Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line

Cisco Security Appliance Command Line
Configuration Guide
For the Cisco ASA 5500 Series and Cisco PIX 500 Series
Software Version 7.2(1)
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: N/A, Online only
Text Part Number: OL-10088-01


  Summary of Contents for Cisco FirePOWER ASA 5500 series

  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.;...
  • Page 3 Sending Traffic to the Advanced Inspection and Prevention Security Services Module Sending Traffic to the Content Security and Control Security Services Module Applying QoS Policies Applying Connection Limits and TCP Normalization Firewall Mode Overview Stateful Inspection Overview VPN Functional Overview Cisco Security Appliance Command Line Configuration Guide OL-10088-01...
  • Page 4: Table Of Contents

    Invalid Classifier Criteria Classification Examples Cascading Security Contexts Management Access to Security Contexts System Administrator Access Context Administrator Access 3-10 Enabling or Disabling Multiple Context Mode 3-10 Backing Up the Single Mode Configuration 3-10
  • Page 5 Contents Enabling Multiple Context Mode 3-10 Restoring Single Context Mode 3-11 CHAPTER Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Overview Understanding ASA 5505 Ports and Interfaces...
  • Page 6 Defining Route Maps Configuring OSPF OSPF Overview Enabling OSPF Redistributing Routes Into OSPF Configuring OSPF Interface Parameters 9-10 Configuring OSPF Area Parameters 9-12 Configuring OSPF NSSA 9-13 Configuring Route Summarization Between OSPF Areas 9-14
  • Page 7 Configuring a DHCP Server 10-1 Enabling the DHCP Server 10-2 Configuring DHCP Options 10-3 Using Cisco IP Phones with a DHCP Server 10-4 Configuring DHCP Relay Services 10-5 Configuring Dynamic DNS 10-6 Example 1: Client Updates Both A and PTR RRs for Static IP Addresses 10-7 Example 2: Client Updates Both A and PTR RRs;...
  • Page 8 Configuring IPv6 Default and Static Routes 12-5 Configuring IPv6 Access Lists 12-6 Configuring IPv6 Neighbor Discovery 12-7 Configuring Neighbor Solicitation Messages 12-7 Configuring Router Advertisement Messages 12-9 Configuring a Static IPv6 Neighbor 12-11
  • Page 9 Using Certificates and User Login Credentials 13-15 Using User Login Credentials 13-15 Using certificates 13-16 Supporting a Zone Labs Integrity Server 13-16 Overview of Integrity Server and Security Appliance Interaction 13-17 Configuring Integrity Server Support 13-17
  • Page 10 Configuring Unit Health Monitoring 14-36 Configuring Failover Communication Authentication/Encryption 14-36 Verifying the Failover Configuration 14-37 Using the show failover Command 14-37 Viewing Monitored Interfaces 14-45 Displaying the Failover Commands in the Running Configuration 14-45
  • Page 11 CHAPTER Access List Overview 16-1 Access List Types 16-2 Access Control Entry Order 16-2 Access Control Implicit Deny 16-3 IP Addresses Used for Access Lists When You Use NAT 16-3
  • Page 12 17-3 NAT Types 17-5 Dynamic NAT 17-5 17-6 Static NAT 17-7 Static PAT 17-7 Bypassing NAT when NAT Control is Enabled 17-8 Policy NAT 17-9 NAT and Same Security Level Interfaces 17-12
  • Page 13 Configuring a RADIUS Server to Send Downloadable Access Control Lists 19-7 Configuring a RADIUS Server to Download Per-User Access Control List Names 19-11 Configuring Accounting for Network Access 19-12 Using MAC Addresses to Exempt Traffic from Authentication and Authorization 19-13
  • Page 14 21-8 Identifying Traffic in an Inspection Class Map 21-9 Defining Actions in an Inspection Policy Map 21-10 Defining Actions Using a Layer 3/4 Policy Map 21-13 Layer 3/4 Policy Map Overview 21-13
  • Page 15 Configuring IP Audit for Basic IPS Support 23-7 CHAPTER Applying QoS Policies 24-1 Overview 24-1 QoS Concepts 24-2 Implementing QoS 24-2 Identifying Traffic for QoS 24-4
  • Page 16 25-15 Using the Static Command for DNS Rewrite 25-15 Using the Alias Command for DNS Rewrite 25-16 Configuring DNS Rewrite with Two NAT Zones 25-16 DNS Rewrite with Three NAT Zones 25-17
  • Page 17 ILS Inspection 25-51 MGCP Inspection 25-52 MGCP Inspection Overview 25-53 Configuring an MGCP Inspection Policy Map for Additional Inspection Control 25-54 Configuring MGCP Timeout Values 25-56 Verifying and Monitoring MGCP Inspection 25-56
  • Page 18 CHAPTER Configuring ARP Inspection 26-1 ARP Inspection Overview 26-1 Adding a Static ARP Entry 26-2 Enabling ARP Inspection 26-2 Customizing the MAC Address Table 26-3
  • Page 19 Creating a Basic IPSec Configuration 27-22 Using Dynamic Crypto Maps 27-24 Providing Site-to-Site Redundancy 27-26 Viewing an IPSec Configuration 27-26 Clearing Security Associations 27-27 Clearing Crypto Map Configurations 27-27 Supporting the Nokia VPN Client 27-28
  • Page 20 CHAPTER Overview of Tunnel Groups, Group Policies, and Users 30-1 Tunnel Groups 30-2 General Tunnel-Group Connection Parameters 30-2 IPSec Tunnel-Group Connection Parameters 30-3 WebVPN Tunnel-Group Connection Parameters 30-4 Configuring Tunnel Groups 30-5
  • Page 21 30-41 Configuring Domain Attributes for Tunneling 30-42 Configuring Attributes for VPN Hardware Clients 30-44 Configuring Backup Server Attributes 30-47 Configuring Microsoft Internet Explorer Client Parameters 30-48 Configuring Network Admission Control Parameters 30-50
  • Page 22 Specifying the Access Control Server Group 33-2 Enabling NAC 33-2 Configuring the Default ACL for NAC 33-3 Configuring Exemptions from NAC 33-4 Changing Advanced Settings 33-5 Changing Clientless Authentication Settings 33-5
  • Page 23 Setting the Revalidation Timer 33-9 CHAPTER Configuring Easy VPN Services on the ASA 5505 34-1 Specifying the Client/Server Role of the Cisco ASA 5505 34-2 Specifying the Primary and Secondary Servers 34-3 Specifying the Mode...
  • Page 24 Closing Application Access to Prevent hosts File Errors 37-17 Recovering from hosts File Errors When Using Application Access 37-18 Understanding the hosts File 37-18 Stopping Application Access Improperly 37-19 Reconfiguring a hosts File 37-19 Configuring File Access 37-21
  • Page 25 37-49 Creating a Capture File 37-50 Using a Browser to Display Capture Data 37-50 CHAPTER Configuring SSL VPN Client 38-1 Installing SVC 38-1 Platform Requirements 38-1
  • Page 26 Exporting a Trustpoint Configuration 39-15 Importing a Trustpoint Configuration 39-15 Configuring CA Certificate Map Rules 39-15 CHAPTER Managing System Access 40-1 Allowing Telnet Access 40-1
  • Page 27 41-8 Backing Up a Context Configuration within a Context 41-9 Copying the Configuration from the Terminal Display 41-9 Configuring Auto Update Support 41-9 Configuring Communication with an Auto Update Server 41-9
  • Page 28 Changing the Severity Level of a System Log Message 42-21 Changing the Amount of Internal Flash Memory Available for Logs 42-22 Understanding System Log Messages 42-23 System Log Message Format 42-23 Severity Levels 42-23
  • Page 29 Example 1: Customer B Context Configuration Example 1: Customer C Context Configuration Example 2: Single Mode Firewall Using Same Security Level Example 3: Shared Resources for Multiple Contexts Example 3: System Configuration
  • Page 30 Example 14: ASA 5505 Base License B-34 Example 15: ASA 5505 Security Plus License with Failover and Dual-ISP Backup B-36 Example 15: Primary Unit Configuration B-36 Example 15: Secondary Unit Configuration B-38
  • Page 31 Determining the Address to Use with the Subnet Mask IPv6 Addresses IPv6 Address Format IPv6 Address Types Unicast Addresses Multicast Address Anycast Address Required Addresses D-10 IPv6 Address Prefixes D-10 Protocols and Applications D-11 TCP and UDP Ports D-11
  • Page 32 Example 3: LDAP Authentication and LDAP Authorization with Microsoft Active Directory E-22 Configuring an External RADIUS Server E-24 Reviewing the RADIUS Configuration Procedure E-24 Security Appliance RADIUS Authorization Attributes E-25 GLOSSARY INDEX
  • Page 33: About This Guide

    Help for less common scenarios. For more information, see: http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdm/index.htm This guide applies to the Cisco PIX 500 series security appliances (PIX 515E, PIX 525, and PIX 535) and the Cisco ASA 5500 series security appliances (ASA 5505, ASA 5510, ASA 5520, ASA 5540, and ASA 5550).
  • Page 34: Related Documentation

    • Cisco ASDM Release Notes • Cisco PIX 515E Quick Start Guide • Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0 • Migrating to ASA for VPN 3000 Series Concentrator Administrators • Cisco Security Appliance Command Reference...
  • Page 35 Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP routed networks. Chapter 25, “Configuring Application Layer Protocol Inspection” Describes how to use and configure application inspection.
  • Page 36 Chapter 41, “Managing Software, Licenses, and Configurations” Describes how to enter license keys and download software and configuration files. Chapter 42, “Monitoring the Security Appliance” Describes how to monitor the security appliance.
  • Page 37: Document Conventions

    • Variables for which you must supply a value are shown in italic screen font. Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
  • Page 38: Documentation Feedback

    The DVD enables you to access multiple versions of installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the same HTML documentation that is found on the Cisco website without being connected to the Internet.
  • Page 39 We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.
  • Page 40 Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts &...
  • Page 41 Cisco engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
  • Page 42 Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ • Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL: http://www.ciscopress.com...
  • Page 43 PART Getting Started and General Information...
  • Page 45 WebVPN support, and many more features. See Appendix A, “Feature Licenses and Specifications,” for a list of supported platforms and features. For a list of new features, see the Cisco ASA 5500 Series Release Notes or the Cisco PIX Security Appliance Release Notes.
  • Page 46 Using AAA for Through Traffic You can require authentication and/or authorization for certain types of traffic, for example, for HTTP. The security appliance also sends accounting information to a RADIUS or TACACS+ server.
  • Page 47 TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets that do not appear normal. Firewall Mode Overview The security appliance runs in two different firewall modes: • Routed • Transparent
  • Page 48 The fast path is responsible for the following tasks: – IP checksum verification – Session lookup – TCP sequence number check – NAT translations based on existing sessions – Layer 3 and Layer 4 header adjustments
  • Page 49: Intrusion Prevention Services Functional Overview

    The security appliance invokes various standard protocols to accomplish these functions. Intrusion Prevention Services Functional Overview The Cisco ASA 5500 series adaptive security appliance supports the AIP SSM, an intrusion prevention services module that monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library.
  • Page 50: Security Context Overview

    Note You can run all your contexts in routed mode or transparent mode; you cannot run some contexts in one mode and others in another. Multiple context mode supports static routing only.
  • Page 51: Chapter 2 Getting Started

    Factory Default Configurations The factory default configuration is the configuration applied by Cisco to new security appliances. The factory default configuration is supported on all models except for the PIX 525 and PIX 535 security appliances.
  • Page 52: Restoring The Factory Default Configuration

    • All inside IP addresses are translated when accessing the outside using interface PAT. • By default, inside users can access the outside with an access list, and outside users are prevented from accessing the inside.
  • Page 53: Asa 5510 And Higher Default Configuration

    • The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254. • The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
  • Page 54: Pix 515/515E Default Configuration

    Note If you want to use ASDM to configure the security appliance instead of the command-line interface, you can connect to the default management address of 192.168.1.1 (if your security appliance includes a factory default configuration. See the “Factory Default Configurations” section on page 2-1.). On the...
  • Page 55: Setting Transparent Or Routed Firewall Mode

    You can set the security appliance to run in routed firewall mode (the default) or transparent firewall mode. For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system execution space.
  • Page 56: Working With The Configuration

    • Creating Text Configuration Files Offline, page 2-9 Saving Configuration Changes This section describes how to save your configuration, and includes the following topics: • Saving Configuration Changes in Single Context Mode, page 2-7
  • Page 57: Saving Configuration Changes In Single Context Mode

    Sometimes, a context is not saved because of an error. See the following information for errors: • For contexts that are not saved because of low memory, the following message appears: The context 'context a' could not be saved due to Unavailability of resources
  • Page 58: Copying The Startup Configuration To The Running Configuration

    Viewing the Configuration The following commands let you view the running and startup configurations. • To view the running configuration, enter the following command: hostname# show running-config
  • Page 59: Clearing And Removing Configuration Settings

    Alternatively, you can download a text file to the security appliance internal Flash memory. See Chapter 41, “Managing Software, Licenses, and Configurations,” for information on downloading the configuration file to the security appliance.
  • Page 60 In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows: context a For additional information about formatting the file, see Appendix C, “Using the Command-Line Interface.”
  • Page 61 • You are a large enterprise or a college campus and want to keep departments completely separate. • You are an enterprise that wants to provide distinct security policies to different departments. • You have any network that requires more than one security appliance.
  • Page 62: Chapter 3 Enabling Multiple Context Mode

    Flash memory called admin.cfg. This context is named “admin.” If you do not want to use admin.cfg as the admin context, you can change the admin context.
  • Page 63: How The Security Appliance Classifies Packets

