Cisco ASA 5505 Configuration Manual


Cisco ASA 5500 Series Configuration
Guide using ASDM
Software Version 6.3, for use with Cisco ASA 5500 Version 8.3
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Customer Order Number: N/A, Online only
Text Part Number: OL-20339-01

Summary of Contents for Cisco ASA 5505

  • Page 1 Cisco ASA 5500 Series Configuration Guide using ASDM Software Version 6.3, for use with Cisco ASA 5500 Version 8.3 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883...
  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks.
  • Page 3 Obtaining Documentation, Obtaining Support, and Security Guidelines Getting Started and General Information P A R T Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance C H A P T E R ASDM Client Operating System and Browser Requirements...
  • Page 4: Table Of Contents

    C H A P T E R Information About the ASDM User Interface Navigating in the ASDM User Interface Menus File Menu View Menu Tools Menu Wizards Menu Window Menu Help Menu Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 5 Managing Feature Licenses C H A P T E R Supported Feature Licenses Per Model Licenses Per Model License Notes VPN License and Feature Compatibility 4-11 Information About Feature Licenses 4-11 Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 6 Configuring the Firewall Mode Information About the Firewall Mode Information About Routed Firewall Mode Information About Transparent Firewall Mode Licensing Requirements for the Firewall Mode Default Settings Guidelines and Limitations Setting the Firewall Mode Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 7 Setting up the Adaptive Security Appliance P A R T Configuring Multiple Context Mode C H A P T E R Information About Security Contexts Common Uses for Security Contexts Context Configuration Files Context Configurations Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 8 6-22 Feature History for Multiple Context Mode 6-23 Using the Startup Wizard C H A P T E R Information About the Startup Wizard Licensing Requirements for the Startup Wizard Cisco ASA 5500 Series Configuration Guide using ASDM viii OL-20339-01...
  • Page 9 Prerequisites for the Startup Wizard Guidelines and Limitations Startup Wizard Screens for ASA 5500 Series Adaptive Security Appliances Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance Step 1 - Starting Point or Welcome Step 2 - Basic Configuration...
  • Page 10 Task Flow for Starting Interface Configuration 8-16 Configuring VLAN Interfaces 8-17 Configuring and Enabling Switch Ports as Access Ports 8-18 Configuring and Enabling Switch Ports as Trunk Ports 8-19 Completing Interface Configuration (All Models) 8-21 Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 11 Configuring the Master Passphrase Information About the Master Passphrase Licensing Requirements for the Master Passphrase Guidelines and Limitations Adding or Changing the Master Passphrase Disabling the Master Passphrase Recovering the Master Passphrase Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 12 C H A P T E R Information about DDNS 11-1 Licensing Requirements for DDNS 11-1 Guidelines and Limitations 11-2 Configuring Dynamic DNS 11-2 DDNS Monitoring 11-4 Feature History for DDNS 11-4 Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 13 13-14 Creating a Regular Expression Class Map 13-15 Configuring Time Ranges 13-15 Add/Edit Time Range 13-16 Adding a Time Range to an Access Rule 13-16 Add/Edit Recurring Time Range 13-18 Cisco ASA 5500 Series Configuration Guide using ASDM xiii OL-20339-01...
  • Page 14 Using Standard ACLs 17-3 Adding a Standard ACL 17-3 Adding an ACE to a Standard ACL 17-3 Editing an ACE in a Standard ACL 17-4 Feature History for Standard ACLs 17-4 Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 15 Configuring Static and Default Routes 19-2 Configuring a Static Route 19-3 Add/Edit a Static Route 19-3 Configuring Static Route Tracking 19-6 Deleting Static Routes 19-6 Configuring a Default Static Route 19-7 Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 16 Configuring OSPF Area Parameters 21-12 Configuring OSPF NSSA 21-13 Defining Static OSPF Neighbors 21-14 Configuring Route Calculation Timers 21-15 Logging Neighbors Going Up or Down 21-16 Configuring Filtering in OSPF 21-16 Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 17 23-1 C H A P T E R Overview 23-1 Licensing Requirements for EIGRP 23-2 Guidelines and Limitations 23-2 Task List to Configure an EIGRP Process 23-3 Configuring EIGRP 23-3 Cisco ASA 5500 Series Configuration Guide using ASDM xvii OL-20339-01...
  • Page 18 Disabling IGMP on an Interface 24-6 Configuring IGMP Group Membership 24-6 Configuring a Statically Joined IGMP Group 24-7 Controlling Access to Multicast Groups 24-8 Limiting the Number of IGMP States on an Interface 24-8 Cisco ASA 5500 Series Configuration Guide using ASDM xviii OL-20339-01...
  • Page 19 25-5 Configuring DAD Settings 25-5 Configuring IPv6 Addresses on an Interface 25-6 Configuring IPv6 Prefixes on an Interface 25-7 Feature History for Neighbor Reachable Time 25-8 Configuring Router Advertisement Messages 25-8 Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 20 Feature History for Configuring a Static IPv6 Neighbor 25-20 Configuring Network Address Translation P A R T Information About NAT 26-1 C H A P T E R Why Use NAT? 26-1 NAT Terminology 26-2 Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 21 Configuring Static NAT or Static NAT with Port Translation 27-11 Configuring Identity NAT 27-14 Configuration Examples for Network Object NAT 27-17 Providing Access to an Inside Web Server (Static NAT) 27-18 Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 22 Order in Which Multiple Feature Actions are Applied 29-4 Incompatibility of Certain Feature Actions 29-5 Feature Matching for Multiple Service Policies 29-5 Licensing Requirements for Service Policies 29-6 Guidelines and Limitations 29-6 Default Settings 29-7 Cisco ASA 5500 Series Configuration Guide using ASDM xxii OL-20339-01...
  • Page 23 30-7 Default Settings 30-7 Configuring Access Rules 30-7 Adding an Access Rule 30-7 Adding an EtherType Rule (Transparent Mode Only) 30-8 Add/Edit EtherType Rule 30-10 Configuring Management Access Rules 30-10 Cisco ASA 5500 Series Configuration Guide using ASDM xxiii OL-20339-01...
  • Page 24 RADIUS Server Fields 31-11 TACACS+ Server Fields 31-12 SDI Server Fields 31-13 Windows NT Domain Server Fields 31-13 Kerberos Server Fields 31-13 LDAP Server Fields 31-15 HTTP Form Server Fields 31-17 Cisco ASA 5500 Series Configuration Guide using ASDM xxiv OL-20339-01...
  • Page 25 Limiting User CLI and ASDM Access with Management Authorization 32-12 Configuring Command Authorization 32-13 Command Authorization Overview 32-13 Configuring Local Command Authorization 32-15 Configuring TACACS+ Command Authorization 32-18 Configuring Management Access Accounting 32-22 Viewing the Current Logged-In User 32-23 Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 26 Configuring Additional URL Filtering Settings 34-4 Buffering the Content Server Response 34-5 Caching Server Addresses 34-5 Filtering HTTP URLs 34-6 Configuring Filtering Rules 34-6 Filtering the Rule Table 34-11 Defining Queries 34-12 Cisco ASA 5500 Series Configuration Guide using ASDM xxvi OL-20339-01...
  • Page 27 35-19 Configuring Code Signer Certificates 35-20 Showing Code Signer Certificate Details 35-20 Deleting a Code Signer Certificate 35-21 Importing a Code Signer Certificate 35-21 Exporting a Code Signer Certificate 35-21 Cisco ASA 5500 Series Configuration Guide using ASDM xxvii OL-20339-01...
  • Page 28 37-6 Add/Edit DNS Match Criterion 37-7 DNS Inspect Map 37-8 Add/Edit DNS Policy Map (Security Level) 37-10 Add/Edit DNS Policy Map (Details) 37-11 FTP Inspection 37-13 FTP Inspection Overview 37-13 Cisco ASA 5500 Series Configuration Guide using ASDM xxviii OL-20339-01...
  • Page 29 Select IPSec-Pass-Thru Map 37-45 IPSec Pass Through Inspect Map 37-45 Add/Edit IPSec Pass Thru Policy Map (Security Level) 37-46 Add/Edit IPSec Pass Thru Policy Map (Details) 37-47 NetBIOS Inspection 37-48 Cisco ASA 5500 Series Configuration Guide using ASDM xxix OL-20339-01...
  • Page 30 Add/Edit H.323 Policy Map (Details) 38-10 Add/Edit HSI Group 38-12 Add/Edit H.323 Map 38-12 MGCP Inspection 38-13 MGCP Inspection Overview 38-14 Select MGCP Map 38-16 MGCP Inspect Map 38-16 Gateways and Call Agents 38-17 Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 31 39-1 C H A P T E R ILS Inspection 39-1 SQL*Net Inspection 39-2 Sun RPC Inspection 39-3 Sun RPC Inspection Overview 39-3 SUNRPC Server 39-3 Add/Edit SUNRPC Service 39-4 Cisco ASA 5500 Series Configuration Guide using ASDM xxxi OL-20339-01...
  • Page 32 P A R T Information About Cisco Unified Communications Proxy Features 41-1 C H A P T E R Information About the Adaptive Security Appliance in Cisco Unified Communications 41-1 TLS Proxy Applications in Cisco Unified Communications 41-3 Licensing for Cisco Unified Communications Proxy Features...
  • Page 33 42-18 Saving the Identity Certificate Request 42-19 Installing the ASA Identity Certificate on the Mobility Advantage Server 42-20 Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers 42-21 Configuring the Cisco Phone Proxy 43-1...
  • Page 34 Add TLS Proxy Instance Wizard – Other Steps 44-12 Edit TLS Proxy Instance – Server Configuration 44-12 Edit TLS Proxy Instance – Client Configuration 44-13 TLS Proxy 44-15 Add/Edit TLS Proxy 44-16 Cisco ASA 5500 Series Configuration Guide using ASDM xxxiv OL-20339-01...
  • Page 35 Licensing for Cisco Unified Presence 46-7 Configuring Cisco Unified Presence Proxy for SIP Federation 46-7 Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation 46-8 Feature History for Cisco Unified Presence 46-8 Configuring Cisco Intercompany Media Engine Proxy...
  • Page 36 (Optional) Configuring TLS within the Local Enterprise 47-28 (Optional) Configuring Off Path Signaling 47-31 Configuring the Cisco UC-IMC Proxy by using the UC-IME Proxy Pane 47-32 Configuring the Cisco UC-IMC Proxy by using the Unified Communications Wizard 47-34 Feature History for Cisco Intercompany Media Engine Proxy...
  • Page 37 Enabling Traffic Classification and Actions for the Botnet Traffic Filter 50-10 Blocking Botnet Traffic Manually 50-12 Searching the Dynamic Database 50-13 Monitoring the Botnet Traffic Filter 50-13 Botnet Traffic Filter Syslog Messaging 50-13 Botnet Traffic Filter Monitor Panes 50-14 Cisco ASA 5500 Series Configuration Guide using ASDM xxxvii OL-20339-01...
  • Page 38 TCP Reset Settings 52-4 Configuring IP Audit for Basic IPS Support 52-5 IP Audit Policy 52-5 Add/Edit IP Audit Policy Configuration 52-6 IP Audit Signatures 52-6 IP Audit Signature List 52-7 Cisco ASA 5500 Series Configuration Guide using ASDM xxxviii OL-20339-01...
  • Page 39 C H A P T E R Information About the CSC SSM 55-1 Determining What Traffic to Scan 55-3 Licensing Requirements for the CSC SSM 55-5 Prerequisites for the CSC SSM 55-5 Cisco ASA 5500 Series Configuration Guide using ASDM xxxix OL-20339-01...
  • Page 40 CSC Setup Wizard IP Configuration 56-9 CSC Setup Wizard Host Configuration 56-9 CSC Setup Wizard Management Access Configuration 56-10 CSC Setup Wizard Password Configuration 56-10 CSC Setup Wizard Traffic Selection for CSC Scan 56-11 Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 41 Auto Update Process Overview 57-8 Monitoring the Auto Update Process 57-9 Failover Health Monitoring 57-10 Unit Health Monitoring 57-11 Interface Monitoring 57-11 Failover Feature/Platform Matrix 57-12 Failover Times by Platform 57-12 Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 42 Device Initialization and Configuration Synchronization 59-2 Command Replication 59-3 Failover Triggers 59-3 Failover Actions 59-4 Optional Active/Standby Failover Settings 59-5 Licensing Requirements for Active/Standby Failover 59-5 Prerequisites for Active/Standby Failover 59-5 Cisco ASA 5500 Series Configuration Guide using ASDM xlii OL-20339-01...
  • Page 43 Failover-Multiple Mode, Security Context 60-8 Failover - Routed 60-8 Failover - Transparent 60-9 Failover-Multiple Mode, System 60-9 Failover > Setup Tab 60-10 Failover > Criteria Tab 60-12 Failover > Active/Active Tab 60-12 Cisco ASA 5500 Series Configuration Guide using ASDM xliii OL-20339-01...
  • Page 44 VPN Client Authentication Method and Name 62-9 Client Authentication 62-10 New Authentication Server Group 62-11 User Accounts 62-11 Address Pool 62-12 Attributes Pushed to Client 62-13 IPsec Settings (Optional) 62-13 Summary 62-14 Cisco ASA 5500 Series Configuration Guide using ASDM xliv OL-20339-01...
  • Page 45 Adding or Editing a Remote Access Internal Group Policy, General Attributes 64-7 Configuring the Portal for a Group Policy 64-10 Configuring Customization for a Group Policy 64-11 Adding or Editing a Site-to-Site Internal Group Policy 64-12 Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 46 Add/Edit Internal Group Policy > Client Configuration > General Client Parameters 64-29 View/Config Banner 64-31 Add/Edit Internal Group Policy > Client Configuration > Cisco Client Parameters 64-31 Add or Edit Internal Group Policy > Advanced > IE Browser Proxy 64-32...
  • Page 47 64-88 Add/Edit Tunnel Group > General > Client Address Assignment 64-88 Add/Edit Tunnel Group > General > Advanced 64-89 Add/Edit Tunnel Group > IPsec for Remote Access > IPsec 64-90 Cisco ASA 5500 Series Configuration Guide using ASDM xlvii OL-20339-01...
  • Page 48 Test Dynamic Access Policies 65-8 Add/Edit Dynamic Access Policies 65-10 Add/Edit AAA Attributes 65-15 Retrieving Active Directory Groups 65-18 Add/Edit Endpoint Attributes 65-19 Guide 65-22 Syntax for Creating Lua EVAL Expressions 65-22 Cisco ASA 5500 Series Configuration Guide using ASDM xlviii OL-20339-01...
  • Page 49 67-16 Java Code Signer 67-18 Encoding 67-18 Web ACLs 67-21 Configuring Port Forwarding 67-22 Why Port Forwarding? 67-22 Port Forwarding Requirements and Restrictions 67-23 Configuring DNS for Port Forwarding 67-24 Cisco ASA 5500 Series Configuration Guide using ASDM xlix OL-20339-01...
  • Page 50 Creating XML-Based Portal Customization Objects and URL Lists 67-52 Understanding the XML Customization File Structure 67-52 Customization Example 67-58 Using the Customization Template 67-60 The Customization Template 67-60 Help Customization 67-73 Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 51 68-1 C H A P T E R Configuring E-Mail Proxy 68-1 68-2 POP3S Tab 68-2 IMAP4S Tab 68-4 SMTPS Tab 68-6 Access 68-7 Edit E-Mail Proxy Access 68-9 Authentication 68-9 Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 52 Severity Levels 71-3 Message Classes and Range of Syslog IDs 71-4 Filtering Syslog Messages 71-4 Sorting in the Log Viewers 71-4 Using Custom Message Lists 71-5 Licensing Requirements for Logging 71-5 Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 53 Adding or Editing the Rate Limit for a Syslog Message 71-21 Editing the Rate Limit for a Syslog Severity Level 71-21 Log Monitoring 71-22 Filtering Syslog Messages Through the Log Viewers 71-22 Cisco ASA 5500 Series Configuration Guide using ASDM liii OL-20339-01...
  • Page 54 73-3 Security Models 73-3 SNMP Groups 73-4 SNMP Users 73-4 SNMP Hosts 73-4 Implementation Differences Between Adaptive Security Appliances and the Cisco IOS 73-4 Licensing Requirements for SNMP 73-4 Prerequisites for SNMP 73-5 Guidelines and Limitations 73-5 Configuring SNMP 73-6...
  • Page 55 75-9 Configuring the Boot Image/Configuration Settings 75-9 Adding a Boot Image 75-10 Upgrading Software from Your Local Computer 75-10 Upgrading Software from the Cisco.com Wizard 75-11 Scheduling a System Restart 75-12 Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 56 76-12 Common Problems 76-13 Reference P A R T Addresses, Protocols, and Ports A P P E N D I X IPv4 Addresses and Subnet Masks Classes Private Networks Subnet Masks Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 57 Configuring an External RADIUS Server B-30 Reviewing the RADIUS Configuration Procedure B-30 Security Appliance RADIUS Authorization Attributes B-30 Security Appliance IETF RADIUS Authorization Attributes B-38 Configuring an External TACACS+ Server B-39 Cisco ASA 5500 Series Configuration Guide using ASDM lvii OL-20339-01...
  • Page 58 Contents G L O S S A R Y I N D E X Cisco ASA 5500 Series Configuration Guide using ASDM lviii OL-20339-01...
  • Page 59: About This Guide

    This guide applies to the Cisco ASA 5500 series adaptive security appliances. Throughout this guide, the term “adaptive security appliance” applies generically to all supported models, unless specified otherwise.
  • Page 60: Related Documentation

    For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
  • Page 61 P A R T Getting Started and General Information...
  • Page 63 Instead, refer to the ASDM guide in which support for your platform version was added (see Cisco ASA 5500 Series and PIX 500 Series Security Appliance Hardware and Software Compatibility for the minimum supported version of ASDM for each ASA version).
  • Page 64 1. Obtain Sun Java from java.sun.com ASA 5500 Model Support For a complete list of supported ASA models and ASA software versions for this release, see Cisco ASA 5500 Series and PIX 500 Series Security Appliance Hardware and Software Compatibility: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html...
  • Page 65 No support 1. The CSC SSM licenses support up to 1000 users while the Cisco ASA 5540 Series appliance can support significantly more users. If you deploy CSC SSM with an ASA 5540 adaptive security appliance, be sure to configure the security appliance to send the CSC SSM only the traffic that should be scanned.
  • Page 66 • Syslog message filtering based on multiple text strings that correspond to various columns • Creation of custom filters • Column sorting of messages. For detailed information, see the Cisco ASA 5500 Series Configuration Guide using ASDM. The following screens were modified: Monitoring >...
  • Page 67 Chapter 1 Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance New Features Table 1-3 New Features for ASDM Version 6.3(2)/ASA Version 8.3(2) (Unless Otherwise Noted) (continued) Feature Description Hardware processing for large modulus operations: This feature lets you switch large modulus operations from software to hardware. It applies only to the ASA models 5510, 5520, 5540, and 5550.
  • Page 68 Description General Features No Payload Encryption image for export: For export to some countries, payload encryption cannot be enabled on the Cisco ASA 5500 series. For version 8.3(2), you can now install a No Payload Encryption image (asa832-npe-k8.bin) on the following models: ASA 5505 •...
  • Page 69 Chapter 1 Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance New Features Table 1-4 lists the new features for ASDM Version 6.3(1). All features apply only to ASA Version 8.3(1), unless otherwise noted. Table 1-4 New Features for ASDM Version 6.3(1)/ASA Version 8.3(1) (Unless Otherwise Noted)
  • Page 70 LAN-to-LAN VPN connections: For LAN-to-LAN connections using mixed IPv4 and IPv6 addressing, or all IPv6 addressing, the adaptive security appliance supports VPN tunnels if both peers are Cisco ASA 5500 series adaptive security appliances, and if both inside networks have matching addressing schemes (both IPv4 or both IPv6).
  • Page 71 Chapter 1 Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance New Features Table 1-4 New Features for ASDM Version 6.3(1)/ASA Version 8.3(1) (Unless Otherwise Noted) (continued) Feature Description Usability Improvements for Remote Access VPN: ASDM provides a step-by-step guide to configuring Clientless SSL VPN, AnyConnect SSL VPN Remote Access, or IPsec Remote Access using the ASDM Assistant.
  • Page 72 The following screen was modified: Configuration > Firewall > Threat Detection. Unified Communication Features SCCP v19 support The IP phone support in the Cisco Phone Proxy feature was enhanced to include support for version 19 of the SCCP protocol on the list of supported IP phones. Cisco Intercompany Media...
  • Page 73 Failover licenses no longer need to be identical on each unit. The license used for both units is the combined license from the primary and secondary units. Note For the ASA 5505 and 5510 adaptive security appliances, both units require the Security Plus license; the Base license does not support failover, so you cannot enable failover on a standby unit that only has the Base license.
  • Page 74 Configuration > Device Management > Device Administration > Master Passphrase ASDM Features Upgrade Software from Cisco.com Wizard: The Upgrade Software from Cisco.com wizard has changed to allow you to automatically upgrade ASDM and the adaptive security appliance to more current versions. Note that this feature is only available in single mode and, in multiple context mode, in the System execution space.
  • Page 75 Chapter 1 Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance Unsupported Commands Unsupported Commands ASDM supports almost all commands available for the adaptive security appliance, but ASDM ignores some commands in an existing configuration. Most of these commands can remain in your configuration;...
  • Page 76 Chapter 1 Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance Unsupported Commands (continued) Table 1-5 List of Unsupported Commands Unsupported Commands ASDM Behavior sysopt uauth allow-http-cache Ignored. terminal Ignored. Effects of Unsupported Commands If ASDM loads an existing running configuration and finds other unsupported commands, ASDM operation is unaffected.
  • Page 77 Chapter 1 Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance Firewall Functional Overview Firewall Functional Overview Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can also protect inside networks from each other, for example, by keeping a human resources network separate from a user network.
  • Page 78 Chapter 1 Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance Firewall Functional Overview Permitting or Denying Traffic with Access Rules You can apply an access rule to limit traffic from inside to outside, or allow traffic from outside to inside.
  • Page 79: Enabling Threat Detection

    Firewall Functional Overview manager. Other legitimate connections continue to operate independently without interruption. For more information, see Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface. Sending Traffic to the Content Security and Control Security Services Module If your model supports it, the CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic.
  • Page 80: Configuring Cisco Unified Communications

    Configuring Cisco Unified Communications The Cisco ASA 5500 Series appliances are a strategic platform to provide proxy functions for unified communications deployments. The purpose of a proxy is to terminate and reoriginate connections between a client and server.
  • Page 81: Vpn Functional Overview

    Chapter 1 Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance VPN Functional Overview – Performing the access list checks – Performing route lookups – Allocating NAT translations (xlates) – Establishing sessions in the “fast path” Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path.
  • Page 82: Security Context Overview

    Chapter 1 Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance Security Context Overview • Manages data transfer across the tunnel • Manages data transfer inbound and outbound as a tunnel endpoint or router The adaptive security appliance invokes various standard protocols to accomplish these functions.
  • Page 83: Getting Started

    32-1. See the following Ethernet connection guidelines when using the factory default configurations: • ASA 5505—The switch port to which you connect to ASDM can be any port, except for Ethernet 0/0. • ASA 5510 and higher—The interface to which you connect to ASDM is Management 0/0.
  • Page 84: Chapter 2 Getting Started

    Starting ASDM from the ASDM Launcher To start ASDM from the ASDM Launcher, perform the following steps: Step 1 Double-click the Cisco ASDM Launcher shortcut on your desktop, or open it from the Start menu. Alternatively, from the ASDM Welcome screen, you can click Run Startup Wizard to configure ASDM.
  • Page 85: Using Asdm In Demo Mode

    Save Running Configuration to Standby Unit Save Internal Log Buffer to Flash Clear Internal Log Buffer – Tools menu: Command Line Interface Ping File Management Update Software File Transfer Upload Image from Local PC System Reload Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 86: Starting Asdm From A Web Browser

    Step 2 Double-click the installer to install the software. Step 3 Double-click the Cisco ASDM Launcher shortcut on your desktop, or open it from the Start menu. Step 4 Check the Run in Demo Mode check box. The Demo Mode window appears.
  • Page 87: Multiple Asdm Session Support

    ASDM sessions are supported per context, up to a maximum of 32 total connections for each adaptive security appliance. Factory Default Configurations The factory default configuration is the configuration applied by Cisco to new adaptive security appliances. For the ASA 5510 and higher adaptive security appliances, the factory default configuration configures an interface for management so you can connect to it using ASDM, with which you can then complete your configuration.
  • Page 88: Asa 5505 Default Configuration

    ASA 5505 Default Configuration The default factory configuration for the ASA 5505 adaptive security appliance configures the following: • An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not...
  • Page 89: Asa 5510 And Higher Default Configuration

    The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network. The configuration consists of the following commands: interface management 0/0 ip address 192.168.1.1 255.255.255.0 nameif management security-level 100 no shutdown asdm logging informational 100 asdm history enable Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 90: Getting Started With The Configuration

    This section includes the following topics: • Using the Command Line Interface Tool, page 2-9 • Handling Command Errors, page 2-9 • Using Interactive Commands, page 2-9 • Avoiding Conflicts with Other Administrators, page 2-10 Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 91: Using The Command Line Interface Tool

    A message appears in the Response area to inform you whether or not any error occurred, as well as other related information. Note ASDM supports almost all CLI commands. See the Cisco ASA 5500 Series Command Reference for a list of commands.
  • Page 92: Avoiding Conflicts With Other Administrators

    To display the list of unsupported commands for ASDM, perform the following steps: Step 1 In the main ASDM application window, choose Tools > Show Commands Ignored by ASDM on Device. Step 2 Click OK when you are done. Cisco ASA 5500 Series Configuration Guide using ASDM 2-10 OL-20339-01...
  • Page 93 To access the Configuration and Monitoring panes, you can do one of the following: Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 94: Chapter 3 Using The Asdm User Interface

    In addition, the ASDM Assistant appears in this pane. Figure 3-1 on page 3-2 shows the elements of the ASDM user interface. Figure 3-1 ASDM User Interface Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 95: Navigating In The Asdm User Interface

    Step 1 Choose the drop-down list below the last function button to display a context menu. Step 2 Choose one of the following options: • To show more buttons, click Show More Buttons. • To show fewer buttons, click Show Fewer Buttons. Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 96: Menus

    Show Running Configuration in New Window: Displays the current running configuration in a new window. Save Running Configuration to Flash: Writes a copy of the running configuration to flash memory. Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 97: View Menu

    %ASA-1-211004 is generated, indicating what the installed memory is and what the required memory is. This message reappears every 24 hours until the memory is upgraded. Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 98: Tools Menu

    See the “Tracing Packets with Packet Tracer” section on page 76-7 for more information. Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 99 “Upgrading Software from the Cisco.com Wizard” section on page 75-11 for more information. Backup Configurations Backs up the adaptive security appliance configuration, a Cisco Secure Desktop image, and SSL VPN Client images and profiles. See the “Backing Up Configurations” section on page 75-13 for more information.
  • Page 100: Wizards Menu

    For more information, see the “Configuring and Running Captures with the Packet Capture Wizard” section on page 76-8. Cisco ASA 5500 Series Configuration Guide using ASDM OL-20339-01...
  • Page 101: Window Menu

    (?) help icon. Release Notes Opens the most current version of the Release Notes for Cisco ASDM on Cisco.com. The release notes contain the most current information about ASDM software and hardware requirements, and the most current information about changes in the software.
  • Page 102: Toolbar

    Look For field in the menu bar. From the Find drop-down list, choose How Do I? to begin the search. To use the ASDM Assistant, perform the following steps: Step 1 In the main ASDM application window, choose View > ASDM Assistant. Cisco ASA 5500 Series Configuration Guide using ASDM 3-10 OL-20339-01...
  • Page 103: Status Bar

    This pane is available in the Home, Configuration, Monitoring, and System views. You can use this pane to switch to another Cisco ASA 5500 Series Configuration Guide using ASDM 3-11...
  • Page 104: Common Buttons

    Remove information from a field, or remove a check from a check box. Back: Returns to the previous pane. Forward: Goes to the next pane. Help: Displays help for the selected pane or dialog box.
  • Page 105: Keyboard Shortcuts

    Previous tab (when a tab has the focus): Left Arrow. Next cell in a table. Previous cell in a table: Shift+Tab. Next pane (when multiple panes are displayed). Previous pane (when multiple panes are displayed): Shift+F6.
  • Page 106: Enabling Extended Screen Reader Support

    The Preferences dialog box appears. Step 2 On the General tab, check the Enable screen reader support check box. Step 3 Click OK. Step 4 Restart ASDM to activate screen reader support.
  • Page 107 You can control this behavior in Internet Explorer by choosing Tools > Internet Options > Advanced > Reuse windows for launching shortcuts.
  • Page 108: Home Pane (Single Mode And Context)

    Figure 3-2 shows the elements of the Device Dashboard tab. Figure 3-2 Device Dashboard Tab
  • Page 109: Device Information Pane

    Kbps displays below the table. VPN Sessions Pane: This pane shows the VPN tunnel status. Click Details to go to the Monitoring > VPN > VPN Statistics > Sessions pane.
  • Page 110: Failover Status Pane

    Latest ASDM Syslog Messages button in the left, bottom corner and the pane displays. Move your cursor away from the pane, and it disappears. Closes the pane. To show the pane, choose View Latest ASDM Syslog Messages.
  • Page 111: Firewall Dashboard Tab

    In multiple context mode, the Firewall Dashboard is viewable within each context. Figure 3-4 shows some of the elements of the Firewall Dashboard tab. Figure 3-4 Firewall Dashboard Tab
  • Page 112: Traffic Overview Pane

    Enabling statistics for hosts affects performance in a significant way; if you have a high traffic load, you might consider enabling this type of statistics temporarily. Enabling statistics for ports, however, has a modest effect.
  • Page 113: Top Ten Protected Servers Under Syn Attack Pane

    Security > CSC Setup, you cannot access the panes under Home > Content Security. Instead, a dialog box appears and lets you access the CSC Setup Wizard directly from this location.
  • Page 114: Intrusion Prevention Tab

    To connect to the IPS software on the AIP SSM, perform the following steps: Step 1 In the main ASDM application window, click the Intrusion Prevention tab. Step 2 In the Connecting to IPS dialog box, choose one of the following options:
  • Page 115 Health Dashboard tab, located on the Intrusion Prevention tab. Figure 3-6 Intrusion Prevention Tab (Health Dashboard). Legend (GUI Element / Description): Sensor Information pane; Sensor Health pane; CPU, Memory, and Load pane; Interface Status pane; Licensing pane.
  • Page 116: Home Pane (System)

    Description: System vs. Context selection. Interface Status pane: Choose an interface to view the total amount of traffic through the interface. Connection Status pane. CPU Status pane. Memory Status pane.
  • Page 117 This section describes the licenses available for each model as well as important notes about licenses. This section includes the following topics: • Licenses Per Model, page 4-2 • License Notes, page 4-9 • VPN License and Feature Compatibility, page 4-11
  • Page 118: Chapter 4 Managing Feature Licenses

    Security Plus license. You can mix and match licenses, for example, the 10 security context license plus the Strong Encryption license; or the 500 Clientless SSL VPN license plus the GTP/GPRS license; or all four licenses together.
  • Page 119 Chapter 4 Managing Feature Licenses Supported Feature Licenses Per Model Table 4-1 shows the licenses for the ASA 5505. Table 4-1 ASA 5505 Adaptive Security Appliance License Features ASA 5505 Base License Security Plus Firewall Licenses Botnet Traffic Filter Disabled...
  • Page 120 2. See the “VPN License and Feature Compatibility” section on page 4-11. 3. Although the Ethernet 0/0 and 0/1 ports are Gigabit Ethernet, they are still identified as “Ethernet” in the software.
  • Page 121 Failover Active/Standby or Active/Active Security Contexts Optional licenses: VLANs, Maximum 1. See the “License Notes” section on page 4-9. 2. See the “VPN License and Feature Compatibility” section on page 4-11.
  • Page 122 Failover Active/Standby or Active/Active Security Contexts Optional licenses: VLANs, Maximum 1. See the “License Notes” section on page 4-9. 2. See the “VPN License and Feature Compatibility” section on page 4-11.
  • Page 123 Failover Active/Standby or Active/Active Security Contexts Optional licenses: VLANs, Maximum 1. See the “License Notes” section on page 4-9. 2. See the “VPN License and Feature Compatibility” section on page 4-11.
  • Page 124 2. With the 10,000-session license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000. 3. See the “VPN License and Feature Compatibility” section on page 4-11.
  • Page 125: License Notes

    This license enables AnyConnect VPN client access to the adaptive security appliance. This license does not support browser-based (clientless) SSL VPN access or Cisco Secure Desktop. For these features, activate an AnyConnect Premium SSL VPN Edition license instead of the AnyConnect Essentials license.
  • Page 126 All of these applications are licensed under the UC Proxy umbrella, and can be mixed and matched. Some applications might use multiple sessions for a connection. For example, if you configure a phone with a primary and backup Cisco Unified Communications Manager, there are 2 TLS proxy connections, so 2 UC Proxy sessions are used.
  • Page 127: Vpn License And Feature Compatibility

    • Preinstalled License, page 4-12 • Permanent License, page 4-12 • Time-Based Licenses, page 4-12 • Shared SSL VPN Licenses, page 4-14 • Failover Licenses, page 4-19 • Licenses FAQ, page 4-20
  • Page 128: Preinstalled License

    security appliance. • If you stop using the time-based license before it times out, then the timer halts. The timer only starts again when you reactivate the time-based license.
  • Page 129: How Permanent And Time-Based Licenses Combine

    To view the combined license, see the “Viewing Your Current License” section on page 4-23.
  • Page 130: Stacking Time-Based Licenses

    This section describes how a shared license works and includes the following topics:
  • Page 131: Information About The Shared Licensing Server And Participants

    The participant continues to send refresh messages requesting more sessions until the server can adequately fulfill the request. When the load is reduced on a participant, it sends a message to the server to release the shared sessions.
  • Page 132: Communication Issues Between Participant And Server

    10-day limit left over. The backup server “recharges” up to the maximum 30 days after 20 more days as an inactive backup. This recharging function is implemented to discourage misuse of the shared license.
  • Page 133: Failover And Shared Licenses

    If Pair #1 remains down, and the primary unit in Pair #2 goes down, then the standby unit in Pair #2 comes into use as the shared licensing server (see Figure 4-1).
  • Page 134 In this case, you can increase the delay between participant refreshes, or you can create two shared networks.
  • Page 135: Failover Licenses

    If you have licenses on both units, they combine into a single running failover cluster license. • For the ASA 5505 and 5510 adaptive security appliances, both units require the Security Plus license; the Base license does not support failover, so you cannot enable failover on a standby unit that only has the Base license.
  • Page 136: Loss Of Communication Between Failover Units

    Yes. You can use one time-based license per feature at a time. Can I “stack” time-based licenses so that when the time limit runs out, it will automatically use the next license?
  • Page 137: Guidelines And Limitations

    Active/Standby failover, the secondary unit inherits the primary license when it becomes active. If you have licenses on both units, they combine into a single running failover cluster license.
  • Page 138 Note: Failover units do require the same RAM on both units. • For the ASA 5505 and 5510 adaptive security appliances, both units require the Security Plus license; the Base license does not support failover, so you cannot enable failover on a standby unit that only has the Base license.
  • Page 139: Viewing Your Current License

    To obtain an activation key, you need a Product Authorization Key, which you can purchase from your Cisco account representative. You need to purchase a separate Product Activation Key for each feature license. For example, if you have the Base License, you can purchase separate keys for Advanced Endpoint Assessment and for additional SSL VPN sessions.
  • Page 140: Activating Or Deactivating Keys

    (without any of the new licenses you activated in Version 8.2 or later). – If you have a new system and do not have an earlier activation key, then you need to request a new activation key compatible with the earlier version.
  • Page 141: Configuring A Shared License

    • Configuring the Shared Licensing Participant and the Optional Backup Server, page 4-26 • Monitoring the Shared License, page 4-27. Configuring the Shared Licensing Server: This section describes how to configure the adaptive security appliance to be a shared licensing server.
  • Page 142: Configuring The Shared Licensing Participant And The Optional Backup Server

    Choose the Configuration > Device Management > Licenses > Shared SSL VPN Licenses pane. Step 2 In the Shared Secret field, enter the shared secret as a string between 4 and 128 ASCII characters.
  • Page 143: Monitoring The Shared License

    100 to 200. SSL VPN Licenses, 7.1(1): SSL VPN licenses were introduced. Increased SSL VPN Licenses, 7.2(1): A 5000-user SSL VPN license was introduced for the ASA 5550 and above.
  • Page 144 Increased VLANs, 7.2(2): The maximum number of VLANs for the Security Plus license on the ASA 5505 adaptive security appliance was increased from 5 (3 fully functional; 1 failover; one restricted to a backup interface) to 20 fully functional interfaces. In addition, the number of trunk ports was increased from 1 to 8.
  • Page 145 AnyConnect VPN client access to the adaptive security appliance. This license does not support browser-based SSL VPN access or Cisco Secure Desktop. For these features, activate an AnyConnect Premium SSL VPN Edition license instead of the AnyConnect Essentials license.
  • Page 146 You can now activate or deactivate time-based licenses using a command. The following command was modified: activation-key [activate | deactivate]. The following screen was modified: Configuration > Device Management > Licensing > Activation Key.
  • Page 147 Information About the Firewall Mode: This section describes routed and transparent firewall mode and includes the following topics: • Information About Routed Firewall Mode, page 5-2 • Information About Transparent Firewall Mode, page 5-2
  • Page 148: Chapter 5 Configuring The Transparent Or Routed Firewall

    • TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF • IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF • IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF • BPDU multicast address equal to 0100.0CCC.CCCD
  • Page 149: Configuring The Firewall Mode

    Unless the host is on a directly-connected network, then you need to add a static route on the adaptive security appliance for the real host address that is embedded in the packet.
  • Page 150: Licensing Requirements For The Firewall Mode

    Licensing Requirements for the Firewall Mode: The following table shows the licensing requirements for this feature. Model: All models. License Requirement: Base License. Default Settings: The default mode is routed mode.
  • Page 151: Guidelines And Limitations

    In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.
  • Page 152 (by default Cisco Catalyst switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the management interface from the physically-connected switch, then the adaptive security appliance updates the MAC address table to use the management interface to access the switch, instead of the data interface.
  • Page 153: Setting The Firewall Mode

    ASDM Command Line Interface tool or SSH, you will be disconnected when the configuration is cleared, and you will have to reconnect to the adaptive security appliance using the console port in any case.
  • Page 154: Configuring Arp Inspection For The Transparent Firewall

    MAC address and the associated IP address are in the static ARP table. Licensing Requirements for ARP Inspection: The following table shows the licensing requirements for this feature. Model: All models. License Requirement: Base License.
  • Page 155: Default Settings

    ARP responses are sent on the network, and if an entry is not used for a period of time, it times out. If an entry is incorrect (for example, the MAC address changes for a given IP address), the entry times out before it can be updated.
  • Page 156: Enabling Arp Inspection

    If you uncheck this check box, all non-matching packets are dropped, which restricts ARP through the adaptive security appliance to only static entries.
  • Page 157: Feature History For Arp Inspection

    The ASA 5505 adaptive security appliance includes a built-in switch; the switch MAC address table maintains the MAC address-to-switch port mapping for traffic within each VLAN. This section discusses the bridge MAC address table, which maintains the MAC address-to-VLAN interface mapping for traffic that passes between VLANs.
  • Page 158: Licensing Requirements For The Mac Address Table

    (by default Cisco Catalyst switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the...
  • Page 159: Configuring The Mac Address Table

    Step 1 Choose the Configuration > Device Setup > Bridging > MAC Learning pane. Step 2 To disable MAC learning, choose an interface row, and click Disable. Step 3 To reenable MAC learning, click Enable. Step 4 Click Apply.
  • Page 160: Feature History For The Mac Address Table

    • An Inside User Visits a Web Server on the DMZ, page 5-17 • An Outside User Attempts to Access an Inside Host, page 5-18 • A DMZ User Attempts to Access an Inside Host, page 5-19
  • Page 161: An Inside User Visits A Web Server

    The global address could be on any subnet, but routing is simplified when it is on the outside interface subnet. The adaptive security appliance then records that a session is established and forwards the packet from the outside interface.
  • Page 162: An Outside User Visits A Web Server On The Dmz

    “knows” that the DMZ web server address belongs to a certain context because of the server address translation. The adaptive security appliance translates the destination address to the local address 10.1.1.3.
  • Page 163: An Inside User Visits A Web Server On The Dmz

    In this case, the interface is unique; the web server IP address does not have a current address translation.
  • Page 164: An Outside User Attempts To Access An Inside Host

    (access lists, filters, AAA). The packet is denied, and the adaptive security appliance drops the packet and logs the connection attempt.
  • Page 165: A Dmz User Attempts To Access An Inside Host

    (access lists, filters, AAA). The packet is denied, and the adaptive security appliance drops the packet and logs the connection attempt.
  • Page 166: How Data Moves Through The Transparent Firewall

    • An Inside User Visits a Web Server Using NAT, page 5-22 • An Outside User Visits a Web Server on the Inside Network, page 5-23 • An Outside User Attempts to Access an Inside Host, page 5-24
  • Page 167: An Inside User Visits A Web Server

    The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The adaptive security appliance forwards the packet to the inside user.
  • Page 168: An Inside User Visits A Web Server Using Nat

    If the destination MAC address is in its table, the adaptive security appliance forwards the packet out of the outside interface. The destination MAC address is that of the upstream router, 10.1.2.1.
  • Page 169: An Outside User Visits A Web Server On The Inside Network

    Because it is a new session, it verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA). For multiple context mode, the adaptive security appliance first classifies the packet according to a unique interface.
  • Page 170: An Outside User Attempts To Access An Inside Host

    Because it is a new session, it verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA). For multiple context mode, the adaptive security appliance first classifies the packet according to a unique interface.
  • Page 171 If the outside user is attempting to attack the inside network, the adaptive security appliance employs many technologies to determine if a packet is valid for an already established session.
  • Page 173: Setting Up The Adaptive Security Appliance

    PART Setting up the Adaptive Security Appliance...
  • Page 175 • How the Security Appliance Classifies Packets, page 6-3 • Cascading Security Contexts, page 6-6 • Management Access to Security Contexts, page 6-7 • Information About Resource Management, page 6-8 • Information About MAC Addresses, page 6-11
  • Page 176: Chapter 6 Configuring Multiple Context Mode

    The admin context must reside on flash memory, and not remotely.
  • Page 177: How The Security Appliance Classifies Packets

    If you do not use unique MAC addresses, then the mapped addresses in your NAT configuration are used to classify packets. We recommend using MAC addresses instead of NAT, so that traffic classification can occur regardless of the completeness of the NAT configuration.
  • Page 178: Classification Examples

    Figure residue (classification example diagram): Admin Context, Context A, Context B on GE 0/1.1, GE 0/1.2, GE 0/1.3 with MAC addresses 000C.F142.4CDA, 000C.F142.4CDB, 000C.F142.4CDC; Inside Admin Network, Inside Customer A, Inside Customer B hosts 209.165.202.129, 209.165.200.225, 209.165.201.1.
  • Page 179 Figure residue (Incoming Traffic from Inside Networks diagram): Internet, GE 0/0.1, Classifier; Admin Context, Context A, Context B on GE 0/1.1, GE 0/1.2, GE 0/1.3; Inside Admin Network, Inside Customer A, Inside Customer B hosts, each 10.1.1.13.
  • Page 180: Cascading Security Contexts

    Note: Cascading contexts requires that you configure unique MAC addresses for each context interface. Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading contexts without unique MAC addresses.
  • Page 181: Management Access To Security Contexts

    “enable_15” user, or you can log in as a different name for which you provide sufficient privileges in the command authorization configuration for the context. To...
  • Page 182: Context Administrator Access

    10 contexts to the class for a total of 200 percent. If contexts concurrently use more than the system limit, then each context gets less than the 20 percent you intended. (See Figure 6-5.)
  • Page 183: Default Class

    Figure residue: Contexts, Gold Class, Default Class. All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to the default class.
  • Page 184: Class Members

    You can only assign a context to one resource class. The exception to this rule is that limits that are undefined in the member class are inherited from the default class; so in effect, a context could be a member of default plus another class.
  • Page 185: Information About Mac Addresses

    “MAC Address Format” section for more information. For upgrading failover units with the legacy version of the mac-address auto command before the prefix keyword was introduced, see the mac-address auto command in the Cisco ASA 5500 Series Command Reference. MAC Address Format...
  • Page 186: Licensing Requirements For Multiple Context Mode

    Active/Active mode failover is only supported in multiple context mode. IPv6 Guidelines: Supports IPv6. Model Guidelines: Does not support the ASA 5505. Unsupported Features: Multiple context mode does not support the following features:
  • Page 187 “Configuring a Security Context” section on page 6-17 (Step 3). Step 4 (Optional) Automatically assign MAC addresses to context interfaces. See the “Automatically Assigning MAC Addresses to Context Interfaces” section on page 6-19.
  • Page 188: Configuring Multiple Contexts

    Your adaptive security appliance might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section.
  • Page 189: Configuring A Class For Resource Management

    host and multiple other hosts. Feature Licenses Per Model” section on page 4-1 for the connection limit for your platform. Rate: N/A. inspects: Rate: Application inspections.
  • Page 190 1 and 5 and selecting Absolute from the list. The system has a maximum of 100 sessions divided between all contexts.
  • Page 191: Configuring A Security Context

    Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and the system limit for your model, and selecting Absolute from the list. See the Release Notes for Cisco ASDM for the connection limit for your model. •...
  • Page 192 Application on the AIP SSM and SSC.” Step 11 (Optional) To assign this context to a resource class, choose a class name from the Resource Assignment > Resource Class drop-down list.
  • Page 193: Automatically Assigning Mac Addresses To Context Interfaces

    • For the MAC address generation method when not using a prefix (not recommended), see the mac-address auto command in the Cisco ASA 5500 Series Command Reference. • In the rare circumstance that the generated MAC address conflicts with another private MAC...
  • Page 194: Monitoring Security Contexts

    – Peak Connections (#)—Shows the peak number of connections since the statistics were last cleared, either using the clear resource usage command or because the device rebooted. • SSH—Shows the usage of SSH connections. – Context—Shows the name of each context.
  • Page 195: Viewing Assigned Mac Addresses

    • Viewing MAC Addresses in the System Configuration, page 6-21 • Viewing MAC Addresses Within a Context, page 6-22. Viewing MAC Addresses in the System Configuration: This section describes how to view MAC addresses in the system configuration.
  • Page 196: Viewing Mac Addresses Within A Context

    This table shows the MAC address in use; if you manually assign a MAC address and also have auto-generation enabled, then you can only view the unused auto-generated address from within the system configuration.
  • Page 197: Feature History For Multiple Context Mode

    MAC address, you cannot start the manual MAC address with A2. The following screen was modified: Configuration > Context Management > Security Contexts.
  • Page 199: Using The Startup Wizard

    • Startup Wizard Screens for ASA 5500 Series Adaptive Security Appliances, page 7-3 • Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance, page 7-3 • Configuring IPv6 Neighbor Discovery, page 7-18 • Configuring IPv6 Static Neighbors, page 7-25
  • Page 200: Prerequisites For The Startup Wizard

    Supported in routed and transparent firewall modes, as noted in Table 7-1. Failover Guidelines: Supports sessions in Stateful Failover. IPv6 Guidelines: Supports IPv6. Model Guidelines: Supports all models. Additional Guidelines: Supports the AIP SSM/SSC for IPS.
  • Page 201: Startup Wizard Screens For Asa 5500 Series Adaptive Security Appliances

    Appliance Table 7-2 lists all of the required Startup Wizard screens for configuring only the ASA 5505 adaptive security appliance and IPS, if you have an AIP SSC installed. The sequence of screens listed represents configuration for the single, routed mode. The Availability column lists the mode or modes in which each screen appears and provides additional configuration information.
  • Page 202: Step 1 - Starting Point Or Welcome

    Chapter 7 Using the Startup Wizard: Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance. Table 7-2 Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance (Screen Name and Sequence / Availability): Step 1 - Starting Point or Welcome, page 7-4 / All modes.
  • Page 203: Step 2 - Basic Configuration

    Note: If you reset the configuration to factory defaults, you cannot undo these changes by clicking Cancel or by closing this screen. Step 6 Click Next to continue.
  • Page 204: Step 4 - Auto Update Server

    Step 6 - Interface Selection: This screen allows you to group the eight Fast Ethernet switch ports on the ASA 5505 into three VLANs. These VLANs function as separate Layer 3 networks. You can then choose or create the VLANs that define your network—one for each interface: outside (Internet), inside (Business), or DMZ (Home).
  • Page 205: Step 7 - Switch Port Allocation

    To create a new outside VLAN, check the Create a VLAN check box. To enable the outside VLAN, check the Enable VLAN check box.
  • Page 206: Step 8 - Interface Ip Address Configuration

    Click Next to continue. Step 9 - Internet Interface Configuration - PPPoE. Note: For all ASA 5500 series models except ASA 5505, with a full license, the adaptive security appliance supports up to five interfaces, with a maximum of three outside interfaces. In restricted mode, the adaptive security appliance supports up to three interfaces, and in transparent mode, the adaptive security appliance supports up to two interfaces.
  • Page 207: Step 10 - Business Interface Configuration - Pppoe

    Step 10 - Business Interface Configuration - PPPoE. Note: For all ASA 5500 series models except the ASA 5505, with a full license, the adaptive security appliance supports up to five interfaces, with a maximum of three outside interfaces. In restricted mode, the adaptive security appliance supports up to three interfaces, and in transparent mode, the adaptive security appliance supports up to two interfaces.
  • Page 208: Step 11 - Home Interface Configuration - Pppoe

    Step 11 - Home Interface Configuration - PPPoE. Note: For all ASA 5500 series models except the ASA 5505, with a full license, the adaptive security appliance supports up to five interfaces, with a maximum of three outside interfaces. In restricted mode, the adaptive security appliance supports up to three interfaces, and in transparent mode, the adaptive security appliance supports up to two interfaces.
  • Page 209: Step 13 - Static Routes

    To enable and restrict traffic between interfaces and between hosts connected to the same interface, perform the following steps: Step 1: To enable traffic between two or more interfaces with the same security level, check the Enable traffic between two or more interfaces with the same security level check box.
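The following is an added example, not text from the Cisco guide: an ASA 5505 (software 8.3, Base license) configured at the CLI with the same three VLANs the Interface Selection screen creates, the eight switch ports allocated to them, and the same-security traffic settings that the check boxes above control. The addresses, VLAN numbers and port allocation are assumptions for illustration.

```cisco
! Added example (not from the Cisco guide). ASA 5505, software 8.3, Base license.
! Assumed addressing: inside 192.168.1.0/24, dmz 192.168.3.0/24, outside via DHCP.
!
! Three VLAN interfaces = three separate Layer 3 networks.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Base license: the third VLAN may not initiate traffic to one of the other
! VLANs. That restriction has to be declared before the interface can be named.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! Switch port allocation: 0/0 -> outside, 0/1-0/5 -> inside, 0/6-0/7 -> dmz.
! Ethernet0/6 and 0/7 are the PoE ports; leave speed/duplex at auto there so
! 802.3af detection of phones and access points keeps working.
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 1
interface Ethernet0/2
 switchport access vlan 1
interface Ethernet0/3
 switchport access vlan 1
interface Ethernet0/4
 switchport access vlan 1
interface Ethernet0/5
 switchport access vlan 1
interface Ethernet0/6
 switchport access vlan 3
interface Ethernet0/7
 switchport access vlan 3
!
! By default the ASA drops traffic between two interfaces with the same
! security level and traffic that enters and leaves the same interface.
! Both have to be permitted explicitly; these are what the wizard's two
! check boxes set (inter-interface = between interfaces, intra-interface =
! between hosts on the same interface, e.g. hairpinned VPN clients).
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
! Verify:
!   show switch vlan             - switch ports per VLAN and the VLAN names
!   show interface ip brief      - VLAN interfaces, addresses, up/up state
!   show running-config same-security-traffic
```

Leaving both same-security commands off is the safer default; enable intra-interface only if traffic really has to re-enter the interface it arrived on, since every such flow is still evaluated against the access rules but no longer benefits from the security-level ordering.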
  • Page 210: Step 15 - Address Translation (Nat/Pat)

    Enter the IP address of the DNS server. Enter the IP address of the WINS server. Enter the IP address of the alternate DNS server.
  • Page 211: Step 16 - Administrative Access

    Note: IPsec with PAT may not work correctly, because the outside tunnel endpoint device cannot handle multiple tunnels from one IP address. • To use the IP address of the outside interface for PAT, click the Use the IP address on the outside interface radio button.
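An added example, not text from the Cisco guide, of what the PAT choice above produces in the 8.3 object-based NAT syntax, together with the NAT exemption that keeps site-to-site VPN traffic out of the PAT and a static mapping for a host that needs its own tunnel. Network names and addresses are assumptions.

```cisco
! Added example (not from the Cisco guide). ASA software 8.3 NAT syntax.
! Assumed: inside 192.168.1.0/24, a remote VPN site 10.10.0.0/16,
! public address block 203.0.113.0/24 on the outside.
!
! Dynamic PAT: every inside host leaves with the outside interface address
! (the "Use the IP address on the outside interface" wizard option).
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Traffic to the VPN peer's network must not be translated, otherwise the
! peer sees the PAT address instead of the protected subnet. A twice-NAT
! identity rule lands in section 1 and is evaluated before object NAT.
object network remote-net
 subnet 10.10.0.0 255.255.0.0
nat (inside,outside) source static inside-net inside-net destination static remote-net remote-net
!
! Guide caveat: several IPsec endpoints behind one PAT address may fail,
! because the far tunnel endpoint cannot keep multiple tunnels from a single
! IP address apart. A host that runs its own IPsec client therefore gets its
! own mapped address; the object rule below is more specific than the
! subnet rule and wins for that host.
object network ipsec-host
 host 192.168.1.50
 nat (inside,outside) static 203.0.113.50
!
! Verify: "show nat" lists rules in evaluation order (section 1 first),
! "show xlate" shows live translations, and
! "packet-tracer input inside tcp 192.168.1.10 1025 10.10.1.5 80"
! shows which rule a given flow hits (expect the identity rule, no PAT).
```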
  • Page 212: Step 17 - Easy Vpn Remote Configuration

    – You want VPN connections to be initiated by client traffic. – You want the IP addresses of local hosts to be hidden from remote networks. – You are using DHCP on the ASA 5505 to provide IP addresses to local hosts. Use Network Extension Mode if: •...
  • Page 213 To form a secure VPN tunnel between the adaptive security appliance and a remote Cisco VPN 3000 concentrator, Cisco router, or adaptive security appliance that is acting as an Easy VPN server, perform...
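An added example, not text from the Cisco guide, of the Easy VPN hardware-client configuration that the screens above build, entered at the CLI. The server address, group name and credentials are placeholders.

```cisco
! Added example (not from the Cisco guide). ASA 5505 as Easy VPN remote.
! Assumed: Easy VPN server (ASA, router or VPN 3000 concentrator) at
! 203.0.113.1, group "branch", Xauth user "branch01". Replace the secrets.
!
vpnclient server 203.0.113.1
!
! Client mode: local hosts are hidden behind the tunnel (PAT), the tunnel
! comes up on demand when client traffic appears, and the ASA may hand out
! DHCP addresses locally. Network extension mode: local hosts keep their
! own addresses and are reachable from the central site.
vpnclient mode network-extension-mode
!
! Group name with its pre-shared key, then the Xauth user credentials.
vpnclient vpngroup branch password GROUP-KEY-PLACEHOLDER
vpnclient username branch01 password USER-PW-PLACEHOLDER
!
! In network extension mode, bring the tunnel up without waiting for local
! client traffic; otherwise the central site cannot reach this branch until
! a local host has sent something.
vpnclient nem-st-autoconnect
!
vpnclient enable
!
! While Easy VPN is enabled, VLAN interfaces cannot be added or deleted and
! their name and security level cannot be changed (see chapter 8).
! Verify with "show vpnclient".
```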
  • Page 214: Step 18 - Startup Wizard Summary

    Step 18 - Startup Wizard Summary This screen summarizes all of the configuration settings that you have made for the adaptive security appliance. To change any of the settings in previous screens, click Back.
  • Page 215 The Security Level field displays the security level of the selected interface. Step 3: Change the security level for the interface, if needed. If you change the security level of the interface to a lower level, a warning message appears.
  • Page 216: Configuring Ipv6 Neighbor Discovery

    Neighbor solicitation query from A: what is your link address? Neighbor advertisement reply: ICMPv6 Type = 136; Src = B; Dst = A; Data = link-layer address of B. A and B can now exchange packets on this link.
  • Page 217: Configuring The Neighbor Solicitation Message Interval

    Valid time values range from 0 to 3600000 milliseconds. The default is 0; however, when you use 0, the reachable time is sent as undetermined. It is up to the receiving devices to set and track the reachable time value.
  • Page 218: Configuring Dad Settings

    Step 6: To allow the generation of addresses for hosts, make sure that the Suppress RA check box is unchecked. This is the default setting if IPv6 unicast routing is enabled. To prevent the generation of IPv6 router advertisement transmissions, check the Suppress RA check box.
  • Page 219: Configuring Ipv6 Addresses On An Interface

    7-21. Configuring IPv6 Prefixes on an Interface To configure IPv6 prefixes on an interface, perform the following steps: Step 1: In the Interface IPv6 Prefixes area, click Add.
  • Page 220 Figure: IPv6 Neighbor Discovery, Router Advertisement Message. Router advertisement packet definitions: ICMPv6 Type = 134; Src = router link-local address; Dst = all-nodes multicast address; Data = options, prefix, lifetime, autoconfig flag.
  • Page 221 IPv6 nodes, randomly adjust the actual value used to within 20 percent of the desired value. To change the interval between router advertisement transmissions on an interface, perform the following steps:
  • Page 222 Step 4: Click the IPv6 tab. Step 5: In the RA Lifetime field, enter a valid lifetime value. Step 6: Click OK. Step 7: Click Apply to save the configuration.
  • Page 223: Configuring Ipv6 Static Neighbors

    Step 2: Click Add. The Add IPv6 Static Neighbor dialog box appears. Step 3: From the Interface Name drop-down list, choose an interface on which to add the neighbor.
  • Page 224 Step 3: Click Apply to save the change to your current configuration. Note: Before you apply the changes and permanently delete the neighbor from your configuration, you can click Reset to restore the original values.
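The Neighbor Discovery parameters described in the preceding pages (NS interval, reachable time, DAD attempts, RA suppression, advertised prefixes, RA interval and lifetime, static neighbors) as one added CLI example. This is not text from the guide; the prefixes, MAC address and interface names are assumptions.

```cisco
! Added example (not from the Cisco guide). IPv6 Neighbor Discovery tuning
! on two VLAN interfaces. Assumed prefixes 2001:db8:1::/64 (inside) and
! 2001:db8:ffff::/64 (outside); the MAC address below is made up.
!
interface Vlan1
 ipv6 address 2001:db8:1::1/64
 ipv6 enable
 ! Neighbor solicitation retransmit interval (ms) and the reachable time
 ! advertised to hosts (ms). 0 = "undetermined": each host picks its own.
 ipv6 nd ns-interval 2000
 ipv6 nd reachable-time 30000
 ! Duplicate address detection: number of NS probes sent before an address
 ! is considered unique (0 disables DAD, which is not recommended).
 ipv6 nd dad attempts 2
 ! Prefix to advertise: valid lifetime 30 days, preferred lifetime 7 days
 ! (seconds). Hosts autoconfigure addresses from it.
 ipv6 nd prefix 2001:db8:1::/64 2592000 604800
 ! RA interval (3-1800 s, default 200; the "msec" form accepts 500-1800000)
 ! and RA lifetime: how long hosts keep this router as their default.
 ipv6 nd ra-interval 200
 ipv6 nd ra-lifetime 1800
!
interface Vlan2
 ipv6 address 2001:db8:ffff::2/64
 ipv6 enable
 ! Never announce yourself as a router toward the ISP side.
 ipv6 nd suppress-ra
!
! Static neighbor entry: skips ND for that host (remove with "no ...").
ipv6 neighbor 2001:db8:1::10 inside 0050.56aa.bbcc
!
! Verify: "show ipv6 interface inside" prints the ND timers and RA settings
! in effect; "show ipv6 neighbor" lists learned and static entries.
```

Suppressing RAs on the outside interface and keeping DAD enabled on the inside are the two settings worth checking after the wizard: an ASA that advertises itself as a router on the wrong segment, or that skips DAD, creates exactly the address-conflict and rogue-router situations Neighbor Discovery is meant to detect.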
  • Page 225: Interface Configuration

    Step 1: Enter the name of the group. You must specify a group name to proceed. Step 2: In the User Authentication area, enter the following information: • The PPPoE username.
  • Page 226 Outside Interface Configuration. Note: For all ASA 5500 series models except the ASA 5505, with a full license, the adaptive security appliance supports up to five interfaces, with a maximum of three outside interfaces. In restricted mode, the adaptive security appliance supports up to three interfaces, and in transparent mode, the adaptive security appliance supports up to two interfaces.
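An added CLI example, not text from the guide, of the PPPoE group and user authentication that the screens above collect, applied to the outside VLAN. Group name, credentials and interface are assumptions.

```cisco
! Added example (not from the Cisco guide). PPPoE client on the outside VLAN.
! Assumed: VPDN group "isp", PPPoE user "user@isp.example", CHAP authentication.
!
vpdn group isp request dialout pppoe
vpdn group isp localname user@isp.example
vpdn group isp ppp authentication chap
! The password is stored in the configuration; replace the placeholder.
vpdn username user@isp.example password PPPOE-PW-PLACEHOLDER
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group isp
 ! "setroute" installs the default route learned from the PPPoE peer, so do
 ! not also configure a static default route on this interface.
 ip address pppoe setroute
!
! Verify: "show vpdn session pppoe state" (expect SESSION_UP),
! "show ip address outside pppoe" (the negotiated address), and
! "show route" (the default route installed via setroute).
```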
  • Page 227: Feature History For The Startup Wizard

    ASDM release in which support was added is not listed. Table 7-3 Feature History for the Startup Wizard (Feature Name | Platform Releases | Feature Information): Startup Wizard | 7.0(1) | This feature was introduced.
  • Page 229: Configuring Interfaces

    This chapter describes how to configure interfaces, including Ethernet parameters, switch ports (for the ASA 5505), VLAN subinterfaces, and IP addressing. The procedure to configure interfaces varies depending on several factors: the ASA 5505 vs. other models; routed vs. transparent mode; and single vs. multiple mode. This chapter describes how to configure interfaces for each of these variables.
  • Page 230 Understanding ASA 5505 Ports and Interfaces: The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure: • Physical switch ports—The adaptive security appliance has 8 Fast Ethernet switch ports that forward...
  • Page 231 You can configure trunk ports to accommodate multiple VLANs per port. Note: The ASA 5505 adaptive security appliance supports Active/Standby failover, but not Stateful Failover.
  • Page 232 See Figure 8-2 for an example network. Figure 8-2: ASA 5505 Adaptive Security Appliance with Security Plus License (two ASA 5505 units joined by a failover link, with a primary ISP and a backup ISP, and a shared inside network). VLAN MAC Addresses: Routed firewall mode—All VLAN interfaces share a MAC address.
  • Page 233 The ASA 5580 adaptive security appliance supports multiple types of Ethernet interfaces including Gigabit Ethernet and 10-Gigabit Ethernet speeds, and copper and fiber connectors. See the Cisco ASA 5580 Adaptive Security Appliance Getting Started Guide for detailed information about the interface adapters available for the ASA 5580 adaptive security appliance, and which slots support each adapter type.
  • Page 234 (by default Cisco Catalyst switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the...
  • Page 235 “Configuring Active/Active Failover” section on page 60-8 to configure the failover and state links. In multiple context mode, failover interfaces are configured in the system configuration. IPv6 Guidelines: Supports IPv6.
  • Page 236 “Configuring the IPv6 Address” section on page 9-16. Model Guidelines Subinterfaces are not available for the ASA 5505 adaptive security appliance. Default Settings This section lists default settings for interfaces if you do not have a factory default configuration. For information about the factory default configurations, see the “Factory Default Configurations”...
  • Page 237 , in the Configuration > Device List pane, double-click System under the active device IP address. For ASA 5505 configuration, see the “Starting Interface Configuration (ASA 5505)” section on page 8-16. This section includes the following topics: •...
  • Page 238 The speeds available depend on the interface type. For SFP interfaces, you can set the speed to Negotiate or Nonegotiate. Negotiate (the default) enables link negotiation, which exchanges flow-control parameters and remote fault information. Nonegotiate does not negotiate link...
  • Page 239 Assigning MAC Addresses (Multiple Context Mode)” section on page 8-16. • For single context mode, complete the interface configuration. See the “Completing Interface Configuration (All Models)” section on page 8-21.
  • Page 240 MAC address of the interface that is now listed first. Alternatively, you can assign a MAC address to the redundant interface, which is used regardless of the member interface MAC addresses (see the “Configuring Advanced Interface Parameters” section on page 8-26 or the “Assigning Interfaces to...
  • Page 241 “LAN/STATE Failover Interface,” for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link. Step 8: Click OK. You return to the Interfaces pane.
  • Page 242 If you want to let the physical or redundant interface pass untagged packets, you can configure the name as usual. See the “Completing Interface Configuration (All Models)” section on page 8-21 for more information about completing the interface configuration.
  • Page 243 Assigning MAC Addresses (Multiple Context Mode)” section on page 8-16. • For single context mode, complete the interface configuration. See the “Completing Interface Configuration (All Models)” section on page 8-21.
  • Page 244 8-21. Starting Interface Configuration (ASA 5505) This section includes tasks for starting your interface configuration for the ASA 5505 adaptive security appliance, including creating VLAN interfaces and assigning them to switch ports. See the “Understanding ASA 5505 Ports and Interfaces” section on page 8-2 for more information.
  • Page 245 Configuring VLAN Interfaces This section describes how to configure VLAN interfaces. For more information about ASA 5505 interfaces, see the “ASA 5505 Interfaces” section on page 8-2. Detailed Steps. Note: If you enabled Easy VPN, you cannot add or delete VLAN interfaces, nor can you edit the security level or interface name.
  • Page 246 For more information about ASA 5505 interfaces, see the “ASA 5505 Interfaces” section on page 8-2. Caution: The ASA 5505 adaptive security appliance does not support Spanning Tree Protocol for loop detection in the network. Therefore you must ensure that any connection with the adaptive security appliance does not end up in a network loop.
  • Page 247 The Auto setting is the default. If you set the duplex to anything other than Auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.
  • Page 249 Step 1: See the “Starting Interface Configuration (ASA 5510 and Higher)” section on page 8-9 or the “Starting Interface Configuration (ASA 5505)” section on page 8-16. Step 2: (Multiple context mode) In the Configuration > Device List pane, double-click the context name under the active device IP address.
  • Page 250 • VLAN subinterfaces • Redundant interfaces. For the ASA 5505, you must configure interface parameters for the following interface types: • VLAN interfaces. Guidelines and Limitations: • For the ASA 5550 adaptive security appliance, for maximum throughput, be sure to balance your traffic over the two interface slots;...
  • Page 251 Detailed Steps. Step 1: Choose the Configuration > Device Setup > Interfaces pane. For the ASA 5505, the Interfaces tab shows by default. Step 2: Choose the interface row, and click Edit. The Edit Interface dialog box appears with the General tab selected.
  • Page 252 (ASA 5510 and higher) For information about the Configure Hardware Properties button, see the “Enabling the Physical Interface and Configuring Ethernet Parameters” section on page 8-10. Step 9: Click OK.
  • Page 253 – Secondary Track—Select this option to configure the secondary PPPoE route tracking. – Secondary Track ID—A unique identifier for the route tracking process. Valid values are from 1 to 500.
  • Page 254 Detailed Steps. Step 1: Choose the Configuration > Device Setup > Interfaces pane. For the ASA 5505, the Interfaces tab shows by default. Step 2: Choose the interface row, and click Edit. The Edit Interface dialog box appears with the General tab selected.
  • Page 255 IPv6 addresses assigned to the interface are set to a pending state. An interface returning to an administratively up state restarts duplicate address detection for all of the unicast IPv6 addresses on the interface.
  • Page 256 If the interface identifiers do not conform to the modified EUI-64 format, an error message appears. See the “Information About Modified EUI-64 Interface IDs” section on page 8-28 for more information. Step 5: Configure the global IPv6 address using one of the following methods.
  • Page 257 3 to 1800 seconds. The default is 200 seconds. To list the router advertisement transmission interval in milliseconds, check the RA Interval in Milliseconds check box. Valid values are from 500 to 1800000 milliseconds.
  • Page 258 To assign a link-local address to an interface, perform the following steps: Step 1: Choose the Configuration > Device Setup > Interfaces pane.
  • Page 259 All traffic allowed by this feature is still subject to firewall rules. Be careful not to create an asymmetric routing situation that can cause return traffic not to traverse the adaptive security appliance. Restrictions: This feature is only available in routed firewall mode.
  • Page 260 • DHCP, page 8-33 • MAC Address Table, page 8-35 • Dynamic ACLs, page 8-36 • Interface Graphs, page 8-36 • PPPoE Client, page 8-39 • Interface Connection, page 8-39
  • Page 261: Arp Table

    If you obtain the adaptive security appliance interface IP address from a DHCP server, the Monitoring > Interfaces > DHCP > DHCP Server Table > DHCP Client Lease Information pane shows information about the DHCP lease.
  • Page 262 – Client-ID—Display only. The client ID used in all communication with the server. – Proxy—Display only. Specifies if this interface is a proxy DHCP client for VPN clients, True or False. – Hostname—Display only. The client hostname.
  • Page 263 See the “MAC Address Table” section on page 8-35 for more information about the MAC address table and adding static entries. Fields: • Interface—Shows the interface name associated with the entry.
  • Page 264 Underruns—The number of times that the transmitter ran faster than the adaptive security appliance could handle.
  • Page 265 – Input Queue—Shows the number of packets in the input queue, the current and the maximum, including the following statistics: Hardware Input Queue—The number of packets in the hardware queue. Software Input Queue—The number of packets in the software queue.
  • Page 266 • Print—Prints the graph or table. If there is more than one graph or table on the Graph window, the Print Graph dialog box appears. Choose the graph or table you want to print from the Graph/Table Name list.
  • Page 267 • SLA statistics—Display only. Displays SLA monitoring statistics, such as the last time the process was modified, the number of operations attempted, the number of operations skipped, and so on.
  • Page 268 Ethernet 0/0 and Ethernet 0/1. Native VLAN support for the ASA 5505 | 7.2(4)/8.0(4) | You can now include the native VLAN in an ASA 5505 trunk port. The following screen was modified: Configuration > Device Setup > Interfaces > Switch Ports > Edit Switch Port.
  • Page 269 Feature Information: Jumbo packet support for the ASA 5580 | 8.1(1) | The Cisco ASA 5580 supports jumbo frames. A jumbo frame is an Ethernet packet larger than the standard maximum of 1518 bytes (including Layer 2 header and FCS), up to 9216 bytes. You can enable support for jumbo frames for all interfaces by increasing the amount of memory to process Ethernet frames.
  • Page 271: Configuring Basic Settings

    “jupiter,” then the security appliance qualifies the name to “jupiter.example.com.” The Telnet Password sets the login password. By default, it is “cisco.” Although this area is called Telnet Password, this password applies to Telnet and SSH access. The login password lets you access EXEC mode if you connect to the adaptive security appliance using a Telnet or SSH session.
  • Page 272: Setting The Date And Time

    Note: In multiple context mode, set the time in the system configuration only. This section includes the following topics: • Setting the Date and Time Using an NTP Server, page 9-3 • Setting the Date and Time Manually, page 9-5
  • Page 273 The Configuration > Device Setup > System Time > NTP > Add/Edit NTP Server Configuration dialog box lets you add or edit an NTP server. Fields: • IP Address—Sets the NTP server IP address.
  • Page 274 – Key Value—Sets the authentication key as a string up to 32 characters in length. – Reenter Key Value—Validates the key by ensuring that you enter the key correctly two times.
  • Page 275 HTTP connections to HTTPS, and the port number from which it redirects those connections. Note: To redirect HTTP, the interface requires an access list that permits HTTP. Otherwise, the interface cannot listen to the HTTP port.
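The basic settings covered above (hostname and domain name, the login password that ASDM labels Telnet Password, NTP with an authentication key, and HTTP-to-HTTPS redirection) as one added CLI example. This is not text from the guide; addresses, names and key material are placeholders.

```cisco
! Added example (not from the Cisco guide). Assumed management subnet
! 192.168.1.0/24 on "inside", NTP server 192.168.1.250, domain example.com.
!
hostname asa5505
! Unqualified names are completed with this domain ("jupiter" -> jupiter.example.com).
domain-name example.com
!
! "Telnet Password" in ASDM is the EXEC login password for Telnet AND SSH.
! The factory default is "cisco"; change it before exposing any management
! interface, and set a separate enable password.
passwd LOGIN-PW-PLACEHOLDER
enable password ENABLE-PW-PLACEHOLDER
!
! Prefer SSH version 2 with a named local user over the shared login
! password, and limit where sessions may originate. No telnet on outside.
crypto key generate rsa modulus 2048
ssh version 2
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
username admin password ADMIN-PW-PLACEHOLDER privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
!
! ASDM/HTTPS on 443 from the management subnet only, with plain HTTP on 80
! redirected to HTTPS. Per the guide, the interface must be permitted to
! listen for HTTP from those clients or the redirect cannot work.
http server enable 443
http 192.168.1.0 255.255.255.0 inside
http redirect inside 80
!
! NTP with MD5 authentication so that nobody on the path can shift the clock
! (certificate validity checks and log timestamps depend on it).
! The key value may be up to 32 characters.
ntp authenticate
ntp authentication-key 1 md5 NTP-KEY-PLACEHOLDER
ntp trusted-key 1
ntp server 192.168.1.250 key 1 source inside prefer
!
! Verify: "show ntp associations" (the "*" marks the synchronised,
! authenticated peer), "show ssh sessions", "show running-config http".
```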
  • Page 276 Passwords that take advantage of this feature include: • OSPF • EIGRP • VPN load balancing • VPN (remote access and site-to-site) • Failover • AAA servers
  • Page 277 If you later disable password encryption, all existing encrypted passwords are left unchanged, and as long as the master passphrase exists, the encrypted passwords will be decrypted as required by the application.
  • Page 278 Prerequisites: • You must know the current master passphrase to disable it. If you do not know the passphrase, see the “Recovering the Master Passphrase” section on page 9-9.
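An added example, not text from the guide, of setting, rotating and disabling the master passphrase at the CLI, following the behaviour the pages above describe. Passphrases are placeholders.

```cisco
! Added example (not from the Cisco guide). Master passphrase and AES
! encryption of the stored shared secrets listed above (OSPF, EIGRP, VPN,
! failover, AAA ...). Placeholders stand in for real passphrases.
!
! 1. Set the master passphrase. With no arguments the command prompts for
!    the new key twice, so it never lands in the terminal history.
key config-key password-encryption
! 2. Turn on AES encryption of the affected secrets in the running config.
password encryption aes
! 3. Save: the encrypted form is what is written to startup-config.
write memory
!
! Inspect: the affected secrets now appear in encrypted form in
! "show running-config"; this command reports whether a key is set and
! whether encryption is enabled.
show password encryption
!
! Rotate: give the new passphrase followed by the current one on one line.
! The current passphrase is mandatory, which is why it has to be kept in a
! secure store and not only in someone's head.
key config-key password-encryption NEW-PASSPHRASE-PLACEHOLDER OLD-PASSPHRASE-PLACEHOLDER
!
! Disable: this stops encrypting new secrets. Per the guide, the passwords
! already encrypted stay as they are and are still decrypted on demand for
! as long as the master passphrase exists.
no password encryption aes
! Removing the key itself also requires the current passphrase.
no key config-key password-encryption OLD-PASSPHRASE-PLACEHOLDER
```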
  • Page 279 Master Passphrase | 8.3(1) | This feature was introduced. The following screens were introduced: Configuration > Device Management > Advanced > Master Passphrase, Configuration > Device Management > Device Administration > Master Passphrase.
  • Page 280 1 and 30 seconds. The default is 2 seconds. Each time the adaptive security appliance retries the list of servers, the timeout time doubles. Step 9: Enter the number of seconds to wait before trying the next DNS server in the group.
  • Page 281 Check the Enable cumulative (batch) CLI delivery check box to send multiple commands in a single group to the adaptive security appliance. Enter the minimum amount of time in seconds for a configuration to send a timeout message. The default is 60 seconds.
  • Page 282 Step 6: After you have specified settings on these three tabs, click OK to save your settings and close the Preferences dialog box.
  • Page 283 Step 1: Choose Configuration > Device Management > Advanced > History Metrics. The History Metrics pane appears. Step 2: Check the ASDM History Metrics check box to enable history metrics, and then click Apply.
  • Page 284 Licensing Requirements for the Management IP Address for a Transparent Firewall (Model | License Requirement): All models | Base License. Guidelines and Limitations: This section includes the guidelines and limitations for this feature.
  • Page 285 (255.255.255.255). The standby keyword and address are used for failover. Step 3: From the Subnet Mask drop-down list, choose a subnet mask, or enter a subnet mask directly in the field. Step 4: Click Apply.
  • Page 286 “IPv6 Addresses” section on page A-5 for more information about IPv6 addressing. Step 5: Click OK. Step 6: To configure additional addresses, repeat Step 2 through Step 5. Step 7: Click Apply.
  • Page 287 Valid values are from 1000 to 3600000 milliseconds. The default is zero. A configured time enables the detection of unavailable neighbors. Shorter times enable detection more quickly; however, very short configured times are not recommended in normal IPv6 operation.
  • Page 288 Table 9-2 Feature History for Transparent Mode Management Address (Feature Name | Releases | Feature Information): IPv6 support | 8.2(1) | IPv6 support was introduced for transparent firewall mode.
  • Page 289: Configuring Dhcp

    License Requirement: All models, Base License. For the Cisco ASA 5505 adaptive security appliance, the maximum number of DHCP client addresses varies depending on the license: • If the limit is 10 hosts, the maximum available DHCP pool is 32 addresses.
  • Page 290 • If the number of hosts is unlimited, the maximum available DHCP pool is 256 addresses. Note: By default, the Cisco ASA 5505 adaptive security appliance ships with a 10-user license. Guidelines and Limitations: Use the following guidelines to configure the DHCP server: You can configure a DHCP server on each interface of the adaptive security appliance.
  • Page 291 DHCP relay agent does not modify the default router address. Step 10: To change DHCP Relay Agent Settings, see the “Editing DHCP Relay Agent Settings” section on page 10-4.
  • Page 292 Step 5: Click OK to close the Add Global Relay Servers dialog box. The newly added global DHCP relay server appears in the list. Step 6: To modify global DHCP relay server settings, click Edit to display the Edit DHCP Global Relay Servers dialog box.
  • Page 293: Configuring A Dhcp Server

    To specify additional DHCP options and their parameters, click Advanced to display the Configuring Advanced DHCP Options dialog box. For more information, see the “Configuring Advanced DHCP Options” section on page 10-7.
  • Page 294 In the Optional Parameters area, modify the following settings: The DNS servers (1 and 2) configured for the interface. The WINS servers (primary and secondary) configured for the interface. The domain name of the interface.
  • Page 295 Click IP Address to indicate that an IP address is returned to the DHCP client. You can specify up to two IP addresses. IP Address 1 and IP Address 2 indicate an IP address in dotted-decimal notation.
  • Page 296 Monitoring > Interfaces > DHCP > DHCP Server Table: Shows configured dynamic DHCP client IP addresses. Monitoring > Interfaces > DHCP > DHCP Statistics: Shows DHCP message types, counters, values, directions, messages received, and messages sent.
  • Page 297 DHCP | 7.0(1) | This feature was introduced. The following screens were introduced: Configuration > Device Management > DHCP > DHCP Relay, Configuration > Device Management > DHCP > DHCP Server
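An added CLI example, not text from the guide, of a DHCP server on the inside interface that stays within the 10-user license pool limit described above, with the DNS, WINS, domain and advanced-option settings the ASDM panes expose, and the relay alternative for a segment served by a central DHCP server. Addresses are assumptions.

```cisco
! Added example (not from the Cisco guide). ASA 5505 with the default
! 10-user license: the DHCP pool may hold at most 32 addresses.
! Assumed: inside 192.168.1.0/24, DNS 192.168.1.250/251, WINS 192.168.1.252.
!
! 192.168.1.5 through 192.168.1.36 is exactly 32 addresses; a larger range
! is rejected on this license. With unlimited hosts the cap is 256.
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd dns 192.168.1.250 192.168.1.251
dhcpd wins 192.168.1.252
dhcpd domain example.com
! Lease in seconds. A short lease keeps a 32-address pool from filling up
! with stale bindings.
dhcpd lease 3600
! Advanced option, here a TFTP server (option 150) for IP phones on the
! PoE ports.
dhcpd option 150 ip 192.168.1.200
dhcpd enable inside
!
! The default router handed to clients is the interface's own address, and
! the relay agent likewise does not rewrite the router option.
!
! Relay alternative for a dmz segment whose addresses come from a central
! DHCP server at 10.1.1.5 reached through "inside". Shown as comments: use
! it on an interface that has no local pool, not on top of one.
!   dhcprelay server 10.1.1.5 inside
!   dhcprelay enable dmz
!   dhcprelay setroute dmz
!   dhcprelay timeout 60
!
! Verify: "show dhcpd binding" (active leases) and "show dhcpd statistics"
! (the message counters behind Monitoring > Interfaces > DHCP).
```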
  • Page 299: Configuring Dynamic Dns

    “Configuring a DHCP Server” section on page 10-5. Licensing Requirements for DDNS: Table 11-1 shows the licensing requirements for DDNS. Table 11-1 Licensing Requirements (Model | License Requirement): All models | Base License.
  • Page 300 5 minutes and 15 seconds for as long as the method is active. Step 5: To store server resource record updates that the DNS client updates, choose one of the following options:
  • Page 301 Step 18: To remove configured settings, choose the settings from the list, and then click Delete. Step 19: Click Apply to save your changes, or click Reset to discard them and enter new ones.
  • Page 302 DDNS | 7.0(1) | This feature was introduced. The following screens were introduced: Configuration > Device Management > DNS > DNS Client, Configuration > Device Management > DNS > Dynamic DNS.
  • Page 303 The following WCCPv2 features are supported for the adaptive security appliance: • Redirection of multiple TCP and UDP port-destined traffic. • Authentication for cache engines in a service group. • Multiple cache engines in a service group.
  • Page 304 Context Mode Guidelines: Supported in single mode and multiple context mode. IPv6 Guidelines: Supports IPv6. Licensing Requirements for WCCP: Table 12-1 shows the licensing requirements for WCCP. Table 12-1 Licensing Requirements
  • Page 305 Click Manage to display the ACL Manager window, where you can create or change an ACL. Step 4: Click OK to close the Add or Edit Service Group dialog box. Step 5: To continue, see the “Configuring Packet Redirection” section on page 12-4.
  • Page 306 Type show running-config wccp interface, then click Send. Monitoring > Properties > WCCP > WCCP Service Groups: Shows configured WCCP service groups. Monitoring > Properties > WCCP > WCCP Redirection: Shows configured WCCP interface statistics.
  • Page 307 This feature was introduced. The following screens were introduced: Configuration > Device Management > Advanced > WCCP > Service Groups, Configuration > Device Management > Advanced > WCCP > Redirection
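An added CLI example, not text from the guide, of a WCCP service group with a redirect list, a group list and cache-engine authentication, plus the packet redirection on the client-facing interface that the Service Groups and Redirection screens configure. Addresses and names are assumptions.

```cisco
! Added example (not from the Cisco guide). WCCPv2 web-cache service.
! Assumed: clients on inside 192.168.1.0/24, cache engine 192.168.1.200.
!
! Which traffic to redirect: HTTP from the clients, but never the cache
! engine's own fetches, which would otherwise loop back into the cache.
access-list wccp-redirect extended deny ip host 192.168.1.200 any
access-list wccp-redirect extended permit tcp 192.168.1.0 255.255.255.0 any eq www
!
! Which devices may join the service group. Together with the password this
! is the authentication of cache engines the guide mentions: an engine that
! is not in the list, or does not know the password, cannot register and
! cannot have client traffic steered to it.
access-list wccp-engines extended permit ip host 192.168.1.200 any
!
wccp web-cache redirect-list wccp-redirect group-list wccp-engines password WCCP-PW-PLACEHOLDER
!
! Redirect at ingress on the interface the clients enter through; the ASA
! supports inbound redirection only.
wccp interface inside web-cache redirect in
!
! Verify: "show wccp" (service group, router ID, number of engines),
! "show wccp web-cache detail", "show running-config wccp interface".
```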
  • Page 309 • Configuring a Network Object Group, page 13-3 • Using Network Objects and Groups in a Rule, page 13-4 • Viewing the Usage of a Network Object or Group, page 13-4
  • Page 310 • Name—The object name. Use characters a to z, A to Z, 0 to 9, a period, a dash, a comma, or an underscore. The name must contain 64 characters or fewer. • Type—Either Network, Host, or Range.
  • Page 311 To add an existing network object or group to the new group, double-click the object in the Existing Network Objects/Groups pane. You can also select the object, and then click Add. The object or group is added to the right-hand Members in Group pane.
  • Page 312 Objects/Group pane, click the magnifying glass Find icon. The Usages dialog box appears, listing all the rules currently using the network object or group. This dialog box also lists any network object groups that contain the object.
  • Page 313 A service group used in an access rule cannot be made empty. For information about adding or editing a service object, see the “Adding and Editing a Service Object” section on page 13-6.
  • Page 314 Step 2: Select an existing service object under the Name column. Step 3: Click Edit. Depending upon the type of service object you choose to edit, the appropriate Edit window appears: • Service Object—The Edit Service Object window appears.
  • Page 315 Step 5: By default you can add a service group from an existing service/service group. Select the group from the Name field, and click Add to add the service to the group. Optionally, you can create a new member:
  • Page 316 – Service Groups—The title of this table depends on the type of service group you are adding. It includes the defined service groups. – Predefined—Lists the predefined ports, types, or protocols. • Create new member—Lets you create a new service group member.
  • Page 317 Click the minus (-) icon to collapse the item. Licensing Requirements for Objects and Groups: The following table shows the licensing requirements for this feature (Model | License Requirement): All models | Base License.
  • Page 318 You can use a regular expression to match the content of certain application traffic; for example, you can match a URL string inside an HTTP packet. Cisco ASA 5500 Series Configuration Guide using ASDM 13-10...
  • Page 319 Use Ctrl+V to escape all of the special characters in the CLI, such as question mark (?) or a tab. For example, type d[Ctrl+V]?g to enter d?g in the configuration. See the regex command in the Cisco ASA 5500 Series Command Reference for performance impact information when matching a regular expression to packets.
  • Page 320 Test—Tests a regular expression against some sample text. • Examples The following example creates two regular expressions for use in an inspection policy map: regex url_example example\.com regex url_example2 example2\.com Cisco ASA 5500 Series Configuration Guide using ASDM 13-12 OL-20339-01...
  • Page 321 \t (tab). Three digit octal number—Matches an ASCII character as octal (up to three digits). For – example, the character \040 represents a space. The backslash (\) is entered automatically. Cisco ASA 5500 Series Configuration Guide using ASDM 13-13 OL-20339-01...
  • Page 322 Test String—Enter a text string that you expect to match the regular expression. • Test—Tests the Text String against the Regular Expression, Test Result—Display only. Shows if the test succeeded or failed. • Cisco ASA 5500 Series Configuration Guide using ASDM 13-14 OL-20339-01...
  • Page 323 “Adding a Time Range to an Access Rule” section on page 13-16. Note Creating a time range does not restrict access to the device. This pane defines the time range only. Cisco ASA 5500 Series Configuration Guide using ASDM 13-15 OL-20339-01...
  • Page 324 Allow the default settings, in which the Start Now and the Never End radio buttons are checked. Apply a specific time range by clicking the Start at and End at radio buttons and selecting the specified start and stop times from the lists. Cisco ASA 5500 Series Configuration Guide using ASDM 13-16 OL-20339-01...
  • Page 325 Minute—Specifies the minute, in the range of 00 through 59. • Recurring Time Ranges—Configures daily or weekly time ranges. – Add—Adds a recurring time range. Edit—Edits the selected recurring time range. – Delete—Deletes the selected recurring time range. – Cisco ASA 5500 Series Configuration Guide using ASDM 13-17 OL-20339-01...
  • Page 326 Through—Lists the day of the week, Monday through Sunday. – Hour—Lists the hour, in the range of 00 through 23. Minute—Lists the minute, in the range of 00 through 59. – Cisco ASA 5500 Series Configuration Guide using ASDM 13-18 OL-20339-01...
  • Page 327 Edit—Edits a a public server group. • Delete—Deletes a specified public server. • Apply—Applies the changes that have been made. • Reset—Resets the security appliance to the previous configuration. • Cisco ASA 5500 Series Configuration Guide using ASDM 14-1 OL-20339-01...
  • Page 328 To add a public server that lets you specify a real and mapped protocol (TCP or UDP) to a port, perform the following steps: In the Configuration > Firewall > Public Servers pane, click Add to add a new server. Step 1 Cisco ASA 5500 Series Configuration Guide using ASDM 14-2 OL-20339-01...
  • Page 329 Public Interface—The interface through which outside users can access the real server. • • Public Address.—The IP address that is seen by outside users. • Public Service—The service that is running on the translated address. Step 3 Click OK. Cisco ASA 5500 Series Configuration Guide using ASDM 14-3 OL-20339-01...
  • Page 330 Chapter 14 Configuring Public Servers Editing a Public Server Cisco ASA 5500 Series Configuration Guide using ASDM 14-4 OL-20339-01...
  • Page 331 A R T Configuring ACLs...
  • Page 333 No—Indicates the order of evaluation for the rule. Implicit rules are not numbered, but are • represented by a hyphen. Address—Displays the IP address or URL of the application or service to which the ACE applies. • Cisco ASA 5500 Series Configuration Guide using ASDM 15-1 OL-20339-01...
  • Page 334 IP address. • Service—Names the service and protocol specified by the rule. Action—Specifies whether this filter permits or denies traffic flow. • Cisco ASA 5500 Series Configuration Guide using ASDM 15-2 OL-20339-01...
  • Page 335 HTTP, FTP, and port numbers 5, 8, and 9, define a service group that includes all these ports. Without service groups, you would have to create a separate rule for each port. Cisco ASA 5500 Series Configuration Guide using ASDM 15-3 OL-20339-01...
  • Page 336 Browse (...) button to open the Browse Time Range dialog box to select or add a time range. Description—(Optional) Provides a brief description of this rule. A description line can be up – to 100 characters long, but you can break a description into multiple lines. Cisco ASA 5500 Series Configuration Guide using ASDM 15-4 OL-20339-01...
  • Page 337 Firewall Mode Guidelines, page 16-1 • Additional Guidelines and Limitations, page 16-2 Context Mode Guidelines Supported in single and multiple context mode. Firewall Mode Guidelines Supported in routed and transparent firewall mode. Cisco ASA 5500 Series Configuration Guide using ASDM 16-1 OL-20339-01...
  • Page 338 “Configuring Access Rules” section on page 30-7 for more • information. Adding a Webtype ACL and ACE You must first create the webtype ACL and then add an ACE to the ACL. Cisco ASA 5500 Series Configuration Guide using ASDM 16-2 OL-20339-01...
  • Page 339 Square brackets [] are range operators, matching any character in the range. For example, to – match both http://www.cisco.com:80/ and http://www.cisco.com:81/, enter the following: http://www.cisco.com:8[01]/ To filter on an address and service, click the Filter address and service radio button, and enter the appropriate values.
  • Page 340 For more information about specific values, see the “Adding a Webtype ACL and ACE” section on page 16-2. Step 4 Click OK. Step 5 Click Apply to save the changes to your configuration. Cisco ASA 5500 Series Configuration Guide using ASDM 16-4 OL-20339-01...
  • Page 341 Feature Name Releases Feature Information Webtype access lists Webtype ACLs are access lists that are added to a configuration that supports filtering for clientless SSL VPN. The feature was introduced. Cisco ASA 5500 Series Configuration Guide using ASDM 16-5 OL-20339-01...
  • Page 342 Chapter 16 Adding a WebtypeACL Feature History for Webtype Access Lists Cisco ASA 5500 Series Configuration Guide using ASDM 16-6 OL-20339-01...
  • Page 347 This section includes the guidelines and limitations for this feature: • Context Mode Guidelines, page 17-2 • Firewall Mode Guidelines, page 17-2 • IPv6 Guidelines, page 17-2 • Additional Guidelines and Limitations, page 17-2
  • Page 348 106023 for denied packets. Deny packets must be present to log denied packets. Adding Standard ACLs This section includes the following topics: •, page 17-2 • Using Standard ACLs, page 17-3 • , page 17-4
  • Page 349 ACE before the selected ACE, or click Insert After... to add the ACE after the selected ACE. Step 5 Click one of the following radio buttons to choose an action: • Permit—Permits access if the conditions are matched. • Deny—Denies access if the conditions are matched.
  • Page 350 Releases Feature Information Standard ACLs Standard ACLs identify the destination IP addresses of OSPF routes, which can be used in a route map for OSPF redistribution. The feature was introduced.
  • Page 351 PART Configuring IP Routing
  • Page 353 The next hop may be the ultimate destination host. If not, the next hop is usually another router, which executes the same switching decision process. As the packet moves through the internetwork, its physical address changes, but its protocol address remains constant.
  • Page 354 If the message indicates that a network change has occurred, the routing software recalculates routes and sends out new routing update messages. These messages permeate the network, stimulating routers to rerun their algorithms and change their routing tables accordingly.
  • Page 355 Distance vector algorithms (also known as Bellman-Ford algorithms) call for each router to send all or some portion of its routing table, but only to its neighbors. In essence, link-state...
  • Page 356 Destination translated return packets may be forwarded back using the wrong egress interface.
  • Page 357: Displaying The Routing Table

    Displaying the Routing Table To show all routes in ASDM that are in the routing table, choose Monitoring > Routing > Routes. In this table, each row represents one route.
  • Page 358 Table 18-1 Default Administrative Distance for Supported Routing Protocols Route Source Default Administrative Distance Connected interface Static route EIGRP Summary Route
  • Page 359 • If a default route has not been configured, the packet is discarded. • If the destination matches a single entry in the routing table, the packet is forwarded through the interface associated with that route.
  • Page 360 IPv6, and includes the following topics: • Features that Support IPv6, page 18-9 • IPv6-Enabled Commands, page 18-9 • Entering IPv6 Addresses in Commands, page 18-10
  • Page 361 The following adaptive security appliance commands can accept and display IPv6 addresses: • capture • configure • copy • http • name • object-group • ping • show conn • show local-host
  • Page 362 • You need to specify a port number with the address, for example: [fe80::2e0:b6ff:fe01:3b7a]:8080. • The command uses a colon as a separator, such as the write net command and config net command, for example: configure net [fe80::2e0:b6ff:fe01:3b7a]:/tftp/config/asaconfig.
  • Page 363 • Proxy ARP Enabled—Shows whether proxy ARP is enabled or disabled for NAT global addresses, Yes or No. • Enable—Enables proxy ARP for the selected interface. By default, proxy ARP is enabled for all interfaces. • Disable—Disables proxy ARP for the selected interface.
  • Page 364 Chapter 18 Information About Routing Disabling Proxy ARPs
  • Page 365 Traffic that originates on the...
  • Page 366 This section explains how to configure a static route and a static default route and includes the following topics: • Configuring a Static Route, page 19-3 • Configuring a Default Static Route, page 19-7 • Configuring IPv6 Default and Static Routes, page 19-8
  • Page 367: Configuring A Static Route

    Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > Static Routes. Step 2 Choose which route to filter by clicking one of the radio buttons: • Both (filters both IPv4 and IPv6) • IPv4 only • IPv6 only
  • Page 368 Step 9 (Optional) In the Options area, choose only one of the following options for a static route. • None—No options are specified for the static route. This option is the default.
  • Page 369 Step 12 Click Apply to save the configuration. The added or edited route information appears in the Static Routes pane. The monitoring process begins as soon as you save the newly configured route.
  • Page 370: Deleting Static Routes

    Step 3 Click Delete. The deleted route is removed from the list of routes in the main Static Routes pane. Step 4 Click Apply to save the changes to your configuration.
  • Page 371 Step 1 On the main ASDM window, choose Configuration > Device Setup > Routing > Static Routes. Step 2 Click Add or Edit. Step 3 In the Options area, choose Tunneled. Step 4 Click OK.
  • Page 372 DHCP or PPPoE. You can only enable PPPoE clients on multiple interfaces with route tracking. To monitor the state of a route in ASDM, in the main ASDM window, choose Monitoring > Routing > Routes. In this table, each row represents one route.
  • Page 373 Feature Information Routing 7.0(1) The route command was introduced to enter a static or default route for the specified interface. The Configuration > Device Setup > Routing screen was introduced.
  • Page 374 Chapter 19 Configuring Static and Default Routes Feature History for Static and Default Routes
  • Page 375 • Route maps are more flexible than ACLs and can verify routes based on criteria which ACLs cannot verify. For example, a route map can verify if the type of route is internal.
  • Page 376 Match Clause tab in ASDM, match the route or until the end of the route map is reached. A match or set value in each clause can be missed or repeated several times, if one of these conditions exists:
  • Page 377 This section includes the guidelines and limitations for this feature. Context Mode Guidelines Supported in single context mode. Firewall Mode Guidelines Supported only in routed mode. Transparent mode is not supported. IPv6 Guidelines Does not support IPv6.
  • Page 378 – Choose Match IP Address to enable or disable the Match address of a route or match packet. – Choose Match Next Hop to enable or disable the Match next hop address of a route.
  • Page 379 If you specify more than one interface, then the route can match either interface. – Enter the interface name in the Interface field, or click the ellipses to display the Browse Interface dialog box.
  • Page 380 • Select the Set Metric Type check box to enable or disable the type of metric for the destination routing protocol, and choose the metric type from the drop-down list.
  • Page 381 The Configuration > Device Setup > Routing > Route Maps screen was introduced. Enhanced support for static and dynamic route maps 8.0(2) Enhanced support for dynamic and static route maps was added.
  • Page 382 Chapter 20 Defining Route Maps Feature History for Route Maps
  • Page 385 The cost can be configured to specify preferred paths. The disadvantage of shortest path first algorithms is that they require a lot of CPU cycles and memory. Cisco ASA 5500 Series Configuration Guide using ASDM 21-1 OL-20339-01...
  • Page 386 Also, you should not mix public and private networks on the same adaptive security appliance interface. You can have two OSPF routing processes, one RIP routing process, and one EIGRP routing process running on the adaptive security appliance at the same time. Cisco ASA 5500 Series Configuration Guide using ASDM 21-2 OL-20339-01...
  • Page 387 In the main ASDM window, choose Configuration > Device Setup > Routing > OSPF > Setup. Step 1 In the OSPF Setup pane, you can enable OSPF processes, configure OSPF areas and networks, and define OSPF route summarization. Cisco ASA 5500 Series Configuration Guide using ASDM 21-3 OL-20339-01...
  • Page 388 “Configuring Route Summarization Between OSPF Areas” section on page 21-8 for more information. Customizing OSPF This section explains how to customize the OSPF process and includes the following topics: Redistributing Routes Into OSPF, page 21-5 • Cisco ASA 5500 Series Configuration Guide using ASDM 21-4 OL-20339-01...
  • Page 389 Choose the OSPF process associated with the route redistribution entry. If you are editing an existing redistribution rule, you cannot change this setting. Step 4 Choose the source protocol from which the routes are being redistributed. You can choose one of the following options: Cisco ASA 5500 Series Configuration Guide using ASDM 21-5 OL-20339-01...
  • Page 390 The Configure Route Map dialog box appears. Click Add or Edit to define which of the routes from the specified routing protocol are allowed to be redistributed into the target routing process. For more information, see the “Defining a Route Map” section on page 20-4. Cisco ASA 5500 Series Configuration Guide using ASDM 21-6 OL-20339-01...
  • Page 391 Step 5 Choose the network mask for the summary address from the Netmask drop-down list. You cannot change this information when editing an existing entry. Cisco ASA 5500 Series Configuration Guide using ASDM 21-7 OL-20339-01...
  • Page 392 The Add/Edit a Route Summarization Entry dialog box allows you to add new entries to or modify existing entries in the Summary Address table. Some of the summary address information cannot be changed when editing an existing entry. Cisco ASA 5500 Series Configuration Guide using ASDM 21-8 OL-20339-01...
  • Page 393 Area authentication is disabled by default. So, unless you have previously specified an area authentication type, interfaces set to area authentication have authentication disabled until you configure area authentication. Click the radio button in the Authentication Password area. Step 5 Cisco ASA 5500 Series Configuration Guide using ASDM 21-9 OL-20339-01...
  • Page 394 When two routers connect to a network, both attempt to become the designated router. The devices with the higher router priority becomes the designated router. If there is a tie, the router with the higher router ID becomes the designated router. Cisco ASA 5500 Series Configuration Guide using ASDM 21-10 OL-20339-01...
  • Page 395 Valid values range from 1 to 65535. The default value of this setting is four times the interval set by the Hello Interval field. Cisco ASA 5500 Series Configuration Guide using ASDM 21-11 OL-20339-01...
  • Page 396 When you create a NSSA, you have the option of preventing summary LSAs from being flooded into the area by unchecking the Summary check box. You can also disable route redistribution by unchecking the Redistribute check box and enabling Default Information Originate. Cisco ASA 5500 Series Configuration Guide using ASDM 21-12 OL-20339-01...
  • Page 397 Step 1 From the main ASDM home page, choose Configuration > Device Setup > Routing > OSPF > Setup. Step 2 Click the Area/Networks tab. Click Add. Step 3 Cisco ASA 5500 Series Configuration Guide using ASDM 21-13 OL-20339-01...
  • Page 398 GRE tunnel. Before you begin, you must create a static route to the OSPF neighbor. See Chapter 19, “Configuring Static and Default Routes,” for more information about creating static routes. Cisco ASA 5500 Series Configuration Guide using ASDM 21-14 OL-20339-01...
  • Page 399 LSA Group Pacing—Specifies the interval at which LSAs are collected into a group and refreshed, • check summed, or aged. Valid values range from 10 to 1800. The default value is 240. Click OK. Step 5 Cisco ASA 5500 Series Configuration Guide using ASDM 21-15 OL-20339-01...
  • Page 400 Some of the filter information cannot be changed when you edit an existing filter. Choose the OSPF process that is associated with the filter entry from the OSPF Process drop-down list. Step 3 Cisco ASA 5500 Series Configuration Guide using ASDM 21-16 OL-20339-01...
  • Page 401 In the Peer Router ID field, enter the router ID of the virtual link neighbor. Step 5 If you are editing an existing virtual link entry, you cannot modify this setting. Cisco ASA 5500 Series Configuration Guide using ASDM 21-17 OL-20339-01...
  • Page 402 Valid values range from 1 to 65535. The default value of this field is four times the interval set by the Hello Interval field. Cisco ASA 5500 Series Configuration Guide using ASDM 21-18 OL-20339-01...
  • Page 403 In the main ASDM window, choose Configuration > Device Setup > Routing > OSPF > Interface. Step 18 From the Properties tab, choose the inside interface and click Edit. The Edit OSPF Properties dialog box appears. Step 19 In the Cost field, enter 20. Cisco ASA 5500 Series Configuration Guide using ASDM 21-19 OL-20339-01...
  • Page 404 In the Authentication area, click on the MD5 radio button. Step 29 Step 30 In the MD5 and Key ID area, type cisco in the MD5 Key field, and type 1 in the MD5 Key ID field. Step 31 Click OK.
  • Page 405 Support was added for route data, perform authentication, redistribute and monitor routing information, using the Open Shortest Path First (OSPF) routing protocol. The Configuration > Device Setup > Routing > OSPF screen was introduced. Cisco ASA 5500 Series Configuration Guide using ASDM 21-21 OL-20339-01...
  • Page 406 Chapter 21 Configuring OSPF Feature History for OSPF Cisco ASA 5500 Series Configuration Guide using ASDM 21-22 OL-20339-01...
  • Page 407 RIP has advantages over static routes because the initial configuration is simple, and you do not need to update the configuration when the topology changes. The disadvantage to RIP is that there is more network and processing overhead than static routing. Cisco ASA 5500 Series Configuration Guide using ASDM 22-1 OL-20339-01...
  • Page 408 When the route-timeout timer expires, the route is marked invalid but is retained in the table until the route-flush timer expires. Licensing Requirements for RIP Model License Requirement All models Base License. Cisco ASA 5500 Series Configuration Guide using ASDM 22-2 OL-20339-01...
  • Page 409 “Configuring a Default Static Route” section on page 19-7 and then define a route map. For information, see the “Defining a Route Map” section on page 20-4. Cisco ASA 5500 Series Configuration Guide using ASDM 22-3 OL-20339-01...
  • Page 410 Uncheck this check box to disable RIP routing on the adaptive security appliance. Click Apply. Step 3 To customize the RIP process, see the “Configuring RIP” section on page 22-3. Cisco ASA 5500 Series Configuration Guide using ASDM 22-4 OL-20339-01...
  • Page 411 Any Version 2 updates received are dropped. Version 2—Specifies that the adaptive security appliance only sends and receives RIP Version 2 • updates. Any Version 1 updates received are dropped. Click Apply. Step 4 Cisco ASA 5500 Series Configuration Guide using ASDM 22-5 OL-20339-01...
  • Page 412 (Optional) Choose the following options according to your preferences: Step 5 Override Global Send Version—Check this check box to specify the RIP version sent by the • interface. You can choose the following options: Version 1 – Cisco ASA 5500 Series Configuration Guide using ASDM 22-6 OL-20339-01...
  • Page 413 Step 5 sent by the interface. Choose one of the following: Version 1 • Version 2 • Version 1 & 2 • Unchecking this check box restores the global setting. Cisco ASA 5500 Series Configuration Guide using ASDM 22-7 OL-20339-01...
  • Page 414 Disable automatic route summarization if you must perform routing between disconnected subnets. When automatic route summarization is disabled, subnets are advertised. Click Apply. Step 4 Cisco ASA 5500 Series Configuration Guide using ASDM 22-8 OL-20339-01...
  • Page 415 – OSPF – – EIGRP – (Optional) Add a network rule by clicking Add. Skip to the “Adding or Editing a Filter Rule” section on Step 9 page 22-10. Cisco ASA 5500 Series Configuration Guide using ASDM 22-9 OL-20339-01...
  • Page 416 If you clicked Edit, the Edit Route Redistribution dialog box allows you to change an existing rule. In the Protocol area, choose the routing protocol to redistribute into the RIP routing process: Step 3 • Static—Static routes. • Connected—Directly connected networks. Cisco ASA 5500 Series Configuration Guide using ASDM 22-10 OL-20339-01...
  • Page 417 RIP message authentication must be configured with the same authentication mode and key for adjacencies to be established. Before you can enable RIP route authentication, you must enable RIP. Note To enable RIP authentication on an interface, perform the following steps: Cisco ASA 5500 Series Configuration Guide using ASDM 22-11 OL-20339-01...
  • Page 418 To monitor or display various RIP routing statistics in ASDM, perform the following steps: In the main ASDM window, choose Monitoring > Routing > Routes. Step 1 From this pane, you can choose to monitor the following: Step 2 IPv4 • IPv6 • Cisco ASA 5500 Series Configuration Guide using ASDM 22-12 OL-20339-01...
  • Page 419 Support for routing data, performing authentication, and redistributing and monitoring routing information using the Routing Information Protocol (RIP). The Configuration > Device Setup > Routing > RIP screen was introduced. Cisco ASA 5500 Series Configuration Guide using ASDM 22-13 OL-20339-01...
  • Page 420 Chapter 22 Configuring RIP Feature History for RIP Cisco ASA 5500 Series Configuration Guide using ASDM 22-14 OL-20339-01...
  • Page 421 Feature History for EIGRP, page 23-20 Overview EIGRP is an enhanced version of IGRP developed by Cisco. Unlike IGRP and RIP, EIGRP does not send out periodic route updates. EIGRP updates are sent out only when the network topology changes. Key...
  • Page 422 This section includes the guidelines and limitations for this feature. Context Mode Guidelines Supported in single context mode. Firewall Mode Guidelines Supported only in routed mode. Transparent mode is not supported. Cisco ASA 5500 Series Configuration Guide using ASDM 23-2 OL-20339-01...
  • Page 423 This section explains how to enable the EIGRP process on your system. After you have enabled EIGRP, see the following sections to learn how to customize the EIGRP process on your system. Enabling EIGRP, page 23-4 • Enabling EIGRP Stub Routing, page 23-5 • Cisco ASA 5500 Series Configuration Guide using ASDM 23-3 OL-20339-01...
  • Page 424 (Optional) Click Advanced to configure the EIGRP process settings, such as the router ID, default metrics, stub routing settings, neighbor change and warning logging, and the administrative distances for the EIGRP routes. Cisco ASA 5500 Series Configuration Guide using ASDM 23-4 OL-20339-01...
  • Page 425 If this option is selected, you cannot select any of the other stub routing options. • Stub Connected—Advertises connected routes. Cisco ASA 5500 Series Configuration Guide using ASDM 23-5 OL-20339-01...
  • Page 426 • Disabling Automatic Route Summarization, page 23-15 • Configuring Default Information in EIGRP, page 23-16 • Disabling EIGRP Split Horizon, page 23-17 • • Restarting the EIGRP Process, page 23-18 Cisco ASA 5500 Series Configuration Guide using ASDM 23-6 OL-20339-01...
  • Page 427 Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > EIGRP > Setup. The EIGRP Setup pane appears. Step 2 Check the Enable EIGRP routing check box. Step 3 Click OK.
  • Page 428 Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > EIGRP > Setup. The EIGRP Setup pane appears. Step 2 Check the Enable EIGRP routing check box. Step 3 Click OK. Step 4 Click the Passive Interfaces tab.
  • Page 429 In the Netmask field, choose or enter the network mask to apply to the IP address. Step 10 Enter the administrative distance for the route in the Administrative Distance field. If left blank, the route has the default administrative distance of 5.
  • Page 430 Step 3 In the EIGRP Process field, enter the autonomous system (AS) number for the EIGRP process. The AS number can be from 1 to 65535. Step 4 Click the Networks tab. Step 5 Click Add to add a new network entry.
  • Page 431 Each row of the Static Neighbor table displays the EIGRP autonomous system number for the neighbor, the neighbor IP address, and the interface through which the neighbor is available. From the Static Neighbor pane you can add or edit a static neighbor.
  • Page 432 • Static—Redistributes static routes to the EIGRP routing process. Static routes that fall within the scope of a network statement are automatically redistributed into EIGRP; you do not need to define a redistribution rule for them.
  • Page 433 Step 3 In the EIGRP Process field, enter the autonomous system (AS) number for the EIGRP process. The AS number can be from 1 to 65535. Step 4 Choose Configuration > Device Setup > Routing > EIGRP > Filter Rules.
  • Page 434 From the Netmask drop-down list, choose the network mask applied to the network IP address. You can type a network mask into this field or select one of the common masks from the list. Step 15 Click OK.
  • Page 435 192.168.10.0 and 192.168.11.0, and those networks participate in EIGRP, they will also be summarized as 192.168.0.0. To prevent the possibility of traffic being routed to the wrong location, you should disable automatic route summarization on the routers creating the conflicting summary addresses.
  • Page 436 EIGRP updates. • out—The rule filters default route information from outgoing EIGRP updates. You can have one “in” rule and one “out” rule for each EIGRP process.
  • Page 437 This list is populated from system numbers that were set up when you enabled the EIGRP routing process. Step 4 Uncheck the Split Horizon check box. Step 5 Click OK.
  • Page 438 You can use the following commands to monitor the EIGRP routing process. For examples and descriptions of the command output, see the Cisco ASA 5500 Series Command Reference. Additionally, you can disable the logging of neighbor change messages and neighbor warning messages.
  • Page 439 Step 24 Enter the delay value in the Delay field. The delay time is in tens of microseconds. Valid values are from 1 to 16777215. Step 25 Click OK.
  • Page 440 Support was added for routing data, performing authentication, and redistributing and monitoring routing information using the Enhanced Interior Gateway Routing Protocol (EIGRP). The Configuration > Device Setup > Routing > EIGRP screen was introduced.
  • Page 451 Multicast packets are replicated in the network by Cisco routers enabled with Protocol Independent Multicast (PIM) and other supporting multicast protocols resulting in the most efficient delivery of data to multiple receivers possible.
  • Page 452 Multicast addresses specify an arbitrary group of IP hosts that have joined the group and want to receive traffic sent to this group.

    Licensing Requirements for Multicast Routing
    Model        License Requirement
    All models   Base License.
  • Page 453 RAM on the adaptive security appliance. Once these limits are reached, any new entries are discarded.

    Table 24-1 Entry Limits for Multicast Tables
    Table         16 MB   128 MB   128+ MB
    MFIB          1000    3000     5000
    IGMP Groups   1000    3000     5000
    PIM Routes    3000    7000     12000
  • Page 454 In some cases, such as bypassing a route that does not support multicast routing, you may want unicast packets to take one path and multicast packets to take another. Static multicast routes are not advertised or redistributed.
  • Page 455 224.0.0.1 is assigned to all systems on a subnet. The address 224.0.0.2 is assigned to all routers on a subnet. When you enable multicast routing on the adaptive security appliance, IGMP Version 2 is automatically enabled on all interfaces.
  • Page 456 “Configuring a Statically Joined IGMP Group” section on page 24-7. To have the adaptive security appliance join a multicast group, perform the following steps:
  • Page 457 Step 4 In the Multicast Group Address field, enter the address of a multicast group that the interface belongs to. The group address must be from 224.0.0.0 to 239.255.255.255. Step 5 Click OK.
  • Page 458 Step 3 range from 0 to 500. The default value is 500. Setting this value to 0 prevents learned groups from being added, but manually defined memberships are still permitted.
  • Page 459 IGMP Version 1 and 2 hosts on the subnet works; the adaptive security appliance running IGMP Version 2 works correctly when IGMP Version 1 hosts are present. To control which version of IGMP is running on an interface, perform the following steps:
  • Page 460 Step 2 Choose the interface you want to enable for PIM from the table on the Protocol pane, and click Edit. The Edit PIM Protocol dialog box appears. Step 3 Check the Enable PIM check box. To disable PIM, uncheck this check box. Step 4 Click OK.
  • Page 461 RP. For more information about multicast groups, see the “Configuring a Multicast Group” section on page 24-14. Step 6 Click OK.
  • Page 462 Step 6 In the Destination IP Address field, type the multicast destination address. Step 7 In the Destination Netmask field, type or choose the network mask from the drop-down list for the multicast destination address.
  • Page 464 PIM neighbor from this table. Step 3 Choose the interface name from the Interface Name drop-down list. Step 4 From the Action drop-down list, choose Permit or Deny for the neighbor filter ACL entry.
  • Page 465 Step 2 Choose the PIM neighbor that you want to configure from the table, by clicking Add/Edit/Insert. The Add/Edit/Insert Bidirectional Neighbor Filter Entry dialog box lets you create ACL entries for the PIM bidirectional neighbor filter ACL.
  • Page 466 If an ACL with that name already exists, a number is appended to the name, for example inside_multicast_1.
  • Page 467 The Add IGMP Join Group dialog box allows you to configure an interface to be a member of a multicast group. The Edit IGMP Join Group dialog box lets you change existing membership information.
  • Page 468 The group address must be from 224.0.0.0 to 239.255.255.255. Step 14 Click OK. Additional References For additional information related to routing, see the following sections: • Related Documents, page 24-19 • RFCs, page 24-19
  • Page 469 Support was added for routing multicast data, performing authentication, and redistributing and monitoring routing information using the multicast routing protocol. The Configuration > Device Setup > Routing > Multicast screen was introduced.
  • Page 475 For information about how to configure IPv6 Neighbor Discovery in ASDM, see the Cisco ASA 5500 Series Configuration Guide using ASDM. This chapter describes how to enable and configure IPv6 neighbor discovery on the adaptive security appliance and includes the following sections: •...
  • Page 476 When there is such a change, the destination address for the neighbor advertisement is the all-nodes multicast address. Licensing Requirements for Neighbor Solicitation Messages The following table shows the licensing requirements for this feature:

    Model        License Requirement
    All models   Base License.
  • Page 477 Step 3 Step 4 Click the IPv6 tab. Step 5 In the NS Interval field, enter the time interval. Step 6 Click OK. Step 7 Click Apply to save the configuration.
  • Page 478 This section includes the guidelines and limitations for this feature. Context Mode Guidelines: Supported in single and multiple context mode. Firewall Mode Guidelines: Supported in routed mode only. Transparent mode is not supported.
  • Page 479 IPv6 addresses before they are assigned and ensures that duplicate IPv6 addresses are detected in the network on a link basis. To specify DAD settings on the interface, perform the following steps:
  • Page 480 (DAD) verifies the uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces (the new addresses remain in a tentative state while duplicate address detection is performed). Duplicate address detection is...
  • Page 481 Choose a valid month and day from the drop-down list, and then enter a time in hh:mm format. Choose a preferred month and day from the drop-down list, and then enter a time in hh:mm format. Step 8 Click OK to save your settings.
  • Page 482: Configuring Router Advertisement Messages

    IPv6 Neighbor Discovery—Router Advertisement Message [figure: router sending router advertisements] Router advertisement packet definitions: ICMPv6 Type = 134; Src = router link-local address; Dst = all-nodes multicast address; Data = options, prefix, lifetime, autoconfig flag
  • Page 483 • Configuring the Router Advertisement Transmission Interval, page 25-10 • Configuring the Router Lifetime Value, page 25-12 • Configuring the IPv6 Prefix, page 25-14 • Suppressing Router Advertisement Messages, page 25-16
  • Page 484: Configuring The Router Advertisement Transmission Interval

    Table 25-5 lists the default settings for neighbor reachable time parameters.

    Table 25-5 Default Router Advertisement Transmission Interval Parameters
    Parameters                               Default
    value (interval between transmissions)   The default is 200 seconds.
  • Page 485 Table 25-6 Feature History for Router Advertisement Transmission Interval

    Feature Name                                 Releases   Feature Information
    Router advertisement transmission interval   7.0(1)     The feature was introduced.
  • Page 486: Configuring The Router Lifetime Value

    Table 25-7 lists the default settings for neighbor reachable time parameters.

    Table 25-7 Default Router Advertisement Transmission Interval Parameters
    Parameters                               Default
    value (interval between transmissions)   The default is 200 seconds.
  • Page 487 Table 25-8 Feature History for Router Advertisement Transmission Interval

    Feature Name                                 Releases   Feature Information
    Router advertisement transmission interval   7.0(1)     The feature was introduced.
  • Page 488 This section includes the guidelines and limitations for this feature. Context Mode Guidelines: Supported in single and multiple context mode. Firewall Mode Guidelines: Supported in routed mode only. Transparent mode is not supported.
  • Page 489 A valid lifetime for the prefix in seconds from the drop-down list. This setting is the amount of time that the specified IPv6 prefix is advertised as being valid. The maximum value represents infinity. Valid values are from 0 to 4294967295. The default is 2592000 (30 days).
  • Page 490: Suppressing Router Advertisement Messages

    This section includes the guidelines and limitations for this feature. Context Mode Guidelines: Supported in single and multiple context mode. Firewall Mode Guidelines: Supported in routed mode only. Transparent mode is not supported.
  • Page 491 Table 25-11 Feature History for Suppressing Router Advertisement Messages

    Feature Name                                Releases   Feature Information
    Suppressing router advertisement messages   7.0(1)     The feature was introduced. The ipv6 nd ra-lifetime command was introduced.
  • Page 492 IPv6 neighbor parameters.

    Table 25-12 Default Static IPv6 Neighbor Parameters
    Parameters             Default
    Static IPv6 neighbor   Static entries are not configured in the IPv6 neighbor discovery cache.
  • Page 493 To delete a static neighbor from your configuration, perform the following steps: Step 1 Choose Configuration > Device Management > Advanced > IPv6 Neighbor Discovery Cache. Step 2 Select the neighbor to delete from the main pane, and click Delete.
  • Page 494 Table 25-13 Feature History for Configuring a Static IPv6 Neighbor

    Feature Name           Releases   Feature Information
    Static IPv6 Neighbor   7.0(1)     The feature was introduced.
  • Page 497 P A R T Configuring Network Address Translation
  • Page 499
    Network Class       Address Block    Starting Address   Ending Address    Approximate Hosts
    Class A addresses   10.0.0.0/8       10.0.0.0           10.255.255.255    16,000,000
    Class B addresses   172.16.0.0/12    172.16.0.0         172.31.255.255    1,000,000
    Class C addresses   192.168.0.0/16   192.168.0.0        192.168.255.255   65,000
  • Page 500 • Identity NAT—Static NAT lets you translate a real address to itself, essentially bypassing NAT. You might want to configure NAT this way when you want to translate a large group of addresses, but then want to exempt a smaller subset of addresses.
  • Page 501 • Static NAT with Identity Port Translation, page 26-5 • Static NAT with Port Translation for Non-Standard Ports, page 26-5 • Static Interface NAT with Port Translation, page 26-5
  • Page 502 [figure: Inside 10.1.1.1:23 to Outside 209.165.201.1:23; Inside 10.1.1.2:8080 to Outside 209.165.201.2:80] Note For applications that require application inspection for secondary channels (for example, FTP and VoIP), the adaptive security appliance automatically translates the secondary ports.
  • Page 503 23. (Note that Telnet is not allowed to the lowest security interface normally; static NAT with interface port translation redirects the disallowed Telnet session instead of denying it).
  • Page 504 Figure 26-4 One-to-Many Static NAT [figure: Security Appliance; Inside 10.1.2.27 to Outside 209.165.201.3, 209.165.201.4, 209.165.201.5]
  • Page 506: Dynamic Nat

    Dynamic NAT This section describes dynamic NAT and includes the following topics: • Information About Dynamic NAT, page 26-9 • Dynamic NAT Disadvantages and Advantages, page 26-10
  • Page 507 Figure 26-9 Remote Host Attempts to Initiate a Connection to a Mapped Address [figure: Web Server www.example.com; Outside 209.165.201.2, 209.165.201.10; Security Appliance 10.1.2.1; Inside 10.1.2.27]
  • Page 508 1024. Each connection requires a separate translation session because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
  • Page 509 NAT rule to translate an address to itself. Identity NAT is necessary for remote access VPN, where you need to exempt the client traffic from NAT.
  • Page 510 You can configure NAT in both routed and transparent firewall mode. This section describes typical usage for each firewall mode and includes the following topics: • NAT in Routed Mode, page 26-13 • NAT in Transparent Mode, page 26-13
  • Page 511 • Because the transparent firewall does not have any interface IP addresses, you cannot use interface PAT.
  • Page 512 For host 192.168.1.2, the same process occurs, except that the adaptive security appliance looks up the route in its route table and sends the packet to the downstream router at 10.1.1.3 based on the static route.
  • Page 513 IP (VoIP). (For VoIP, because twice NAT is applicable only between two objects, you might see a failure in the translation of indirect addresses that do not belong to either of the objects.)
  • Page 514 209.165.200.225, the real address is translated to 209.165.202.130. (See the “Single Address for FTP, HTTP, and SMTP (Static NAT with Port Translation)” section on page 27-29 for details on how to configure this example.)
  • Page 515 Twice NAT with Different Destination Ports [figure: Web and Telnet server 209.165.201.11 on the Internet; Translation 10.1.2.27:80 to 209.165.202.129; Translation 10.1.2.27:23 to 209.165.202.130; Inside 10.1.2.0/24, host 10.1.2.27; Web Packet Dest. Address 209.165.201.11:80; Telnet Packet Dest. Address 209.165.201.11:23]
  • Page 516 Figure 26-16 Twice Static NAT with Destination Address Translation [figure: 209.165.201.11; 209.165.200.225; 209.165.201.0/27; 209.165.200.224/27; No Translation; Undo Translation; 209.165.202.128; Inside 10.1.2.0/27, host 10.1.2.27]
  • Page 517 For section 2 rules, for example, you have the following IP addresses defined within network objects: 192.168.1.0/24 (static); 192.168.1.0/24 (dynamic); 10.1.1.0/24 (static); 192.168.1.1/32 (static); 172.16.1.0/24 (dynamic) (object def); 172.16.1.0/24 (dynamic) (object abc)
  • Page 518 However, this approach does put a limit on the number of available addresses used for translations. For PAT, you can even use the IP address of the mapped interface.
  • Page 519 DNS request. For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the inside interface. You configure the adaptive security appliance to statically translate the ftp.cisco.com real address (10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network.
  • Page 520 Information About NAT DNS and NAT When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10). The adaptive security appliance refers to the static rule for the inside server and translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply modification, then the inside host attempts to send traffic to 209.165.201.10 instead of accessing...
  • Page 521 In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.20.10. Because you want inside users to use the mapped address for ftp.cisco.com (10.1.2.56), you need to configure DNS reply modification for the static translation.
  • Page 523 26-15. Network object NAT rules are added to section 2 of the NAT rules table. For more information about NAT ordering, see the “NAT Rule Order” section on page 26-19.
  • Page 524 This safeguard ensures that the same address is not assigned to multiple hosts.
  • Page 525 • To add a new network object, choose Configuration > Firewall > NAT Rules, then click Add > Add Network Object NAT Rule. Figure 27-1 Adding a Network Object NAT Rule
  • Page 526 If the NAT section is hidden, click NAT to expand the section. Step 3 Check the Add Automatic Translation Rules check box. Step 4 From the Type drop-down list, choose Dynamic. Step 5...
  • Page 527 You can also create a new named object from the Browse Translated Addr dialog box and use this object as the mapped address: Add the new network object. Figure 27-5 Adding a New Network Object for the NAT Pool
  • Page 528 Fall through to interface PAT (dest intf) check box, and choose the interface from the drop-down list. Step 8 (Optional) Click Advanced, and configure the following options in the Advanced NAT Settings dialog box. When you are finished, click OK.
  • Page 529 You can add NAT to a new or existing network object: Step 1 • To add a new network object, choose Configuration > Firewall > NAT Rules, then click Add > Add Network Object NAT Rule.
  • Page 530 If the NAT section is hidden, click NAT to expand the section. Step 3 Check the Add Automatic Translation Rules check box. Step 4 From the Type drop-down list, choose Dynamic PAT (Hide). Step 5...
  • Page 531 , and choose an existing host address from the Browse Translated Addr dialog box. • You can also create a new named object from the Browse Translated Addr dialog box and use this object as the mapped address.
  • Page 532 By default, the rule applies to all interfaces. You return to the Add/Edit Network Object dialog box. Step 8 Click OK, and then Apply.
  • Page 533 Address field changes to allow you to enter a Start Address and an End Address. Netmask—Enter the subnet mask. Description—(Optional) The description of the network object (up to 200 characters in length).
  • Page 534 • (For static NAT with port translation only) Type an interface name or click the browse button, and choose an interface from the Browse Translated Addr dialog box. Figure 27-18 Browse Dialog Box
  • Page 535 To configure static NAT with port translation, under Service, choose the protocol type from the Protocol drop-down list (tcp or udp), and then type values for the Original Port and Translated Port.
  • Page 536 Objects/Groups, and then double-click a named network object. (Non-named network objects cannot be configured for NAT. Named network object icons have dark blue accents, and non-named network object icons have green accents and the word “IP”.)
  • Page 537 From the Type drop-down list, choose Static. Figure 27-24 Configuring NAT Step 6 In the Translated Addr field, do one of the following: • Type the same IP address that you used for the real address.
  • Page 538 Because static rules are bidirectional (allowing initiation to and from the real host), the NAT Rules table shows two rows for each static rule, one for each direction (see Figure 27-21).
  • Page 539 • DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification), page 27-32 • DNS Server and Web Server on Mapped Interface, Web Server is Translated (Static NAT with DNS Modification), page 27-35
  • Page 540 [figure: 209.165.201.10; Appliance 10.1.2.1; Inside myWebServ 10.1.2.27] Step 1 Create a network object for the internal web server: Figure 27-29 Adding a Network Object Step 2 Define the web server address:
  • Page 541 Figure 27-30 Defining the Web Server Address Step 3 Configure static NAT for the object: Figure 27-31 Configuring NAT Step 4 Configure the real and mapped interfaces by clicking Advanced:
  • Page 542 Also, when inside users connect to an outside web server, that web server address is translated to an address that appears to be on the inside network. (See Figure 27-33).
  • Page 543 [figure: 10.1.2.20; 10.1.2.1; Inside myInsNet 10.1.2.0/24] Step 1 Create a network object for the inside network: Figure 27-34 Adding a Network Object Step 2 Define the addresses for the inside network:
  • Page 544 Add the new network object. Figure 27-37 Adding a New Network Object for the NAT Pool Define the NAT pool addresses, and click OK.
  • Page 545 Step 6 Click OK to return to the Edit Network Object dialog box, then click OK again to return to the NAT Rules table. Step 7 Create a network object for the outside web server:
  • Page 546 Figure 27-42 Defining the Web Server Address Step 9 Configure static NAT for the web server: Figure 27-43 Configuring NAT Step 10 Configure the real and mapped interfaces by clicking Advanced:
  • Page 547 IP addresses, it is untranslated to the single load balancer address. Depending on the URL requested, it redirects traffic to the correct web server. (See Figure 27-45).
  • Page 548 [figure: Inside; Load Balancer 10.1.2.27; Web Servers] Step 1 Create a network object for the load balancer: Figure 27-46 Adding a Network Object Step 2 Define the load balancer address:
  • Page 549 Add the new network object. Figure 27-49 Adding a New Network Object for the Static NAT Group Define the static NAT group of addresses, and click OK.
  • Page 550 Step 5 Configure the real and mapped interfaces by clicking Advanced: Figure 27-52 Configuring Interfaces Step 6 Click OK to return to the Edit Network Object dialog box, click OK again, and then click Apply.
  • Page 551 Step 1 Create a network object for the FTP server address: Figure 27-54 Adding a Network Object Step 2 Define the FTP server address, and configure static NAT for the FTP server:
  • Page 552 Step 4 Create a network object for the HTTP server address: Figure 27-57 Adding a Network Object Step 5 Define the HTTP server address, and configure static NAT for the HTTP server:
  • Page 553 Step 7 Create a network object for the SMTP server address: Figure 27-60 Adding a Network Object Step 8 Define the SMTP server address, and configure static NAT for the SMTP server:
  • Page 554 DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification) For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the inside interface. You configure the adaptive security appliance to statically translate the ftp.cisco.com real address (10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network.
  • Page 555 When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10). The adaptive security appliance refers to the static rule for the inside server and translates the address inside the DNS reply to 10.1.3.14.
  • Page 556 (Figure caption: Defining the FTP Server Address and Configuring Static NAT.) Step 3 Click Advanced to configure the real and mapped interfaces and DNS modification (Figure 27-66, Setting the Interfaces and DNS).
  • Page 557 In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.201.10. Because you want inside users to use the mapped address for ftp.cisco.com (10.1.2.56), you need to configure DNS reply modification for the static translation.
  • Page 558 (Figure caption: Defining the FTP Server Address and Configuring Static NAT.) Step 3 Click Advanced to configure the real and mapped interfaces and DNS modification (Figure 27-70, Setting the Interfaces and DNS).
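The following CLI configuration reproduces the network object NAT examples of pages 543 to 558 so that what ASDM writes to the running configuration can be checked. It is an added example, not text from the guide. The summaries give only some of the addresses (myInsNet 10.1.2.0/24, the load balancer 10.1.2.27, and 10.1.3.14, 209.165.201.10 and 10.1.2.56 in the DNS examples); the object names, the interface names inside and outside, and the remaining addresses (pool 209.165.201.16 to 209.165.201.30, outside web server 209.165.201.12, load balancer public range 209.165.201.3 to 209.165.201.5, shared server address 209.165.201.6 and server hosts 10.1.2.30 to 10.1.2.32) are assumptions made for illustration.

```cisco
! Example 1 (pages 543-546): dynamic NAT for inside hosts and static NAT for an outside web server.
! Object names, the pool range and the web server address are assumptions for this example.
object network myNATpool
 range 209.165.201.16 209.165.201.30
object network myInsNet
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic myNATpool
! The outside web server is reached by inside hosts at a translated inside address (real ifc outside, mapped ifc inside).
object network myWebServ
 host 209.165.201.12
 nat (outside,inside) static 10.1.2.20
!
! Example 2 (pages 547-550): one inside load balancer published on a group of outside addresses.
object network myPublicIPs
 range 209.165.201.3 209.165.201.5
object network myLBHost
 host 10.1.2.27
 nat (inside,outside) static myPublicIPs
!
! Example 3 (pages 551-553): FTP, HTTP and SMTP servers sharing one mapped address
! (static NAT with port translation; real port first, mapped port second).
object network FTP_SERVER
 host 10.1.2.30
 nat (inside,outside) static 209.165.201.6 service tcp 21 21
object network HTTP_SERVER
 host 10.1.2.31
 nat (inside,outside) static 209.165.201.6 service tcp 80 80
object network SMTP_SERVER
 host 10.1.2.32
 nat (inside,outside) static 209.165.201.6 service tcp 25 25
!
! Example 4 (pages 554-556): server on the inside, DNS server on the outside. The dns keyword
! rewrites the A record in replies crossing the appliance (209.165.201.10 becomes 10.1.3.14 for inside clients).
object network FTP_SERVER_INSIDE
 host 10.1.3.14
 nat (inside,outside) static 209.165.201.10 dns
!
! Example 5 (pages 557-558), an alternative scenario to example 4 that reuses 209.165.201.10 and is not
! meant to coexist with it: server and DNS server on the outside, server translated on the inside.
! Inside clients resolve ftp.cisco.com to 209.165.201.10 and the reply is rewritten to 10.1.2.56.
object network FTP_SERVER_OUTSIDE
 host 209.165.201.10
 nat (outside,inside) static 10.1.2.56 dns
!
! Verification: the resulting table, current translations, and the rule a given packet hits.
show nat
show xlate
packet-tracer input outside tcp 209.165.200.225 12345 209.165.201.6 21
```

Object NAT rules land in section 2 of the NAT table, static rules before dynamic ones, so the static entries for individual hosts above are evaluated before the dynamic pool rule for their subnet; show nat confirms the order. Because the rules are bidirectional, the static entries also permit the outside to initiate connections to the mapped addresses, subject to the access rules on the outside interface.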
  • Page 559 Feature History for Network Object NAT: Network Object NAT, 8.3(1). Configures NAT for a network object IP address(es). The following screens were introduced or modified: Configuration > Firewall > NAT Rules; Configuration > Firewall > Objects > Network Objects/Groups.
  • Page 560 Chapter 27 Configuring Network Object NAT, Feature History for Network Object NAT.
  • Page 561 Twice NAT rules are added to section 1 of the NAT rules table, or, if specified, section 3. For more information about NAT ordering, see the “NAT Rule Order” section on page 26-19. Licensing Requirements for Twice NAT
  • Page 562 This safeguard ensures that the same address is not assigned to multiple hosts. • Objects and object groups used in NAT cannot be undefined; they must include IP addresses.
  • Page 563 If you want to add this rule to section 3 after the network object rules, click the down arrow next to Add, and choose Add NAT Rule After Network Object NAT Rules (Figure 28-1, Adding a NAT Rule). The Add NAT Rule dialog box appears.
  • Page 564 (Optional) For the Match Criteria: Original Packet > Destination Address, click the browse button and choose an existing network object or group from the Browse Original Destination Address dialog box.
  • Page 565 For identity NAT for the destination address, simply use the same object or group for both the real and mapped addresses.
  • Page 566 The destination interface IP address is used. This option is only available if you configure a specific Destination Interface (Figure 28-7, Fall Through to Interface PAT). Step 9 (Optional) Configure NAT options in the Options area.
  • Page 567 If you want to add this rule to section 3 after the network object rules, click the down arrow next to Add, and choose Add NAT Rule After Network Object NAT Rules (Figure 28-9, Adding a NAT Rule). The Add NAT Rule dialog box appears.
  • Page 568 (Optional) For the Match Criteria: Original Packet > Destination Address, click the browse button and choose an existing network object or group from the Browse Original Destination Address dialog box.
  • Page 569 You can also create a new named object (host) from the Browse Translated Source Address dialog box and use this object as the mapped source address. For dynamic PAT, you configure a group of addresses to be mapped to a single address.
  • Page 570 Check the Enable rule check box to enable this NAT rule. The rule is enabled by default. (For a source-only rule) To rewrite the DNS A record in DNS replies, check the Translate DNS replies that match this rule check box.
  • Page 571 If you want to add this rule to section 3 after the network object rules, click the down arrow next to Add, and choose Add NAT Rule After Network Object NAT Rules (Figure 28-16, Adding a NAT Rule). The Add NAT Rule dialog box appears.
  • Page 572 (Optional) For the Match Criteria: Original Packet > Destination Address, click the browse button and choose an existing network object or group from the Browse Original Destination Address dialog box.
  • Page 573 For more information, see the “Static Interface NAT with Port Translation” section on page 26-5. See the “Guidelines and Limitations” section on page 28-2 for information about disallowed mapped IP addresses.
  • Page 574 ...Both. Making the rule unidirectional prevents traffic from initiating connections to the real addresses. You might want to use this setting for testing purposes. In the Description field, add a description of the rule, up to 200 characters in length.
  • Page 575 If you want to add this rule to section 3 after the network object rules, click the down arrow next to Add, and choose Add NAT Rule After Network Object NAT Rules (Figure 28-23, Adding a NAT Rule). The Add NAT Rule dialog box appears.
  • Page 576 (Optional) For the Match Criteria: Original Packet > Destination Address, click the browse button and choose an existing network object or group from the Browse Original Destination Address dialog box.
  • Page 577 For more information, see the “Static NAT” section on page 26-3. See the “Guidelines and Limitations” section on page 28-2 for information about disallowed mapped IP addresses.
  • Page 578 ...DNS reply does not need modification. See the “DNS and NAT” section on page 26-21 for more information. Step 9 Click OK. Configuration Examples for Twice NAT: this section includes the following configuration examples:
  • Page 579 (Figure labels: Packet Dest. Address: 209.165.201.11; Dest. Address: 209.165.200.225; 10.1.2.27.) Step 1 Add a NAT rule for traffic from the inside network to DMZ network 1 (Figure 28-30, Adding a NAT Rule).
  • Page 580 ...Browse Original Source Address dialog box. Add the new network object (Figure 28-33, Adding a New Network Object for the Inside Network). Define the inside network addresses, and click OK.
  • Page 581 ...1 in the Browse Original Destination Address dialog box. Add the new network object (Figure 28-36, Adding a New Network Object for the DMZ Network 1). Define the DMZ network 1 addresses, and click OK.
  • Page 582 ...Browse Translated Source Address dialog box. Add the new network object (Figure 28-40, Adding a New Network Object for the PAT Address). Define the PAT address, and click OK.
  • Page 583 (Figure caption: Add NAT Rule Dialog Box: Completed.) Step 8 Click OK to add the rule to the NAT table. Step 9 Add a NAT rule for traffic from the inside network to DMZ network 2.
  • Page 584 Step 12 For the Original Destination Address, click the browse button to add a new network object for DMZ network 2 in the Browse Original Destination Address dialog box. Add the new network object.
  • Page 585 For the Translated Source Address, click the browse button to add a new network object for the PAT address in the Browse Translated Source Address dialog box. Add the new network object.
  • Page 586 Because you do not want to translate the destination address, you need to configure identity NAT for it by specifying the same address for the Original and Translated destination addresses.
  • Page 587 (Figure 28-54, Add NAT Rule Dialog Box: Completed.) Step 16 Click OK to add the rule to the NAT table. Step 17 Click Apply.
  • Page 588 By default, the NAT rule is added to the end of section 1. If you want to add a NAT rule to section 3, after the network object NAT rules, choose Add NAT Rule After Network Object NAT Rules.
  • Page 589 ...Browse Original Source Address dialog box. Add the new network object (Figure 28-59, Adding a New Network Object for the Inside Network). Define the inside network addresses, and click OK.
  • Page 590 ...Telnet/Web server in the Browse Original Destination Address dialog box. Add the new network object (Figure 28-62, Adding a New Network Object for the Telnet/Web Server). Define the server address, and click OK.
  • Page 591 Step 5 ...Telnet in the Browse Original Service dialog box. Add the new service object (Figure 28-65, Adding a New Service Object for Telnet). Define the protocol and port, and click OK.
  • Page 592 Step 7 ...PAT address in the Browse Translated Source Address dialog box. Add the new network object (Figure 28-69, Adding a New Network Object for the PAT Address).
  • Page 593 (Figure caption: Add NAT Rule Dialog Box: Completed.) Step 9 Click OK to add the rule to the NAT table. Step 10 Add a NAT rule for traffic from the inside network to the web server.
  • Page 594 Step 13 For the Original Destination Address, type the name of the Telnet/web server network object (TelnetWebServer) or click the browse button to choose it.
  • Page 595 Choose the new service object by double-clicking it. Click OK to return to the NAT configuration (Figure 28-78, Choosing the New Service Object). Step 15 Set the NAT Type to Dynamic PAT (Hide).
  • Page 596 Define the PAT address, and click OK (Figure 28-81, Defining the PAT Address). Choose the new network object by double-clicking it. Click OK to return to the NAT configuration (Figure 28-82, Choosing the New Network Object).
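The twice NAT procedures of pages 561 to 596 write rules like the following. This CLI is an added example, not text from the guide. The inside network 10.1.2.0/24, the Telnet/web server 209.165.201.11 and the address 209.165.200.225 appear in the summaries; the DMZ subnets, the PAT addresses 209.165.202.129 and 209.165.202.130, the object names and the interface name dmz are assumptions.

```cisco
! Example 1 (pages 579-587): translate the inside network to a different PAT address depending on
! which DMZ network it talks to. Subnets, PAT addresses and names are assumptions for this example.
object network INSIDE_NET
 subnet 10.1.2.0 255.255.255.0
object network DMZ1_NET
 subnet 209.165.201.0 255.255.255.224
object network DMZ2_NET
 subnet 209.165.200.224 255.255.255.224
object network PAT_DMZ1
 host 209.165.202.129
object network PAT_DMZ2
 host 209.165.202.130
! The destination is given twice (mapped, then real) because it is identity NAT: matched, not changed.
nat (inside,dmz) source dynamic INSIDE_NET PAT_DMZ1 destination static DMZ1_NET DMZ1_NET
nat (inside,dmz) source dynamic INSIDE_NET PAT_DMZ2 destination static DMZ2_NET DMZ2_NET
!
! Example 2 (pages 588-596): same server, different PAT address for Telnet and for HTTP.
! For a dynamic rule the service clause names the destination port (mapped object, then real object).
object network TELNET_WEB_SERVER
 host 209.165.201.11
object service TELNET
 service tcp destination eq 23
object service HTTP
 service tcp destination eq 80
object network PAT_TELNET
 host 209.165.202.129
object network PAT_HTTP
 host 209.165.202.130
nat (inside,outside) source dynamic INSIDE_NET PAT_TELNET destination static TELNET_WEB_SERVER TELNET_WEB_SERVER service TELNET TELNET
nat (inside,outside) source dynamic INSIDE_NET PAT_HTTP destination static TELNET_WEB_SERVER TELNET_WEB_SERVER service HTTP HTTP
!
! Placement (pages 561, 563, 588): after-auto puts a rule in section 3, after the network object rules,
! which is where a catch-all belongs so that it cannot shadow the specific rules above.
! The interface keyword is the "fall through to interface PAT" option of page 566.
nat (inside,outside) after-auto source dynamic any interface description Catch-all interface PAT after object NAT rules
!
! Rules are evaluated top-down within each section; confirm where each rule landed and what a flow hits.
show nat
packet-tracer input inside tcp 10.1.2.50 40000 209.165.201.11 23
```

The options on pages 570 and 574 map to the unidirectional keyword (static rules only, mapped side may not initiate), inactive (the Enable rule check box cleared) and dns (Translate DNS replies that match this rule), each appended to the nat command. Note that the two dynamic rules in example 2 differ only in the service clause, so the order in which they are listed does not matter, while a rule without a destination match placed above them in section 1 would capture both.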
  • Page 597 Feature History for Twice NAT: Twice NAT, 8.3(1). Twice NAT lets you identify both the source and destination address in a single rule. The following screen was modified: Configuration > Firewall > NAT Rules.
  • Page 598 Chapter 28 Configuring Twice NAT, Feature History for Twice NAT.
  • Page 599 PART Configuring Service Policies
  • Page 601 • Incompatibility of Certain Feature Actions, page 29-5 • Feature Matching for Multiple Service Policies, page 29-5. Supported Features for Through Traffic: Table 29-1 lists the features supported by service policy rules.
  • Page 603 Note: Application inspection includes multiple inspection types, and each inspection type is a separate feature when you consider the matching guidelines above.
  • Page 604 See the “Incompatibility of Certain Feature Actions” section on page 29-5 for more information. (Table residue; inspection types listed: CTIQBE, H323, HTTP, ICMP, ICMP error, MGCP, NetBIOS, PPTP, Sun RPC, RTSP, Skinny, SMTP.)
  • Page 606 • Layer 3/4 class maps (for through traffic and management traffic) • Inspection class maps • Regular expression class maps • match commands used directly underneath an inspection policy map
  • Page 607: Default Configuration

    • DNS inspection for the maximum message length of 512 bytes • H323 (H225) • H323 (RAS) • RTSP • ESMTP • SQLnet • Skinny (SCCP) • SunRPC • XDMCP • NetBios • TFTP
  • Page 608 Note: When you click the Add button, and not the small arrow on the right of the Add button, you add a through traffic rule by default. If you click the arrow on the Add button, you can choose between a through traffic rule and a management traffic rule.
  • Page 609 – Source and Destination IP Address (uses ACL): The class matches traffic specified by an extended access list. If the adaptive security appliance is operating in transparent firewall mode, you can use an EtherType access list.
  • Page 610 Note: The Any Traffic option does not have a special dialog box for additional configuration. • Default Inspections: This dialog box is informational only, and shows the applications and the ports that are included in the traffic class.
  • Page 611 Tunnel Group: Choose a tunnel group from the Tunnel Group drop-down list, or click New to add a new tunnel group. See the “IPsec Remote Access Connection Profiles” section on page 64-70 for more information.
  • Page 612 Choose an interface from the drop-down list. If you choose an interface that already has a policy, the wizard lets you add a new service policy rule to the interface.
  • Page 613 The next dialog box depends on the traffic match criteria you chose. • Source and Destination Address: This dialog box lets you set the source and destination addresses. Click Match or Do Not Match.
  • Page 614 The Add Management Service Policy Rule - Rule Actions dialog box appears. Step 9 To configure RADIUS accounting inspection, choose an inspect map from the RADIUS Accounting Map drop-down list, or click Configure to add a map.
  • Page 615 Step 1 From the Configuration > Firewall > Service Policy Rules pane, choose the rule or ACE that you want to move up or down. Step 2 Click the Move Up or Move Down cursor (see Figure 29-1, Moving an ACE).
  • Page 616 (Feature history entry: connection limits for management traffic.) The set connection command is now available for a Layer 3/4 management class map, for to-the-security-appliance management traffic. Only the conn-max and embryonic-conn-max keywords are available.
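For comparison with the ASDM dialogs of pages 601 to 616, the following CLI shows the default global service policy of page 607 and one interface policy that carries both a through-traffic class and a management class. It is an added example, not text from the guide; the access list, class and policy names, the server address 10.1.2.30 and the connection limits are assumptions. The default class is listed with ftp, rsh and sip, which the bullet list on page 607 lost, in addition to the inspections it names.

```cisco
! Default configuration (page 607): the global policy inspects the default traffic class on every interface.
! DNS inspection is bounded by the preset map's 512-byte maximum message length.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
!
! Interface policy (pages 608-615). Only one service policy can be applied per interface; its actions
! take precedence over the global policy for the features they match, and traffic is matched against
! the classes top-down. The ACL, names, server address and limits below are assumptions for this example.
access-list WEB_SERVER_IN extended permit tcp any host 10.1.2.30 eq 80
class-map WEB_SERVER_CLASS
 match access-list WEB_SERVER_IN
! Management class (pages 614 and 616): to-the-box traffic, here SSH arriving on the outside interface.
class-map type management MGMT_SSH_CLASS
 match port tcp eq 22
policy-map OUTSIDE_POLICY
 class WEB_SERVER_CLASS
  set connection conn-max 2000 embryonic-conn-max 200 per-client-embryonic-max 20
  inspect http
 class MGMT_SSH_CLASS
  set connection conn-max 20 embryonic-conn-max 5
service-policy OUTSIDE_POLICY interface outside
!
! Verify which class each feature is applied under and the current connection counts.
show service-policy interface outside
```

The embryonic limits are the part worth keeping even on small deployments: once the half-open count for the class is exceeded the appliance proxies the TCP handshake for new connections, so a SYN flood against the web server or against the SSH listener is absorbed before it reaches the host or the control plane. The management class accepts only conn-max and embryonic-conn-max, as page 616 states; the per-client keywords are rejected there.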
  • Page 617 Chapter 29 Configuring a Service Policy Feature History for Service Policies Cisco ASA 5500 Series Configuration Guide using ASDM 29-17 OL-20339-01...
  • Page 631 PART Configuring Access Control
  • Page 633 ...EtherType. This section includes the following topics: • General Information About Rules, page 30-2 • Information About Access Rules, page 30-4 • Information About EtherType Rules, page 30-5
  • Page 634 After a match is found, no more rules are checked. For example, if you create an access rule at the beginning that explicitly permits all traffic for an interface, no further rules are ever checked. You can disable a rule by making it inactive.
  • Page 635 (See Figure 30-1.) The outbound access list prevents any other hosts from reaching the outside network.
  • Page 636 This section describes access rules and includes the following topics: • Access Rules for Returning Traffic, page 30-5 • Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules, page 30-5
  • Page 637 Information About EtherType Rules. This section describes EtherType rules and includes the following topics: • Supported EtherTypes, page 30-6
  • Page 638 ...LDP or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.) On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the adaptive security appliance.
  • Page 639 The management interface is for management only and cannot be used to configure an access rule. Step 4 In the Action field, click one of the following radio buttons next to the desired action: • Permit: Permits access if the conditions are matched.
  • Page 640 EtherType rules take precedence over the extended access rules. For more information about EtherType rules, see the “Information About Access Rules” section on page 30-1. To add an EtherType rule, perform the following steps:
  • Page 641 ...Insert and Insert After items. These items either insert a new rule before the selected rule (Insert) or after the selected rule (Insert After).
  • Page 642 Step 5 In the Source field, choose Any, or click the ellipsis (...) to browse for an address. Step 6 In the Service field, add a service name for rule traffic, or click the ellipsis (...) to browse for a service.
  • Page 643 Restricting the number of deny-flows prevents unlimited consumption of memory and CPU resources.
  • Page 644 Click the Advanced button. Step 3 Check the Enable Object Group Search Algorithm check box. For more information about access rules, see the “Information About Access Rules” section on page 30-1.
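To show what the access rule dialogs of pages 633 to 645 produce, the following CLI is an added example (not text from the guide) covering an inbound interface rule, the outbound list of page 635, a global rule, an EtherType rule for transparent mode, the deny-flow limit of page 643 and the object group search option of page 644. Addresses, names and limits are assumptions. One caveat that matters on 8.3: access rules now match the real, untranslated address, so a server published through NAT is permitted by its inside address rather than its mapped one.

```cisco
! Inbound rule on the outside interface (pages 633-642). Rules are evaluated top-down and the first
! match wins, so the specific permits come before the closing deny. Since 8.3 the access rule matches
! the real (untranslated) address, so the server is named by its inside address.
! Addresses, names and limits in this example are assumptions.
access-list OUTSIDE_IN extended permit tcp any host 10.1.2.30 eq 21
access-list OUTSIDE_IN extended permit tcp any host 10.1.2.30 eq 80
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
! Return traffic for connections permitted above is allowed by the connection state, not by a second rule.
!
! Outbound access list (page 635): applied in the out direction on the outside interface it covers
! traffic leaving from every inside interface, so only the listed host reaches the outside network.
access-list OUTBOUND extended permit ip host 10.1.2.20 any
access-list OUTBOUND extended deny ip any any
access-group OUTBOUND out interface outside
!
! Global access rule (page 645, introduced in 8.3(1)): evaluated after the interface rules on every interface.
access-list GLOBAL_ACL extended deny ip any any log
access-group GLOBAL_ACL global
!
! EtherType rule (pages 637-640, transparent firewall mode only): pass MPLS unicast and BPDU frames.
! EtherType rules are checked before the extended rules on the same interface.
access-list ETH ethertype permit mpls-unicast
access-list ETH ethertype permit bpdu
access-group ETH in interface inside
!
! Deny-flow limit (page 643) bounds the memory and CPU spent tracking denied flows for logged ACEs;
! object group search (page 644) trades lookup speed for memory on ACLs built from large object groups.
access-list deny-flow-max 1024
access-list alert-interval 300
object-group-search access-control
!
! Verify hit counts per ACE and which list is bound where.
show access-list OUTSIDE_IN
show run access-group
```

The log keyword on the closing deny is what makes the deny-flow limit relevant: each distinct denied flow that is logged consumes a flow entry until it ages out, and deny-flow-max caps that table so a scan cannot exhaust memory. When the cap is reached the appliance logs a warning at the alert interval instead of creating more entries.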
  • Page 645 The following screen was introduced: Configuration > Firewall > Access Rules. Global access rules, 8.3(1): Global access rules were introduced. The following screen was modified: Configuration > Firewall > Access Rules.
  • Page 646 Chapter 30 Configuring Access Rules, Feature History for Access Rules.
  • Page 647: AAA Overview

    You can use accounting alone, or with authentication and authorization. This section includes the following topics: • About Authentication, page 31-2 • About Authorization, page 31-2 • About Accounting, page 31-3
  • Page 648 The adaptive security appliance caches the first 16 authorization requests per user, so if the user accesses the same services during the current authentication session, the adaptive security appliance does not resend the request to the authorization server.
  • Page 649 (Table: which AAA services each database type supports. Columns: Local, RADIUS, TACACS+, SDI (RSA), NT, Kerberos, LDAP, HTTP Form. Rows: Authentication of, Authorization of, and Accounting of VPN users, firewall sessions, and administrators.)
  • Page 650: Authentication Methods

    ...VPN connection, password management must be enabled in the tunnel group general attributes. Enabling password management generates an MS-CHAPv2 authentication request from the adaptive security appliance to the RADIUS server. See the description of the password-management command for details.
  • Page 651 • Microsoft VSAs, defined in RFC 2548. • Cisco VSA (Cisco-Priv-Level), which provides a standard 0-15 numeric ranking of privileges, with 1 being the lowest level and 15 being the highest level. A zero level indicates no privileges. The first level (login) allows privileged EXEC access for the commands available at this level.
  • Page 652 Note: The adaptive security appliance does not support changing user passwords during tunnel negotiation. To avoid this situation happening inadvertently, disable password expiration on the Kerberos/Active Directory server for users connecting to the adaptive security appliance.
  • Page 653 ...VPN services are unavailable. The authentication-server-group command, available in tunnel-group general attributes mode, lets you specify the LOCAL keyword when you are configuring attributes of a tunnel group. When a VPN client of an administrator specifies a tunnel...
  • Page 654 To add a server group, perform the following steps: Step 1 Choose Configuration > Device Management > Users/AAA > AAA Server Groups. Step 2 In the AAA Server Groups area, click Add.
  • Page 655 ...ACL received from RADIUS should be merged with a Cisco AV-pair ACL: – Do not merge – Place the downloadable ACL after Cisco AV-pair ACL – Place the downloadable ACL before Cisco AV-pair ACL
  • Page 656 The following sections list the unique fields for each server type when you add a server to a server group: • RADIUS Server Fields, page 31-11 • TACACS+ Server Fields, page 31-12 • SDI Server Fields, page 31-13
  • Page 657 Note: Although the password is required by the RADIUS protocol and the RADIUS server, users do not need to know it.
  • Page 658 ...TACACS+ server. If you do not know the server secret, ask the TACACS+ server administrator. The maximum field length is 64 characters.
  • Page 659 ...“Adding a Server to a Group” section on page 31-10. Field: Server Port. Description: Server port number 88, or the UDP port number over which the adaptive security appliance communicates with the Kerberos server.
  • Page 660 • Windows 2000 • Windows XP • Windows.NET. You must enter the correct realm name for the server whose IP address you entered in the Server IP Address field.
  • Page 661 Naming Attribute(s): The Relative Distinguished Name attribute (or attributes) that uniquely identifies an entry on the LDAP server. Common naming attributes are Common Name (CN), sAMAccountName, userPrincipalName, and User ID (uid).
  • Page 662 LDAP Attribute Map: The LDAP attribute maps that you can apply to the LDAP server. Used to map Cisco attribute names to user-defined attribute names and values. See the “Configuring LDAP Attribute Maps” section on page 31-22.
  • Page 663 The name of a user password parameter (not a specific password value) that must be submitted as part of the HTTP form used for SSO authentication. The maximum number of characters is 128, and there is no minimum.
  • Page 664 ...“Configuring the Hostname, Domain Name, and Passwords” section on page 9-1). However, if you enter a username and password at the login screen (instead of leaving the username blank), ASDM checks the local database for a match.
  • Page 665 ...Perform authorization for exec shell access option on the Configuration > Device Management > Users/AAA > AAA Access > Authorization tab. Choose one of the following options:
  • Page 666 ...Configuration > Device Management > Users/AAA > User Accounts pane, click Add. The Add User Account-Identity dialog box appears. Step 2 In the left-hand pane, click VPN Policy.
  • Page 667 ...NT/AD file shares (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites. – The SSL VPN Client lets users connect after downloading the Cisco AnyConnect Client application. Users use a clientless SSL VPN connection to download this application the first time.
  • Page 668 You must create LDAP attribute maps that map your existing user-defined attribute names and values to Cisco attribute names and values that are compatible with the adaptive security appliance. You can then bind these attribute maps to LDAP servers or remove them, as needed.
  • Page 669 To map the LDAP attribute names used in your organization to their Cisco counterparts on the adaptive security appliance, perform the following steps: Step 1 Choose Configuration > Remote Access VPN > AAA Local Users > LDAP Attribute Map, and then click Add.
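The server group, server field and LDAP attribute map steps of pages 654 to 669 correspond to the following CLI, added here as an example and not taken from the guide. Server addresses (10.1.1.5 to 10.1.1.7), group and map names, the directory DNs and the group policy name ADMIN_POLICY are assumptions; the secrets in angle brackets are placeholders that must be replaced before the configuration is applied.

```cisco
! TACACS+ group for administrator AAA (pages 654-658). The server secret (up to 64 characters) must match
! the server; depletion mode with a deadtime keeps a failed server out of rotation for 10 minutes.
! Addresses, names and placeholder secrets are assumptions for this example.
aaa-server TACGRP protocol tacacs+
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server TACGRP (inside) host 10.1.1.6
 key <tacacs-secret>
 timeout 5
!
! RADIUS group (pages 655-657), with the downloadable-ACL merge option of page 655.
aaa-server RADGRP protocol radius
 merge-dacl before-avpair
aaa-server RADGRP (inside) host 10.1.1.5
 key <radius-secret>
 authentication-port 1812
 accounting-port 1813
!
! LDAP attribute map (pages 668-669): map the AD memberOf value onto an appliance group policy so that
! only members of the named group receive ADMIN_POLICY; a user without a mapped value gets no match.
ldap attribute-map AD_MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN-Admins,OU=Groups,DC=example,DC=com" ADMIN_POLICY
! LDAP group and server fields (pages 661-662). The bind account needs read access only; use LDAP over SSL
! so the bind password and user passwords do not cross the network in cleartext.
aaa-server LDAPGRP protocol ldap
aaa-server LDAPGRP (inside) host 10.1.1.7
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-attribute-map AD_MAP
!
! Administrator access (pages 664-665): external authentication with LOCAL fallback, so losing the TACACS+
! servers does not lock out the console; exec authorization takes the privilege level from the server.
username admin password <strong-password> privilege 15
aaa authentication ssh console TACGRP LOCAL
aaa authentication http console TACGRP LOCAL
aaa authentication enable console TACGRP LOCAL
aaa authorization exec authentication-server
aaa authorization command TACGRP LOCAL
aaa accounting command TACGRP
aaa local authentication attempts max-fail 5
!
! Check a server before relying on it, then watch group state during a failover test.
test aaa-server authentication TACGRP host 10.1.1.6 username admin password <strong-password>
show aaa-server TACGRP
```

The LOCAL fallback is only reached when every server in the group is unreachable, not when a server rejects the credentials, so it does not weaken the external policy; what it does require is that the local admin account carry a strong password and that aaa local authentication attempts max-fail be set, since that account is the one an attacker will target if the servers are taken offline.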
  • Page 670 (Monitoring table.) Shows the Zone Labs Integrity server configuration: choose Tools > Command Line Interface, then press Send. Applies only to AD servers using LDAP, and shows groups that are listed on an AD server: choose Tools > Command Line Interface, then press Send.
  • Page 671 Additional References. For additional information related to implementing LDAP mapping, see the following sections: • Related Documents, page 31-26 • RFCs, page 31-26
  • Page 672 (Related documents table.) List of Cisco LDAP attribute names and values; extracting data from the HTTP GET and POST exchanges when using HTTP Form (if logging into the authenticating web server directly, instead of through...): Cisco ASA 5500 Series Configuration Guide using the CLI.
• Page 673 You can manage the adaptive security appliance using ASDM, Telnet, or SSH. SSH is an application running on top of a reliable transport layer, such as TCP/IP, that provides strong authentication and encryption capabilities. Telnet carries credentials and session contents in cleartext, so prefer SSH and ASDM (HTTPS) for management.
• Page 674 For SSH sessions, the default timeout value is 5 minutes. To change this value, type a new one in the SSH Timeout field. Step 11 Click Apply. The changes are saved to the running configuration.
• Page 675 Step 1 Choose the Configuration > Device Management > Management Access > Command Line (CLI) > Banner pane, and add your banner text to the field for the type of banner you are creating for the CLI:
• Page 676 traffic. This might happen when there is an interface failure above the threshold on the standby unit. Detailed Steps
• Page 677 Configuring the Adaptive Security Appliance as a Secure Copy Server, page 32-6; Configuring the Adaptive Security Appliance as a TFTP Client, page 32-6; Adding Mount Points, page 32-7
• Page 678 TFTP server using File > Save Running Configuration to TFTP Client or Tools > Command Line Interface. In this way, you can back up and propagate configuration files to multiple adaptive security appliances. TFTP has no authentication or encryption, and the saved configuration contains credentials, so reach the TFTP server only over a management network.
• Page 679 Step 4 In the Server Name or IP Address field, add the name or IP address of the server where the mount point is located. Step 5 In the Share Name field, add the name of the folder on the CIFS server.
• Page 680 Step 10 Click OK. The dialog box closes. Step 11 Click Apply. The mount point is added to the adaptive security appliance and the change is saved to the running configuration.
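The following CLI configuration is an added example, not the guide's own text. It collects the commands behind the Management Access panes covered on pages 673 through 680: SSH and ASDM access restricted to one subnet, session timeout, CLI banners, the Secure Copy server, the TFTP client target, and a CIFS mount point. The hostname, subnet, server addresses, share name and credentials are placeholders.

```cisco
! Added example (not from the guide). Addresses, names and secrets are assumptions.
hostname asa1
domain-name example.com
crypto key generate rsa modulus 2048        ! host key used by SSH and SCP
!
! SSH and ASDM only from the management subnet; Telnet is left disabled.
ssh 10.1.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 10                              ! idle minutes (default 5)
http server enable
http 10.1.1.0 255.255.255.0 inside
!
! CLI banners (the Banner pane): "login" is shown before the password prompt,
! "motd" after login, "exec" when the session enters EXEC mode.
banner login Authorized administrators only. All activity is logged.
banner motd asa1: configuration changes require a change ticket.
!
! Secure Copy server: a workstation can pull files over the SSH session.
ssh scopy enable
!   copy running-config disk0:/asa1-backup.cfg
!   scp admin@10.1.1.1:disk0:/asa1-backup.cfg ./asa1-backup.cfg   (from a workstation)
!
! TFTP client default target used by "write net" and File > Save Running
! Configuration to TFTP Client.
tftp-server inside 10.1.1.5 /configs/asa1.cfg
!
! CIFS mount point (Adding Mount Points, page 32-7); the share holds backups.
mount BACKUPS type cifs
 server 10.1.1.30
 share asa-backups
 domain EXAMPLE
 username asa-backup
 password <share-password>
 status enable
!   After "status enable", the mount name is used as a file-system prefix
!   (assumed usage): copy running-config BACKUPS:/asa1-running.cfg
!
! Verification:
!   show ssh sessions
!   show running-config ssh
!   show running-config mount
```

The SSH restriction is an allow list: only hosts matching a configured ssh line can complete the TCP handshake to port 22 on that interface, which limits exposure of the management plane even before authentication.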
• Page 681 Add a specific IP address for the host or network. Click Any Address and go to Step. Step 7 From the Mask drop-down list, choose the network mask.
• Page 682 AAA server according to Chapter 31, "AAA Server and Local Database Support." This section includes the following topics: Configuring Authentication for CLI, ASDM, and enable command Access, page 32-11
• Page 683 HTTPS. You only need to configure HTTP authentication if you want to use a AAA server. By default, ASDM uses the local database for authentication even if you do not configure this command.
• Page 684 RADIUS or LDAP (mapped) users—Use the IETF RADIUS numeric Service-Type attribute, which maps to one of the following values. Service-Type 6 (Administrative)—Allows full access to any services specified by the Authentication tab options.
• Page 685 This section describes command authorization and includes the following topics: Supported Command Authorization Methods, page 32-14; About Preserving User Credentials, page 32-14; Security Contexts and Command Authorization, page 32-15
• Page 686 The following table shows how credentials are used in this case by the adaptive security appliance. The table's columns are Serial Authentication (username and password), Privileged Mode Authorization (privileged mode password), Command Authorization, and Privileged Mode Exit Authorization; its first row lists the credentials required for each.
• Page 687 LDAP server (if you map LDAP attributes to RADIUS attributes; see the "Configuring LDAP Attribute Maps" section on page 31-22). This section includes the following topics: Local Command Authorization Prerequisites, page 32-16
• Page 688 To configure the local database, see the "Adding a User Account" section on page 31-18. RADIUS users—Configure the user with the Cisco VSA CVPN3000-Privilege-Level with a value between 0 and 15. LDAP users—Configure the user with a privilege level between 0 and 15, and then map the...
• Page 689 This option also enables management authorization for local, RADIUS, LDAP (mapped), and TACACS+ users. See the "Limiting User CLI and ASDM Access with Management Authorization" section on page 32-12 for more information. Step 5 Click Apply.
• Page 690 If you enable TACACS+ command authorization, and a user enters a command at the CLI, the adaptive security appliance sends the command and username to the TACACS+ server to determine if the command is authorized.
• Page 691 32-15). Configuring Commands on the TACACS+ Server: You can configure commands on a Cisco Secure Access Control Server (ACS) TACACS+ server as a shared profile component, for a group, or for individual users. For third-party TACACS+ servers, see your server documentation for more information about command authorization support.
• Page 692 For example, to allow enable but not enable password, enter enable in the commands field and deny password in the arguments field. Be sure to check the Permit Unmatched Args check box so that enable alone is still allowed (see Figure 32-3).
• Page 693 We recommend that you allow the following basic commands for all users: show checksum, show curpriv, enable, help, show history, login, logout, pager
• Page 694 For information about configuring a AAA server group, see the "Configuring AAA Server Groups" section on page 31-8. For CLI access, you can use TACACS+ or RADIUS servers. For command accounting, you can only use TACACS+ servers. Detailed Steps
• Page 695 Table 32-1 show curpriv Command Output Description. Field Username—Username. If you are logged in as the default user, the name is enable_1 (user EXEC) or enable_15 (privileged EXEC).
• Page 696 Configure the local database as a fallback method so you do not get locked out when the server is down. The fallback is used only when every server in the group is unreachable, not when a server rejects the credentials, so a local account cannot be used to bypass a reachable server.
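The following CLI configuration is an added example, not text from the guide. It puts together the pieces of Configuring AAA for System Administrators described on pages 682 through 696: authentication of each management path against a TACACS+ group with LOCAL fallback, management authorization, command authorization with local privilege levels as the fallback, and command accounting (TACACS+ only). The server address, shared secret, user names and privilege assignments are placeholders.

```cisco
! Added example (not from the guide). Addresses, secrets and names are assumptions.
aaa-server TACACS-ADMIN protocol tacacs+
aaa-server TACACS-ADMIN (inside) host 10.1.1.5
 key <tacacs-shared-secret>
!
! One local break-glass account so an unreachable TACACS+ server cannot lock
! administrators out (page 696). LOCAL is consulted only when the group is down.
username breakglass password <strong-password> privilege 15
aaa local authentication attempts max-fail 5     ! lock local accounts after 5 failures
!
! Authentication per management path; the serial console stays local.
aaa authentication ssh console TACACS-ADMIN LOCAL
aaa authentication http console TACACS-ADMIN LOCAL
aaa authentication enable console TACACS-ADMIN LOCAL
aaa authentication serial console LOCAL
!
! Management authorization (page 684): after a successful login the server's
! Service-Type (RADIUS/LDAP-mapped) or TACACS+ service decides whether the user
! may open a CLI or ASDM session at all.
aaa authorization exec authentication-server
!
! Command authorization by the TACACS+ server, local privilege levels as fallback.
aaa authorization command TACACS-ADMIN LOCAL
!
! Local privilege levels used when LOCAL is in effect: read-only "show" at
! level 5, "clear" at level 10, configuration mode at level 15 (default).
privilege show level 5 command running-config
privilege show level 5 command access-list
privilege cmd  level 10 command clear
privilege cmd  level 15 command configure
username reader password <reader-password> privilege 5
!
! Accounting: every command entered at level 15 or below, plus session start/stop.
aaa accounting command privilege 15 TACACS-ADMIN
aaa accounting ssh console TACACS-ADMIN
aaa accounting enable console TACACS-ADMIN
!
! Verification:
!   show curpriv                        (Table 32-1: username and current level)
!   show aaa-server TACACS-ADMIN        (server reachability and counters)
!   test aaa-server authentication TACACS-ADMIN host 10.1.1.5 username jdoe password <pw>
```

Apply these lines from a console session, or keep a second SSH session open, while you verify that the TACACS+ group accepts a login; a typo in the shared secret makes the server unreachable from the appliance's point of view, which is exactly the case the LOCAL fallback exists for.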
• Page 697 ...cannot enter any more commands. From the system execution space, you can change to the context and change the user level.
• Page 698 Chapter 32 Configuring Management Access: Configuring AAA for System Administrators
• Page 699 Enabling the Redirection Method of Authentication for HTTP and HTTPS, page 33-5; Enabling Secure Authentication of Web Clients, page 33-5; Authenticating Directly with the Adaptive Security Appliance, page 33-6; Configuring the Authentication Proxy Limit, page 33-9
• Page 700 (configured in the Configuration > Firewall > AAA Rules > Advanced > AAA Rules Advanced Options dialog box; see the "Enabling the Redirection Method of Authentication for HTTP and HTTPS" section on page 33-5).
• Page 701 Then users do not see the authentication page. Instead, the adaptive security appliance sends the web browser an error message indicating that the user must be authenticated prior to using the requested service.
• Page 702 13-15. Step 10 Click OK. The dialog box closes and the rule appears in the AAA Rules table. Step 11 Click Apply. The changes are saved to the running configuration.
• Page 703 Enable the redirection method of authentication for HTTP—See the "Enabling the Redirection Method of Authentication for HTTP and HTTPS" section on page 33-5. This method prevents the authentication credentials from continuing to the destination server.
• Page 704 HTTP, HTTPS, or Telnet. Authenticating Telnet Connections with a Virtual Server, page 33-7; Authenticating HTTP(S) Connections with a Virtual Server, page 33-7
• Page 705 "Enabling the Redirection Method of Authentication for HTTP and HTTPS" section on page 33-5. However, if you continue to use basic HTTP authentication, then you might need the virtual HTTP server when you have cascading HTTP authentications.
• Page 706 Display redirection warning check box. This enables an alert to notify users when the HTTP connection is being redirected. Step 4 Click Apply. The virtual server is added and the changes are saved to the running configuration.
• Page 707 The adaptive security appliance enforces the authorization rule in the response. See the documentation for your TACACS+ server for information about configuring network access authorizations for a user.
• Page 708 When authentication succeeds, the RADIUS protocol returns user authorizations in the access-accept message sent by a RADIUS server. For more information about configuring authentication, see the "Configuring Authentication for Network Access" section on page 33-1.
• Page 709 This approach is most useful when you have very large access list sets that you want to apply to more than one Cisco Secure ACS user or group; however, its ability to simplify Cisco Secure ACS user and group management makes it useful for access lists of any size.
• Page 710 Because the name of the downloadable access list includes the date and time it was last modified, matching the name sent by Cisco Secure ACS to the name of an access list previously downloaded means that the adaptive security appliance has the most recent version of the downloadable access list.
• Page 711 Configuring AAA Rules for Network Access; Configuring Authorization for Network Access. If the access list required is more than approximately 4 KB in length, Cisco Secure ACS responds with an access-challenge message that contains a portion of the access list, formatted as described above, and a State attribute (IETF RADIUS attribute 24), which contains control data used by Cisco Secure ACS to track the progress of the download.
• Page 712 If this parameter is omitted, the sequence value is 0, and the order of the ACEs inside the cisco-av-pair RADIUS VSA is used. The following example is an access list definition as it should be configured for a cisco-av-pair VSA on a RADIUS server: ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0...
• Page 713 For information about making the filter-id attribute value unique per user, see the documentation for your RADIUS server. See the Cisco ASA 5500 Series Configuration Guide using the CLI to create an access list on the adaptive security appliance. Configuring Accounting for Network Access: The adaptive security appliance can send accounting information to a RADIUS or TACACS+ server about any TCP or UDP traffic that passes through the adaptive security appliance.
• Page 714 MAC exempt rule to exempt from authentication and authorization any traffic from the host specified by the rule. This feature is particularly useful to exempt devices such as IP phones that cannot respond to authentication prompts. The appliance only sees the MAC address of the last hop, and a MAC address is easy to spoof, so keep exempt lists short and specific.
• Page 715 ...to match the MAC address exactly; ffff.ffff.0000 matches only the first 8 digits. Step 17 Click OK. The dialog box closes and the rule appears in the AAA Rules table. Step 18 Click Apply. The changes are saved to the running configuration.
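The following CLI configuration is an added example, not the guide's own, and serves two passages of Chapter 33 at once: the cut-through proxy AAA rules for network access (authentication with redirection, secure web authentication, a virtual Telnet server, TACACS+ authorization, accounting, the proxy limit, and MAC exemption, pages 699 through 715) and the per-user access lists returned by RADIUS (pages 709 through 713). The server addresses, subnets, attribute contents and MAC addresses are placeholders.

```cisco
! Added example (not from the guide). Addresses, names and secrets are assumptions.
aaa-server RADIUS-NET protocol radius
aaa-server RADIUS-NET (inside) host 10.1.1.6
 key <radius-shared-secret>
aaa-server TACACS-NET protocol tacacs+
aaa-server TACACS-NET (inside) host 10.1.1.5
 key <tacacs-shared-secret>
!
! Authenticate web and Telnet from the user LAN before it may pass.
access-list AUTH-MATCH extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list AUTH-MATCH extended permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list AUTH-MATCH extended permit tcp 10.1.1.0 255.255.255.0 any eq telnet
aaa authentication match AUTH-MATCH inside RADIUS-NET
!
! Redirection method (page 703): the browser is sent to the appliance's own
! listener, so the credentials never travel on to the destination web server.
aaa authentication listener http inside port www redirect
aaa authentication listener https inside port https redirect
aaa authentication secure-http-client           ! prompt over HTTPS, never basic auth in the clear
!
! Virtual Telnet server for users whose first protocol is not authenticable
! (page 704); the address must be unused and routed to the appliance (assumption).
virtual telnet 10.1.1.10
!
! RADIUS returns per-user authorization inside the Access-Accept (page 708):
!   (a) downloadable ACL in the cisco-av-pair VSA; ACEs are ordered by the
!       number after "inacl#", whatever order the server sends them in:
!         ip:inacl#1=permit tcp any host 10.1.2.10 eq 443
!         ip:inacl#2=permit udp any host 10.1.2.53 eq 53
!         ip:inacl#3=deny ip any 10.1.2.0 255.255.255.0 log
!         ip:inacl#4=permit ip any any
!   (b) filter-id (IETF attribute 11) = "CONTRACTOR-ACL", naming an ACL that
!       must already exist on the appliance:
access-list CONTRACTOR-ACL extended permit tcp any host 10.1.2.10 eq 443
access-list CONTRACTOR-ACL extended permit udp any host 10.1.2.53 eq domain
access-list CONTRACTOR-ACL extended deny ip any 10.1.2.0 255.255.255.0 log
access-list CONTRACTOR-ACL extended permit ip any any
!
! TACACS+ authorization is a separate per-connection query (page 707).
access-list AUTHZ-MATCH extended permit tcp 10.1.1.0 255.255.255.0 any
aaa authorization match AUTHZ-MATCH inside TACACS-NET
!
! Accounting for all TCP/UDP sessions from the user LAN (page 713).
access-list ACCT-MATCH extended permit tcp 10.1.1.0 255.255.255.0 any
access-list ACCT-MATCH extended permit udp 10.1.1.0 255.255.255.0 any
aaa accounting match ACCT-MATCH inside RADIUS-NET
!
! Limit concurrent unanswered authentication prompts (page 699, default 16).
aaa proxy-limit 16
!
! Cached authentication lifetime: 30 minutes absolute, 10 minutes idle.
timeout uauth 0:30:00 absolute
timeout uauth 0:10:00 inactivity
!
! MAC exemption (pages 714 and 715): one exact phone, one vendor prefix
! (ffff.ffff.0000 compares only the first 8 hex digits).
mac-list PHONES permit 0003.e3aa.bbcc ffff.ffff.ffff
mac-list PHONES permit 0003.e300.0000 ffff.ffff.0000
aaa mac-exempt match PHONES
!
! Verification:
!   show uauth                 (authenticated users and cached ACL names)
!   show access-list           (downloaded ACLs appear as #ACSACL# entries)
```

The deny entry with the log keyword in the contractor ACL is deliberate: a downloaded ACL ends in an implicit deny, so the explicit entry exists only to make rejected attempts visible in syslog, which is what an investigator will look for later.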
• Page 716 Chapter 33 Configuring AAA Rules for Network Access: Using MAC Addresses to Exempt Traffic from Authentication and Authorization
• Page 717 However, depending on the speed of your network and the capacity of your web traffic filtering server, the time required for the initial connection may be noticeably slower when filtering traffic with an external filtering server.
• Page 718 If user authentication is enabled on the adaptive security appliance, then the adaptive security appliance also sends the username to the filtering server. The filtering server can use user-specific filtering settings or provide enhanced reporting about usage.
• Page 719 If you chose the Websense option, the Add Parameters for Websense URL Filtering dialog box appears. Choose the interface on which the URL filtering server is connected from the drop-down list. Enter the IP address of the URL filtering server.
• Page 720 Note: Requests for cached IP addresses are not passed to the filtering server and are not logged. As a result, this activity does not appear in any reports. This section describes how to configure additional URL filtering settings and includes the following topics:
• Page 721 ...URL request and the URL destination address. Choose this setting if users do not share the same URL filtering policy on the server. Step 4 Enter the cache size within the range from 1 to 128 (KB).
• Page 722 Enter the source of the traffic to which the filtering action applies. To enter the source, choose from the following options: Enter any to indicate any source address.
• Page 723 Enter the destination of the traffic to which the filtering action applies. To enter the destination, choose from the following options: Enter any to indicate any destination address. Enter a hostname.
• Page 724 1 to 65535. Additionally, you can use the following modifiers with the TCP service: !=—Not equal to. For example, !=tcp/443. <—Less than. For example, <tcp/2000.
• Page 725 1 to 65535. Additionally, you can use the following modifiers with the TCP service: !=—Not equal to. For example, !=tcp/443. <—Less than. For example, <tcp/2000. >—Greater than. For example, >tcp/2000. -—Range. For example, tcp/2000-3000.
• Page 726 Check the Block interactive FTP sessions (block if absolute FTP path is not provided) check box to drop FTP requests that use a relative path name to the FTP directory.
• Page 727 Step 10 To remove a filter rule and place it elsewhere, click Cut. Step 11 To copy a filter rule, click Copy. Then to move the copied filter rule elsewhere, click Paste.
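The following CLI configuration is an added example and not part of the guide. It shows the commands behind the Chapter 34 URL filtering panes (pages 717 through 727): an external Websense server, the verdict cache, HTTP, HTTPS and FTP filter rules with an exception, and the response buffer. The server address, subnets and sizes are placeholders.

```cisco
! Added example (not from the guide). Addresses, subnets and sizes are assumptions.
!
! External Websense server on the inside interface, TCP protocol version 4,
! 30 s timeout, up to 5 parallel connections.
url-server (inside) vendor websense host 10.1.1.40 timeout 30 protocol TCP version 4 connections 5
!
! Cache verdicts by destination only (all users share one policy); 128 KB is the
! maximum. Cached hits are answered locally, so they never appear in the
! server's reports (page 720). Use "url-cache src_dst" when policies differ per user.
url-cache dst 128
!
! Filter HTTP from the user LAN to anywhere. The trailing "allow" makes the
! appliance fail open (pass traffic) when the filtering server is unreachable;
! omit it to fail closed. The exception exempts the internal patch server.
filter url http 10.1.1.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
filter url except 10.1.1.0 255.255.255.0 10.1.2.50 255.255.255.255
!
! HTTPS filtering (by server address and certificate name only) and FTP
! filtering; interact-block drops FTP requests that carry no absolute path,
! the "Block interactive FTP sessions" check box on page 726.
filter https 443 10.1.1.0 255.255.255.0 0.0.0.0 0.0.0.0
filter ftp 21 10.1.1.0 255.255.255.0 0.0.0.0 0.0.0.0 interact-block
!
! Buffer up to 128 web server responses that arrive before the verdict, so a
! fast server does not deliver the page before the filter answers.
url-block block 128
!
! Verification:
!   show url-server stats
!   show url-cache stats
!   show running-config filter
```

Decide the fail-open versus fail-closed behaviour explicitly: with the allow keyword an outage of the filtering server silently removes the control, while without it the same outage becomes a visible web outage for every user behind the rule.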
• Page 728 ...ASDM release in which support was added is not listed. Table 34-2 Feature History for URL Filtering: URL filtering, platform release 7.0(1), filters URLs based on an established set of filtering criteria.
• Page 729 Code-signer certificates are special certificates that are used to create digital signatures to sign code, with the signed code itself revealing the certificate origin. For more information, see the "Configuring Code Signer Certificates" section on page 35-20.
• Page 730 For example, most web browsers are configured with the root certificates of several CAs by default. For VPN, the IKE protocol, a component of IPsec, can use digital signatures to authenticate peer devices before setting up security associations.
• Page 731 SSL uses its key to protect the key exchange (encryption) rather than to sign, whereas IKE uses its key to sign authentication data rather than to encrypt. Using a separate key pair for each limits what an exposed key can be used for.
• Page 732 The adaptive security appliance can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each trustpoint are cached for a configurable amount of time per trustpoint.
• Page 733 ...tried in this order: the OCSP URL defined in a match certificate override rule (match certificate command); the OCSP URL configured with the ocsp url command; the AIA field of the client certificate.
• Page 734 CRL inquiries coming from other certificate-validating devices and adaptive security appliances. Local CA database and configuration files are maintained either in the adaptive security appliance flash memory (default storage) or on a separate storage device.
• Page 735 For site-to-site VPNs, you must enroll each adaptive security appliance. For remote access VPNs, you must enroll each adaptive security appliance and each remote access VPN client.
• Page 736 For adaptive security appliances configured as CA servers or clients, limit the validity period of the certificate so that it ends before 03:14:08 UTC, January 19, 2038 (the limit of a signed 32-bit time value). This guideline also applies to certificates imported from third-party vendors.
• Page 737 The Install Certificate dialog box appears. The selected trustpoint name appears in read-only format. Step 3 To add a certificate configuration from an existing file, click the Install from a file radio button (this is the default setting).
• Page 738 Step 2 To remove a CA certificate configuration, select it, and then click Delete. Note: After you delete a certificate configuration, it cannot be restored. To recreate the deleted certificate, click Add to reenter all of the certificate configuration information.
• Page 739 Configuring CRL Retrieval Policy. To configure the CRL retrieval policy, perform the following steps: Step 1 In the Configuration Options for CA Certificates pane, click the CRL Retrieval Policy tab.
• Page 740 To enable SCEP for CRL retrieval, check the Enable Simple Certificate Enrollment Protocol (SCEP) check box. Step 3 Click OK to close this tab. Alternatively, to continue, see the "Configuring OCSP Rules" section on page 35-13.
• Page 741 The adaptive security appliance supports two methods of checking revocation status: CRL and OCSP. To configure additional CRL and OCSP settings, perform the following steps: Step 1 In the Configuration Options for CA Certificates pane, click the Advanced tab.
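The following CLI configuration is an added example, not the guide's own. It shows a trustpoint equivalent to the CA Certificates, CRL Retrieval Policy and OCSP settings described on pages 732 through 741: a 2048-bit key pair, SCEP enrollment, OCSP checked first with a CRL fallback, explicit CRL URLs with a cache lifetime, and the resulting certificate bound to the SSL listener. The CA, OCSP and CRL URLs, the subject name and the key label are placeholders.

```cisco
! Added example (not from the guide). URLs, names and the key label are assumptions.
crypto key generate rsa label SSL-KEY modulus 2048
!
crypto ca trustpoint CORP-CA
 enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
 subject-name CN=asa1.example.com,O=Example Corp,C=US
 fqdn asa1.example.com
 keypair SSL-KEY
 ! Revocation: ask OCSP first, fall back to the CRL if OCSP is unreachable;
 ! a certificate is rejected if neither method gives an answer.
 revocation-check ocsp crl
 ocsp url http://ocsp.example.com
 crl configure
  policy both                          ! CDP from the certificate, then the static URLs
  url 1 http://crl.example.com/corp-ca.crl
  cache-time 60                        ! minutes a retrieved CRL is reused
  enforcenextupdate                    ! refuse a CRL whose NextUpdate has passed
!
crypto ca authenticate CORP-CA         ! fetches the CA certificate; compare the fingerprint
crypto ca enroll CORP-CA               ! SCEP request; prompts for the challenge password
!
! Use the issued certificate for ASDM and SSL VPN on the outside interface.
ssl trust-point CORP-CA outside
!
! Verification:
!   show crypto ca certificates CORP-CA
!   show crypto ca crls
!   debug crypto ca 3
```

Verify the CA fingerprint shown by crypto ca authenticate against a value obtained out of band; the HTTP SCEP channel itself is unauthenticated, and accepting the wrong CA certificate there would let an attacker issue certificates the appliance trusts.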
• Page 742 In the Identity Certificates Authentication pane, you can perform the following tasks: add or import a new identity certificate; display details of an identity certificate; delete an existing identity certificate; export an existing identity certificate.
• Page 743 The modulus size (bits) of the key pairs: 512, 768, 1024, and 2048. The default is 1024. Use 2048 bits for new key pairs; 512- and 768-bit RSA keys offer no meaningful protection today, and public CAs no longer issue certificates for 1024-bit keys. The key data, which includes the specific key data in text format.
• Page 744 Step 22 Click the SCEP Challenge Password tab, and then enter the following information: the SCEP password; the SCEP password confirmation.
• Page 745 Browse to display the Export ID Certificate File dialog box and find the file to which you want to export the certificate configuration. Step 3 Choose the certificate format by clicking the PKCS12 Format radio button or the PEM Format radio button.
• Page 746 Step 6 Click Generate Request to generate the certificate signing request, which you can then send to Entrust, or save to a file and send later. The Enroll with Entrust dialog box appears, with the CSR displayed.
• Page 747 ...CSR provided and submitting it through the Entrust web form, provided at http://www.entrust.net/cisco/. Alternatively, to enroll at a later time, save the generated CSR to a file, then click the Enroll with Entrust link on the Identity Certificates pane to complete the enrollment process.
• Page 748 The values apply only to available status. The Issued by tab displays the X.500 fields of the entity granting the certificate. The values apply only to available status.
• Page 749 Step 6 Enter the passphrase that protects (encrypts) the PKCS12 format file for export; the same passphrase is required to decrypt the file on import. Step 7 Confirm the passphrase. Step 8 Click Export Certificate to export the certificate configuration. The exported PKCS12 file contains the private key, so store and transfer it as a secret.
• Page 750 ...CA certificate or key pair is lost and must be restored. Note: The Enable passphrase is required to enable the local CA server. Be sure to keep a record of the Enable passphrase in a safe location.
• Page 751 Step 9 To configure additional options, click the More Options drop-down arrow. Enter the CRL distribution point, which is the CRL location on the adaptive security appliance. The default location is http://hostname.domain/+CSCOCA+/asa_ca.crl.
• Page 752 HTML. Step 16 Enter the length of time that a one-time password e-mailed to an enrolling user is valid. The default is 72 hours.
• Page 753 Editing a Local CA User, page 35-26; Deleting a Local CA User, page 35-27; Allowing User Enrollment, page 35-27; Viewing or Regenerating an OTP, page 35-27
• Page 754 Step 2 Enter a valid username. Step 3 Enter an existing valid e-mail address. Step 4 Enter the subject (DN string). Alternatively, click Select to display the Certificate Subject DN dialog box.
• Page 755 Step 2 After you are done, click OK to close the View & Regenerate OTP dialog box. Step 3 To regenerate the OTP, click Regenerate OTP. The newly generated OTP appears.
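The following CLI configuration is an added example and is not text from the guide. It corresponds to the Local Certificate Authority panes on pages 750 through 756: bringing up the local CA server with explicit lifetimes, CRL distribution point and OTP settings, then adding a user, allowing enrollment, issuing the CRL and revoking a certificate. The issuer name, hostname, lifetimes, e-mail addresses and user are placeholders.

```cisco
! Added example (not from the guide). Names, lifetimes and addresses are assumptions.
crypto ca server
 issuer-name CN=asa1-ca.example.com,O=Example Corp
 keysize 2048                          ! RSA size for keys of issued user certificates
 lifetime ca-certificate 1825          ! days (5 years; must end before 19 Jan 2038, page 736)
 lifetime certificate 365              ! days for issued user certificates
 lifetime crl 6                        ! hours before relying parties must refetch the CRL
 cdp-url http://asa1.example.com/+CSCOCA+/asa_ca.crl
 smtp from-address ca-admin@example.com
 subject-name-default O=Example Corp,C=US
 otp expiration 72                     ! hours an e-mailed one-time password stays valid
 enrollment-retrieval 24               ! hours an issued certificate stays retrievable
 no shutdown                           ! prompts for the Enable passphrase; record it (page 750)
!
! Enrolling a user (pages 753 to 755): add, allow enrollment, show the OTP.
crypto ca server user-db add jdoe dn "CN=jdoe,O=Example Corp" email jdoe@example.com
crypto ca server user-db allow jdoe display-otp
!
! Revoke a certificate by serial number and publish a fresh CRL.
!   crypto ca server revoke <serial-number>
crypto ca server crl issue
!
! Verification (the CRL listing on page 756 comes from the first command):
!   show crypto ca server crl
!   show crypto ca server user-db
!   show crypto ca server cert-db
```

Back up the CA certificate and key pair (the PKCS12 export described on page 749) immediately after no shutdown: without them, a failed flash or an appliance replacement means every issued certificate must be reissued.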
• Page 756 NextUpdate: 15:58:34 UTC Nov 11 2009; Cached Until: 15:58:34 UTC Nov 11 2009; Retrieved from CRL Distribution Point: ** CDP Not Published - Retrieved via SCEP; Size (bytes): 224; Associated Trustpoints: LOCAL-CA-SERVER
• Page 757 The following paths were introduced, based on the type of VPN connection being used: Configuration > Remote Access VPN > Certificate Management; Configuration > Site-to-Site VPN > Certificate Management
• Page 758 Chapter 35 Configuring Digital Certificates: Feature History for Certificate Management
• Page 777 PART: Configuring Application Inspection
• Page 779 Connections (XLATE and CONN tables)—Maintains state and other information about each established connection. This information is used by the Adaptive Security Algorithm and cut-through proxy to efficiently forward traffic within established sessions.
• Page 780 Other applications embed an IP address in the packet that needs to match the source address that is normally translated when it goes through the adaptive security appliance.
• Page 781 (a global policy). Default application inspection traffic includes traffic to the default ports for each protocol. You can only apply one global policy, so if you...
• Page 782 ...NAT of the packets for NBNS UDP port 137 and NBDS UDP port 138. PPTP: TCP/1723, RFC 2637. RADIUS Accounting: port 1646, RFC 2866. TCP/514: no PAT, Berkeley UNIX.
• Page 783 Step 1 Choose Configuration > Firewall > Service Policy Rules. Step 2 Add or edit a service policy rule according to the "Adding a Service Policy Rule for Through Traffic" section on page 29-8.
• Page 784 Configuration > Firewall > Objects > Inspect Maps pane. Step 6 You can configure other features for this rule if desired using the other Rule Actions tabs. Step 7 Click OK (or Finish from the wizard).
• Page 785 How DNS Application Inspection Works, page 37-2; How DNS Rewrite Works, page 37-3; Configuring DNS Rewrite, page 37-3; Select DNS Inspect Map, page 37-5; DNS Class Map, page 37-6
• Page 786 ...DNS connection being reset by a new DNS session. This is due to the nature of the shared DNS connection and is by design.
• Page 787 You configure DNS rewrite using the NAT configuration. Figure 37-2 provides a more complex scenario to illustrate how DNS inspection allows NAT to operate transparently with a DNS server with minimal configuration.
• Page 788 The host running the web client sends the DNS server a request for the IP address of server.example.com. The DNS server responds with the IP address 209.165.200.225 in the reply.
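The following CLI configuration is an added example, not the guide's own, for the DNS rewrite scenario on pages 787 and 788 written as version 8.3 object NAT. The guide gives the public address 209.165.200.225 and the name server.example.com; the inside address 10.1.3.14 and the object name are placeholders.

```cisco
! Added example (not from the guide). The inside address and object name are assumptions.
object network WEB-SERVER
 host 10.1.3.14
 ! Static NAT to the public address. The "dns" keyword tells DNS inspection to
 ! rewrite A-record answers that cross this translation: an inside client that
 ! asks the outside DNS server for server.example.com receives 10.1.3.14 instead
 ! of 209.165.200.225, and an outside client asking an inside DNS server gets the
 ! reverse substitution.
 nat (inside,outside) static 209.165.200.225 dns
!
! Rewrite only happens for DNS traffic that is actually inspected. The default
! global policy already contains this; shown here so the dependency is explicit.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! Verification:
!   show nat detail                         (translation hits for the object)
!   show service-policy inspect dns         (inspected packets and rewrites)
!   capture DNS interface inside match udp any any eq 53
!   show capture DNS                        (answers as the client sees them)
```

Only the answer section of the reply is rewritten, and only for A records whose address matches a translation with the dns keyword; a reply carrying the public address for a host that has no such NAT rule passes unchanged, which is the usual cause of "rewrite does not work" reports.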
  • Page 789 For example, if the DNS server is on the outside interface, you should enable DNS inspection with snooping for all UDP DNS traffic on the outside interface. • Add—Opens the Add Policy Map dialog box for the inspection. Cisco ASA 5500 Series Configuration Guide using ASDM 37-5 OL-20339-01...
  • Page 790 Name—Enter the name of the DNS class map, up to 40 characters in length. • Description—Enter the description of the DNS class map. • • Add—Adds a DNS class map. • Edit—Edits a DNS class map. Cisco ASA 5500 Series Configuration Guide using ASDM 37-6 OL-20339-01...
  • Page 791 Header Flag Value—Lets you enter an arbitrary 16-bit value in hex to match. Type Criterion Values—Specifies the value details for the DNS type match. • DNS Type Field Name—Lists the DNS types to select. – A—IPv4 address NS—Authoritative name server Cisco ASA 5500 Series Configuration Guide using ASDM 37-7 OL-20339-01...
  • Page 792 The following table shows the modes in which this feature is available: Firewall Mode Security Context Multiple Routed Transparent Single Context System — • • • • DNS Inspect Map The DNS Inspect Map dialog box is accessible as follows: Cisco ASA 5500 Series Configuration Guide using ASDM 37-8 OL-20339-01...
  • Page 793 DNS Guard: enabled NAT rewrite: enabled Protocol enforcement: enabled ID randomization: enabled Message length check: enabled Message length maximum: 512 Mismatch rate logging: enabled TSIG resource record: not enforced – High Cisco ASA 5500 Series Configuration Guide using ASDM 37-9 OL-20339-01...
  • Page 794 – DNS Guard: enabled NAT rewrite: enabled Protocol enforcement: enabled ID randomization: disabled Message length check: enabled Message length maximum: 512 Mismatch rate logging: disabled TSIG resource record: not enforced Cisco ASA 5500 Series Configuration Guide using ASDM 37-10 OL-20339-01...
  • Page 795 DNS map is shown. Description—Enter the description of the DNS map, up to 200 characters in length. • Security Level—Shows the security level to configure. • Cisco ASA 5500 Series Configuration Guide using ASDM 37-11 OL-20339-01...
  • Page 796 Match Type—Shows the match type, which can be a positive or negative match. – Criterion—Shows the criterion of the DNS inspection. – Value—Shows the value to match in the DNS inspection. – Cisco ASA 5500 Series Configuration Guide using ASDM 37-12 OL-20339-01...
  • Page 797 FTP application inspection prepares secondary channels for FTP data transfer. Ports for these channels are negotiated through PORT or PASV commands. The channels are allocated in response to a file upload, a file download, or a directory listing event. Cisco ASA 5500 Series Configuration Guide using ASDM 37-13 OL-20339-01...
  • Page 798 • series of Xs. to prevent the server from revealing its system type to FTP clients. To override this default behavior, use the no mask-syst-reply command in the FTP map. Cisco ASA 5500 Series Configuration Guide using ASDM 37-14 OL-20339-01...
  • Page 799 Match Type—Shows the match type, which can be a positive or negative match. Criterion—Shows the criterion of the FTP class map. Value—Shows the value to match in the FTP class map.
  • Page 800 Configuration > Global Objects > Class Maps > FTP > Add/Edit FTP Traffic Class Map > Add/Edit FTP Match Criterion. The Add/Edit FTP Match Criterion dialog box lets you define the match criterion and value for the FTP class map.
  • Page 801 expressions. Regular Expression Class—Lists the defined regular expression classes to match. Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
  • Page 802 Add—Configures a new FTP inspect map. To edit an FTP inspect map, choose the FTP entry in the FTP Inspect Maps table and click Customize. Delete—Deletes the inspect map selected in the FTP Inspect Maps table.
  • Page 803 Move Up—Moves an entry up in the list. Move Down—Moves an entry down in the list. Modes: The following table shows the modes in which this feature is available:
  • Page 804 Add/Edit FTP Policy Map (Details): The Add/Edit FTP Policy Map (Details) dialog box is accessible as follows: Configuration > Global Objects > Inspect Maps > FTP > FTP Inspect Map > Advanced View
  • Page 805 Configuration > Global Objects > Inspect Maps > FTP > FTP Inspect Map > Advanced View > Add/Edit FTP Inspect. The Add/Edit FTP Inspect dialog box lets you define the match criterion and value for the FTP inspect map.
  • Page 806 Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression Class—Lists the defined regular expression classes to match.
  • Page 807 Select HTTP Map, page 37-24. HTTP Class Map, page 37-25. Add/Edit HTTP Traffic Class Map, page 37-26. Add/Edit HTTP Match Criterion, page 37-26. HTTP Inspect Map, page 37-30.
  • Page 808 Add—Opens the Add Policy Map dialog box for the inspection. Modes: The following table shows the modes in which this feature is available:
  • Page 809 Delete—Deletes an HTTP class map. Modes: The following table shows the modes in which this feature is available: Firewall Mode: Routed •, Transparent •; Security Context: Single •, Multiple Context •, System —.
  • Page 810 Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression Class—Lists the defined regular expression classes to match.
  • Page 812 ActiveX—Specifies to match on ActiveX. Java Applet—Specifies to match on a Java Applet. Regular Expression—Specifies to match on a regular expression. Regular Expression—Lists the defined regular expressions to match.
  • Page 813 Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression Class—Lists the defined regular expression classes to match. Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
  • Page 814 Add—Configures a new HTTP inspect map. To edit an HTTP inspect map, choose the HTTP entry in the HTTP Inspect Maps table and click Customize. Delete—Deletes the inspect map selected in the HTTP Inspect Maps table.
  • Page 815 Configuration > Global Objects > Inspect Maps > HTTP > URI Filtering. The URI Filtering dialog box lets you configure the settings for a URI filter. Fields: Match Type—Shows the match type, which can be a positive or negative match.
  • Page 816 Advanced inspections: Not configured. Medium—Protocol violation action: Drop connection. Drop connections for unsafe methods: Allow only GET, HEAD, and POST. Drop connections for requests with non-ASCII headers: Disabled.
  • Page 817 Log—Enable or disable. Spoof server string—Replaces the server HTTP header value with the specified string. Spoof String—Enter a string to substitute for the server header field. Maximum is 82 characters.
  • Page 818 MIME types in the accept field of the request. Request Arguments—Applies the regular expression match to the arguments of the request. Regular Expression—Lists the defined regular expressions to match.
  • Page 819 Greater Than Length—Enter a field length value in bytes that request field lengths will be matched against. Request Header Field—Applies the regular expression match to the header of the request.
  • Page 820 Regular Expression Class—Lists the defined regular expression classes to match. Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps. Response Body—Applies the regex match to the body of the response.
  • Page 821 Regular Expression—Lists the defined regular expressions to match.
  • Page 822 Without stateful inspection, ICMP can be used to attack your network. The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct.
  • Page 823 The Select IM Map dialog box lets you select or create a new IM map. An IM map lets you change the configuration values used for IM application inspection. The Select IM Map table provides a list of previously configured maps that you can select for application inspection.
  • Page 824 This inspection is valuable when implementing RSVP and similar protocols that require relatively complex processing from the routers along the packet's delivery path.
  • Page 825 Step 5 (Optional) If you clicked Add to create a new inspection map, define the following values for IP Options Inspection: Enter a name for the inspection map. Enter a description for the inspection map, up to 200 characters long.
  • Page 826 Add—Opens the Add IP Options Inspect Map dialog box for the inspection. Modes: The following table shows the modes in which this feature is available:
  • Page 827 Name—When adding an IP Options inspection map, enter the name of the map. When editing a map, the name of the previously configured map is shown. Description—Enter the description of the IP Options inspection map, up to 200 characters in length.
  • Page 828 IP packet of a data stream. IPSec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to...
  • Page 829 An IPSec Pass Through map lets you change the default configuration values used for IPSec Pass Through application inspection. You can use an IPSec Pass Through map to permit certain flows without using an access list.
  • Page 830 Name—When adding an IPSec Pass Thru map, enter the name of the IPSec Pass Thru map. When editing an IPSec Pass Thru map, the name of the previously configured IPSec Pass Thru map is shown. Security Level—Select the security level (high or low).
  • Page 831 Parameters—Configures ESP and AH parameter settings. Limit ESP flows per client—Limits ESP flows per client. Maximum—Specify maximum limit. Apply ESP idle timeout—Applies ESP idle timeout. Timeout—Specify timeout.
  • Page 832 Select a NetBIOS map for fine control over inspection—Lets you select a defined application inspection map or add a new one. Add—Opens the Add Policy Map dialog box for the inspection.
  • Page 833 Fields: Name—When adding a NetBIOS map, enter the name of the NetBIOS map. When editing a NetBIOS map, the name of the previously configured NetBIOS map is shown.
  • Page 834 PC that initiates connection to the head-end PAC to gain access to a central network. SMTP and Extended SMTP Inspection: This section describes the IM inspection engine. This section includes the following topics: SMTP and ESMTP Inspection Overview, page 37-51
  • Page 835 For more information, see RFC 821. SMTP inspection monitors the command and response sequence for the following anomalous signatures: Truncated commands. Incorrect command termination (not terminated with <CR><LF>).
  • Page 836 Configuration > Global Objects > Inspect Maps > ESMTP. The ESMTP pane lets you view previously configured ESMTP application inspection maps. An ESMTP map lets you change the default configuration values used for ESMTP application inspection.
  • Page 837 Customize—Opens the Add/Edit ESMTP Policy Map dialog box for additional settings. Default Level—Sets the security level back to the default level of Low. Modes: The following table shows the modes in which this feature is available:
  • Page 838 Configuration > Global Objects > Inspect Maps > ESMTP > ESMTP Inspect Map > Basic View. The Add/Edit ESMTP Policy Map pane lets you configure the security level and additional settings for ESMTP application inspection maps.
  • Page 839 Details—Shows the Parameters and Inspections tabs to configure additional settings. Modes: The following table shows the modes in which this feature is available: Firewall Mode: Routed •, Transparent •; Security Context: Single •, Multiple Context •, System —.
  • Page 840 Move Down—Moves an inspection down in the list. Modes: The following table shows the modes in which this feature is available: Firewall Mode: Routed •, Transparent •; Security Context: Single •, Multiple Context •, System —.
  • Page 841 Greater Than Length—Body line length in bytes. Action—Reset, drop connection, log. Log—Enable or disable. Commands Criterion Values—Specifies the value details for command match. Available Commands Table: AUTH, DATA
  • Page 842 Log—Enable or disable. EHLO Reply Parameters Criterion Values—Specifies the value details for EHLO reply parameters match. Available Parameters Table: 8bitmime, auth, binarymime, checkpoint, ecode, etrn, others
  • Page 843 Greater Than Length—MIME filename length in bytes. Action—Reset, Drop Connection, Log. Log—Enable or disable. MIME Encoding Criterion Values—Specifies the value details for MIME encoding match. Available Encodings table: 7bit
  • Page 844 TFTP Inspection: TFTP inspection is enabled by default. TFTP, described in RFC 1350, is a simple protocol to read and write files between a TFTP server and client.
  • Page 845 TFTP client and server. An error notification from the server closes the secondary channel. TFTP inspection must be enabled if static PAT is used to redirect TFTP traffic.
  • Page 846 Chapter 37 Configuring Inspection of Basic Internet Protocols: TFTP Inspection
  • Page 847 SoftPhone and other Cisco TAPI/JTAPI applications to work successfully with Cisco CallManager for call setup across the adaptive security appliance. TAPI and JTAPI are used by many Cisco VoIP applications. CTIQBE is used by Cisco TSP to communicate with Cisco CallManager.
  • Page 848 Cisco TSP configuration on the PC. When using PAT or Outside PAT, if the Cisco CallManager IP address is to be translated, its TCP port 2748 must be statically mapped to the same port of the PAT (interface) address for Cisco IP SoftPhone registrations to succeed.
  • Page 849 H.323 Inspection Overview: H.323 inspection provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union for multimedia conferences over LANs. The adaptive security appliance supports H.323 through Version 6, including the H.323 v3 feature Multiple Calls on One Call Signaling Channel.
  • Page 850 The decoding and encoding of the telepresentation session is enabled by default. H.239 encoding and decoding is performed by the ASN.1 coder. Limitations and Restrictions: The following are some of the known issues and limitations when using H.323 application inspection:
  • Page 851 Match Conditions—Shows the type, match criterion, and value in the class map. Match Type—Shows the match type, which can be a positive or negative match. Criterion—Shows the criterion of the H.323 class map.
  • Page 852 The Add/Edit H.323 Match Criterion dialog box lets you define the match criterion and value for the H.323 class map. Fields: Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion.
  • Page 853 It performs state tracking and filtering and can do a cascade of inspect function activation. H.323 inspection supports phone number filtering, dynamic T.120 control, H.245 tunneling control, HSI groups, protocol state tracking, H.323 call duration enforcement, and audio/video control.
  • Page 854 Default Level—Sets the security level back to the default level of Medium. Modes: The following table shows the modes in which this feature is available: Firewall Mode: Routed •, Transparent •; Security Context: Single •, Multiple Context •, System —.
  • Page 855 Security Level—Select the security level (low, medium, or high). Low—Default. State Checking h225: Disabled. State Checking ras: Disabled. Call Party Number: Disabled. Call duration Limit: Disabled. RTP conformance: not enforced. Medium—
  • Page 856 State Checking—Tab that lets you configure state checking parameters for the H.323 inspect map. Check state transition of H.225 messages—Enforces H.323 state checking on H.225 messages. Check state transition of RAS messages—Enforces H.323 state checking on RAS messages.
  • Page 857 Edit—Opens the Edit H.323 Inspect dialog box to edit an H.323 inspection. Delete—Deletes an H.323 inspection. Move Up—Moves an inspection up in the list. Move Down—Moves an inspection down in the list.
  • Page 858 For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map. Criterion—Specifies which criterion of H.323 traffic to match. Called Party—Match the called party.
  • Page 859 This section describes MGCP application inspection. This section includes the following topics: MGCP Inspection Overview, page 38-14. Select MGCP Map, page 38-16. MGCP Inspect Map, page 38-16.
  • Page 860 Figure 38-1 illustrates how NAT can be used with MGCP.
  • Page 861 Response header, optionally followed by a session description. The port on which the gateway receives commands from the call agent. Gateways usually listen to UDP port 2427.
  • Page 862 Edit—Edits the selected MGCP entry in the MGCP Inspect Maps table. Delete—Deletes the inspect map selected in the MGCP Inspect Maps table. Modes: The following table shows the modes in which this feature is available:
  • Page 863 Add/Edit MGCP Policy Map: The Add/Edit MGCP Policy Map pane lets you configure the command queue, gateway, and call agent settings for MGCP application inspection maps.
  • Page 864 Group ID—Specifies the ID of the call agent group. A call agent group associates one or more call agents with one or more MGCP media gateways. The valid range is from 0 to 2147483647.
  • Page 865 RTSP Inspection Overview: The RTSP inspection engine lets the adaptive security appliance pass RTSP packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections.
  • Page 866 SDP files as part of HTTP or RTSP messages. Packets could be fragmented and the adaptive security appliance cannot perform NAT on fragmented packets. With Cisco IP/TV, the number of translates the adaptive security appliance performs on the SDP part...
  • Page 867 Configuring Inspection for Voice and Video Protocols, RTSP Inspection: You can configure NAT for Apple QuickTime 4 or RealPlayer. Cisco IP/TV only works with NAT if the Viewer and Content Manager are on the outside network and the server is on the inside network.
  • Page 868 The Add/Edit RTSP Inspect dialog box lets you define the match criterion, values, and actions for the RTSP inspect map. Fields: Match Type—Specifies whether traffic should match or not match the values.
  • Page 869 Select SIP Map, page 38-25. SIP Class Map, page 38-26. Add/Edit SIP Traffic Class Map, page 38-27. Add/Edit SIP Match Criterion, page 38-27. SIP Inspect Map, page 38-29.
  • Page 870 SIP timeout value. This value must be configured at least five minutes longer than the subscription duration. The subscription duration is defined in the Contact Expires value and is typically 30 minutes.
  • Page 871 Enable encrypted traffic inspection check box—Select to enable the radio buttons to select a proxy type. Proxy Type: TLS Proxy radio button—Use TLS Proxy to enable inspection of encrypted traffic.
  • Page 872 Phone Proxy configuration settings. UC-IME Proxy radio button—Specifies to associate the UC-IME Proxy (Cisco Intercompany Media Engine proxy) with the TLS Proxy that you select from the TLS Proxy Name field. Configure button—Opens the Configure the UC-IME Proxy dialog box so that you can specify or edit UC-IME Proxy configuration settings.
  • Page 873 Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map.
  • Page 874 Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps. IM Subscriber Criterion Values—Specifies to match the IM subscriber. Applies the regular expression match.
  • Page 875 SIP Inspect Map: The SIP pane lets you view previously configured SIP application inspection maps. A SIP map lets you change the default configuration values used for SIP application inspection.
  • Page 876 Limit payload to audio or video, based on the signaling exchange: Yes. SIP conformance: Drop packets that fail state checking and packets that fail header validation. Customize—Opens the Add/Edit SIP Policy Map dialog box for additional settings.
  • Page 877 Limit payload to audio or video, based on the signaling exchange: No. SIP conformance: Drop packets that fail state checking. High—SIP instant messaging (IM) extensions: Enabled. Non-SIP traffic on SIP port: Denied.
  • Page 878 Ensure that number of hops to destination is greater than 0—Enables the check for whether the value of the Max-Forwards header is zero. Action—Drop packet, Drop Connection, Reset, Log. Log—Enable or Disable. RTP Conformance—Tab that lets you configure the RTP conformance settings for SIP.
  • Page 879 Move Down—Moves an inspection down in the list. Modes: The following table shows the modes in which this feature is available: Firewall Mode: Routed •, Transparent •; Security Context: Single •, Multiple Context •, System —.
  • Page 880 Greater Than Length—Enter a header length value in bytes. Content Type Criterion Values—Specifies to match a SIP content header type. SDP—Match an SDP SIP content header type.
  • Page 881 Multiple Matches—Specifies multiple matches for the SIP inspection. SIP Traffic Class—Specifies the SIP traffic class match. Manage—Opens the Manage SIP Class Maps dialog box to add, edit, or delete SIP Class Maps.
  • Page 882 Chapter 43, “Configuring the Cisco Phone Proxy.” Skinny (SCCP) is a simplified protocol used in VoIP networks. Cisco IP Phones using SCCP can coexist in an H.323 environment. When used with Cisco CallManager, the SCCP client can interoperate with H.323 compliant terminals.
  • Page 883 The adaptive security appliance also supports DHCP options 150 and 66, which it accomplishes by sending the location of a TFTP server to Cisco IP Phones and other DHCP clients. Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route.
  • Page 884 Add—Configures a new SCCP (Skinny) inspect map. To edit an SCCP (Skinny) inspect map, choose the SCCP (Skinny) entry in the SCCP (Skinny) Inspect Maps table and click Customize. Delete—Deletes the inspect map selected in the SCCP (Skinny) Inspect Maps table.
  • Page 885 Default Level—Sets the security level back to the default level of Low. Modes: The following table shows the modes in which this feature is available: Firewall Mode: Routed •, Transparent •; Security Context: Single •, Multiple Context •, System —.
  • Page 886 Security Level—Select the security level (high or low). Low—Default. Registration: Not enforced. Maximum message ID: 0x181. Minimum prefix length: 4. Media timeout: 00:05:00. Signaling timeout: 01:00:00. RTP conformance: Not enforced.
  • Page 887 SCCP (Skinny) map, the name of the previously configured SCCP (Skinny) map is shown. Description—Enter the description of the DNS map, up to 200 characters in length.
  • Page 888 Firewall Mode: Routed •, Transparent •; Security Context: Single •, Multiple Context •, System —. Add/Edit Message ID Filter: The Add Message ID Filter dialog box lets you configure message ID filters.
  • Page 889 Message ID Range—Match specified message ID range. Lower Message ID—Specify lower value of SCCP message ID allowed. Upper Message ID—Specify upper value of SCCP message ID allowed. Action—Drop packet. Log—Enable or disable.
  • Page 890 Chapter 38 Configuring Inspection for Voice and Video Protocols: Skinny (SCCP) Inspection
  • Page 891 TCP inactivity interval. By default, this interval is 60 minutes and can be adjusted using the timeout command. ILS/LDAP follows a client/server model with sessions handled over a single TCP connection. Depending on the client's actions, several of these sessions may be created.
  • Page 892 For SQL*Net Version 2, all DATA or REDIRECT packets that immediately follow REDIRECT packets with a zero data length will be fixed up. The packets that need fix-up contain embedded host/port addresses in the following format: (ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=a.b.c.d)(PORT=a))
  • Page 893 The Configuration > Firewall > Advanced > SUNRPC Server pane shows which SunRPC services can traverse the adaptive security appliance and their specific timeout, on a per server basis. Fields: Interface—Displays the interface on which the SunRPC server resides.
  • Page 894 Modes: The following table shows the modes in which this feature is available: Firewall Mode: Routed •, Transparent •; Security Context: Single •, Multiple Context •, System —.
  • Page 895 “Add/Edit DCERPC Policy Map” section on page 40-4. DCERPC Overview: DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely.
  • Page 896 DCERPC map lets you change the default configuration values used for DCERPC application inspection. DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely.
  • Page 897 Default Level—Sets the security level back to the default level of Medium. Modes: The following table shows the modes in which this feature is available: Firewall Mode: Routed •, Transparent •; Security Context: Single •, Multiple Context •, System —.
  • Page 898 Enforce Service Lookup Timeout—Enforces the service lookup timeout specified. Service Lookup Timeout—Sets the timeout for pinholes from lookup operation. Modes: The following table shows the modes in which this feature is available:
  • Page 899 Internet. The GGSN is the interface between the GPRS wireless data network and other networks. The SGSN performs mobility, data session management, and data compression (see Figure 40-1).
  • Page 900 Note: GTP inspection requires a special license. If you try to enable GTP application inspection on an adaptive security appliance without the required license, the adaptive security appliance displays an error message.
  • Page 901 Drop and log unknown message IDs. IMSI Prefix Filtering—Opens the IMSI Prefix Filtering dialog box to configure IMSI prefix filters. Customize—Opens the Add/Edit GTP Policy Map dialog box for additional settings.
  • Page 902 Description—Enter the description of the GTP map, up to 200 characters in length. Security Level—Security level low only. Do not Permit Errors. Maximum Number of Tunnels: 500. GSN timeout: 00:30:00.
  • Page 903 By default, all invalid packets or packets that failed during parsing are dropped. General Parameters—Tab that lets you configure the general parameters for the GTP inspect map.
  • Page 904 Log—Shows the log state. Add—Opens the Add GTP Inspect dialog box to add a GTP inspection. Edit—Opens the Edit GTP Inspect dialog box to edit a GTP inspection.
  • Page 905 The valid range is 1 to 255. By default, all valid message IDs are allowed. Value—Specifies whether value is an exact match or a range. Equals—Enter a value. Range—Enter a range of values.
  • Page 906 Select RADIUS Accounting Map, page 40-13. Add RADIUS Accounting Policy Map, page 40-14. RADIUS Inspect Map, page 40-14. RADIUS Inspect Map Host, page 40-15. RADIUS Inspect Map Other, page 40-15.
  • Page 907 Add—Lets you add a new RADIUS accounting map. Modes: The following table shows the modes in which this feature is available: Firewall Mode: Routed •, Transparent •; Security Context: Single •, Multiple Context •, System —.
  • Page 908 You can use a RADIUS map to protect against an overbilling attack. Fields: Name—Enter the name of the inspect map, up to 40 characters in length. Description—Enter the description of the inspect map, up to 200 characters in length.
  • Page 909 Transparent Single Context System — • • • • RADIUS Inspect Map Other The RADIUS Inspect Map Other Parameters pane lets you configure additional parameter settings for the inspect map. Cisco ASA 5500 Series Configuration Guide using ASDM 40-15 OL-20339-01...
  • Page 910 This section describes the IM inspection engine. This section includes the following topics: SNMP Inspection Overview, page 40-17 • “Select SNMP Map” section on page 40-17 • “SNMP Inspect Map” section on page 40-17 • Cisco ASA 5500 Series Configuration Guide using ASDM 40-16 OL-20339-01...
  • Page 911 Edit—Edits the selected SNMP entry in the SNMP Inspect Maps table. • Delete—Deletes the inspect map selected in the SNMP Inspect Maps table. • Modes The following table shows the modes in which this feature is available: Cisco ASA 5500 Series Configuration Guide using ASDM 40-17 OL-20339-01...
  • Page 912 When XDMCP is used, the display is negotiated using IP addresses, which the adaptive security appliance can NAT if needed. XDCMP inspection does not support PAT. Cisco ASA 5500 Series Configuration Guide using ASDM 40-18 OL-20339-01...
  • Page 921 PART Configuring Unified Communications...
  • Page 923 Information About the Adaptive Security Appliance in Cisco Unified Communications This section describes the Cisco UC Proxy features on the Cisco ASA 5500 series appliances. The purpose of a proxy is to terminate and reoriginate connections between a client and server. The proxy delivers a range of security functions such as traffic inspection, protocol conformance, and policy control to ensure security for the internal network.
  • Page 924 The security appliance acts as a proxy, terminating and reoriginating the TLS signaling between the Cisco UMC and Cisco UMA. As part of the proxy security functionality, inspection is enabled for the Cisco UMA Mobile Multiplexing Protocol (MMP), the protocol between Cisco UMC and Cisco UMA.
  • Page 925 An adaptive security appliance running the Cisco Intercompany Media Engine Proxy can either be deployed as an Internet firewall or be designated as a Cisco Intercompany Media Engine Proxy and placed in the DMZ, off the path of the regular Internet traffic.
  • Page 926 TLS client, the proxy (the adaptive security appliance), and the TLS server. For the Cisco Unified Mobility solution, the TLS client is a Cisco UMA client and the TLS server is a Cisco UMA server. The adaptive security appliance is between a Cisco UMA client and a Cisco UMA server.
  • Page 927 UC license limit. All of these applications are licensed under the UC Proxy umbrella, and can be mixed and matched. Some applications might use multiple sessions for a connection. For example, if you configure a phone with a primary and backup Cisco Unified Communications Manager, there are 2 TLS proxy connections, so 2 UC Proxy sessions are used.
  • Page 928 SRTP, they do not count towards the limit. For more information about licensing, see Chapter 4, “Managing Feature Licenses.”
  • Page 929 CHAPTER Using the Cisco Unified Communication Wizard This chapter describes how to configure the adaptive security appliance for Cisco Unified Communications Proxy features. This chapter includes the following sections: Information About the Cisco Unified Communication Wizard, page 42-1...
  • Page 930 The security appliance acts as a proxy, terminating and reoriginating the TLS signaling between the Cisco UMC and Cisco UMA. As part of the proxy security functionality, inspection is enabled for the Cisco UMA Mobile Multiplexing Protocol (MMP), the protocol between Cisco UMC and Cisco UMA.
  • Page 931 An adaptive security appliance running the Cisco Intercompany Media Engine Proxy can either be deployed as an Internet firewall or be designated as a Cisco Intercompany Media Engine Proxy and placed in the DMZ, off the path of the regular Internet traffic.
  • Page 932 For all Unified Communications proxies to function correctly, you must synchronize the clock on the adaptive security appliance and all servers associated with each proxy, such as the Cisco Unified Communication Manager server, the Cisco Mobility Advantage server, the Cisco Unified Presence server, and the Cisco Intercompany Media Engine server.
  • Page 933 Step 2 In the Unified MA Server area, enter the private and public IP address for the Cisco Mobility Advantage server. Entering ports for these IP addresses is optional. By default port number 5443 is entered, which is the default TCP port for MMP inspection.
  • Page 934 this area appears as Export ASA’s Identity Certificate and the Export certificate dialog box immediately appears. When using the wizard to configure the Cisco Mobility Advantage proxy, the wizard only supports installing self-signed certificates. Export the identity certificate generated by the wizard for the adaptive security appliance. See...
  • Page 935 Cisco Unified Presence Proxy option under the Business-to-Business section. When using the wizard to create the Cisco Presence Federation proxy, ASDM automatically creates the necessary TLS proxies, enables SIP inspection for the Presence Federation traffic, generates address translation (static PAT) statements for the local Cisco Unified Presence server, and creates access lists to allow traffic between the local Cisco Unified Presence server and remote servers.
  • Page 936 In the Public Network area, choose the interface of the public network from the drop-down list. The proxy uses this interface for configuring static PAT for the local Cisco Unified Presence server and for configuring access lists to allow remote servers to access the Cisco Unified Presence server.
  • Page 937 To establish a trusted relationship between the security appliance and the remote entity, the security appliance can enroll with the CA on behalf of the Cisco Unified Presence server for the local entity. In the enrollment request, the local entity identity (domain name) is used.
  • Page 938 Topology for the Cisco Intercompany Media Engine Proxy, page 42-11. Step 2 Specify private network settings such as the Cisco UCM IP addresses and the ticket settings. See Configuring the Private Network Settings for the Cisco Intercompany Media Engine Proxy, page 42-12.
  • Page 939 IP address of the called party on the Internet. Cisco UCM sends all outbound calls directly to the mapped internal IP address on the adaptive security appliance instead of the global IP address of the called party on the Internet. The adaptive security appliance then forwards the calls to the global IP address of the called party.
  • Page 940 Cisco Unified Communications server configured on the adaptive security appliance. If necessary, click Add to add a Cisco Unified Communications server. You must include an entry for each Cisco UCM in the cluster with Cisco Intercompany Media Engine that has a SIP trunk enabled.
  • Page 941 Step 7 Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy You must include an entry for each Cisco UCM in the cluster with Cisco Intercompany Media Engine Proxy that has a SIP trunk enabled. Enter the private IP address and port number (in the range 5000-6000) for the Cisco UCM server.
  • Page 942 Engine Proxy, the adaptive security appliance creates dynamic mappings for external addresses to the internal IP address. The values that you specify in this page generate the following configuration settings for the Cisco Intercompany Media Engine Proxy: Static PAT for the Cisco Unified Communications servers •...
  • Page 943 The wizard supports using self-signed certificates only. A trusted relationship between the adaptive security appliance and the Cisco UMA server can be established with self-signed certificates. The certificates are used by the security appliance and the Cisco UCMs to authenticate each other, respectively, during TLS handshakes.
  • Page 944 Cisco UCM identity (domain name) is used. To establish the trust relationship, the adaptive security appliance enrolls with the third party CA by using the Cisco Unified Communications Manager server FQDN as if the security appliance is the Cisco UCM.
  • Page 945 The wizard completes by displaying a summary of the configuration created for the Cisco Intercompany Media Engine. Working with Certificates in the Unified Communication Wizard...
  • Page 946: Installing A Certificate

    When configuring certificates for the Cisco Mobility Advantage Proxy, the Cisco Presence Federation Proxy, and the Cisco Intercompany Media Engine Proxy, you must install the certificates from the Cisco Mobility Advantage server, Cisco Presence Federation server, and Cisco Unified Communications Manager servers, respectively, on the adaptive security appliance.
  • Page 947 Note: The domain name that you configure for the Cisco Intercompany Media Engine Proxy must match the domain name that is set in the local Cisco Unified Communications Manager server; for example, cisco.com. The fully qualified domain name (FQDN) that you configure for the Cisco Mobility Advantage Proxy and Cisco Presence Federation Proxy must match the FQDN set in the Cisco Mobility Advantage server and Cisco Unified Presence server, respectively;...
  • Page 948 If the certificate authority provided an intermediate certificate, you must enter the certificate text in the Intermediate Certificate (If Applicable) area of the Install ASA’s Identity Certificate dialog box. For the Cisco Mobility Advantage Proxy, you install the root certificate in another dialog box. See Installing a Certificate, page 42-18 for the steps to install the root certificate.
  • Page 949 Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers When configuring certificates for the Cisco Presence Federation Proxy and Cisco Intercompany Media Engine Proxy, you must install the adaptive security appliance identity certificate and the root certificate on the Cisco Presence Federation server and Cisco Intercompany Media Engine server, respectively.
  • Page 951 CHAPTER Configuring the Cisco Phone Proxy This chapter describes how to configure the adaptive security appliance for the Cisco Phone Proxy feature. This chapter includes the following sections: Information About the Cisco Phone Proxy, page 43-1...
  • Page 952 TCP to the Cisco UCM but the SRTP is converted to RTP. In a mixed mode cluster where the internal IP phone is configured as encrypted, the TLS connection remains a TLS connection to the Cisco UCM and the SRTP from the remote phone remains SRTP to the internal IP phone.
  • Page 953 Even though the lock icon is not displayed on the screen, the IP phone call is still encrypted because the phone proxy encrypts calls by default. The following IP phones in the Cisco Unified IP Phones 7900 Series are supported with the phone proxy: Cisco Unified IP Phone 7975...
  • Page 954 Note: To support the Cisco Unified Wireless IP Phone 7925, you must also configure MIC or LSC on the IP phone so that it works properly with the phone proxy. CIPC for softphones (CIPC versions with Authenticated mode only)...
  • Page 955 UC license limit. All of these applications are licensed under the UC Proxy umbrella, and can be mixed and matched. Some applications might use multiple sessions for a connection. For example, if you configure a phone with a primary and backup Cisco Unified Communications Manager, there are 2 TLS proxy connections, so 2 UC Proxy sessions are used.
  • Page 956 If LSC provisioning is required or you have LSC enabled IP phones, you must import the CAPF certificate from the Cisco UCM. If the Cisco UCM has more than one CAPF certificate, you must import all of them to the adaptive security appliance.
  • Page 957 The TFTP server must reside on the same interface as the Cisco UCM. The Cisco UCM can be on a private network on the inside, but you need to have a static mapping for the Cisco UCM on the adaptive security appliance to a publicly routable address.
  • Page 958 The Cisco UCM is mapped with different global IP addresses from DMZ > outside and inside interfaces > outside interface. In the CTL file, the Cisco UCM must have two entries because of the two different IP addresses. For example, if the static statements for the Cisco UCM are as follows: static (inside,outside) 128.106.254.2 10.0.0.5...
  • Page 959 See the following document for the steps to install an LSC on IP phones: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/7_0_1/secugd/secucapf.html#wp1093518 Note: If an IP phone already has an LSC installed on it from a different Cisco UCM cluster, delete the LSC from the different cluster and install an LSC from the current Cisco UCM cluster.
  • Page 960 The phone proxy is a transparent proxy with respect to the TFTP and signaling transactions. If NAT is not configured for the Cisco UCM TFTP server, then the IP phones need to be configured with the Cisco UCM cluster TFTP server address.
  • Page 961 The phones register inside the network. IT ensures there are no issues with the phone configurations, image downloads, and registration. If the Cisco UCM cluster was in mixed mode, the CTL file should be erased before sending the phone to the end user.
  • Page 962 When a remote IP phone calls an invalid internal or external extension, the phone proxy does not support playing the annunciator message from the Cisco UCM. Instead, the remote IP phone plays a fast busy signal rather than the annunciator message "Your call cannot be completed ..." However, when an internal IP phone dials an invalid extension, the annunciator message plays "Your call...
  • Page 963 Cisco UMC. If the Cisco UMC and the internal IP phones must be on different network interfaces, you must add routes for the internal IP phones to access the network interface of the media-termination address where Cisco UMC resides.
  • Page 964 To modify a CTL File that is assigned to the Phone Proxy, go to the Phone Proxy pane (Configuration > Firewall > Unified Communications > Phone Proxy), and deselect the Use the Certificate Trust List File generated by the CTL instance check box.
  • Page 965 Add additional record-entry configurations for each entity that is required in the CTL file. Step 1 Open the Configuration > Firewall > Unified Communications > CTL File pane. Step 2 Check the Enable Certificate Trust List File check box to enable the feature.
  • Page 966 In versions before 8.2(1), you configured one media-termination address (MTA) on the outside interface of the adaptive security appliance where the remote Cisco IP phones were located. In Version 8.2(1) and later, you can configure a global media-termination address for all interfaces or configure a media-termination address for different interfaces.
  • Page 967 Check the Apply MTA instance to Phone Proxy check box to add the media termination address to the Phone Proxy instance. You must have a media termination address instance configured. The configured address is added to the Phone Proxy instance.
  • Page 968 Adding or Editing the TFTP Server for a Phone Proxy, page 43-19. The TFTP server must reside on the same interface as the Cisco Unified Call Manager. Note: Additionally, if NAT is configured for the TFTP server, the NAT configuration must be in place before you specify the TFTP server while creating the Phone Proxy instance.
  • Page 969 Step 9 To force Cisco IP Communicator (CIPC) softphones to operate in authenticated mode when CIPC softphones are deployed in a voice and data VLAN scenario, check the Enable CIPC security mode authentication check box.
  • Page 970 This should be configured if it is not the default TFTP port 69. Step 6 In the Interface field, specify the interface on which the TFTP server resides. The TFTP server must reside on the same interface as the Cisco Unified Call Manager (CUCM). Step 7 Click OK to apply the settings.
  • Page 971 The Media Termination fields were removed from the Phone Proxy pane and added to the Media Termination pane: Configuration > Firewall > Advanced > Encrypted Traffic Inspection > Media Termination Address pane.
  • Page 973 The adaptive security appliance is able to intercept and decrypt encrypted signaling from Cisco encrypted endpoints to the Cisco Unified Communications Manager (Cisco UCM), and apply the required threat protection and access control.
  • Page 974 The security appliance acts as a TLS proxy between the Cisco IP Phone and Cisco UCM. The proxy is transparent for the voice calls between the phone and the Cisco UCM. Cisco IP Phones download a Certificate Trust List from the Cisco UCM before registration which contains identities (certificates) of the devices that the phone should trust, such as TFTP servers and Cisco UCM servers.
  • Page 975 CTL file must contain the certificate that the security appliance creates for the Cisco UCMs. To proxy calls on behalf of the Cisco IP Phone, the security appliance presents a certificate that the Cisco UCM can verify, which is a Local Dynamic Certificate for the phone, issued by the certificate authority on the security appliance.
  • Page 976 UC license limit. All of these applications are licensed under the UC Proxy umbrella, and can be mixed and matched. Some applications might use multiple sessions for a connection. For example, if you configure a phone with a primary and backup Cisco Unified Communications Manager, there are 2 TLS proxy connections, so 2 UC Proxy sessions are used.
  • Page 977 If LSC provisioning is required or you have LSC enabled IP phones, you must import the CAPF certificate from the Cisco UCM. If the Cisco UCM has more than one CAPF certificate, you must import all of them to the adaptive security appliance.
  • Page 978 Authentication—Specifies the username and password that the client authenticates with the provider. Username—Client username. Password—Client password. Confirm Password—Client password. Modes: The following table shows the modes in which this feature is available:
  • Page 979 Proxy pane. Configuring a TLS Proxy lets you use the TLS Proxy to enable inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco Call Manager and enable the adaptive security appliance for the Cisco Unified Communications features: TLS Proxy for the Cisco Unified Presence Server (CUPS), part of Presence Federation •...
  • Page 980 Use the Add TLS Proxy Instance Wizard to add a TLS Proxy to enable inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco Call Manager and to support the Cisco Unified Communications features on the adaptive security appliance.
  • Page 981 Use the Add TLS Proxy Instance Wizard to add a TLS Proxy to enable inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco Call Manager and to support the Cisco Unified Communications features on the adaptive security appliance.
  • Page 982 When you are configuring the TLS Proxy for the Phone Proxy, click Install TLS Server’s Certificate and install the Cisco Unified Call Manager (CUCM) certificate so that the proxy can authenticate the IP phones on behalf of the CUCM server.
  • Page 983 Call Manager may be NULL cipher to offload the Call Manager. Move Up—Moves an algorithm up in the list. Move Down—Moves an algorithm down in the list. Step 5 Click Next.
  • Page 984 Issuer for TLS clients, perform the following: – Use the Cisco CTL Client to add the server proxy certificate to the CTL file and install the CTL file on the adaptive security appliance. For information on the Cisco CTL Client, see “Configuring the Cisco CTL Client” in Cisco Unified CallManager Security Guide.
  • Page 985 When you are configuring the TLS Proxy for the Phone Proxy, click Install TLS Server’s Certificate and install the Cisco Unified Call Manager (CUCM) certificate so that the proxy can authenticate the IP phones on behalf of the CUCM server.
  • Page 986 The fields in the Edit TLS Proxy dialog box are identical to the fields displayed when you add a TLS Proxy instance. Use the Edit TLS Proxy – Client Configuration tab to edit the client proxy parameters for the original TLS Client, such as IP phones, CUMA clients, the Cisco Unified Presence Server (CUPS), or the Microsoft OCS server.
  • Page 987 dynamic certificates. Local Dynamic Certificate Key Pair—Lists the RSA key pair used by client or server dynamic certificates. Add—Adds a TLS Proxy. Edit—Edits a TLS Proxy.
  • Page 988 Show—Shows the key pair details, including generation time, usage, modulus size, and key data. New—Lets you define a new key pair. More Options—Specifies the available and active algorithms to be announced or matched during the TLS handshake.
  • Page 989 Table 44-2 lists the release history for this feature. Table 44-2 Feature History for Cisco Phone Proxy: Feature Name: TLS Proxy; Releases: 8.0(2); Feature Information: The TLS proxy feature was introduced.
  • Page 991 The adaptive security appliance includes an inspection engine to validate the Cisco UMA Mobile Multiplexing Protocol (MMP). MMP is a data transport protocol for transmitting data entities between Cisco UMA clients and servers. As shown in Figure 45-1, MMP must be run on top of a connection-oriented protocol (the underlying transport) and is intended to be run on top of a secure transport protocol such as TLS.
  • Page 992 Internet. In the scenario 1 deployment, the adaptive security appliance is between a Cisco UMA client and a Cisco UMA server. The Cisco UMA client is an executable that is downloaded to each smartphone. The Cisco UMA client application establishes a data connection, which is a TLS connection, to the corporate Cisco UMA server.
  • Page 993 Set up an interface PAT rule for inbound traffic translating the source IP address of every packet so that the corporate firewall does not need to open up a wildcard pinhole. The Cisco UMA server receives packets with the source IP address 192.0.12.183.
  • Page 994 Mobility Advantage Proxy Using NAT/PAT: In both scenarios (Figure 45-2 and Figure 45-3), NAT can be used to hide the private address of the Cisco UMA servers. In scenario 2 (Figure 45-3), PAT can be used to converge all client traffic into one source IP, so that the firewall does not have to open up a wildcard pinhole for inbound traffic.
  • Page 995 Then, the adaptive security appliance has the full credentials of the Cisco UMA server. When a Cisco UMA client connects to the Cisco UMA server, the adaptive security appliance intercepts the handshake and uses the Cisco UMA server certificate to perform the handshake with the client.
  • Page 996 The adaptive security appliance's identity certificate is exported, and then uploaded on the Cisco UMA server truststore. The Cisco UMA server certificate is downloaded, and then uploaded on the adaptive security appliance truststore by creating a trustpoint and using the crypto ca authenticate command.
  • Page 997 Figure 45-2 and Figure 45-3, perform the following tasks. It is assumed that self-signed certificates are used between the adaptive security appliance and the Cisco UMA server. To configure the Cisco Mobility Advantage Proxy by using ASDM, choose Wizards > Unified Communications Wizard from the menu.
  • Page 999 “Routing Proxy” (a dedicated Cisco UP) in Enterprise X and the Microsoft Access Proxy in Enterprise Y. However, the deployment is not limited to this scenario. Any Cisco UP or Cisco UP cluster could be deployed on the left side of the adaptive security appliance; the remote entity could be any server (an LCS, an OCS, or another Cisco UP).
  • Page 1000 (inside,outside) tcp 192.0.2.1 5060 10.0.0.2 5060 netmask 255.255.255.255 For another Cisco UP with the address 10.0.0.3, you must use a different set of PAT ports, such as 45062 or 45070: hostname(config)# static (inside,outside) tcp 192.0.2.1 45061 10.0.0.3 5061 netmask 255.255.255.255...
  • Page 1001 Entity X public address for which the adaptive security appliance provides proxy service. For further information about configuring Cisco Unified Presence Federation for SIP Federation, see the Integration Guide for Configuring Cisco Unified Presence for Interdomain Federation: http://www.cisco.com/en/US/products/ps6837/products_installation_and_configuration_guides_list.ht...
  • Page 1002 Figure 46-3 shows the way to establish the trust relationship. The adaptive security appliance enrolls with the third party CA by using the Cisco UP FQDN as if the adaptive security appliance is the Cisco Figure 46-3 How the Security Appliance Represents Cisco Unified Presence – Certificate...
  • Page 1003 There are two DNS servers within the internal Cisco Unified Presence enterprise deployment. One DNS server hosts the Cisco Unified Presence private address. The other DNS server hosts the Cisco Unified Presence public address and DNS SRV records for SIP federation (_sipfederationtls) and XMPP federation (_xmpp-server) with Cisco Unified Presence.
  • Page 1004 (inside,outside) source static obj_host_<private cup2 ip> obj_host_<public cup2 IP> service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269 nat (inside,outside) source static obj_host_<private cup3 ip> obj_host_<public cup3 IP> service obj_udp_source_eq_5269 obj_udp_source_eq_5269 nat (inside,outside) source static obj_host_<private cup3 ip> obj_host_<public cup IP> service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269
  • Page 1005 UC license limit. All of these applications are licensed under the UC Proxy umbrella, and can be mixed and matched. Some applications might use multiple sessions for a connection. For example, if you configure a phone with a primary and backup Cisco Unified Communications Manager, there are 2 TLS proxy connections, so 2 UC Proxy sessions are used.
  • Page 1006 To configure a Cisco Unified Presence/LCS Federation scenario with the adaptive security appliance as the TLS proxy where there is a single Cisco UP that is in the local domain and self-signed certificates are used between the Cisco UP and the adaptive security appliance (like the scenario shown in Figure 46-1), perform the following tasks.
  • Page 1007 CHAPTER Configuring Cisco Intercompany Media Engine Proxy This chapter describes how to configure the adaptive security appliance for Cisco Intercompany Media Engine Proxy. This chapter includes the following sections: Information About Cisco Intercompany Media Engine Proxy, page 47-1...
  • Page 1008 Provides a full Cisco Unified Communications experience: Because Cisco Intercompany Media Engine creates inter-cluster SIP trunks between enterprises, any Unified Communication features that work over the SIP trunk and only require a SIP trunk work with the Cisco Intercompany Media Engine, thus providing a Unified Communication experience across enterprises.
  • Page 1009 The Cisco Intercompany Media Engine server creates tickets and the adaptive security appliance validates them. The adaptive security appliance and Cisco Intercompany Media Engine server share a password that is configured so that the adaptive security appliance detects the ticket was created by a trusted Cisco Intercompany Media Engine server.
