Summary of Contents for Cisco FirePOWER ASA 5500 series
Cisco Security Appliance Command Line Configuration Guide For the Cisco ASA 5500 Series and Cisco PIX 500 Series Software Version 7.2(1) Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387)
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.;...
Sending Traffic to the Advanced Inspection and Prevention Security Services Module Sending Traffic to the Content Security and Control Security Services Module Applying QoS Policies Applying Connection Limits and TCP Normalization Firewall Mode Overview Stateful Inspection Overview VPN Functional Overview Cisco Security Appliance Command Line Configuration Guide OL-10088-01...
Invalid Classifier Criteria Classification Examples Cascading Security Contexts Management Access to Security Contexts System Administrator Access Context Administrator Access 3-10 Enabling or Disabling Multiple Context Mode 3-10 Backing Up the Single Mode Configuration 3-10...
Contents Enabling Multiple Context Mode 3-10 Restoring Single Context Mode 3-11 CHAPTER Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Overview Understanding ASA 5505 Ports and Interfaces...
Defining Route Maps Configuring OSPF OSPF Overview Enabling OSPF Redistributing Routes Into OSPF Configuring OSPF Interface Parameters 9-10 Configuring OSPF Area Parameters 9-12 Configuring OSPF NSSA 9-13 Configuring Route Summarization Between OSPF Areas 9-14...
Configuring a DHCP Server 10-1 Enabling the DHCP Server 10-2 Configuring DHCP Options 10-3 Using Cisco IP Phones with a DHCP Server 10-4 Configuring DHCP Relay Services 10-5 Configuring Dynamic DNS 10-6 Example 1: Client Updates Both A and PTR RRs for Static IP Addresses 10-7 Example 2: Client Updates Both A and PTR RRs;...
Using Certificates and User Login Credentials 13-15 Using User Login Credentials 13-15 Using certificates 13-16 Supporting a Zone Labs Integrity Server 13-16 Overview of Integrity Server and Security Appliance Interaction 13-17 Configuring Integrity Server Support 13-17...
Configuring Unit Health Monitoring 14-36 Configuring Failover Communication Authentication/Encryption 14-36 Verifying the Failover Configuration 14-37 Using the show failover Command 14-37 Viewing Monitored Interfaces 14-45 Displaying the Failover Commands in the Running Configuration 14-45...
CHAPTER Access List Overview 16-1 Access List Types 16-2 Access Control Entry Order 16-2 Access Control Implicit Deny 16-3 IP Addresses Used for Access Lists When You Use NAT 16-3...
17-3 NAT Types 17-5 Dynamic NAT 17-5 17-6 Static NAT 17-7 Static PAT 17-7 Bypassing NAT when NAT Control is Enabled 17-8 Policy NAT 17-9 NAT and Same Security Level Interfaces 17-12...
Configuring a RADIUS Server to Send Downloadable Access Control Lists 19-7 Configuring a RADIUS Server to Download Per-User Access Control List Names 19-11 Configuring Accounting for Network Access 19-12 Using MAC Addresses to Exempt Traffic from Authentication and Authorization 19-13...
21-8 Identifying Traffic in an Inspection Class Map 21-9 Defining Actions in an Inspection Policy Map 21-10 Defining Actions Using a Layer 3/4 Policy Map 21-13 Layer 3/4 Policy Map Overview 21-13...
Configuring IP Audit for Basic IPS Support 23-7 CHAPTER Applying QoS Policies 24-1 Overview 24-1 QoS Concepts 24-2 Implementing QoS 24-2 Identifying Traffic for QoS 24-4...
25-15 Using the Static Command for DNS Rewrite 25-15 Using the Alias Command for DNS Rewrite 25-16 Configuring DNS Rewrite with Two NAT Zones 25-16 DNS Rewrite with Three NAT Zones 25-17...
ILS Inspection 25-51 MGCP Inspection 25-52 MGCP Inspection Overview 25-53 Configuring an MGCP Inspection Policy Map for Additional Inspection Control 25-54 Configuring MGCP Timeout Values 25-56 Verifying and Monitoring MGCP Inspection 25-56...
CHAPTER Configuring ARP Inspection 26-1 ARP Inspection Overview 26-1 Adding a Static ARP Entry 26-2 Enabling ARP Inspection 26-2 Customizing the MAC Address Table 26-3...
Creating a Basic IPSec Configuration 27-22 Using Dynamic Crypto Maps 27-24 Providing Site-to-Site Redundancy 27-26 Viewing an IPSec Configuration 27-26 Clearing Security Associations 27-27 Clearing Crypto Map Configurations 27-27 Supporting the Nokia VPN Client 27-28...
