ASA 5500 series adaptive security appliance (40 pages)
Summary of Contents for Cisco ASA 5505
Page 1
Cisco ASA 5500 Series Configuration Guide using ASDM Software Version 6.3, for use with Cisco ASA 5500 Version 8.3 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883...
Page 2
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks.
Page 3
Obtaining Documentation, Obtaining Support, and Security Guidelines Getting Started and General Information P A R T Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance C H A P T E R ASDM Client Operating System and Browser Requirements...
C H A P T E R Information About the ASDM User Interface Navigating in the ASDM User Interface Menus File Menu View Menu Tools Menu Wizards Menu Window Menu Help Menu Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
Page 5
Managing Feature Licenses C H A P T E R Supported Feature Licenses Per Model Licenses Per Model License Notes VPN License and Feature Compatibility 4-11 Information About Feature Licenses 4-11...
Page 6
Configuring the Firewall Mode Information About the Firewall Mode Information About Routed Firewall Mode Information About Transparent Firewall Mode Licensing Requirements for the Firewall Mode Default Settings Guidelines and Limitations Setting the Firewall Mode...
Page 7
Setting up the Adaptive Security Appliance P A R T Configuring Multiple Context Mode C H A P T E R Information About Security Contexts Common Uses for Security Contexts Context Configuration Files Context Configurations...
Page 8
6-22 Feature History for Multiple Context Mode 6-23 Using the Startup Wizard C H A P T E R Information About the Startup Wizard Licensing Requirements for the Startup Wizard...
Page 9
Prerequisites for the Startup Wizard Guidelines and Limitations Startup Wizard Screens for ASA 5500 Series Adaptive Security Appliances Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance Step 1 - Starting Point or Welcome Step 2 - Basic Configuration...
Page 10
Task Flow for Starting Interface Configuration 8-16 Configuring VLAN Interfaces 8-17 Configuring and Enabling Switch Ports as Access Ports 8-18 Configuring and Enabling Switch Ports as Trunk Ports 8-19 Completing Interface Configuration (All Models) 8-21...
Page 11
Configuring the Master Passphrase Information About the Master Passphrase Licensing Requirements for the Master Passphrase Guidelines and Limitations Adding or Changing the Master Passphrase Disabling the Master Passphrase Recovering the Master Passphrase...
Page 12
C H A P T E R Information about DDNS 11-1 Licensing Requirements for DDNS 11-1 Guidelines and Limitations 11-2 Configuring Dynamic DNS 11-2 DDNS Monitoring 11-4 Feature History for DDNS 11-4...
Page 13
13-14 Creating a Regular Expression Class Map 13-15 Configuring Time Ranges 13-15 Add/Edit Time Range 13-16 Adding a Time Range to an Access Rule 13-16 Add/Edit Recurring Time Range 13-18...
Page 14
Using Standard ACLs 17-3 Adding a Standard ACL 17-3 Adding an ACE to a Standard ACL 17-3 Editing an ACE in a Standard ACL 17-4 Feature History for Standard ACLs 17-4...
Page 15
Configuring Static and Default Routes 19-2 Configuring a Static Route 19-3 Add/Edit a Static Route 19-3 Configuring Static Route Tracking 19-6 Deleting Static Routes 19-6 Configuring a Default Static Route 19-7...
Page 16
Configuring OSPF Area Parameters 21-12 Configuring OSPF NSSA 21-13 Defining Static OSPF Neighbors 21-14 Configuring Route Calculation Timers 21-15 Logging Neighbors Going Up or Down 21-16 Configuring Filtering in OSPF 21-16...
Page 17
23-1 C H A P T E R Overview 23-1 Licensing Requirements for EIGRP 23-2 Guidelines and Limitations 23-2 Task List to Configure an EIGRP Process 23-3 Configuring EIGRP 23-3...
Page 18
Disabling IGMP on an Interface 24-6 Configuring IGMP Group Membership 24-6 Configuring a Statically Joined IGMP Group 24-7 Controlling Access to Multicast Groups 24-8 Limiting the Number of IGMP States on an Interface 24-8...
Page 19
25-5 Configuring DAD Settings 25-5 Configuring IPv6 Addresses on an Interface 25-6 Configuring IPv6 Prefixes on an Interface 25-7 Feature History for Neighbor Reachable Time 25-8 Configuring Router Advertisement Messages 25-8...
Page 20
Feature History for Configuring a Static IPv6 Neighbor 25-20 Configuring Network Address Translation P A R T Information About NAT 26-1 C H A P T E R Why Use NAT? 26-1 NAT Terminology 26-2...
Page 21
Configuring Static NAT or Static NAT with Port Translation 27-11 Configuring Identity NAT 27-14 Configuration Examples for Network Object NAT 27-17 Providing Access to an Inside Web Server (Static NAT) 27-18...
Page 22
Order in Which Multiple Feature Actions are Applied 29-4 Incompatibility of Certain Feature Actions 29-5 Feature Matching for Multiple Service Policies 29-5 Licensing Requirements for Service Policies 29-6 Guidelines and Limitations 29-6 Default Settings 29-7...
Page 24
RADIUS Server Fields 31-11 TACACS+ Server Fields 31-12 SDI Server Fields 31-13 Windows NT Domain Server Fields 31-13 Kerberos Server Fields 31-13 LDAP Server Fields 31-15 HTTP Form Server Fields 31-17...
Page 25
Limiting User CLI and ASDM Access with Management Authorization 32-12 Configuring Command Authorization 32-13 Command Authorization Overview 32-13 Configuring Local Command Authorization 32-15 Configuring TACACS+ Command Authorization 32-18 Configuring Management Access Accounting 32-22 Viewing the Current Logged-In User 32-23...
