vpn-tunnel-protocol {webvpn | IPSec} hostname(config-username)# no vpn-tunnel-protocol [webvpn | IPSec] hostname(config-username)
  • Page 694 This command has no bearing on interactive hardware client authentication or individual user authentication for hardware clients. The following example shows how to enable password storage for the user named anyuser:
  • Page 695: Configuring Clientless Ssl Vpn Access For Specific Users

    In username webvpn configuration mode, you can customize the following parameters, each of which is described in the subsequent steps: customizations, deny message, html-content-filter, homepage, filter, and url-list.
  • Page 696 The following example shows how to set filtering of JAVA and ActiveX, cookies, and images for the user named anyuser: hostname(config)# username anyuser attributes hostname(config-username)# webvpn hostname(config-username-webvpn)# html-content-filter java cookies images hostname(config-username-webvpn)#
  • Page 697 123: hostname(config)# webvpn hostname(config-webvpn)# customization 123 hostname(config-webvpn-custom)# password-prompt Enter password hostname(config-webvpn)# exit hostname(config)# username testuser nopassword hostname(config)# username testuser attributes hostname(config-username)# webvpn hostname(config-username-webvpn)# customization value 123 hostname(config-username-webvpn)#
  • Page 698 The none keyword indicates that there is no webvpntype access list. It sets a null value, thereby disallowing an access list and prevents inheriting an access list from another group policy. The ACLname string following the keyword value provides the name of the previously configured access list.
  • Page 699 To enable or disable ActiveX controls on Clientless SSL VPN sessions, enter the following command in username webvpn configuration mode: activex-relay {enable | disable} To inherit the activex-relay command from the group policy, enter the following command:
  • Page 700 {value name | none} hostname(config-username-webvpn)# no port-forward-name The following example shows how to configure the port-forward name test: hostname(config-username)# webvpn hostname(config-username-webvpn)# port-forward-name value test hostname(config-username-webvpn)#
  • Page 701 NTLM authentication, to the server with the IP address 10.1.1.0, using subnet mask 255.255.255.0: hostname(config)# username anyuser attributes hostname(config-username)# webvpn hostname(config-username-webvpn)# auto-signon allow ip 10.1.1.0 255.255.255.0 auth-type hostname(config-username-webvpn)#
  • Page 702 The default policy assigned to the SSO server is DfltGrpPolicy. The following example assigns the SSO server named example to the user named anyuser: hostname(config)# username anyuser attributes hostname(config-username)# webvpn hostname(config-username-webvpn)# sso-server value example hostname(config-username-webvpn)#
  • Page 703 {deflate | none} hostname(config-username-webvpn)# The following example disables SVC compression for the user named sales: hostname(config)# username sales attributes
  • Page 704 To remove the command from the configuration, use the no form of this command: hostname(config-username-webvpn)# svc keep-installer {installed | none} hostname(config-username-webvpn)# no svc keep-installer {installed | none}
  • Page 705 In the following example, the user configures the SVC to renegotiate with SSL during rekey and configures the rekey to occur 30 minutes after the session begins: hostname(config-username-webvpn)# svc rekey method ssl hostname(config-username-webvpn)# svc rekey time 30 hostname(config-username-webvpn)#
  • Page 706 Chapter 30 Configuring Connection Profiles, Group Policies, and Users, Configuring User Attributes
  • Page 707: Chapter 31 Configuring Ip Addresses For Vpns

    IP addresses to use. To specify a method for assigning IP addresses to remote access clients, enter the vpn-addr-assign command in global configuration mode. The syntax is vpn-addr-assign {aaa | dhcp | local}.
  • Page 708: Configuring Local Ip Address Pools

    Configuring AAA Addressing To use a AAA server to assign addresses for VPN remote access clients, you must first configure a AAA server or server group. See the aaa-server protocol command in the Cisco Security Appliance Command Reference and “Identifying AAA Server Groups and Servers,”...
  • Page 709: Configuring Dhcp Addressing

    RAD2 hostname(config-general)# This command has more arguments than this example includes. For more information, see the Cisco Security Appliance Command Reference. Configuring DHCP Addressing To use DHCP to assign addresses for VPN clients, you must first configure a DHCP server and the range of IP addresses that the DHCP server can use.
  • Page 710 (Optional) To specify the range of IP addresses the DHCP server should use to assign addresses to users of the group policy called remotegroup, enter the dhcp-network-scope command. The following example configures a network scope of 192.86.0.0. hostname(config-group-policy)# dhcp-network-scope 192.86.0.0 hostname(config-group-policy)#
  • Page 711: Chapter 32 Configuring Remote Access Ipsec Vpns

    FirstSet esp-3des esp-md5-hmac hostname(config)# tunnel-group testgroup type ipsec-ra hostname(config)# tunnel-group testgroup general-attributes hostname(config-general)# address-pool testpool hostname(config)# tunnel-group testgroup ipsec-attributes hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
  • Page 712: Configuring Interfaces

    Step 5 To save your changes, enter the write memory command. hostname(config-if)# write memory hostname(config-if)# Step 6 To configure a second interface, use the same procedure.
  • Page 713: Configuring Isakmp Policy And Enabling Isakmp On The Outside Interface

    Step 5 Set the encryption key lifetime. The following example configures 43,200 seconds (12 hours). hostname(config)# isakmp policy 1 lifetime 43200 hostname(config)# Step 6 Enable ISAKMP on the interface named outside. hostname(config)# isakmp enable outside hostname(config)#
  • Page 714: Configuring An Address Pool

    Creating a Transform Set: For more overview information, including a table that lists valid encryption and authentication methods, see Chapter 36, “Configuring LAN-to-LAN IPSec VPNs” of this guide.
  • Page 715: Defining A Tunnel Group

    In the following example the name of the group is testgroup and the name of the address pool is testpool. hostname(config)# tunnel-group testgroup general-attributes hostname(config-general)# address-pool testpool
  • Page 716: Creating A Dynamic Crypto Map

    You need to use the same preshared key on both the security appliance and the client. The preshared key must be no larger than that used by the VPN client. Note: If a Cisco VPN Client with a different preshared key size tries to connect to a security appliance, the client logs an error message indicating it failed to authenticate the peer.
  • Page 717: Creating A Crypto Map Entry To Use The Dynamic Crypto Map

    Step 2 To apply the crypto map to the outside interface, enter the crypto map interface command. The syntax is crypto map map-name interface interface-name hostname(config)# crypto map mymap interface outside hostname(config)#
  • Page 718 Chapter 32 Configuring Remote Access IPSec VPNs, Creating a Crypto Map Entry to Use the Dynamic Crypto Map
  • Page 719: Chapter 33 Configuring Network Admission Control

    Following successful posture validation or the reception of a token indicating the remote host is healthy, the posture validation server sends a network access policy to the security appliance for application to the traffic on the tunnel.
  • Page 720: Uses, Requirements, And Limitations

    In a NAC Framework configuration involving the security appliance, only a Cisco Trust Agent running on the client can fulfill the role of posture agent, and only a Cisco Access Control Server (ACS) can fulfill the role of posture validation server. The ACS uses dynamic ACLs to determine the access policy for each client.
  • Page 721 Otherwise, the CLI displays the policy name and type on the first line and the usage data for the group policies in subsequent lines. Table 2 explains the fields in the show nac-policy command.
  • Page 722: Adding, Accessing, Or Removing A Nac Policy

    nac-framework: NAC Framework configuration will provide a network access policy for remote hosts. A Cisco Access Control Server must be present on the network to provide NAC Framework services for the security appliance. When you specify this type, the prompt indicates you are in configuration mode.
  • Page 723: Configuring A Nac Policy

    Specifying the Access Control Server Group You must configure at least one Cisco Access Control Server to support NAC. Use the aaa-server host command to name the Access Control Server group even if the group contains only one server.
  • Page 724: Setting The Revalidation Timer

    Use the no form of the command if you want to remove the command from the NAC Framework policy. In that case, specifying the acl-name is optional. acl-name is the name of the access control list to be applied to the session.
  • Page 725: Configuring Exemptions From Nac

    The following example exempts all hosts running Windows XP and applies the ACL acl-2 to traffic from those hosts: hostname(config-nac-policy-nac-framework)# exempt-list os "Windows XP" filter acl-2 hostname(config-nac-policy-nac-framework) The following example removes the same entry from the exemption list: hostname(config-nac-policy-nac-framework)# no exempt-list os "Windows XP" filter acl-2 hostname(config-nac-policy-nac-framework)
  • Page 726: Assigning A Nac Policy To A Group Policy

    NAC Framework support for clientless authentication is configurable. It applies to hosts that do not have a Cisco Trust Agent to fulfill the role of posture agent. The security appliance applies the default access policy, sends the EAP over UDP request for posture validation, and the request times out. If the security appliance is not configured to request a policy for clientless hosts from the Access Control Server, it retains the default access policy already in use for the clientless host.
  • Page 727: Enabling And Disabling Clientless Authentication

    Framework configuration: [no] eou allow {audit | clientless | none} audit uses an audit server to perform clientless authentication. clientless uses a Cisco Access Control Server to perform clientless authentication. no removes the command from the configuration. none disables clientless authentication.
  • Page 728: Changing Nac Framework Session Attributes

    62445 hostname(config)# To change the port number to its default value, use the no form of this command, as follows: no eou port For example: hostname(config)# no eou port hostname(config)#
  • Page 729 By default, the maximum number of seconds to wait before establishing a new session is 180 seconds. To change this value, enter the following command in global configuration mode: eou timeout hold-period seconds seconds is a value in the range 60 to 86400.
  • Page 730 To change the session reinitialization to its default value, use the no form of this command, as follows: no eou timeout hold-period For example: hostname(config)# no eou timeout hold-period hostname(config)#
  • Page 731: Chapter 34 Configuring Easy Vpn Services On The Asa

    VLAN interfaces of the ASA 5505 (see Chapter 4, “Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance”). Note: The Easy VPN hardware client configuration specifies the IP address of its primary and secondary (backup) Easy VPN servers.
  • Page 732: Specifying The Client/Server Role Of The Cisco Asa 5505

