Cisco ASA 5500 Series Configuration
Guide using ASDM
Software Version 6.3, for use with Cisco ASA 5500 Version 8.3
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Customer Order Number: N/A, Online only
Text Part Number: OL-20339-01

   Summary of Contents for Cisco ASA 5505

  • Page 2

    OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks.

  • Page 3

    Obtaining Documentation, Obtaining Support, and Security Guidelines. PART Getting Started and General Information. CHAPTER Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance: ASDM Client Operating System and Browser Requirements...

  • Page 4

    CHAPTER Information About the ASDM User Interface: Navigating in the ASDM User Interface; Menus; File Menu; View Menu; Tools Menu; Wizards Menu; Window Menu; Help Menu. Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...

  • Page 5

    CHAPTER Managing Feature Licenses: Supported Feature Licenses Per Model; Licenses Per Model; License Notes; VPN License and Feature Compatibility 4-11; Information About Feature Licenses 4-11...

  • Page 6

    Configuring the Firewall Mode: Information About the Firewall Mode; Information About Routed Firewall Mode; Information About Transparent Firewall Mode; Licensing Requirements for the Firewall Mode; Default Settings; Guidelines and Limitations; Setting the Firewall Mode...

  • Page 7

    PART Setting up the Adaptive Security Appliance. CHAPTER Configuring Multiple Context Mode: Information About Security Contexts; Common Uses for Security Contexts; Context Configuration Files; Context Configurations...

  • Page 8

    6-22; Feature History for Multiple Context Mode 6-23. CHAPTER Using the Startup Wizard: Information About the Startup Wizard; Licensing Requirements for the Startup Wizard...

  • Page 9

    Prerequisites for the Startup Wizard; Guidelines and Limitations; Startup Wizard Screens for ASA 5500 Series Adaptive Security Appliances; Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance; Step 1 - Starting Point or Welcome; Step 2 - Basic Configuration...

  • Page 10

    Task Flow for Starting Interface Configuration 8-16; Configuring VLAN Interfaces 8-17; Configuring and Enabling Switch Ports as Access Ports 8-18; Configuring and Enabling Switch Ports as Trunk Ports 8-19; Completing Interface Configuration (All Models) 8-21...

  • Page 11

    Configuring the Master Passphrase: Information About the Master Passphrase; Licensing Requirements for the Master Passphrase; Guidelines and Limitations; Adding or Changing the Master Passphrase; Disabling the Master Passphrase; Recovering the Master Passphrase...

  • Page 12

    CHAPTER: Information about DDNS 11-1; Licensing Requirements for DDNS 11-1; Guidelines and Limitations 11-2; Configuring Dynamic DNS 11-2; DDNS Monitoring 11-4; Feature History for DDNS 11-4...

  • Page 13

    13-14; Creating a Regular Expression Class Map 13-15; Configuring Time Ranges 13-15; Add/Edit Time Range 13-16; Adding a Time Range to an Access Rule 13-16; Add/Edit Recurring Time Range 13-18...

  • Page 14

    Using Standard ACLs 17-3; Adding a Standard ACL 17-3; Adding an ACE to a Standard ACL 17-3; Editing an ACE in a Standard ACL 17-4; Feature History for Standard ACLs 17-4...

  • Page 15

    Configuring Static and Default Routes 19-2; Configuring a Static Route 19-3; Add/Edit a Static Route 19-3; Configuring Static Route Tracking 19-6; Deleting Static Routes 19-6; Configuring a Default Static Route 19-7...

  • Page 16

    Configuring OSPF Area Parameters 21-12; Configuring OSPF NSSA 21-13; Defining Static OSPF Neighbors 21-14; Configuring Route Calculation Timers 21-15; Logging Neighbors Going Up or Down 21-16; Configuring Filtering in OSPF 21-16...

  • Page 17

    23-1. CHAPTER: Overview 23-1; Licensing Requirements for EIGRP 23-2; Guidelines and Limitations 23-2; Task List to Configure an EIGRP Process 23-3; Configuring EIGRP 23-3...

  • Page 18

    Disabling IGMP on an Interface 24-6; Configuring IGMP Group Membership 24-6; Configuring a Statically Joined IGMP Group 24-7; Controlling Access to Multicast Groups 24-8; Limiting the Number of IGMP States on an Interface 24-8...

  • Page 19

    25-5; Configuring DAD Settings 25-5; Configuring IPv6 Addresses on an Interface 25-6; Configuring IPv6 Prefixes on an Interface 25-7; Feature History for Neighbor Reachable Time 25-8; Configuring Router Advertisement Messages 25-8...

  • Page 20

    Feature History for Configuring a Static IPv6 Neighbor 25-20. PART Configuring Network Address Translation. CHAPTER Information About NAT 26-1: Why Use NAT? 26-1; NAT Terminology 26-2...

  • Page 21

    Configuring Static NAT or Static NAT with Port Translation 27-11; Configuring Identity NAT 27-14; Configuration Examples for Network Object NAT 27-17; Providing Access to an Inside Web Server (Static NAT) 27-18...

  • Page 22

    Order in Which Multiple Feature Actions are Applied 29-4; Incompatibility of Certain Feature Actions 29-5; Feature Matching for Multiple Service Policies 29-5; Licensing Requirements for Service Policies 29-6; Guidelines and Limitations 29-6; Default Settings 29-7...

  • Page 23

    30-7; Default Settings 30-7; Configuring Access Rules 30-7; Adding an Access Rule 30-7; Adding an EtherType Rule (Transparent Mode Only) 30-8; Add/Edit EtherType Rule 30-10; Configuring Management Access Rules 30-10...

  • Page 24

    RADIUS Server Fields 31-11; TACACS+ Server Fields 31-12; SDI Server Fields 31-13; Windows NT Domain Server Fields 31-13; Kerberos Server Fields 31-13; LDAP Server Fields 31-15; HTTP Form Server Fields 31-17...

  • Page 25

    Limiting User CLI and ASDM Access with Management Authorization 32-12; Configuring Command Authorization 32-13; Command Authorization Overview 32-13; Configuring Local Command Authorization 32-15; Configuring TACACS+ Command Authorization 32-18; Configuring Management Access Accounting 32-22; Viewing the Current Logged-In User 32-23...

  • Page 26

    Configuring Additional URL Filtering Settings 34-4; Buffering the Content Server Response 34-5; Caching Server Addresses 34-5; Filtering HTTP URLs 34-6; Configuring Filtering Rules 34-6; Filtering the Rule Table 34-11; Defining Queries 34-12...

  • Page 27

    35-19; Configuring Code Signer Certificates 35-20; Showing Code Signer Certificate Details 35-20; Deleting a Code Signer Certificate 35-21; Importing a Code Signer Certificate 35-21; Exporting a Code Signer Certificate 35-21...

