Cisco FirePOWER ASA 5500 series Configuration Manual


Security appliance command line
Cisco Security Appliance Command Line
Configuration Guide
For the Cisco ASA 5500 Series and Cisco PIX 500 Series
Software Version 7.2(1)
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: N/A, Online only
Text Part Number: OL-10088-01


Summary of Contents for Cisco FirePOWER ASA 5500 series

  • Page 1 Cisco Security Appliance Command Line Configuration Guide For the Cisco ASA 5500 Series and Cisco PIX 500 Series Software Version 7.2(1) Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387)
  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.;...
  • Page 3 Sending Traffic to the Advanced Inspection and Prevention Security Services Module Sending Traffic to the Content Security and Control Security Services Module Applying QoS Policies Applying Connection Limits and TCP Normalization Firewall Mode Overview Stateful Inspection Overview VPN Functional Overview Cisco Security Appliance Command Line Configuration Guide OL-10088-01...
  • Page 4: Table Of Contents

    Invalid Classifier Criteria Classification Examples Cascading Security Contexts Management Access to Security Contexts System Administrator Access Context Administrator Access 3-10 Enabling or Disabling Multiple Context Mode 3-10 Backing Up the Single Mode Configuration 3-10...
  • Page 5 Contents Enabling Multiple Context Mode 3-10 Restoring Single Context Mode 3-11 CHAPTER Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Overview Understanding ASA 5505 Ports and Interfaces...
  • Page 6 Defining Route Maps Configuring OSPF OSPF Overview Enabling OSPF Redistributing Routes Into OSPF Configuring OSPF Interface Parameters 9-10 Configuring OSPF Area Parameters 9-12 Configuring OSPF NSSA 9-13 Configuring Route Summarization Between OSPF Areas 9-14...
  • Page 7 Configuring a DHCP Server 10-1 Enabling the DHCP Server 10-2 Configuring DHCP Options 10-3 Using Cisco IP Phones with a DHCP Server 10-4 Configuring DHCP Relay Services 10-5 Configuring Dynamic DNS 10-6 Example 1: Client Updates Both A and PTR RRs for Static IP Addresses 10-7 Example 2: Client Updates Both A and PTR RRs;...
  • Page 8 Configuring IPv6 Default and Static Routes 12-5 Configuring IPv6 Access Lists 12-6 Configuring IPv6 Neighbor Discovery 12-7 Configuring Neighbor Solicitation Messages 12-7 Configuring Router Advertisement Messages 12-9 Configuring a Static IPv6 Neighbor 12-11...
  • Page 9 Using Certificates and User Login Credentials 13-15 Using User Login Credentials 13-15 Using certificates 13-16 Supporting a Zone Labs Integrity Server 13-16 Overview of Integrity Server and Security Appliance Interaction 13-17 Configuring Integrity Server Support 13-17...
  • Page 10 Configuring Unit Health Monitoring 14-36 Configuring Failover Communication Authentication/Encryption 14-36 Verifying the Failover Configuration 14-37 Using the show failover Command 14-37 Viewing Monitored Interfaces 14-45 Displaying the Failover Commands in the Running Configuration 14-45...
  • Page 11 CHAPTER Access List Overview 16-1 Access List Types 16-2 Access Control Entry Order 16-2 Access Control Implicit Deny 16-3 IP Addresses Used for Access Lists When You Use NAT 16-3...
  • Page 12 17-3 NAT Types 17-5 Dynamic NAT 17-5 17-6 Static NAT 17-7 Static PAT 17-7 Bypassing NAT when NAT Control is Enabled 17-8 Policy NAT 17-9 NAT and Same Security Level Interfaces 17-12...
  • Page 13 Configuring a RADIUS Server to Send Downloadable Access Control Lists 19-7 Configuring a RADIUS Server to Download Per-User Access Control List Names 19-11 Configuring Accounting for Network Access 19-12 Using MAC Addresses to Exempt Traffic from Authentication and Authorization 19-13...
  • Page 14 21-8 Identifying Traffic in an Inspection Class Map 21-9 Defining Actions in an Inspection Policy Map 21-10 Defining Actions Using a Layer 3/4 Policy Map 21-13 Layer 3/4 Policy Map Overview 21-13...
  • Page 15 Configuring IP Audit for Basic IPS Support 23-7 CHAPTER Applying QoS Policies 24-1 Overview 24-1 QoS Concepts 24-2 Implementing QoS 24-2 Identifying Traffic for QoS 24-4...