    Specifying the Client/Server Role of the Cisco ASA 5505 The Cisco ASA 5505 can function as a Cisco Easy VPN hardware client (also called “Easy VPN Remote”) or as a server (also called a “headend”), but not both at the same time. It does not have a default role.
  • Page 733: Specifying The Primary And Secondary Servers

    DHCP) pre-configured with static IP addresses. PAT does not apply to VPN traffic in NEM. This mode does not require a VPN configuration for each client. The Cisco ASA 5505 configured for NEM mode supports automatic tunnel initiation. The configuration must store the group name, user name, and password.
  • Page 734: Configuring Automatic Xauth Authentication

    If you configure an ASA 5505 to use TCP-encapsulated IPSec, enter the following command to let it send large packets over the outside interface: hostname(config)# crypto ipsec df-bit clear-df outside hostname(config)#
  • Page 735: Comparing Tunneling Options

    Comparing Tunneling Options The tunnel types the Cisco ASA 5505 configured as an Easy VPN hardware client sets up depends on a combination of the following factors: Use of the split-tunnel-network-list and the split-tunnel-policy commands on the headend to...
  • Page 736: Specifying The Tunnel Group Or Trustpoint

    Specifying the Tunnel Group or Trustpoint When configuring the Cisco ASA 5505 as an Easy VPN hardware client, you can specify a tunnel group or trustpoint configured on the Easy VPN server, depending on the Easy VPN server configuration. See...
  • Page 737: Specifying The Trustpoint

    To remove the attribute from the running configuration, enter the following command: no vpnclient trustpoint For example: hostname(config)# no vpnclient trustpoint hostname(config)#
  • Page 738: Configuring Split Tunneling

    Only the first six characters of the specific MAC address are required if you use the MAC mask ffff.ff00.0000 to specify all devices by the same manufacturer. For example, Cisco IP phones have the Manufacturer ID 00036b, so the following command exempts any Cisco IP phone, including Cisco IP phones you might add in the future: hostname(config)# vpnclient mac-exempt 0003.6b00.0000 ffff.ff00.0000...
  • Page 739: Configuring Remote Management

    The Cisco ASA 5505, operating as an Easy VPN hardware client, supports management access using SSH or HTTPS, with or without a second layer of additional encryption. You can configure the Cisco ASA 5505 to require IPSec encryption within the SSH or HTTPS encryption.
  • Page 740: Group Policy And User Attributes Pushed To The Client

    Table 34-2 as a guide for determining which commands to enter to modify the group policy or user attributes. Table 34-2 Group Policy and User Attributes Pushed to the Cisco ASA 5505 Configured as an EasyVPN Hardware Client Command Description...
  • Page 741 Specifies the IP address of the primary and secondary WINS servers, or prohibits the use of WINS servers. Note: IPSec NAT-T connections are the only IPSec connection types supported on the home VLAN of a Cisco ASA 5505. IPSec over TCP and native IPSec connections are not supported.
  • Page 742: Authentication Options

    IUA. See Configuring User Authentication, page 30-48. Caution: Do not configure IUA on a Cisco ASA 5505 configured as an Easy VPN server if a NAT device is operating between the server and the Easy VPN hardware client. Use the user-authentication-idle-timeout command to set or remove the idle timeout period after which the Easy VPN Server terminates the client’s access.
  • Page 743: Chapter 35 Configuring The Pppoe Client

    Once the session is established, a PPP link is set up, which includes authentication using Password Authentication Protocol (PAP). Once the PPP session is established, each packet is encapsulated in the PPPoE and PPP headers.
  • Page 744: Configuring The Pppoe Client Username And Password

    If an Auto Update Server sends a clear config command to the security appliance and the connection is then interrupted, the security appliance can read the username and password from NVRAM and re-authenticate to the Access Concentrator.
  • Page 745: Enabling Pppoe

    Using PPPoE with a Fixed IP Address You can also enable PPPoE by manually entering the IP address, using the ip address command from interface configuration mode in the following format: hostname(config-if)# ip address ipaddress mask pppoe
  • Page 746: Monitoring And Debugging The Pppoe Client

    6 packets sent, 6 received, 84 bytes sent, 0 received hostname# hostname# show vpdn tunnel PPPoE Tunnel Information (Total tunnels=1 sessions=1) Tunnel id 0, 1 active sessions time since change 65901 secs Remote Internet Address 10.0.0.1
  • Page 747: Clearing the Configuration

    RFC 1877. The client_ifx_name parameter identifies the interface supported by the DHCP auto_config option. At this time, this keyword is not required because the PPPoE client is only supported on a single outside interface.
  • Page 748 Chapter 35 Configuring the PPPoE Client: Using Related Commands
  • Page 749: Chapter 36 Configuring LAN-to-LAN IPSec VPNs

    1 match address l2l_list
    hostname(config)# crypto map abcmap 1 set peer 10.10.4.108
    hostname(config)# crypto map abcmap 1 set transform-set FirstSet
    hostname(config)# crypto map abcmap interface outside
    hostname(config)# write memory
  • Page 750: Configuring Interfaces

    Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data travelling across the secure connection. To set the terms of the ISAKMP negotiations, you create an ISAKMP policy, which includes the following:
  • Page 751 1 lifetime 43200
    hostname(config)#
    Step 6 Enable ISAKMP on the interface named outside.
    hostname(config)# isakmp enable outside
    hostname(config)#
    Step 7 To save your changes, enter the write memory command.
    hostname(config)# write memory
    hostname(config)#
  • Page 752: Creating a Transform Set

    The ACLs that you configure for this LAN-to-LAN VPN control connections are based on the source and destination IP addresses. Configure ACLs that mirror each other on both sides of the connection. To configure an ACL, perform the following steps:
  • Page 753: Defining a Tunnel Group

    You need to use the same preshared key on both security appliances for this LAN-to-LAN connection. The key is an alphanumeric string of 1-128 characters. In the following example the preshared key is 44kkaol59636jnfx.
    hostname(config)# tunnel-group 10.10.4.108 ipsec-attributes
  • Page 754: Creating a Crypto Map and Applying It to an Interface

    The syntax is crypto map map-name seq-num match address aclname. In the following example the map name is abcmap, the sequence number is 1, and the access list name is l2l_list:
    hostname(config)# crypto map abcmap 1 match address l2l_list
    hostname(config)#
  • Page 755: Applying Crypto Maps to Interfaces

    Step 1 To apply the configured crypto map to the outside interface, enter the crypto map interface command. The syntax is crypto map map-name interface interface-name.
    hostname(config)# crypto map abcmap interface outside
    hostname(config)#
    Step 2 Save your changes.
    hostname(config)# write memory
    hostname(config)#
  • Page 756 Chapter 36 Configuring LAN-to-LAN IPSec VPNs: Creating a Crypto Map and Applying It to an Interface
  • Page 757: Chapter 37 Configuring Clientless SSL VPN

    • NT/Active Directory file shares
    • E-mail proxies, including POP3S, IMAP4S, and SMTPS
    • MS Outlook Web Access
    • Application Access (that is, port forwarding or smart tunnel access to other TCP-based applications)
  • Page 758: Observing Clientless SSL VPN Security Precautions

    Educate users. If an SSL-enabled site is not inside the private network, users should not visit this site over a clientless SSL VPN connection. They should open a separate browser window to visit such sites, and use that browser to view the presented certificate.
  • Page 759: Understanding Features Not Supported in Clientless SSL VPN

    Enter the enable command with the name of the interface that you want to use for clientless SSL VPN sessions. For example, to enable clientless SSL VPN sessions on the interface called outside, enter the following:
    hostname(config)# webvpn
    hostname(config-webvpn)# enable outside
  • Page 760 JavaScript function to identify a proxy for each URL. password—(Optional, and available only if you specify a username) Enter this keyword to accompany each proxy request with a password to provide basic, proxy authentication.
  • Page 761: Configuring SSL/TLS Encryption Protocols

    • Make sure that the security appliance and the browser you use allow the same SSL/TLS encryption protocols.
    • If you configure e-mail proxy, do not set the security appliance SSL version to TLSv1 Only. MS Outlook and MS Outlook Express do not support TLS.
  • Page 762: Authenticating with Digital Certificates

    The security appliance supports password management for the RADIUS and LDAP protocols. It supports the “password-expire-in-days” option for LDAP only. You can configure password management for IPSec remote access and SSL VPN tunnel-groups.
  • Page 763 Password management is not supported for any of these connection types for Kerberos/Active Directory (Windows password) or NT 4.0 Domain. The RADIUS server (for example, Cisco ACS) could proxy the authentication request to another authentication server. However, from the security appliance perspective, it is talking only to a RADIUS server.
  • Page 764: Using Single Sign-On with Clientless SSL VPN

    All clientless SSL VPN users globally
    webvpn group-policy: A subset of clientless SSL VPN users defined by a group policy configuration
    webvpn username configuration: An individual user of clientless SSL VPN
  • Page 765: Configuring SSO Authentication Using SiteMinder

    • Task Overview: Configuring SSO with SiteMinder
    • Detailed Tasks: Configuring SSO with SiteMinder
    • Adding the Cisco Authentication Scheme to SiteMinder
    Task Overview: Configuring SSO with SiteMinder. This section presents an overview of the tasks necessary to configure SSO with SiteMinder SSO. These...
  • Page 766 This key is similar to a password: you create it, save it, and enter it on both the security appliance and the SiteMinder Policy Server using the Cisco Java plug-in authentication scheme. Optionally, you can do the following configuration tasks in addition to the required tasks: Configuring the authentication request timeout.
  • Page 767 Adding the Cisco Authentication Scheme to SiteMinder In addition to configuring the security appliance for SSO with SiteMinder, you must also configure your CA SiteMinder Policy Server with the Cisco authentication scheme, a Java plug-in you download from the Cisco web site.
  • Page 768: Configuring SSO Authentication Using SAML Browser Post Profile