  • Page 28

    37-6; Add/Edit DNS Match Criterion 37-7; DNS Inspect Map 37-8; Add/Edit DNS Policy Map (Security Level) 37-10; Add/Edit DNS Policy Map (Details) 37-11; FTP Inspection 37-13; FTP Inspection Overview 37-13...

  • Page 29

    Select IPSec-Pass-Thru Map 37-45; IPSec Pass Through Inspect Map 37-45; Add/Edit IPSec Pass Thru Policy Map (Security Level) 37-46; Add/Edit IPSec Pass Thru Policy Map (Details) 37-47; NetBIOS Inspection 37-48...

  • Page 30

    Add/Edit H.323 Policy Map (Details) 38-10; Add/Edit HSI Group 38-12; Add/Edit H.323 Map 38-12; MGCP Inspection 38-13; MGCP Inspection Overview 38-14; Select MGCP Map 38-16; MGCP Inspect Map 38-16; Gateways and Call Agents 38-17...

  • Page 31

    39-1. CHAPTER: ILS Inspection 39-1; SQL*Net Inspection 39-2; Sun RPC Inspection 39-3; Sun RPC Inspection Overview 39-3; SUNRPC Server 39-3; Add/Edit SUNRPC Service 39-4...

  • Page 32

    PART. CHAPTER Information About Cisco Unified Communications Proxy Features 41-1: Information About the Adaptive Security Appliance in Cisco Unified Communications 41-1; TLS Proxy Applications in Cisco Unified Communications 41-3; Licensing for Cisco Unified Communications Proxy Features...

  • Page 33

    42-18; Saving the Identity Certificate Request 42-19; Installing the ASA Identity Certificate on the Mobility Advantage Server 42-20; Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers 42-21; Configuring the Cisco Phone Proxy 43-1...

  • Page 34

    Add TLS Proxy Instance Wizard – Other Steps 44-12; Edit TLS Proxy Instance – Server Configuration 44-12; Edit TLS Proxy Instance – Client Configuration 44-13; TLS Proxy 44-15; Add/Edit TLS Proxy 44-16...

  • Page 35

    Licensing for Cisco Unified Presence 46-7; Configuring Cisco Unified Presence Proxy for SIP Federation 46-7; Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation 46-8; Feature History for Cisco Unified Presence 46-8; Configuring Cisco Intercompany Media Engine Proxy...

  • Page 36

    (Optional) Configuring TLS within the Local Enterprise 47-28; (Optional) Configuring Off Path Signaling 47-31; Configuring the Cisco UC-IMC Proxy by using the UC-IME Proxy Pane 47-32; Configuring the Cisco UC-IMC Proxy by using the Unified Communications Wizard 47-34; Feature History for Cisco Intercompany Media Engine Proxy...

  • Page 37

    Enabling Traffic Classification and Actions for the Botnet Traffic Filter 50-10; Blocking Botnet Traffic Manually 50-12; Searching the Dynamic Database 50-13; Monitoring the Botnet Traffic Filter 50-13; Botnet Traffic Filter Syslog Messaging 50-13; Botnet Traffic Filter Monitor Panes 50-14...

  • Page 38

    TCP Reset Settings 52-4; Configuring IP Audit for Basic IPS Support 52-5; IP Audit Policy 52-5; Add/Edit IP Audit Policy Configuration 52-6; IP Audit Signatures 52-6; IP Audit Signature List 52-7...

  • Page 39

    CHAPTER: Information About the CSC SSM 55-1; Determining What Traffic to Scan 55-3; Licensing Requirements for the CSC SSM 55-5; Prerequisites for the CSC SSM 55-5...

  • Page 40

    CSC Setup Wizard IP Configuration 56-9; CSC Setup Wizard Host Configuration 56-9; CSC Setup Wizard Management Access Configuration 56-10; CSC Setup Wizard Password Configuration 56-10; CSC Setup Wizard Traffic Selection for CSC Scan 56-11...

  • Page 41

    Auto Update Process Overview 57-8; Monitoring the Auto Update Process 57-9; Failover Health Monitoring 57-10; Unit Health Monitoring 57-11; Interface Monitoring 57-11; Failover Feature/Platform Matrix 57-12; Failover Times by Platform 57-12...

  • Page 42

    Device Initialization and Configuration Synchronization 59-2; Command Replication 59-3; Failover Triggers 59-3; Failover Actions 59-4; Optional Active/Standby Failover Settings 59-5; Licensing Requirements for Active/Standby Failover 59-5; Prerequisites for Active/Standby Failover 59-5...

  • Page 43

    Failover-Multiple Mode, Security Context 60-8; Failover - Routed 60-8; Failover - Transparent 60-9; Failover-Multiple Mode, System 60-9; Failover > Setup Tab 60-10; Failover > Criteria Tab 60-12; Failover > Active/Active Tab 60-12...

  • Page 44

    VPN Client Authentication Method and Name 62-9; Client Authentication 62-10; New Authentication Server Group 62-11; User Accounts 62-11; Address Pool 62-12; Attributes Pushed to Client 62-13; IPsec Settings (Optional) 62-13; Summary 62-14...

  • Page 45

    Adding or Editing a Remote Access Internal Group Policy, General Attributes 64-7; Configuring the Portal for a Group Policy 64-10; Configuring Customization for a Group Policy 64-11; Adding or Editing a Site-to-Site Internal Group Policy 64-12...

  • Page 46

    Add/Edit Internal Group Policy > Client Configuration > General Client Parameters 64-29; View/Config Banner 64-31; Add/Edit Internal Group Policy > Client Configuration > Cisco Client Parameters 64-31; Add or Edit Internal Group Policy > Advanced > IE Browser Proxy 64-32...

  • Page 47

    64-88; Add/Edit Tunnel Group > General > Client Address Assignment 64-88; Add/Edit Tunnel Group > General > Advanced 64-89; Add/Edit Tunnel Group > IPsec for Remote Access > IPsec 64-90...

  • Page 48

    Test Dynamic Access Policies 65-8; Add/Edit Dynamic Access Policies 65-10; Add/Edit AAA Attributes 65-15; Retrieving Active Directory Groups 65-18; Add/Edit Endpoint Attributes 65-19; Guide 65-22; Syntax for Creating Lua EVAL Expressions 65-22...

  • Page 49

    67-16; Java Code Signer 67-18; Encoding 67-18; Web ACLs 67-21; Configuring Port Forwarding 67-22; Why Port Forwarding? 67-22; Port Forwarding Requirements and Restrictions 67-23; Configuring DNS for Port Forwarding 67-24...