Page 26
Configuring Additional URL Filtering Settings 34-4 Buffering the Content Server Response 34-5 Caching Server Addresses 34-5 Filtering HTTP URLs 34-6 Configuring Filtering Rules 34-6 Filtering the Rule Table 34-11 Defining Queries 34-12...
Page 27
35-19 Configuring Code Signer Certificates 35-20 Showing Code Signer Certificate Details 35-20 Deleting a Code Signer Certificate 35-21 Importing a Code Signer Certificate 35-21 Exporting a Code Signer Certificate 35-21...
Page 28
37-6 Add/Edit DNS Match Criterion 37-7 DNS Inspect Map 37-8 Add/Edit DNS Policy Map (Security Level) 37-10 Add/Edit DNS Policy Map (Details) 37-11 FTP Inspection 37-13 FTP Inspection Overview 37-13...
Page 31
39-1 C H A P T E R ILS Inspection 39-1 SQL*Net Inspection 39-2 Sun RPC Inspection 39-3 Sun RPC Inspection Overview 39-3 SUNRPC Server 39-3 Add/Edit SUNRPC Service 39-4...
Page 32
P A R T Information About Cisco Unified Communications Proxy Features 41-1 C H A P T E R Information About the Adaptive Security Appliance in Cisco Unified Communications 41-1 TLS Proxy Applications in Cisco Unified Communications 41-3 Licensing for Cisco Unified Communications Proxy Features...
Page 33
42-18 Saving the Identity Certificate Request 42-19 Installing the ASA Identity Certificate on the Mobility Advantage Server 42-20 Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers 42-21 Configuring the Cisco Phone Proxy 43-1...
Page 35
Licensing for Cisco Unified Presence 46-7 Configuring Cisco Unified Presence Proxy for SIP Federation 46-7 Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation 46-8 Feature History for Cisco Unified Presence 46-8 Configuring Cisco Intercompany Media Engine Proxy...
Page 36
(Optional) Configuring TLS within the Local Enterprise 47-28 (Optional) Configuring Off Path Signaling 47-31 Configuring the Cisco UC-IMC Proxy by using the UC-IME Proxy Pane 47-32 Configuring the Cisco UC-IMC Proxy by using the Unified Communications Wizard 47-34 Feature History for Cisco Intercompany Media Engine Proxy...
Page 37
Enabling Traffic Classification and Actions for the Botnet Traffic Filter 50-10 Blocking Botnet Traffic Manually 50-12 Searching the Dynamic Database 50-13 Monitoring the Botnet Traffic Filter 50-13 Botnet Traffic Filter Syslog Messaging 50-13 Botnet Traffic Filter Monitor Panes 50-14...
Page 38
TCP Reset Settings 52-4 Configuring IP Audit for Basic IPS Support 52-5 IP Audit Policy 52-5 Add/Edit IP Audit Policy Configuration 52-6 IP Audit Signatures 52-6 IP Audit Signature List 52-7...
Page 39
C H A P T E R Information About the CSC SSM 55-1 Determining What Traffic to Scan 55-3 Licensing Requirements for the CSC SSM 55-5 Prerequisites for the CSC SSM 55-5...
Page 41
Auto Update Process Overview 57-8 Monitoring the Auto Update Process 57-9 Failover Health Monitoring 57-10 Unit Health Monitoring 57-11 Interface Monitoring 57-11 Failover Feature/Platform Matrix 57-12 Failover Times by Platform 57-12...
Page 42
Device Initialization and Configuration Synchronization 59-2 Command Replication 59-3 Failover Triggers 59-3 Failover Actions 59-4 Optional Active/Standby Failover Settings 59-5 Licensing Requirements for Active/Standby Failover 59-5 Prerequisites for Active/Standby Failover 59-5...
Page 44
VPN Client Authentication Method and Name 62-9 Client Authentication 62-10 New Authentication Server Group 62-11 User Accounts 62-11 Address Pool 62-12 Attributes Pushed to Client 62-13 IPsec Settings (Optional) 62-13 Summary 62-14...
Page 45
Adding or Editing a Remote Access Internal Group Policy, General Attributes 64-7 Configuring the Portal for a Group Policy 64-10 Configuring Customization for a Group Policy 64-11 Adding or Editing a Site-to-Site Internal Group Policy 64-12...
Page 46
Add/Edit Internal Group Policy > Client Configuration > General Client Parameters 64-29 View/Config Banner 64-31 Add/Edit Internal Group Policy > Client Configuration > Cisco Client Parameters 64-31 Add or Edit Internal Group Policy > Advanced > IE Browser Proxy 64-32...
Page 47
64-88 Add/Edit Tunnel Group > General > Client Address Assignment 64-88 Add/Edit Tunnel Group > General > Advanced 64-89 Add/Edit Tunnel Group > IPsec for Remote Access > IPsec 64-90...
Page 48
Test Dynamic Access Policies 65-8 Add/Edit Dynamic Access Policies 65-10 Add/Edit AAA Attributes 65-15 Retrieving Active Directory Groups 65-18 Add/Edit Endpoint Attributes 65-19 Guide 65-22 Syntax for Creating Lua EVAL Expressions 65-22...
Page 49
67-16 Java Code Signer 67-18 Encoding 67-18 Web ACLs 67-21 Configuring Port Forwarding 67-22 Why Port Forwarding? 67-22 Port Forwarding Requirements and Restrictions 67-23 Configuring DNS for Port Forwarding 67-24...
Page 50
Creating XML-Based Portal Customization Objects and URL Lists 67-52 Understanding the XML Customization File Structure 67-52 Customization Example 67-58 Using the Customization Template 67-60 The Customization Template 67-60 Help Customization 67-73...