    • Configure the authentication request timeout (the request-timeout command)
    • Configure the number of authentication request retries (the max-retry-attempts command)
    After completing the configuration tasks, you assign an SSO server to a user or group policy.
  • Page 769 For example, to assign the SSO server named Example to the user named Anyuser, enter the following:
    hostname(config)# username Anyuser attributes
    hostname(config-username)# webvpn
  • Page 770: Configuring SSO with the HTTP Form Protocol

    VPN server on the security appliance. The clientless SSL VPN server acts as a proxy for the user and forwards the form data (username and password) to an authenticating web server using a POST authentication request.
  • Page 771 Note: These steps require a browser and an HTTP header analyzer.
  • Page 772 SMENC=ISO-8859-1&SMLOCALE=US-EN&target=https%3A%2F%2Fwww.example.com%2Femco%2Fmyemco%2F&smauthreason=0
    Figure 37-3 highlights the action URI, hidden, username and password parameters within sample output from an HTTP analyzer. This is only an example; output varies widely across different websites.
  • Page 773 In the following server response header, the name of the session cookie is SMSESSION. You just need the name, not the value.
  • Page 774 Configure the following:
    • Configure the uniform resource identifier on the authenticating web server to receive and process the form data (action-uri).
    • Configure the username parameter (user-parameter).
    • Configure the user password parameter (password-parameter).
  • Page 775 Step 3 To configure a username parameter for the HTTP POST request, enter the user-parameter command in aaa-server-host configuration mode. For example, the following command configures the username parameter userid:
    hostname(config-aaa-server-host)# user-parameter userid
    hostname(config-aaa-server-host)#
  • Page 776: Authenticating with Digital Certificates

    Instead, they use an authorization server to authenticate once the certificate validation occurs. For more information on authentication and authorization using digital certificates, see “Using Certificates and User Login Credentials” in the “Configuring AAA Servers and the Local Database” chapter.
  • Page 777: Creating and Applying Clientless SSL VPN Resources

    Chapter 30, “Configuring Connection Profiles, Group Policies, and Users.” Note: In earlier releases, “connection profiles” were known as “tunnel groups.” You configure a connection profile with tunnel-group commands. This chapter often uses these terms interchangeably.
  • Page 778: Configuring Group Policy and User Attributes for Clientless SSL VPN

    Identifies the DNS server group that specifies the DNS server name, domain name, name server, number of retries, and timeout values
    hic-fail-group-policy: Specifies a VPN feature policy if you use the Cisco Secure Desktop Manager to set the Group-Based Policy attribute to “Use Failure Group-Policy” or “Use Success Group-Policy, if criteria match.”...
  • Page 779: Configuring Browser Access to Client-Server Plug-Ins

    • Providing Access to Plug-ins Redistributed By Cisco, page 37-25
    • Providing Access to Plug-ins Not Redistributed By Cisco—Example: Citrix Java Presentation Server Client Plug-in, page 37-27
    • Viewing the Plug-ins Installed on the Security Appliance, page 37-30
  • Page 780: About Installing Browser Plug-Ins

    The security appliance lets you import plug-ins for download to remote browsers in clientless SSL VPN sessions. Of course, Cisco tests the plug-ins it redistributes, and in some cases, tests the connectivity of plug-ins we cannot redistribute.
  • Page 781: Preparing the Security Appliance for a Plug-In

    Virtual Network Computing plug-in lets the remote user use a monitor, keyboard, and mouse to view and control a computer with remote desktop sharing turned on. Cisco redistributes this plug-in without any changes to it per the GNU General Public License. The web site containing the source of the redistributed plug-in is http://www.tightvnc.com/.
  • Page 782 “local_tftp_server”), and download the plug-ins from the Cisco web site to the “plugins” directory. To provide clientless SSL VPN browser access to a plug-in redistributed by Cisco, install the plug-in onto the flash device of the security appliance by entering the following command in privileged EXEC mode.
  • Page 783 The open framework that the security appliance provides lets you add plug-ins to support third-party Java client/server applications. As an example of how to provide clientless SSL VPN browser access to plug-ins that are not redistributed by Cisco, this section describes how to add clientless SSL VPN support for the Citrix Presentation Server Client.
  • Page 784: Preparing the Citrix Metaframe Server for Clientless SSL VPN Access

    Step 1 Download the ica-plugin.zip file from the Cisco web site to your workstation. This zip file contains files that Cisco customized for use with the Citrix plug-in. After you import the Citrix plug-in into the security appliance, and the remote browser downloads it, the portal page displays the icon.gif image contained in the ica-plugin.zip file.
  • Page 785: Providing a Bookmark and Optional SSO Support for Citrix Sessions

    Note: Users of clientless SSL VPN sessions cannot enter a URL in the Address box to get SSO support for Citrix sessions. You must insert a bookmark if you want to provide SSO support for the Citrix plug-in.
  • Page 786: Viewing the Plug-Ins Installed on the Security Appliance

    Port forwarding lets users access TCP-based applications over a clientless SSL VPN connection. Such applications include the following:
    • Lotus Notes
    • Microsoft Outlook
    • Microsoft Outlook Express
    • Perforce
    • Sametime
    • Secure FTP (FTP over SSH)
  • Page 787: Why Port Forwarding

    SSL VPN connection. With port forwarding, remote users may need administrator privileges to connect the local application to the local port. With Release 8.0(2), Cisco introduced two alternative technologies for supporting Winsock 2, TCP-based applications: plug-ins and smart tunnels. Plug-ins offer better performance and do not require the client application to be installed on the remote computer; however, a plug-in may not be available for the application you want to support.
  • Page 788: Adding Applications to Be Eligible for Port Forwarding

    SalesGroupPorts 20143 IMAP4Sserver 143 Get Mail
    hostname(config-webvpn)# port-forward SalesGroupPorts 20025 SMTPSserver 25 Send Mail
    hostname(config-webvpn)# port-forward SalesGroupPorts 20022 DDTSserver 22 DDTS over SSH
    hostname(config-webvpn)# port-forward SalesGroupPorts 20023 Telnetserver 23 Telnet
  • Page 789: Assigning a Port Forwarding List

    EXEC mode. To remove the port-forward command from the group policy or username and inherit the [no] port-forward command from the default group-policy, use the no form of the command.
  • Page 790: Enabling and Disabling Port Forwarding

    • Smart Tunnel Requirements and Restrictions
    • Adding Applications to Be Eligible for Smart Tunnel Access
    • Assigning a Smart Tunnel List
    • Automating Smart Tunnel Access
    • Enabling and Disabling Smart Tunnel Access
  • Page 791: About Smart Tunnels

    Why Smart Tunnels? With Release 8.0(2), Cisco added two alternative technologies for supporting Winsock 2, TCP-based applications: smart tunnel access and plug-ins. Plug-ins offer better performance and do not require the client application to be installed on the remote computer.
  • Page 792: Adding Applications to Be Eligible for Smart Tunnel Access

    Note: A sudden problem with smart tunnel access may be an indication that a path value is not up-to-date with an application upgrade. For example, the default path to an application typically changes following the acquisition of the company that produces the application and the next upgrade.
  • Page 793 OutlookExpress msimn.exe 4739647b255d3ea865554e27c3f96b9476e75061
    Following the configuration of a smart tunnel list, assign the list to group policies or usernames, as described in the next section.
  • Page 794: Assigning a Smart Tunnel List

    The following commands assign the smart tunnel list named apps1 to the group policy:
    hostname(config-group-policy)# webvpn
    hostname(config-group-webvpn)# smart-tunnel auto-start apps1
  • Page 795: Enabling and Disabling Smart Tunnel Access

    Closing Application Access to Prevent hosts File Errors. To prevent hosts file errors that can interfere with Application Access, close the Application Access window properly when you finish using Application Access. To do so, click the close icon.
  • Page 796 Microsoft anti-spyware software blocks changes that the port forwarding Java applet makes to the hosts file. See www.microsoft.com for information on how to allow hosts file changes when using anti-spyware software.
  • Page 797 If you or a program you use might have edited the hosts file after Application Access has shut down improperly, choose one of the other options, or edit the hosts file manually. (See “Reconfiguring hosts File Manually.”)
  • Page 798 Step 4 Start clientless SSL VPN and log in. Step 5 The home page appears. Click the Application Access link. Step 6 The Application Access window appears. Application Access is now enabled.
  • Page 799: Configuring File Access

    Windows Internet Naming Server (WINS). Specify the master browser first, then specify the WINS servers. You can specify up to three servers, including the master browser, for a connection profile.
  • Page 800 The following example sets the file-encoding attribute of the CIFS server 10.86.5.174 to support IBM860 (alias “CP860”) characters:
    hostname(config-webvpn)# file-encoding 10.86.5.174 cp860
    For a complete description of these commands, see the Cisco Security Appliance Command Reference.
  • Page 801: Using Clientless SSL VPN with PDAs

    – Application Access and other Java-dependent features.
    – HTTP proxy.
    – Cisco Secure Desktop provides limited support for Microsoft Windows CE.
    – Microsoft Outlook Web Access (OWA) 5.5.
    – The Citrix Metaframe feature (if the PDA does not have the corresponding Citrix ICA client...
  • Page 802: Configuring E-Mail Proxies

    Certificate authentication for e-mail proxy connections works with Netscape 7x e-mail clients. Other e-mail clients such as MS Outlook, MS Outlook Express, and Eudora lack the ability to access the certificate store.
  • Page 803: Configuring Web E-Mail: MS Outlook Web Access

    Sets a maximum size for objects to cache.
    min-object-size: Sets a minimum size for objects to cache.
    cache-static-content: Caches all cacheable web objects, content not subject to rewriting. Examples include images and PDF files.
  • Page 804: Configuring Content Transformation

    You can use the rewrite command multiple times. The order number of rules is important because the security appliance searches rewrite rules by order number, starting with the lowest, and applies the first rule that matches.
  • Page 805: Using Proxy Bypass