  • Page 50

    Creating XML-Based Portal Customization Objects and URL Lists 67-52; Understanding the XML Customization File Structure 67-52; Customization Example 67-58; Using the Customization Template 67-60; The Customization Template 67-60; Help Customization 67-73...

  • Page 51

    68-1. CHAPTER Configuring E-Mail Proxy 68-1: 68-2; POP3S Tab 68-2; IMAP4S Tab 68-4; SMTPS Tab 68-6; Access 68-7; Edit E-Mail Proxy Access 68-9; Authentication 68-9...

  • Page 52

    Severity Levels 71-3; Message Classes and Range of Syslog IDs 71-4; Filtering Syslog Messages 71-4; Sorting in the Log Viewers 71-4; Using Custom Message Lists 71-5; Licensing Requirements for Logging 71-5...

  • Page 53

    Adding or Editing the Rate Limit for a Syslog Message 71-21; Editing the Rate Limit for a Syslog Severity Level 71-21; Log Monitoring 71-22; Filtering Syslog Messages Through the Log Viewers 71-22...

  • Page 54

    73-3; Security Models 73-3; SNMP Groups 73-4; SNMP Users 73-4; SNMP Hosts 73-4; Implementation Differences Between Adaptive Security Appliances and the Cisco IOS 73-4; Licensing Requirements for SNMP 73-4; Prerequisites for SNMP 73-5; Guidelines and Limitations 73-5; Configuring SNMP 73-6...

  • Page 55

    75-9; Configuring the Boot Image/Configuration Settings 75-9; Adding a Boot Image 75-10; Upgrading Software from Your Local Computer 75-10; Upgrading Software from the Cisco.com Wizard 75-11; Scheduling a System Restart 75-12...

  • Page 56

    76-12; Common Problems 76-13. PART Reference. APPENDIX Addresses, Protocols, and Ports: IPv4 Addresses and Subnet Masks; Classes; Private Networks; Subnet Masks...

  • Page 57

    Configuring an External RADIUS Server B-30; Reviewing the RADIUS Configuration Procedure B-30; Security Appliance RADIUS Authorization Attributes B-30; Security Appliance IETF RADIUS Authorization Attributes B-38; Configuring an External TACACS+ Server B-39...

  • Page 58

    Contents: GLOSSARY; INDEX...

  • Page 59: About This Guide

    This guide applies to the Cisco ASA 5500 series adaptive security appliances. Throughout this guide, the term “adaptive security appliance” applies generically to all supported models, unless specified otherwise.

  • Page 60: Related Documentation, Document Conventions

    For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...

  • Page 61

    PART Getting Started and General Information...

  • Page 63

    Instead, refer to the ASDM guide in which support for your platform version was added (see Cisco ASA 5500 Series and PIX 500 Series Security Appliance Hardware and Software Compatibility for the minimum supported version of ASDM for each ASA version).

  • Page 64

    1. Obtain Sun Java from java.sun.com. ASA 5500 Model Support: For a complete list of supported ASA models and ASA software versions for this release, see Cisco ASA 5500 Series and PIX 500 Series Security Appliance Hardware and Software Compatibility: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html...

  • Page 65

    No support. 1. The CSC SSM licenses support up to 1000 users, while the Cisco ASA 5540 Series appliance can support significantly more users. If you deploy the CSC SSM with an ASA 5540 adaptive security appliance, be sure to configure the security appliance to send the CSC SSM only the traffic that should be scanned.

  • Page 66

    • Syslog message filtering based on multiple text strings that correspond to various columns • Creation of custom filters • Column sorting of messages. For detailed information, see the Cisco ASA 5500 Series Configuration Guide using ASDM. The following screens were modified: Monitoring >...

  • Page 67

    Chapter 1 Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance, New Features. Table 1-3 New Features for ASDM Version 6.3(2)/ASA Version 8.3(2) (Unless Otherwise Noted) (continued). Feature / Description. Hardware processing for large modulus operations: This feature lets you switch large modulus operations from software to hardware. It applies only to the ASA models 5510, 5520, 5540, and 5550.

  • Page 68

    Description. General Features. No Payload Encryption image for export: For export to some countries, payload encryption cannot be enabled on the Cisco ASA 5500 series. For version 8.3(2), you can now install a No Payload Encryption image (asa832-npe-k8.bin) on the following models: • ASA 5505...

  • Page 69

    Table 1-4 lists the new features for ASDM Version 6.3(1). All features apply only to ASA Version 8.3(1), unless otherwise noted. Table 1-4 New Features for ASDM Version 6.3(1)/ASA Version 8.3(1) (Unless Otherwise Noted)

  • Page 70

    LAN-to-LAN VPN connections: For LAN-to-LAN connections using mixed IPv4 and IPv6 addressing, or all IPv6 addressing, the adaptive security appliance supports VPN tunnels if both peers are Cisco ASA 5500 series adaptive security appliances, and if both inside networks have matching addressing schemes (both IPv4 or both IPv6).

  • Page 71

    Table 1-4 New Features for ASDM Version 6.3(1)/ASA Version 8.3(1) (Unless Otherwise Noted) (continued). Feature / Description. Usability Improvements for Remote Access VPN: ASDM provides a step-by-step guide to configuring Clientless SSL VPN, AnyConnect SSL VPN Remote Access, or IPsec Remote Access using the ASDM Assistant.

  • Page 72

    The following screen was modified: Configuration > Firewall > Threat Detection. Unified Communication Features. SCCP v19 support: The IP phone support in the Cisco Phone Proxy feature was enhanced to include support for version 19 of the SCCP protocol on the list of supported IP phones. Cisco Intercompany Media...

  • Page 73

    Failover licenses no longer need to be identical on each unit. The license used for both units is the combined license from the primary and secondary units. Note: For the ASA 5505 and 5510 adaptive security appliances, both units require the Security Plus license; the Base license does not support failover, so you cannot enable failover on a standby unit that only has the Base license.

  • Page 74

    Configuration > Device Management > Device Administration > Master Passphrase. ASDM Features. Upgrade Software from Cisco.com Wizard: The Upgrade Software from Cisco.com wizard has changed to allow you to automatically upgrade ASDM and the adaptive security appliance to more current versions. Note that this feature is only available in single mode and, in multiple context mode, in the System execution space.

  • Page 75

    Unsupported Commands: ASDM supports almost all commands available for the adaptive security appliance, but ASDM ignores some commands in an existing configuration. Most of these commands can remain in your configuration;...

  • Page 76

    Unsupported Commands (continued). Table 1-5 List of Unsupported Commands. Unsupported Commands / ASDM Behavior: sysopt uauth allow-http-cache: Ignored. terminal: Ignored. Effects of Unsupported Commands: If ASDM loads an existing running configuration and finds other unsupported commands, ASDM operation is unaffected.