Page 51
68-1 C H A P T E R Configuring E-Mail Proxy 68-1 68-2 POP3S Tab 68-2 IMAP4S Tab 68-4 SMTPS Tab 68-6 Access 68-7 Edit E-Mail Proxy Access 68-9 Authentication 68-9...
Page 52
Severity Levels 71-3 Message Classes and Range of Syslog IDs 71-4 Filtering Syslog Messages 71-4 Sorting in the Log Viewers 71-4 Using Custom Message Lists 71-5 Licensing Requirements for Logging 71-5...
Page 53
Adding or Editing the Rate Limit for a Syslog Message 71-21 Editing the Rate Limit for a Syslog Severity Level 71-21 Log Monitoring 71-22 Filtering Syslog Messages Through the Log Viewers 71-22...
Page 54
73-3 Security Models 73-3 SNMP Groups 73-4 SNMP Users 73-4 SNMP Hosts 73-4 Implementation Differences Between Adaptive Security Appliances and the Cisco IOS 73-4 Licensing Requirements for SNMP 73-4 Prerequisites for SNMP 73-5 Guidelines and Limitations 73-5 Configuring SNMP 73-6...
Page 55
75-9 Configuring the Boot Image/Configuration Settings 75-9 Adding a Boot Image 75-10 Upgrading Software from Your Local Computer 75-10 Upgrading Software from the Cisco.com Wizard 75-11 Scheduling a System Restart 75-12...
Page 56
76-12 Common Problems 76-13 Reference P A R T Addresses, Protocols, and Ports A P P E N D I X IPv4 Addresses and Subnet Masks Classes Private Networks Subnet Masks...
Page 57
Configuring an External RADIUS Server B-30 Reviewing the RADIUS Configuration Procedure B-30 Security Appliance RADIUS Authorization Attributes B-30 Security Appliance IETF RADIUS Authorization Attributes B-38 Configuring an External TACACS+ Server B-39...
Page 58
Contents G L O S S A R Y I N D E X...
This guide applies to the Cisco ASA 5500 series adaptive security appliances. Throughout this guide, the term “adaptive security appliance” applies generically to all supported models, unless specified otherwise.
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
Page 61
P A R T Getting Started and General Information...
Page 63
Instead, refer to the ASDM guide in which support for your platform version was added (see Cisco ASA 5500 Series and PIX 500 Series Security Appliance Hardware and Software Compatibility for the minimum supported version of ASDM for each ASA version).
Page 64
1. Obtain Sun Java from java.sun.com
ASA 5500 Model Support
For a complete list of supported ASA models and ASA software versions for this release, see Cisco ASA 5500 Series and PIX 500 Series Security Appliance Hardware and Software Compatibility: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html...
Page 65
No support 1. The CSC SSM licenses support up to 1000 users while the Cisco ASA 5540 Series appliance can support significantly more users. If you deploy CSC SSM with an ASA 5540 adaptive security appliance, be sure to configure the security appliance to send the CSC SSM only the traffic that should be scanned.
Page 66
• Syslog message filtering based on multiple text strings that correspond to various columns
• Creation of custom filters
• Column sorting of messages
For detailed information, see the Cisco ASA 5500 Series Configuration Guide using ASDM. The following screens were modified: Monitoring >...
Page 67
Chapter 1 Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance, New Features
Table 1-3 New Features for ASDM Version 6.3(2)/ASA Version 8.3(2) (Unless Otherwise Noted) (continued)
Feature: Hardware processing for large modulus operations
Description: This feature lets you switch large modulus operations from software to hardware. It applies only to the ASA models 5510, 5520, 5540, and 5550.
Page 68
Feature / Description
General Features
Feature: No Payload Encryption image for export
Description: For export to some countries, payload encryption cannot be enabled on the Cisco ASA 5500 series. For version 8.3(2), you can now install a No Payload Encryption image (asa832-npe-k8.bin) on the following models:
• ASA 5505...
Page 69
Table 1-4 lists the new features for ASDM Version 6.3(1). All features apply only to ASA Version 8.3(1), unless otherwise noted.
Table 1-4 New Features for ASDM Version 6.3(1)/ASA Version 8.3(1) (Unless Otherwise Noted)
Page 70
Feature: LAN-to-LAN VPN connections
Description: For LAN-to-LAN connections using mixed IPv4 and IPv6 addressing, or all IPv6 addressing, the adaptive security appliance supports VPN tunnels if both peers are Cisco ASA 5500 series adaptive security appliances, and if both inside networks have matching addressing schemes (both IPv4 or both IPv6).
Page 71
Table 1-4 New Features for ASDM Version 6.3(1)/ASA Version 8.3(1) (Unless Otherwise Noted) (continued)
Feature: Usability Improvements for Remote Access VPN
Description: ASDM provides a step-by-step guide to configuring Clientless SSL VPN, AnyConnect SSL VPN Remote Access, or IPsec Remote Access using the ASDM Assistant.
Page 72
The following screen was modified: Configuration > Firewall > Threat Detection.
Unified Communication Features
Feature: SCCP v19 support
Description: The IP phone support in the Cisco Phone Proxy feature was enhanced to include support for version 19 of the SCCP protocol on the list of supported IP phones.
Feature: Cisco Intercompany Media...
Page 73
Feature: Failover licenses
Description: Failover licenses no longer need to be identical on each unit. The license used for both units is the combined license from the primary and secondary units.
Note: For the ASA 5505 and 5510 adaptive security appliances, both units require the Security Plus license; the Base license does not support failover, so you cannot enable failover on a standby unit that only has the Base license.