    Use the apcf command in webvpn mode to identify and locate an APCF profile that you want to load on the security appliance. Note: We recommend that you configure an APCF profile only with the assistance of Cisco personnel. The following example shows how to enable an APCF profile named apcf1.xml, located on flash...
  • Page 806: APCF Syntax

    Caution: Misuse of an APCF profile can result in reduced performance and undesired rendering of content. In most cases, Cisco Engineering supplies APCF profiles to solve specific application rendering issues. APCF profiles use XML format, and sed script syntax, with the XML tags in Table 37-7.
  • Page 807: APCF Example

    <conditions> tag defined before it. APCF Example: The following example shows what an APCF profile looks like.
    <APCF>
      <version>1.0</version>
      <application>
        <id>Do not compress content from notsogood.com</id>
        <apcf-entities>
          <process-request-header>
            <conditions>
              <server-fnmatch>*.notsogood.com</server-fnmatch>
            </conditions>
            <action>
              <do><no-gzip/></do>
            </action>
  • Page 808: Clientless SSL VPN End User Setup

    • Customizing Help, page 37-65
    • Requiring Usernames and Passwords
    • Communicating Security Tips
    • Configuring Remote Systems to Use Clientless SSL VPN Features
    • Translating the Language of User Messages
  • Page 809: Defining the End User Interface

    Clientless SSL VPN by entering the IP address of a security appliance interface in the format https://address. The first panel that displays is the login screen (Figure 37-6). Figure 37-6 Clientless SSL VPN Login Screen
  • Page 810: Viewing the Clientless SSL VPN Home Page

    Clientless SSL VPN features with the exception of identifying specific file shares. It lets users browse the network, enter URLs, access specific websites, and use Application Access (port forwarding and smart tunnels) to access TCP applications.
  • Page 811: Viewing the Clientless SSL VPN Application Access Panel

    Note: A stateful failover does not retain sessions established using Application Access. Users must reconnect following a failover.
  • Page 812: Viewing the Floating Toolbar

    This section contains the following topics and tasks:
    • How Customization Works, page 37-57
    • Exporting a Customization Template, page 37-57
    • Editing the Customization Template, page 37-58
  • Page 813: How Customization Works

    The following example exports the default customization object (DfltCustomization) and creates the XML file named dflt_custom:
    hostname# export webvpn customization DfltCustomization tftp://209.165.200.225/dflt_custom
    !!!!!!!!!!!!!!!!INFO: Customization object 'DfltCustomization' was exported to tftp://10.86.240.197/dflt_custom
    hostname#
  • Page 814: Editing the Customization Template

        </language>
      </language-selector>
      <logon-form>
        <title-text l10n="yes"><![CDATA[Login]]></title-text>
        <title-background-color><![CDATA[#666666]]></title-background-color>
        <title-font-color><![CDATA[#ffffff]]></title-font-color>
        <message-text l10n="yes"><![CDATA[Please enter your username and password.]]></message-text>
        <username-prompt-text l10n="yes"><![CDATA[USERNAME:]]></username-prompt-text>
        <password-prompt-text l10n="yes"><![CDATA[PASSWORD:]]></password-prompt-text>
        <internal-password-prompt-text l10n="yes">Internal Password:</internal-password-prompt-text>
        <internal-password-first>no</internal-password-first>
        <group-prompt-text l10n="yes"><![CDATA[GROUP:]]></group-prompt-text>
        <submit-button-text l10n="yes"><![CDATA[Login]]></submit-button-text>
        <title-font-color><![CDATA[#ffffff]]></title-font-color>
        <title-background-color><![CDATA[#666666]]></title-background-color>
        <font-color>#000000</font-color>
        <background-color>#ffffff</background-color>
        <border-color>#858A91</border-color>
  • Page 815 </auth-page>
    <portal>
      <title-panel>
        <mode>enable</mode>
        <text l10n="yes"><![CDATA[SSL VPN Service]]></text>
        <logo-url l10n="yes">/+CSCOU+/csco_logo.gif</logo-url>
        <gradient>yes</gradient>
        <style></style>
        <background-color><![CDATA[#ffffff]]></background-color>
        <font-size><![CDATA[larger]]></font-size>
        <font-color><![CDATA[#800000]]></font-color>
        <font-weight><![CDATA[bold]]></font-weight>
      </title-panel>
      <browse-network-title l10n="yes">Browse Entire Network</browse-network-title>
      <access-network-title l10n="yes">Start AnyConnect</access-network-title>
      <application>
        <mode>enable</mode>
        <id>home</id>
        <tab-title l10n="yes">Home</tab-title>
        <order>1</order>
      </application>
  • Page 816 <prompt-box-title l10n="yes">Address</prompt-box-title>
        <browse-button-text l10n="yes">Browse</browse-button-text>
      </toolbar>
      <column>
        <width>100%</width>
        <order>1</order>
      </column>
      <pane>
        <type>TEXT</type>
        <mode>disable</mode>
        <title></title>
        <text></text>
        <notitle></notitle>
        <column></column>
        <row></row>
        <height></height>
      </pane>
      <pane>
        <type>IMAGE</type>
        <mode>disable</mode>
        <title></title>
        <url l10n="yes"></url>
        <notitle></notitle>
        <column></column>
        <row></row>
        <height></height>
      </pane>
      <pane>
        <type>HTML</type>
  • Page 817 Language Selector drop-down list that is available on the Logon page, and the XML tags for customizing this feature. All these tags are nested within the higher-level <auth-page> tag.
  • Page 818 Figure: Information Panel on Logon Screen and Associated XML Tags (<info-panel> <image-url>, <info-panel> <image-position>, <info-panel> <text>, <info-panel> <mode>). Figure 37-13 shows the Portal page and the XML tags for customizing this feature. These tags are nested within the higher-level <auth-page> tag.
  • Page 819: Importing a Customization Object

    The following example imports the customization object General.xml from the URL 209.165.201.22/customization and names it custom1.
    hostname# import webvpn customization custom1 tftp://209.165.201.22/customization/General.xml
    Accessing tftp://209.165.201.22/customization/General.xml...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Writing file disk0:/csco_config/97/custom1...
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    329994 bytes copied in 5.350 secs (65998 bytes/sec)
  • Page 820: Applying Customizations to Connection Profiles, Group Policies and Users

    Enter the customization value command followed by a question mark (?) to view a list of existing customizations. In the following example, the user enters group policy webvpn mode, queries the security appliance for a list of customizations, and enables the customization cisco for the group policy cisco_sales:
    hostname(config)# group-policy cisco_sales attributes
    hostname(config-group-policy)# webvpn...
  • Page 821: Customizing Help

    The security appliance displays help content on the application panels during clientless SSL VPN sessions. You can customize the help files provided by Cisco or create help files in other languages. You then import them to flash memory for display during subsequent clientless sessions. You can also retrieve previously imported help content files, modify them, and reimport them to flash memory.
  • Page 822 Customizing a Help File Provided By Cisco. To customize a help file provided by Cisco, you need to get a copy of the file from the flash memory card first. Get the copy and customize it as follows: Use your browser to establish a clientless SSL VPN session with the security appliance.
  • Page 823: Requiring Usernames and Passwords

    Computer: Access the computer; entered when starting the computer
    Internet Service Provider: Access the Internet; entered when connecting to an Internet service provider
    Clientless SSL VPN: Access remote network; entered when starting clientless SSL VPN
  • Page 824: Communicating Security Tips

    • Applications supported by clientless SSL VPN
    • Client application installation and configuration requirements
    • Information you might need to provide end users
    • Tips and use suggestions for end users
  • Page 825 Clientless SSL VPN username and password
    [Optional] Local printer: Clientless SSL VPN does not support printing from a web browser to a network printer. Printing to a local printer is supported.
  • Page 826 Also, depending on how you configured a particular account, it might be that:
    • Some websites are blocked
    • Only the websites that appear as links on the clientless SSL VPN Home page are available
  • Page 827 Do not interrupt the Copy File to Server command or navigate to a different screen while the copying is in progress. Interrupting the operation can cause an incomplete file to be saved on the server.
  • Page 828 SSL VPN session does not open the site over that session. To open a site over the session, paste the URL into the Enter Clientless SSL VPN (URL) Address field.
  • Page 829: Translating the Language of User Messages

    The security appliance provides language translation for the portal and screens displayed to users that initiate browser-based, clientless SSL VPN connections, as well as the interface displayed to Cisco AnyConnect VPN Client users. This section describes how to configure the security appliance to translate these user messages and...
  • Page 830: Understanding Language Translation

    Translation Domains and Functional Areas Affected (Translation Domain: Functional Areas Translated). AnyConnect: Messages displayed on the user interface of the Cisco AnyConnect VPN Client. Messages for Cisco Secure Desktop. customization: Messages on the logon and logout pages, portal page, and all the messages customizable by the user.
  • Page 831: Creating Translation Tables

    ID field (msgid) and a message string field (msgstr) for the message SSL VPN, which is displayed on the portal page when a user establishes a clientless SSL VPN session. The complete template contains many pairs of message fields: # Copyright (C) 2006 by Cisco Systems, Inc. #, fuzzy msgid ""...
  • Page 832: Referencing The Language In A Customization Object

    The <default-language> tag specifies the language that the remote user first encounters when connecting to the security appliance. In the example code above, the language is English.
  • Page 833 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! The output of the show import webvpn customization command shows the new customization object sales: hostname(config)# show import webvpn customization Template sales hostname(config)#
  • Page 834: Changing A Group Policy Or User Attributes To Use The Customization Object

    Step 3 Stop the capture by using the no version of the command. no capture capture_name The capture utility creates a capture_name.zip file, which is encrypted with the password koleso. Step 4 Send the .zip file to Cisco Systems, or attach it to a Cisco TAC service request. To look at the contents of the .zip file, unzip it using the password koleso.
  • Page 835: Using A Browser To Display Capture Data

    The following example command displays the capture named hr: https://192.0.2.1:60000/admin/capture/hr/pcap The captured content displays in a sniffer format. Step 4 When you finish examining the capture content, stop the capture by using the no version of the command.
  • Page 837: Chapter 38 Configuring Anyconnect Vpn Client Connections