    IP address after classification depends on how you configure NAT and NAT control. For example, the classifier gains knowledge about subnets 10.10.10.0, 10.20.10.0 and 10.30.10.0 when the context administrators configure static commands in each context: Context A:...
  • Page 64: Invalid Classifier Criteria

  • Page 65: Classification Examples

    Figure: Admin Context, Context A, and Context B sharing the inside interface as GE 0/1.1, GE 0/1.2, and GE 0/1.3 (MAC addresses 000C.F142.4CDA, 000C.F142.4CDB, and 000C.F142.4CDC), each leading to a host on the Inside Admin Network, Inside Customer A, and Inside Customer B networks: 209.165.202.129, 209.165.200.225, and 209.165.201.1.
  • Page 66 (the Web, for example), and addresses are not predictable for an outside NAT configuration. If you share an inside interface, we suggest you use unique MAC addresses.
  • Page 67 Figure: Incoming Traffic from Inside Networks. The Internet is reached through GE 0/0.1; the classifier directs traffic from the Admin Context, Context A, and Context B interfaces GE 0/1.1, GE 0/1.2, and GE 0/1.3 (Inside Admin Network, Inside Customer A, Inside Customer B), each of which has a host using the same address, 10.1.1.13.
  • Page 68: Cascading Security Contexts

    Note Cascading contexts requires that you configure unique MAC addresses for each context interface. Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading contexts without unique MAC addresses.
  • Page 69: Management Access To Security Contexts

    To log in with a username, enter the login command. For example, you log in to the admin context with the...
  • Page 70: Context Administrator Access

    Your security appliance might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. ASDM does not support changing modes, so you need to change modes using the CLI.
  • Page 71: Restoring Single Context Mode

    Step 2 To set the mode to single mode, enter the following command in the system execution space: hostname(config)# mode single The security appliance reboots.
  • Page 73: Configuring Switch Ports And Vlan Interfaces For The Cisco Asa 5505 Adaptive Security Appliance

    CHAPTER Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive security appliance.
  • Page 74: Understanding Asa 5505 Ports And Interfaces

    Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Overview Understanding ASA 5505 Ports and Interfaces The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure: Physical switch ports—The adaptive security appliance has eight Fast Ethernet switch ports that...
  • Page 75: Default Interface Configuration

    Figure 4-1 ASA 5505 Adaptive Security Appliance with Base License (Internet, ASA 5505 with Base License, Home, Business) With the Security Plus license, you can configure three VLAN interfaces for normal traffic, one VLAN interface for failover, and one VLAN interface as a backup link to your ISP.
  • Page 76: Vlan Mac Addresses

    “Configuring Switch Ports as Access Ports” section on page 4-9 for more information about shutting down a switch port. To view the status of PoE switch ports, including the type of device connected (Cisco or IEEE 802.3af), use the show power inline command. Monitoring Traffic Using SPAN If you want to monitor traffic that enters or exits one or more switch ports, you can enable SPAN, also known as switch port monitoring.
  • Page 77: Security Level Overview

    Security Level Overview Each VLAN interface must have a security level in the range 0 to 100 (from lowest to highest). For example, you should assign your most secure network, such as the inside business network, to level 100.
  • Page 78 Note If you are using failover, do not use this procedure to name interfaces that you are reserving for failover communications. See Chapter 14, “Configuring Failover,”...
  • Page 79 You can configure up to five VLANs with the Security Plus license. You can configure three VLAN interfaces for normal traffic, one VLAN interface for failover, and one VLAN interface as a backup link to your ISP.
  • Page 80 By default in routed mode, all VLANs use the same MAC address. In transparent mode, the VLANs use unique MAC addresses. You might want to set unique VLANs or change the generated VLANs if your switch requires it, or for access control purposes.
  • Page 81: Configuring Switch Ports As Access Ports

    Configuring Switch Ports as Access Ports
    hostname(config-if)# interface vlan 200
    hostname(config-if)# nameif business
    hostname(config-if)# security-level 100
    hostname(config-if)# ip address 10.1.1.1 255.255.255.0
    hostname(config-if)# no shutdown...
  • Page 82 The auto setting is the default. If you set the speed to anything other than auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.
  • Page 83: Configuring A Switch Port As A Trunk Port

    Configuring a Switch Port as a Trunk Port
    hostname(config-if)# interface ethernet 0/1
    hostname(config-if)# switchport access vlan 200
    hostname(config-if)# no shutdown
    hostname(config-if)# interface ethernet 0/2...
  • Page 84 Step 3 To make this switch port a trunk port, enter the following command: hostname(config-if)# switchport mode trunk To restore this port to access mode, enter the switchport mode access command.
  • Page 85: Allowing Communication Between Vlan Interfaces On The Same Security Level

    Allowing Communication Between VLAN Interfaces on the Same Security Level
    hostname(config-if)# interface ethernet 0/1
    hostname(config-if)# switchport mode trunk
    hostname(config-if)# switchport trunk allowed vlan 200 300...
  • Page 87: Chapter 5 Configuring Ethernet Settings And Subinterfaces

    Note To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.” This chapter includes the following sections: • Configuring and Enabling RJ-45 Interfaces, page 5-1...
  • Page 88: Configuring And Enabling Fiber Interfaces

    By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through it or through a subinterface. For multiple context mode, if you allocate a...
  • Page 89: Configuring And Enabling Subinterfaces

    This feature is particularly useful in multiple context mode so you can assign unique interfaces to each context. To determine how many subinterfaces are allowed for your platform, see Appendix A, “Feature Licenses and Specifications.”
  • Page 90 To disable the interface, enter the shutdown command. If you shut down an interface in the system execution space, then that interface is shut down in all contexts that share it.
  • Page 91 The security appliance manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class. This section includes the following topics: • Resource Limits, page 6-2 • Default Class, page 6-3 • Class Members, page 6-4
  • Page 92: Chapter 6 Adding And Managing Security Contexts

    Context A, B, and C are unable to reach their 3 percent combined limit. (See Figure 6-2.) Setting unlimited access is similar to oversubscribing the security appliance, except that you have less control over how much you oversubscribe the system.
  • Page 93: Default Class

    By default, the default class provides unlimited access to resources for all contexts, except for the following limits, which are by default set to the maximum allowed per context: • Telnet sessions—5 sessions. • SSH sessions—5 sessions. • IPSec sessions—5 sessions. • MAC addresses—65,535 entries.
  • Page 94: Class Members

    Step 2 To set the resource limits, see the following options: • To set all resource limits (shown in Table 6-1) to be unlimited, enter the following command: hostname(config-resmgmt)# limit-resource all 0
  • Page 95 Table 6-1 lists the resource types and the limits. See also the show resource types command.
  • Page 96 For example, to set the default class limit for conns to 10 percent instead of unlimited, enter the following commands:
    hostname(config)# class default
    hostname(config-class)# limit-resource conns 10%
    All other resources remain at unlimited. To add a class called gold, enter the following commands:
    hostname(config)# class gold
  • Page 97: Configuring A Security Context

    • To allocate a physical interface, enter the following command: hostname(config-ctx)# allocate-interface physical_interface [map_name] [visible | invisible] • To allocate one or more subinterfaces, enter the following command: hostname(config-ctx)# allocate-interface physical_interface.subinterface[-physical_interface.subinterface] [map_name[-map_name]] [visible | invisible]
  • Page 98 The following example shows gigabitethernet0/1.100, gigabitethernet0/1.200, and gigabitethernet0/2.300 through gigabitethernet0/2.305 assigned to the context. The mapped names are int1 through int8. hostname(config-ctx)# allocate-interface gigabitethernet0/1.100 int1 hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int2 hostname(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305 int3-int8
  • Page 99 The server must be accessible from the admin context. The filename does not require a file extension, although we recommend using “.cfg”. If the configuration file is not available, you see the following message: WARNING: Could not fetch the URL http://url INFO: Creating context with default config
  • Page 100 For example, to assign the context to the gold class, enter the following command: hostname(config-ctx)# member gold Step 6 To view context information, see the show context command in the Cisco Security Appliance Command Reference. The following example sets the admin context to be “administrator,” creates a context called “administrator”...
  • Page 101: Automatically Assigning Mac Addresses To Context Interfaces

    The running configuration that you edit in a configuration mode, or that is used in the copy or write commands,
  • Page 102: Managing Security Contexts

    To remove a single context, enter the following command in the system execution space: hostname(config)# no context name All context commands are also removed. • To remove all contexts (including the admin context), enter the following command in the system execution space:
  • Page 103: Changing The Admin Context

    If you want to perform a merge, skip to Step 2. hostname# changeto context name hostname/name# configure terminal hostname/name(config)# clear configure all Step 2 If required, change to the system execution space by entering the following command: hostname/name(config)# changeto system
  • Page 104: Reloading A Security Context

    Step 4 To reload the configuration, enter the following command: hostname/name(config)# copy startup-config running-config The security appliance copies the configuration from the URL specified in the system configuration. You cannot change the URL from within a context.
  • Page 105: Reloading By Removing And Re-Adding The Context

    Lists all context names. The context name with the asterisk (*) is the admin context. Interfaces The interfaces assigned to the context. The URL from which the security appliance loads the context configuration.
  • Page 106: Viewing Resource Allocation

    Real Interfaces: Mapped Interfaces: Flags: 0x00000009, ID: 258 See the Cisco Security Appliance Command Reference for more information about the detail output. The following is sample output from the show context count command: hostname# show context count Total active contexts: 2...
  • Page 107 200000 200000 20.00% silver 100000 100000 10.00% bronze 50000 All Contexts: 300000 30.00% Hosts default unlimited gold unlimited silver 26214 26214 bronze 13107 All Contexts: 26214 default gold 5.00%
  • Page 108 The percentage of the total system resources that is allocated across all contexts in the class. If the resource is unlimited, this display is blank. If the resource does not have a system limit, then this column shows N/A.
  • Page 109: Viewing Resource Usage

    This sample shows the limits for 6 contexts. hostname# show resource usage summary Resource Current Peak Limit Denied Context Syslogs [rate] 1743 2132 0 Summary Conns 280000(S) 0 Summary
  • Page 110: Monitoring Syn Attacks In Contexts

    The following is sample output from the show perfmon command that shows the rate of TCP intercepts for a context called admin. hostname/admin# show perfmon Context:admin PERFMON STATS: Current Average Xlates
  • Page 111 0 system chunk:channels unlimited 0 system chunk:dbgtrace unlimited 0 system chunk:fixup unlimited 0 system chunk:ip-users unlimited 0 system chunk:list-elem 1014 1014 unlimited 0 system chunk:list-hdr unlimited 0 system chunk:route unlimited 0 system
  • Page 112 0 Summary tcp-intercept-rate 341306 811579 unlimited 0 Summary globals unlimited 0 Summary np-statics unlimited 0 Summary statics 0 Summary nats 0 Summary ace-rules 0 Summary console-access-rul 0 Summary fixup-rules 0 Summary
  • Page 113: Chapter 7 Configuring Interface Parameters

    Note To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.” This chapter includes the following sections: • Security Level Overview, page 7-1 •...
  • Page 114: Configuring The Interface

    If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.
  • Page 115 Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface.
  • Page 116 “Automatically Assigning MAC Addresses to Context Interfaces” section on page 6-11 to automatically generate MAC addresses. If you automatically generate MAC addresses, you can use the mac-address command to override the generated address.
  • Page 117 The following example configures parameters in multiple context mode for the context configuration: hostname/contextA(config)# interface gigabitethernet0/1.1 hostname/contextA(config-if)# nameif inside hostname/contextA(config-if)# security-level 100 hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0 hostname/contextA(config-if)# mac-address 030C.F142.4CDE standby 040C.F142.4CDE hostname/contextA(config-if)# no shutdown
  • Page 118: Allowing Communication Between Interfaces On The Same Security Level

    To enable interfaces on the same security level so that they can communicate with each other, enter the following command: hostname(config)# same-security-traffic permit inter-interface To disable this setting, use the no form of this command.
  • Page 119: Changing The Login Password

    • Setting the Management IP Address for a Transparent Firewall, page 8-5 Changing the Login Password The login password is used for Telnet and SSH connections. By default, the login password is “cisco.” To change the password, enter the following command: hostname(config)# {passwd | password} password You can enter passwd or password.
  • Page 120: Setting The Hostname

    Time derived from an NTP server overrides any time set manually. This section also describes how to set the time zone and daylight saving time date range. Note In multiple context mode, set the time in the system configuration only.
  • Page 121: Setting The Time Zone And Daylight Saving Time Date Range

    The week value specifies the week of the month as an integer between 1 and 4 or as the words first or last. For example, if the day might fall in the partial fifth week, then specify last.
  • Page 122: Setting The Date And Time Using An Ntp Server

    3 that is preferred. You can identify multiple servers; the security appliance uses the most accurate server. Setting the Date and Time Manually To set the date and time manually, enter the following command:
  • Page 123: Setting The Management Ip Address For A Transparent Firewall

    (255.255.255.255). This address must be IPv4; the transparent firewall does not support IPv6. The standby keyword and address are used for failover. See Chapter 14, “Configuring Failover,” for more information.
  • Page 124 Chapter 8 Configuring Basic Settings Setting the Management IP Address for a Transparent Firewall
  • Page 125: Chapter 9 Configuring Ip Routing

    If you have servers that cannot all be reached through a single default route, then you must configure static routes. The security appliance supports up to three equal cost routes on the same interface for load balancing.
  • Page 126: Configuring A Static Route

    The security appliance distributes the traffic among the specified gateways. hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1 hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.2 hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.3
  • Page 127: Configuring A Default Route