  • Page 77

    Firewall Functional Overview: Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can also protect inside networks from each other, for example, by keeping a human resources network separate from a user network.

  • Page 78

    Firewall Functional Overview. Permitting or Denying Traffic with Access Rules: You can apply an access rule to limit traffic from inside to outside, or allow traffic from outside to inside.

  • Page 79

    Firewall Functional Overview: ...manager. Other legitimate connections continue to operate independently without interruption. For more information, see Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface. Sending Traffic to the Content Security and Control Security Services Module: If your model supports it, the CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic.

  • Page 80

    Configuring Cisco Unified Communications The Cisco ASA 5500 Series appliances are a strategic platform to provide proxy functions for unified communications deployments. The purpose of a proxy is to terminate and reoriginate connections between a client and server.

  • Page 81

    VPN Functional Overview: – Performing the access list checks – Performing route lookups – Allocating NAT translations (xlates) – Establishing sessions in the “fast path”. Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path.

  • Page 82

    Security Context Overview: • Manages data transfer across the tunnel • Manages data transfer inbound and outbound as a tunnel endpoint or router. The adaptive security appliance invokes various standard protocols to accomplish these functions.

  • Page 83: Getting Started

    32-1. See the following Ethernet connection guidelines when using the factory default configurations: • ASA 5505—The switch port to which you connect to ASDM can be any port, except for Ethernet 0/0. • ASA 5510 and higher—The interface to which you connect to ASDM is Management 0/0.

  • Page 84

    Starting ASDM from the ASDM Launcher. To start ASDM from the ASDM Launcher, perform the following steps: Step 1 Double-click the Cisco ASDM Launcher shortcut on your desktop, or open it from the Start menu. Alternatively, from the ASDM Welcome screen, you can click Run Startup Wizard to configure ASDM.

  • Page 85

    Save Running Configuration to Standby Unit; Save Internal Log Buffer to Flash; Clear Internal Log Buffer. – Tools menu: Command Line Interface; Ping; File Management; Update Software; File Transfer; Upload Image from Local PC; System Reload...

  • Page 86

    Step 2 Double-click the installer to install the software. Step 3 Double-click the Cisco ASDM Launcher shortcut on your desktop, or open it from the Start menu. Step 4 Check the Run in Demo Mode check box. The Demo Mode window appears.

  • Page 87

    ASDM sessions are supported per context, up to a maximum of 32 total connections for each adaptive security appliance. Factory Default Configurations The factory default configuration is the configuration applied by Cisco to new adaptive security appliances. For the ASA 5510 and higher adaptive security appliances, the factory default configuration configures an interface for management so you can connect to it using ASDM, with which you can then complete your configuration.

  • Page 88

    ASA 5505 Default Configuration: The default factory configuration for the ASA 5505 adaptive security appliance configures the following: • An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not...

  • Page 89

    The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network. The configuration consists of the following commands:
      interface management 0/0
      ip address 192.168.1.1 255.255.255.0
      nameif management
      security-level 100
      no shutdown
      asdm logging informational 100
      asdm history enable

  • Page 90: Using The Command Line Interface

    This section includes the following topics: • Using the Command Line Interface Tool, page 2-9 • Handling Command Errors, page 2-9 • Using Interactive Commands, page 2-9 • Avoiding Conflicts with Other Administrators, page 2-10

  • Page 91

    A message appears in the Response area to inform you whether or not any error occurred, as well as other related information. Note ASDM supports almost all CLI commands. See the Cisco ASA 5500 Series Command Reference for a list of commands.

  • Page 92

    To display the list of unsupported commands for ASDM, perform the following steps: Step 1 In the main ASDM application window, choose Tools > Show Commands Ignored by ASDM on Device. Step 2 Click OK when you are done.

  • Page 93

    To access the Configuration and Monitoring panes, you can do one of the following:...

  • Page 94

    In addition, the ASDM Assistant appears in this pane. Figure 3-1 on page 3-2 shows the elements of the ASDM user interface. Figure 3-1 ASDM User Interface

  • Page 95

    Step 1 Choose the drop-down list below the last function button to display a context menu. Step 2 Choose one of the following options: • To show more buttons, click Show More Buttons. • To show fewer buttons, click Show Fewer Buttons.

  • Page 96

    Show Running Configuration in New Window: Displays the current running configuration in a new window. Save Running Configuration to Flash: Writes a copy of the running configuration to flash memory.

  • Page 97

    %ASA-1-211004 is generated, indicating what the installed memory is and what the required memory is. This message reappears every 24 hours until the memory is upgraded.

  • Page 98

    See the “Tracing Packets with Packet Tracer” section on page 76-7 for more information.

  • Page 99

    “Upgrading Software from the Cisco.com Wizard” section on page 75-11 for more information. Backup Configurations Backs up the adaptive security appliance configuration, a Cisco Secure Desktop image, and SSL VPN Client images and profiles. See the “Backing Up Configurations” section on page 75-13 for more information.

  • Page 100

    For more information, see the “Configuring and Running Captures with the Packet Capture Wizard” section on page 76-8.

  • Page 101

    (?) help icon. Release Notes Opens the most current version of the Release Notes for Cisco ASDM on Cisco.com. The release notes contain the most current information about ASDM software and hardware requirements, and the most current information about changes in the software.

  • Page 102

    Look For field in the menu bar. From the Find drop-down list, choose How Do I? to begin the search. To use the ASDM Assistant, perform the following steps: Step 1 In the main ASDM application window, choose View > ASDM Assistant.

  • Page 103: Status Bar

    This pane is available in the Home, Configuration, Monitoring, and System views. You can use this pane to switch to another...

  • Page 104

    Remove information from a field, or remove a check from a check box. Back: Returns to the previous pane. Forward: Goes to the next pane. Help: Displays help for the selected pane or dialog box.

  • Page 105

    Previous tab (when a tab has the focus) Left Arrow Next cell in a table Previous cell in a table Shift+Tab Next pane (when multiple panes are displayed) Previous pane (when multiple panes are displayed) Shift+F6

  • Page 106

    The Preferences dialog box appears. Step 2 On the General tab, check the Enable screen reader support check box. Step 3 Click OK. Step 4 Restart ASDM to activate screen reader support.

  • Page 107

    You can control this behavior in Internet Explorer by choosing Tools > Internet Options > Advanced > Reuse windows for launching shortcuts.

  • Page 108

    Figure 3-2 shows the elements of the Device Dashboard tab. Figure 3-2 Device Dashboard Tab

  • Page 109

    Kbps displays below the table. VPN Sessions Pane This pane shows the VPN tunnel status. Click Details to go to the Monitoring > VPN > VPN Statistics > Sessions pane.