  • Page 16 25-15 Using the Static Command for DNS Rewrite 25-15 Using the Alias Command for DNS Rewrite 25-16 Configuring DNS Rewrite with Two NAT Zones 25-16 DNS Rewrite with Three NAT Zones 25-17...
  • Page 17 ILS Inspection 25-51 MGCP Inspection 25-52 MGCP Inspection Overview 25-53 Configuring an MGCP Inspection Policy Map for Additional Inspection Control 25-54 Configuring MGCP Timeout Values 25-56 Verifying and Monitoring MGCP Inspection 25-56...
  • Page 18 CHAPTER Configuring ARP Inspection 26-1 ARP Inspection Overview 26-1 Adding a Static ARP Entry 26-2 Enabling ARP Inspection 26-2 Customizing the MAC Address Table 26-3...
  • Page 19 Creating a Basic IPSec Configuration 27-22 Using Dynamic Crypto Maps 27-24 Providing Site-to-Site Redundancy 27-26 Viewing an IPSec Configuration 27-26 Clearing Security Associations 27-27 Clearing Crypto Map Configurations 27-27 Supporting the Nokia VPN Client 27-28...
  • Page 20 CHAPTER Overview of Tunnel Groups, Group Policies, and Users 30-1 Tunnel Groups 30-2 General Tunnel-Group Connection Parameters 30-2 IPSec Tunnel-Group Connection Parameters 30-3 WebVPN Tunnel-Group Connection Parameters 30-4 Configuring Tunnel Groups 30-5...
  • Page 21 30-41 Configuring Domain Attributes for Tunneling 30-42 Configuring Attributes for VPN Hardware Clients 30-44 Configuring Backup Server Attributes 30-47 Configuring Microsoft Internet Explorer Client Parameters 30-48 Configuring Network Admission Control Parameters 30-50...
  • Page 22 Specifying the Access Control Server Group 33-2 Enabling NAC 33-2 Configuring the Default ACL for NAC 33-3 Configuring Exemptions from NAC 33-4 Changing Advanced Settings 33-5 Changing Clientless Authentication Settings 33-5...
  • Page 23 Setting the Revalidation Timer 33-9 CHAPTER Configuring Easy VPN Services on the ASA 5505 34-1 Specifying the Client/Server Role of the Cisco ASA 5505 34-2 Specifying the Primary and Secondary Servers 34-3 Specifying the Mode...
  • Page 24 Closing Application Access to Prevent hosts File Errors 37-17 Recovering from hosts File Errors When Using Application Access 37-18 Understanding the hosts File 37-18 Stopping Application Access Improperly 37-19 Reconfiguring a hosts File 37-19 Configuring File Access 37-21...
  • Page 25 37-49 Creating a Capture File 37-50 Using a Browser to Display Capture Data 37-50 CHAPTER Configuring SSL VPN Client 38-1 Installing SVC 38-1 Platform Requirements 38-1...
  • Page 26 Exporting a Trustpoint Configuration 39-15 Importing a Trustpoint Configuration 39-15 Configuring CA Certificate Map Rules 39-15 CHAPTER Managing System Access 40-1 Allowing Telnet Access 40-1...
  • Page 27 41-8 Backing Up a Context Configuration within a Context 41-9 Copying the Configuration from the Terminal Display 41-9 Configuring Auto Update Support 41-9 Configuring Communication with an Auto Update Server 41-9...
  • Page 28 Changing the Severity Level of a System Log Message 42-21 Changing the Amount of Internal Flash Memory Available for Logs 42-22 Understanding System Log Messages 42-23 System Log Message Format 42-23 Severity Levels 42-23...
  • Page 29 Example 1: Customer B Context Configuration Example 1: Customer C Context Configuration Example 2: Single Mode Firewall Using Same Security Level Example 3: Shared Resources for Multiple Contexts Example 3: System Configuration...
  • Page 30 Example 14: ASA 5505 Base License B-34 Example 15: ASA 5505 Security Plus License with Failover and Dual-ISP Backup B-36 Example 15: Primary Unit Configuration B-36 Example 15: Secondary Unit Configuration B-38...
  • Page 31 Determining the Address to Use with the Subnet Mask IPv6 Addresses IPv6 Address Format IPv6 Address Types Unicast Addresses Multicast Address Anycast Address Required Addresses D-10 IPv6 Address Prefixes D-10 Protocols and Applications D-11 TCP and UDP Ports D-11...
  • Page 32 Example 3: LDAP Authentication and LDAP Authorization with Microsoft Active Directory E-22 Configuring an External RADIUS Server E-24 Reviewing the RADIUS Configuration Procedure E-24 Security Appliance RADIUS Authorization Attributes E-25 GLOSSARY INDEX...
  • Page 33: About This Guide