    This allows you to, for example, define a default route to an ISP gateway and a backup default route to a secondary ISP in case the primary ISP becomes unavailable.
  • Page 128 The track_id is a tracking number you assign with this command. The sla_id is the ID number of the SLA process you defined in Step. Step 3 Define the static route to be installed in the routing table while the tracked object is reachable using one of the following options:
  • Page 129 To use a default route obtained through PPPoE, enter the following commands: hostname(config)# interface phy_if hostname(config-if)# pppoe client route track track_id hostname(config-if)# pppoe client route distance admin_distance hostname(config-if)# ip address pppoe setroute hostname(config-if)# exit
  • Page 130: Defining Route Maps

    If you specify more than one ACL, then the route can match any of the ACLs. • To match the route type, enter the following command: hostname(config-route-map)# match route-type {internal | external [type-1 | type-2]} Step 3 Enter one or more set commands.
  • Page 131: Configuring Ospf

    • Configuring Route Calculation Timers, page 9-16 • Logging Neighbors Going Up or Down, page 9-17 • Displaying OSPF Update Packet Pacing, page 9-17 • Monitoring OSPF, page 9-18 • Restarting the OSPF Process, page 9-18
  • Page 132: Ospf Overview

    IDs associated with that range of IP addresses. To enable OSPF, perform the following steps: Step 1 To create an OSPF routing process, enter the following command: hostname(config)# router ospf process_id
  • Page 133: Redistributing Routes Into Ospf

    LSAs with a metric of 5, metric type of Type 1, and a tag equal to 1. hostname(config)# route-map 1-to-2 permit hostname(config-route-map)# match metric 1 hostname(config-route-map)# set metric 5 hostname(config-route-map)# set metric-type type-1
  • Page 134: Configuring Ospf Interface Parameters

    • To set the number of seconds that a device must wait before it declares a neighbor OSPF router down because it has not received a hello packet, enter the following command: hostname(config-interface)# ospf dead-interval seconds The value must be the same for all nodes on the network.
  • Page 135 10 hostname(config-interface)# ospf dead-interval 40 hostname(config-interface)# ospf authentication-key cisco hostname(config-interface)# ospf message-digest-key 1 md5 cisco hostname(config-interface)# ospf authentication message-digest The following is sample output from the show ospf command:
  • Page 136: Configuring Ospf Area Parameters

    • To enable MD5 authentication for an OSPF area, enter the following command: hostname(config-router)# area area-id authentication message-digest • To define an area to be a stub area, enter the following command: hostname(config-router)# area area-id stub [no-summary]
  • Page 137: Configuring Ospf Nssa

    This command helps reduce the size of the routing table. Using this command for OSPF causes an OSPF ASBR to advertise one external route as an aggregate for all redistributed routes that are covered by the address.
  • Page 138: Configuring Route Summarization Between Ospf Areas

    LSA. However, you can configure the security appliance to advertise a single route for all the redistributed routes that are covered by a specified network address and mask. This configuration decreases the size of the OSPF link-state database.
  • Page 139: Defining Static Ospf Neighbors

    The addr argument is the IP address of the OSPF neighbor. The if_name is the interface used to communicate with the neighbor. If the OSPF neighbor is not on the same network as any of the directly-connected interfaces, you must specify the interface.
  • Page 140: Generating A Default Route

    SPF calculations can be done, one immediately after the other. The following example shows how to configure route calculation timers: hostname(config)# router ospf 1 hostname(config-router)# timers spf 10 120
  • Page 141: Logging Neighbors Going Up Or Down

    There are no configuration tasks for this feature; it occurs automatically. To observe OSPF packet pacing by displaying a list of LSAs waiting to be flooded over a specified interface, enter the following command: hostname# show ospf flood-list if_name
  • Page 142: Monitoring Ospf

    [process-id] virtual-links Restarting the OSPF Process To restart an OSPF process, clear redistribution, or counters, enter the following command: hostname(config)# clear ospf pid {process | redistribution | counters [neighbor [neighbor-interface] [neighbor-id]]}
  • Page 143: Configuring Rip

    Step 4 (Optional) To generate a default route into RIP, enter the following command: hostname(config-router)# default-information originate Step 5 (Optional) To specify an interface to operate in passive mode, enter the following command: hostname(config-router)# passive-interface [default | if_name]
  • Page 144: Redistributing Routes Into The Rip Routing Process

    • To redistribute connected routes into the RIP routing process, enter the following command: hostname(config-router)# redistribute connected [metric {metric_value | transparent}] [route-map map_name] • To redistribute static routes into the RIP routing process, enter the following command:
  • Page 145: Configuring Rip Send/Receive Version On An Interface

    The security appliance supports RIP message authentication for RIP Version 2 messages. To enable RIP message authentication, perform the following steps: Step 1 Enter interface configuration mode for the interface you are configuring by entering the following command: hostname(config)# interface phy_if
  • Page 146: Monitoring Rip

    Use the following debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Debugging output is assigned high priority in the CPU process and can render the system unusable. It is best to use debug commands during periods of lower network traffic and fewer users.
  • Page 147: How The Routing Table Is Populated

    Because the routing protocols have metrics based on algorithms that are different from the other protocols, it is not always possible to determine the “best path” for two routes to the same destination that were generated by different routing protocols.
  • Page 148: Backup Routes

    • If the destination does not match an entry in the routing table, the packet is forwarded through the interface specified for the default route. If a default route has not been configured, the packet is discarded.
  • Page 149 192.168.32.0/24 network. It also falls within the other route in the routing table, but the 192.168.32.0/24 has the longest prefix within the routing table (24 bits versus 19 bits). Longer prefixes are always preferred over shorter ones when forwarding a packet.
  • Page 150 Chapter 9 Configuring IP Routing The Routing Table
  • Page 151: Configuring A Dhcp Server

    This section describes how to configure the DHCP server provided by the security appliance. This section includes the following topics: • Enabling the DHCP Server, page 10-2 • Configuring DHCP Options, page 10-3 • Using Cisco IP Phones with a DHCP Server, page 10-4
  • Page 152: Enabling The Dhcp Server

    To avoid address conflicts, the security appliance sends two ICMP ping packets to an address before assigning that address to a DHCP client. This command specifies the timeout value for those packets.
  • Page 153: Configuring Dhcp Options

    46 ascii hello command and the security appliance accepts the configuration although option 46 is defined in RFC 2132 as expecting a single-digit, hexadecimal value. For more information about the option codes and their associated types and expected values, refer to RFC 2132.
  • Page 154: Using Cisco Ip Phones With A Dhcp Server

    Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route. Cisco IP Phones might include both option 150 and 66 in a single request. In this case, the security appliance DHCP server provides values for both options in the response if they are configured on the security appliance.
  • Page 155: Configuring Dhcp Relay Services

    Step 2 To enable DHCP relay on the interface connected to the clients, enter the following command: hostname(config)# dhcprelay enable interface Step 3 (Optional) To set the number of seconds allowed for relay address negotiation, enter the following command:
  • Page 156: Configuring Dynamic Dns

    • Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN Provided Through Configuration, page 10-7 • Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates Both RRs., page 10-8
  • Page 157 Ethernet0 hostname(if-config)# ddns update ddns-2 hostname(if-config)# ddns update hostname asa.example.com hostname(if-config)# ip address dhcp Step 4 To configure the DHCP server, enter the following command: hostname(if-config)# dhcpd update dns
  • Page 158: Client And Updates Both Rrs

    Ethernet0 hostname(config-if)# dhcp client update dns both hostname(config-if)# ddns update hostname asa Step 2 To configure the DHCP server, enter the following commands: hostname(config-if)# dhcpd update dns hostname(config-if)# dhcpd domain example.com
  • Page 159: Example 5: Client Updates A Rr; Server Updates Ptr Rr

    • Enabling WCCP Redirection, page 10-10 WCCP Feature Support The following WCCPv2 features are supported with the security appliance: • Redirection of multiple TCP/UDP port-destined traffic. • Authentication for cache engines in a service group.
  • Page 160: Wccp Interaction With Other Features

    To configure WCCP redirection, perform the following steps: Step 1 To enable a WCCP service group, enter the following command: hostname(config)# wccp {web-cache | service_number} [redirect-list access_list] [group-list access_list] [password password]
  • Page 161 For example, to enable the standard web-cache service and redirect HTTP traffic that enters the inside interface to a web cache, enter the following commands: hostname(config)# wccp web-cache hostname(config)# wccp interface inside web-cache redirect in
  • Page 162 Chapter 10 Configuring DHCP, DDNS, and WCCP Services Configuring Web Cache Services Using WCCP
  • Page 163: Configuring Multicast Routing

    The DF election takes place during Rendezvous Point discovery and provides a default route to the Rendezvous Point. Note If the security appliance is the PIM RP, use the untranslated outside address of the security appliance as the RP address.
  • Page 164: Enabling Multicast Routing

    • Limiting the Number of IGMP States on an Interface, page 11-16 • Modifying the Query Interval and Query Timeout, page 11-16 • Changing the Query Response Time, page 11-17 • Changing the IGMP Version, page 11-17
  • Page 165: Disabling Igmp On An Interface

    Step 1 Create an access list for the multicast traffic. You can create more than one entry for a single access list. You can use extended or standard access lists. • To create a standard access list, enter the following command:
  • Page 166: Limiting The Number Of Igmp States On An Interface

    (by default, 255 seconds), then the security appliance becomes the designated router and starts sending the query messages. To change this timeout value, enter the following command: hostname(config-if)# igmp query-timeout seconds
  • Page 167: Changing The Query Response Time

    In some cases, such as bypassing a route that does not support multicast routing, you may want unicast packets to take one path and multicast packets to take another. Static multicast routes are not advertised or redistributed.
  • Page 168: Disabling Pim On An Interface

    You can disable PIM on specific interfaces. To disable PIM on an interface, enter the following command: hostname(config-if)# no pim To reenable PIM on an interface, enter the following command: hostname(config-if)# pim Note Only the no pim command appears in the interface configuration.
  • Page 169: Configuring A Static Rendezvous Point Address

    Router query messages are used to elect the PIM DR. The PIM DR is responsible for sending router query messages. By default, router query messages are sent every 30 seconds. You can change this value by entering the following command:
  • Page 170: Configuring A Multicast Boundary

    For example, the following access list, when used with the pim neighbor-filter command, prevents the 10.1.1.1 router from becoming a PIM neighbor: hostname(config)# access-list pim_nbr deny 10.1.1.1 255.255.255.255 Step 2 Use the pim neighbor-filter command on an interface to filter the neighbor routers.
  • Page 171: Supporting Mixed Bidirectional/Sparse-Mode Pim Networks

    For More Information about Multicast Routing The following RFCs from the IETF provide technical details about the IGMP and multicast routing standards used for implementing the SMR feature: • RFC 2236 IGMPv2
  • Page 172 Chapter 11 Configuring Multicast Routing For More Information about Multicast Routing • RFC 2362 PIM-SM • RFC 2588 IP Multicast and Firewalls • RFC 2113 IP Router Alert Option • IETF draft-ietf-idmr-igmp-proxy-01.txt
  • Page 173: Chapter 12 Configuring Ipv6

    • configure • copy • http • name • object-group • ping • show conn • show local-host • show tcpstat • telnet • tftp-server • write
  • Page 174 • Configuring IPv6 Default and Static Routes, page 12-5 • Configuring IPv6 Access Lists, page 12-6 • Configuring IPv6 Neighbor Discovery, page 12-7 • Configuring a Static IPv6 Neighbor, page 12-11
  • Page 175: Configuring Ipv6 On An Interface

    Use the optional eui-64 keyword to use the Modified EUI-64 interface ID in the low order 64 bits of the address. hostname(config-if)# ipv6 address ipv6-address [eui-64]
  • Page 176: Configuring A Dual Ip Stack On An Interface

    When the link-local address is verified as unique, duplicate address detection is performed on all the other IPv6 unicast addresses on the interface.
  • Page 177: Configuring Ipv6 Default And Static Routes

    %PIX|ASA-6-110001: No route to dest_address from source_address You can add a default route and static routes using the ipv6 route command. To configure an IPv6 default route and static routes, perform the following steps:
  • Page 178: Configuring Ipv6 Access Lists

    • can be an IPv6 prefix, in the format prefix/length, to indicate a range of addresses, the keyword any, to specify any address, or a specific host designated by host host_ipv6_addr.
  • Page 179: Configuring Ipv6 Neighbor Discovery

    After the source node receives the neighbor advertisement, the source node and destination node can communicate. Figure 12-1 shows the neighbor solicitation and response process.
  • Page 180 IPv6 operation. To configure the amount of time that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred, enter the following command: hostname(config-if)# ipv6 nd reachable-time value
  • Page 181: Configuring Router Advertisement Messages

    When a router advertisement is sent in response to a router solicitation, the destination address in the router advertisement message is the unicast address of the source of the router solicitation message.
  • Page 182 To configure which IPv6 prefixes are included in IPv6 router advertisements, enter the following command: hostname(config-if)# ipv6 nd prefix ipv6-prefix/prefix-length Note For stateless autoconfiguration to work properly, the advertised prefix length in router advertisement messages must always be 64 bits.
  • Page 183: Configuring A Static Ipv6 Neighbor

    Excluding the name from the command displays the setting for all interfaces that have IPv6 enabled on them. The output for the command shows the following: • The name and status of the interface. • The link-local and global unicast addresses.
  • Page 184: The Show Ipv6 Route Command

    O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 fe80::/10 [0/0] via ::, inside fec0::a:0:0:a0a:a70/128 [0/0] via ::, inside fec0:0:0:a::/64 [0/0] via ::, inside ff00::/8 [0/0] via ::, inside
  • Page 185: Configuring Aaa Servers And The Local Database

    • About Accounting, page 13-2 About Authentication Authentication controls access by requiring valid user credentials, which are typically a username and password. You can configure the security appliance to authenticate the following items:
  • Page 186: About Authorization

    The security appliance supports a variety of AAA server types and a local database that is stored on the security appliance. This section describes support for each AAA server type and the local database. This section contains the following topics: • Summary of Support, page 13-3
  • Page 187: Summary Of Support