  • Page 110

    Latest ASDM Syslog Messages button in the left, bottom corner and the pane displays. Move your cursor away from the pane, and it disappears. Closes the pane. To show the pane, choose View > Latest ASDM Syslog Messages.

  • Page 111

    In multiple context mode, the Firewall Dashboard is viewable within each context. Figure 3-4 shows some of the elements of the Firewall Dashboard tab. Figure 3-4 Firewall Dashboard Tab

  • Page 112

    Enabling statistics for hosts affects performance in a significant way; if you have a high traffic load, you might consider enabling this type of statistics temporarily. Enabling statistics for ports, however, has a modest effect.

  • Page 113

    Security > CSC Setup, you cannot access the panes under Home > Content Security. Instead, a dialog box appears and lets you access the CSC Setup Wizard directly from this location.

  • Page 114

    To connect to the IPS software on the AIP SSM, perform the following steps: Step 1 In the main ASDM application window, click the Intrusion Prevention tab. Step 2 In the Connecting to IPS dialog box, choose one of the following options:

  • Page 115

    Health Dashboard tab, located on the Intrusion Prevention tab. Figure 3-6 Intrusion Prevention Tab (Health Dashboard) Legend GUI Element Description Sensor Information pane. Sensor Health pane. CPU, Memory, and Load pane. Interface Status pane. Licensing pane.

  • Page 116

    Description System vs. Context selection. Interface Status pane. Choose an interface to view the total amount of traffic through the interface. Connection Status pane. CPU Status pane. Memory Status pane.

  • Page 117

    This section describes the licenses available for each model as well as important notes about licenses. This section includes the following topics: • Licenses Per Model, page 4-2 • License Notes, page 4-9 • VPN License and Feature Compatibility, page 4-11

  • Page 118

    Security Plus license. You can mix and match licenses, for example, the 10 security context license plus the Strong Encryption license; or the 500 Clientless SSL VPN license plus the GTP/GPRS license; or all four licenses together.

  • Page 119

    Chapter 4 Managing Feature Licenses Supported Feature Licenses Per Model Table 4-1 shows the licenses for the ASA 5505. Table 4-1 ASA 5505 Adaptive Security Appliance License Features ASA 5505 Base License Security Plus Firewall Licenses Botnet Traffic Filter Disabled...

  • Page 120

    2. See the “VPN License and Feature Compatibility” section on page 4-11. 3. Although the Ethernet 0/0 and 0/1 ports are Gigabit Ethernet, they are still identified as “Ethernet” in the software.

  • Page 121

    Failover Active/Standby or Active/Active Security Contexts Optional licenses: VLANs, Maximum 1. See the “License Notes” section on page 4-9. 2. See the “VPN License and Feature Compatibility” section on page 4-11.

  • Page 122

    Failover Active/Standby or Active/Active Security Contexts Optional licenses: VLANs, Maximum 1. See the “License Notes” section on page 4-9. 2. See the “VPN License and Feature Compatibility” section on page 4-11.

  • Page 123

    Failover Active/Standby or Active/Active Security Contexts Optional licenses: VLANs, Maximum 1. See the “License Notes” section on page 4-9. 2. See the “VPN License and Feature Compatibility” section on page 4-11.

  • Page 124

    2. With the 10,000-session license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000. 3. See the “VPN License and Feature Compatibility” section on page 4-11.

  • Page 125

    This license enables AnyConnect VPN client access to the adaptive security appliance. This license does not support browser-based (clientless) SSL VPN access or Cisco Secure Desktop. For these features, activate an AnyConnect Premium SSL VPN Edition license instead of the AnyConnect Essentials license.

  • Page 126

    All of these applications are licensed under the UC Proxy umbrella, and can be mixed and matched. Some applications might use multiple sessions for a connection. For example, if you configure a phone with a primary and backup Cisco Unified Communications Manager, there are 2 TLS proxy connections, so 2 UC Proxy sessions are used.

  • Page 127

    • Preinstalled License, page 4-12 • Permanent License, page 4-12 • Time-Based Licenses, page 4-12 • Shared SSL VPN Licenses, page 4-14 • Failover Licenses, page 4-19 • Licenses FAQ, page 4-20

  • Page 128

    security appliance. • If you stop using the time-based license before it times out, then the timer halts. The timer only starts again when you reactivate the time-based license.

  • Page 129

    To view the combined license, see the “Viewing Your Current License” section on page 4-23.

  • Page 130

    This section describes how a shared license works and includes the following topics:...

  • Page 131

    The participant continues to send refresh messages requesting more sessions until the server can adequately fulfill the request. When the load is reduced on a participant, it sends a message to the server to release the shared sessions.

  • Page 132

    10-day limit left over. The backup server “recharges” up to the maximum 30 days after 20 more days as an inactive backup. This recharging function is implemented to discourage misuse of the shared license.

  • Page 133

    If Pair #1 remains down, and the primary unit in Pair #2 goes down, then the standby unit in Pair #2 comes into use as the shared licensing server (see Figure 4-1).

  • Page 134

    In this case, you can increase the delay between participant refreshes, or you can create two shared networks.

  • Page 135

    If you have licenses on both units, they combine into a single running failover cluster license. • For the ASA 5505 and 5510 adaptive security appliances, both units require the Security Plus license; the Base license does not support failover, so you cannot enable failover on a standby unit that only has the Base license.

  • Page 136

    Yes. You can use one time-based license per feature at a time. Can I “stack” time-based licenses so that when the time limit runs out, it will automatically use the next license?

  • Page 137

    Active/Standby failover, the secondary unit inherits the primary license when it becomes active. If you have licenses on both units, they combine into a single running failover cluster license.

  • Page 138

    Note Failover units do require the same RAM on both units. • For the ASA 5505 and 5510 adaptive security appliances, both units require the Security Plus license; the Base license does not support failover, so you cannot enable failover on a standby unit that only has the Base license.

  • Page 139

    To obtain an activation key, you need a Product Authorization Key, which you can purchase from your Cisco account representative. You need to purchase a separate Product Activation Key for each feature license. For example, if you have the Base License, you can purchase separate keys for Advanced Endpoint Assessment and for additional SSL VPN sessions.

  • Page 140

    (without any of the new licenses you activated in Version 8.2 or later). – If you have a new system and do not have an earlier activation key, then you need to request a new activation key compatible with the earlier version.

  • Page 141

    • Configuring the Shared Licensing Participant and the Optional Backup Server, page 4-26 • Monitoring the Shared License, page 4-27 Configuring the Shared Licensing Server This section describes how to configure the adaptive security appliance to be a shared licensing server.