Page 74
Configuration > Device Management > Device Administration > Master Passphrase
ASDM Features
Feature: Upgrade Software from Cisco.com Wizard
Description: The Upgrade Software from Cisco.com wizard has changed to allow you to automatically upgrade ASDM and the adaptive security appliance to more current versions. Note that this feature is only available in single mode and, in multiple context mode, in the System execution space.
Page 75
Unsupported Commands
ASDM supports almost all commands available for the adaptive security appliance, but ASDM ignores some commands in an existing configuration. Most of these commands can remain in your configuration;...
Page 76
Table 1-5 List of Unsupported Commands (continued)
Unsupported Commands / ASDM Behavior
sysopt uauth allow-http-cache: Ignored.
terminal: Ignored.
Effects of Unsupported Commands
If ASDM loads an existing running configuration and finds other unsupported commands, ASDM operation is unaffected.
Page 77
Firewall Functional Overview
Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can also protect inside networks from each other, for example, by keeping a human resources network separate from a user network.
Page 78
Permitting or Denying Traffic with Access Rules
You can apply an access rule to limit traffic from inside to outside, or allow traffic from outside to inside.
...manager. Other legitimate connections continue to operate independently without interruption. For more information, see Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface.
Sending Traffic to the Content Security and Control Security Services Module
If your model supports it, the CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic.
Configuring Cisco Unified Communications
The Cisco ASA 5500 Series appliances are a strategic platform to provide proxy functions for unified communications deployments. The purpose of a proxy is to terminate and reoriginate connections between a client and server.
– Performing the access list checks
– Performing route lookups
– Allocating NAT translations (xlates)
– Establishing sessions in the “fast path”
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path.
• Manages data transfer across the tunnel
• Manages data transfer inbound and outbound as a tunnel endpoint or router
The adaptive security appliance invokes various standard protocols to accomplish these functions.
32-1. See the following Ethernet connection guidelines when using the factory default configurations:
• ASA 5505—The switch port to which you connect to ASDM can be any port, except for Ethernet 0/0.
• ASA 5510 and higher—The interface to which you connect to ASDM is Management 0/0.
Starting ASDM from the ASDM Launcher
To start ASDM from the ASDM Launcher, perform the following steps:
Step 1 Double-click the Cisco ASDM Launcher shortcut on your desktop, or open it from the Start menu. Alternatively, from the ASDM Welcome screen, you can click Run Startup Wizard to configure ASDM.
Save Running Configuration to Standby Unit
Save Internal Log Buffer to Flash
Clear Internal Log Buffer
– Tools menu: Command Line Interface, Ping, File Management, Update Software, File Transfer, Upload Image from Local PC, System Reload
Step 2 Double-click the installer to install the software.
Step 3 Double-click the Cisco ASDM Launcher shortcut on your desktop, or open it from the Start menu.
Step 4 Check the Run in Demo Mode check box. The Demo Mode window appears.
ASDM sessions are supported per context, up to a maximum of 32 total connections for each adaptive security appliance.
Factory Default Configurations
The factory default configuration is the configuration applied by Cisco to new adaptive security appliances. For the ASA 5510 and higher adaptive security appliances, the factory default configuration configures an interface for management so you can connect to it using ASDM, with which you can then complete your configuration.
ASA 5505 Default Configuration
The default factory configuration for the ASA 5505 adaptive security appliance configures the following:
• An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not...
The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network. The configuration consists of the following commands:
interface management 0/0
ip address 192.168.1.1 255.255.255.0
nameif management
security-level 100
no shutdown
asdm logging informational 100
asdm history enable
This section includes the following topics:
• Using the Command Line Interface Tool, page 2-9
• Handling Command Errors, page 2-9
• Using Interactive Commands, page 2-9
• Avoiding Conflicts with Other Administrators, page 2-10
A message appears in the Response area to inform you whether or not any error occurred, as well as other related information.
Note ASDM supports almost all CLI commands. See the Cisco ASA 5500 Series Command Reference for a list of commands.
To display the list of unsupported commands for ASDM, perform the following steps:
Step 1 In the main ASDM application window, choose Tools > Show Commands Ignored by ASDM on Device.
Step 2 Click OK when you are done.
Page 93
To access the Configuration and Monitoring panes, you can do one of the following:
In addition, the ASDM Assistant appears in this pane. Figure 3-1 on page 3-2 shows the elements of the ASDM user interface. Figure 3-1 ASDM User Interface
Step 1 Choose the drop-down list below the last function button to display a context menu.
Step 2 Choose one of the following options:
• To show more buttons, click Show More Buttons.
• To show fewer buttons, click Show Fewer Buttons.
Show Running Configuration in New Window: Displays the current running configuration in a new window.
Save Running Configuration to Flash: Writes a copy of the running configuration to flash memory.
%ASA-1-211004 is generated, indicating what the installed memory is and what the required memory is. This message reappears every 24 hours until the memory is upgraded.
See the “Tracing Packets with Packet Tracer” section on page 76-7 for more information.
Page 99
“Upgrading Software from the Cisco.com Wizard” section on page 75-11 for more information.
Backup Configurations: Backs up the adaptive security appliance configuration, a Cisco Secure Desktop image, and SSL VPN Client images and profiles. See the “Backing Up Configurations” section on page 75-13 for more information.
For more information, see the “Configuring and Running Captures with the Packet Capture Wizard” section on page 76-8.
(?) help icon.
Release Notes: Opens the most current version of the Release Notes for Cisco ASDM on Cisco.com. The release notes contain the most current information about ASDM software and hardware requirements, and the most current information about changes in the software.
Look For field in the menu bar. From the Find drop-down list, choose How Do I? to begin the search. To use the ASDM Assistant, perform the following steps:
Step 1 In the main ASDM application window, choose View > ASDM Assistant.
This pane is available in the Home, Configuration, Monitoring, and System views. You can use this pane to switch to another...