    Help for less common scenarios. For more information, see: http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdm/index.htm This guide applies to the Cisco PIX 500 series security appliances (PIX 515E, PIX 525, and PIX 535) and the Cisco ASA 5500 series security appliances (ASA 5505, ASA 5510, ASA 5520, ASA 5540, and ASA 5550).
  • Page 34: Related Documentation

    Cisco ASDM Release Notes • Cisco PIX 515E Quick Start Guide • Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0 • • Migrating to ASA for VPN 3000 Series Concentrator Administrators Cisco Security Appliance Command Reference •...
  • Page 35 Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP routed networks. Chapter 25, “Configuring Application Layer Protocol Inspection” Describes how to use and configure application inspection.
  • Page 36 Chapter 41, “Managing Software, Licenses, and Configurations” Describes how to enter license keys and download software and configuration files. Chapter 42, “Monitoring the Security Appliance” Describes how to monitor the security appliance.
  • Page 37: Document Conventions

    Variables for which you must supply a value are shown in italic screen font. • Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
  • Page 38: Documentation Feedback

    The DVD enables you to access multiple versions of installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the same HTML documentation that is found on the Cisco website without being connected to the Internet.
  • Page 39 We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.
  • Page 40 Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting Note a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts &...
  • Page 41 Cisco engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
  • Page 42 Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ Cisco Press publishes a wide range of general networking, training and certification titles. Both new • and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL: http://www.ciscopress.com...
  • Page 43 PART Getting Started and General Information...
  • Page 45 WebVPN support, and many more features. See Appendix A, “Feature Licenses and Specifications,” a list of supported platforms and features. For a list of new features, see the Cisco ASA 5500 Series Release Notes or the Cisco PIX Security Appliance Release Notes.
  • Page 46 Using AAA for Through Traffic You can require authentication and/or authorization for certain types of traffic, for example, for HTTP. The security appliance also sends accounting information to a RADIUS or TACACS+ server.
  • Page 47 TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets that do not appear normal. Firewall Mode Overview The security appliance runs in two different firewall modes: • Routed • Transparent
  • Page 48 The fast path is responsible for the following tasks: – IP checksum verification – Session lookup – TCP sequence number check – NAT translations based on existing sessions – Layer 3 and Layer 4 header adjustments
  • Page 49: Intrusion Prevention Services Functional Overview

    The security appliance invokes various standard protocols to accomplish these functions. Intrusion Prevention Services Functional Overview The Cisco ASA 5500 series adaptive security appliance supports the AIP SSM, an intrusion prevention services module that monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library.
  • Page 50: Security Context Overview

    You can run all your contexts in routed mode or transparent mode; you cannot run some contexts in one mode and others in another. Note Multiple context mode supports static routing only.
  • Page 51: Chapter 2 Getting Started