    RADIUS authentication response.
    4. Local command authorization is supported by privilege level only.
    5. Command accounting is available for TACACS+ only.
    RADIUS Server Support
    The security appliance supports RADIUS servers.
  • Page 188: Authentication Methods

    • Accounting attributes defined in RFC 2139.
    • RADIUS attributes for tunneled protocol support, defined in RFC 2868.
    • Cisco IOS VSAs, identified by RADIUS vendor ID 9.
    • Cisco VPN-related VSAs, identified by RADIUS vendor ID 3076.
    • Microsoft VSAs, defined in RFC 2548.
  • Page 189: Sdi Version Support

    Note: The security appliance does not support changing user passwords during tunnel negotiation. To avoid this situation happening inadvertently, disable password expiration on the Kerberos/Active Directory server for users connecting to the security appliance. For a simple Kerberos server configuration example, see Example 13-2.
  • Page 190: Ldap Server Support

    Note: If you do not configure SASL, we strongly recommend that you secure LDAP communications with SSL. See the ldap-over-ssl command in the Cisco Security Appliance Command Reference.
    When user LDAP authentication has succeeded, the LDAP server returns the attributes for the authenticated user.
  • Page 191: Authorization With Ldap For Vpn

    LDAP. This example then creates an IPSec remote access tunnel group named remote-1, and assigns that new tunnel group to the previously created ldap_dir_1 AAA server for authorization.
    hostname(config)# tunnel-group remote-1 type ipsec-ra
    hostname(config)# tunnel-group remote-1 general-attributes
    hostname(config-general)# authorization-server-group ldap_dir_1
    hostname(config-general)#
  • Page 192: Ldap Attribute Mapping

    You must create LDAP attribute maps that map your existing user-defined attribute names and values to Cisco attribute names and values that are compatible with the security appliance. You can then bind these attribute maps to LDAP servers or remove them as needed.
  • Page 193: Sso Support For Webvpn With Http Forms

    Appendix E, “Configuring an External Server for Authorization and Authentication”. Alternatively, you can enter “?” within ldap-attribute-map mode to display the complete list of Cisco LDAP attribute names, as shown in the following example:
    hostname(config)# ldap attribute-map att_map_1
    hostname(config-ldap-attribute-map)# map-name att_map_1 ?
  • Page 194: User Profiles

    Caution: If you add to the local database users who can gain access to the CLI but who should not be allowed to enter privileged mode, enable command authorization. (See the “Configuring Local Command Authorization” section on page 40-7.) Without command authorization, users can access privileged...
  • Page 195 When you enter a username attributes command, you enter username mode. The commands available in this mode are as follows:
    • group-lock
    • password-storage
    • vpn-access-hours
    • vpn-filter
    • vpn-framed-ip-address
    • vpn-group-policy
    • vpn-idle-timeout
    • vpn-session-timeout
    • vpn-simultaneous-logins
    • vpn-tunnel-protocol
  • Page 196: Identifying Aaa Server Groups And Servers

    • Use these commands as needed to configure the user profile. For more information about these commands, see the Cisco Security Appliance Command Reference. When you have finished configuring the user profiles, enter exit to return to config mode. For example, the following command assigns a privilege level of 15 to the admin user account:...
  • Page 197 Where a command is applicable to the server type you specified and no default value is provided (indicated by “—”), use the command to specify the value. For more information about these commands, see the Cisco Security Appliance Command Reference.
  • Page 198 Example 13-1 Multiple AAA Server Groups and Servers
    hostname(config)# aaa-server AuthInbound protocol tacacs+
    hostname(config-aaa-server-group)# max-failed-attempts 2
    hostname(config-aaa-server-group)# reactivation-mode depletion deadtime 20
    hostname(config-aaa-server-group)# exit
    hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1
    hostname(config-aaa-server-host)# key TACPlusUauthKey
  • Page 199: Using Certificates And User Login Credentials

    – Enabled by authentication server group setting
    – Uses the username and password as credentials
    • Authorization
    – Enabled by authorization server group setting
    – Uses the username as a credential
  • Page 200: Using Certificates

    Server, it will not be granted access to the private network protected by the Integrity Server and security appliance. This section includes the following topics:
    • Overview of Integrity Server and Security Appliance Interaction, page 13-17
    • Configuring Integrity Server Support, page 13-17
  • Page 201: Overview Of Integrity Server And Security Appliance Interaction

    The following commands ensure that the security appliance waits 12 seconds for a response from either the active or standby Integrity servers before declaring the Integrity server as failed and closing the VPN client connections:
    hostname(config)# zonelabs-integrity fail-timeout 12
    hostname(config)# zonelabs-integrity fail-close
    hostname(config)#
  • Page 202 “Configuring Firewall Policies” section on page 30-54. The command arguments that specify firewall policies are not used when the firewall type is zonelabs-integrity because the Integrity server determines the policies.
  • Page 203: Understanding Failover

    Note: VPN failover is not supported on units running in multiple context mode. VPN failover is available for Active/Standby failover configurations only.
    This section includes the following topics:
    • Failover System Requirements, page 14-2
  • Page 204: Chapter 14 Configuring Failover

    24 hours until the unit is returned to failover duty. A unit with an FO or FO_AA license operates in standalone mode if it is booted without being connected to a failover peer...
  • Page 205: The Failover And Stateful Failover Links

    Failover cable. On the ASA 5500 series adaptive security appliance, the failover link can only be a LAN-based connection. This section includes the following topics:
    • LAN-Based Failover Link, page 14-4
    • Serial Cable Failover Link (PIX Security Appliance Only), page 14-4
  • Page 206 • The cable determines which unit is primary and which is secondary, eliminating the need to manually enter that information in the unit configurations.
    The disadvantages include:
    • Distance limitation—the units cannot be separated by more than 6 feet.
    • Slower configuration replication.
  • Page 207: Stateful Failover Link

    Note: Enable the PortFast option on Cisco switch ports that connect directly to the security appliance.
    If you are using the failover link as the Stateful Failover link, you should use the fastest Ethernet interface available. If you experience performance problems on that interface, consider dedicating a separate interface for the Stateful Failover interface.
  • Page 208: Active/Active And Active/Standby Failover

    MAC addresses over the failover link. In this case, the secondary unit MAC addresses are used.
  • Page 209 You do not have to save the active configuration to Flash memory to replicate the commands.
  • Page 210 For each failure event, the table shows the failover policy (failover or no failover), the action taken by the active unit, the action taken by the standby unit, and any special notes about the failover condition and actions.
  • Page 211: Active/Active Failover

    • Failover Actions, page 14-13
    Active/Active Failover Overview
    Active/Active failover is only available to security appliances in multiple context mode. In an Active/Active failover configuration, both security appliances can pass network traffic.
  • Page 212 When a unit boots while the peer unit is active (with both failover groups in the active state), the failover groups remain in the active state on the active unit regardless of the primary or secondary preference of the failover group until one of the following:...
  • Page 213 • Commands entered in the system execution space are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.
  • Page 214 See the “Failover Health Monitoring” section on page 14-15 for more information about interface and unit monitoring.
  • Page 215 Each unit marks the failover interface as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.
  • Page 216: Determining Which Type Of Failover To Use

    Supported end-user applications are not required to reconnect to keep the same communication session. The state information passed to the standby unit includes the following:
    • NAT translation table.
    • TCP connection states.
  • Page 217: Failover Health Monitoring

    Note: If failover occurs during an active Cisco IP SoftPhone session, the call remains active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client loses connection with the Call Manager. This occurs because there is no session information for the CTIQBE hangup message on the standby unit.
  • Page 218: Interface Monitoring

    If a failed unit does not recover and you believe it should not be failed, you can reset the state by entering the failover reset command. If the failover condition persists, however, the unit will fail again.
  • Page 219: Failover Feature/Platform Matrix

    Active unit interface up, but connection problem causes interface testing: 5 seconds, 25 seconds, 75 seconds
    Configuring Failover
    This section describes how to configure failover and includes the following topics:
    • Failover Configuration Limitations, page 14-18
  • Page 220: Failover Configuration Limitations

    The primary unit is the unit that has the end of the cable labeled “Primary” plugged into it. For devices in multiple context mode, the commands are entered in the system execution space unless otherwise noted.
  • Page 221 IP addresses for the interface. The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby IP address subnet mask.
  • Page 222: Configuring Lan-Based Active/Standby Failover

    (routed mode), for the management IP address (transparent mode), or for the management-only interface. The standby IP address is used on the security appliance that is currently the standby unit. It must be in the same subnet as the active IP address.
  • Page 223 (Optional) To enable Stateful Failover, configure the Stateful Failover link.
    Note: Stateful Failover is not available on the ASA 5505 series adaptive security appliance.
    Specify the interface to be used as Stateful Failover link:
    hostname(config)# failover link if_name phy_if
  • Page 224 For multiple context mode, all steps are performed in the system execution space unless noted otherwise. To configure the secondary unit, perform the following steps:
    Step 1 (PIX security appliance only) Enable LAN-based failover:
    hostname(config)# failover lan enable
  • Page 225: Configuring Optional Active/Standby Failover Settings

    • Enabling HTTP Replication with Stateful Failover, page 14-24
    • Disabling and Enabling Interface Monitoring, page 14-24
    • Configuring Interface Health Monitoring, page 14-24
    • Configuring Failover Criteria, page 14-25
    • Configuring Virtual MAC Addresses, page 14-25
  • Page 226 To change the interface poll time, enter the following command in global configuration mode:
    hostname(config)# failover polltime interface [msec] time [holdtime time]
  • Page 227 MAC address is assigned to an interface:
    • The mac-address command (in interface configuration mode) address.
    • The failover mac address command address.
    • The mac-address auto command generated address.
  • Page 228: Configuring Active/Active Failover

    The command prompt changes to hostname/context(config-if)#, where context is the name of the current context. You must enter a management IP address for each context in transparent firewall multiple context mode.
  • Page 229 Any unassigned contexts are automatically assigned to failover group 1. The admin context is always a member of failover group 1. Enter the following commands to assign each context to a failover group:...
  • Page 230: Configuring Lan-Based Active/Active Failover

    The command prompt changes to hostname/context(config-if)#, where context is the name of the current context. In transparent firewall mode, you must enter a management IP address for each context.
  • Page 231 Note: If the Stateful Failover link uses the failover link or a regular data interface, skip this step. You have already defined the active and standby IP addresses for the interface.
  • Page 232 This allows the secondary unit to communicate with and receive the running configuration from the primary unit. To bootstrap the secondary unit in an Active/Active failover configuration, perform the following steps:
    Step 1 (PIX security appliance only) Enable LAN-based failover:...
  • Page 233 To force a failover group to become active on the secondary unit, enter the following command in the system execution space on the primary unit:
    hostname# no failover active group group_id
    The group_id argument specifies the group you want to become active on the secondary unit.
  • Page 234: Configuring Optional Active/Active Failover Settings

    To enable HTTP state replication for both failover groups, you must enter this command in each group. This command should be entered in the system execution space.
    hostname(config)# failover group {1 | 2}
    hostname(config-fover-group)# replication http
  • Page 235 Active/Active failover uses virtual MAC addresses on all interfaces. If you do not specify the virtual MAC addresses, then they are computed as follows:
    • Active unit default MAC address: 00a0.c9physical_port_number.failover_group_id01.
    • Standby unit default MAC address: 00a0.c9physical_port_number.failover_group_id02.
  • Page 236 2 header is rewritten and the packet is re-injected into the stream.
    Note: Using the asr-group command to configure asymmetric routing support is more secure than using the static command with the nailed option.
  • Page 237 A on the unit where context A is in the active state. This forwarding continues as needed until the session ends.
  • Page 238: Configuring Unit Health Monitoring

    1 to 63 characters. The characters can be any combination of numbers, letters, or punctuation. The hex key argument specifies a hexadecimal encryption key. The key must be 32 hexadecimal characters (0-9, a-f).
  • Page 239: Verifying The Failover Configuration

    This host: Primary - Active
    Active time: 13434 (sec)
    Interface inside (10.130.9.3): Normal
    Interface outside (10.132.9.3): Normal
    Other host: Secondary - Standby Ready
    Active time: 0 (sec)
    Interface inside (10.130.9.4): Normal
    Interface outside (10.132.9.4): Normal
  • Page 240 Interface outside (192.168.5.131): Normal
    Interface inside (192.168.0.11): Normal
    Stateful Failover Logical Update Statistics
    Status: Configured.
    Stateful Obj xmit xerr rerr
    RPC services
    TCP conn
    UDP conn
    ARP tbl
    Xlate_Timeout
    GTP PDP
    GTP PDPMCB
  • Page 241 The amount of time the unit has been active. This time is cumulative, so the standby unit, if it was active in the past, also shows a value.
    slot x: Information about the module in the slot or empty.
  • Page 242 Dynamic UDP connection information.
    ARP tbl: Dynamic ARP table information.
    L2BRIDGE tbl: Layer 2 bridge table information (transparent firewall mode only).
    Xlate_Timeout: Indicates connection translation timeout information.
    VPN IKE upd: IKE connection information.
  • Page 243 Interface inside (10.130.8.5): Normal
    admin Interface fourth (10.130.9.5): Normal
    ctx1 Interface outside (10.1.1.1): Normal
    ctx1 Interface inside (10.2.2.1): Normal
    ctx2 Interface outside (10.3.3.2): Normal
    ctx2 Interface inside (10.4.4.2): Normal
    Other host: Secondary
  • Page 244 Interface inside (192.168.0.1): Normal
    Other host: Primary
    State: Standby
    Active time: 0 (sec)
    admin Interface outside (192.168.5.131): Normal
    admin Interface inside (192.168.0.11): Normal
    Stateful Failover Logical Update Statistics
    Status: Configured.
  • Page 245 Active Time: in seconds
    • Group 1 State: Active or Standby Ready
    • Group 2 State
    Active Time: in seconds
    • slot x: Information about the module in the slot or empty.
  • Page 246 Dynamic UDP connection information.
    ARP tbl: Dynamic ARP table information.
    L2BRIDGE tbl: Layer 2 bridge table information (transparent firewall mode only).
    Xlate_Timeout: Indicates connection translation timeout information.
    VPN IKE upd: IKE connection information.
  • Page 247: Viewing Monitored Interfaces