    C H A P T E R Configuring AnyConnect VPN Client Connections The Cisco AnyConnect VPN Client provides secure SSL connections to the security appliance for remote users. Without a previously-installed client, remote users enter the IP address in their browser of an interface configured to accept SSL VPN connections.
  • Page 838: Installing The Anyconnect Ssl Vpn Client

    Installing the AnyConnect SSL VPN Client This section presents the platform requirements and the procedure for installing an SSL VPN client, either the Cisco AnyConnect VPN Client or the legacy Cisco SSL VPN Client (SVC) on the security appliance. Remote PC System Requirements...
  • Page 839: Enabling Anyconnect Client Connections

    Assign IP addresses to a tunnel group. One method you can use to do this is to assign a local IP address pool with the address-pool command from general-attributes mode: address-pool poolname
  • Page 840 Specify SSL as a permitted VPN tunneling protocol for the group or user with the vpn-tunnel-protocol svc command in group-policy mode or username mode. You can also specify additional protocols. For more information, see the vpn-tunnel-protocol command in the Cisco ASA 5500 Series Command Reference.
  • Page 841: Enabling Permanent Client Installation

    [no] svc dtls enable If you need to disable DTLS, use the no form of the command. For example: hostname(config)# group-policy sales attributes hostname(config-group-policy)# webvpn hostname(config-group-webvpn)# no svc dtls enable
  • Page 842: Ensuring Reliable Dtls Connections Through Third-Party Firewalls

    [no] svc ask {none | enable [default {webvpn | svc} timeout value]} svc ask enable prompts the remote user to download the client or go to the WebVPN portal page and waits indefinitely for user response.
  • Page 843: Enabling Anyconnect Client Profile Downloads

    After creating a profile, you must load the file on the security appliance and configure the security appliance to download it to remote client PCs. Follow these steps to edit a profile and enable the security appliance to download it to remote clients:
  • Page 844 Step 3 Load the profile file into flash memory on the security appliance and then use the svc profiles command from webvpn configuration mode to identify the file as a client profile to load into cache memory:
  • Page 845: Enabling Additional Anyconnect Client Features

    [no] svc modules {none | value string} Separate multiple strings with commas. For a list of values to enter for each client feature, see the release notes for the Cisco AnyConnect VPN Client.
  • Page 846: Enabling Start Before Logon

    Translating Languages for AnyConnect User Messages The security appliance provides language translation for the portal and screens displayed to users that initiate browser-based, Clientless SSL VPN connections, as well as the interface displayed to Cisco AnyConnect VPN Client users. This section describes how to configure the security appliance to translate these user messages and...
  • Page 847: Creating Translation Tables

    Understanding Language Translation Functional areas and their messages that are visible to remote users are organized into translation domains. All messages displayed on the user interface of the Cisco AnyConnect VPN Client are located in the AnyConnect domain. The software image package for the security appliance includes a translation table template for the AnyConnect domain.
  • Page 848 AnyConnect language es-us tftp://209.165.200.225/client hostname# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! hostname# show import webvpn translation-table Translation Tables' Templates: AnyConnect PortForwarder customization keepout url-list webvpn Citrix-plugin RPC-plugin Telnet-SSH-plugin VNC-plugin Translation Tables: es-us AnyConnect
  • Page 849: Configuring Advanced Ssl Vpn Features

    DPD, use the svc dpd-interval command from group-policy or username webvpn mode: svc dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]} no svc dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]} Where:
  • Page 850: Enabling Keepalive

    In the following example, the security appliance is configured to enable the client to send keepalive messages with a frequency of 300 seconds (5 minutes), for the existing group-policy sales: hostname(config)# group-policy sales attributes hostname(config-group-policy)# webvpn hostname(config-group-webvpn)# svc keepalive 300
  • Page 851: Using Compression

    [no] svc mtu size This command affects only the AnyConnect client. The legacy Cisco SSL VPN Client (SVC) is not capable of adjusting to different MTU sizes.
  • Page 852: Viewing Ssl Vpn Sessions

    The following example shows the username lee and index number 1. hostname# show vpn-sessiondb svc Session Type: SSL VPN Client Username : lee Index : 1 IP Addr : 209.165.200.232 Protocol : SSL VPN Client Encryption : 3DES
  • Page 853: Updating Ssl Vpn Client Images

    If the new filenames are different, uninstall the old files using the no svc image command. Then use the svc image command to assign an order to the images and cause the security appliance to load the new images.
  • Page 855: Configuring Certificates

    The receiver applies the public key of the sender to the data. If the signature sent with the data matches the result of applying the public key to the data, the validity of the message is established.
  • Page 856: Certificate Scalability 39-2

    Using separate signing and encryption keys helps reduce exposure of the keys, because SSL uses a key for encryption but not signing, while IKE uses a key for signing but not encryption. By using separate keys for each, exposure of the keys is minimized.
  • Page 857: About Trustpoints 39-3

    CA is unavailable to provide updated CRL data. The security appliance can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each trustpoint are cached for a length of time configurable for each trustpoint.
  • Page 858: About Ocsp 39-4

    OCSP responder certificate to validate the responder certificate. The same applies for configuring validating responder certificates external to the validation path of the client certificate.
  • Page 859: Supported Ca Servers 39-5

    Before you configure a security appliance with certificates, ensure that the security appliance is configured properly to support certificates. An improperly configured security appliance can cause enrollment to fail, or can cause an enrollment request for a certificate containing inaccurate information.
  • Page 860: Configuring Key Pairs 39-6

    RSA general-purpose key: hostname/contexta(config)# show crypto key mypubkey Key pair was generated at: 16:39:47 central Feb 10 2005 Key name: <Default-RSA-Key> Usage: General Purpose Key Modulus Size (bits): 1024 Key Data:
  • Page 861: Removing Key Pairs 39-7

    To specify manual enrollment, use the enrollment terminal command to indicate that you will paste the certificate received from the CA into the terminal.
  • Page 862 Step 3 As needed, specify other characteristics for the trustpoint. The characteristics you need to define depend upon your CA and its configuration. You can specify characteristics for the trustpoint using the following commands. Refer to the Cisco Security Appliance Command Reference for complete descriptions and usage guidelines of these commands.
  • Page 863: Obtaining Certificates 39-9

    To obtain certificates with SCEP, perform the following steps: Step 1 Obtain the CA certificate for the trustpoint you configured. hostname/contexta(config)# crypto ca authenticate trustpoint For example, using trustpoint named Main, which represents a subordinate CA:
  • Page 864 Note If your security appliance reboots after you issued the crypto ca enroll command but before you received the certificate, reissue the crypto ca enroll command and notify the CA administrator.
  • Page 865 Main, which is configured to use manual enrollment and general-purpose RSA keys for signing and encryption. hostname (config)# crypto ca enroll Main % Start certificate enrollment ..
  • Page 866 The output of this command shows the details of the certificate issued for the security appliance and the CA certificate for the trustpoint. Step 7 Save the configuration using the write memory command: hostname/contexta(config)# write memory
  • Page 867: Configuring Crls For A Trustpoint

    Step 7 Configure how long the security appliance caches CRLs for the current trustpoint. To specify the number of minutes the security appliance waits before considering a CRL stale, enter the following command. hostname/contexta(config-ca-crl)# cache-time n
  • Page 868: Exporting A Trustpoint Configuration 39-15

    Note configured the security appliance to use DNS. For information about configuring DNS, see the dns commands in the Cisco Security Appliance Command Reference. If the LDAP server requires credentials to permit CRL retrieval, enter the following command: hostname/contexta(config-ca-crl)# ldap-dn admin-DN password...
  • Page 869 CA certificate map, which can contain many rules. For more information about using CA certificate map rules with tunnel groups, see the “Creating a Certificate Group Matching Rule and Policy” section on page 27-10.
  • Page 870: The Local Ca

    Part or all of the field or attribute must match the value given. No part of the field or attribute can match the value given. For more information about the issuer-name and subject-name commands, see the Cisco Security Appliance Command Reference.
  • Page 871: Configuring The Local Ca Server

    Step 1 command. This command provides a valid e-mail address the Local CA uses as a from: address when sending e-mails that deliver one-time passwords for an enrollment invitation to users.
  • Page 872 A+/asa_ca.crl * E-mail address for issuing Local CA e-mail notices: Required. You must supply an smtp from-address e-mail address, as the default, admin@FQDN, might not be an actual address.
  • Page 873: Customizing The Local Ca Server

    Step 3 To customize the text that appears in the subject field of all e-mails sent from the Local CA server, use the smtp subject subject-line command as follows: hostname (config-ca-server) # smtp subject Priority E-Mail: Enclosed Confidential Information is Required for Enrollment hostname (config-ca-server)#
  • Page 874: Certificate Characteristics

    CRL. The default issuer name in the Local CA is hostname.domainname. Use the issuer-name command to specify the Local CA certificate subject-name as shown in the following example: hostname(config-ca-server)# issuer-name CN=xx5520,CN=30.132.0.25,ou=DevTest,ou=QA,O=ABC Systems hostname(config-ca-server)#
  • Page 875 CRL lifetime, the default time period is six hours. Use the lifetime crl command to set the number of hours that you want the certificate revocation list to remain valid as shown in the following example:
  • Page 876: Defining Storage For Local Ca Files 39-22

    CA could be disabled until the storage problems are solved. Flash memory can store a database with 3500 users or fewer, but a database of more than 3500 users requires off-box storage.
  • Page 877: Setting Up External Local Ca File Storage 39-23

    Local CA configuration. An example follows: If you do not specify a CRL lifetime, the default time period is six hours. hostname(config)# crypto ca server
  • Page 878: Crl Downloading

    Local CA Server e-mails a one-time-password and username to the new user to enable enrollment. The e-mail, an automatically generated message, contains the enrollment URL of the security appliance. Figure 39-2 shows a sample e-mail to a new user.
  • Page 879: Setting Up Enrollment Parameters