    Factory Default Configurations The factory default configuration is the configuration applied by Cisco to new security appliances. The factory default configuration is supported on all models except for the PIX 525 and PIX 535 security appliances.
  • Page 52: Restoring The Factory Default Configuration

    All inside IP addresses are translated when accessing the outside using interface PAT. • By default, inside users can access the outside with an access list, and outside users are prevented from accessing the inside.
  • Page 53: ASA 5510 and Higher Default Configuration

    • The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254. • The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
  • Page 54: PIX 515/515E Default Configuration

    Note If you want to use ASDM to configure the security appliance instead of the command-line interface, you can connect to the default management address of 192.168.1.1 (if your security appliance includes a factory default configuration. See the “Factory Default Configurations” section on page 2-1.). On the...
  • Page 55: Setting Transparent or Routed Firewall Mode

    You can set the security appliance to run in routed firewall mode (the default) or transparent firewall mode. For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system execution space.
  • Page 56: Working with the Configuration

    • Creating Text Configuration Files Offline, page 2-9 Saving Configuration Changes This section describes how to save your configuration, and includes the following topics: • Saving Configuration Changes in Single Context Mode, page 2-7...
  • Page 57: Saving Configuration Changes in Single Context Mode

    Sometimes, a context is not saved because of an error. See the following information for errors: • For contexts that are not saved because of low memory, the following message appears: The context 'context a' could not be saved due to Unavailability of resources...
  • Page 58: Copying the Startup Configuration to the Running Configuration

    Viewing the Configuration The following commands let you view the running and startup configurations. • To view the running configuration, enter the following command: hostname# show running-config...
  • Page 59: Clearing and Removing Configuration Settings

    Alternatively, you can download a text file to the security appliance internal Flash memory. See Chapter 41, “Managing Software, Licenses, and Configurations,” for information on downloading the configuration file to the security appliance.
  • Page 60 In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows: context a For additional information about formatting the file, see Appendix C, “Using the Command-Line Interface.”
  • Page 61 • You are a large enterprise or a college campus and want to keep departments completely separate. • You are an enterprise that wants to provide distinct security policies to different departments. • You have any network that requires more than one security appliance.
  • Page 62: Chapter 3 Enabling Multiple Context Mode

    Flash memory called admin.cfg. This context is named “admin.” If you do not want to use admin.cfg as the admin context, you can change the admin context.
  • Page 63: How the Security Appliance Classifies Packets

    IP address after classification depends on how you configure NAT and NAT control. For example, the classifier gains knowledge about subnets 10.10.10.0, 10.20.10.0 and 10.30.10.0 when the context administrators configure static commands in each context: • Context A:...
  • Page 64: Invalid Classifier Criteria

  • Page 65: Classification Examples

    [Figure: classification example with unique interface MAC addresses (000C.F142.4CDA, 000C.F142.4CDB, 000C.F142.4CDC); Admin Context, Context A and Context B on GE 0/1.1, GE 0/1.2 and GE 0/1.3; Inside Admin Network, Inside Customer A and Customer B; hosts 209.165.202.129, 209.165.200.225 and 209.165.201.1]
  • Page 66 (the Web, for example), and addresses are not predictable for an outside NAT configuration. If you share an inside interface, we suggest you use unique MAC addresses.
  • Page 67 [Figure: Incoming Traffic from Inside Networks; Internet on GE 0/0.1; Classifier; Admin Context, Context A and Context B on GE 0/1.1, GE 0/1.2 and GE 0/1.3; Inside Admin Network, Inside Customer A and Customer B; each inside host uses 10.1.1.13]
  • Page 68: Cascading Security Contexts

    Note Cascading contexts requires that you configure unique MAC addresses for each context interface. Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading contexts without unique MAC addresses.
  • Page 69: Management Access to Security Contexts

    To log in with a username, enter the login command. For example, you log in to the admin context with the...
  • Page 70: Context Administrator Access