Remove information from a field, or remove a check from a check box.
Back: Returns to the previous pane.
Forward: Goes to the next pane.
Help: Displays help for the selected pane or dialog box.
Previous tab (when a tab has the focus): Left Arrow
Next cell in a table
Previous cell in a table: Shift+Tab
Next pane (when multiple panes are displayed)
Previous pane (when multiple panes are displayed): Shift+F6
The Preferences dialog box appears.
Step 2 On the General tab, check the Enable screen reader support check box.
Step 3 Click OK.
Step 4 Restart ASDM to activate screen reader support.
Page 107
You can control this behavior in Internet Explorer by choosing Tools > Internet Options > Advanced > Reuse windows for launching shortcuts.
Figure 3-2 shows the elements of the Device Dashboard tab. Figure 3-2 Device Dashboard Tab
Kbps displays below the table.
VPN Sessions Pane
This pane shows the VPN tunnel status. Click Details to go to the Monitoring > VPN > VPN Statistics > Sessions pane.
Latest ASDM Syslog Messages button in the left, bottom corner and the pane displays. Move your cursor away from the pane, and it disappears. Closes the pane. To show the pane, choose View > Latest ASDM Syslog Messages.
In multiple context mode, the Firewall Dashboard is viewable within each context. Figure 3-4 shows some of the elements of the Firewall Dashboard tab. Figure 3-4 Firewall Dashboard Tab
Enabling statistics for hosts affects performance in a significant way; if you have a high traffic load, you might consider enabling this type of statistics temporarily. Enabling statistics for ports, however, has a modest effect.
Security > CSC Setup, you cannot access the panes under Home > Content Security. Instead, a dialog box appears and lets you access the CSC Setup Wizard directly from this location.
To connect to the IPS software on the AIP SSM, perform the following steps:
Step 1 In the main ASDM application window, click the Intrusion Prevention tab.
Step 2 In the Connecting to IPS dialog box, choose one of the following options:
Page 115
Health Dashboard tab, located on the Intrusion Prevention tab.
Figure 3-6 Intrusion Prevention Tab (Health Dashboard)
Legend (GUI Element: Description)
Sensor Information pane.
Sensor Health pane.
CPU, Memory, and Load pane.
Interface Status pane.
Licensing pane.
Description
System vs. Context selection.
Interface Status pane. Choose an interface to view the total amount of traffic through the interface.
Connection Status pane.
CPU Status pane.
Memory Status pane.
Page 117
This section describes the licenses available for each model as well as important notes about licenses. This section includes the following topics:
• Licenses Per Model, page 4-2
• License Notes, page 4-9
• VPN License and Feature Compatibility, page 4-11
Security Plus license. You can mix and match licenses, for example, the 10 security context license plus the Strong Encryption license; or the 500 Clientless SSL VPN license plus the GTP/GPRS license; or all four licenses together.
Chapter 4 Managing Feature Licenses: Supported Feature Licenses Per Model. Table 4-1 shows the licenses for the ASA 5505. Table 4-1 ASA 5505 Adaptive Security Appliance License Features (columns: ASA 5505 Base License; Security Plus). Firewall Licenses: Botnet Traffic Filter Disabled...
2. See the “VPN License and Feature Compatibility” section on page 4-11. 3. Although the Ethernet 0/0 and 0/1 ports are Gigabit Ethernet, they are still identified as “Ethernet” in the software.
Failover: Active/Standby or Active/Active. Security Contexts: Optional licenses. VLANs, Maximum. 1. See the “License Notes” section on page 4-9. 2. See the “VPN License and Feature Compatibility” section on page 4-11.
2. With the 10,000-session license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000. 3. See the “VPN License and Feature Compatibility” section on page 4-11.
This license enables AnyConnect VPN client access to the adaptive security appliance. This license does not support browser-based (clientless) SSL VPN access or Cisco Secure Desktop. For these features, activate an AnyConnect Premium SSL VPN Edition license instead of the AnyConnect Essentials license.
All of these applications are licensed under the UC Proxy umbrella, and can be mixed and matched. Some applications might use multiple sessions for a connection. For example, if you configure a phone with a primary and backup Cisco Unified Communications Manager, there are 2 TLS proxy connections, so 2 UC Proxy sessions are used.
• security appliance. If you stop using the time-based license before it times out, then the timer halts. The timer only starts again when you reactivate the time-based license.
To view the combined license, see the “Viewing Your Current License” section on page 4-23.
This section describes how a shared license works and includes the following topics:
The participant continues to send refresh messages requesting more sessions until the server can adequately fulfill the request. When the load is reduced on a participant, it sends a message to the server to release the shared sessions.
10-day limit left over. The backup server “recharges” up to the maximum 30 days after 20 more days as an inactive backup. This recharging function is implemented to discourage misuse of the shared license.
If Pair #1 remains down, and the primary unit in Pair #2 goes down, then the standby unit in Pair #2 comes into use as the shared licensing server (see Figure 4-1).
In this case, you can increase the delay between participant refreshes, or you can create two shared networks.
If you have licenses on both units, they combine into a single running failover cluster license. • For the ASA 5505 and 5510 adaptive security appliances, both units require the Security Plus license; the Base license does not support failover, so you cannot enable failover on a standby unit that only has the Base license.
Yes. You can use one time-based license per feature at a time. Can I “stack” time-based licenses so that when the time limit runs out, it will automatically use the next license?
Active/Standby failover, the secondary unit inherits the primary license when it becomes active. If you have licenses on both units, they combine into a single running failover cluster license.
Note Failover units do require the same RAM on both units. • For the ASA 5505 and 5510 adaptive security appliances, both units require the Security Plus license; the Base license does not support failover, so you cannot enable failover on a standby unit that only has the Base license.