  • Page 142

    Choose the Configuration > Device Management > Licenses > Shared SSL VPN Licenses pane. Step 2 In the Shared Secret field, enter the shared secret as a string between 4 and 128 ASCII characters.

  • Page 143

    100 to 200. SSL VPN Licenses 7.1(1) SSL VPN licenses were introduced. Increased SSL VPN Licenses 7.2(1) A 5000-user SSL VPN license was introduced for the ASA 5550 and above.

  • Page 144

    Increased VLANs 7.2(2) The maximum number of VLANs for the Security Plus license on the ASA 5505 adaptive security appliance was increased from 5 (3 fully functional; 1 failover; one restricted to a backup interface) to 20 fully functional interfaces. In addition, the number of trunk ports was increased from 1 to 8.

  • Page 145

    AnyConnect VPN client access to the adaptive security appliance. This license does not support browser-based SSL VPN access or Cisco Secure Desktop. For these features, activate an AnyConnect Premium SSL VPN Edition license instead of the AnyConnect Essentials license.

  • Page 146

    You can now activate or deactivate time-based licenses using a command. The following command was modified: activation-key [activate | deactivate]. The following screen was modified: Configuration > Device Management > Licensing > Activation Key.

  • Page 147

    Information About the Firewall Mode This section describes routed and transparent firewall mode and includes the following topics: • Information About Routed Firewall Mode, page 5-2 • Information About Transparent Firewall Mode, page 5-2

  • Page 148

    • TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF • IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF • IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF • BPDU multicast address equal to 0100.0CCC.CCCD

  • Page 149

    Unless the host is on a directly-connected network, then you need to add a static route on the adaptive security appliance for the real host address that is embedded in the packet.

  • Page 150

    Licensing Requirements for the Firewall Mode The following table shows the licensing requirements for this feature. Model: All models. License Requirement: Base License. Default Settings The default mode is routed mode.

  • Page 151

    In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.

  • Page 152

    (by default Cisco Catalyst switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the management interface from the physically-connected switch, then the adaptive security appliance updates the MAC address table to use the management interface to access the switch, instead of the data interface.

  • Page 153

    ASDM Command Line Interface tool or SSH, you will be disconnected when the configuration is cleared, and you will have to reconnect to the adaptive security appliance using the console port in any case.

  • Page 154

    MAC address and the associated IP address are in the static ARP table. Licensing Requirements for ARP Inspection The following table shows the licensing requirements for this feature. Model: All models. License Requirement: Base License.

  • Page 155

    ARP responses are sent on the network, and if an entry is not used for a period of time, it times out. If an entry is incorrect (for example, the MAC address changes for a given IP address), the entry times out before it can be updated.

  • Page 156

    If you uncheck this check box, all non-matching packets are dropped, which restricts ARP through the adaptive security appliance to only static entries.

  • Page 157

    The ASA 5505 adaptive security appliance includes a built-in switch; the switch MAC address table maintains the MAC address-to-switch port mapping for traffic within each VLAN. This section discusses the bridge MAC address table, which maintains the MAC address-to-VLAN interface mapping for traffic that passes between VLANs.

  • Page 158

    (by default Cisco Catalyst switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the...

  • Page 159

    Step 1 Choose the Configuration > Device Setup > Bridging > MAC Learning pane. Step 2 To disable MAC learning, choose an interface row, and click Disable. Step 3 To reenable MAC learning, click Enable. Step 4 Click Apply.

  • Page 160

    • An Inside User Visits a Web Server on the DMZ, page 5-17 • An Outside User Attempts to Access an Inside Host, page 5-18 • A DMZ User Attempts to Access an Inside Host, page 5-19

  • Page 161

    The global address could be on any subnet, but routing is simplified when it is on the outside interface subnet. The adaptive security appliance then records that a session is established and forwards the packet from the outside interface.

  • Page 162

    “knows” that the DMZ web server address belongs to a certain context because of the server address translation. The adaptive security appliance translates the destination address to the local address 10.1.1.3.

  • Page 163

    In this case, the interface is unique; the web server IP address does not have a current address translation.

  • Page 164

    (access lists, filters, AAA). The packet is denied, and the adaptive security appliance drops the packet and logs the connection attempt.

  • Page 165

    (access lists, filters, AAA). The packet is denied, and the adaptive security appliance drops the packet and logs the connection attempt.

  • Page 166

    • An Inside User Visits a Web Server Using NAT, page 5-22 • An Outside User Visits a Web Server on the Inside Network, page 5-23 • An Outside User Attempts to Access an Inside Host, page 5-24

  • Page 167

    The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The adaptive security appliance forwards the packet to the inside user.

  • Page 168

    If the destination MAC address is in its table, the adaptive security appliance forwards the packet out of the outside interface. The destination MAC address is that of the upstream router, 10.1.2.1.

  • Page 169

    Because it is a new session, it verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA). For multiple context mode, the adaptive security appliance first classifies the packet according to a unique interface.

  • Page 170

    Because it is a new session, it verifies if the packet is allowed according to the terms of the security policy (access lists, filters, AAA). For multiple context mode, the adaptive security appliance first classifies the packet according to a unique interface.

  • Page 171

    If the outside user is attempting to attack the inside network, the adaptive security appliance employs many technologies to determine if a packet is valid for an already established session.

  • Page 172

    Chapter 5 Configuring the Transparent or Routed Firewall Firewall Mode Examples

  • Page 173

    PART Setting up the Adaptive Security Appliance...

  • Page 175

    • How the Security Appliance Classifies Packets, page 6-3 • Cascading Security Contexts, page 6-6 • Management Access to Security Contexts, page 6-7 • Information About Resource Management, page 6-8 • Information About MAC Addresses, page 6-11

  • Page 176

    The admin context must reside on flash memory, and not remotely.

  • Page 177

    If you do not use unique MAC addresses, then the mapped addresses in your NAT configuration are used to classify packets. We recommend using MAC addresses instead of NAT, so that traffic classification can occur regardless of the completeness of the NAT configuration.

  • Page 178

    Figure (packet classification with unique MAC addresses): Admin Context, Context A, and Context B on subinterfaces GE 0/1.1, GE 0/1.2, and GE 0/1.3 with MAC addresses 000C.F142.4CDA, 000C.F142.4CDB, and 000C.F142.4CDC; inside networks Admin, Customer A, and Customer B; hosts 209.165.202.129, 209.165.200.225, and 209.165.201.1.

  • Page 179

    Figure (Incoming Traffic from Inside Networks): Internet reached through GE 0/0.1; the Classifier directs traffic to Admin Context, Context A, and Context B on GE 0/1.1, GE 0/1.2, and GE 0/1.3; inside networks Admin, Customer A, and Customer B each contain a host addressed 10.1.1.13.