    Your security appliance might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. ASDM does not support changing modes, so you need to change modes using the CLI.
  • Page 71: Restoring Single Context Mode

    Step 2 To set the mode to single mode, enter the following command in the system execution space: hostname(config)# mode single The security appliance reboots.
  • Page 72 Chapter 3 Enabling Multiple Context Mode Enabling or Disabling Multiple Context Mode...
  • Page 73: Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

    CHAPTER Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive security appliance.
  • Page 74: Understanding ASA 5505 Ports and Interfaces

    Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Overview Understanding ASA 5505 Ports and Interfaces The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure: Physical switch ports—The adaptive security appliance has eight Fast Ethernet switch ports that...
  • Page 75: Default Interface Configuration

    Interface Overview [Figure 4-1 ASA 5505 Adaptive Security Appliance with Base License: Internet, Home and Business networks] With the Security Plus license, you can configure three VLAN interfaces for normal traffic, one VLAN interface for failover, and one VLAN interface as a backup link to your ISP.
  • Page 76: VLAN MAC Addresses

    “Configuring Switch Ports as Access Ports” section on page 4-9 for more information about shutting down a switch port. To view the status of PoE switch ports, including the type of device connected (Cisco or IEEE 802.3af), use the show power inline command. Monitoring Traffic Using SPAN If you want to monitor traffic that enters or exits one or more switch ports, you can enable SPAN, also known as switch port monitoring.
  • Page 77: Security Level Overview

    Configuring VLAN Interfaces Security Level Overview Each VLAN interface must have a security level in the range 0 to 100 (from lowest to highest). For example, you should assign your most secure network, such as the inside business network, to level 100.
  • Page 78 Configuring VLAN Interfaces Note If you are using failover, do not use this procedure to name interfaces that you are reserving for failover communications. See Chapter 14, “Configuring Failover,”...
  • Page 79 Configuring VLAN Interfaces You can configure up to five VLANs with the Security Plus license. You can configure three VLAN interfaces for normal traffic, one VLAN interface for failover, and one VLAN interface as a backup link to your ISP.
  • Page 80 Configuring VLAN Interfaces By default in routed mode, all VLANs use the same MAC address. In transparent mode, the VLANs use unique MAC addresses. You might want to set unique VLANs or change the generated VLANs if your switch requires it, or for access control purposes.
  • Page 81: Configuring Switch Ports as Access Ports

    Configuring Switch Ports as Access Ports hostname(config-if)# interface vlan 200 hostname(config-if)# nameif business hostname(config-if)# security-level 100 hostname(config-if)# ip address 10.1.1.1 255.255.255.0 hostname(config-if)# no shutdown...
  • Page 82 The auto setting is the default. If you set the speed to anything other than auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.
  • Page 83: Configuring a Switch Port as a Trunk Port

    Configuring a Switch Port as a Trunk Port hostname(config-if)# interface ethernet 0/1 hostname(config-if)# switchport access vlan 200 hostname(config-if)# no shutdown hostname(config-if)# interface ethernet 0/2...
  • Page 84 Configuring a Switch Port as a Trunk Port Step 3 To make this switch port a trunk port, enter the following command: hostname(config-if)# switchport mode trunk To restore this port to access mode, enter the switchport mode access command.
  • Page 85: Allowing Communication Between VLAN Interfaces on the Same Security Level

    Allowing Communication Between VLAN Interfaces on the Same Security Level hostname(config-if)# interface ethernet 0/1 hostname(config-if)# switchport mode trunk hostname(config-if)# switchport trunk allowed vlan 200 300...
  • Page 86 Allowing Communication Between VLAN Interfaces on the Same Security Level...
  • Page 87: Chapter 5 Configuring Ethernet Settings and Subinterfaces

    Note To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.” This chapter includes the following sections: • Configuring and Enabling RJ-45 Interfaces, page 5-1...
  • Page 88: Configuring and Enabling Fiber Interfaces

    By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through it or through a subinterface. For multiple context mode, if you allocate a...
  • Page 89: Configuring and Enabling Subinterfaces