To obtain an activation key, you need a Product Authorization Key, which you can purchase from your Cisco account representative. You need to purchase a separate Product Activation Key for each feature license. For example, if you have the Base License, you can purchase separate keys for Advanced Endpoint Assessment and for additional SSL VPN sessions.
(without any of the new licenses you activated in Version 8.2 or later). – If you have a new system and do not have an earlier activation key, then you need to request a new activation key compatible with the earlier version.
• Configuring the Shared Licensing Participant and the Optional Backup Server, page 4-26 • Monitoring the Shared License, page 4-27 Configuring the Shared Licensing Server This section describes how to configure the adaptive security appliance to be a shared licensing server.
Choose the Configuration > Device Management > Licenses > Shared SSL VPN Licenses pane. Step 2 In the Shared Secret field, enter the shared secret as a string between 4 and 128 ASCII characters.
100 to 200. SSL VPN Licenses 7.1(1) SSL VPN licenses were introduced. Increased SSL VPN Licenses 7.2(1) A 5000-user SSL VPN license was introduced for the ASA 5550 and above.
Increased VLANs 7.2(2) The maximum number of VLANs for the Security Plus license on the ASA 5505 adaptive security appliance was increased from 5 (3 fully functional; 1 failover; one restricted to a backup interface) to 20 fully functional interfaces. In addition, the number of trunk ports was increased from 1 to 8.
AnyConnect VPN client access to the adaptive security appliance. This license does not support browser-based SSL VPN access or Cisco Secure Desktop. For these features, activate an AnyConnect Premium SSL VPN Edition license instead of the AnyConnect Essentials license.
You can now activate or deactivate time-based licenses using a command. The following command was modified: activation-key [activate | deactivate]. The following screen was modified: Configuration > Device Management > Licensing > Activation Key.
Information About the Firewall Mode This section describes routed and transparent firewall mode and includes the following topics: • Information About Routed Firewall Mode, page 5-2 • Information About Transparent Firewall Mode, page 5-2
• TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF • IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF • IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF • BPDU multicast address equal to 0100.0CCC.CCCD
Unless the host is on a directly connected network, you need to add a static route on the adaptive security appliance for the real host address that is embedded in the packet.
Licensing Requirements for the Firewall Mode The following table shows the licensing requirements for this feature. Model: All models. License Requirement: Base License. Default Settings The default mode is routed mode.
In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.
(by default Cisco Catalyst switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the management interface from the physically-connected switch, then the adaptive security appliance updates the MAC address table to use the management interface to access the switch, instead of the data interface.
ASDM Command Line Interface tool or SSH, you will be disconnected when the configuration is cleared, and you will have to reconnect to the adaptive security appliance using the console port in any case.
MAC address and the associated IP address are in the static ARP table. Licensing Requirements for ARP Inspection The following table shows the licensing requirements for this feature. Model: All models. License Requirement: Base License.
ARP responses are sent on the network, and if an entry is not used for a period of time, it times out. If an entry is incorrect (for example, the MAC address changes for a given IP address), the entry times out before it can be updated.
If you uncheck this check box, all non-matching packets are dropped, which restricts ARP through the adaptive security appliance to only static entries.
The ASA 5505 adaptive security appliance includes a built-in switch; the switch MAC address table maintains the MAC address-to-switch port mapping for traffic within each VLAN. This section discusses the bridge MAC address table, which maintains the MAC address-to-VLAN interface mapping for traffic that passes between VLANs.
Step 1 Choose the Configuration > Device Setup > Bridging > MAC Learning pane. Step 2 To disable MAC learning, choose an interface row, and click Disable. Step 3 To reenable MAC learning, click Enable. Step 4 Click Apply.
• An Inside User Visits a Web Server on the DMZ, page 5-17 • An Outside User Attempts to Access an Inside Host, page 5-18 • A DMZ User Attempts to Access an Inside Host, page 5-19
The global address could be on any subnet, but routing is simplified when it is on the outside interface subnet. The adaptive security appliance then records that a session is established and forwards the packet from the outside interface.
“knows” that the DMZ web server address belongs to a certain context because of the server address translation. The adaptive security appliance translates the destination address to the local address 10.1.1.3.
In this case, the interface is unique; the web server IP address does not have a current address translation.
(access lists, filters, AAA). The packet is denied, and the adaptive security appliance drops the packet and logs the connection attempt.
• An Inside User Visits a Web Server Using NAT, page 5-22 • An Outside User Visits a Web Server on the Inside Network, page 5-23 • An Outside User Attempts to Access an Inside Host, page 5-24
The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The adaptive security appliance forwards the packet to the inside user.
If the destination MAC address is in its table, the adaptive security appliance forwards the packet out of the outside interface. The destination MAC address is that of the upstream router, 10.1.2.1.
Because it is a new session, it verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA). For multiple context mode, the adaptive security appliance first classifies the packet according to a unique interface.
Because it is a new session, it verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA). For multiple context mode, the adaptive security appliance first classifies the packet according to a unique interface.
If the outside user is attempting to attack the inside network, the adaptive security appliance employs many technologies to determine if a packet is valid for an already established session.
Chapter 5 Configuring the Transparent or Routed Firewall: Firewall Mode Examples
P A R T Setting up the Adaptive Security Appliance...
• How the Security Appliance Classifies Packets, page 6-3 • Cascading Security Contexts, page 6-6 • Management Access to Security Contexts, page 6-7 • Information About Resource Management, page 6-8 • Information About MAC Addresses, page 6-11
If you do not use unique MAC addresses, then the mapped addresses in your NAT configuration are used to classify packets. We recommend using MAC addresses instead of NAT, so that traffic classification can occur regardless of the completeness of the NAT configuration.