    All of the failover commands are displayed. On units running multiple context mode, enter this command in the system execution space. Entering show running-config all failover displays the failover commands in the running configuration and includes commands for which you have not changed the default value.
  • Page 248: Testing The Failover Functionality

    To force the standby unit or failover group to become active, enter one of the following commands:
    • For Active/Standby failover: Enter the following command on the standby unit:
    hostname# failover active
    Or, enter the following command on the active unit:...
  • Page 249: Disabling Failover

    Monitoring Failover
    When a failover occurs, both security appliances send out system messages. This section includes the following topics:
    • Failover System Messages, page 14-48
  • Page 250: Failover System Messages

    411002 messages. This is normal activity.
    Debug Messages
    To see debug messages, enter the debug fover command. See the Cisco Security Appliance Command Reference for more information.
    Note: Because debugging output is assigned high priority in the CPU process, it can drastically affect system performance.
  • Page 251 PART Configuring the Firewall
  • Page 253: Routed Mode Overview

    By default, NAT is not required. If you want to enforce a NAT policy that requires hosts on a higher security interface (inside) to use NAT when communicating with a lower security interface (outside), you can enable NAT control (see the nat-control command).
  • Page 254: Chapter 15 Firewall Mode Overview

    • An Inside User Visits a Web Server, page 15-3
    • An Outside User Visits a Web Server on the DMZ, page 15-4
    • An Inside User Visits a Web Server on the DMZ, page 15-5
  • Page 255: An Inside User Visits A Web Server

    The security appliance translates the local source address (10.1.2.27) to the global address 209.165.201.10, which is on the outside interface subnet. The global address could be on any subnet, but routing is simplified when it is on the outside interface subnet.
  • Page 256: An Outside User Visits A Web Server On The Dmz

    In this case, the classifier “knows” that the DMZ web server address belongs to a certain context because of the server address translation.
  • Page 257: An Inside User Visits A Web Server On The Dmz

    The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
  • Page 258: An Outside User Attempts To Access An Inside Host

    The security appliance receives the packet and because it is a new session, the security appliance verifies if the packet is allowed according to the security policy (access lists, filters, AAA).
  • Page 259: A Dmz User Attempts To Access An Inside Host

    “stealth firewall,” and is not seen as a router hop to connected devices. This section describes transparent firewall mode, and includes the following topics:
    • Transparent Firewall Network, page 15-8
    • Allowing Layer 3 Traffic, page 15-8
  • Page 260: Transparent Firewall Network

    For example, by using an extended access list, you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or multicast traffic such as that created by IP/TV.
  • Page 261: Mac Address Lookups

    IP address assigned to the entire device. The security appliance uses this IP address as the source address for packets originating on the security appliance, such as system messages or AAA communications.
  • Page 262: Unsupported Features In Transparent Mode

    You also cannot allow IPv6 using an EtherType access list.
    Multicast: You can allow multicast traffic through the security appliance by allowing it in an extended access list.
    NAT is performed on the upstream router.
  • Page 263: How Data Moves Through The Transparent Firewall

    Another access list lets the outside users access only the web server on the inside network.
    Figure 15-8 Typical Transparent Firewall Data Path (figure labels: www.example.com, Internet, 209.165.201.2, Management IP 209.165.201.6, 209.165.200.230, Host 209.165.201.3, Web Server 209.165.200.225)
  • Page 264: An Inside User Visits A Web Server

    If the destination MAC address is not in the security appliance table, the security appliance attempts to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.
  • Page 265: An Outside User Visits A Web Server On The Inside Network

    (access lists, filters, AAA). For multiple context mode, the security appliance first classifies the packet according to a unique interface. The security appliance records that a session is established.
  • Page 266: An Outside User Attempts To Access An Inside Host

    (access lists, filters, AAA). For multiple context mode, the security appliance first classifies the packet according to a unique interface. The packet is denied, and the security appliance drops the packet.
  • Page 267 Transparent Mode Overview
    If the outside user is attempting to attack the inside network, the security appliance employs many technologies to determine if a packet is valid for an already established session.
  • Page 268 Chapter 15 Firewall Mode Overview, Transparent Mode Overview
  • Page 269: Access List Overview

    • Access List Types, page 16-2
    • Access Control Entry Order, page 16-2
    • Access Control Implicit Deny, page 16-3
    • IP Addresses Used for Access Lists When You Use NAT, page 16-3
  • Page 270: Access List Types

    After a match is found, no more ACEs are checked. For example, if you create an ACE at the beginning of an access list that explicitly permits all traffic, no further statements are ever checked. You can disable an ACE by specifying the keyword inactive in the access-list command.
  • Page 271: C H A P T E R 16 Identifying Traffic With Access Lists

    (figure labels: Inbound ACL, Permit from 10.1.1.0/24, 209.165.200.225, 10.1.1.0/24, 209.165.201.4:port)
    See the following commands for this example:
    hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225
    hostname(config)# access-group INSIDE in interface inside
  • Page 272 (figure labels: 209.165.200.225, 209.165.201.5, Outside, Inside, 10.1.1.34, 209.165.201.5, Static NAT)
    See the following commands for this example:
    hostname(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5
    hostname(config)# access-group OUTSIDE in interface outside
  • Page 273: Adding An Extended Access List

    For information about logging options that you can add to the end of the ACE, see the “Logging Access List Activity” section on page 16-18. For information about time range options, see “Scheduling Extended Access List Activation” section on page 16-17.
  • Page 274: Allowing Special Ip Traffic Through The Transparent Firewall

    To add an ACE, enter the following command:
    hostname(config)# access-list access_list_name [line line_number] [extended] {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port | icmp_type] [inactive]
  • Page 275 ICMP types. When you specify a network mask, the method is different from the Cisco IOS software access-list command. The security appliance uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
  • Page 276: Adding An Ethertype Access List

    TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.) On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the security appliance.
  • Page 277: Adding A Standard Access List

    To add an ACE, enter the following command:
    hostname(config)# access-list access_list_name standard {deny | permit} {any | ip_address mask}
    The following sample access list identifies routes to 192.168.1.0/24:
    hostname(config)# access-list OSPF standard permit 192.168.1.0 255.255.255.0
  • Page 278: Adding A Webtype Access List

    After creating these groups, you could use a single ACE to allow trusted hosts to make specific service requests to a group of public servers. You can also nest object groups in other object groups.
  • Page 279: Adding Object Groups

    “Protocols and Applications” section on page D-11. For example, to create a protocol group for TCP, UDP, and ICMP, enter the following commands:
    hostname(config)# object-group protocol tcp_udp_icmp
    hostname(config-protocol)# protocol-object tcp
    hostname(config-protocol)# protocol-object udp
    hostname(config-protocol)# protocol-object icmp
  • Page 280: Adding A Network Object Group

    Step 1 To add a service group, enter the following command:
    hostname(config)# object-group service grp_id {tcp | udp | tcp-udp}
    The grp_id is a text string up to 64 characters in length.
  • Page 281: Adding An Icmp Type Object Group

    The description can be up to 200 characters. Step 3 To define the ICMP types in the group, enter the following command for each type: hostname(config-icmp-type)# icmp-object icmp_type
  • Page 282: Nesting Object Groups

    You only need to specify the admin object group in your ACE as follows: hostname(config)# access-list ACL_IN extended permit ip object-group admin host 209.165.201.29
  • Page 283: Using Object Groups With An Access List

    209.165.201.16 hostname(config-network)# network-object host 209.165.201.78 hostname(config-network)# access-list ACL_IN extended deny tcp object-group denied object-group web eq www hostname(config)# access-list ACL_IN extended permit ip any any hostname(config)# access-group ACL_IN in interface inside
  • Page 284: Displaying Object Groups

    Entering a dash (-) at the beginning of the remark helps set it apart from ACEs. hostname(config)# access-list OUT remark - this is the inside admin address hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
  • Page 285: Scheduling Extended Access List Activation

    8:00 1 january 2006 The following is an example of a weekly periodic time range from 8:00 a.m. to 6:00 p.m. on weekdays: hostname(config)# time-range workinghours
  • Page 286: Applying The Time Range To An Ace

    Note Only ACEs in the access list generate logging messages; the implicit deny at the end of the access list does not generate a message. If you want all denied traffic to generate messages, add the implicit ACE manually to the end of the access list, as follows.
  • Page 287: Configuring Logging For An Access Control Entry

    For connectionless protocols, such as ICMP, all packets are logged even if they are permitted, and all denied packets are logged. See the Cisco Security Appliance Logging Configuration and System Log Messages for detailed information about this system message.
  • Page 288: Managing Deny Flows

    The number is between 1 and 4096. 4096 is the default. • To set the amount of time between system messages (number 106101) that identify that the maximum number of deny flows was reached, enter the following command:
  • Page 289 Chapter 16 Identifying Traffic with Access Lists Logging Access List Activity hostname(config)# access-list alert-interval secs The seconds are between 1 and 3600. 300 is the default.
  • Page 291: Nat Overview

    • NAT and Same Security Level Interfaces, page 17-12 • Order of NAT Commands Used to Match Real Addresses, page 17-13 • Mapped Address Guidelines, page 17-13 • DNS and NAT, page 17-14
  • Page 292: Introduction To Nat

    209.165.201.10, and the security appliance receives the packet. The security appliance then undoes the translation of the mapped address, 209.165.201.10 back to the real address, 10.1.1.1.27 before sending it on to the host.
  • Page 293: Chapter 17 Applying Nat

    NAT to translate the inside host address (see Figure 17-2). [Figure 17-2 NAT Control and Outbound Traffic: inside host 10.1.1.1 translated to 209.165.201.1; host 10.1.2.1 with no NAT]
  • Page 294 MAC addresses for shared interfaces. See the “How the Security Appliance Classifies Packets” section on page 3-3 for more information about the relationship between the classifier and NAT.
  • Page 295: Nat Types

    IP address after the translation times out (see the timeout xlate command in the Cisco Security Appliance Command Reference). Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (even if the connection is allowed by an access list), and the security appliance rejects any attempt to connect to a real host address directly.
  • Page 296 Note access list allows it. Because the address is unpredictable, a connection to the host is unlikely. However in this case, you can rely on the security of the access list.
  • Page 297: Static Nat

    (if there is an access list that allows it), while dynamic NAT does not. You also need an equal number of mapped addresses as real addresses with static NAT.
  • Page 298 8080. Similarly, if you want to provide extra security, you can tell your web users to connect to non-standard port 6785, and then undo translation to port 80.
  • Page 299: Bypassing Nat When Nat Control Is Enabled

    NAT in that the ports are not considered. See the “Bypassing NAT” section on page 17-28 for other differences. You can accomplish the same result as NAT exemption using static identity NAT, which does support policy NAT.
  • Page 300 NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224 hostname(config)# nat (inside) 1 access-list NET1 hostname(config)# global (outside) 1 209.165.202.129 hostname(config)# nat (inside) 2 access-list NET2 hostname(config)# global (outside) 2 209.165.202.130
  • Page 301 NAT access list specifies the real addresses and the destination addresses, but for traffic originated on the remote network, the access list identifies the real addresses and the source addresses of remote hosts who are allowed to connect to the host using this translation.
  • Page 302: Nat And Same Security Level Interfaces

    (even when NAT control is not enabled). Traffic identified for static NAT is not affected. See the “Allowing Communication Between Interfaces on the Same Security Level” section on page 7-6 to enable same security communication.
  • Page 303: Order Of Nat Commands Used To Match Real Addresses

    If the mapped interface is passive (not advertising routes) or you are using static routing, then you need to add a static route on the upstream router that sends traffic destined for the mapped addresses to the security appliance.
  • Page 304 DNS server, and not the mapped address. When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10). The security appliance refers to the static statement for the inside server and translates the address inside the DNS reply to 10.1.3.14.
  • Page 305: Configuring Nat Control

    DNS server on the outside. The security appliance has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.20.10. Because you want inside users to use the mapped address for ftp.cisco.com (10.1.2.56) you need to configure DNS reply...
  • Page 306: Using Dynamic Nat And Pat

    [Figure: NAT 1 translates the inside network 10.1.2.0/24 to the outside global pool 209.165.201.3-209.165.201.10; inside host 10.1.2.27 is shown translated to 209.165.201.3] See the following commands for this example: hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0 hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
  • Page 307 [Figure: NAT 1 for the inside network 10.1.2.0/24; hosts 10.1.1.15 and 10.1.2.27 are shown translated, 10.1.2.27 to 209.165.201.3] See the following commands for this example: hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0 hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
  • Page 308 17-16). If you use policy NAT, you can specify the same real addresses for multiple nat commands, as long as the destination addresses and ports are unique in each access list.
  • Page 309 PAT statement in case all the dynamic NAT addresses are depleted. Similarly, you might enter two PAT statements if you need more than the approximately 64,000 PAT sessions that a single PAT mapped statement supports (see Figure 17-17).
  • Page 310 17-18). Note that for outside NAT (DMZ interface to Inside interface), the inside host uses a static command to allow outside access, so both the source and destination addresses are translated.
  • Page 311 If you do apply outside NAT, then the preceding NAT requirements come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected.
  • Page 312: Configuring Dynamic Nat Or Pat