    This feature is particularly useful in multiple context mode so you can assign unique interfaces to each context. To determine how many subinterfaces are allowed for your platform, see Appendix A, “Feature Licenses and Specifications.”
  • Page 90 To disable the interface, enter the shutdown command. If you shut down an interface in the system execution space, then that interface is shut down in all contexts that share it.
  • Page 91 The security appliance manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class. This section includes the following topics: • Resource Limits, page 6-2 • Default Class, page 6-3 • Class Members, page 6-4...
  • Page 92: Chapter 6 Adding And Managing Security Contexts

    Context A, B, and C are unable to reach their 3 percent combined limit. (See Figure 6-2.) Setting unlimited access is similar to oversubscribing the security appliance, except that you have less control over how much you oversubscribe the system. Cisco Security Appliance Command Line Configuration Guide OL-10088-01...
  • Page 93: Default Class

    By default, the default class provides unlimited access to resources for all contexts, except for the following limits, which are by default set to the maximum allowed per context: Telnet sessions—5 sessions. • SSH sessions—5 sessions. • • IPSec sessions—5 sessions. • MAC addresses—65,535 entries. Cisco Security Appliance Command Line Configuration Guide OL-10088-01...
  • Page 94: Class Members

    To set the resource limits, see the following options: Step 2 To set all resource limits (shown in Table 6-1) to be unlimited, enter the following command: • hostname(config-resmgmt)# limit-resource all 0 Cisco Security Appliance Command Line Configuration Guide OL-10088-01...
  • Page 95 Table 6-1 lists the resource types and the limits. See also the show resource types command. Cisco Security Appliance Command Line Configuration Guide OL-10088-01...
  • Page 96 For example, to set the default class limit for conns to 10 percent instead of unlimited, enter the following commands:
        hostname(config)# class default
        hostname(config-class)# limit-resource conns 10%
    All other resources remain at unlimited. To add a class called gold, enter the following commands:
        hostname(config)# class gold
        ...
  • Page 97: Configuring A Security Context

        • To allocate a physical interface, enter the following command:
          hostname(config-ctx)# allocate-interface physical_interface [map_name] [visible | invisible]
        • To allocate one or more subinterfaces, enter the following command:
          hostname(config-ctx)# allocate-interface physical_interface.subinterface[-physical_interface.subinterface] [map_name[-map_name]] [visible | invisible]
  • Page 98 The following example shows gigabitethernet0/1.100, gigabitethernet0/1.200, and gigabitethernet0/2.300 through gigabitethernet0/2.305 assigned to the context. The mapped names are int1 through int8.
        hostname(config-ctx)# allocate-interface gigabitethernet0/1.100 int1
        hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int2
        hostname(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305 int3-int8
  • Page 99 The server must be accessible from the admin context. The filename does not require a file extension, although we recommend using “.cfg”. If the configuration file is not available, you see the following message:
        WARNING: Could not fetch the URL http://url
        INFO: Creating context with default config
  • Page 100 For example, to assign the context to the gold class, enter the following command:
        hostname(config-ctx)# member gold
    Step 6 To view context information, see the show context command in the Cisco Security Appliance Command Reference.
    The following example sets the admin context to be “administrator,” creates a context called “administrator”...
  • Page 101: Automatically Assigning Mac Addresses To Context Interfaces

    The running configuration that you edit in a configuration mode, or that is used in the copy or write commands, ...
  • Page 102: Managing Security Contexts

        • To remove a single context, enter the following command in the system execution space:
          hostname(config)# no context name
          All context commands are also removed.
        • To remove all contexts (including the admin context), enter the following command in the system execution space:
          ...
  • Page 103: Changing The Admin Context

    If you want to perform a merge, skip to Step 2.
        hostname# changeto context name
        hostname/name# configure terminal
        hostname/name(config)# clear configure all
    Step 2 If required, change to the system execution space by entering the following command:
        hostname/name(config)# changeto system
  • Page 104: Reloading A Security Context