    To complete enrollment and receive a certificate, the user must enter the OTP along with a username in the enrollment interface.
  • Page 880: Enrollment Requirements 39-26

    The user’s private keypair is generated by the Local CA and is issued to the user as part of the PKCS12 file. The PKCS12 file includes a keypair and the certificate issued to the user and the Local CA certificate.
  • Page 881: Starting And Stopping The Local Ca Server 39-27

    % Some server settings cannot be changed after CA certificate generation. % Please enter a passphrase to protect the private key % or type Return to exit Password: caserver
  • Page 882: Debugging The Local Ca Server 39-28

    Permits a specific user or subset of users in the Local CA server database to enroll and generates OTPs for users. crypto ca server user-db remove Removes a user from the Local CA server user database by user name.
  • Page 883: Adding And Enrolling Users 39-29

    Once a user is added with a valid e-mail address, the administrator has the choice of crypto ca server user-db allow username email-otp, or crypto ca server user-db allow username followed by crypto ca server user-db email-otp username.
  • Page 884: Renewing Users

    If you delete a user from the user database by username with the crypto ca server user-db remove command, you are prompted to permit revocation of any valid certificates issued to the user.
  • Page 885: Revocation Checking

    To display a list with all of the certificates issued by the Local CA, use the show crypto ca server cert-db command in Privileged EXEC mode. The following is a sample show crypto ca server cert-db command display showing just two of the user certificates in the database.
  • Page 886: Display The Local Ca Certificate 39-32

    Certificate Revocation List: Issuer: cn=xx5520-1-3-2007-1 This Update: 13:32:53 UTC Jan 4 2008 Next Update: 13:32:53 UTC Feb 3 2008 Number of CRL entries: 2 CRL size: 270 bytes Revoked Certificates:
  • Page 887: Display The User Database 39-33

    The following example shows the display of the show crypto ca server user-db command when the on-hold qualifier is used, yielding just one user on hold: hostname (config)# show crypto ca server user-db on-hold username: wilma101 email: <None>
  • Page 888: Local Ca Server Maintenance And Backup Procedures 39-34

    13:07:49 Jan 20 2007 LOCAL-CA-SERVER.cdb -rwx 0 01:09:28 Jan 20 2007 LOCAL-CA-SERVER.udb -rwx 232 19:09:10 Jan 20 2007 LOCAL-CA-SERVER.crl -rwx 1603 01:09:28 Jan 20 2007 LOCAL-CA-SERVER.p12 127119360 bytes total (79693824 bytes free) hostname (config-ca-server)#
  • Page 889: Local Ca Certificate Rollover 39-35

    To delete the existing Local CA server, whether it is enabled or disabled, you must issue a no crypto ca server command or a clear config crypto ca server command in Global Configuration mode, and then delete the associated database and configuration files (all files with the wildcard name, LOCAL-CA-SERVER.*).
  • Page 891: System Administration

    P A R T System Administration...
  • Page 893: Managing System Access

    100. Step 2 (Optional) To set the duration for how long a Telnet session can be idle before the security appliance disconnects the session, enter the following command:
  • Page 894: Allowing Ssh Access

    To save the RSA keys to persistent Flash memory, enter the following command: hostname(config)# write mem Step 3 To identify the IP addresses from which the security appliance accepts connections, enter the following command for each address or subnet:
  • Page 895: Using An Ssh Client

    To use ASDM, you need to enable the HTTPS server, and allow HTTPS connections to the security appliance. All of these tasks are completed if you use the setup command. This section describes how to manually configure ASDM access and how to log in to ASDM.
  • Page 896: Enabling Https Access

    Accessing ASDM from Your PC From a supported web browser on the security appliance network, enter the following URL: https://interface_ip_address[:port] In transparent firewall mode, enter the management IP address.
  • Page 897: Interface

    To maintain your username, use enable authentication. For authentication using the local database, you can use the login command, which maintains the username but requires no configuration to turn on authentication.
  • Page 898: Configuring Authentication To Access Privileged Exec Mode (The Enable Command)

    To authenticate users who enter the enable command, enter the following command: hostname(config)# aaa authentication enable console {LOCAL | server_group [LOCAL]} The user is prompted for the username and password.
  • Page 899: Authenticating Users Using The Login Command

    To configure management authorization, perform the following steps: Step 1 To enable management authorization, enter the following command: hostname(config)# aaa authorization exec authentication-server
  • Page 900: Configuring Command Authorization

    EXEC mode and advanced commands, including configuration commands. This section includes the following topics: Command Authorization Overview, page 40-9; Configuring Local Command Authorization, page 40-10; Configuring TACACS+ Command Authorization, page 40-13
  • Page 901: Command Authorization Overview

    This behavior can lead to confusion if command authorization is not configured for the enable_15 user or if authorizations are different for the enable_15 user than for the user in the previous context session.
  • Page 902: Configuring Local Command Authorization

    You can also use CLI authentication, but it is not required. See the following prerequisites for each user type: Local database users—Configure each user in the local database at a privilege level from 0 to 15.
  • Page 903 To configure the local database, see the “Configuring the Local Database” section on page 13-7. RADIUS users—Configure the user with Cisco VSA CVPN3000-Privilege-Level with a value between 0 and 15. LDAP users—Configure the user with a privilege level between 0 and 15, and then map the...
  • Page 904 15 mode cmd command enable This example shows an additional command, the configure command, that uses the mode keyword: hostname(config)# privilege show level 5 mode cmd command configure
  • Page 905: Configuring Tacacs+ Command Authorization

    If you enable TACACS+ command authorization, and a user enters a command at the CLI, the security appliance sends the command and username to the TACACS+ server to determine if the command is authorized.
  • Page 906 40-6). Configuring Commands on the TACACS+ Server You can configure commands on a Cisco Secure Access Control Server (ACS) TACACS+ server as a shared profile component, for a group, or for individual users. For third-party TACACS+ servers, see your server documentation for more information about command authorization support.
  • Page 907 For example, to allow enable, but not enable password, enter enable in the commands box, and deny password in the arguments box. Be sure to select the Permit Unmatched Args check box so that enable alone is still allowed (see Figure 40-3).
  • Page 908 We recommend that you allow the following basic commands for all users: show checksum, show curpriv, enable, help, show history, login, logout, pager
  • Page 909: Configuring Command Accounting

    See the following sample show curpriv command output. A description of each field follows. hostname# show curpriv Username : admin Current privilege level : 15 Current Mode/s : P_PRIV
  • Page 910: Recovering From A Lockout

    Configure the local database as a fallback method so you do not get locked out when the server is down.
  • Page 911: Configuring A Login Banner

    To add more than one line, precede each line by the banner command. For example, to add a message-of-the-day banner, enter: hostname(config)# banner motd Welcome to $(hostname). hostname(config)# banner motd Contact me at admin@example.com for any hostname(config)# banner motd issues.
  • Page 913: Managing Licenses

    To obtain an activation key, you will need a Product Authorization Key, which you can purchase from your Cisco account representative. After obtaining the Product Authorization Key, register it on the Web to obtain an activation key by performing the following steps:...
  • Page 914: Entering A New Activation Key

    hostname# dir [flash: | disk0: | disk1:] The flash: keyword represents the internal Flash memory on the PIX 500 series security appliance. You can enter flash: or disk0: for the internal Flash memory on the ASA 5500 series adaptive security appliance.
  • Page 915: Downloading Software Or Configuration Files To Flash Memory

    38-2. For information about installing Cisco Secure Desktop on the security appliance, see the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators. To configure the security appliance to use a specific application image or ASDM image if you have more than one installed, or have installed them in external Flash memory see the “Configuring the Application...
  • Page 916: Downloading A File To The Startup Or Running Configuration

    [/path]/filename {flash:/ | disk0:/ | disk1:/}[path/]filename The flash:/ keyword represents the internal Flash memory on the PIX 500 series security appliance. You can enter flash:/ or disk0:/ for the internal Flash memory on the ASA 5500 series adaptive security appliance.
  • Page 917: Configuring The Application Image And Asdm Image To Boot

    {flash:/ | disk0:/ | disk1:/}[path/]filename The flash:/ keyword represents the internal Flash memory on the PIX 500 series security appliance. You can enter flash:/ or disk0:/ for the internal Flash memory on the ASA 5500 series adaptive security appliance. The disk1:/ keyword represents the external Flash memory on the ASA.
  • Page 918: Configuring The File To Boot As The Startup Configuration

    {flash:/ | disk0:/ | disk1:/}[path/]filename The flash:/ keyword represents the internal Flash memory on the PIX 500 series security appliance. You can enter flash:/ or disk0:/ for the internal Flash memory on the ASA 5500 series adaptive security appliance.
  • Page 919: Upgrading An Active/Standby Failover Configuration

    Note Use the show failover command to verify that both failover groups are in the Standby Ready state on the secondary unit.
  • Page 920: Backing Up Configuration Files

    {startup-config | running-config} {flash:/ | disk0:/ | disk1:/}[path/]filename Be sure the destination directory exists. If it does not exist, first create the directory using the mkdir command.
  • Page 921: Backing Up A Context Configuration In Flash Memory

    URL lists, web contents, plug-ins, and language translations; DAP policies (dap.xml); CSD configurations (data.xml); digital keys and certificates; Local CA user database and certificate status files
  • Page 922: Using A Script To Back Up And Restore Files

    Install a TFTP server to send files from the ASA to the backup site. Another option is to use a commercially available tool. You can put the logic of this script into such a tool.
  • Page 923: Running The Script