  • Page 180

    Cascading contexts requires that you configure unique MAC addresses for each context interface. Note Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading contexts without unique MAC addresses.

  • Page 181

    “enable_15” user, or you can log in as a different name for which you provide sufficient privileges in the command authorization configuration for the context. To...

  • Page 182

    10 contexts to the class for a total of 200 percent. If contexts concurrently use more than the system limit, then each context gets less than the 20 percent you intended. (See Figure 6-5.)

  • Page 183

    Figure labels: Contexts, Gold Class, Default Class. All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to the default class.

  • Page 184

    You can only assign a context to one resource class. The exception to this rule is that limits that are undefined in the member class are inherited from the default class; so in effect, a context could be a member of default plus another class.

  • Page 185

    “MAC Address Format” section for more information. For upgrading failover units with the legacy version of the mac-address auto command before the prefix keyword was introduced, see the mac-address auto command in the Cisco ASA 5500 Series Command Reference. MAC Address Format...

  • Page 186

    Active/Active mode failover is only supported in multiple context mode. IPv6 Guidelines Supports IPv6. Model Guidelines Does not support the ASA 5505. Unsupported Features Multiple context mode does not support the following features:...

  • Page 187

    (Step 3) “Configuring a Security Context” section on page 6-17. Step 4 (Optional) Automatically assign MAC addresses to context interfaces. See the “Automatically Assigning MAC Addresses to Context Interfaces” section on page 6-19.

  • Page 188

    Your adaptive security appliance might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section.

  • Page 189

    Feature Licenses Per host and multiple other hosts. Model” section on page 4-1 for the connection limit for your platform. Rate: N/A inspects Rate Application inspections.

  • Page 190

    1 and 5 and selecting Absolute from the list. The system has a maximum of 100 sessions divided between all contexts.

  • Page 191

    Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and the system limit for your model, and selecting Absolute from the list. See the Release Notes for Cisco ASDM for the connection limit for your model. •...

  • Page 192

    Application on the AIP SSM and SSC.” Step 11 (Optional) To assign this context to a resource class, choose a class name from the Resource Assignment > Resource Class drop-down list.

  • Page 193

    • For the MAC address generation method when not using a prefix (not recommended), see the mac-address auto command in the Cisco ASA 5500 Series Command Reference. • In the rare circumstance that the generated MAC address conflicts with another private MAC...

  • Page 194

    – Peak Connections (#)—Shows the peak number of connections since the statistics were last cleared, either using the clear resource usage command or because the device rebooted. • SSH—Shows the usage of SSH connections. – Context—Shows the name of each context.

  • Page 195

    • Viewing MAC Addresses in the System Configuration, page 6-21 • Viewing MAC Addresses Within a Context, page 6-22 Viewing MAC Addresses in the System Configuration This section describes how to view MAC addresses in the system configuration.

  • Page 196

    This table shows the MAC address in use; if you manually assign a MAC address and also have auto-generation enabled, then you can only view the unused auto-generated address from within the system configuration.

  • Page 197

    MAC address, you cannot start the manual MAC address with A2. The following screen was modified: Configuration > Context Management > Security Contexts.

  • Page 198

    Chapter 6 Configuring Multiple Context Mode Feature History for Multiple Context Mode

  • Page 199

    • Startup Wizard Screens for ASA 5500 Series Adaptive Security Appliances, page 7-3 • Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance, page 7-3 • Configuring IPv6 Neighbor Discovery, page 7-18 • Configuring IPv6 Static Neighbors, page 7-25 •...

  • Page 200

    Supported in routed and transparent firewall modes, as noted in Table 7-1. Failover Guidelines Supports sessions in Stateful Failover. IPv6 Guidelines Supports IPv6. Model Guidelines Supports all models. Additional Guidelines Supports the AIP SSM/SSC for IPS.

  • Page 201

    Appliance Table 7-2 lists all of the required Startup Wizard screens for configuring only the ASA 5505 adaptive security appliance and IPS, if you have an AIP SSC installed. The sequence of screens listed represents configuration for the single, routed mode. The Availability column lists the mode or modes in which each screen appears and provides additional configuration information.

  • Page 202

    Chapter 7 Using the Startup Wizard Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance Table 7-2 Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance Screen Name and Sequence Availability Step 1 - Starting Point or Welcome, page 7-4 All modes.

  • Page 203

    Note: If you reset the configuration to factory defaults, you cannot undo these changes by clicking Cancel or by closing this screen. Step 6 Click Next to continue.

  • Page 204

    Step 6 - Interface Selection This screen allows you to group the eight Fast Ethernet switch ports on the ASA 5505 into three VLANs. These VLANs function as separate Layer 3 networks. You can then choose or create the VLANs that define your network—one for each interface: outside (Internet), inside (Business), or DMZ (Home).

  • Page 205

    To create a new outside VLAN, check the Create a VLAN check box. To enable the outside VLAN, check the Enable VLAN check box.

  • Page 206

    Click Next to continue. Step 9 - Internet Interface Configuration - PPPoE. Note: For all ASA 5500 series models except ASA 5505, with a full license, the adaptive security appliance supports up to five interfaces, with a maximum of three outside interfaces. In restricted mode, the adaptive security appliance supports up to three interfaces, and in transparent mode, the adaptive security appliance supports up to two interfaces.

  • Page 207

    Step 5
    Step 10 - Business Interface Configuration - PPPoE. Note: For all ASA 5500 series models except ASA 5505, with a full license, the adaptive security appliance supports up to five interfaces, with a maximum of three outside interfaces. In restricted mode, the adaptive security appliance supports up to three interfaces, and in transparent mode, the adaptive security appliance supports up to two interfaces.

  • Page 208

    Step 5
    Step 11 - Home Interface Configuration - PPPoE. Note: For all ASA 5500 series models except ASA 5505, with a full license, the adaptive security appliance supports up to five interfaces, with a maximum of three outside interfaces. In restricted mode, the adaptive security appliance supports up to three interfaces, and in transparent mode, the adaptive security appliance supports up to two interfaces.

  • Page 209

    To enable and restrict traffic between interfaces and between hosts connected to the same interface, perform the following steps: Step 1 To enable traffic between two or more interfaces with the same security level, check the Enable traffic between two or more interfaces with the same security level check box.

  • Page 210

    Enter the IP address of the DNS server. Enter the IP address of the WINS server. Enter the IP address of the alternate DNS server.

  • Page 211

    Note: IPSec with PAT may not work correctly, because the outside tunnel endpoint device cannot handle multiple tunnels from one IP address. • To use the IP address of the outside interface for PAT, click the Use the IP address on the outside interface radio button.