    Step 4 To reload the configuration, enter the following command:
        hostname/name(config)# copy startup-config running-config
    The security appliance copies the configuration from the URL specified in the system configuration. You cannot change the URL from within a context.
  • Page 105: Reloading By Removing And Re-Adding The Context

    Lists all context names. The context name with the asterisk (*) is the admin context.
    Interfaces    The interfaces assigned to the context.
    URL           The URL from which the security appliance loads the context configuration.
  • Page 106: Viewing Resource Allocation

        Real Interfaces:
        Mapped Interfaces:
        Flags: 0x00000009, ID: 258
    See the Cisco Security Appliance Command Reference for more information about the detail output. The following is sample output from the show context count command:
        hostname# show context count
        Total active contexts: 2
        ...
  • Page 107
                         gold        200000      200000      20.00%
                         silver      100000      100000      10.00%
                         bronze      50000
                         All Contexts:            300000      30.00%
        Hosts            default     unlimited
                         gold        unlimited
                         silver      26214       26214
                         bronze      13107
                         All Contexts:            26214
                         default
                         gold                                 5.00%
  • Page 108 The percentage of the total system resources that is allocated across all contexts in the class. If the resource is unlimited, this display is blank. If the resource does not have a system limit, then this column shows N/A.
  • Page 109: Viewing Resource Usage

    This sample shows the limits for 6 contexts.
        hostname# show resource usage summary
        Resource           Current    Peak    Limit        Denied    Context
        Syslogs [rate]     1743       2132                 0         Summary
        Conns                                 280000(S)    0         Summary
  • Page 110: Monitoring Syn Attacks In Contexts

    The following is sample output from the show perfmon command that shows the rate of TCP intercepts for a context called admin.
        hostname/admin# show perfmon
        Context:admin
        PERFMON STATS:    Current    Average
        Xlates
        ...
  • Page 111
                                                                  0       system
        chunk:channels                                unlimited   0       system
        chunk:dbgtrace                                unlimited   0       system
        chunk:ip-users                                unlimited   0       system
        chunk:list-elem        1014       1014        unlimited   0       system
        chunk:list-hdr                                unlimited   0       system
        chunk:route                                   unlimited   0       system
  • Page 112
                                                                  0       Summary
        tcp-intercept-rate     341306     811579      unlimited   0       Summary
        globals                                       unlimited   0       Summary
        np-statics                                    unlimited   0       Summary
        statics                                                   0       Summary
        nats                                                      0       Summary
        ace-rules                                                 0       Summary
        console-access-rul                                        0       Summary
        fixup-rules                                               0       Summary
  • Page 113: Chapter 7 Configuring Interface Parameters

    Note To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.”
    This chapter includes the following sections:
        • Security Level Overview, page 7-1
        ...
  • Page 114: Configuring The Interface

    If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.
  • Page 115 Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface.
  • Page 116 “Automatically Assigning MAC Addresses to Context Interfaces” section on page 6-11 to automatically generate MAC addresses. If you automatically generate MAC addresses, you can use the mac-address command to override the generated address.
  • Page 117 The following example configures parameters in multiple context mode for the context configuration:
        hostname/contextA(config)# interface gigabitethernet0/1.1
        hostname/contextA(config-if)# nameif inside
        hostname/contextA(config-if)# security-level 100
        hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0
        hostname/contextA(config-if)# mac-address 030C.F142.4CDE standby 040C.F142.4CDE
        hostname/contextA(config-if)# no shutdown
  • Page 118: Allowing Communication Between Interfaces On The Same Security Level

    To enable interfaces on the same security level so that they can communicate with each other, enter the following command:
        hostname(config)# same-security-traffic permit inter-interface
    To disable this setting, use the no form of this command.
  • Page 119: Changing The Login Password

        • Setting the Management IP Address for a Transparent Firewall, page 8-5
    Changing the Login Password
    The login password is used for Telnet and SSH connections. By default, the login password is “cisco.” To change the password, enter the following command:
        hostname(config)# {passwd | password} password
    You can enter passwd or password.
  • Page 120: Setting The Hostname