    -r: Restore with an argument that specifies the file name. This file is produced during backup. #If you don't enter an option, the script will prompt for it prior to backup. #Make sure that you can SSH to the ASA. use Expect; use Getopt::Std; #global variables
  • Page 924 "Can't open $restore_file\n"; do running_config($exp); do lang_trans($exp); do customization($exp); do plugin($exp); do url_list($exp); do webcontent($exp); do dap($exp); do csd($exp); close(OUT); do finish($exp); sub enable { $obj = shift;
  • Page 925 $cli = "export webvpn translation-table $transtable language $lang $storage/$prompt-$date-$transtable-$lang.po"; $ocli = $cli; $ocli =~ s/^export/import/; print "$cli\n"; print OUT "$ocli\n"; $obj->send("$cli\n"); $obj->expect(15, "$prompt#" ); sub running_config { $obj = shift; $obj->clear_accum();
  • Page 926 OUT "$ocli\n"; $obj->send("$cli\n"); $obj->expect(15, "$prompt#" ); sub plugin { $obj = shift; $obj->clear_accum(); $obj->send("show import webvpn plug-in\n"); $obj->expect(15, "$prompt#" ); $output = $obj->before(); @items = split(/\n+/, $output); for (@items) { chop;
  • Page 927 $cli="export webvpn url-list $_ $storage/$prompt-$date-urllist-$_.xml"; $ocli = $cli; $ocli =~ s/^export/import/; print "$cli\n"; print OUT "$ocli\n"; $obj->send("$cli\n"); $obj->expect(15, "$prompt#" ); sub dap { $obj = shift; $obj->clear_accum(); $obj->send("dir dap.xml\n"); $obj->expect(15, "$prompt#" );
  • Page 928 OUT "$ocli\n"; $obj->send("$cli\n"); $obj->expect(15, "$prompt#" ); sub webcontent { $obj = shift; $obj->clear_accum(); $obj->send("show import webvpn webcontent\n"); $obj->expect(15, "$prompt#" ); $output = $obj->before(); @items = split(/\n+/, $output); for (@items) { s/^\s+//;
  • Page 929 $obj->spawn("/usr/bin/ssh $user\@$asa") or die "can't spawn ssh\n"; unless ($obj->expect(15, "password:" )) { die "timeout waiting for password:\n"; $obj->send("$password\n"); unless ($obj->expect(15, "$prompt>" )) { die "timeout waiting for $prompt>\n"; sub finish { $obj = shift; $obj->hard_close(); print "\n\n";
  • Page 930 "Enter TFTP host name or IP address:"; chop($tstr=<>); $storage = "tftp://$tstr"; if (defined($options{h})) { $asa = $options{h}; else { print "Enter ASA host name or IP address:"; chop($asa=<>); if (defined ($options{u})) { $user= $options{u}; else {
  • Page 931: Configuring Auto Update Support

    Auto Update is a protocol specification that allows an Auto Update server to download configurations and software images to many security appliances, and can provide basic monitoring of the security appliances from a central location.
  • Page 932: Configuring Communication With An Auto Update Server

    MAC address of the interface used to communicate with the AUS. • string—Use the specified text identifier, which cannot contain white space or the characters ‘, “, <, >, & and ?.
  • Page 933 AUS 10 times, and wait 3 minutes between attempts at reconnecting. hostname(config)# auto-update server https://jcrichton:farscape@209.165.200.224:1742/management source outside verify-certificate hostname(config)# auto-update device-id hostname hostname(config)# auto-update poll-at Friday Saturday 22:00 randomize 60 2 10
  • Page 934: Configuring Client Updates As An Auto Update Server

    The following example configures a client update for Cisco 5520 Adaptive Security Appliances:
  • Page 935: Viewing Auto Update Status

    Poll period: 720 minutes, retry count: 2, retry period: 5 minutes Timeout: none Device ID: host name [corporate] Next poll in 4.93 minutes Last poll: 11:36:46 PST Tue Nov 13 2004 Last PDM update: 23:36:46 PST Tue Nov 12 2004
  • Page 936 Chapter 41 Managing Software, Licenses, and Configurations Configuring Auto Update Support
  • Page 937: Monitoring The Security Appliance

    SNMP V1, MIB-II-compliant browser to receive SNMP traps and browse a MIB. Table 42-1 lists supported MIBs and traps for the adaptive security appliance and, in multiple mode, for each context. You can download Cisco MIBs from the following website. http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml After you download the MIBs, compile them for your NMS.
  • Page 938 The adaptive security appliance supports browsing of the following traps: • session-threshold-exceeded CISCO-CRYPTO-ACCELERATOR-MIB The adaptive security appliance supports browsing of the MIB. ALTIGA-GLOBAL-REG The adaptive security appliance supports browsing of the MIB.
  • Page 939: Enabling Snmp

    SNMP traps are sent on UDP port 162 by default. You can change the port number using the udp-port keyword. Step 3 To specify the community string, enter the following command: hostname(config)# snmp-server community key
  • Page 940 You must also enable syslog traps using the snmp-server enable traps command. Step 7 To enable logging, so that system messages are generated and can then be sent to an NMS, enter the following command: hostname(config)# logging enable
  • Page 941: Configuring And Managing Logs

    System log messages that are generated in the system execution space, including failover messages, are viewed in the admin context along with messages generated in the admin context. You cannot configure logging or view any logging information in the system execution space.
  • Page 942: Enabling And Disabling Logging

    Deny Conn when Queue Full: disabled Console logging: disabled Monitor logging: disabled Buffer logging: disabled Trap logging: level errors, facility 16, 3607 messages logged Logging to infrastructure 10.1.2.3 History logging: disabled
  • Page 943: Configuring Log Output Destinations

    Where the format emblem keyword enables EMBLEM format logging for the syslog server (UDP only). The interface_name argument specifies the interface through which you access the syslog server. The ip_address argument specifies the IP address of the syslog server.
  • Page 944 “Disabling Logging to All Configured Output Destinations” section on page 42-6. To specify which system log messages should be sent to the console port, enter the following command:
  • Page 945 Step 2 To specify the source e-mail address to be used when sending system log messages to an e-mail address, enter the following command: hostname(config)# logging from-address email_address
  • Page 946: Sending System Log Messages To Asdm

    To specify ASDM as an output destination, perform the following steps: Step 1 To specify which system log messages should go to ASDM, enter the following command: hostname(config)# logging asdm { severity_level | message_list }
  • Page 947 The following example shows how to set up secure logging: hostname(config)# logging host inside 10.0.0.1 TCP/1500 secure Clearing the ASDM Log Buffer To erase the current contents of the ASDM log buffer, enter the following command: hostname(config)# clear logging asdm
  • Page 948: Sending System Log Messages To A Telnet Or Ssh Session

    This command enables logging only for the current session. If you log out, and then log in again, you need to reenter this command. Step 2 To disable logging to the current session, enter the following command: hostname(config)# terminal no monitor
  • Page 949: Sending System Log Messages To The Log Buffer

    For the message_list option, specify the name of a message list containing criteria for selecting messages to be saved in the log buffer. hostname(config)# logging buffered notif-list Viewing the Log Buffer To view the log buffer, enter the following command: hostname(config)# show logging
  • Page 950 Step 2 To identify the FTP server, enter the following command: hostname(config)# logging ftp-server server path username password Where the server argument specifies the IP address of the external FTP server
  • Page 951: Filtering System Log Messages

    • System log message ID number • System log message severity level • System log message class (equivalent to a functional area of the adaptive security appliance)
  • Page 952 | trap} [ Where the message_class argument specifies a class of system log messages to be sent to the specified output destination. See Table 42-2 for a list of system log message classes.
  • Page 953 Network Processor Resource Manager Intrusion Protection Service 400, 401, 415 vpnc VPN Client webvpn Web-based VPN PKI Certification Authority e-mail E-mail Proxy vpnlb VPN Load Balancing vpnfo VPN Failover npssl NP SSL
  • Page 954: Filtering System Log Messages With Custom Message Lists

    The following example adds criteria to the message list—a range of message ID numbers and the message class ha (high availability or failover): hostname(config)# logging list notif-list 104024-105999 hostname(config)# logging list notif-list level critical hostname(config)# logging list notif-list level warning class ha
  • Page 955: Customizing The Log Configuration

    0 (zero) indicates unlimited system log messages, that is, the queue size is limited only by block memory availability. To view the queue and queue statistics, enter the following command: hostname(config)# show logging queue
  • Page 956 The following example enables the logging device ID for the adaptive security appliance: hostname(config)# logging device-id hostname The following example enables the logging device ID for a security context on the adaptive security appliance: hostname(config)# logging device-id context-name
  • Page 957: Generating System Log Messages In Emblem Format

    To see a list of disabled system log messages, enter the following command: hostname(config)# show logging message To reenable logging of all disabled system log messages, enter the following command: hostname(config)# clear config logging disabled
  • Page 958: Changing The Severity Level Of A System Log Message

    403503 hostname(config)# show logging message 403503 syslog 403503: default-level errors, current-level alerts (enabled) hostname(config)# no logging message 403503 level 3 hostname(config)# show logging message 403503 syslog 403503: default-level errors (enabled)
  • Page 959: Changing The Amount Of Internal Flash Memory Available For Logs

    The following example specifies that the minimum amount of free internal Flash memory must be 4000 KB before the adaptive security appliance can save a new log file: hostname(config)# logging flash-minimum-free 4000
  • Page 960: Understanding System Log Messages

    Note The adaptive security appliance does not generate system log messages with a severity level of 0 (emergencies). This level is provided in the logging command for compatibility with the UNIX system log feature, but is not used by the adaptive security appliance.
  • Page 961: Troubleshooting The Security Appliance

    The security appliance only shows ICMP debug messages for pings to the security appliance interfaces, and not for pings through the security appliance to other hosts. To enable debugging and system log messages, perform the following steps:
  • Page 962: Pinging Security Appliance Interfaces

    You will use this information in this procedure and in the procedure in “Pinging Through the Security Appliance” section on page 43-4. For example:
  • Page 963 ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1 If the ping reply does not return to the router, then a switch loop or redundant IP addresses may exist (see Figure 43-3).
  • Page 964: Pinging Through The Security Appliance

    For transparent mode, which does not use NAT, this test confirms that the security appliance is operating correctly. If the ping fails in transparent mode, contact Cisco TAC. To ping between hosts on different interfaces, perform the following steps:...
  • Page 965: Disabling The Test Configuration