    However, clearing the translation table disconnects all current connections that use translations. To configure dynamic NAT or PAT, perform the following steps: Step 1 To identify the real addresses that you want to translate, enter one of the following commands:
  • Page 313 You can specify a single address (for PAT) or a range of addresses (for NAT). The range can go across subnet boundaries if desired. For example, you can specify the following “supernet”:
  • Page 314 TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23 hostname(config)# nat (inside) 1 access-list WEB hostname(config)# global (outside) 1 209.165.202.129 hostname(config)# nat (inside) 2 access-list TELNET hostname(config)# global (outside) 2 209.165.202.130
  • Page 315: Using Static Nat

    See the “Configuring Dynamic NAT or PAT” section on page 17-22 for information about the other options. • To configure regular static NAT, enter the following command:
  • Page 316: Using Static Pat

    [Figure 17-22 Static PAT: inside 10.1.1.1:23 mapped to outside 209.165.201.1:23; inside 10.1.1.2:8080 mapped to outside 209.165.201.2:80] For applications that require application inspection for secondary channels (FTP, VoIP, etc.), the security appliance automatically translates the secondary ports.
  • Page 317 (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering: hostname(config)# access-list HTTP permit tcp host 10.1.1.15 eq http 10.1.3.0 255.255.255.0 eq http hostname(config)# static (inside,outside) tcp 10.1.2.14 http access-list HTTP
  • Page 318: Bypassing Nat

    • Configuring NAT Exemption, page 17-31 Configuring Identity NAT Identity NAT translates the real IP address to the same IP address. Only “translated” hosts can create NAT translations, and responding traffic is allowed back.
  • Page 319: Configuring Static Identity Nat

    NAT or policy NAT. Policy NAT lets you identify the real and destination addresses when determining the real addresses to translate (see the “Policy NAT” section on page 17-9 for more
  • Page 320 For example, the following command uses static identity NAT for an inside IP address (10.1.1.3) when accessed by the outside: hostname(config)# static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255
  • Page 321: Configuring Nat Exemption

    NAT exemption does not consider the ports. NAT exemption also does not consider the inactive or time-range keywords; all ACEs are considered to be active for NAT exemption configuration.
  • Page 322: Nat Examples

    (inside) 0 access-list NET1 NAT Examples This section describes typical scenarios that use NAT solutions, and includes the following topics: • Overlapping Networks, page 17-33 • Redirecting Ports, page 17-34
  • Page 323: Overlapping Networks

    Step 3 Configure the following static routes so that traffic to the dmz network can be routed correctly by the security appliance: hostname(config)# route dmz 192.168.100.128 255.255.255.128 10.1.1.2 1 hostname(config)# route dmz 192.168.100.0 255.255.255.128 10.1.1.2 1
  • Page 324: Redirecting Ports

    • HTTP requests to security appliance outside IP address 209.165.201.25 are redirected to 10.1.1.5. • HTTP port 8080 requests to PAT address 209.165.201.15 are redirected to 10.1.1.7 port 80. To implement this scenario, perform the following steps:
  • Page 325 Step 5 Redirect HTTP requests on port 8080 for PAT address 209.165.201.15 to 10.1.1.7 port 80 by entering the following command: hostname(config)# static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255
  • Page 327 These terms do not refer to the movement of traffic from a lower security interface to a higher security interface, commonly known as inbound, or from a higher to lower interface, commonly known as outbound.
  • Page 328: Chapter 18 Permitting Or Denying Network Access

    INSIDE in interface inside hostname(config)# access-list HR extended permit ip any any hostname(config)# access-group HR in interface hr hostname(config)# access-list ENG extended permit ip any any hostname(config)# access-group ENG in interface eng
  • Page 329 209.165.200.225 eq www hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.6 host 209.165.200.225 eq www hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www hostname(config)# access-group OUTSIDE out interface outside
  • Page 330 The following access list denies traffic with EtherType 0x1256 but allows all others on both interfaces: hostname(config)# access-list nonIP ethertype deny 1256 hostname(config)# access-list nonIP ethertype permit any hostname(config)# access-group nonIP in interface inside
  • Page 331: Applying An Access List To An Interface

    hostname(config)# access-group nonIP in interface outside
  • Page 333: Aaa Performance

    Configuring Authentication for Network Access This section includes the following topics: • Authentication Overview, page 19-2 • Enabling Network Access Authentication, page 19-3 • Enabling Secure Authentication of Web Clients, page 19-5
  • Page 334: Chapter 19 Applying Aaa For Network Access

    A user at a given IP address only needs to authenticate one time for all rules and types, until the authentication session expires. (See the timeout uauth command in the Cisco Security Appliance Command Reference for timeout values.) For example, if you configure the security appliance to authenticate Telnet and FTP, and a user first successfully authenticates for Telnet, then as long as the authentication session exists, the user does not also have to authenticate for FTP.
  • Page 335: Static Pat And Http

    Alternatively, you can configure virtual Telnet. With virtual Telnet, the user Telnets to a given IP address configured on the security appliance, and the security appliance provides a Telnet prompt. For more information about the virtual telnet command, see the Cisco Security Appliance Command Reference.
  • Page 336 Note You can alternatively use the aaa authentication include command (which identifies traffic within the command). However, you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information. Step 4 (Optional) If you are using the local database for network access authentication and you want to limit...
  • Page 337: Enabling Secure Authentication Of Web Clients

    You can configure the security appliance to perform network access authorization with TACACS+. You identify the traffic to be authorized by specifying access lists that authorization rules must match. Alternatively, you can identify the traffic directly in authorization rules themselves.
  • Page 338 Note Alternatively, you can use the aaa authorization include command (which identifies traffic within the command), but you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information. The following commands authenticate and authorize inside Telnet traffic. Telnet traffic to servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires authorization.
  • Page 339: Configuring Radius Authorization

    • Configuring a RADIUS Server to Download Per-User Access Control List Names, page 19-11 Configuring a RADIUS Server to Send Downloadable Access Control Lists This section describes how to configure Cisco Secure ACS or a third-party RADIUS server, and includes the following topics: • About the Downloadable Access List Feature and Cisco Secure ACS, page 19-8...
  • Page 340 Because the name of the downloadable access list includes the date and time it was last modified, matching the name sent by Cisco Secure ACS to the name of an access list previously downloaded means that the security appliance has the most recent version of the downloadable access list.
  • Page 341 Message-Authenticator attribute and its use are defined in RFC 2869, RADIUS Extensions, available at http://www.ietf.org. If the access list required is less than approximately 4 KB in length, Cisco Secure ACS responds with an access-accept message containing the access list. The largest access list that can fit in a single access-accept message is slightly less than 4 KB because some of the message must be other required attributes.
  • Page 342 If this parameter is omitted, the sequence value is 0, and the order of the ACEs inside the cisco-av-pair RADIUS VSA is used. The following example is an access list definition as it should be configured for a cisco-av-pair VSA on a RADIUS server: ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0...
  • Page 343: Configuring A Radius Server To Download Per-User Access Control List Names

    RADIUS server when a user authenticates, configure the IETF RADIUS filter-id attribute (attribute number 11) as follows: filter-id=acl_name Note In Cisco Secure ACS, the values for filter-id attributes are specified in boxes in the HTML interface, omitting filter-id= and entering only acl_name.
  • Page 344: Configuring Accounting For Network Access

    Note Alternatively, you can use the aaa accounting include command (which identifies traffic within the command), but you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information. The following commands authenticate, authorize, and account for inside Telnet traffic. Telnet traffic to servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires...
  • Page 345: Using Mac Addresses To Exempt Traffic From Authentication And Authorization

    The following example bypasses authentication for a single MAC address: hostname(config)# mac-list abc permit 00a0.c95d.0282 ffff.ffff.ffff hostname(config)# aaa mac-exempt match abc The following entry bypasses authentication for all Cisco IP Phones, which have the hardware ID 0003.E3: hostname(config)# mac-list acd permit 0003.E300.0000 FFFF.FF00.0000...
  • Page 346 hostname(config)# mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffff hostname(config)# mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000 hostname(config)# aaa mac-exempt match 1
  • Page 347: Filtering Overview

    This section describes how to apply filtering to remove ActiveX objects from HTTP traffic passing through the firewall. This section includes the following topics: • ActiveX Filtering Overview, page 20-2 • Enabling ActiveX Filtering, page 20-2
  • Page 348: Chapter 20 Applying Filtering Services

    To remove the configuration, use the no form of the command, as in the following example: hostname(config)# no filter activex 80 0 0 0 0
  • Page 349: Filtering Java Applets

    This section describes how to filter URLs and FTP requests with an external server. This section includes the following topics: • URL Filtering Overview, page 20-4 • Identifying the Filtering Server, page 20-4 • Buffering the Content Server Response, page 20-5 • Caching Server Addresses, page 20-6
  • Page 350: Url Filtering Overview

    (if_name) host local_ip [timeout seconds] [protocol TCP | UDP version [1|4] [connections num_conns] ] For Secure Computing SmartFilter (formerly N2H2): hostname(config)# url-server (if_name) vendor {secure-computing | n2h2} host <local_ip> [port <number>] [timeout <seconds>] [protocol {TCP [connections <number>]} | UDP]
  • Page 351: Buffering The Content Server Response

    To enable buffering of responses for HTTP or FTP requests that are pending a response from the filtering server, enter the following command: hostname(config)# url-block block block-buffer-limit Replace block-buffer-limit with the maximum number of HTTP responses that can be buffered while awaiting responses from the url-server.
  • Page 352: Caching Server Addresses

    • Truncating Long HTTP URLs, page 20-7 • Exempting Traffic from Filtering, page 20-7 Configuring HTTP Filtering You must identify and enable the URL filtering server before enabling HTTP filtering.
  • Page 353: Enabling Filtering Of Long Http Urls

    For example, the following commands cause all HTTP requests to be forwarded to the filtering server except for those from 10.0.2.54. hostname(config)# filter url http 0 0 0 0
  • Page 354: Filtering Https Urls

    CWD command successful.” If the filtering server denies the request, the security appliance alters the FTP return code to show that the connection was denied. For example, the security appliance changes code 250 to “550 Requested file is prohibited by URL filtering policy.”
  • Page 355: Viewing Filtering Statistics And Configuration

    Global Statistics: -------------------- URLs total/allowed/denied 13/3/10 URLs allowed by cache/server URLs denied by cache/server 0/10 HTTPSs total/allowed/denied 138/137/1 HTTPSs allowed by cache/server 0/137 HTTPSs denied by cache/server
  • Page 356: Viewing Buffer Configuration And Statistics

    Current number of packets held (global): Packets dropped due to exceeding url-block buffer limit: 7546 HTTP server retransmission: Number of packets released back to client: This shows the URL block statistics.
  • Page 357: Viewing Caching Statistics

    URL Access and URL Server Req rows. Viewing Filtering Configuration The following is sample output from the show running-config filter command: hostname# show running-config filter filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
  • Page 359: Modular Policy Framework Overview

    Using a Layer 3/4 Class Map” section on page 21-2. (Application inspection only) Define special actions for application inspection traffic. See the “Configuring Special Actions for Application Inspections” section on page 21-5.
  • Page 360: Chapter 21 Using Modular Policy Framework

    You can create multiple Layer 3/4 class maps for each Layer 3/4 policy map. You can create the following types of class maps: • Creating a Layer 3/4 Class Map for Through Traffic, page 21-3 • Creating a Layer 3/4 Class Map for Management Traffic, page 21-5
  • Page 361: Creating A Layer 3/4 Class Map For Through Traffic

    Not all applications whose ports are included in the match default-inspection-traffic command are enabled by default in the policy map.
  • Page 362 "This class-map matches all HTTP traffic" hostname(config-cmap)# match port tcp eq http hostname(config-cmap)# class-map to_server hostname(config-cmap)# description "This class-map matches all traffic to server 10.1.1.1" hostname(config-cmap)# match access-list host_foo
  • Page 363: Creating A Layer 3/4 Class Map For Management Traffic

    Some applications do not support an inspection class map. • Parameters—Parameters affect the behavior of the inspection engine.
  • Page 364: Creating A Regular Expression

    Use Ctrl+V to escape all of the special characters in the CLI, such as question mark (?) or a tab. For example, type d[Ctrl+V]g to enter d?g in the configuration. See the regex command in the Cisco Security Appliance Command Reference for performance impact information when matching a regular expression to packets.
  • Page 365 When character is not a metacharacter, matches the literal character. Carriage return: Matches a carriage return 0x0d. Newline: Matches a new line 0x0a. Tab: Matches a tab 0x09. Formfeed: Matches a form feed 0x0c.
  • Page 366: Creating A Regular Expression Class Map

    URL strings inside HTTP packets. To create a regular expression class map, perform the following steps: Step 1 Create one or more regular expressions according to the “Creating a Regular Expression” section.
  • Page 367: Identifying Traffic In An Inspection Class Map

    Where the application is the application you want to inspect. For supported applications, see Chapter 25, “Configuring Application Layer Protocol Inspection.” The class_map_name argument is the name of the class map up to 40 characters in length.
  • Page 368: Defining Actions In An Inspection Policy Map

    Specify the action you want to perform on the matching traffic by entering the following command: hostname(config-pmap-c)# {[drop [send-protocol-error] | drop-connection [send-protocol-error] | mask | reset] [log] | rate-limit message_rate}
  • Page 369 (higher priority) and match filename (lower priority). The ftp3 class map includes both commands, but it is ranked according to the lowest priority command, match filename. The ftp1 class map includes the
  • Page 370 (a Layer 3/4 class map not shown) hostname(config-pmap)# class test hostname(config-pmap-c)# inspect http http-map1 hostname(config-pmap-c)# service-policy test interface outside
  • Page 371: Defining Actions Using A Layer 3/4 Policy Map