    Time derived from an NTP server overrides any time set manually. This section also describes how to set the time zone and daylight saving time date range.
    Note In multiple context mode, set the time in the system configuration only.
  • Page 121: Setting The Time Zone And Daylight Saving Time Date Range

    The week value specifies the week of the month as an integer between 1 and 4 or as the words first or last. For example, if the day might fall in the partial fifth week, then specify last.
  • Page 122: Setting The Date And Time Using An Ntp Server

    3 that is preferred. You can identify multiple servers; the security appliance uses the most accurate server.
    Setting the Date and Time Manually
    To set the date and time manually, enter the following command:
    ...
  • Page 123: Setting The Management Ip Address For A Transparent Firewall

    (255.255.255.255). This address must be IPv4; the transparent firewall does not support IPv6. The standby keyword and address are used for failover. See Chapter 14, “Configuring Failover,” for more information.
  • Page 124 Chapter 8 Configuring Basic Settings Setting the Management IP Address for a Transparent Firewall
  • Page 125: Chapter 9 Configuring Ip Routing

    If you have servers that cannot all be reached through a single default route, then you must configure static routes. The security appliance supports up to three equal cost routes on the same interface for load balancing.
  • Page 126: Configuring A Static Route

    The security appliance distributes the traffic among the specified gateways.
        hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1
        hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.2
        hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.3
  • Page 127: Configuring A Default Route

    This allows you to, for example, define a default route to an ISP gateway and a backup default route to a secondary ISP in case the primary ISP becomes unavailable.
  • Page 128 The track_id is a tracking number you assign with this command. The sla_id is the ID number of the SLA process you defined in Step ...
    Step 3 Define the static route to be installed in the routing table while the tracked object is reachable using one of the following options:
    ...
  • Page 129 To use a default route obtained through PPPoE, enter the following commands:
        hostname(config)# interface phy_if
        hostname(config-if)# pppoe client route track track_id
        hostname(config-if)# pppoe client route distance admin_distance
        hostname(config-if)# ip address pppoe setroute
        hostname(config-if)# exit
  • Page 130: Defining Route Maps

          If you specify more than one ACL, then the route can match any of the ACLs.
        • To match the route type, enter the following command:
          hostname(config-route-map)# match route-type {internal | external [type-1 | type-2]}
    Step 3 Enter one or more set commands.
    ...
  • Page 131: Configuring Ospf

        • Configuring Route Calculation Timers, page 9-16
        • Logging Neighbors Going Up or Down, page 9-17
        • Displaying OSPF Update Packet Pacing, page 9-17
        • Monitoring OSPF, page 9-18
        • Restarting the OSPF Process, page 9-18
  • Page 132: Ospf Overview

    IDs associated with that range of IP addresses. To enable OSPF, perform the following steps:
    Step 1 To create an OSPF routing process, enter the following command:
        hostname(config)# router ospf process_id
  • Page 133: Redistributing Routes Into Ospf

    LSAs with a metric of 5, metric type of Type 1, and a tag equal to 1.
        hostname(config)# route-map 1-to-2 permit
        hostname(config-route-map)# match metric 1
        hostname(config-route-map)# set metric 5
        hostname(config-route-map)# set metric-type type-1
        ...
  • Page 134: Configuring Ospf Interface Parameters

        • To set the number of seconds that a device must wait before it declares a neighbor OSPF router down because it has not received a hello packet, enter the following command:
          hostname(config-interface)# ospf dead-interval seconds
          The value must be the same for all nodes on the network.
  • Page 135
        ... 10
        hostname(config-interface)# ospf dead-interval 40
        hostname(config-interface)# ospf authentication-key cisco
        hostname(config-interface)# ospf message-digest-key 1 md5 cisco
        hostname(config-interface)# ospf authentication message-digest
    The following is sample output from the show ospf command:
    ...
  • Page 136: Configuring Ospf Area Parameters

    To enable MD5 authentication for an OSPF area, enter the following comm