Cisco ASA 5500 Series Configuration Manual

Security appliance command line.

Cisco Security Appliance Command Line
Configuration Guide
For the Cisco ASA 5500 Series and Cisco PIX 500 Series
Software Version 7.2(1)
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: N/A, Online only
Text Part Number: OL-10088-01

Summary of Contents (per-page excerpts)

  • Page 1 Cisco Security Appliance Command Line Configuration Guide For the Cisco ASA 5500 Series and Cisco PIX 500 Series Software Version 7.2(1) Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387)
  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.;...
  • Page 3 Sending Traffic to the Advanced Inspection and Prevention Security Services Module Sending Traffic to the Content Security and Control Security Services Module Applying QoS Policies Applying Connection Limits and TCP Normalization Firewall Mode Overview Stateful Inspection Overview VPN Functional Overview Cisco Security Appliance Command Line Configuration Guide OL-10088-01...
  • Page 4: Table Of Contents

    Invalid Classifier Criteria Classification Examples Cascading Security Contexts Management Access to Security Contexts System Administrator Access Context Administrator Access 3-10 Enabling or Disabling Multiple Context Mode 3-10 Backing Up the Single Mode Configuration 3-10
  • Page 5 Contents: Enabling Multiple Context Mode 3-10 Restoring Single Context Mode 3-11 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Overview Understanding ASA 5505 Ports and Interfaces...
  • Page 6 Defining Route Maps Configuring OSPF OSPF Overview Enabling OSPF Redistributing Routes Into OSPF Configuring OSPF Interface Parameters 9-10 Configuring OSPF Area Parameters 9-12 Configuring OSPF NSSA 9-13 Configuring Route Summarization Between OSPF Areas 9-14
  • Page 7 Configuring a DHCP Server 10-1 Enabling the DHCP Server 10-2 Configuring DHCP Options 10-3 Using Cisco IP Phones with a DHCP Server 10-4 Configuring DHCP Relay Services 10-5 Configuring Dynamic DNS 10-6 Example 1: Client Updates Both A and PTR RRs for Static IP Addresses 10-7 Example 2: Client Updates Both A and PTR RRs;...
  • Page 8 Configuring IPv6 Default and Static Routes 12-5 Configuring IPv6 Access Lists 12-6 Configuring IPv6 Neighbor Discovery 12-7 Configuring Neighbor Solicitation Messages 12-7 Configuring Router Advertisement Messages 12-9 Configuring a Static IPv6 Neighbor 12-11
  • Page 9 Using Certificates and User Login Credentials 13-15 Using User Login Credentials 13-15 Using certificates 13-16 Supporting a Zone Labs Integrity Server 13-16 Overview of Integrity Server and Security Appliance Interaction 13-17 Configuring Integrity Server Support 13-17
  • Page 10 Configuring Unit Health Monitoring 14-36 Configuring Failover Communication Authentication/Encryption 14-36 Verifying the Failover Configuration 14-37 Using the show failover Command 14-37 Viewing Monitored Interfaces 14-45 Displaying the Failover Commands in the Running Configuration 14-45
  • Page 11 Chapter 16 Access List Overview 16-1 Access List Types 16-2 Access Control Entry Order 16-2 Access Control Implicit Deny 16-3 IP Addresses Used for Access Lists When You Use NAT 16-3
  • Page 12 17-3 NAT Types 17-5 Dynamic NAT 17-5 17-6 Static NAT 17-7 Static PAT 17-7 Bypassing NAT when NAT Control is Enabled 17-8 Policy NAT 17-9 NAT and Same Security Level Interfaces 17-12
  • Page 13 Configuring a RADIUS Server to Send Downloadable Access Control Lists 19-7 Configuring a RADIUS Server to Download Per-User Access Control List Names 19-11 Configuring Accounting for Network Access 19-12 Using MAC Addresses to Exempt Traffic from Authentication and Authorization 19-13
  • Page 14 21-8 Identifying Traffic in an Inspection Class Map 21-9 Defining Actions in an Inspection Policy Map 21-10 Defining Actions Using a Layer 3/4 Policy Map 21-13 Layer 3/4 Policy Map Overview 21-13
  • Page 15 Configuring IP Audit for Basic IPS Support 23-7 Chapter 24 Applying QoS Policies 24-1 Overview 24-1 QoS Concepts 24-2 Implementing QoS 24-2 Identifying Traffic for QoS 24-4
  • Page 16 25-15 Using the Static Command for DNS Rewrite 25-15 Using the Alias Command for DNS Rewrite 25-16 Configuring DNS Rewrite with Two NAT Zones 25-16 DNS Rewrite with Three NAT Zones 25-17
  • Page 17 ILS Inspection 25-51 MGCP Inspection 25-52 MGCP Inspection Overview 25-53 Configuring an MGCP Inspection Policy Map for Additional Inspection Control 25-54 Configuring MGCP Timeout Values 25-56 Verifying and Monitoring MGCP Inspection 25-56
  • Page 18 Chapter 26 Configuring ARP Inspection 26-1 ARP Inspection Overview 26-1 Adding a Static ARP Entry 26-2 Enabling ARP Inspection 26-2 Customizing the MAC Address Table 26-3
  • Page 19 Creating a Basic IPSec Configuration 27-22 Using Dynamic Crypto Maps 27-24 Providing Site-to-Site Redundancy 27-26 Viewing an IPSec Configuration 27-26 Clearing Security Associations 27-27 Clearing Crypto Map Configurations 27-27 Supporting the Nokia VPN Client 27-28
  • Page 20 Chapter 30 Overview of Tunnel Groups, Group Policies, and Users 30-1 Tunnel Groups 30-2 General Tunnel-Group Connection Parameters 30-2 IPSec Tunnel-Group Connection Parameters 30-3 WebVPN Tunnel-Group Connection Parameters 30-4 Configuring Tunnel Groups 30-5
  • Page 21 30-41 Configuring Domain Attributes for Tunneling 30-42 Configuring Attributes for VPN Hardware Clients 30-44 Configuring Backup Server Attributes 30-47 Configuring Microsoft Internet Explorer Client Parameters 30-48 Configuring Network Admission Control Parameters 30-50
  • Page 22 Specifying the Access Control Server Group 33-2 Enabling NAC 33-2 Configuring the Default ACL for NAC 33-3 Configuring Exemptions from NAC 33-4 Changing Advanced Settings 33-5 Changing Clientless Authentication Settings 33-5
  • Page 23 Setting the Revalidation Timer 33-9 Chapter 34 Configuring Easy VPN Services on the ASA 5505 34-1 Specifying the Client/Server Role of the Cisco ASA 5505 34-2 Specifying the Primary and Secondary Servers 34-3 Specifying the Mode...
  • Page 24 Closing Application Access to Prevent hosts File Errors 37-17 Recovering from hosts File Errors When Using Application Access 37-18 Understanding the hosts File 37-18 Stopping Application Access Improperly 37-19 Reconfiguring a hosts File 37-19 Configuring File Access 37-21
  • Page 25 37-49 Creating a Capture File 37-50 Using a Browser to Display Capture Data 37-50 Chapter 38 Configuring SSL VPN Client 38-1 Installing SVC 38-1 Platform Requirements 38-1
  • Page 26 Exporting a Trustpoint Configuration 39-15 Importing a Trustpoint Configuration 39-15 Configuring CA Certificate Map Rules 39-15 Chapter 40 Managing System Access 40-1 Allowing Telnet Access 40-1
  • Page 27 41-8 Backing Up a Context Configuration within a Context 41-9 Copying the Configuration from the Terminal Display 41-9 Configuring Auto Update Support 41-9 Configuring Communication with an Auto Update Server 41-9
  • Page 28 Changing the Severity Level of a System Log Message 42-21 Changing the Amount of Internal Flash Memory Available for Logs 42-22 Understanding System Log Messages 42-23 System Log Message Format 42-23 Severity Levels 42-23
  • Page 29 Example 1: Customer B Context Configuration Example 1: Customer C Context Configuration Example 2: Single Mode Firewall Using Same Security Level Example 3: Shared Resources for Multiple Contexts Example 3: System Configuration
  • Page 30 Example 14: ASA 5505 Base License B-34 Example 15: ASA 5505 Security Plus License with Failover and Dual-ISP Backup B-36 Example 15: Primary Unit Configuration B-36 Example 15: Secondary Unit Configuration B-38
  • Page 31 Determining the Address to Use with the Subnet Mask IPv6 Addresses IPv6 Address Format IPv6 Address Types Unicast Addresses Multicast Address Anycast Address Required Addresses D-10 IPv6 Address Prefixes D-10 Protocols and Applications D-11 TCP and UDP Ports D-11
  • Page 32 Example 3: LDAP Authentication and LDAP Authorization with Microsoft Active Directory E-22 Configuring an External RADIUS Server E-24 Reviewing the RADIUS Configuration Procedure E-24 Security Appliance RADIUS Authorization Attributes E-25 Glossary, Index
  • Page 33: About This Guide

    Help for less common scenarios. For more information, see: http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdm/index.htm This guide applies to the Cisco PIX 500 series security appliances (PIX 515E, PIX 525, and PIX 535) and the Cisco ASA 5500 series security appliances (ASA 5505, ASA 5510, ASA 5520, ASA 5540, and ASA 5550).
  • Page 34: Related Documentation

    Cisco ASDM Release Notes • Cisco PIX 515E Quick Start Guide • Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0 • • Migrating to ASA for VPN 3000 Series Concentrator Administrators Cisco Security Appliance Command Reference •...
  • Page 35 Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP routed networks. Chapter 25, “Configuring Application Layer Protocol Inspection”: Describes how to use and configure application inspection.
  • Page 36 Chapter 41, “Managing Software, Licenses, and Configurations”: Describes how to enter license keys and download software and configurations files. Chapter 42, “Monitoring the Security Appliance”: Describes how to monitor the security appliance.
  • Page 37: Document Conventions

    Variables for which you must supply a value are shown in italic screen font. Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
  • Page 38: Documentation Feedback

    The DVD enables you to access multiple versions of installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the same HTML documentation that is found on the Cisco website without being connected to the Internet.
  • Page 39 We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.
  • Page 40 Note: Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts &...
  • Page 41 Cisco engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
  • Page 42 Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ Cisco Press publishes a wide range of general networking, training and certification titles. Both new • and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL: http://www.ciscopress.com...
  • Page 43 Part 1 Getting Started and General Information...
  • Page 45 WebVPN support, and many more features. See Appendix A, “Feature Licenses and Specifications,” for a list of supported platforms and features. For a list of new features, see the Cisco ASA 5500 Series Release Notes or the Cisco PIX Security Appliance Release Notes.
  • Page 46 Using AAA for Through Traffic You can require authentication and/or authorization for certain types of traffic, for example, for HTTP. The security appliance also sends accounting information to a RADIUS or TACACS+ server.
  • Page 47 TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets that do not appear normal. Firewall Mode Overview The security appliance runs in two different firewall modes: routed and transparent.
  • Page 48 The fast path is responsible for the following tasks: IP checksum verification; session lookup; TCP sequence number check; NAT translations based on existing sessions; Layer 3 and Layer 4 header adjustments.
  • Page 49: Intrusion Prevention Services Functional Overview

    The security appliance invokes various standard protocols to accomplish these functions. Intrusion Prevention Services Functional Overview The Cisco ASA 5500 series adaptive security appliance supports the AIP SSM, an intrusion prevention services module that monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library.
  • Page 50: Security Context Overview

    Note: You can run all your contexts in routed mode or transparent mode; you cannot run some contexts in one mode and others in another. Multiple context mode supports static routing only.
  • Page 51: Chapter 2 Getting Started

    Factory Default Configurations The factory default configuration is the configuration applied by Cisco to new security appliances. The factory default configuration is supported on all models except for the PIX 525 and PIX 535 security appliances.
  • Page 52: Restoring The Factory Default Configuration

    All inside IP addresses are translated when accessing the outside using interface PAT. By default, inside users can access the outside with an access list, and outside users are prevented from accessing the inside.
  • Page 53: Asa 5510 And Higher Default Configuration

    The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254. The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
  • Page 54: Pix 515/515e Default Configuration

    Note: If you want to use ASDM to configure the security appliance instead of the command-line interface, you can connect to the default management address of 192.168.1.1 (if your security appliance includes a factory default configuration. See the “Factory Default Configurations” section on page 2-1.). On the...
  • Page 55: Setting Transparent Or Routed Firewall Mode

    You can set the security appliance to run in routed firewall mode (the default) or transparent firewall mode. For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system execution space.
  • Page 56: Working With The Configuration

    Creating Text Configuration Files Offline, page 2-9. Saving Configuration Changes: This section describes how to save your configuration, and includes the following topics: Saving Configuration Changes in Single Context Mode, page 2-7...
  • Page 57: Saving Configuration Changes In Single Context Mode

    Sometimes, a context is not saved because of an error. See the following information for errors: For contexts that are not saved because of low memory, the following message appears: The context 'context a' could not be saved due to Unavailability of resources
  • Page 58: Copying The Startup Configuration To The Running Configuration

    Viewing the Configuration The following commands let you view the running and startup configurations. To view the running configuration, enter the following command: hostname# show running-config
  • Page 59: Clearing And Removing Configuration Settings

    Alternatively, you can download a text file to the security appliance internal Flash memory. See Chapter 41, “Managing Software, Licenses, and Configurations,” for information on downloading the configuration file to the security appliance.
  • Page 60 In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows: context a For additional information about formatting the file, see Appendix C, “Using the Command-Line Interface.”
  • Page 61 You are a large enterprise or a college campus and want to keep departments completely separate. You are an enterprise that wants to provide distinct security policies to different departments. You have any network that requires more than one security appliance.
  • Page 62: Chapter 3 Enabling Multiple Context Mode

    Flash memory called admin.cfg. This context is named “admin.” If you do not want to use admin.cfg as the admin context, you can change the admin context.
  • Page 63: How The Security Appliance Classifies Packets

    IP address after classification depends on how you configure NAT and NAT control. For example, the classifier gains knowledge about subnets 10.10.10.0, 10.20.10.0 and 10.30.10.0 when the context administrators configure static commands in each context: Context A:...
  • Page 64: Invalid Classifier Criteria
  • Page 65: Classification Examples

    [Figure: classification example. Three contexts (Admin Context, Context A, Context B) share an outside interface, each with its own MAC address (000C.F142.4CDA, 000C.F142.4CDB, 000C.F142.4CDC); inside interfaces GE 0/1.1, GE 0/1.2 and GE 0/1.3 lead to the Admin network, Customer A and Customer B; hosts 209.165.202.129, 209.165.200.225 and 209.165.201.1.]
  • Page 66 (the Web, for example), and addresses are not predictable for an outside NAT configuration. If you share an inside interface, we suggest you use unique MAC addresses.
  • Page 67 [Figure: incoming traffic from inside networks. The Internet is reached through GE 0/0.1; the classifier assigns a packet to the Admin Context, Context A or Context B from the inside interface (GE 0/1.1, GE 0/1.2 or GE 0/1.3) on which it arrives; the hosts on all three inside networks have the address 10.1.1.13.]
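    The classification rules summarised on pages 63 to 67, as an added example that is not code from the guide or from Cisco: a small Python model of the classifier. It applies the three criteria in order (unique interface, then a unique MAC address per context on a shared interface, then destination addresses learned from static commands). The interface names, MAC addresses and host addresses are constructed from the chapter's figures, and treating an unmatched or ambiguous packet as dropped is an assumption of this model rather than a statement from the guide.

```python
"""Model of the multiple-context packet classifier described in this chapter.

Added example, not Cisco code. Context layout, interface names and
addresses are constructed from the chapter's figures; dropping an
unmatched or ambiguous packet is an assumption of this model.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Context:
    name: str
    # interface name -> MAC configured for this context on it (None = shared default MAC)
    interfaces: Dict[str, Optional[str]]
    # (interface name, destination network) pairs the classifier learned from static commands
    statics: List[Tuple[str, str]] = field(default_factory=list)

    def static_nets(self, ifname: str) -> List[ipaddress.IPv4Network]:
        return [ipaddress.ip_network(net) for i, net in self.statics if i == ifname]


def classify(contexts: List[Context], ingress_if: str, dst_mac: str, dst_ip: str) -> Optional[str]:
    """Return the name of the context that owns the packet, or None if it is dropped."""
    sharing = [c for c in contexts if ingress_if in c.interfaces]
    if not sharing:
        return None                       # interface is allocated to no context
    if len(sharing) == 1:
        return sharing[0].name            # criterion 1: interface belongs to one context
    macs = [c.interfaces[ingress_if] for c in sharing]
    if all(macs) and len({m.lower() for m in macs}) == len(macs):
        # criterion 2: every sharing context has its own MAC, so the destination
        # MAC alone identifies the context; no address lookup is needed
        for c in sharing:
            if c.interfaces[ingress_if].lower() == dst_mac.lower():
                return c.name
        return None
    # criterion 3: destination IP against the addresses learned from static commands
    ip = ipaddress.ip_address(dst_ip)
    owners = [c.name for c in sharing if any(ip in net for net in c.static_nets(ingress_if))]
    return owners[0] if len(owners) == 1 else None   # unknown or ambiguous: dropped (assumption)


def build_contexts(unique_macs: bool) -> List[Context]:
    """Three contexts sharing the outside subinterface gig0/0.1 (constructed layout)."""
    def mac(m: str) -> Optional[str]:
        return m if unique_macs else None   # None models the shared default MAC
    return [
        Context("admin", {"gig0/0.1": mac("000C.F142.4CDA"), "gig0/1.1": None},
                statics=[("gig0/0.1", "209.165.202.129/32")]),
        Context("customerA", {"gig0/0.1": mac("000C.F142.4CDB"), "gig0/1.2": None},
                statics=[("gig0/0.1", "209.165.200.225/32")]),
        Context("customerB", {"gig0/0.1": mac("000C.F142.4CDC"), "gig0/1.3": None},
                statics=[("gig0/0.1", "209.165.201.1/32")]),
    ]


def overlapping_statics_demo() -> Tuple[Optional[str], Optional[str]]:
    """Two contexts claim the same outside address: dropped with the shared MAC,
    resolved by destination MAC once each context interface has its own MAC."""
    shared = build_contexts(unique_macs=False)
    shared[1].statics.append(("gig0/0.1", "209.165.201.0/27"))   # customerA now overlaps customerB
    unique = build_contexts(unique_macs=True)
    unique[1].statics.append(("gig0/0.1", "209.165.201.0/27"))
    return (classify(shared, "gig0/0.1", "0000.0000.0000", "209.165.201.1"),
            classify(unique, "gig0/0.1", "000C.F142.4CDC", "209.165.201.1"))


if __name__ == "__main__":
    ctx = build_contexts(unique_macs=False)
    # with the shared MAC the dst_mac argument carries no information; a placeholder is passed
    print(classify(ctx, "gig0/0.1", "0000.0000.0000", "209.165.201.1"))  # customerB
    print(classify(ctx, "gig0/1.2", "0000.0000.0000", "10.1.1.13"))      # customerA
    print(overlapping_statics_demo())                                     # (None, 'customerB')
```

    The overlapping_statics_demo case is the reason the chapter recommends unique MAC addresses on shared interfaces: once two contexts publish overlapping addresses, address-based classification cannot pick one, whereas per-context MAC addresses let the switch and the classifier agree on the owner before any address lookup.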
  • Page 68: Cascading Security Contexts

    Note: Cascading contexts requires that you configure unique MAC addresses for each context interface. Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading contexts without unique MAC addresses.
  • Page 69: Management Access To Security Contexts

    To log in with a username, enter the login command. For example, you log in to the admin context with the...
  • Page 70: Context Administrator Access

    Your security appliance might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. ASDM does not support changing modes, so you need to change modes using the CLI.
  • Page 71: Restoring Single Context Mode

    Step 2 To set the mode to single mode, enter the following command in the system execution space: hostname(config)# mode single The security appliance reboots.
  • Page 73: Configuring Switch Ports And Vlan Interfaces For The Cisco Asa 5505 Adaptive Security Appliance

    Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance. This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive security appliance.
  • Page 74: Understanding Asa 5505 Ports And Interfaces

    Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Overview Understanding ASA 5505 Ports and Interfaces The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure: Physical switch ports—The adaptive security appliance has eight Fast Ethernet switch ports that...
  • Page 75: Default Interface Configuration

    Figure 4-1 ASA 5505 Adaptive Security Appliance with Base License [figure: Internet, ASA 5505 with Base License, Home and Business networks]. With the Security Plus license, you can configure three VLAN interfaces for normal traffic, one VLAN interface for failover, and one VLAN interface as a backup link to your ISP.
  • Page 76: Vlan Mac Addresses

    “Configuring Switch Ports as Access Ports” section on page 4-9 for more information about shutting down a switch port. To view the status of PoE switch ports, including the type of device connected (Cisco or IEEE 802.3af), use the show power inline command. Monitoring Traffic Using SPAN If you want to monitor traffic that enters or exits one or more switch ports, you can enable SPAN, also known as switch port monitoring.
  • Page 77: Security Level Overview

    Configuring VLAN Interfaces: Security Level Overview. Each VLAN interface must have a security level in the range 0 to 100 (from lowest to highest). For example, you should assign your most secure network, such as the inside business network, to level 100.
  • Page 78 Note: If you are using failover, do not use this procedure to name interfaces that you are reserving for failover communications. See Chapter 14, “Configuring Failover,”...
  • Page 79 You can configure up to five VLANs with the Security Plus license. You can configure three VLAN interfaces for normal traffic, one VLAN interface for failover, and one VLAN interface as a backup link to your ISP.
  • Page 80 By default in routed mode, all VLANs use the same MAC address. In transparent mode, the VLANs use unique MAC addresses. You might want to set unique MAC addresses or change the generated MAC addresses if your switch requires it, or for access control purposes.
  • Page 81: Configuring Switch Ports As Access Ports

    Configuring Switch Ports as Access Ports
    hostname(config-if)# interface vlan 200
    hostname(config-if)# nameif business
    hostname(config-if)# security-level 100
    hostname(config-if)# ip address 10.1.1.1 255.255.255.0
    hostname(config-if)# no shutdown...
  • Page 82 The auto setting is the default. If you set the speed to anything other than auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.
  • Page 83: Configuring A Switch Port As A Trunk Port

    Configuring a Switch Port as a Trunk Port
    hostname(config-if)# interface ethernet 0/1
    hostname(config-if)# switchport access vlan 200
    hostname(config-if)# no shutdown
    hostname(config-if)# interface ethernet 0/2...
  • Page 84 Step 3 To make this switch port a trunk port, enter the following command: hostname(config-if)# switchport mode trunk To restore this port to access mode, enter the switchport mode access command.
  • Page 85: Allowing Communication Between Vlan Interfaces On The Same Security Level

    hostname(config-if)# interface ethernet 0/1
    hostname(config-if)# switchport mode trunk
    hostname(config-if)# switchport trunk allowed vlan 200 300
    ...
  • Page 86 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Allowing Communication Between VLAN Interfaces on the Same Security Level Cisco Security Appliance Command Line Configuration Guide 4-14 OL-10088-01...
  • Page 87: Chapter 5 Configuring Ethernet Settings And Subinterfaces

    Note To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.” This chapter includes the following sections: • Configuring and Enabling RJ-45 Interfaces, page 5-1 ...
  • Page 88: Configuring And Enabling Fiber Interfaces

    By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through it or through a subinterface. For multiple context mode, if you allocate a ...
  • Page 89: Configuring And Enabling Subinterfaces

    This feature is particularly useful in multiple context mode so you can assign unique interfaces to each context. To determine how many subinterfaces are allowed for your platform, see Appendix A, “Feature Licenses and Specifications.” ...
  • Page 90 To disable the interface, enter the shutdown command. If you shut down an interface in the system execution space, then that interface is shut down in all contexts that share it. ...
  • Page 91 The security appliance manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class. This section includes the following topics: • Resource Limits, page 6-2 • Default Class, page 6-3 • Class Members, page 6-4 ...
  • Page 92: Chapter 6 Adding And Managing Security Contexts

    Contexts A, B, and C are unable to reach their 3 percent combined limit. (See Figure 6-2.) Setting unlimited access is similar to oversubscribing the security appliance, except that you have less control over how much you oversubscribe the system. ...
  • Page 93: Default Class

    By default, the default class provides unlimited access to resources for all contexts, except for the following limits, which are by default set to the maximum allowed per context: • Telnet sessions—5 sessions. • SSH sessions—5 sessions. • IPSec sessions—5 sessions. • MAC addresses—65,535 entries. ...
  • Page 94: Class Members

    Step 2 To set the resource limits, see the following options: • To set all resource limits (shown in Table 6-1) to be unlimited, enter the following command: hostname(config-resmgmt)# limit-resource all 0 ...
  • Page 95 Table 6-1 lists the resource types and the limits. See also the show resource types command. ...
  • Page 96 For example, to set the default class limit for conns to 10 percent instead of unlimited, enter the following commands: hostname(config)# class default hostname(config-class)# limit-resource conns 10% All other resources remain at unlimited. To add a class called gold, enter the following commands: hostname(config)# class gold ...
  • Page 97: Configuring A Security Context

    • To allocate a physical interface, enter the following command: hostname(config-ctx)# allocate-interface physical_interface [map_name] [visible | invisible] • To allocate one or more subinterfaces, enter the following command: hostname(config-ctx)# allocate-interface physical_interface.subinterface[-physical_interface.subinterface] [map_name[-map_name]] [visible | invisible] ...
  • Page 98 The following example shows gigabitethernet0/1.100, gigabitethernet0/1.200, and gigabitethernet0/2.300 through gigabitethernet0/2.305 assigned to the context. The mapped names are int1 through int8.
    hostname(config-ctx)# allocate-interface gigabitethernet0/1.100 int1
    hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int2
    hostname(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305 int3-int8
    ...
  • Page 99 The server must be accessible from the admin context. The filename does not require a file extension, although we recommend using “.cfg”. If the configuration file is not available, you see the following message: WARNING: Could not fetch the URL http://url INFO: Creating context with default config ...
  • Page 100 For example, to assign the context to the gold class, enter the following command: hostname(config-ctx)# member gold Step 6 To view context information, see the show context command in the Cisco Security Appliance Command Reference. The following example sets the admin context to be “administrator,” creates a context called “administrator”...
  • Page 101: Automatically Assigning Mac Addresses To Context Interfaces

    The running configuration that you edit in a configuration mode, or that is used in the copy or write commands, ...
  • Page 102: Managing Security Contexts

    • To remove a single context, enter the following command in the system execution space: hostname(config)# no context name All context commands are also removed. • To remove all contexts (including the admin context), enter the following command in the system execution space: ...
  • Page 103: Changing The Admin Context

    If you want to perform a merge, skip to Step 2.
    hostname# changeto context name
    hostname/name# configure terminal
    hostname/name(config)# clear configure all
    Step 2 If required, change to the system execution space by entering the following command: hostname/name(config)# changeto system ...
  • Page 104: Reloading A Security Context

    Step 4 To reload the configuration, enter the following command: hostname/name(config)# copy startup-config running-config The security appliance copies the configuration from the URL specified in the system configuration. You cannot change the URL from within a context. ...
  • Page 105: Reloading By Removing And Re-adding The Context

    Lists all context names. The context name with the asterisk (*) is the admin context. Interfaces: The interfaces assigned to the context. The URL from which the security appliance loads the context configuration. ...
  • Page 106: Viewing Resource Allocation

    Real Interfaces: Mapped Interfaces: Flags: 0x00000009, ID: 258 See the Cisco Security Appliance Command Reference for more information about the detail output. The following is sample output from the show context count command: hostname# show context count Total active contexts: 2...
  • Page 107 200000 200000 20.00% silver 100000 100000 10.00% bronze 50000 All Contexts: 300000 30.00% Hosts default unlimited gold unlimited silver 26214 26214 bronze 13107 All Contexts: 26214 default gold 5.00% ...
  • Page 108 The percentage of the total system resources that is allocated across all contexts in the class. If the resource is unlimited, this display is blank. If the resource does not have a system limit, then this column shows N/A. ...
  • Page 109: Viewing Resource Usage

    This sample shows the limits for 6 contexts. hostname# show resource usage summary Resource Current Peak Limit Denied Context Syslogs [rate] 1743 2132 0 Summary Conns 280000(S) 0 Summary ...
  • Page 110: Monitoring Syn Attacks In Contexts

    The following is sample output from the show perfmon command that shows the rate of TCP intercepts for a context called admin. hostname/admin# show perfmon Context:admin PERFMON STATS: Current Average Xlates ...
  • Page 111 0 system chunk:channels unlimited 0 system chunk:dbgtrace unlimited 0 system chunk:fixup unlimited 0 system chunk:ip-users unlimited 0 system chunk:list-elem 1014 1014 unlimited 0 system chunk:list-hdr unlimited 0 system chunk:route unlimited 0 system ...
  • Page 112 0 Summary tcp-intercept-rate 341306 811579 unlimited 0 Summary globals unlimited 0 Summary np-statics unlimited 0 Summary statics 0 Summary nats 0 Summary ace-rules 0 Summary console-access-rul 0 Summary fixup-rules 0 Summary ...
  • Page 113: Chapter 7 Configuring Interface Parameters

    Note To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.” This chapter includes the following sections: • Security Level Overview, page 7-1 ...
  • Page 114: Configuring The Interface

    If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command. ...
  • Page 115 Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface. ...
  • Page 116 “Automatically Assigning MAC Addresses to Context Interfaces” section on page 6-11 to automatically generate MAC addresses. If you automatically generate MAC addresses, you can use the mac-address command to override the generated address. ...
  • Page 117 The following example configures parameters in multiple context mode for the context configuration:
    hostname/contextA(config)# interface gigabitethernet0/1.1
    hostname/contextA(config-if)# nameif inside
    hostname/contextA(config-if)# security-level 100
    hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0
    hostname/contextA(config-if)# mac-address 030C.F142.4CDE standby 040C.F142.4CDE
    hostname/contextA(config-if)# no shutdown
    ...
  • Page 118: Allowing Communication Between Interfaces On The Same Security Level

    To enable interfaces on the same security level so that they can communicate with each other, enter the following command: hostname(config)# same-security-traffic permit inter-interface To disable this setting, use the no form of this command. ...
  • Page 119: Changing The Login Password

    • Setting the Management IP Address for a Transparent Firewall, page 8-5 Changing the Login Password The login password is used for Telnet and SSH connections. By default, the login password is “cisco.” To change the password, enter the following command: hostname(config)# {passwd | password} password You can enter passwd or password.
  • Page 120: Setting The Hostname

    Time derived from an NTP server overrides any time set manually. This section also describes how to set the time zone and daylight saving time date range. Note In multiple context mode, set the time in the system configuration only. ...
  • Page 121: Setting The Time Zone And Daylight Saving Time Date Range

    The week value specifies the week of the month as an integer between 1 and 4 or as the words first or last. For example, if the day might fall in the partial fifth week, then specify last. ...
  • Page 122: Setting The Date And Time Using An Ntp Server

    3 that is preferred. You can identify multiple servers; the security appliance uses the most accurate server. Setting the Date and Time Manually To set the date and time manually, enter the following command: ...
  • Page 123: Setting The Management Ip Address For A Transparent Firewall

    (255.255.255.255). This address must be IPv4; the transparent firewall does not support IPv6. The standby keyword and address are used for failover. See Chapter 14, “Configuring Failover,” for more information. ...
  • Page 124 Chapter 8 Configuring Basic Settings Setting the Management IP Address for a Transparent Firewall
  • Page 125: Chapter 9 Configuring Ip Routing

    If you have servers that cannot all be reached through a single default route, then you must configure static routes. The security appliance supports up to three equal cost routes on the same interface for load balancing. ...
  • Page 126: Configuring A Static Route

    The security appliance distributes the traffic among the specified gateways.
    hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1
    hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.2
    hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.3
    ...
  • Page 127: Configuring A Default Route

    This allows you to, for example, define a default route to an ISP gateway and a backup default route to a secondary ISP in case the primary ISP becomes unavailable. ...
  • Page 128 The track_id is a tracking number you assign with this command. The sla_id is the ID number of the SLA process you defined in Step Step 3 Define the static route to be installed in the routing table while the tracked object is reachable using one of the following options: ...
  • Page 129 To use a default route obtained through PPPoE, enter the following commands:
    hostname(config)# interface phy_if
    hostname(config-if)# pppoe client route track track_id
    hostname(config-if)# pppoe client route distance admin_distance
    hostname(config-if)# ip address pppoe setroute
    hostname(config-if)# exit
    ...
  • Page 130: Defining Route Maps

    If you specify more than one ACL, then the route can match any of the ACLs. • To match the route type, enter the following command: hostname(config-route-map)# match route-type {internal | external [type-1 | type-2]} Step 3 Enter one or more set commands. ...
  • Page 131: Configuring Ospf

    • Configuring Route Calculation Timers, page 9-16 • Logging Neighbors Going Up or Down, page 9-17 • Displaying OSPF Update Packet Pacing, page 9-17 • Monitoring OSPF, page 9-18 • Restarting the OSPF Process, page 9-18 ...
  • Page 132: Ospf Overview

    IDs associated with that range of IP addresses. To enable OSPF, perform the following steps: Step 1 To create an OSPF routing process, enter the following command: hostname(config)# router ospf process_id ...
  • Page 133: Redistributing Routes Into Ospf

    LSAs with a metric of 5, metric type of Type 1, and a tag equal to 1.
    hostname(config)# route-map 1-to-2 permit
    hostname(config-route-map)# match metric 1
    hostname(config-route-map)# set metric 5
    hostname(config-route-map)# set metric-type type-1
    ...
  • Page 134: Configuring Ospf Interface Parameters

    • To set the number of seconds that a device must wait before it declares a neighbor OSPF router down because it has not received a hello packet, enter the following command: hostname(config-interface)# ospf dead-interval seconds The value must be the same for all nodes on the network. ...
  • Page 135 10
    hostname(config-interface)# ospf dead-interval 40
    hostname(config-interface)# ospf authentication-key cisco
    hostname(config-interface)# ospf message-digest-key 1 md5 cisco
    hostname(config-interface)# ospf authentication message-digest
    The following is sample output from the show ospf command: ...
  • Page 136: Configuring Ospf Area Parameters

    • To enable MD5 authentication for an OSPF area, enter the following command: hostname(config-router)# area area-id authentication message-digest • To define an area to be a stub area, enter the following command: hostname(config-router)# area area-id stub [no-summary] ...
  • Page 137: Configuring Ospf Nssa

    This command helps reduce the size of the routing table. Using this command for OSPF causes an OSPF ASBR to advertise one external route as an aggregate for all redistributed routes that are covered by the address. ...
  • Page 138: Configuring Route Summarization Between Ospf Areas

    LSA. However, you can configure the security appliance to advertise a single route for all the redistributed routes that are covered by a specified network address and mask. This configuration decreases the size of the OSPF link-state database. ...
  • Page 139: Defining Static Ospf Neighbors

    The addr argument is the IP address of the OSPF neighbor. The if_name is the interface used to communicate with the neighbor. If the OSPF neighbor is not on the same network as any of the directly-connected interfaces, you must specify the interface. ...
  • Page 140: Generating A Default Route

    SPF calculations can be done, one immediately after the other. The following example shows how to configure route calculation timers: hostname(config)# router ospf 1 hostname(config-router)# timers spf 10 120 ...
  • Page 141: Logging Neighbors Going Up Or Down

    There are no configuration tasks for this feature; it occurs automatically. To observe OSPF packet pacing by displaying a list of LSAs waiting to be flooded over a specified interface, enter the following command: hostname# show ospf flood-list if_name ...
  • Page 142: Monitoring Ospf

    [process-id] virtual-links Restarting the OSPF Process To restart an OSPF process, clear redistribution, or counters, enter the following command: hostname(config)# clear ospf pid {process | redistribution | counters [neighbor [neighbor-interface] [neighbor-id]]} ...
  • Page 143: Configuring Rip

    Step 4 (Optional) To generate a default route into RIP, enter the following command: hostname(config-router)# default-information originate Step 5 (Optional) To specify an interface to operate in passive mode, enter the following command: hostname(config-router)# passive-interface [default | if_name] ...
  • Page 144: Redistributing Routes Into The Rip Routing Process

    • To redistribute connected routes into the RIP routing process, enter the following command: hostname(config-router)# redistribute connected [metric {metric_value | transparent}] [route-map map_name] • To redistribute static routes into the RIP routing process, enter the following command: ...
  • Page 145: Configuring Rip Send/receive Version On An Interface

    The security appliance supports RIP message authentication for RIP Version 2 messages. To enable RIP message authentication, perform the following steps: Step 1 Enter interface configuration mode for the interface you are configuring by entering the following command: hostname(config)# interface phy_if ...
  • Page 146: Monitoring Rip

    Use the following debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Debugging output is assigned high priority in the CPU process and can render the system unusable. It is best to use debug commands during periods of lower network traffic and fewer users.
  • Page 147: How The Routing Table Is Populated

    Because the routing protocols have metrics based on algorithms that are different from the other protocols, it is not always possible to determine the “best path” for two routes to the same destination that were generated by different routing protocols. ...
  • Page 148: Backup Routes

    • If the destination does not match an entry in the routing table, the packet is forwarded through the interface specified for the default route. If a default route has not been configured, the packet is discarded. ...
  • Page 149 192.168.32.0/24 network. It also falls within the other route in the routing table, but the 192.168.32.0/24 route has the longest prefix within the routing table (24 bits versus 19 bits). Longer prefixes are always preferred over shorter ones when forwarding a packet. ...
  • Page 150 Chapter 9 Configuring IP Routing The Routing Table
  • Page 151: Configuring A Dhcp Server

    This section describes how to configure the DHCP server provided by the security appliance. This section includes the following topics: • Enabling the DHCP Server, page 10-2 • Configuring DHCP Options, page 10-3 • Using Cisco IP Phones with a DHCP Server, page 10-4 ...
  • Page 152: Enabling The Dhcp Server

    To avoid address conflicts, the security appliance sends two ICMP ping packets to an address before assigning that address to a DHCP client. This command specifies the timeout value for those packets. ...
  • Page 153: Configuring Dhcp Options

    46 ascii hello command and the security appliance accepts the configuration although option 46 is defined in RFC 2132 as expecting a single-digit, hexadecimal value. For more information about the option codes and their associated types and expected values, refer to RFC 2132. ...
  • Page 154: Using Cisco Ip Phones With A Dhcp Server

    Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route. Cisco IP Phones might include both option 150 and 66 in a single request. In this case, the security appliance DHCP server provides values for both options in the response if they are configured on the security appliance.
  • Page 155: Configuring Dhcp Relay Services

    Step 2 To enable DHCP relay on the interface connected to the clients, enter the following command: hostname(config)# dhcprelay enable interface Step 3 (Optional) To set the number of seconds allowed for relay address negotiation, enter the following command: ...
  • Page 156: Configuring Dynamic Dns

    • Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN Provided Through Configuration, page 10-7 • Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates Both RRs., page 10-8 ...
  • Page 157 Ethernet0
    hostname(config-if)# ddns update ddns-2
    hostname(config-if)# ddns update hostname asa.example.com
    hostname(config-if)# ip address dhcp
    Step 4 To configure the DHCP server, enter the following command: hostname(config-if)# dhcpd update dns ...
  • Page 158: Client And Updates Both Rrs

    Ethernet0
    hostname(config-if)# dhcp client update dns both
    hostname(config-if)# ddns update hostname asa
    Step 2 To configure the DHCP server, enter the following commands: hostname(config-if)# dhcpd update dns hostname(config-if)# dhcpd domain example.com ...
  • Page 159: Example 5: Client Updates A Rr; Server Updates Ptr Rr

    • Enabling WCCP Redirection, page 10-10 WCCP Feature Support The following WCCPv2 features are supported with the security appliance: • Redirection of multiple TCP/UDP port-destined traffic. • Authentication for cache engines in a service group. ...
  • Page 160: Wccp Interaction With Other Features

    To configure WCCP redirection, perform the following steps: Step 1 To enable a WCCP service group, enter the following command: hostname(config)# wccp {web-cache | service_number} [redirect-list access_list] [group-list access_list] [password password] ...
  • Page 161 For example, to enable the standard web-cache service and redirect HTTP traffic that enters the inside interface to a web cache, enter the following commands: hostname(config)# wccp web-cache hostname(config)# wccp interface inside web-cache redirect in ...
  • Page 162 Chapter 10 Configuring DHCP, DDNS, and WCCP Services Configuring Web Cache Services Using WCCP
  • Page 163: Configuring Multicast Routing

    The DF election takes place during Rendezvous Point discovery and provides a default route to the Rendezvous Point. Note If the security appliance is the PIM RP, use the untranslated outside address of the security appliance as the RP address. ...
  • Page 164: Enabling Multicast Routing

    • Limiting the Number of IGMP States on an Interface, page 11-16 • Modifying the Query Interval and Query Timeout, page 11-16 • Changing the Query Response Time, page 11-17 • Changing the IGMP Version, page 11-17 ...
  • Page 165: Disabling Igmp On An Interface

    Step 1 Create an access list for the multicast traffic. You can create more than one entry for a single access list. You can use extended or standard access lists. • To create a standard access list, enter the following command: ...
  • Page 166: Limiting The Number Of Igmp States On An Interface

    (by default, 255 seconds), then the security appliance becomes the designated router and starts sending the query messages. To change this timeout value, enter the following command: hostname(config-if)# igmp query-timeout seconds ...
  • Page 167: Changing The Query Response Time

    In some cases, such as bypassing a route that does not support multicast routing, you may want unicast packets to take one path and multicast packets to take another. Static multicast routes are not advertised or redistributed. ...
  • Page 168: Disabling Pim On An Interface

    You can disable PIM on specific interfaces. To disable PIM on an interface, enter the following command: hostname(config-if)# no pim To reenable PIM on an interface, enter the following command: hostname(config-if)# pim Note Only the no pim command appears in the interface configuration. ...
  • Page 169: Configuring A Static Rendezvous Point Address

    Router query messages are used to elect the PIM DR. The PIM DR is responsible for sending router query messages. By default, router query messages are sent every 30 seconds. You can change this value by entering the following command: ...
  • Page 170: Configuring A Multicast Boundary

    For example, the following access list, when used with the pim neighbor-filter command, prevents the 10.1.1.1 router from becoming a PIM neighbor: hostname(config)# access-list pim_nbr deny 10.1.1.1 255.255.255.255 Step 2 Use the pim neighbor-filter command on an interface to filter the neighbor routers. ...
  • Page 171: Supporting Mixed Bidirectional/sparse-mode Pim Networks

    For More Information about Multicast Routing The following RFCs from the IETF provide technical details about the IGMP and multicast routing standards used for implementing the SMR feature: • RFC 2236 IGMPv2 ...
  • Page 172 Chapter 11 Configuring Multicast Routing For More Information about Multicast Routing • RFC 2362 PIM-SM • RFC 2588 IP Multicast and Firewalls • RFC 2113 IP Router Alert Option • IETF draft-ietf-idmr-igmp-proxy-01.txt ...
  • Page 173: Chapter 12 Configuring Ipv6

    • configure • copy • http • name • object-group • ping • show conn • show local-host • show tcpstat • telnet • tftp-server • write ...
  • Page 174 • Configuring IPv6 Default and Static Routes, page 12-5 • Configuring IPv6 Access Lists, page 12-6 • Configuring IPv6 Neighbor Discovery, page 12-7 • Configuring a Static IPv6 Neighbor, page 12-11 ...
  • Page 175: Configuring Ipv6 On An Interface

    Use the optional eui-64 keyword to use the Modified EUI-64 interface ID in the low order 64 bits of the address. hostname(config-if)# ipv6 address ipv6-address [eui-64] Cisco Security Appliance Command Line Configuration Guide 12-3 OL-10088-01...
  • Page 176: Configuring A Dual Ip Stack On An Interface

    When the link local address is verified as unique, then duplicate address detection is performed all the other IPv6 unicast addresses on the interface. Cisco Security Appliance Command Line Configuration Guide 12-4 OL-10088-01...
  • Page 177: Configuring Ipv6 Default And Static Routes

    %PIX|ASA-6-110001: No route to dest_address from source_address You can add a default route and static routes using the ipv6 route command. To configure an IPv6 default route and static routes, perform the following steps: Cisco Security Appliance Command Line Configuration Guide 12-5 OL-10088-01...
  • Page 178: Configuring Ipv6 Access Lists

    • can be an IPv6 prefix, in the format prefix/length, to indicate a range of addresses, the keyword any, to specify any address, or a specific host designated by host host_ipv6_addr. Cisco Security Appliance Command Line Configuration Guide 12-6 OL-10088-01...
  • Page 179: Configuring Ipv6 Neighbor Discovery

    After the source node receives the neighbor advertisement, the source node and destination node can communicate. Figure 12-1 shows the neighbor solicitation and response process. Cisco Security Appliance Command Line Configuration Guide 12-7 OL-10088-01...
  • Page 180 IPv6 operation. To configure the amount of time that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred, enter the following command: hostname(config-if)# ipv6 nd reachable-time value Cisco Security Appliance Command Line Configuration Guide 12-8 OL-10088-01...
  • Page 181: Configuring Router Advertisement Messages

    When a router advertisement is sent in response to a router solicitation, the destination address in the router advertisement message is the unicast address of the source of the router solicitation message. Cisco Security Appliance Command Line Configuration Guide 12-9...
  • Page 182 To configure which IPv6 prefixes are included in IPv6 router advertisements, enter the following command: hostname(config-if)# ipv6 nd prefix ipv6-prefix/prefix-length Note For stateless autoconfiguration to work properly, the advertised prefix length in router advertisement messages must always be 64 bits. Cisco Security Appliance Command Line Configuration Guide 12-10 OL-10088-01...
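    The eui-64 derivation (page 175) and the /64 requirement in the note above, as an added example that is not part of the guide: a Python helper (the ASA CLI itself cannot be executed here) that builds the address the eui-64 keyword would produce for a given prefix and interface MAC, refuses prefixes that are not 64 bits long, and recovers the MAC from an EUI-64 address, which is the privacy caveat of this scheme. The MAC address and prefixes are constructed sample values, not taken from the guide.

```python
from __future__ import annotations

import ipaddress
import re


def modified_eui64(mac: str) -> bytes:
    """Return the 8-byte Modified EUI-64 interface ID for a 48-bit MAC (RFC 4291, Appendix A).

    Accepts colon, hyphen or Cisco dotted notation (000c.29ab.cdef).
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytes.fromhex(hexdigits)
    # Split the OUI from the NIC-specific half and insert 0xFFFE between them.
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    # Modified EUI-64 inverts the universal/local bit (0x02 in the first octet).
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Build the address `ipv6 address <prefix> eui-64` assigns for this interface MAC.

    The interface ID occupies the low-order 64 bits, so the prefix must be exactly a /64;
    the guide's note on router advertisements requires the same for stateless autoconfiguration.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"eui-64 needs a /64 prefix, got /{net.prefixlen}")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64_address(addr: str) -> str:
    """Reverse the derivation: recover the MAC embedded in an EUI-64 based address.

    Anyone who sees the packet can do this too, which is why EUI-64 addresses expose the
    hardware address and vendor OUI of a host.
    """
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface ID does not carry the ff:fe EUI-64 marker")
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # Constructed sample values: one host MAC, a link-local and a global /64 prefix.
    mac = "00:0c:29:ab:cd:ef"
    for prefix in ("fe80::/64", "2001:db8:1::/64"):
        print(f"ipv6 address {prefix} eui-64  ->  {eui64_address(prefix, mac)}")
```

    Because the interface ID is derived from the MAC, the same host is trackable across every /64 it ever joins; when that matters, assign the address explicitly instead of using eui-64.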
  • Page 183: Configuring A Static Ipv6 Neighbor

    Excluding the name from the command displays the setting for all interfaces that have IPv6 enabled on them. The output for the command shows the following:
      • The name and status of the interface.
      • The link-local and global unicast addresses.
  • Page 184: The Show Ipv6 Route Command

    O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
      fe80::/10 [0/0]
        via ::, inside
      fec0::a:0:0:a0a:a70/128 [0/0]
        via ::, inside
      fec0:0:0:a::/64 [0/0]
        via ::, inside
      ff00::/8 [0/0]
        via ::, inside
  • Page 185: Configuring Aaa Servers And The Local Database

    About Accounting, page 13-2
    About Authentication: Authentication controls access by requiring valid user credentials, which are typically a username and password. You can configure the security appliance to authenticate the following items:
  • Page 186: About Authorization

    The security appliance supports a variety of AAA server types and a local database that is stored on the security appliance. This section describes support for each AAA server type and the local database. This section contains the following topics: Summary of Support, page 13-3
  • Page 187: Summary Of Support

    ... RADIUS authentication response.
    4. Local command authorization is supported by privilege level only.
    5. Command accounting is available for TACACS+ only.
    RADIUS Server Support: The security appliance supports RADIUS servers.
  • Page 188: Authentication Methods

      • Accounting attributes defined in RFC 2139.
      • RADIUS attributes for tunneled protocol support, defined in RFC 2868.
      • Cisco IOS VSAs, identified by RADIUS vendor ID 9.
      • Cisco VPN-related VSAs, identified by RADIUS vendor ID 3076.
      • Microsoft VSAs, defined in RFC 2548.
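    The vendor-specific attribute sets listed above, as an added example that is not part of the guide: a Python decoder for RADIUS attribute 26 (Vendor-Specific, RFC 2865 section 5.26) that dispatches on the vendor ID (9, 3076, and Microsoft's 311 from RFC 2548) and refuses any embedded length that runs past the buffer, which is the usual way a RADIUS parser gets into trouble. The packet bytes are constructed here, not captured from a server; the vendor 3076 sub-attribute number used in the sample is an arbitrary choice for the example, not a documented attribute.

```python
from __future__ import annotations

import struct
from typing import NamedTuple

VENDOR_SPECIFIC = 26          # RFC 2865 attribute type that carries every VSA
VENDOR_NAMES = {
    9: "Cisco IOS",           # e.g. Cisco-AVPair is vendor-type 1
    3076: "Cisco VPN",        # the VPN 3000 / Altiga attribute set
    311: "Microsoft",         # RFC 2548
}


class Attribute(NamedTuple):
    attr_type: int
    vendor_id: int            # 0 for a standard attribute
    vendor_type: int          # 0 for a standard attribute
    value: bytes

    @property
    def vendor(self) -> str:
        return VENDOR_NAMES.get(self.vendor_id, f"vendor {self.vendor_id}")


def parse_vsa(attr: bytes) -> list[Attribute]:
    """Expand one Vendor-Specific attribute into its vendor sub-attributes.

    Layout: Type=26, Length, Vendor-Id (4 octets), then repeated Vendor-Type, Vendor-Length,
    value triples; Vendor-Length counts its own two header octets.
    """
    if len(attr) < 7 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("malformed Vendor-Specific attribute header")
    (vendor_id,) = struct.unpack("!I", attr[2:6])
    body, pos, subs = attr[6:], 0, []
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = body[pos], body[pos + 1]
        if vlen < 2 or pos + vlen > len(body):      # never trust the embedded length
            raise ValueError("vendor sub-attribute length out of range")
        subs.append(Attribute(VENDOR_SPECIFIC, vendor_id, vtype, bytes(body[pos + 2:pos + vlen])))
        pos += vlen
    return subs


def build_vsa(vendor_id: int, subs: list[tuple[int, bytes]]) -> bytes:
    """Encode (vendor_type, value) pairs for one vendor as a single Vendor-Specific attribute."""
    body = struct.pack("!I", vendor_id)
    for vtype, value in subs:
        body += bytes([vtype, 2 + len(value)]) + value
    if len(body) + 2 > 255:
        raise ValueError("too long for one attribute; split across several VSAs")
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


def walk_attributes(blob: bytes) -> list[Attribute]:
    """Split a packet's attribute section into Attribute records, expanding VSAs in place."""
    out, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("attribute length out of range")
        raw = blob[pos:pos + alen]
        if atype == VENDOR_SPECIFIC:
            out.extend(parse_vsa(raw))
        else:
            out.append(Attribute(atype, 0, 0, bytes(raw[2:])))
        pos += alen
    return out


def sample_access_accept_attributes() -> bytes:
    """Constructed attribute section (not a real capture): User-Name plus two VSAs.

    Vendor-type 7 under vendor 3076 is an arbitrary number chosen for this example.
    """
    user_name = bytes([1, 2 + len(b"alice")]) + b"alice"
    cisco = build_vsa(9, [(1, b"shell:priv-lvl=15"), (1, b"ip:inacl#1=permit ip any any")])
    vpn = build_vsa(3076, [(7, b"sales")])
    return user_name + cisco + vpn


if __name__ == "__main__":
    for a in walk_attributes(sample_access_accept_attributes()):
        print(a.attr_type, a.vendor, a.vendor_type, a.value)
```

    The two length checks are the point: the outer attribute length and each vendor sub-attribute length come from the wire, and a decoder that trusts either one reads past the buffer on a crafted Access-Accept.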
  • Page 189: Sdi Version Support

    The security appliance does not support changing user passwords during tunnel negotiation. Note: To avoid this situation happening inadvertently, disable password expiration on the Kerberos/Active Directory server for users connecting to the security appliance. For a simple Kerberos server configuration example, see Example 13-2.
  • Page 190: Ldap Server Support

    Note: If you do not configure SASL, we strongly recommend that you secure LDAP communications with SSL. See the ldap-over-ssl command in the Cisco Security Appliance Command Reference. When user LDAP authentication has succeeded, the LDAP server returns the attributes for the authenticated user.
  • Page 191: Authorization With Ldap For Vpn

    LDAP. This example then creates an IPSec remote access tunnel group named remote-1, and assigns that new tunnel group to the previously created ldap_dir_1 AAA server for authorization.
      hostname(config)# tunnel-group remote-1 type ipsec-ra
      hostname(config)# tunnel-group remote-1 general-attributes
      hostname(config-general)# authorization-server-group ldap_dir_1
      hostname(config-general)#
  • Page 192: Ldap Attribute Mapping

    You must create LDAP attribute maps that map your existing user-defined attribute names and values to Cisco attribute names and values that are compatible with the security appliance. You can then bind these attribute maps to LDAP servers or remove them as needed.
  • Page 193: Sso Support For Webvpn With Http Forms

    Appendix E, “Configuring an External Server for Authorization and Authentication”. Alternatively, you can enter “?” within ldap-attribute-map mode to display the complete list of Cisco LDAP attribute names, as shown in the following example:
      hostname(config)# ldap attribute-map att_map_1
      hostname(config-ldap-attribute-map)# map-name att_map_1 ?
  • Page 194: User Profiles

    Caution: If you add to the local database users who can gain access to the CLI but who should not be allowed to enter privileged mode, enable command authorization. (See the “Configuring Local Command Authorization” section on page 40-7.) Without command authorization, users can access privileged
  • Page 195 When you enter a username attributes command, you enter username mode. The commands available in this mode are as follows:
      • group-lock
      • password-storage
      • vpn-access-hours
      • vpn-filter
      • vpn-framed-ip-address
      • vpn-group-policy
      • vpn-idle-timeout
      • vpn-session-timeout
      • vpn-simultaneous-logins
      • vpn-tunnel-protocol
  • Page 196: Identifying Aaa Server Groups And Servers

    Use these commands as needed to configure the user profile. For more information about these commands, see the Cisco Security Appliance Command Reference. When you have finished configuring the user profiles, enter exit to return to config mode. For example, the following command assigns a privilege level of 15 to the admin user account:
  • Page 197 Where a command is applicable to the server type you specified and no default value is provided (indicated by “—”), use the command to specify the value. For more information about these commands, see the Cisco Security Appliance Command Reference.
  • Page 198 Example 13-1 Multiple AAA Server Groups and Servers
      hostname(config)# aaa-server AuthInbound protocol tacacs+
      hostname(config-aaa-server-group)# max-failed-attempts 2
      hostname(config-aaa-server-group)# reactivation-mode depletion deadtime 20
      hostname(config-aaa-server-group)# exit
      hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1
      hostname(config-aaa-server-host)# key TACPlusUauthKey
  • Page 199: Using Certificates And User Login Credentials

      – Enabled by authentication server group setting
      – Uses the username and password as credentials
    • Authorization
      – Enabled by authorization server group setting
      – Uses the username as a credential
  • Page 200: Using Certificates

    Server, it will not be granted access to the private network protected by the Integrity Server and security appliance. This section includes the following topics:
      • Overview of Integrity Server and Security Appliance Interaction, page 13-17
      • Configuring Integrity Server Support, page 13-17
  • Page 201: Overview Of Integrity Server And Security Appliance Interaction

    The following commands ensure that the security appliance waits 12 seconds for a response from either the active or standby Integrity server before declaring the Integrity server failed and closing the VPN client connections:
      hostname(config)# zonelabs-integrity fail-timeout 12
      hostname(config)# zonelabs-integrity fail-close
      hostname(config)#
  • Page 202 “Configuring Firewall Policies” section on page 30-54. The command arguments that specify firewall policies are not used when the firewall type is zonelabs-integrity because the Integrity server determines the policies.
  • Page 203: Understanding Failover

    VPN failover is not supported on units running in multiple context mode. Note: VPN failover is available for Active/Standby failover configurations only. This section includes the following topics: Failover System Requirements, page 14-2
  • Page 204: Chapter 14 Configuring Failover

    24 hours until the unit is returned to failover duty. A unit with an FO or FO_AA license operates in standalone mode if it is booted without being connected to a failover peer
  • Page 205: The Failover And Stateful Failover Links

    Failover cable. On the ASA 5500 series adaptive security appliance, the failover link can only be a LAN-based connection. This section includes the following topics:
      • LAN-Based Failover Link, page 14-4
      • Serial Cable Failover Link (PIX Security Appliance Only), page 14-4
  • Page 206
      • The cable determines which unit is primary and which is secondary, eliminating the need to manually enter that information in the unit configurations.
    The disadvantages include:
      • Distance limitation: the units cannot be separated by more than 6 feet.
      • Slower configuration replication.
  • Page 207: Stateful Failover Link

    Note: Enable the PortFast option on Cisco switch ports that connect directly to the security appliance. If you are using the failover link as the Stateful Failover link, you should use the fastest Ethernet interface available. If you experience performance problems on that interface, consider d dedicating a separate interface for the Stateful Failover interface.
  • Page 208: Active/active And Active/standby Failover

    MAC addresses over the failover link. In this case, the secondary unit MAC addresses are used.
  • Page 209 You do not have to save the active configuration to Flash memory to replicate the commands.
  • Page 210 For each failure event, the table shows the failover policy (failover or no failover), the action taken by the active unit, the action taken by the standby unit, and any special notes about the failover condition and actions.
  • Page 211: Active/active Failover

    Failover Actions, page 14-13
    Active/Active Failover Overview: Active/Active failover is only available to security appliances in multiple context mode. In an Active/Active failover configuration, both security appliances can pass network traffic.
  • Page 212 When a unit boots while the peer unit is active (with both failover groups in the active state), the failover groups remain in the active state on the active unit regardless of the primary or secondary preference of the failover group until one of the following:
  • Page 213 Commands entered in the system execution space are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.
  • Page 214 See the “Failover Health Monitoring” section on page 14-15 for more information about interface and unit monitoring.
  • Page 215 Each unit marks the failover interface as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.
  • Page 216: Determining Which Type Of Failover To Use

    Supported end-user applications are not required to reconnect to keep the same communication session. The state information passed to the standby unit includes the following:
      • NAT translation table.
      • TCP connection states.
  • Page 217: Failover Health Monitoring

    Note: If failover occurs during an active Cisco IP SoftPhone session, the call remains active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client loses connection with the Call Manager. This occurs because there is no session information for the CTIQBE hangup message on the standby unit.
  • Page 218: Interface Monitoring

    If a failed unit does not recover and you believe it should not be failed, you can reset the state by entering the failover reset command. If the failover condition persists, however, the unit will fail again.
  • Page 219: Failover Feature/platform Matrix

    Active unit interface up, but connection problem causes interface testing: 5 seconds / 25 seconds / 75 seconds.
    Configuring Failover: This section describes how to configure failover and includes the following topics: Failover Configuration Limitations, page 14-18
  • Page 220: Failover Configuration Limitations

    The primary unit is the unit that has the end of the cable labeled “Primary” plugged into it. For devices in multiple context mode, the commands are entered in the system execution space unless otherwise noted.
  • Page 221 IP addresses for the interface. The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby IP address subnet mask.
  • Page 222: Configuring Lan-based Active/standby Failover

    (routed mode), for the management IP address (transparent mode), or for the management-only interface. The standby IP address is used on the security appliance that is currently the standby unit. It must be in the same subnet as the active IP address.
  • Page 223 (Optional) To enable Stateful Failover, configure the Stateful Failover link. Note: Stateful Failover is not available on the ASA 5505 series adaptive security appliance. Specify the interface to be used as the Stateful Failover link:
      hostname(config)# failover link if_name phy_if
  • Page 224 For multiple context mode, all steps are performed in the system execution space unless noted otherwise. To configure the secondary unit, perform the following steps:
    Step 1: (PIX security appliance only) Enable LAN-based failover:
      hostname(config)# failover lan enable
  • Page 225: Configuring Optional Active/standby Failover Settings

      • Enabling HTTP Replication with Stateful Failover, page 14-24
      • Disabling and Enabling Interface Monitoring, page 14-24
      • Configuring Interface Health Monitoring, page 14-24
      • Configuring Failover Criteria, page 14-25
      • Configuring Virtual MAC Addresses, page 14-25
  • Page 226 To change the interface poll time, enter the following command in global configuration mode:
      hostname(config)# failover polltime interface [msec] time [holdtime time]
  • Page 227 MAC address is assigned to an interface: The mac-address command (in interface configuration mode) address. The failover mac address command address. The mac-address auto command generated address.
  • Page 228: Configuring Active/active Failover

    The command prompt changes to hostname/context(config-if)#, where context is the name of the current context. You must enter a management IP address for each context in transparent firewall multiple context mode.
  • Page 229 Any unassigned contexts are automatically assigned to failover group 1. The admin context is always a member of failover group 1. Enter the following commands to assign each context to a failover group:
  • Page 230: Configuring Lan-based Active/active Failover

    The command prompt changes to hostname/context(config-if)#, where context is the name of the current context. In transparent firewall mode, you must enter a management IP address for each context.
  • Page 231 Note: If the Stateful Failover link uses the failover link or a regular data interface, skip this step. You have already defined the active and standby IP addresses for the interface.
  • Page 232 This allows the secondary unit to communicate with and receive the running configuration from the primary unit. To bootstrap the secondary unit in an Active/Active failover configuration, perform the following steps:
    Step 1: (PIX security appliance only) Enable LAN-based failover:
  • Page 233 To force a failover group to become active on the secondary unit, enter the following command in the system execution space on the primary unit:
      hostname# no failover active group group_id
    The group_id argument specifies the group you want to become active on the secondary unit.
  • Page 234: Configuring Optional Active/active Failover Settings

    To enable HTTP state replication for both failover groups, you must enter this command in each group. This command should be entered in the system execution space.
      hostname(config)# failover group {1 | 2}
      hostname(config-fover-group)# replication http
  • Page 235 Active/Active failover uses virtual MAC addresses on all interfaces. If you do not specify the virtual MAC addresses, then they are computed as follows:
      • Active unit default MAC address: 00a0.c9<physical_port_number>.<failover_group_id>01.
      • Standby unit default MAC address: 00a0.c9<physical_port_number>.<failover_group_id>02.
  • Page 236 2 header is rewritten and the packet is re-injected into the stream. Note: Using the asr-group command to configure asymmetric routing support is more secure than using the static command with the nailed option.
  • Page 237 A on the unit where context A is in the active state. This forwarding continues as needed until the session ends.
  • Page 238: Configuring Unit Health Monitoring

    1 to 63 characters. The characters can be any combination of numbers, letters, or punctuation. The hex key argument specifies a hexadecimal encryption key. The key must be 32 hexadecimal characters (0-9, a-f).
  • Page 239: Verifying The Failover Configuration

    This host: Primary - Active
      Active time: 13434 (sec)
      Interface inside (10.130.9.3): Normal
      Interface outside (10.132.9.3): Normal
    Other host: Secondary - Standby Ready
      Active time: 0 (sec)
      Interface inside (10.130.9.4): Normal
      Interface outside (10.132.9.4): Normal
  • Page 240
      Interface outside (192.168.5.131): Normal
      Interface inside (192.168.0.11): Normal
    Stateful Failover Logical Update Statistics
      Status: Configured.
      Stateful Obj    xmit    xerr    rerr
      RPC services
      TCP conn
      UDP conn
      ARP tbl
      Xlate_Timeout
      GTP PDP
      GTP PDPMCB
  • Page 241 The amount of time the unit has been active. This time is cumulative, so the standby unit, if it was active in the past, also shows a value.
      • slot x: Information about the module in the slot or empty.
  • Page 242
      • Dynamic UDP connection information.
      • ARP tbl: Dynamic ARP table information.
      • L2BRIDGE tbl: Layer 2 bridge table information (transparent firewall mode only).
      • Xlate_Timeout: Indicates connection translation timeout information.
      • VPN IKE upd: IKE connection information.
  • Page 243
      Interface inside (10.130.8.5): Normal
      admin Interface fourth (10.130.9.5): Normal
      ctx1 Interface outside (10.1.1.1): Normal
      ctx1 Interface inside (10.2.2.1): Normal
      ctx2 Interface outside (10.3.3.2): Normal
      ctx2 Interface inside (10.4.4.2): Normal
    Other host: Secondary
  • Page 244
      Interface inside (192.168.0.1): Normal
    Other host: Primary
      State: Standby
      Active time: 0 (sec)
      admin Interface outside (192.168.5.131): Normal
      admin Interface inside (192.168.0.11): Normal
    Stateful Failover Logical Update Statistics
      Status: Configured.
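    The show failover output on pages 239 through 244 (the Active/Standby form and the Active/Active form with per-context interface lines), as an added example that is not part of the guide: a Python parser that turns that text into unit, failover-group and monitored-interface states and reports anything that is not Normal or not Active / Standby Ready, which is the check a monitoring job would run over the command output after each poll. The sample output below is constructed from the fields shown on those pages, not a capture from a real pair, and the "Failover On" / "Failover unit" header lines are assumed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

FAILOVER_RE = re.compile(r"^Failover (On|Off)\s*$")
HOST_RE = re.compile(r"^(This|Other) host:\s+(Primary|Secondary)(?:\s+-\s+(.+?))?\s*$")
STATE_RE = re.compile(r"^\s*State:\s+(.+?)\s*$")
GROUP_RE = re.compile(r"^\s*Group (\d) State:\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*(?:(\S+)\s+)?Interface (\S+) \(([^)]+)\):\s+(.+?)\s*$")

# States that mean the unit is doing its job; "Standby" is how the Active/Active output reports the peer.
HEALTHY_STATES = {"Active", "Standby Ready", "Standby"}


@dataclass
class Host:
    role: str                                                   # Primary or Secondary
    state: str | None = None                                    # Active/Standby unit state
    groups: dict[int, str] = field(default_factory=dict)        # Active/Active: state per failover group
    interfaces: list[tuple[str, str, str, str]] = field(default_factory=list)  # (context, name, ip, status)


@dataclass
class Report:
    enabled: bool | None = None
    this: Host | None = None
    other: Host | None = None


def parse_show_failover(text: str) -> Report:
    """Pull unit, failover-group and monitored-interface status out of `show failover` text."""
    report, current = Report(), None
    for line in text.splitlines():
        if m := FAILOVER_RE.match(line):
            report.enabled = m.group(1) == "On"
        elif m := HOST_RE.match(line):
            which, role, state = m.groups()
            current = Host(role=role, state=state)
            setattr(report, which.lower(), current)      # "this" or "other"
        elif current is None:
            continue                                      # header lines before the first host block
        elif m := STATE_RE.match(line):
            current.state = m.group(1)
        elif m := GROUP_RE.match(line):
            current.groups[int(m.group(1))] = m.group(2)
        elif m := IFACE_RE.match(line):
            ctx, name, ip, status = m.groups()
            current.interfaces.append((ctx or "", name, ip, status))
    return report


def failover_problems(report: Report) -> list[str]:
    """Return the reasons the pair is not fully healthy; an empty list means it is."""
    issues: list[str] = []
    if report.enabled is False:
        issues.append("failover is off")
    for which, host in (("this", report.this), ("other", report.other)):
        if host is None:
            issues.append(f"{which} host missing from output")
            continue
        states = host.groups or ({0: host.state} if host.state else {})
        for group, state in states.items():
            label = f"group {group}" if group else "unit"
            if state not in HEALTHY_STATES:
                issues.append(f"{which} host ({host.role}) {label} is {state}")
        for ctx, name, ip, status in host.interfaces:
            if status != "Normal":
                where = f"{ctx} {name}" if ctx else name
                issues.append(f"{which} host ({host.role}) interface {where} ({ip}) is {status}")
    return issues


# Constructed samples modelled on the output shown in the guide (not real captures).
SAMPLE_ACTIVE_STANDBY = """\
Failover On
Failover unit Primary
This host: Primary - Active
        Active time: 13434 (sec)
        Interface inside (10.130.9.3): Normal
        Interface outside (10.132.9.3): Normal
Other host: Secondary - Standby Ready
        Active time: 0 (sec)
        Interface inside (10.130.9.4): Normal
        Interface outside (10.132.9.4): Normal
Stateful Failover Logical Update Statistics
        Status: Configured.
"""

SAMPLE_ACTIVE_ACTIVE = """\
Failover On
Failover unit Secondary
This host: Secondary
        Group 1 State: Active
                Active time: 190 (sec)
        Group 2 State: Active
                Active time: 200 (sec)
        admin Interface outside (192.168.5.101): Normal
        admin Interface inside (192.168.0.1): Normal
        ctx1 Interface outside (10.1.1.1): Normal
Other host: Primary
        State: Standby
        Active time: 0 (sec)
        admin Interface outside (192.168.5.131): Normal
        admin Interface inside (192.168.0.11): Normal
"""
```

    Feed the parser the raw output of show failover (or show failover state) collected over SSH; a non-empty list from failover_problems is the condition to alert on, and the interface lines are the ones that catch a peer that is "Standby Ready" but has already lost a monitored link.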
  • Page 245
      • Active Time: in seconds
      • Group 1 State: Active or Standby Ready
      • Group 2 State
      • Active Time: in seconds
      • slot x: Information about the module in the slot or empty.
  • Page 246
      • Dynamic UDP connection information.
      • ARP tbl: Dynamic ARP table information.
      • L2BRIDGE tbl: Layer 2 bridge table information (transparent firewall mode only).
      • Xlate_Timeout: Indicates connection translation timeout information.
      • VPN IKE upd: IKE connection information.
  • Page 247: Viewing Monitored Interfaces

    All of the failover commands are displayed. On units running multiple context mode, enter this command in the system execution space. Entering show running-config all failover displays the failover commands in the running configuration and includes commands for which you have not changed the default value.
  • Page 248: Testing The Failover Functionality

    To force the standby unit or failover group to become active, enter one of the following commands:
      • For Active/Standby failover: Enter the following command on the standby unit:
          hostname# failover active
        Or, enter the following command on the active unit:
  • Page 249: Disabling Failover

    Monitoring Failover: When a failover occurs, both security appliances send out system messages. This section includes the following topics: Failover System Messages, page 14-48
  • Page 250: Failover System Messages

    411002 messages. This is normal activity.
    Debug Messages: To see debug messages, enter the debug fover command. See the Cisco Security Appliance Command Reference for more information. Note: Because debugging output is assigned high priority in the CPU process, it can drastically affect system performance.
  • Page 251 Part: Configuring the Firewall
  • Page 253: Routed Mode Overview

    By default, NAT is not required. If you want to enforce a NAT policy that requires hosts on a higher security interface (inside) to use NAT when communicating with a lower security interface (outside), you can enable NAT control (see the nat-control command).
  • Page 254: Chapter 15 Firewall Mode Overview

      • An Inside User Visits a Web Server, page 15-3
      • An Outside User Visits a Web Server on the DMZ, page 15-4
      • An Inside User Visits a Web Server on the DMZ, page 15-5
  • Page 255: An Inside User Visits A Web Server

    The security appliance translates the local source address (10.1.2.27) to the global address 209.165.201.10, which is on the outside interface subnet. The global address could be on any subnet, but routing is simplified when it is on the outside interface subnet.
  • Page 256: An Outside User Visits A Web Server On The Dmz

    In this case, the classifier “knows” that the DMZ web server address belongs to a certain context because of the server address translation.
  • Page 257: An Inside User Visits A Web Server On The Dmz

    The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
  • Page 258: An Outside User Attempts To Access An Inside Host

    The security appliance receives the packet and because it is a new session, the security appliance verifies if the packet is allowed according to the security policy (access lists, filters, AAA).
  • Page 259: A Dmz User Attempts To Access An Inside Host

    “stealth firewall,” and is not seen as a router hop to connected devices. This section describes transparent firewall mode, and includes the following topics:
      • Transparent Firewall Network, page 15-8
      • Allowing Layer 3 Traffic, page 15-8
  • Page 260: Transparent Firewall Network

    For example, by using an extended access list, you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or multicast traffic such as that created by IP/TV.
  • Page 261: Mac Address Lookups

    IP address assigned to the entire device. The security appliance uses this IP address as the source address for packets originating on the security appliance, such as system messages or AAA communications.
  • Page 262: Unsupported Features In Transparent Mode

    You also cannot allow IPv6 using an EtherType access list.
    Multicast: You can allow multicast traffic through the security appliance by allowing it in an extended access list.
    NAT: NAT is performed on the upstream router.
  • Page 263: How Data Moves Through The Transparent Firewall

    Another access list lets the outside users access only the web server on the inside network.
    Figure 15-8 Typical Transparent Firewall Data Path (figure labels: www.example.com, Internet, 209.165.201.2, Management IP 209.165.201.6, 209.165.200.230, Host 209.165.201.3, Web Server 209.165.200.225)
  • Page 264: An Inside User Visits A Web Server

    If the destination MAC address is not in the security appliance table, the security appliance attempts to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.
  • Page 265: An Outside User Visits A Web Server On The Inside Network

    (access lists, filters, AAA). For multiple context mode, the security appliance first classifies the packet according to a unique interface. The security appliance records that a session is established.
  • Page 266: An Outside User Attempts To Access An Inside Host

    (access lists, filters, AAA). For multiple context mode, the security appliance first classifies the packet according to a unique interface. The packet is denied, and the security appliance drops the packet.
  • Page 267 Transparent Mode Overview: If the outside user is attempting to attack the inside network, the security appliance employs many technologies to determine if a packet is valid for an already established session.
  • Page 268: Chapter 15 Firewall Mode Overview, Transparent Mode Overview
  • Page 269: Access List Overview

    Access List Types, page 16-2 • • Access Control Entry Order, page 16-2 Access Control Implicit Deny, page 16-3 • • IP Addresses Used for Access Lists When You Use NAT, page 16-3 Cisco Security Appliance Command Line Configuration Guide 16-1 OL-10088-01...
  • Page 270: Access List Types

    After a match is found, no more ACEs are checked. For example, if you create an ACE at the beginning of an access list that explicitly permits all traffic, no further statements are ever checked. You can disable an ACE by specifying the keyword inactive in the access-list command.
  • Page 271: Chapter 16 Identifying Traffic With Access Lists

    [Figure: Inbound ACL; permit from 10.1.1.0/24 to 209.165.200.225; 10.1.1.0/24 is translated to 209.165.201.4:port on the outside] See the following commands for this example:
    hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225
    hostname(config)# access-group INSIDE in interface inside
  • Page 272 [Figure: Static NAT; outside host 209.165.200.225 reaches inside host 10.1.1.34 through its translated address 209.165.201.5] See the following commands for this example:
    hostname(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5
    hostname(config)# access-group OUTSIDE in interface outside
    The access list applied on the outside interface names the translated address 209.165.201.5, which is the address valid on the outside network, rather than the real inside address 10.1.1.34.
  • Page 273: Adding An Extended Access List

    For information about logging options that you can add to the end of the ACE, see the “Logging Access List Activity” section on page 16-18. For information about time range options, see the “Scheduling Extended Access List Activation” section on page 16-17.
  • Page 274: Allowing Special Ip Traffic Through The Transparent Firewall

    To add an ACE, enter the following command:
    hostname(config)# access-list access_list_name [line line_number] [extended] {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port | icmp_type] [inactive]
  • Page 275

    ICMP types. When you specify a network mask, the method is different from the Cisco IOS software access-list command. The security appliance uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
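    The first-match rule, the inactive keyword, the implicit deny that ends every list, and the network-mask (not wildcard) address notation are easiest to see in a small model of the matching logic. The following Python is an added example written for this page, not code from the Cisco guide; it assumes a constructed three-entry INSIDE access list built around the guide's own ACE and handles only the keywords that appear on these pages (ip/tcp/udp/icmp, any, host, address mask, eq port, inactive).

```python
"""Model of ASA extended-ACL matching: first match wins, `inactive` ACEs are
skipped, and an implicit deny ends every list.  Added example, not code from
the Cisco guide; the grammar handled is the subset used on this page."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names used in the guide's examples (only the ones needed here).
PORT_NAMES = {"www": 80, "ssh": 22, "smtp": 25, "domain": 53}


def ios_wildcard_to_mask(wildcard: str) -> str:
    """Convert an IOS wildcard (0.0.0.255) to the ASA network mask (255.255.255.0).
    The ASA CLI does not accept wildcards, so a pasted IOS ACE must be converted."""
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(w ^ 0xFFFFFFFF))


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    protocol: str          # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None = any destination port
    inactive: bool = False


def _parse_addr(tokens: list) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A', or 'A MASK' from the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)                      # ASA mask, e.g. 255.255.255.0
    return ipaddress.IPv4Network(f"{t}/{mask}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [extended] {permit|deny} PROTO SRC DST [eq PORT] [inactive]'."""
    tokens = line.split()
    assert tokens[0] == "access-list", line
    tokens = tokens[2:]                       # drop 'access-list NAME'
    if tokens[0] == "extended":
        tokens.pop(0)
    action, proto = tokens.pop(0), tokens.pop(0)
    src = _parse_addr(tokens)
    dst = _parse_addr(tokens)
    dport = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    inactive = bool(tokens) and tokens[0] == "inactive"
    return Ace(action, proto, src, dst, dport, inactive)


def evaluate(acl: list, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for one packet.  ACEs are checked in order,
    the first match ends the search, and a packet matching nothing hits the
    implicit deny at the end of the list."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.inactive:
            continue                          # still in the config, not enforced
        if ace.protocol != "ip" and ace.protocol != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action                     # first match wins
    return "deny"                             # implicit deny


# Constructed configuration: the guide's INSIDE ACE plus two entries around it.
CONFIG = """
access-list INSIDE extended deny tcp 10.1.1.0 255.255.255.0 host 209.165.200.225 eq www inactive
access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225
access-list INSIDE extended permit tcp any any eq ssh
"""
ACL_INSIDE = [parse_ace(l) for l in CONFIG.strip().splitlines()]

if __name__ == "__main__":
    for args in [("tcp", "10.1.1.34", "209.165.200.225", 80),
                 ("tcp", "10.1.1.34", "209.165.201.9", 22),
                 ("udp", "10.1.1.34", "209.165.201.9", 53)]:
        print(args, "->", evaluate(ACL_INSIDE, *args))
    print("IOS 0.0.0.255 ->", ios_wildcard_to_mask("0.0.0.255"))
```

    The inactive deny entry at the top is skipped, so web traffic to 209.165.200.225 is permitted by the second ACE; remove the inactive keyword and the same packet is denied without the permit entry ever being consulted. The UDP packet matches nothing and falls through to the implicit deny.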
  • Page 276: Adding An Ethertype Access List

    TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.) On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the security appliance.
  • Page 277: Adding A Standard Access List

    To add an ACE, enter the following command:
    hostname(config)# access-list access_list_name standard {deny | permit} {any | ip_address mask}
    The following sample access list identifies routes to 192.168.1.0/24:
    hostname(config)# access-list OSPF standard permit 192.168.1.0 255.255.255.0
  • Page 278: Adding A Webtype Access List

    After creating these groups, you could use a single ACE to allow trusted hosts to make specific service requests to a group of public servers. You can also nest object groups in other object groups.
  • Page 279: Adding Object Groups

    “Protocols and Applications” section on page D-11. For example, to create a protocol group for TCP, UDP, and ICMP, enter the following commands:
    hostname(config)# object-group protocol tcp_udp_icmp
    hostname(config-protocol)# protocol-object tcp
    hostname(config-protocol)# protocol-object udp
    hostname(config-protocol)# protocol-object icmp
  • Page 280: Adding A Network Object Group

    Step 1 To add a service group, enter the following command:
    hostname(config)# object-group service grp_id {tcp | udp | tcp-udp}
    The grp_id is a text string up to 64 characters in length.
  • Page 281: Adding An Icmp Type Object Group

    The description can be up to 200 characters.
    Step 3 To define the ICMP types in the group, enter the following command for each type:
    hostname(config-icmp-type)# icmp-object icmp_type
  • Page 282: Nesting Object Groups

    You only need to specify the admin object group in your ACE as follows:
    hostname(config)# access-list ACL_IN extended permit ip object-group admin host 209.165.201.29
  • Page 283: Using Object Groups With An Access List

    209.165.201.16
    hostname(config-network)# network-object host 209.165.201.78
    hostname(config-network)# access-list ACL_IN extended deny tcp object-group denied object-group web eq www
    hostname(config)# access-list ACL_IN extended permit ip any any
    hostname(config)# access-group ACL_IN in interface inside
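    What the appliance does with object groups in an ACE is expand them into the individual entries they stand for, following group-object nesting, and the expanded count is what show access-list reports. The following Python is an added example written for this page, not code from the Cisco guide; the configuration it parses is constructed, with group names (eng, hr, admin, web, web_ports) modeled on the nesting example above, and it handles only network-object, port-object and group-object members.

```python
"""Expand an ACE that references object groups into the individual entries it
stands for, resolving nested groups (group-object) recursively.  Added example,
not code from the Cisco guide.  The ASA performs the same expansion when it
compiles the access list, which is why one ACE over nested groups can turn
into hundreds of entries."""
from typing import Dict, List

# Constructed configuration, following the guide's nested-group example.
CONFIG = """
object-group network eng
 network-object host 10.1.1.5
 network-object host 10.1.1.9
object-group network hr
 network-object 10.1.2.0 255.255.255.0
object-group network admin
 group-object eng
 group-object hr
object-group network web
 network-object host 209.165.201.29
 network-object host 209.165.201.16
object-group service web_ports tcp
 port-object eq www
 port-object eq 443
access-list ACL_IN extended permit tcp object-group admin object-group web object-group web_ports
"""


def parse_groups(config: str):
    """Return (network groups, service groups, ACE lines).  Group members are
    stored unexpanded; a group-object reference is kept as ('group', name)."""
    nets: Dict[str, List] = {}
    svcs: Dict[str, List] = {}
    aces: List[str] = []
    current = None
    for raw in config.strip().splitlines():
        t = raw.split()
        if t[0] == "object-group":
            kind, name = t[1], t[2]
            current = (nets if kind == "network" else svcs).setdefault(name, [])
        elif t[0] == "network-object":
            current.append(("host", t[2]) if t[1] == "host" else ("net", t[1], t[2]))
        elif t[0] == "port-object":
            current.append(("port", t[2]))
        elif t[0] == "group-object":
            current.append(("group", t[1]))
        elif t[0] == "access-list":
            aces.append(raw)
    return nets, svcs, aces


def expand(name: str, groups: Dict[str, List], seen=()) -> List[str]:
    """Flatten a group to CLI address/port tokens, following nesting.
    `seen` guards against a reference cycle (the ASA rejects one at config time)."""
    if name in seen:
        raise ValueError(f"object-group {name} refers to itself")
    out = []
    for m in groups[name]:
        if m[0] == "group":
            out.extend(expand(m[1], groups, seen + (name,)))
        elif m[0] == "host":
            out.append(f"host {m[1]}")
        elif m[0] == "net":
            out.append(f"{m[1]} {m[2]}")
        else:                                   # ('port', value)
            out.append(f"eq {m[1]}")
    return out


def expand_ace(line: str, nets, svcs) -> List[str]:
    """Rewrite one ACE that uses object-group keywords as the plain ACEs it covers."""
    t = line.split()
    head = " ".join(t[:5])                      # access-list NAME extended permit tcp
    rest = t[5:]
    fields = []                                 # one list of alternatives per field
    while rest:
        if rest[0] == "object-group":
            name = rest[1]
            fields.append(expand(name, nets if name in nets else svcs))
            rest = rest[2:]
        elif rest[0] in ("host", "eq"):
            fields.append([f"{rest[0]} {rest[1]}"])
            rest = rest[2:]
        elif rest[0] == "any":
            fields.append(["any"])
            rest = rest[1:]
        else:                                   # address mask
            fields.append([f"{rest[0]} {rest[1]}"])
            rest = rest[2:]
    result = [head]
    for alternatives in fields:                 # cartesian product across fields
        result = [f"{r} {alt}" for r in result for alt in alternatives]
    return result


NETS, SVCS, ACES = parse_groups(CONFIG)
EXPANDED = expand_ace(ACES[0], NETS, SVCS)

if __name__ == "__main__":
    for entry in EXPANDED:
        print(entry)
    print(len(EXPANDED), "entries from one ACE")
```

    Three sources (two hosts from eng plus the hr network, reached through admin), two web servers and two ports give twelve entries from a single configured line; the number grows multiplicatively with every group added to an ACE, which is what to check before nesting large groups.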
  • Page 284: Displaying Object Groups

    Entering a dash (-) at the beginning of the remark helps set it apart from ACEs.
    hostname(config)# access-list OUT remark - this is the inside admin address
    hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
  • Page 285: Scheduling Extended Access List Activation

    8:00 1 january 2006
    The following is an example of a weekly periodic time range from 8:00 a.m. to 6:00 p.m. on weekdays:
    hostname(config)# time-range workinghours
  • Page 286: Applying The Time Range To An Ace

    Note Only ACEs in the access list generate logging messages; the implicit deny at the end of the access list does not generate a message. If you want all denied traffic to generate messages, add the implicit ACE manually to the end of the access list, as follows.
  • Page 287: Configuring Logging For An Access Control Entry

    For connectionless protocols, such as ICMP, all packets are logged even if they are permitted, and all denied packets are logged. See the Cisco Security Appliance Logging Configuration and System Log Messages for detailed information about this system message.
  • Page 288: Managing Deny Flows

    The number is between 1 and 4096. 4096 is the default.
    • To set the amount of time between system messages (number 106101) that identify that the maximum number of deny flows was reached, enter the following command:
  • Page 289: Chapter 16 Identifying Traffic with Access Lists, Logging Access List Activity

    hostname(config)# access-list alert-interval secs
    The seconds are between 1 and 3600. 300 is the default.
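    To see how the 106100 and 106101 messages are consumed on the receiving end, the following Python parses a batch of access-list log lines, sums the per-interval hit counts for each denied flow and flags the point at which the deny-flow cache reaches its limit. This is an added example written for this page, not code from the Cisco guide; the syslog lines are constructed samples in the documented shape of those two messages, not captured output, and the access list name ACL_IN and the hash codes are made up.

```python
"""Parse ASA access-list log messages (106100 per-flow hits, 106101 deny-flow
cache limit reached) and aggregate denied flows per ACE.  Added example, not
code from the Cisco guide; the log lines below are constructed samples."""
import re
from collections import defaultdict

# Constructed sample syslog lines (not captured from a device).
SAMPLE_LOG = """\
%ASA-6-106100: access-list ACL_IN denied tcp inside/10.1.1.5(1025) -> outside/209.165.200.225(80) hit-cnt 1 first hit [0x8a50f89e, 0x0]
%ASA-6-106100: access-list ACL_IN permitted tcp inside/10.1.1.9(2048) -> outside/209.165.201.29(443) hit-cnt 1 first hit [0x1f2a3b4c, 0x0]
%ASA-6-106100: access-list ACL_IN denied tcp inside/10.1.1.5(1025) -> outside/209.165.200.225(80) hit-cnt 47 300-second interval [0x8a50f89e, 0x0]
%ASA-6-106100: access-list ACL_IN denied udp inside/10.1.2.7(53000) -> outside/209.165.200.225(53) hit-cnt 1 first hit [0x8a50f89e, 0x0]
%ASA-1-106101: Number of cached deny-flows for ACL log has reached limit (4096).
"""

HIT_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<sif>[^/]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<count>\d+) "
    r"(?P<when>first hit|\d+-second interval) \[(?P<hash1>0x[0-9a-f]+), (?P<hash2>0x[0-9a-f]+)\]")
LIMIT_RE = re.compile(r"%ASA-\d-106101: .*limit \((?P<limit>\d+)\)")


def parse_line(line: str):
    """Return a dict for a 106100 or 106101 message, or None for anything else."""
    m = HIT_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["msg"] = "106100"
        rec["count"] = int(rec["count"])
        return rec
    m = LIMIT_RE.match(line)
    if m:
        return {"msg": "106101", "limit": int(m.group("limit"))}
    return None


def summarize(log: str):
    """Aggregate denied hits per (ACE hash, flow) and note cache exhaustion.
    The ACE is identified by the first hash code, the value show access-list
    prints beside each entry.  hit-cnt counts hits within the reporting
    interval, so totals are summed per flow across messages."""
    denied = defaultdict(int)
    limit_hit = None
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msg"] == "106101":
            limit_hit = rec["limit"]    # further denied flows go unlogged until entries expire
        elif rec["action"] == "denied":
            key = (rec["hash1"], rec["proto"], rec["src"], rec["dst"], rec["dport"])
            denied[key] += rec["count"]
    return dict(denied), limit_hit


DENIED, LIMIT_HIT = summarize(SAMPLE_LOG)

if __name__ == "__main__":
    for key, total in DENIED.items():
        print(key, total)
    if LIMIT_HIT:
        print("deny-flow cache full at", LIMIT_HIT, "entries: new denied flows are not being logged")
```

    The "first hit" message and the later "300-second interval" message for the same flow are summed, so the repeated probe of 209.165.200.225:80 shows 48 hits rather than two log lines. The 106101 message is the one to alert on: once the cache is full, denied traffic that would otherwise be logged is no longer visible in syslog until existing deny-flow entries time out.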