    (305009 or 305011) and that an ICMP connection was established (302020). You can also enter either the show xlate or show conns command to view this information. If the ping fails for transparent mode, contact Cisco TAC. For routed mode, the ping might fail because NAT is not configured correctly (see Figure 43-5).
  • Page 966: Traceroute

    AAA settings, and how to disable password recovery for extra security. This section includes the following topics: • Recovering Passwords for the ASA 5500 Series Adaptive Security Appliance, page 43-7 • Recovering Passwords for the PIX 500 Series Security Appliance, page 43-8 • Disabling Password Recovery, page 43-9...
  • Page 967: Recovering Passwords For The Asa 5500 Series Adaptive Security Appliance

    Step 12 Access the global configuration mode by entering the following command: hostname# configure terminal Step 13 Change the passwords, as required, in the default configuration by entering the following commands: hostname(config)# password password
  • Page 968: Recovering Passwords For The Pix 500 Series Security Appliance

    Step 7 You can log in with the default login password of “cisco” and the blank enable password. The following example shows password recovery on a PIX 500 Series security appliance with the TFTP server on the outside interface: monitor> interface 0...
  • Page 969: Disabling Password Recovery

    Success rate is 100 percent (5/5) monitor> tftp tftp np52.bin@172.18.125.3 via 10.21.1.1 Received 73728 bytes Cisco PIX password tool (4.0) #0: Tue Aug 22 23:22:19 PDT 2005 Flash=i28F640J5 @ 0x300 BIOS Flash=AT29C257 @ 0xd8000 Do you wish to erase the passwords? [yn] y Passwords have been erased.
  • Page 970: Resetting The Password On The Ssm Hardware Module

    Resetting the Password on the SSM Hardware Module To reset the password to the default of “cisco” on the SSM hardware module, perform the following steps: Make sure that the SSM hardware module is in the Up state and supports password reset.
  • Page 971 RETRY=20 tftp f1/asa800-232-k8.bin@10.129.0.30 via 10.132.44.1 Received 14450688 bytes Launching TFTP Image... Cisco PIX Security Appliance admin loader (3.0) #0: Mon Mar 5 16:00:07 MST 2007 Loading... After the software image is successfully loaded, the adaptive security appliance automatically exits ROMMON mode.
  • Page 972: Erasing The Flash File System

    Reference. Capturing Packets Capturing packets is sometimes useful when troubleshooting connectivity problems or monitoring suspicious activity. We recommend contacting Cisco TAC if you want to use the packet capture feature. See the capture command in the Cisco Security Appliance Command Reference.
  • Page 973: Viewing The Crash Dump

    Viewing the Crash Dump If the security appliance crashes, you can view the crash dump information. We recommend contacting Cisco TAC if you want to interpret the crash dump. See the show crashdump command in the Cisco Security Appliance Command Reference.
  • Page 974 Possible Cause You did not enable the feature that allows traffic to pass between interfaces at the same security level. Recommended Action Enable this feature according to the instructions in “Allowing Communication Between Interfaces on the Same Security Level” section on page 7-7.
  • Page 975 Part Reference...
  • Page 977: Appendix

    Items that are in italics are separate, optional licenses with which you can replace the base license. Note You can mix and match licenses, for example, the 10 security context license plus the Strong Encryption license; or the 500 WebVPN license plus the GTP/GPRS license; or all four licenses together.
  • Page 978 If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately. 3. The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with one host and one dynamic translation for every four connections.
  • Page 979 If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately. 2. The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.
  • Page 980 If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately. 2. The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.
  • Page 981 If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately. 2. The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.
  • Page 982 If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately. 2. The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.
  • Page 983 1. This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model. 2. The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.
  • Page 984 1. This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model. 2. The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.
  • Page 985 1. This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model. 2. The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.
  • Page 986: Security Services Module Support

    No support 1. The CSC SSM licenses support up to 1000 users while the Cisco ASA 5540 Series appliance can support significantly more users. If you deploy CSC SSM with an ASA 5540 adaptive security appliance, be sure to configure the security appliance to send the CSC SSM only the traffic that should be scanned.
  • Page 987 Appendix A Feature Licenses and Specifications VPN Specifications Cisco VPN Client Support The security appliance supports a wide variety of software and hardware-based Cisco VPN clients, as shown in Table A-10. Table A-10 Cisco VPN Client Support Client Type Client Versions SSL VPN clients Cisco SSL VPN client, Version 1.1 or higher...
  • Page 988 MD5—128 bits SHA-1—160 bits X.509 certificate authorities Cisco IOS software Baltimore UniCERT Entrust Authority iPlanet/Netscape CMS Microsoft Certificate Services RSA Keon VeriSign OnSite X.509 certificate enrollment methods SCEP PKCS #7 and #10
  • Page 989: Appendix

    The admin context allows SSH sessions to the security appliance from one host. Although inside IP addresses can be the same across contexts when the interfaces are unique, keeping them unique is easier to manage.
  • Page 990: Example 1: System Configuration

    You must first enable multiple context mode using the mode multiple command. The mode is not stored in the configuration file, even though it endures reboots. Enter the show mode command to view the current mode. hostname Farscape password passw0rd enable password chr1cht0n mac-address auto
  • Page 991 This is the context for customer B allocate-interface gigabitethernet 0/0.3 allocate-interface gigabitethernet 0/1.6 config-url disk0://contextb.cfg member silver context customerC description This is the context for customer C allocate-interface gigabitethernet 0/0.3 allocate-interface gigabitethernet 0/1.7-gigabitethernet 0/1.8 config-url disk0://contextc.cfg member bronze
  • Page 992: Example 1: Admin Context Configuration

    ! This context uses dynamic PAT for inside users that access the outside. The outside ! interface address is used for the PAT address global (outside) 1 interface Example 1: Customer B Context Configuration interface gigabitethernet 0/0.3 nameif outside security-level 0 ip address 209.165.201.4 255.255.255.224
  • Page 993: Example 1: Customer C Context Configuration

    MANAGE remark Allows the management host to use pcAnywhere on the Websense server access-list MANAGE extended permit tcp host 209.165.201.30 host 209.165.201.6 eq pcanywhere-data access-list MANAGE extended permit udp host 209.165.201.30 host 209.165.201.6 eq pcanywhere-status access-group MANAGE in interface outside
  • Page 994: Example 2: Single Mode Firewall Using Same Security Level

    Syslog Server 192.168.2.2 dept2 10.1.2.1 Department 2 10.1.2.2 192.168.1.1 Department 2 Network 2 passwd g00fba11 enable password gen1u$ hostname Buster asdm image disk0:/asdm.bin boot system disk0:/image.bin interface gigabitethernet 0/0 nameif outside security-level 0
  • Page 995 1 ipsec-isakmp dynamic vpn_client crypto map telnet_tunnel interface outside ip local pool client_pool 10.1.1.2 access-list VPN_SPLIT extended permit ip host 209.165.201.3 host 10.1.1.2 telnet 10.1.1.2 255.255.255.255 outside telnet timeout 30 logging trap 5
  • Page 996: Example 3: Shared Resources For Multiple Contexts

    Mail Server Syslog Server 10.1.1.6 10.1.1.7 10.1.1.8 See the following sections for the configurations for this scenario: • Example 3: System Configuration, page B-9 • Example 3: Admin Context Configuration, page B-9
  • Page 997: Example 3: System Configuration

    0/1.203 allocate-interface gigabitethernet 0/1.300 config-url ftp://admin:passw0rd@10.1.0.16/dept2.cfg Example 3: Admin Context Configuration hostname Admin interface gigabitethernet 0/0.200 nameif outside security-level 0 ip address 209.165.201.3 255.255.255.224 no shutdown interface gigabitethernet 0/0.201 nameif inside
  • Page 998 209.165.201.4 255.255.255.224 no shutdown interface gigabitethernet 0/0.202 nameif inside security-level 100 ip address 10.1.2.1 255.255.255.0 no shutdown interface gigabitethernet 0/0.300 nameif shared security-level 50 ip address 10.1.1.2 255.255.255.0 no shutdown
  • Page 999 (inside) 1 10.1.3.0 255.255.255.0 ! The inside network uses PAT when accessing the outside global (outside) 1 209.165.201.10 netmask 255.255.255.255 ! The inside network uses PAT when accessing the shared network
  • Page 1000: Example 4: Multiple Mode, Transparent Firewall With Outside Access

    An out-of-band management host is connected to the Management 0/0 interface. The admin context allows SSH sessions to the security appliance from one host. Although inside IP addresses can be the same across contexts, keeping them unique is easier to manage.
  • Page 1001: Example 4: System Configuration

    Enter the show mode command to view the current mode. firewall transparent hostname Farscape password passw0rd enable password chr1cht0n asdm image disk0:/asdm.bin boot system disk0:/image.bin admin-context admin interface gigabitethernet 0/0
  • Page 1002: Example 4: Admin Context Configuration

    The host at 10.1.1.75 can access the context using SSH, which requires a key pair to be generated using the crypto key generate command. hostname Admin domain isp interface gigabitethernet 0/0.150 nameif outside security-level 0 no shutdown
  • Page 1003: Example 4: Customer A Context Configuration

    10.1.3.1 255.255.255.0 route outside 0 0 10.1.3.2 1 access-list OSPF remark -Allows OSPF access-list OSPF extended permit 89 any any access-group OSPF in interface outside
  • Page 1004: Example 4: Customer C Context Configuration

    -containing the hit-count (how many times the url was accessed) access-list maia2 webtype deny url https://sales.example.com log informational interval access-list maia2 remark -Permits access to the URL. access-list maia2 webtype permit url http://employee-connection.example.com
  • Page 1005 Step 7 Next, allow HTTPS ASDM and clientless SSL VPN sessions to terminate on the security appliance using the 3DES-sha1 cipher. Requires that a proper 3DES activation-key be previously installed. ssl encryption 3des-sha1 ssl trust-point CA-MS inside Step 8 Finally, configure the email proxy settings. imap4s

This manual is also suitable for:

Asa 5500 series