    Because the policy is applied to all interfaces, the policy will be applied in both directions so bidirectionality in this case is redundant.
  • Page 372: Default Layer 3/4 Policy Map

    The default policy map configuration includes the following commands: policy-map global_policy class inspection_default
  • Page 373: Adding A Layer 3/4 Policy Map

    Note If there is no match default_inspection_traffic command in a class map, then at most one inspect command is allowed to be configured under the class. Step 4 Repeat Step 3 for each class map you want to include in this policy map. Step 5
  • Page 374 For any TCP connection other than Telnet and FTP, it will match class tcp_traffic. Even though a Telnet or FTP connection can match class tcp_traffic, the security appliance does not make this match because they previously matched other classes.
  • Page 375: Applying A Layer 3/4 Policy To An Interface Using A Service Policy

    • Applying Inspection to HTTP Traffic Globally, page 21-18 • Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers, page 21-19 • Applying Inspection to HTTP Traffic with NAT, page 21-20
  • Page 376: Applying Inspection And Qos Policing To Http Traffic

    Global HTTP Inspection [figure: security appliance with port 80 inspection on both the inside and outside interfaces, between Host A and Host B] See the following commands for this example: hostname(config)# class-map http_traffic hostname(config-cmap)# match port tcp eq 80
  • Page 377: Applying Inspection And Connection Limits To Http Traffic To Specific Servers

    100 hostname(config)# policy-map policy_serverB hostname(config-pmap)# class http_serverB hostname(config-pmap-c)# inspect http hostname(config)# service-policy policy_serverB interface inside hostname(config)# service-policy policy_serverA interface outside
  • Page 378: Applying Inspection To Http Traffic With Nat

    192.168.1.1 any eq 80 hostname(config)# class-map http_client hostname(config-cmap)# match access-list http_client hostname(config)# policy-map http_client hostname(config-pmap)# class http_client hostname(config-pmap-c)# inspect http hostname(config)# service-policy http_client interface inside
  • Page 379: Managing The Aip Ssm

    Chapter: Managing AIP SSM and CSC SSM. The Cisco ASA 5500 series adaptive security appliance supports a variety of SSMs. This chapter describes how to configure the adaptive security appliance to support an AIP SSM or a CSC SSM, including how to send traffic to these SSMs.
  • Page 380: Chapter 22 Managing Aip Ssm And Csc Ssm

    SSM is very robust and beyond the scope of this document, detailed configuration information is available in the following separate documentation: • Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface • Cisco Intrusion Prevention System Command Reference
  • Page 381 The following example diverts all IP traffic to the AIP SSM in promiscuous mode, and blocks all IP traffic should the AIP SSM card fail for any reason: hostname(config)# access-list IPS permit ip any any hostname(config)# class-map my-ips-class
  • Page 382: Sessioning To The Aip Ssm And Running Setup

    1 Opening command session with slot 1. Connected to slot 1. Escape character sequence is 'CTRL-^X'. Step 2 Enter the username and password. The default username and password are both cisco. Note: The first time you log in to the AIP SSM you are prompted to change the default password.
  • Page 383: Managing The Csc Ssm

    You are now ready to configure the AIP SSM for intrusion prevention. See the following two guides for AIP SSM configuration information: • Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface • Cisco Intrusion Prevention System Command Reference
  • Page 384 CSC SSM software, you access the web-based GUI for the CSC SSM by clicking links within ASDM. Use of the CSC SSM GUI is explained in the Trend Micro InterScan for Cisco CSC SSM Administrator Guide.
  • Page 385: Getting Started With The Csc Ssm

    SSM. This procedure provides an overview of those steps. To configure the adaptive security appliance and the CSC SSM, follow these steps: Step 1 If the CSC SSM did not come pre-installed in a Cisco ASA 5500 series adaptive security appliance, install it and connect a network cable to the management port of the SSM.
  • Page 386 Step 4 In a web browser, access ASDM for the adaptive security appliance that the CSC SSM is in. Note: If you are accessing ASDM for the first time, see the Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide for assistance with the Startup Wizard.
  • Page 387: Determining What Traffic To Scan

    • FTP connections from clients inside the adaptive security appliance to servers outside the adaptive security appliance. • POP3 connections from clients inside the security appliance to servers outside the adaptive security appliance.
  • Page 388 192.168.10.0 255.255.255.0 209.165.201.7 255.255.255.255 eq 80 The second policy in this example, applied to the outside interface, could use the following access list: access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 25
  • Page 389: Limiting Connections Through The Csc Ssm

    “Determining What Traffic to Scan” section on page 22-9. Step 2 Create a class map to identify the traffic that should be diverted to the CSC SSM. Use the class-map command to do so, as follows.
  • Page 390 Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface. The adaptive security appliance begins diverting traffic to the CSC SSM as specified.
  • Page 391: Checking Ssm Status

    While the adaptive security appliance transfers an application image to the SSM, the Status field in the output reads “Recover”. For more information about possible statuses, see the entry for the show module command in the Cisco Security Appliance Command Reference.
  • Page 392: Transferring An Image Onto An Ssm

    If you do not back up the configuration of the SSM application, it is lost when you transfer an image onto the SSM. For more information about how your SSM supports backups, see the documentation for your SSM.
  • Page 393 Complete the prompts as applicable. If you are modifying a configuration, you can keep the previously configured value by pressing Enter. The following example shows the prompts. For more information about them, see the entry for the hw-module module recover command in the Cisco Security Appliance Command Reference.
  • Page 394 Note: If your SSM supports configuration backups and you want to restore the configuration of the application running on the SSM, see the documentation for your SSM for details.
  • Page 395: Configuring Tcp Normalization

    Step 2 Configure the TCP map criteria by entering commands for one or more of the following options: • Prevent inconsistent TCP retransmissions: hostname(config-tcp-map)# check-retransmission • Verify the checksum: hostname(config-tcp-map)# checksum-verification
  • Page 396: Chapter 23 Preventing Network Attacks

    It is at this point that the attacker can send a malicious packet with a long TTL that appears to the security...
  • Page 398: Configuring Connection Limits And Timeouts

    | per-client-max number | random-sequence-number {enable | disable}}. . . where number is an integer between 0 and 65535. The default is 0, which means no limit on connections.
  • Page 399: Preventing Ip Spoofing

    Similarly, if traffic enters the inside interface from an unknown source address, the security appliance drops the packet because the matching route (the default route) indicates the outside interface.
  • Page 400: Configuring The Fragment Size

    Step 2 To shun connections from the source IP address, enter the following command: hostname(config)# shun src_ip [dst_ip src_port dest_port [protocol]] [vlan vlan_id] If you enter only the source IP address, then all future connections are shunned; existing connections remain active.
  • Page 401: Configuring Ip Audit For Basic Ips Support

    Step 3 ip audit interface interface_name policy_name Step 4 To disable signatures, or for more information about signatures, see the ip audit signature command in the Cisco Security Appliance Command Reference.
  • Page 402 Chapter 23 Preventing Network Attacks Configuring IP Audit for Basic IPS Support
  • Page 403: Overview

    A flow can be defined in a number of ways. In the security appliance, QoS can apply to a combination of source and destination IP addresses, source and destination port number, and the TOS byte of the IP header.
  • Page 404: Chapter 24 Applying QoS Policies

    Associating actions with each traffic class to formulate policies. Activating the policies. The specification of a classification policy—that is, the definition of traffic classes—is separate from the specification of the policies that act on the results of the classification.
  • Page 405 (priority-queue command) on each named, physical interface transmitting prioritized traffic. The following example enables a default priority-queue with the default queue-limit and tx-ring-limit: priority-queue name-interface The following sections explain each of these uses in more detail.
  • Page 406: Identifying Traffic For Qos

    By creating a class-map (named “host-specific”), you can then police the “host-specific” class before the LAN-to-LAN connection polices the tunnel. In this example, the “host-specific” traffic is rate-limited before the tunnel, then the tunnel is rate-limited:
  • Page 407: Defining A Qos Policy Map

    The following table summarizes the match command criteria available and relevant to QoS. For the full list of all match commands and their syntax, see Cisco Security Appliance Command Reference: Command Description match access-list Matches, by name or number, access list traffic within a class map.
  • Page 408: Applying Rate Limiting

    LAN-to-LAN VPN flow if there is no police command defined for tunnel-group of LAN-to-LAN VPN. In other words, the policing values of class-default are never applied to the individual flow of a LAN-to-LAN VPN that exists before encryption.
  • Page 409: Activating The Service Policy

    Using the policy-map example in the previous section, the following service-policy command activates the policy-map “qos,” defined in the previous section, for traffic on the outside interface: hostname(config)# service-policy qos interface outside
  • Page 410: Applying Low Latency Queueing

    The queue-limit command specifies a maximum number of packets that can be queued to a priority queue before it drops data. This limit must be in the range of 0 through 2048 packets.
  • Page 411: Reducing Queue Latency

    Step 2 Create a class map or modify an existing class map to identify traffic that you want to police or to identify as priority traffic. Use the class-map command to do so, as follows: hostname(config)# class-map class_map_name hostname(config-cmap)#
  • Page 412 If you want the traffic selected by the class map to be marked as priority traffic, enter the priority command. hostname(config-pmap-c)# priority Note: Priority queuing does not occur automatically for traffic marked as priority. To enable priority queuing, you must also complete Step 8, which enables the priority queues.
  • Page 413 For details about priority queuing, see the “Applying Low Latency Queueing” section on page 24-8 and the priority command page in the Cisco Security Appliance Command Reference. • If you want the security appliance to police the traffic selected by the class map, enter the police...
  • Page 414: Viewing Qos Configuration

    Class-map: browse police Interface outside: cir 56000 bps, bc 10500 bytes conformed 10065 packets, 12621510 bytes; actions: transmit exceeded 499 packets, 625146 bytes; actions: drop conformed 5600 bps, exceed 5016 bps
  • Page 415: Viewing Qos Policy Map Configuration

    To display the priority-queue configuration for an interface, enter the show running-config priority-queue command in global configuration mode. The following example shows the priority-queue configuration for the interface named “test”: hostname(config)# show running-config priority-queue test priority-queue test queue-limit 2048 tx-ring-limit 256 hostname(config)#
  • Page 416: Viewing Qos Statistics

    EXEC mode: hostname# show service-policy priority Note: This is the same command you use to view configuration of policies that include the priority keyword.
  • Page 417: Viewing Qos Priority Queue Statistics

    • “Packets Enqueued” denotes the overall number of packets that have been queued in this queue. • “Current Q Length” denotes the current depth of this queue. • “Max Q Length” denotes the maximum depth that ever occurred in this queue.
  • Page 418 Chapter 24 Applying QoS Policies Viewing QoS Statistics
  • Page 419 • ICMP Inspection, page 25-51 • ICMP Error Inspection, page 25-51 • ILS Inspection, page 25-51 • MGCP Inspection, page 25-52 • NetBIOS Inspection, page 25-56 • PPTP Inspection, page 25-58
  • Page 420: Chapter 25 Configuring Application Layer Protocol Inspection

    Inspection Limitations See the following limitations for application protocol inspection:
  • Page 421: Default Inspection Policy

    NetBIOS Name Server over IP: UDP/137, 138 (source ports); NetBIOS is supported by performing NAT of the packets for NBNS UDP port 137 and NBDS UDP port 138. PPTP: TCP/1723; RFC 2637.
  • Page 422 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny
  • Page 423: Configuring Application Inspection

    10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 hostname(config)# class-map inspection_default hostname(config-cmap)# match access-list inspect View the entire class map using the following command: hostname(config-cmap)# show running-config class-map inspection_default class-map inspection_default match default-inspection-traffic
  • Page 424 25-3. If you want to modify the default policy (for example, to add or delete an inspection, or to identify an additional class map for your actions), then enter global_policy as the name.
  • Page 425 If you added a GTP inspection policy map according to the “Configuring a GTP Inspection Policy Map for Additional Inspection Control” section on page 25-32, identify the map name in this command.
  • Page 426 If you added a SIP inspection policy map according to the “Configuring a SIP Inspection Policy Map for Additional Inspection Control” section on page 25-63, identify the map name in this command.
  • Page 427: Ctiqbe Inspection

    SoftPhone and other Cisco TAPI/JTAPI applications to work successfully with Cisco CallManager for call setup across the security appliance. TAPI and JTAPI are used by many Cisco VoIP applications. CTIQBE is used by Cisco TSP to communicate with Cisco CallManager.
  • Page 428: Limitations And Restrictions

    Cisco TSP configuration on the PC. • When using PAT or Outside PAT, if the Cisco CallManager IP address is to be translated, its TCP port 2748 must be statically mapped to the same port of the PAT (interface) address for Cisco IP SoftPhone registrations to succeed.
  • Page 429: Dcerpc Inspection

    Configuring a DCERPC Inspection Policy Map for Additional Inspection Control, page 25-12 DCERPC Overview DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely.
  • Page 430: Configuring A Dcerpc Inspection Policy Map For Additional Inspection Control

    The epm-service-only keyword enforces endpoint mapper service during binding so that only its service traffic is processed. The lookup-operation keyword enables the lookup operation of the endpoint mapper service.
  • Page 431: Dns Inspection

    Note: If you enter the inspect dns command without the maximum-length option, DNS packet size is not checked. • Enforces a domain-name length of 255 bytes and a label length of 63 bytes.
  • Page 432: How Dns Rewrite Works

    DNS reply. As a result, the web client on the inside network gets the correct address for connecting to the web server on the inside network. For configuration instructions for scenarios similar to this one, see “Configuring DNS Rewrite with Two NAT Zones” section on page 25-16.
  • Page 433: Configuring Dns Rewrite

    • For detailed syntax and additional functions for the alias, nat, and static commands, see the appropriate command page in the Cisco Security Appliance Command Reference. Using the Static Command for DNS Rewrite The static command causes addresses on an IP network residing on a specific interface to be translated into addresses on another IP network on a different interface.
  • Page 434: Using The Alias Command For Dns Rewrite