[Figure residue: packet classification on a shared interface using unique MAC addresses. Admin Context, Context A, and Context B on GE 0/1.1, GE 0/1.2, and GE 0/1.3, with one MAC per context interface: 000C.F142.4CDA, 000C.F142.4CDB, 000C.F142.4CDC. Inside Admin Network, Inside Customer A, and Inside Customer B hosts at 209.165.202.129, 209.165.200.225, and 209.165.201.1.]
[Figure residue: Incoming Traffic from Inside Networks. Internet reached through GE 0/0.1; Classifier; Admin Context, Context A, and Context B on GE 0/1.1, GE 0/1.2, and GE 0/1.3; Inside Admin Network, Inside Customer A, and Inside Customer B hosts, each using 10.1.1.13.]
Note Cascading contexts requires that you configure unique MAC addresses for each context interface. Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading contexts without unique MAC addresses.
“enable_15” user, or you can log in as a different name for which you provide sufficient privileges in the command authorization configuration for the context. To
10 contexts to the class for a total of 200 percent. If contexts concurrently use more than the system limit, then each context gets less than the 20 percent you intended. (See Figure 6-5.)
[Figure residue: Contexts; Gold Class; Default Class.] All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to the default class.
You can only assign a context to one resource class. The exception to this rule is that limits that are undefined in the member class are inherited from the default class; so in effect, a context could be a member of default plus another class.
“MAC Address Format” section for more information. For upgrading failover units with the legacy version of the mac-address auto command before the prefix keyword was introduced, see the mac-address auto command in the Cisco ASA 5500 Series Command Reference. MAC Address Format...
Active/Active mode failover is only supported in multiple context mode. IPv6 Guidelines Supports IPv6. Model Guidelines Does not support the ASA 5505. Unsupported Features Multiple context mode does not support the following features:
“Configuring a Security Context” section on page 6-17 (Step 3). Step 4 (Optional) Automatically assign MAC addresses to context interfaces. See the “Automatically Assigning MAC Addresses to Context Interfaces” section on page 6-19.
Your adaptive security appliance might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section.
host and multiple other hosts. Feature Licenses Per Model” section on page 4-1 for the connection limit for your platform. inspects | Rate | N/A | Application inspections.
1 and 5 and selecting Absolute from the list. The system has a maximum of 100 sessions divided between all contexts.
Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and the system limit for your model, and selecting Absolute from the list. See the Release Notes for Cisco ASDM for the connection limit for your model. •...
Application on the AIP SSM and SSC.” Step 11 (Optional) To assign this context to a resource class, choose a class name from the Resource Assignment > Resource Class drop-down list.
• For the MAC address generation method when not using a prefix (not recommended), see the mac-address auto command in the Cisco ASA 5500 Series Command Reference. • In the rare circumstance that the generated MAC address conflicts with another private MAC...
– Peak Connections (#)—Shows the peak number of connections since the statistics were last cleared, either using the clear resource usage command or because the device rebooted. • SSH—Shows the usage of SSH connections. – Context—Shows the name of each context.
• Viewing MAC Addresses in the System Configuration, page 6-21 • Viewing MAC Addresses Within a Context, page 6-22 Viewing MAC Addresses in the System Configuration This section describes how to view MAC addresses in the system configuration.
This table shows the MAC address in use; if you manually assign a MAC address and also have auto-generation enabled, then you can only view the unused auto-generated address from within the system configuration.
MAC address, you cannot start the manual MAC address with A2. The following screen was modified: Configuration > Context Management > Security Contexts.
Chapter 6 Configuring Multiple Context Mode: Feature History for Multiple Context Mode
Supported in routed and transparent firewall modes, as noted in Table 7-1. Failover Guidelines Supports sessions in Stateful Failover. IPv6 Guidelines Supports IPv6. Model Guidelines Supports all models. Additional Guidelines Supports the AIP SSM/SSC for IPS.
Appliance Table 7-2 lists all of the required Startup Wizard screens for configuring only the ASA 5505 adaptive security appliance and IPS, if you have an AIP SSC installed. The sequence of screens listed represents configuration for the single, routed mode. The Availability column lists the mode or modes in which each screen appears and provides additional configuration information.
Chapter 7 Using the Startup Wizard: Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance. Table 7-2 Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance (columns: Screen Name and Sequence; Availability). Step 1 - Starting Point or Welcome, page 7-4: All modes.
Note If you reset the configuration to factory defaults, you cannot undo these changes by clicking Cancel or by closing this screen. Step 6 Click Next to continue.
Step 6 - Interface Selection This screen allows you to group the eight Fast Ethernet switch ports on the ASA 5505 into three VLANs. These VLANs function as separate Layer 3 networks. You can then choose or create the VLANs that define your network—one for each interface: outside (Internet), inside (Business), or DMZ (Home).
To create a new outside VLAN, check the Create a VLAN check box. To enable the outside VLAN, check the Enable VLAN check box.
Click Next to continue. Step 9 - Internet Interface Configuration - PPPoE Note For all ASA 5500 series models except ASA 5505, with a full license, the adaptive security appliance supports up to five interfaces, with a maximum of three outside interfaces. In restricted mode, the adaptive security appliance supports up to three interfaces, and in transparent mode, the adaptive security appliance supports up to two interfaces.
Step 5 Step 10 - Business Interface Configuration - PPPoE Note For all ASA 5500 series models except ASA 5505, with a full license, the adaptive security appliance supports up to five interfaces, with a maximum of three outside interfaces. In restricted mode, the adaptive security appliance supports up to three interfaces, and in transparent mode, the adaptive security appliance supports up to two interfaces.