CHAPTER Overview of Tunnel Groups, Group Policies, and Users 30-1 Tunnel Groups 30-2 General Tunnel-Group Connection Parameters 30-2 IPSec Tunnel-Group Connection Parameters 30-3 WebVPN Tunnel-Group Connection Parameters 30-4 Configuring Tunnel Groups 30-5...
30-41 Configuring Domain Attributes for Tunneling 30-42 Configuring Attributes for VPN Hardware Clients 30-44 Configuring Backup Server Attributes 30-47 Configuring Microsoft Internet Explorer Client Parameters 30-48 Configuring Network Admission Control Parameters 30-50...
Specifying the Access Control Server Group 33-2 Enabling NAC 33-2 Configuring the Default ACL for NAC 33-3 Configuring Exemptions from NAC 33-4 Changing Advanced Settings 33-5 Changing Clientless Authentication Settings 33-5...
Setting the Revalidation Timer 33-9 CHAPTER Configuring Easy VPN Services on the ASA 5505 34-1 Specifying the Client/Server Role of the Cisco ASA 5505 34-2 Specifying the Primary and Secondary Servers 34-3 Specifying the Mode...
Closing Application Access to Prevent hosts File Errors 37-17 Recovering from hosts File Errors When Using Application Access 37-18 Understanding the hosts File 37-18 Stopping Application Access Improperly 37-19 Reconfiguring a hosts File 37-19 Configuring File Access 37-21...
37-49 Creating a Capture File 37-50 Using a Browser to Display Capture Data 37-50 CHAPTER Configuring SSL VPN Client 38-1 Installing SVC 38-1 Platform Requirements 38-1...
Exporting a Trustpoint Configuration 39-15 Importing a Trustpoint Configuration 39-15 Configuring CA Certificate Map Rules 39-15 CHAPTER Managing System Access 40-1 Allowing Telnet Access 40-1...
41-8 Backing Up a Context Configuration within a Context 41-9 Copying the Configuration from the Terminal Display 41-9 Configuring Auto Update Support 41-9 Configuring Communication with an Auto Update Server 41-9...
Changing the Severity Level of a System Log Message 42-21 Changing the Amount of Internal Flash Memory Available for Logs 42-22 Understanding System Log Messages 42-23 System Log Message Format 42-23 Severity Levels 42-23...
Example 1: Customer B Context Configuration Example 1: Customer C Context Configuration Example 2: Single Mode Firewall Using Same Security Level Example 3: Shared Resources for Multiple Contexts Example 3: System Configuration...
Example 14: ASA 5505 Base License B-34 Example 15: ASA 5505 Security Plus License with Failover and Dual-ISP Backup B-36 Example 15: Primary Unit Configuration B-36 Example 15: Secondary Unit Configuration B-38...
Determining the Address to Use with the Subnet Mask IPv6 Addresses IPv6 Address Format IPv6 Address Types Unicast Addresses Multicast Address Anycast Address Required Addresses D-10 IPv6 Address Prefixes D-10 Protocols and Applications D-11 TCP and UDP Ports D-11...
Example 3: LDAP Authentication and LDAP Authorization with Microsoft Active Directory E-22 Configuring an External RADIUS Server E-24 Reviewing the RADIUS Configuration Procedure E-24 Security Appliance RADIUS Authorization Attributes E-25 GLOSSARY INDEX...
Help for less common scenarios. For more information, see: http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdm/index.htm This guide applies to the Cisco PIX 500 series security appliances (PIX 515E, PIX 525, and PIX 535) and the Cisco ASA 5500 series security appliances (ASA 5505, ASA 5510, ASA 5520, ASA 5540, and ASA 5550).
• Cisco ASDM Release Notes • Cisco PIX 515E Quick Start Guide • Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0 • Migrating to ASA for VPN 3000 Series Concentrator Administrators • Cisco Security Appliance Command Reference...
Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP routed networks. Chapter 25, “Configuring Application Layer Protocol Inspection” Describes how to use and configure application inspection...
Chapter 41, “Managing Software, Licenses, and Configurations” Describes how to enter license keys and download software and configuration files. Chapter 42, “Monitoring the Security Appliance” Describes how to monitor the security appliance...
• Variables for which you must supply a value are shown in italic screen font. Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual...
The DVD enables you to access multiple versions of installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the same HTML documentation that is found on the Cisco website without being connected to the Internet.
We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts &...
Cisco engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ • Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL: http://www.ciscopress.com...
PART Getting Started and General Information...
WebVPN support, and many more features. See Appendix A, “Feature Licenses and Specifications,” for a list of supported platforms and features. For a list of new features, see the Cisco ASA 5500 Series Release Notes or the Cisco PIX Security Appliance Release Notes.
Using AAA for Through Traffic You can require authentication and/or authorization for certain types of traffic, for example, for HTTP. The security appliance also sends accounting information to a RADIUS or TACACS+ server...
TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets that do not appear normal. Firewall Mode Overview The security appliance runs in two different firewall modes: • Routed • Transparent...
The fast path is responsible for the following tasks: – IP checksum verification – Session lookup – TCP sequence number check – NAT translations based on existing sessions – Layer 3 and Layer 4 header adjustments...
The security appliance invokes various standard protocols to accomplish these functions. Intrusion Prevention Services Functional Overview The Cisco ASA 5500 series adaptive security appliance supports the AIP SSM, an intrusion prevention services module that monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library.
Note You can run all your contexts in routed mode or transparent mode; you cannot run some contexts in one mode and others in another. Multiple context mode supports static routing only...
Factory Default Configurations The factory default configuration is the configuration applied by Cisco to new security appliances. The factory default configuration is supported on all models except for the PIX 525 and PIX 535 security appliances.
• All inside IP addresses are translated when accessing the outside using interface PAT. • By default, inside users can access the outside with an access list, and outside users are prevented from accessing the inside...
• The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254. • The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network...
Note If you want to use ASDM to configure the security appliance instead of the command-line interface, you can connect to the default management address of 192.168.1.1 (if your security appliance includes a factory default configuration; see the “Factory Default Configurations” section on page 2-1). On the...
You can set the security appliance to run in routed firewall mode (the default) or transparent firewall mode. For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system execution space...
• Creating Text Configuration Files Offline, page 2-9 Saving Configuration Changes This section describes how to save your configuration, and includes the following topics: • Saving Configuration Changes in Single Context Mode, page 2-7...
Sometimes, a context is not saved because of an error. See the following information for errors: • For contexts that are not saved because of low memory, the following message appears: The context 'context a' could not be saved due to Unavailability of resources...
Viewing the Configuration The following commands let you view the running and startup configurations. • To view the running configuration, enter the following command: hostname# show running-config...
Alternatively, you can download a text file to the security appliance internal Flash memory. See Chapter 41, “Managing Software, Licenses, and Configurations,” for information on downloading the configuration file to the security appliance...
In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows: context a For additional information about formatting the file, see Appendix C, “Using the Command-Line Interface.”...
• You are a large enterprise or a college campus and want to keep departments completely separate. • You are an enterprise that wants to provide distinct security policies to different departments. • You have any network that requires more than one security appliance...
Flash memory called admin.cfg. This context is named “admin.” If you do not want to use admin.cfg as the admin context, you can change the admin context...
IP address after classification depends on how you configure NAT and NAT control. For example, the classifier gains knowledge about subnets 10.10.10.0, 10.20.10.0 and 10.30.10.0 when the context administrators configure static commands in each context: • Context A:...
[Figure: Admin Context, Context A, and Context B on subinterfaces GE 0/1.1, GE 0/1.2, GE 0/1.3 with MAC addresses 000C.F142.4CDA, 000C.F142.4CDB, 000C.F142.4CDC; Inside Admin Network, Inside Customer A, Inside Customer B; hosts 209.165.202.129, 209.165.200.225, 209.165.201.1]...
(the Web, for example), and addresses are not predictable for an outside NAT configuration. If you share an inside interface, we suggest you use unique MAC addresses...
[Figure: Incoming Traffic from Inside Networks. Internet via GE 0/0.1; Classifier selects among Admin Context, Context A, and Context B on GE 0/1.1, GE 0/1.2, GE 0/1.3; Inside Admin Network, Inside Customer A, Inside Customer B; each with a host at 10.1.1.13]...
Note Cascading contexts requires that you configure unique MAC addresses for each context interface. Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading contexts without unique MAC addresses...
To log in with a username, enter the login command. For example, you log in to the admin context with the...
Your security appliance might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. ASDM does not support changing modes, so you need to change modes using the CLI.
Step 2 To set the mode to single mode, enter the following command in the system execution space: hostname(config)# mode single The security appliance reboots...
CHAPTER Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive security appliance.
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Overview Understanding ASA 5505 Ports and Interfaces The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure: • Physical switch ports—The adaptive security appliance has eight Fast Ethernet switch ports that...
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Overview Figure 4-1 ASA 5505 Adaptive Security Appliance with Base License [Figure: Internet, ASA 5505 with Base License, Home, Business] With the Security Plus license, you can configure three VLAN interfaces for normal traffic, one VLAN interface for failover, and one VLAN interface as a backup link to your ISP.
“Configuring Switch Ports as Access Ports” section on page 4-9 for more information about shutting down a switch port. To view the status of PoE switch ports, including the type of device connected (Cisco or IEEE 802.3af), use the show power inline command. Monitoring Traffic Using SPAN If you want to monitor traffic that enters or exits one or more switch ports, you can enable SPAN, also known as switch port monitoring.
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring VLAN Interfaces Security Level Overview Each VLAN interface must have