  • Page 212

    – You want VPN connections to be initiated by client traffic.
    – You want the IP addresses of local hosts to be hidden from remote networks.
    – You are using DHCP on the ASA 5505 to provide IP addresses to local hosts.
    • Use Network Extension Mode if: ...

  • Page 213

    To form a secure VPN tunnel between the adaptive security appliance and a remote Cisco VPN 3000 concentrator, Cisco router, or adaptive security appliance that is acting as an Easy VPN server, perform...

  • Page 214

    Step 18 - Startup Wizard Summary This screen summarizes all of the configuration settings that you have made for the adaptive security appliance. To change any of the settings in previous screens, click Back.

  • Page 215

    The Security Level field displays the security level of the selected interface. Step 3 Change the security level for the interface, if needed. If you change the security level of the interface to a lower level, a warning message appears.

  • Page 216

    Query = what is your link address?
    ICMPv6 Type = 136
    Src = B
    Dst = A
    Data = link-layer address of B
    A and B can now exchange packets on this link.

  • Page 217

    Valid time values range from 0 to 3600000 milliseconds. The default is 0; however, when you use 0, the reachable time is sent as undetermined. It is up to the receiving devices to set and track the reachable time value.

  • Page 218

    Step 6 To allow the generation of addresses for hosts, make sure that the Suppress RA check box is unchecked. This is the default setting if IPv6 unicast routing is enabled. To prevent the generation of IPv6 router advertisement transmissions, check the Suppress RA check box.

  • Page 219

    7-21. Step 9
    Configuring IPv6 Prefixes on an Interface
    To configure IPv6 prefixes on an interface, perform the following steps:
    Step 1 In the Interface IPv6 Prefixes area, click Add.

  • Page 220

    IPv6 Neighbor Discovery—Router Advertisement Message
    Router advertisement packet definitions:
    ICMPv6 Type = 134
    Src = router link-local address
    Dst = all-nodes multicast address
    Data = options, prefix, lifetime, autoconfig flag

  • Page 221

    IPv6 nodes, randomly adjust the actual value used to within 20 percent of the desired value. To change the interval between router advertisement transmissions on an interface, perform the following steps:

  • Page 222

    Step 4 Click the IPv6 tab. Step 5 In the RA Lifetime field, enter a valid lifetime value. Step 6 Click OK. Step 7 Click Apply to save the configuration.

  • Page 223

    Step 1
    Step 2 Click Add. The Add IPv6 Static Neighbor dialog box appears.
    Step 3 From the Interface Name drop-down list, choose an interface on which to add the neighbor.

  • Page 224

    Step 3 Click Apply to save the change to your current configuration. Note: Before you apply the changes and permanently delete the neighbor from your configuration, you can click Reset to restore the original values.

  • Page 225: Interface Configuration

    Step 1 Enter the name of the group. You must specify a group name to proceed. Step 2 In the User Authentication area, enter the following information: • The PPPoE username.

  • Page 226

    Outside Interface Configuration. Note: For all ASA 5500 series models except ASA 5505, with a full license, the adaptive security appliance supports up to five interfaces, with a maximum of three outside interfaces. In restricted mode, the adaptive security appliance supports up to three interfaces, and in transparent mode, the adaptive security appliance supports up to two interfaces.

  • Page 227

    ASDM release in which support was added is not listed.
    Table 7-3 Feature History for the Startup Wizard
    Feature Name      Platform Releases   Feature Information
    Startup Wizard    7.0(1)              This feature was introduced.

  • Page 228

    Chapter 7 Using the Startup Wizard, Feature History for the Startup Wizard

  • Page 229: Configuring Interfaces

    This chapter describes how to configure interfaces, including Ethernet parameters, switch ports (for the ASA 5505), VLAN subinterfaces, and IP addressing. The procedure to configure interfaces varies depending on several factors: the ASA 5505 vs. other models; routed vs. transparent mode; and single vs. multiple mode. This chapter describes how to configure interfaces for each of these variables.

  • Page 230

    Understanding ASA 5505 Ports and Interfaces
    The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure:
    • Physical switch ports—The adaptive security appliance has 8 Fast Ethernet switch ports that forward ...

  • Page 231

    You can configure trunk ports to accommodate multiple VLANs per port. Note: The ASA 5505 adaptive security appliance supports Active/Standby failover, but not Stateful Failover.

  • Page 232

    Chapter 8 Configuring Interfaces, Information About Interfaces
    ... Figure 8-2 for an example network.
    Figure 8-2 ASA 5505 Adaptive Security Appliance with Security Plus License (figure labels: Backup ISP, Primary ISP, ASA 5505 Failover with Security Plus License, Failover Link, Inside)
    VLAN MAC Addresses
    Routed firewall mode—All VLAN interfaces share a MAC address.

  • Page 233

    The ASA 5580 adaptive security appliance supports multiple types of Ethernet interfaces including Gigabit Ethernet and 10-Gigabit Ethernet speeds, and copper and fiber connectors. See the Cisco ASA 5580 Adaptive Security Appliance Getting Started Guide for detailed information about the interface adapters available for the ASA 5580 adaptive security appliance, and which slots support each adapter type.

  • Page 234

    (by default Cisco Catalyst switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the...

  • Page 235

    “Configuring Active/Active Failover” section on page 60-8 to configure the failover and state links. In multiple context mode, failover interfaces are configured in the system configuration.
    IPv6 Guidelines: Supports IPv6.

  • Page 236

    “Configuring the IPv6 Address” section on page 9-16.
    Model Guidelines
    Subinterfaces are not available for the ASA 5505 adaptive security appliance.
    Default Settings
    This section lists default settings for interfaces if you do not have a factory default configuration. For information about the factory default configurations, see the “Factory Default Configurations”...

  • Page 237

    , in the Configuration > Device List pane, double-click System under the active device IP address. For ASA 5505 configuration, see the “Starting Interface Configuration (ASA 5505)” section on page 8-16. This section includes the following topics: •...

  • Page 238

    The speeds available depend on the interface type. For SFP interfaces, you can set the speed to Negotiate or Nonegotiate. Negotiate (the default) enables link negotiation, which exchanges flow-control parameters and remote fault information. Nonegotiate does not negotiate link...

  • Page 239

    Assigning MAC Addresses (Multiple Context Mode)” section on page 8-16. • For single context mode, complete the interface configuration. See the “Completing Interface Configuration (All Models)” section on page 8-21.

  • Page 240

    MAC address of the interface that is now listed first. Alternatively, you can assign a MAC address to the redundant interface, which is used regardless of the member interface MAC addresses (see the “Configuring Advanced Interface Parameters” section on page 8-26 or the “Assigning Interfaces to...

  • Page 241

    “LAN/STATE Failover Interface,” for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link. Step 8 Click OK. You return to the Interfaces pane.