Step 5 Step 11 - Home Interface Configuration - PPPoE Note For all ASA 5500 series models except ASA 5505, with a full license, the adaptive security appliance supports up to five interfaces, with a maximum of three outside interfaces. In restricted mode, the adaptive security appliance supports up to three interfaces, and in transparent mode, the adaptive security appliance supports up to two interfaces.
To enable and restrict traffic between interfaces and between hosts connected to the same interface, perform the following steps: Step 1 To enable traffic between two or more interfaces with the same security level, check the Enable traffic between two or more interfaces with the same security level check box.
Enter the IP address of the DNS server. Enter the IP address of the WINS server. Enter the IP address of the alternate DNS server.
Note IPSec with PAT may not work correctly, because the outside tunnel endpoint device cannot handle multiple tunnels from one IP address. • To use the IP address of the outside interface for PAT, click the Use the IP address on the outside interface radio button.
– You want VPN connections to be initiated by client traffic. – You want the IP addresses of local hosts to be hidden from remote networks. – You are using DHCP on the ASA 5505 to provide IP addresses to local hosts. • Use Network Extension Mode if:
To form a secure VPN tunnel between the adaptive security appliance and a remote Cisco VPN 3000 concentrator, Cisco router, or adaptive security appliance that is acting as an Easy VPN server, perform...
Step 18 - Startup Wizard Summary This screen summarizes all of the configuration settings that you have made for the adaptive security appliance. To change any of the settings in previous screens, click Back.
Step 3 The Security Level field displays the security level of the selected interface. Change the security level for the interface, if needed. If you change the security level of the interface to a lower level, a warning message appears.
[Figure residue: IPv6 neighbor discovery exchange. Query = what is your link address? Reply: ICMPv6 Type = 136, Src = B, Dst = A, Data = link-layer address of B. A and B can now exchange packets on this link.]
Valid time values range from 0 to 3600000 milliseconds. The default is 0; however, when you use 0, the reachable time is sent as undetermined. It is up to the receiving devices to set and track the reachable time value.
Step 6 To allow the generation of addresses for hosts, make sure that the Suppress RA check box is unchecked. This is the default setting if IPv6 unicast routing is enabled. To prevent the generation of IPv6 router advertisement transmissions, check the Suppress RA check box.
7-21 (Step 9). Configuring IPv6 Prefixes on an Interface To configure IPv6 prefixes on an interface, perform the following steps: Step 1 In the Interface IPv6 Prefixes area, click Add.
[Figure: IPv6 Neighbor Discovery—Router Advertisement Message.] Router advertisement packet definitions: ICMPv6 Type = 134; Src = router link-local address; Dst = all-nodes multicast address; Data = options, prefix, lifetime, autoconfig flag.
IPv6 nodes, randomly adjust the actual value used to within 20 percent of the desired value. To change the interval between router advertisement transmissions on an interface, perform the following steps:
Step 4 Click the IPv6 tab. Step 5 In the RA Lifetime field, enter a valid lifetime value. Step 6 Click OK. Step 7 Click Apply to save the configuration.
Step 1 ... Step 2 Click Add. The Add IPv6 Static Neighbor dialog box appears. Step 3 From the Interface Name drop-down list, choose an interface on which to add the neighbor.
Step 3 Click Apply to save the change to your current configuration. Note Before you apply the changes and permanently delete the neighbor from your configuration, you can click Reset to restore the original values.
Step 1 Enter the name of the group. You must specify a group name to proceed. Step 2 In the User Authentication area, enter the following information: • The PPPoE username.
Outside Interface Configuration Note For all ASA 5500 series models except ASA 5505, with a full license, the adaptive security appliance supports up to five interfaces, with a maximum of three outside interfaces. In restricted mode, the adaptive security appliance supports up to three interfaces, and in transparent mode, the adaptive security appliance supports up to two interfaces.
ASDM release in which support was added is not listed. Table 7-3 Feature History for the Startup Wizard (columns: Feature Name; Platform Releases; Feature Information). Startup Wizard: 7.0(1): This feature was introduced.
Chapter 7 Using the Startup Wizard: Feature History for the Startup Wizard
This chapter describes how to configure interfaces, including Ethernet parameters, switch ports (for the ASA 5505), VLAN subinterfaces, and IP addressing. The procedure to configure interfaces varies depending on several factors: the ASA 5505 vs. other models; routed vs. transparent mode; and single vs. multiple mode. This chapter describes how to configure interfaces for each of these variables.
Understanding ASA 5505 Ports and Interfaces The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure: • Physical switch ports—The adaptive security appliance has 8 Fast Ethernet switch ports that forward...
You can configure trunk ports to accommodate multiple VLANs per port. Note The ASA 5505 adaptive security appliance supports Active/Standby failover, but not Stateful Failover.
Chapter 8 Configuring Interfaces: Information About Interfaces. Figure 8-2 for an example network. [Figure 8-2 ASA 5505 Adaptive Security Appliance with Security Plus License: Backup ISP; Primary ISP; two ASA 5505 units in failover with the Security Plus license; Failover Link; Inside.] VLAN MAC Addresses Routed firewall mode—All VLAN interfaces share a MAC address.
The ASA 5580 adaptive security appliance supports multiple types of Ethernet interfaces including Gigabit Ethernet and 10-Gigabit Ethernet speeds, and copper and fiber connectors. See the Cisco ASA 5580 Adaptive Security Appliance Getting Started Guide for detailed information about the interface adapters available for the ASA 5580 adaptive security appliance, and which slots support each adapter type.
“Configuring Active/Active Failover” section on page 60-8 to configure the failover and state links. In multiple context mode, failover interfaces are configured in the system configuration. IPv6 Guidelines • Supports IPv6.
“Configuring the IPv6 Address” section on page 9-16. Model Gui