    TCP port that the web server listens to for HTTP requests. Step 3 Apply the access list created in Step 2 to the mapped interface. To do so, use the access-group command, as follows: hostname(config)# access-group acl-name in interface mapped_ifc
  • Page 435: Dns Rewrite With Three Nat Zones

    “Configuring DNS Rewrite with Three NAT Zones” section on page 25-19. Figure 25-2 DNS Rewrite with Three NAT Zones [figure: DNS server on the outside with record erver.example.com IN A 209.165.200.5; security appliance with interfaces 99.99.99.2 (outside), 10.10.10.1 (inside) and 192.168.100.1; web server 192.168.100.10; web client 10.10.10.25]
  • Page 436 If a NAT rule (nat or static) were applicable, the dns option must also be specified. If the dns option were not specified, the A-record rewrite in step would be reverted and other processing for the packet continues.
  • Page 437: Configuring Dns Rewrite With Three Nat Zones

    (dmz,outside) 209.165.200.225 192.168.100.10 dns hostname(config)# access-list 101 permit tcp any host 209.165.200.225 eq www hostname(config)# access-group 101 in interface outside This configuration requires the following A-record on the DNS server: server.example.com. IN A 209.165.200.225
  • Page 438: Verifying And Monitoring Dns Inspection

    Step 1 (Optional) Add one or more regular expressions for use in traffic matching commands according to the “Creating a Regular Expression” section on page 21-6. See the types of text you can match in the match commands described in Step...
  • Page 439 DNS class field. The range keyword specifies a range and the eq keyword specifies an exact match. (Optional) To match a DNS question or resource record, enter the following command: hostname(config-cmap)# match {question | {resource-record answer | authority | any}}
  • Page 440 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate} Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 441 RD hostname(config-pmap-c)# mask log hostname(config)# class-map dns_serv_map hostname(config-cmap)# match default-inspection-traffic hostname(config)# policy-map pub_policy hostname(config-pmap)# class dns_serv_map hostname(config-pmap-c)# inspect dns serv_prot hostname(config)# service-policy pub_policy interface dmz
  • Page 442: Esmtp Inspection

    {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate} Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 443: Ftp Inspection

    FTP Inspection This section describes the FTP inspection engine. This section includes the following topics: • FTP Inspection Overview, page 25-26 • Using the strict Option, page 25-26
  • Page 444: Ftp Inspection Overview

    If it is not five, then the PORT command is assumed to be truncated and the TCP connection is closed. • Incorrect command—Checks the FTP command to see if it ends with <CR><LF> characters, as required by the RFC. If it does not, the connection is closed.
  • Page 445: Configuring An Ftp Inspection Policy Map For Additional Inspection Control

    To specify traffic that should not match the class map, use the match not command. For example, if the match not command specifies the string “example.com,” then any traffic that includes “example.com” does not match the class map.
  • Page 446 Disallows the client command for sending a file to the server. Disallows the command that deletes a directory on the server. rnfr Disallows the command that specifies rename-from filename. rnto Disallows the command that specifies rename-to filename.
  • Page 447 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate} Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 448: Verifying And Monitoring Ftp Inspection

    • The username is obtained by looking up a table providing the IP address. • The username, source IP address, destination IP address, NAT address, and the file operation are logged.
  • Page 449: Gtp Inspection

    UTRAN is the networking protocol used for implementing wireless networks in this system. GTP allows multi-protocol packets to be tunneled through a UMTS/GPRS backbone between a GGSN, an SGSN and the UTRAN.
  • Page 450: Configuring A Gtp Inspection Policy Map For Additional Inspection Control

    The class regex_class_name is the regular expression class map you created in Step 1. Step 4 To match a message ID, enter the following command: hostname(config-pmap)# match [not] message id [message_id | range lower_range upper_range]
  • Page 451 To create an object to represent the pool of load-balancing GSNs, perform the following steps: Use the object-group command to define a new network object group representing the pool of load-balancing GSNs. hostname(config)# object-group network GSN-pool-name hostname(config-network)#
  • Page 452 IP addresses, one per network-object command, instead of identifying whole networks. The example then modifies a GTP map to permit responses from the GSN pool to the SGSN. hostname(config)# object-group network gsnpool32 hostname(config-network)# network-object 192.168.100.0 255.255.255.0 hostname(config)# object-group network sgsn32
  • Page 453 The following example shows how to limit the number of tunnels in the network: hostname(config)# policy-map type inspect gtp gmap hostname(config-pmap)# parameters hostname(config-pmap-p)# tunnel-limit 3000 hostname(config)# policy-map global_policy hostname(config-pmap)# class inspection_default hostname(config-pmap-c)# inspect gtp gmap hostname(config)# service-policy global_policy global
  • Page 454: Verifying And Monitoring Gtp Inspection

    Verifying and Monitoring GTP Inspection To display GTP configuration, enter the show service-policy inspect gtp command in privileged EXEC mode. For the detailed syntax for this command, see the command page in the Cisco Security Appliance Command Reference. Use the show service-policy inspect gtp statistics command to show the statistics for GTP inspection.
  • Page 455: H.323 Inspection

    • H.323 Inspection Overview H.323 inspection provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union for multimedia conferences over LANs. The security appliance supports H.323 through Version 4, including H.323 v3 feature Multiple Calls on One Call Signaling Channel.
  • Page 456: Limitations And Restrictions

    To specify actions when a message violates a parameter, create an H.323 inspection policy map. You can then apply the inspection policy map when you enable H.323 inspection according to the “Configuring Application Inspection” section on page 25-5.
  • Page 457 Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode. Step 5 (Optional) To add a description to the policy map, enter the following command: hostname(config-pmap)# description string
  • Page 458 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate} Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 459: Configuring H.323 And H.225 Timeout Values

    The show h225 command displays information for H.225 sessions established across the security appliance. Along with the debug h323 h225 event, debug h323 h245 event, and show local-host commands, this command is used for troubleshooting H.323 inspection engine issues.
  • Page 460: Monitoring H.245 Sessions

    The media negotiated between these endpoints have an LCN of 258 with the foreign RTP IP address/port pair of 172.30.254.203/49608 and an RTCP IP address/port of 172.30.254.203/49609 with a local RTP IP address/port pair of 10.130.56.3/49608 and an RTCP port of 49609.
  • Page 461: Monitoring H.323 Ras Sessions

    Control”), can help prevent attackers from using HTTP messages for circumventing network security policy. It verifies the following for all HTTP messages: • Conformance to RFC 2616 • Use of RFC-defined methods only. • Compliance with the additional criteria.
  • Page 462: Configuring An Http Inspection Policy Map For Additional Inspection Control

    HTTP request message, enter the following command: hostname(config-cmap)# match [not] req-resp content-type mismatch (Optional) To match text found in the HTTP request message arguments, enter the following command:
  • Page 463 (Optional) To match text found in the HTTP response message header, or to restrict the count or length of the header, enter the following command: hostname(config-cmap)# match [not] response header {[field] [regex [regex_name | class regex_class_name]] | [length gt max_length_bytes | count gt max_count]}
  • Page 464 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate} Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 465: Instant Messaging Inspection

    This section describes the IM inspection engine. This section includes the following topics: • IM Inspection Overview, page 25-48 • Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control, page 25-48
  • Page 466: Im Inspection Overview

    Where the string is the description of the class map (up to 200 characters). (Optional) To match traffic of a specific IM protocol, such as Yahoo or MSN, enter the following command: hostname(config-cmap)# match [not] protocol {im-yahoo | im-msn}
  • Page 467 Step 6 Specify the traffic on which you want to perform actions using one of the following methods: • Specify the IM class map that you created in Step 3 by entering the following command:
  • Page 469: ICMP Inspection

    The security appliance supports NAT for ILS, which is used to register and locate endpoints in the ILS or SiteServer Directory. PAT cannot be supported because only IP addresses are stored by an LDAP database.
  • Page 470: MGCP Inspection

    This section describes MGCP application inspection. This section includes the following topics:
    • MGCP Inspection Overview, page 25-53
    • Configuring an MGCP Inspection Policy Map for Additional Inspection Control, page 25-54
    • Configuring MGCP Timeout Values, page 25-56
  • Page 471: MGCP Inspection Overview

    [Figure residue: MGCP and SCCP call flow diagram. Recoverable labels: 209.165.200.231; Gateway is told to send its media; RTP to 10.0.0.76 (public address of the IP Phone) from 209.165.200.231; RTP to 209.165.201.1 from 10.0.0.76; Branch offices]
  • Page 472: Configuring an MGCP Inspection Policy Map for Additional Inspection Control

    Step 1 To create an MGCP inspection policy map, enter the following command:
    hostname(config)# policy-map type inspect mgcp policy_map_name
    hostname(config-pmap)#
    Where policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
  • Page 473 10.10.11.5 101
    hostname(config-pmap-p)# call-agent 10.10.11.6 101
    hostname(config-pmap-p)# call-agent 10.10.11.7 102
    hostname(config-pmap-p)# call-agent 10.10.11.8 102
    hostname(config-pmap-p)# gateway 10.10.10.115 101
    hostname(config-pmap-p)# gateway 10.10.10.116 102
    hostname(config-pmap-p)# gateway 10.10.10.117 102
    hostname(config-pmap-p)# command-queue 150
  • Page 474: Configuring MGCP Timeout Values

    The timeout mgcp-pat command lets you set the timeout for PAT xlates. Because MGCP does not have a keepalive mechanism, if you use non-Cisco MGCP gateways (call agents), the PAT xlates are torn down after the default timeout interval, which is 30 seconds.
  • Page 475: Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control

    {[drop [send-protocol-error] | drop-connection [send-protocol-error] | mask | reset] [log] | rate-limit message_rate}
    Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 476: PPTP Inspection

    PAC (PPTP Access Concentrator) to the headend PNS (PPTP Network Server). When used this way, the PAC is the remote client and the PNS is the server.
  • Page 477: RADIUS Accounting Inspection

    10.1.1.1 inside key 123456789
    send response
    enable gprs
    validate-attribute 22
    Step 3 Configure the service policy and control-plane keywords.
    policy-map type management global_policy
    class c1
    inspect radius-accounting radius_accounting_map
    service-policy global_policy control-plane abc global
  • Page 478: RSH Inspection

    The RTSP inspection engine lets the security appliance pass RTSP packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. For Cisco IP/TV, use RTSP TCP port 554 and TCP 8554.
    Note RTSP applications use the well-known port 554 with TCP (rarely UDP) as a control channel. The security appliance only supports TCP, in conformity with RFC 2326.
  • Page 479: Restrictions And Limitations

    SDP files as part of HTTP or RTSP messages. Packets could be fragmented, and the security appliance cannot perform NAT on fragmented packets.
    • With Cisco IP/TV, the number of translates the security appliance performs on the SDP part of the ...
  • Page 480: SIP Instant Messaging

    SDP media information fields and the media type. There can be multiple media addresses and ports for a session. The security appliance opens RTP/RTCP connections between the two endpoints using these media addresses/ports.
  • Page 481: Configuring a SIP Inspection Policy Map for Additional Inspection Control

    The CLI enters class-map configuration mode, where you can enter one or more match commands.
  • Page 482 (Optional) To match a URI in the SIP headers, enter the following command:
    hostname(config-cmap)# match [not] uri {sip | tel} length gt length
    Where length is the number of bytes the URI is greater than, from 0 to 65536.
  • Page 483 {[drop [send-protocol-error] | drop-connection [send-protocol-error] | mask | reset] [log] | rate-limit message_rate}
    Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 484: Configuring SIP Timeout Values

    To configure the timeout for the SIP control connection, enter the following command:
    hostname(config)# timeout sip hh:mm:ss
  • Page 485: Verifying and Monitoring SIP Inspection

    This section describes SCCP application inspection. This section includes the following topics:
    • SCCP Inspection Overview, page 25-68
    • Supporting Cisco IP Phones, page 25-68
    • Restrictions and Limitations, page 25-68
    • Verifying and Monitoring SCCP Inspection, page 25-69
  • Page 486: SCCP Inspection Overview

    The security appliance also supports DHCP options 150 and 66, which it accomplishes by sending the location of a TFTP server to Cisco IP Phones and other DHCP clients. Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route.
  • Page 487: Verifying and Monitoring SCCP Inspection

    MEDIA 10.0.0.22/20798 172.18.1.11/22948
    The output indicates that a call has been established between two internal Cisco IP Phones. The RTP listening ports of the first and second phones are UDP 22948 and 20798 respectively. The following is sample output from the show xlate debug command for these Skinny connections:...
  • Page 488 {[drop [send-protocol-error] | drop-connection [send-protocol-error] | mask | reset] [log] | rate-limit message_rate}
    Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 489: SMTP and Extended SMTP Inspection

    SMTP commands must be at least four characters in length; must be terminated with carriage return and line feed; and must wait for a response before issuing the next reply.
  • Page 490: SNMP Inspection

    To specify the versions of SNMP to deny, enter the following command for each version:
    hostname(config-snmp-map)# deny version version
    hostname(config-snmp-map)#
    where version is 1, 2, 2c, or 3. The following example denies SNMP Versions 1 and 2:
    hostname(config)# snmp-map sample_map
    hostname(config-snmp-map)# deny version 1
  • Page 491: SQL*Net Inspection

    This section describes Sun RPC application inspection. This section includes the following topics:
    • Sun RPC Inspection Overview, page 25-74
    • Managing Sun RPC Services, page 25-74
    • Verifying and Monitoring Sun RPC Inspection, page 25-75
  • Page 492: Sun RPC Inspection Overview

    To clear the active Sun RPC services, enter the following command:
    hostname(config)# clear sunrpc-server a