
Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance.


Cisco ASA Series Firewall CLI
Configuration Guide
Software Version 9.4
For the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X,
ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X,
ASA 5585-X, ASA Services Module, and the
Adaptive Security Virtual Appliance
First Published: March 23, 2015
Last Updated: April 7, 2015
Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide.
Addresses, phone numbers, and fax numbers
are listed on the Cisco website at
www.cisco.com/go/offices.
Text Part Number: N/A, Online only


   Summary of Contents for Cisco ASA Series

  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
  • Page 3: About This Guide, Related Documentation

    Obtaining Documentation and Submitting a Service Request, page iv. Document Objectives: The purpose of this guide is to help you configure the firewall features for the Cisco ASA series using the command-line interface. This guide does not cover every feature, but describes only the most common configuration scenarios.
  • Page 4 What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html. Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
  • Page 5 Basic Access Control, page 1-2. Step 2 Implement application filtering. See Application Filtering, page 1-2. Step 3 Implement URL filtering. See URL Filtering, page 1-3. Step 4 Implement threat protection. See Threat Protection, page 1-3...
  • Page 6 You can augment your rules by making them identity aware. This lets you configure rules based on user identity or group membership. To implement identity control, do any combination of the following: • Install Cisco Context Directory Agent (CDA), also known as AD agent, on a separate server to...
  • Page 7 • Install the ASA FirePOWER module on the ASA and use URL filtering criteria in your ASA FirePOWER access rules. These policies apply to any traffic that you redirect to the module. Related Topics: • ASA and Cisco Cloud Web Security, page 8-1 • ASA FirePOWER Module, page 7-1...
  • Page 8: Network Address Translation

    NAT is not required. If you do not configure NAT for a given set of traffic, that traffic will not be translated, but will have all of the security policies applied as normal. Related Topics: • Network Address Translation (NAT), page 9-1 • NAT Examples and Reference, page 10-1...
  • Page 9 TCP/80, you can map it to TCP/80 to make connections easier for external users. The following example makes a web server on the inside private network available for public access...
  • Page 10 Step 4 If you do not already have an access group on the outside interface, apply it using the access-group command: hostname(config)# access-group outside_access_in in interface outside. Related Topics: • Static NAT, page 9-27...
  • Page 11 PART Access Control...
  • Page 13 CHAPTER Objects for Access Control. Objects are reusable components for use in your configuration. You can define and use them in Cisco ASA configurations in the place of inline IP addresses, services, names, and so on. Objects make it easy to maintain your configurations because you can modify an object in one place and have it be reflected in all other places that are referencing it.
  • Page 14 [v4 | v6] fully_qualified_domain_name—A fully-qualified domain name, that is, the name of a host, such as www.example.com. Specify v4 to limit the address to IPv4, and v6 for IPv6. If you do not specify an address type, IPv4 is assumed. Example...
  • Page 15 Step 3 hostname(config-network-object-group)# description string. Example: To create a network group that includes the IP addresses of three administrators, enter the following commands: hostname(config)# object-group network admins hostname(config-protocol)# description Administrator Addresses...
  • Page 16 Step 2 Add a service to the object using one of the following commands. Use the no form of the command to remove an object. • service protocol—The name or number (0-255) of an IP protocol. Specify ip to apply to all protocols...
  • Page 17 Step 2 Add objects and services to the service object group using one or more of the following commands. Use the no form of the command to remove an object. • service-object protocol—The name or number (0-255) of an IP protocol. Specify ip to apply to all protocols...
  • Page 18 HTTPS hostname(config-service-object)# service tcp source range 1 1024 destination eq https hostname(config)# object-group service Group1 hostname(config-service-object-group)# service-object object SSH hostname(config-service-object-group)# service-object object EIGRP hostname(config-service-object-group)# service-object object HTTPS...
  • Page 19 \\ that separates the domain and group names. • group-object object_group_name—The name of an existing user object group. Example: hostname(config-user-object-group)# user EXAMPLE\admin hostname(config-user-object-group)# user-group EXAMPLE\\managers hostname(config-user-object-group)# group-object local-admins Step 3 (Optional) Add a description. hostname(config-user-object-group)# description string...
  • Page 20 Configure Security Group Object Groups You can create security group object groups for use in features that support Cisco TrustSec by including the group in an extended ACL, which in turn can be used in an access rule, for example.
  • Page 21 • The time is in the 24-hour format hh:mm. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m. You can repeat this command to configure more than one recurring period...
  • Page 22 • Displays all current object groups. Use the id keyword to view a single object group by name. • show running-config object-group grp_type Displays the current object groups by their group type...
  • Page 23 User object groups for identity firewall were introduced. We introduced the following commands: object-network user, user. Security Group Object Groups for Cisco TrustSec 8.4(2) Security group object groups for Cisco TrustSec were introduced. We introduced the following commands: object-network security, security.
  • Page 24 Chapter 2 Objects for Access Control History for Objects...
  • Page 25 EtherType value in the layer-2 packet. With EtherType ACLs, you can control the flow of non-IP traffic across the device. See Configure EtherType ACLs, page 3-17...
  • Page 26 Each ACL has a name or numeric ID, such as outside_in, OUTSIDE_IN, or 101. Limit the names to 241 characters or fewer. Consider using all uppercase letters to make it easier to find the name when viewing a running configuration...
  • Page 27 EtherType 8037, the implicit deny at the end of the ACL does not now block any IP traffic that you previously allowed with an extended ACL (or implicitly allowed from a high security...
  • Page 28 These types of rules let you differentiate between activity that is acceptable at certain times of the day but that is unacceptable at other times. For example, you could provide additional...
  • Page 29 EtherType ACLs do not contain IP addresses. Additional Guidelines • When you specify a network mask, the method is different from the Cisco IOS software access-list command. The ASA uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
  • Page 30: Configure ACLs

    OUT remark - this is the inside admin address hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any hostname(config)# access-list OUT remark - this is the hr admin address hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any...
  • Page 31 • Add an Extended ACE for ICMP-Based Matching, page 3-10 • Add an Extended ACE for User-Based Matching (Identity Firewall), page 3-10 • Add an Extended ACE for Security Group-Based Matching (Cisco TrustSec), page 3-11 • Examples for Extended ACLs, page 3-12...
  • Page 32 ACL applied with the access-group command). If you enter the log option without any arguments, you enable syslog message 106100 at the default level (6) and for the default interval (300 seconds). Log options are:...
  • Page 33 SUNRPC, and Talk each require one definition for TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP. • object service_obj_id—Specifies a service object created using the object service command. See Configure Service Objects and Service Groups, page 2-4...
  • Page 34 To add an ACE for user or group matching, use the following command: access-list access_list_name [line line_number] extended {deny | permit} protocol_argument [user_argument] source_address_argument [port_argument] dest_address_argument [port_argument]...
  • Page 35 Add an Extended ACE for IP Address or Fully-Qualified Domain Name-Based Matching, page 3-7. You can include both user and Cisco TrustSec security groups in a given ACE. See Add an Extended ACE for Security Group-Based Matching (Cisco TrustSec), page 3-11.
  • Page 36 Add an Extended ACE for IP Address or Fully-Qualified Domain Name-Based Matching, page 3-7. You can include both user and Cisco TrustSec security groups in a given ACE. See Add an Extended ACE for User-Based Matching (Identity Firewall), page 3-10.
  • Page 37 To add a standard access list entry, use the following command: hostname(config)# access-list access_list_name standard {deny | permit} {any4 | host ip_address | ip_address mask} Example: hostname(config)# access-list OSPF standard permit 192.168.1.0 255.255.255.0...
  • Page 38 There should be an ACE to allow connections to the required port (port 1494 in the case of Citrix) so that an implicit deny does not occur...
  • Page 39 To add a webtype ACE for IP address matching, use the following command: access-list access_list_name webtype {deny | permit} tcp dest_address_argument [operator port] [log [[level] [interval secs] | disable | default]] [time_range time_range_name]] [inactive]] Example: hostname(config)# access-list acl_company webtype permit tcp any...
  • Page 40 • The following example matches URLs such as http://www.example.com/layouts/1033: access-list VPN-Group webtype permit url http://www.example.com/* • The following example matches URLs such as http://www.example.com/ and http://www.example.net/: access-list test webtype permit url http://www.example.*...
  • Page 41 *://ww?.e*co*/ • The following example matches URLs such as http://www.cisco.com:80 and https://www.cisco.com:81: access-list test webtype permit url *://ww?.c*co*:8[01]/ The range operator “[]” in the preceding example specifies that either character 0 or 1 can occur at that location.
  • Page 42 With access rules, you can enable the transactional commit model to ensure that new rules become active only after rule compilation is complete, but the compilation happens after each ACE you edit...
  • Page 43 You are asked if you want to save the session. You can save the revert session (revert-save), which lets you undo your changes using the revert command, or the configuration session (config-save), which includes all of the changes made in the session (allowing you to commit the...
  • Page 44 ACE and hit counts. Include an ACL name or you will see all access lists. show running-config access-list [name] Displays the current running access-list configuration. Include an ACL name or you will see all access lists...
  • Page 45 {permit | deny} isis. Support for Cisco TrustSec in extended ACLs 9.0(1) You can now use Cisco TrustSec security groups for the source and destination. You can use an identity firewall ACL with access rules. We modified the following commands: access-list extended.
  • Page 46 Forward referencing of objects and ACLs in access rules: ... for objects or ACLs that do not yet exist. We introduced the clear configuration session, clear session, configure session, forward-reference, and show configuration session commands...
  • Page 47: Access Rules

    EtherType rules (Layer 2 traffic) assigned to interfaces (transparent firewall mode only)—You can apply separate rule sets in the inbound and outbound directions. EtherType rules control network access for non-IP traffic. An EtherType rule permits or denies traffic based on the EtherType...
  • Page 48 Rather than creating multiple inbound ACLs to restrict access, you can create a single outbound ACL that allows only the specified hosts. (See the following figure.) The outbound ACL prevents any other hosts from reaching the outside network...
  • Page 49 Implicit Permits For routed mode, the following types of traffic are allowed through by default: • Unicast IPv4 and IPv6 traffic from a higher security interface to a lower security interface...
  • Page 50 This section describes information about extended access rules. • Extended Access Rules for Returning Traffic, page 4-5 • Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules, page 4-5 • Management Access Rules, page 4-5...
  • Page 51 ACL. Alternatively, you can use ICMP rules to control ICMP traffic to the device. Use regular extended access rules to control ICMP traffic through the device...
  • Page 52 IP address on the ASA interface as the router-id for LDP or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.) On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the ASA.
  • Page 53 Before you can create an access group, create the ACL. See the general operations configuration guide for more information. To bind an ACL to an interface or to apply it globally, use the following command: access-group access_list { {in | out} interface interface_name [per-user-override | control-plane] | global}...
  • Page 54 To protect the device from attacks, you can use ICMP rules to limit ICMP access to ASA interfaces to particular hosts, networks, or ICMP types. ICMP rules function like access rules, where the rules are ordered, and the first rule that matches a packet defines the action...
  • Page 55 Examples The following example shows how to allow all hosts except the one at 10.1.1.15 to use ICMP to the inside interface: hostname(config)# icmp deny host 10.1.1.15 inside hostname(config)# icmp permit any inside...
  • Page 56 A flow is defined by the source and destination IP addresses, protocols, and ports. Because the source port might differ for a new connection between the same two hosts, you might not see the same flow increment because a new flow was created for the connection...
  • Page 57 The following example allows some EtherTypes through the ASA, but it denies all others: hostname(config)# access-list ETHER ethertype permit 0x1234 hostname(config)# access-list ETHER ethertype permit mpls-unicast hostname(config)# access-group ETHER in interface inside hostname(config)# access-group ETHER in interface outside...
  • Page 58 Support for TrustSec 9.0(1) You can now use TrustSec security groups for the source and destination. You can use an identity firewall ACL with access rules. We modified the following commands: access-list extended...
  • Page 59 Forward referencing of objects and ACLs in access rules: ... for objects or ACLs that do not yet exist. We introduced the clear config-session, clear session, configure session, forward-reference, and show config-session commands...
  • Page 60 Chapter 4 Access Rules History for Access Rules...
  • Page 61 The key benefits of the Identity Firewall include: • Decoupling network topology from security policies • Simplifying the creation of security policies • Providing the ability to easily identify user activities on network resources • Simplifying user activity monitoring...
  • Page 62 Note: Windows 2003 R2 is not supported for the AD Agent server. The following figure shows the components of the Identity Firewall. The succeeding table describes the roles of these components and how they communicate with one another...
  • Page 63 Agent for each new IP address or by maintaining a local copy of the entire user identity and IP address database. • Supports host group, subnet, or IP address for the destination of a user identity policy...
  • Page 64: Deployment Scenarios

    Scenario 1 shows a simple installation without component redundancy. Scenario 2 also shows a simple installation without redundancy. However, in this deployment scenario, the Active Directory server and AD Agent are co-located on the same Windows server...
  • Page 65 AD Agent AD Server AD Agent AD Server AD Server The following figure shows how all Identity Firewall components—Active Directory server, the AD Agent, and the clients—are installed and communicate on the LAN...
  • Page 66 Directory server is installed on the main site LAN. However, the AD Agent is installed and accessed by the clients at the remote site. The remote clients connect to the Active Directory servers at the main site over a WAN...
  • Page 67 • When failover is configured, the standby ASA must also be configured to connect to the AD Agent directly to retrieve user groups. The standby ASA does not send NetBIOS packets to clients even when the NetBIOS probing options are configured for the Identity Firewall...
  • Page 68 When you issue a user-identity update active-user-database command, the ASA requests the total number of user-IP mapped entries to be downloaded. Then the AD Agent initiates a UDP connection to the ASA and sends the change of authorization request packet...
  • Page 69 ASA holds the session for 4-5 minutes, during which time this error message continues to appear if you have issued the user-identity update active-user-database command. • When you use the Cisco Context Directory Agent (CDA) in conjunction with the ASA or Cisco...
  • Page 70 Before running the AD Agent Installer, you must install the patches listed in the README First for the Cisco Active Directory Agent on each Microsoft Active Directory server that the AD Agent monitors. These patches are required even when the AD Agent is installed directly on the domain controller server.
  • Page 71 The string argument is a case-sensitive string of up to 128 characters that specifies the name of the directory object in the LDAP hierarchy. Spaces are not permitted in the string, but other special characters are allowed...
  • Page 72 By default, if the ldap-over-ssl command is not enabled, the default server port is 389; if the ldap-over-ssl command is enabled, the default server port is 636. Step 11 Set the amount of time before LDAP queries time out. group-search-timeout seconds Example: hostname(config-aaa-server-host)# group-search-timeout 300...
  • Page 73 The first server defined in the aaa_server_group_tag argument is the primary AD Agent and the second server defined is the secondary AD Agent. The Identity Firewall supports defining only two AD Agent hosts...
  • Page 74 LOCAL domain unless the VPN is authenticated by LDAP with the Active Directory. In this case, the Identity Firewall can associate the users with their Active Directory domain...
  • Page 75 By default, the idle timeout is set to 60 minutes. This option does not apply to VPN or cut-through proxy users. Step 6 Specify the amount of time before the ASA queries the Active Directory server for user group information. user-identity poll-import-user-group-timer hours hours Example: hostname(config)# user-identity poll-import-user-group-timer hours 1...
  • Page 76 Step 11 Specify the action when a user's MAC address is found to be inconsistent with the ASA IP address currently mapped to that MAC address. user-identity action mac-address-mismatch remove-user-ip Example: hostname(config)# user-identity action mac-address-mismatch remove-user-ip...
  • Page 77 We recommend that you configure the ASA, Active Directory, and Active Directory agent to synchronize their clocks among themselves using NTP. Step 15 Define the server group of the AD Agent. user-identity ad-agent aaa-server aaa_server_group_tag Example: hostname(config)# user-identity ad-agent aaa-server adagent...
  • Page 78 AAA rule, and were handled already by the access rule), but permits all None users. For example: access-list 100 ex permit ip user CISCO\xyz any any access-list 100 ex deny ip user CISCO\abc any any access-list 100 ex permit ip user NONE any any...
  • Page 79 • The user is authenticated by the Active Directory domain controller via LDAP. • The ASA uses the inside interface to connect to the Active Directory domain controller on the corporate network...
  • Page 80 VPN as belonging to the LOCAL domain. There are two different ways to apply identity firewall (IDFW) rules to VPN users: • Apply VPN-Filter with bypassing access-list check disabled • Apply VPN-Filter with bypassing access-list check enabled...
  • Page 81 LOCAL\user1 any 10.0.0.0 255.255.255.0 group-policy group1 internal group-policy group1 attributes vpn-filter value v1 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless Monitoring the Identity Firewall See the following commands for monitoring the Identity Firewall status: • show user-identity ad-agent...
  • Page 83 In the Cisco TrustSec feature, enforcement devices use a combination of user attributes and endpoint attributes to make role-based and identity-based access control decisions. The availability and propagation of this information enables security across networks at the access, distribution, and core layers of the network.
  • Page 84 (RBAC). Device and user credentials acquired during authentication are used to classify packets by security groups. Every packet entering the Cisco TrustSec cloud is tagged with a security group tag (SGT). The tagging helps trusted intermediaries identify the source identity of the packet and enforce security policies along the data path.
  • Page 85 The PDP provides features such as 802.1x, MAB, and web authentication. The PDP supports authorization and enforcement through VLAN, DACL, and security group access (SGACL/SXP/SGT). In the Cisco TrustSec feature, the Cisco Identity Services Engine (ISE) acts as the PDP. • The Cisco ISE provides identity and access control policy functionality...
  • Page 86 Note: ... of network, user-based, and security-group based attributes can be configured in a security policy. To configure the ASA to function with Cisco TrustSec, you must import a Protected Access Credential (PAC) file from the ISE. Importing the PAC file to the ASA establishes a secure communication channel with the ISE. After the channel is established, the ASA initiates a PAC secure RADIUS transaction with the ISE and downloads Cisco TrustSec environment data (that is, the security group table).
  • Page 87 Chapter 6 ASA and Cisco TrustSec About Cisco TrustSec The following figure shows how a security policy is enforced in Cisco TrustSec. Figure 6-2 Security Policy Enforcement (figure: AD (PIP), ISE (PDP/PAP), Authentication, User, Network Data Flow, Access Firewall, End-Point, Switch)...
  • Page 88 ASA to upstream devices for policy enforcement. • Listener mode—Configures the ASA so that it can receive IP-SGT mapping entries from downstream devices (SGT-capable switches) and use that information to create policy definitions...
  • Page 89 • Reconciliation Timer—If an SXP connection is brought up within the delete hold-down timer period, a bulk update is performed on this connection. This means that the most recent mapping entries are learned and are associated with a new connection instantiation identifier. A periodic,...
  • Page 90 • You can configure the ASA to refresh the security group table when the SXP reconcile timer expires and you can download the security group table on demand. When the security group table on the ASA is updated from the ISE, changes are reflected in the appropriate security policies...
  • Page 91 You can configure multiple ISE servers on the ASA and if the first server is unreachable, it continues to the next server, and so on. However, if the server list is downloaded as part of the Cisco TrustSec environment data, it is ignored.
  • Page 92 Register the ASA with the ISE The ASA must be configured as a recognized Cisco TrustSec network device in the ISE before the ASA can successfully import a PAC file. To register the ASA with the ISE, perform the following steps: Log into the ISE.
  • Page 93 • Supports a list of servers via configuration. If the first server is unreachable, the ASA tries to contact the second server in the list, and so on. However, the server list downloaded as part of the Cisco TrustSec environment data is ignored.
  • Page 94 • The ASASM does not support Layer 2 Security Group Tagging Imposition. Additional Guidelines • Cisco TrustSec supports the Smart Call Home feature in single context and multi-context mode, but not in the system context. • The ASA can only be configured to interoperate in a single Cisco TrustSec domain...
  • Page 95 (SXP peer A) - - - - (ASA) - - - (SXP peer B) Therefore, when configuring the ASA to integrate with Cisco TrustSec, you must enable the no-NAT, no-SEQ-RAND, and MD5-AUTHENTICATION TCP options on the ASA to configure SXP connections.
  • Page 96 If the ISE is also used for user authentication, enter the shared secret that was entered on the ISE when you registered the ASA with the ISE. Step 5 Exit from the aaa server host configuration mode. exit Example: hostname(config-aaa-server-host)# exit...
  • Page 97 Note: You may configure only one instance of the server group on the ASA for Cisco TrustSec. Examples The following example shows how to configure the ASA to communicate with the ISE server for Cisco TrustSec integration: hostname(config)# aaa-server ISEserver protocol radius hostname(config-aaa-server-group)# exit hostname(config)# aaa-server ISEserver (inside) host 192.0.2.1...
  • Page 99 SXP connection. Step 3 Configure the default password for TCP MD5 authentication with SXP peers. By default, SXP connections do not have a password. cts sxp default password [0 | 8] password
  • Page 100 Examples The following example shows how to set default values for SXP: hostname(config)# cts sxp enable hostname(config)# cts sxp default source-ip 192.168.1.100 hostname(config)# cts sxp default password 8 ********
  • Page 101 The following example shows how to configure SXP peers on the ASA: hostname(config)# cts sxp enable hostname(config)# cts sxp connection peer 192.168.1.100 password default mode peer speaker hostname(config)# cts sxp connection peer 192.168.1.101 password default mode peer
  • Page 102 You can incorporate Cisco TrustSec policy in many ASA features. Any feature that uses extended ACLs (unless listed in this chapter as unsupported) can take advantage of Cisco TrustSec. You can add security group arguments to extended ACLs, as well as traditional network-based parameters.
  • Page 103 For example, an access rule permits or denies traffic on an interface using network information. With Cisco TrustSec, you can control access based on security group. For example, you could create an access rule for sample_securitygroup1 10.0.0.0 255.0.0.0, meaning the security group could have any IP address on subnet 10.0.0.0/8.
  • Page 104 Guidelines for Cisco TrustSec Layer 2 Security Group Tagging Imposition Cisco TrustSec identifies and authenticates each network user and resource and assigns a 16-bit number called a Security Group Tag (SGT). This identifier is in turn propagated between network hops, which allows any intermediary devices such as ASAs, switches, and routers to enforce policies based on this identity tag.
  • Page 105 Manager. the egress interface for from-the-box traffic. Note: If there is no matched IP-SGT mapping from the IP-SGT Manager, then a reserved SGT value of “0x0” for “Unknown” is used.
  • Page 106 The following example enables an interface for Layer 2 SGT imposition and defines whether or not the interface is trusted: ciscoasa(config)# interface gi0/0 ciscoasa(config-if)# cts manual ciscoasa(config-if-cts-manual)# propagate sgt ciscoasa(config-if-cts-manual)# policy static sgt 50 trusted
  • Page 107: Troubleshooting Tips

    192.168.1.0 255.255.255.0 outside..----------------More--------------------- Use the capture capture-name type inline-tag tag command to capture only the Cisco CMD packets (EtherType 0x8909) with or without a specific SGT value. The following example displays output from the show capture command for a specified SGT value: hostname# show capture my-inside-capture 1: 11:34:42.931012 INLINE-TAG 36 10.0.101.22 >...
  • Page 108 The ASA uses the SGT from AAA information and the assigned IP address to add an SGT in the Layer 2 header. Packets that include the SGT are passed to the next peer device in the Cisco TrustSec network.
  • Page 109 Shows data for all SXP connections. show cts environment-data—Shows the Cisco TrustSec environment information contained in the security group table on the ASA. show cts sgt-map—Shows the IP address-security group table manager entries in the control path.
  • Page 110 In this release, the ASA integrates with Cisco TrustSec to provide security group-based policy enforcement. Access policies within the Cisco TrustSec domain are topology-independent, based on the roles of source and destination devices rather than on network IP addresses.
  • Page 111 After dropping undesired traffic and taking any other actions applied by policy, the traffic is returned to the ASA for further processing and ultimate transmission.
  • Page 112 The following figure shows the traffic flow when using the ASA FirePOWER module in inline mode. In this example, the module blocks traffic that is not allowed for a certain application. All other traffic is forwarded through the ASA.
  • Page 113 ASA. Only one type of security policy is allowed. In multiple context mode, you cannot configure inline tap monitor-only mode for some contexts, and regular inline mode for others. The following figure shows the traffic flow when operating in inline tap mode.
  • Page 114 Figure 7-3 ASA FirePOWER Passive Monitor-Only, Traffic-Forwarding Mode (figure labels: Switch, Main System, Gig 1/1, inside, outside, Firewall, Decryption Policy, Gig 1/3, SPAN Port, Forwarded Traffic, ASA FirePOWER inspection, ASA FirePOWER)
  • Page 115 You are responsible for maintaining consistent policies on the ASA FirePOWER modules in the high-availability ASA pair to ensure consistent failover behavior.
  • Page 116 For ASA model software and hardware compatibility with the ASA FirePOWER module, see Cisco Compatibility. For the 5512-X through ASA 5555-X, you must install a Cisco solid state drive (SSD). For more information, see the ASA 5500-X hardware guide. (The SSD is standard on the 5506-X, 5508-X, and 5516-X.)
  • Page 117 Management 1/0 interface outside facing; or you can route between it and a different ASA interface if you have an inside router.
  • Page 118 Note: If you want to deploy a separate router on the inside network, then you can route between management and inside. In this case, you can manage both the ASA and ASA FirePOWER module on the Management interface with the appropriate configuration changes.
  • Page 119 Gateway IP: 192.168.1.1 Step 3 (Optional for 5506-X/5508-X/5516-X) Register the ASA FirePOWER module to a FireSIGHT Management Center: > configure manager add {hostname | IPv4_address | IPv6_address | DONTRESOLVE} reg_key [nat_id] where:
  • Page 120 For inline and inline tap (monitor-only) modes, you configure a service policy to redirect traffic to the module. If you want passive monitor-only mode, you configure a traffic redirection interface, which bypasses ASA policies. The following topics explain how to configure these modes.
  • Page 121 Step 4 Send the traffic to the ASA FirePOWER module. sfr {fail-close | fail-open} [monitor-only] Where: The fail-close keyword sets the ASA to block all traffic if the ASA FirePOWER module is unavailable.
  • Page 122 You cannot configure both a traffic-forwarding interface and a service policy for ASA FirePOWER traffic. Procedure Step 1 Enter interface configuration mode for the physical interface you want to use for traffic-forwarding. interface physical_interface
  • Page 123 Upgrade the System Software, page 7-20. Install or Reimage the Module: This section describes how to install or reimage a software or hardware module. Install or Reimage the Software Module, page 7-14
  • Page 124 The following example uses TFTP: ciscoasa# copy tftp://10.1.1.89/asasfr-5500x-boot-5.4.1-58.img disk0:/asasfr-5500x-boot-5.4.1-58.img Step 2 Download the ASA FirePOWER system software from Cisco.com to an HTTP, HTTPS, or FTP server accessible from the ASA FirePOWER management interface. Do not download it to disk0 on the ASA.
  • Page 125 Include the noconfirm option if you do not want to respond to confirmation messages. Use an HTTP, HTTPS, or FTP URL; if a username and password are required, you will be prompted to supply them.
  • Page 126 To accomplish a TFTP boot, you must: Place the Boot Image and a System Software package on a TFTP server that can be accessed through the Management1/0 interface on the ASA FirePOWER module.
  • Page 127 DNS information—You must identify at least one DNS server, and you can also set the domain name and search domain. NTP information—You can enable NTP and configure the NTP servers, for setting system time. Step 9 Install the System Software image: system install [noconfirm] url
  • Page 128 In multiple context mode, perform this procedure in the system execution space. Procedure Step 1 Enter one of the following commands: Hardware module (ASA 5585-X): hw-module module 1 {reload | reset} Software module (all other models):
  • Page 129 Uninstall module sfr? [confirm] Step 2 Reload the ASA: reload You must reload the ASA before you can install a new module.
  • Page 130 FireSIGHT System User Guide or the online help in FireSIGHT Management Center. For ASDM management, you can apply upgrades to the system software and components using Configuration > ASA FirePOWER Configuration > Updates. Click Help on the Updates page for more information.
  • Page 131 Getting details from the Service Module, please wait... Card Type: FirePOWER Services Software Module Model: ASA5555 Hardware version: Serial Number: FCH1714J6HP Firmware version: Software version: 5.3.1-100 MAC Address Range: bc16.6520.1dcb to bc16.6520.1dcb
  • Page 132 Shows dropped packets. The drop types are explained below. show conn—Shows if a connection is being forwarded to a module by displaying the ‘X - inspected by service module’ flag.
  • Page 133 ASASFR permit tcp any any eq 80 hostname(config)# class-map my-sfr-class hostname(config-cmap)# match access-list ASASFR hostname(config-cmap)# policy-map my-sfr-policy hostname(config-pmap)# class my-sfr-class hostname(config-pmap-c)# sfr fail-close hostname(config-pmap-c)# service-policy my-sfr-policy global
  • Page 134 In this mode, neither the module nor the ASA affects the traffic. (FirePOWER 5.4.1) We now fully support the following command: traffic-forward sfr monitor-only. You can configure this in CLI only.
  • Page 135 ASA 5506W-X, ASA 5506H-X, ASA 5508-X, and ASA 5516-X. You can manage the module using FireSIGHT Management Center or you can use ASDM. (Platform releases: ASDM 7.4(1), FirePOWER 5.4.1. Feature column: FirePOWER software module, including support for configuring the module in ASDM.)
  • Page 136 Chapter 7 ASA FirePOWER Module History for the ASA FirePOWER Module
  • Page 137 HTTPS traffic to the Cloud Web Security proxy servers based on service policy rules. The Cloud Web Security proxy servers then scan the content and allow, block, or send a warning about the traffic based on the policy configured in Cisco ScanCenter to enforce acceptable use and to protect users from malware.
  • Page 138 In ScanCenter, traffic is matched against policy rules in order until a rule is matched. Cloud Web Security then applies the configured action for the rule, allowing or blocking the traffic, or warning the user. With warnings, the user has the option to continue on to the web site.
  • Page 139 ASA modifies the name to use only one backslash (\) to conform to typical ScanCenter notation. For example, if you specify “Cisco\\Boulder1,” the ASA modifies the group name to be “Cisco\Boulder1” with only one backslash (\) when sending the group name to Cloud Web Security.
  • Page 140 Many combinations of keys, groups, and policy rules are possible. Failover from Primary to Backup Proxy Server When you subscribe to the Cisco Cloud Web Security service, you are assigned a primary Cloud Web Security proxy server and backup proxy server.
  • Page 141 ASA and Cisco Cloud Web Security Guidelines for Cloud Web Security On the Cloud Web Security side, you must purchase a Cisco Cloud Web Security license and identify the number of users that the ASA handles. Then log into ScanCenter and generate your authentication keys.
  • Page 142 Security proxy servers do not become unreachable in the Active/Active failover scenario. Procedure Step 1 Enter ScanSafe general-options configuration mode. In multiple context mode, do this in the system context. scansafe general-options Example
  • Page 143 192.168.43.10 hostname(cfg-scansafe)# server backup fqdn server.example.com When you subscribe to the Cisco Cloud Web Security service, you are assigned primary and backup Cloud Web Security proxy servers. Enter their IP addresses (ip), or fully-qualified domain names (fqdn), on these commands.
  • Page 144 Example hostname(config)# class-map type inspect scansafe match-any whitelist1 Step 2 Specify the whitelisted users and groups. match [not] {[user username] [group groupname]}
  • Page 145 The match not keyword specifies that the user or group should be filtered using Cloud Web Security. For example, if you whitelist the group “cisco,” but you want to scan traffic from users “johncrichton” and “aerynsun,” which are members of that group, you can specify match not for those users. Repeat this command to add as many users and groups as needed.
  • Page 146 FQDN network objects might be useful in exempting traffic to specific servers. You can also use identity firewall user arguments and Cisco Trustsec security groups to help identify traffic. Note that Trustsec security group information is not sent to Cloud Web Security; you cannot define policy based on security group.
  • Page 147 Note: If you are editing the default global policy (or any in-use policy) to use a different ScanSafe inspection policy map, you must remove the ScanSafe inspection with the no inspect scansafe command, and then re-add it with the new inspection policy map name.
  • Page 148 The following example configures two classes: one for HTTP and one for HTTPS. Each ACL exempts traffic to www.cisco.com and to tools.cisco.com, and to the DMZ network, for both HTTP and HTTPS. All other traffic is sent to Cloud Web Security, except for traffic from several whitelisted users and groups.
  • Page 149 CISCO\\Engineering Where: user-group—Specifies a group name defined in the AD server. object-group-user—The name of a local object created by the object-group user command. This group can include multiple groups.
  • Page 150 After you configure the ASA service policy rules, launch the ScanCenter Portal to configure Web content scanning, filtering, malware protection services, and reports. Go to: https://scancenter.scansafe.com/portal/admin/login.jsp. For more information, see the Cisco ScanSafe Cloud Web Security Configuration Guides: http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.h Monitoring Cloud Web Security...
  • Page 151 Active Directory Integration Example for Identity Firewall, page 8-17 Cloud Web Security Example with Identity Firewall The following example shows a complete configuration for Cisco Cloud Web Security in single context mode, including the optional configuration for identity firewall. Configure Cloud Web Security on the ASA.
  • Page 152
  • Page 153 Running the last command should show the status as “UP.” For the AD_Agent to monitor logon/logoff events, you need to ensure that these are logged on all DCs that are actively being monitored. To do this, choose:
  • Page 154 The following example shows how to manually start the download of the database from the Active Directory Agent if you think the user database is out of sync with Active Directory: hostname(config)# user-identity update active-user-database
  • Page 155 Cloud Web Security 9.0(1) This feature was introduced. Cisco Cloud Web Security provides content scanning and other malware protection service for web traffic. It can also redirect and report about web traffic based on user identity. We introduced or modified the following commands:...
  • Page 156 Chapter 8 ASA and Cisco Cloud Web Security History for Cisco Cloud Web Security
  • Page 157 PART Network Address Translation...
  • Page 159 Other functions of NAT include: Security—Keeping internal IP addresses hidden discourages direct attacks. IP routing solutions—Overlapping IP addresses are not a problem when you use NAT.
  • Page 160 NAT rules, and one or both can be translated/untranslated. For static NAT, the rule is bidirectional, so be aware that “source” and “destination” are used in commands and descriptions throughout this guide even though a given connection might originate at the “destination” address.
  • Page 161 Twice NAT lets you identify both the source and destination address in a single rule. Specifying both the source and destination addresses lets you specify that sourceA/destinationA can have a different translation than sourceA/destinationB.
  • Page 162 Order of NAT Rules. Network object NAT—Automatically ordered in the NAT table. Twice NAT—Manually ordered in the NAT table (before or after network object NAT rules).
  • Page 163 NAT rule to section 3 when you add the rule. For section 2 rules, for example, you have the following IP addresses defined within network objects: 192.168.1.0/24 (static)
  • Page 164 In transparent mode, you must choose specific source and destination interfaces. Guidelines for NAT The following topics provide detailed guidelines for implementing NAT. Firewall Mode Guidelines for NAT, page 9-7; IPv6 NAT Guidelines, page 9-7
  • Page 165 For example, if the IPv6 prefix is a /96 prefix, then the IPv4 address is appended in the last 32-bits of the address. For example, if you map 192.168.1.0/24 to 201b::0/96, then 192.168.1.4 will
  • Page 166 IPv6-to-IPv6 or IPv4-to-IPv4; with this prerequisite, the ASA can determine the value of any in a NAT rule. For example, if you configure a rule from “any” to an IPv6 server, and that server was
  • Page 167 If a mapped network object contains both ranges and host IP addresses, then the ranges are used for dynamic NAT, and then the host IP addresses are used as a PAT fallback. Dynamic PAT (Hide):
  • Page 168 The mapped object or group can contain a host, range, or subnet. The static mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired.
  • Page 169 NAT, you can only perform port translation on the destination. A service object can contain both a source and destination port, but only the destination port is used in this case. If you specify the source port, it will be ignored.
  • Page 170 The following figure shows a typical dynamic NAT scenario. Only real hosts can create a NAT session, and responding traffic is allowed back. Figure 9-2 Dynamic NAT (figure labels: Security Appliance, 10.1.1.1, 209.165.201.1, 10.1.1.2, 209.165.201.2, Inside, Outside)
  • Page 171 Some multimedia applications that have a data stream on one port, the control path on another port, and are not open standard. See Default Inspections and NAT Limitations, page 12-6 for more information about NAT and PAT support.
  • Page 172 You can also specify the keyword any for one or both of the interfaces, for example (any,outside). Mapped IP address—Specify the network object or network object group that includes the mapped IP addresses.
  • Page 173 IPv4_PAT hostname(config-network-object)# host 209.165.201.31 hostname(config-network-object)# object-group network IPv4_GROUP hostname(config-network-object)# network-object object IPv4_NAT_RANGE hostname(config-network-object)# network-object object IPv4_PAT hostname(config-network-object)# object network my_net_obj5 hostname(config-network-object)# subnet 2001:DB8::/96 hostname(config-network-object)# nat (inside,outside) dynamic IPv4_GROUP interface
  • Page 174 NAT rules), then use the after-auto keyword. You can insert a rule anywhere in the applicable section using the line argument. Source addresses: Real—Specify a network object, group, or the any keyword.
  • Page 175 209.165.201.0 255.255.255.224 hostname(config)# object network SERVERS_2 hostname(config-network-object)# subnet 203.0.113.0 255.255.255.0 hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_1 destination static SERVERS_1 SERVERS_1 hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_2 destination static SERVERS_2 SERVERS_2
  • Page 176 Each connection requires a separate translation session because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
  • Page 177 If you use the same PAT pool object in two separate rules, then be sure to specify the same options for each rule. For example, if one rule specifies extended PAT and a flat range, then the other rule must also specify extended PAT and a flat range.
  • Page 178 {IPv4_address IPv4_mask | IPv6_address/IPv6_prefix}—The address of a network. For IPv4 subnets, include the mask after a space, for example, 10.0.0.0 255.0.0.0. For IPv6, include the address and prefix as a single unit (no spaces), such as 2001:DB8:0:CD30::/60.
  • Page 179 1 to 511, 512 to 1023, and 1024 to 65535. To avoid running out of ports at the low ranges, configure this setting. To use the entire range of 1 to 65535, also specify the include-reserve keyword.
  • Page 180 If you use an object, the object or group cannot contain a subnet. The object must define a host, or for a PAT pool, a range. The group (for a PAT pool) can include hosts and ranges.
  • Page 181 Extended PAT—The extended keyword enables extended PAT. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. Normally, the destination port and address are not considered when
  • Page 182 PAT_POOL hostname(config-network-object)# range 209.165.200.225 209.165.200.254 hostname(config)# object network TELNET_SVR hostname(config-network-object)# host 209.165.201.23 hostname(config)# object service TELNET hostname(config-service-object)# service tcp destination eq 23 hostname(config)# object network SERVERS hostname(config-network-object)# subnet 203.0.113.0 255.255.255.0
  • Page 183
  • Page 184 The following example creates a deny rule for H.323 traffic, so that it uses multi-session PAT: hostname(config)# xlate per-session deny tcp any4 209.165.201.7 eq 1720 hostname(config)# xlate per-session deny udp any4 209.165.201.7 range 1718 1719
  • Page 185 About Static NAT with Port Address Translation When you specify the port with static NAT, you can choose to map the port and/or the IP address to the same value or to a different value.
  • Page 186 NAT with port translation rules that use the same mapped IP address, but different ports. For details on how to configure this example, see Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation), page 10-5.
  • Page 187 NAT, when the real host initiates traffic, it always uses the first mapped address. However, for traffic initiated to the host, you can initiate traffic to any of the mapped addresses, and they will be untranslated to the single real address.
  • Page 188 Multiple Mapped Addresses (Static NAT, One-to-Many), page 10-4. Figure 9-9 One-to-Many Static NAT Example (figure labels: Host, Outside, Undo Translation 209.165.201.5 to 10.1.2.27, Undo Translation 209.165.201.3 to 10.1.2.27, Undo Translation 209.165.201.4 to 10.1.2.27, Inside, Load Balancer 10.1.2.27, Web Servers)
  • Page 189 TCP destination port, and both hosts are translated to the same IP address, then both connections will be reset because of an address conflict (the 5-tuple is not unique).
  • Page 190 Example hostname(config-network-object)# subnet 10.2.1.0 255.255.255.0 Step 4 Configure static NAT for the object IP addresses. You can only define a single NAT rule for a given object.
  • Page 191 10.1.1.1 hostname(config-network-object)# nat (inside,outside) static 10.2.2.2 dns The following example configures static NAT for the real host 10.1.1.1 on the inside to 10.2.2.2 on the outside using a mapped object.
  • Page 192 You can, however, have different quantities if desired. For more information, see Static NAT, page 9-27. Step 2 (Optional.) Create service objects for the: Source or Destination real ports; Source or Destination mapped ports
  • Page 193 The order of the service objects for destination port translation is service mapped_obj real_obj. In the rare case where you specify both the source and destination ports in the object, the first service object contains the real source
  • Page 194 IPv6 network, and the dynamic PAT translation to an IPv4 PAT pool when accessing the IPv4 network: hostname(config)# object network INSIDE_NW hostname(config-network-object)# subnet 2001:DB8:AAAA::/96 hostname(config)# object network MAPPED_IPv6_NW hostname(config-network-object)# subnet 2001:DB8:BBBB::/96 hostname(config)# object network OUTSIDE_IPv6_NW hostname(config-network-object)# subnet 2001:DB8:CCCC::/96 hostname(config)# object network OUTSIDE_IPv4_NW hostname(config-network-object)# subnet 10.1.1.0 255.255.255.0
  • Page 195 Step 2 Create or edit the network object for which you want to configure NAT. The object must be a different one than what you use for the mapped addresses, even though the contents must be the same in each object. object network obj_name Example
  • Page 196 Route lookup—(Routed mode only; interfaces specified.) Specify route-lookup to determine the egress interface using a route lookup instead of using the interface specified in the NAT command. See Determining the Egress Interface, page 10-14 for more information.
  • Page 197 Step 3 Configure identity NAT. nat [(real_ifc,mapped_ifc)] [line | {after-object [line]}] source static {nw_obj nw_obj | any any} [destination static {mapped_obj | interface [ipv6]} real_obj] [service real_src_mapped_dest_svc_obj mapped_src_real_dest_svc_obj] [no-proxy-arp] [route-lookup] [inactive] [description desc]
  • Page 198 To reactivate it, reenter the whole command without the inactive keyword. Description—(Optional.) Provide a description up to 200 characters using the description keyword. Monitoring NAT To monitor object NAT, use the following commands: show nat
  • Page 199 Twice NAT 8.3(1) Twice NAT lets you identify both the source and destination address in a single rule. We modified or introduced the following commands: nat, show nat, show xlate, show nat pool.
  • Page 200 PAT IP address if ports are available. We did not modify any commands. This feature is not available in 8.5(1) or 8.6(1).
  • Page 201 We modified the following command: nat dynamic [pat-pool mapped_object [extended]] and nat source dynamic [pat-pool mapped_object [extended]]. This feature is not available in 8.5(1) or 8.6(1).
  • Page 202 Because of routing issues, we do not recommend using this feature unless you know you need it; contact Cisco TAC to confirm feature compatibility with your network. See the following limitations: Only supports Cisco IPsec and AnyConnect Client.
  • Page 203 Engine compilation is completed; without affecting the rule matching performance. We added the nat keyword to the following commands: asp rule-engine transactional-commit, show running-config asp rule-engine transactional-commit, clear configure asp rule-engine transactional-commit.
  • Page 204 Chapter 9 Network Address Translation (NAT) History for NAT
  • Page 205 The following example performs static NAT for an inside web server. The real address is on a private network, so a public address is required. Static NAT is necessary so hosts can initiate traffic to the web server at a fixed address.
  • Page 206 The following example configures dynamic NAT for inside users on a private network when they access the outside. Also, when inside users connect to an outside web server, that web server address is translated to an address that appears to be on the inside network.
  • Page 207 Step 4 Create a network object for the outside web server. hostname(config)# object network myWebServ hostname(config-network-object)# host 209.165.201.12 Step 5 Configure static NAT for the web server. hostname(config-network-object)# nat (outside,inside) static 10.1.2.20
  • Page 208 Create a network object for the load balancer. Step 2 hostname(config)# object network myLBHost hostname(config-network-object)# host 10.1.2.27 Step 3 Configure static NAT for the load balancer applying the range object. hostname(config-network-object)# nat (inside,outside) static myPublicIPs Cisco ASA Series Firewall CLI Configuration Guide 10-4...
  • Page 209 (inside,outside) static 209.165.201.3 service tcp http http Create a network object for the SMTP server and configure static NAT with port translation, mapping Step 3 the SMTP port to itself. Cisco ASA Series Firewall CLI Configuration Guide 10-5...
  • Page 210 209.165.201.11 209.165.200.225 209.165.201.0/27 209.165.200.224/27 Translation Translation 10.1.2.27 209.165.202.129 10.1.2.27 209.165.202.130 Inside 10.1.2.0/24 Packet Packet Dest. Address: Dest. Address: 209.165.201.11 209.165.200.225 10.1.2.27 Procedure Add a network object for the inside network: Step 1 Cisco ASA Series Firewall CLI Configuration Guide 10-6...
  • Page 211 Telnet services. When the host accesses the server for Telnet services, the real address is translated to 209.165.202.129:port. When the host accesses the same server for web services, the real address is translated to 209.165.202.130:port.
  • Page 212 Step 6 Add a network object for the PAT address when using HTTP:
      hostname(config)# object network PATaddress2
      hostname(config-network-object)# host 209.165.202.130
  • Page 213 You can configure NAT in both routed and transparent firewall mode. This section describes typical usage for each firewall mode: NAT in Routed Mode, page 10-10; NAT in Transparent Mode, page 10-10.
  • Page 214 The following figure shows a typical NAT scenario in transparent mode, with the same network on the inside and outside interfaces. The transparent firewall in this scenario is performing the NAT service so that the upstream router does not have to perform NAT.
  • Page 215 This section describes how the ASA handles accepting and delivering packets with NAT: Mapped Addresses and Routing, page 10-12.
  • Page 216 ASA: specify the bridge group IP address. For remote hosts in transparent mode, in the static route on the upstream router, you can alternatively specify the downstream router IP address.
  • Page 217 ARP functionality. Due to internal processes for virtual Telnet, proxy ARP lets the ASA keep traffic destined for the virtual Telnet address rather than send the traffic out the source interface according to the NAT rule (see the following figure).
  • Page 218 The following figure shows the egress interface selection method in routed mode. In almost all cases, a route lookup is equivalent to the NAT rule interface, but in some configurations the two methods might differ.
  • Page 219 NAT to access the Internet. The example below uses interface PAT rules. To allow the VPN traffic to exit the same interface it entered, you also need to enable intra-interface communication (also known as "hairpin" networking).
  • Page 220 PAT rule by using an identity NAT rule between those networks. Identity NAT simply translates an address to the same address.
  • Page 221 10.2.2.78 in San Jose), you do not want to perform NAT; you need to exempt that traffic by creating an identity NAT rule. Identity NAT simply translates an address to the same address.
  • Page 222 See the following sample NAT configuration for ASA1 (Boulder):
      ! Enable hairpin for VPN client traffic:
      same-security-traffic permit intra-interface
      ! Identify local VPN network, & perform object interface PAT when going to Internet:
  • Page 223 ASA (see the management-access command). For example, if you enter the ASA from the outside interface, the management-access feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface.
  • Page 224
      10.3.3.0 255.255.255.0
      nat (outside,outside) dynamic interface
      ! Identify inside network, & perform object interface PAT when going to Internet:
      object network inside_nw
      subnet 10.1.1.0 255.255.255.0
      nat (inside,outside) dynamic interface
  • Page 225 DNS rewrite is actually done on the xlate entry, not the NAT rule. Thus, if there is no xlate for a dynamic rule, rewrite cannot be done correctly. The same problem does not occur for static NAT.
  • Page 226 In this case, you want to enable DNS reply modification on this static rule so that inside users who have access to ftp.cisco.com using the real address receive the real address from the DNS server, and not the mapped address.
  • Page 227 DNS Reply Modification, DNS Server, Host, and Server on Separate Networks. The following figure shows a user on the inside network requesting the IP address for ftp.cisco.com, which is on the DMZ network, from an outside DNS server. The DNS server replies with the mapped address (209.165.201.10) according to the static rule between outside and DMZ even though the user is...
  • Page 228 DNS and NAT. If the user needs to access ftp.cisco.com using the real address, then no further configuration is required. If there is also a static rule between the inside and DMZ, then you also need to enable DNS reply modification on this rule.
  • Page 229 In this case, when an inside IPv6 user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.200.225. Because you want inside users to use the mapped address for ftp.cisco.com (2001:DB8::D1A5:C8E1), you need to configure DNS reply modification for the static translation.
  • Page 230 DNS_SERVER
      hostname(config-network-object)# host 209.165.201.15
      hostname(config-network-object)# nat (outside,inside) static 2001:DB8::D1A5:C90F/128 net-to-net
    Step 3 Configure an IPv4 PAT pool for translating the inside IPv6 network.
      hostname(config)# object network IPv4_POOL
      hostname(config-network-object)# range 203.0.113.1 203.0.113.254
  • Page 231 [Figure: PTR Modification, DNS Server on Host Network. ftp.cisco.com is at 209.165.201.10 on the outside, with a static translation on the inside to 10.1.2.56; the DNS server holding the PTR record is on the outside network with the host. Inside user 10.1.2.27 sends a reverse DNS query for 10.1.2.56; the ASA modifies it to a query for 209.165.201.10 so that the outside DNS server can answer with ftp.cisco.com.]
  • Page 232 Chapter 10 NAT Examples and Reference: DNS and NAT.
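The xlate dependency stated on Page 225 (rewrite happens on the xlate entry, so a dynamic rule with no xlate yet cannot be rewritten) is easier to see in code. The following added example is not from the Cisco guide and not ASA code: it models a tiny xlate table, builds a constructed DNS reply with a single A record, and rewrites the answer from mapped to real only when an xlate exists, which is the direction that applies when the DNS client sits on the real-address side. The mapped address 209.165.201.10 comes from the figures above; the real address 10.1.3.14, the second (dynamic) rule and the hostnames are assumptions.

```python
"""Model of ASA DNS reply modification. The A-record answers in a DNS
reply are rewritten through the xlate table, not the NAT rule, so a
dynamic rule for which no xlate exists yet produces no rewrite.
Added example, not ASA code; rules and packets are constructed."""
import socket
import struct

# Constructed NAT rules. The mapped address 209.165.201.10 is the one in the
# DNS-rewrite figures above; the real address 10.1.3.14 and the second,
# dynamic rule are assumptions for this example.
RULES = [
    {"real": "10.1.3.14", "mapped": "209.165.201.10", "static": True},
    {"real": "10.1.2.27", "mapped": "209.165.201.11", "static": False},
]


class XlateTable:
    """Static rules have an xlate as soon as they are configured; a dynamic
    rule gets one only when a connection from the real host is built."""

    def __init__(self, rules):
        self.rules = rules
        self.active = {r["real"]: r["mapped"] for r in rules if r["static"]}

    def open_connection(self, real):
        for r in self.rules:
            if r["real"] == real and not r["static"]:
                self.active[real] = r["mapped"]

    def real_for(self, mapped):
        for real, m in self.active.items():
            if m == mapped:
                return real
        return None


def build_dns_reply(name, addr, txid=0x1234):
    """Constructed minimal DNS response: one question and one A answer whose
    owner name is a compression pointer back to the question (offset 12)."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)                     # A, IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return header + question + answer


def _skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def rewrite_reply(pkt, xlates):
    """Rewrite mapped -> real in every A answer that has an active xlate, as
    the ASA does for a reply heading toward the real-address side.
    Returns (new_packet, [(mapped, real), ...])."""
    qd, an = struct.unpack("!HH", pkt[4:8])
    out = bytearray(pkt)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4                              # qtype + qclass
    rewrites = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            mapped = socket.inet_ntoa(pkt[off:off + 4])
            real = xlates.real_for(mapped)
            if real is not None:
                out[off:off + 4] = socket.inet_aton(real)
                rewrites.append((mapped, real))
        off += rdlen
    return bytes(out), rewrites


def answered_address(pkt):
    """Address carried by the first A answer (used to check the result)."""
    off = _skip_name(pkt, 12) + 4
    off = _skip_name(pkt, off) + 10
    return socket.inet_ntoa(pkt[off:off + 4])


def demo():
    """Static rule: rewritten at once. Dynamic rule: unchanged until the
    inside host opens a connection and the xlate exists."""
    xl = XlateTable(RULES)
    static_reply, _ = rewrite_reply(build_dns_reply("ftp.cisco.com", "209.165.201.10"), xl)
    before, _ = rewrite_reply(build_dns_reply("host.example.com", "209.165.201.11"), xl)
    xl.open_connection("10.1.2.27")
    after, _ = rewrite_reply(build_dns_reply("host.example.com", "209.165.201.11"), xl)
    return answered_address(static_reply), answered_address(before), answered_address(after)


if __name__ == "__main__":
    print(demo())
```

The middle value returned by demo() is the point of Page 225: the reply for the dynamically translated host passes through unchanged until a connection from 10.1.2.27 has created the xlate, after which the same reply is rewritten.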
  • Page 233 Part: Service Policies and Application Inspection
  • Page 235 The point of service policies is to apply advanced services to the traffic you are allowing. Any traffic permitted by access rules can have service policies applied, and thus receive special processing, such as being redirected to a service module or having application inspection applied.
  • Page 236 : in the service policy map.
      : In ASDM, this maps to call-out 4, rule actions, for the sip-class-inside policy.
      policy-map type inspect sip sip-high
       parameters
        rtp-conformance enforce-payloadtype
        no traffic-non-sip
        software-version action mask log
  • Page 237 0:00:30 half-closed 0:10:00 idle 1:00:00 reset dcd 0:15:00 5
        user-statistics accounting
      : The service-policy command applies the policy map rule set to the inside interface.
      : This command activates the policies.
      service-policy test-inside-policy interface inside
  • Page 238 Chapter 14, "Inspection for Voice and Video Protocols." Chapter 15, "Inspection of Database, Directory, and Management Protocols." Chapter 8, "ASA and Cisco Cloud Web Security." ASA IPS: see the ASA IPS quick start guide. ASA CX: see the ASA CX quick start guide.
  • Page 239 If a packet matches a class map for HTTP inspection, but also matches another class map that includes HTTP inspection, then the second class map actions are not applied.
  • Page 240 You cannot configure QoS priority queuing and QoS policing for the same set of traffic.
  • Page 241 Example 11-2 Misconfiguration for HTTP packets: FTP Inspection Also Configured
      class-map ftp
       match port tcp eq 80   [it should be 21]
      class-map http
       match port tcp eq 80
      policy-map test
       class ftp
        inspect ftp
       class http
        inspect http
  • Page 242 This limit also includes default class maps of all types, limiting user-configured class maps to approximately 235. See Default Class Maps (Traffic Classes), page 11-10. Policy Map Guidelines: see the following guidelines for using policy maps:
  • Page 243 (An interface policy overrides the global policy for a particular feature.) The default policy includes the following application inspections:
  • Page 244 This class, which is used in the default global policy, is a special shortcut to match the default ports for all inspections.
  • Page 245 For example, you might want to drop all HTTP requests with a body length greater than 1000 bytes. Table columns: Inspection Policy Map Actions; Inspection Class Map / Match Commands.
  • Page 246 Step 4 Determine on which interfaces you want to apply the policy map, or apply it globally, as described in Apply Actions to an Interface (Service Policy), page 11-17.
  • Page 247 ACE to match each port. hostname(config-cmap)# match port tcp eq 80. match default-inspection-traffic matches default traffic for inspection: the default TCP and UDP ports used by all applications that the ASA can inspect.
  • Page 248 10.1.1.1 255.255.255.255
      hostname(config)# class-map all_udp
      hostname(config-cmap)# description "This class-map matches all UDP traffic"
      hostname(config-cmap)# match access-list udp
      hostname(config-cmap)# class-map all_tcp
  • Page 249 For applications that use multiple, non-contiguous ports, use the match access-list command and define an ACE to match each port. hostname(config-cmap)# match port tcp eq 80
  • Page 250 256. The following example shows how multi-match works in a policy map:
      hostname(config)# class-map inspection_default
      hostname(config-cmap)# match default-inspection-traffic
      hostname(config)# class-map http_traffic
      hostname(config-cmap)# match port tcp eq 80
  • Page 251 fail-close generates a syslog (767001) for IPv6 traffic that is dropped by application inspections that do not support IPv6 traffic. By default, syslogs are not generated.
  • Page 252 [Figure 11-1 HTTP Inspection and QoS Policing: port 80 traffic between Host A (inside) and Host B (outside) is both inspected and policed by the security appliance.] See the following commands for this example: hostname(config)# class-map http_traffic
  • Page 253 Any HTTP connection destined for Server B that enters the ASA through the inside interface is classified for HTTP inspection. Connections initiated from Server B to Host B do not match the ACL in the class map, so they are not affected.
  • Page 254 IP address used on the outside network, 209.165.200.225. You must use the real IP address in the ACL in the class map. If you applied it to the outside interface, you would also use the real address.
  • Page 255 Match any for inspection policy maps (8.0(2)): The match any keyword was introduced for use with inspection policy maps: traffic can match one or more criteria to match the class map. Formerly, only match all was available.
  • Page 256 Chapter 11 Service Policy Using the Modular Policy Framework: History for Service Policies.
  • Page 257 As illustrated in the following figure, the ASA uses three databases for its basic operation: ACLs, used for authentication and authorization of connections based on specific networks, hosts, and services (TCP/UDP port numbers); Inspections, containing a static, predefined set of application-level inspection functions; ...
  • Page 258 However, the fast path relies on predictable port numbers and does not perform address translations inside a packet. Many protocols open secondary TCP or UDP ports. The initial session on a well-known port is used to negotiate dynamically assigned port numbers.
  • Page 259 For example:
      hostname(config)# policy-map test
      hostname(config-pmap)# class sip
      hostname(config-pmap-c)# no inspect sip sip-map1
      hostname(config-pmap-c)# inspect sip sip-map2
  • Page 260 They are matched according to the order in the policy map: ftp3 and then ftp2.
      class-map type inspect ftp match-all ftp1
       match request-cmd get
      class-map type inspect ftp match-all ftp2
  • Page 261 200 connections. For example, if an FTP client opens multiple secondary connections, the FTP inspection engine allows only 200 active connections; the 201st connection is dropped and the adaptive security appliance generates a system error message.
  • Page 262 (Inspection support table, partially recovered. Columns: Application | Protocol/Port | NAT Limitations | Standards | Comments)
      (application not shown) | (not shown) | No NAT support is available for name resolution through WINS. | RFC 1123 | (not shown)
      FTP | TCP/21 | (Clustering) No static PAT. | RFC 959 | (none)
      GTP | UDP/3386, UDP/2123 | No extended PAT. No NAT. | (none) | Requires a special license.
  • Page 263 (continued)
      NetBIOS (NBNS/NBDS) | UDP/137, 138 (source ports) | No NAT64. | (none) | Supported by performing NAT of the packets for NBNS UDP port 137 and NBDS UDP port 138.
      PPTP | TCP/1723 | No NAT64. (Clustering) No static PAT. | RFC 2637 | (none)
      RADIUS Accounting | 1646 | No NAT64. | RFC 2865 | (none)
  • Page 264 (continued)
      Sun RPC | (port) 111 | (not shown) | (not shown) | ... and performs Sun RPC inspection.
      TFTP | UDP/69 | No NAT64. (Clustering) No static PAT. | RFC 1350 | Payload IP addresses are not translated.
      WAAS | TCP/1-65535 | No extended PAT. No NAT64. | (none) | (none)
  • Page 265 TCP application, as opposed to one that applies to all TCP applications. For some applications, you can perform special actions when you enable inspection. See ...
  • Page 266 To enable SNMP inspection, enable SNMP inspection for the default class. Do not add another class that matches SNMP. Step 5 Enable application inspection: hostname(config-pmap-c)# inspect protocol. The protocol is one of the following values:
  • Page 267 HTTP Inspection, page 13-14. If you added an HTTP inspection policy map according to Configure an HTTP Inspection Policy Map, page 13-16, identify the map name in this command. icmp: ICMP Inspection, page 13-21.
  • Page 268 RSH Inspection, page 15-16. rtsp [map_name]: RTSP Inspection, page 14-17. If you added an RTSP inspection policy map according to Configure RTSP Inspection Policy Map, page 14-19, identify the map name in this command.
  • Page 269 TFTP Inspection, page 13-45. waas: enables TCP option 33 parsing; use when deploying Cisco Wide Area Application Services products. xdmcp: XDMCP Inspection, page 15-21. vxlan: VXLAN Inspection, page 15-22.
  • Page 270 21
      hostname(config)# access-list ftp_inspect extended permit tcp any any eq 1056
      hostname(config)# class-map new_inspection
      hostname(config-cmap)# match access-list ftp_inspect
  • Page 271 Pipe (|): matches either expression it separates. For example, dog|cat matches dog or cat. Question mark (?): a quantifier that indicates that there are 0 or 1 of the previous expression. For example, lo?se matches lse or lose.
  • Page 272 \NNN: matches an ASCII character as octal (exactly three digits). For example, \040 represents a space. Procedure: Step 1 Test a regular expression to make sure it matches what you think it will match.
  • Page 273 Step 2 (Optional) Add a description to the class map: hostname(config-cmap)# description string. Step 3 Identify the regular expressions you want to include by entering the following command for each regular expression:
  • Page 274 Match any for inspection policy maps (8.0(2)): The match any keyword was introduced for use with inspection policy maps: traffic can match one or more criteria to match the class map. Formerly, only match all was available.
  • Page 275 The following sections describe DNS application inspection: DNS Inspection Actions, page 13-2; Defaults for DNS Inspection, page 13-2; Configure DNS Inspection, page 13-2; Monitoring DNS Inspection, page 13-8.
  • Page 276 Configure DNS Inspection. DNS inspection is enabled by default. You need to configure it only if you want non-default processing. If you want to customize DNS inspection, use the following process.
  • Page 277 Specify the traffic on which you want to perform actions using one of the following match commands. If you use a match not command, then any traffic that does not match the criterion in the match not command has the action applied.
  • Page 278 Not all options are available for each match or class command. See the CLI help or the command reference for the exact options available. The drop keyword drops all packets that match.
  • Page 279 {[drop] [log]}: requires a TSIG resource record to be present. You can drop a non-conforming packet, log the packet, or both. For example:
      hostname(config-pmap)# parameters
      hostname(config-pmap-p)# dns-guard
      hostname(config-pmap-p)# message-length maximum 1024
      hostname(config-pmap-p)# nat-rewrite
      hostname(config-pmap-p)# protocol-enforcement
  • Page 280 For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps), page 11-13. Step 2 Add or edit a policy map that sets the actions to take with the class map traffic.
  • Page 281 Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
  • Page 282 Configure FTP Inspection, page 13-10; Verifying and Monitoring FTP Inspection, page 13-14. FTP Inspection Overview: the FTP application inspection inspects FTP sessions and performs four tasks: prepares dynamic secondary data connection; ...
  • Page 283 Invalid port negotiation: the negotiated dynamic port value is checked to see if it is less than 1024. Because ports below 1024 are reserved for well-known services, if the negotiated port falls in this range the TCP connection is freed.
  • Page 284 To specify traffic that should not match the class map, use the match not command. For example, if the match not command specifies the string "example.com," then any traffic that includes "example.com" does not match the class map.
  • Page 285 match [not] username regex {regex_name | class class_name}: matches the FTP username against the specified regular expression or regular expression class. Enter exit to leave class map configuration mode.
  • Page 286 The following example shows how to mask this banner:
      hostname(config)# policy-map type inspect ftp mymap
      hostname(config-pmap)# parameters
      hostname(config-pmap-p)# mask-banner
      hostname(config)# class-map match-all ftp-traffic
      hostname(config-cmap)# match port tcp eq ftp
      hostname(config)# policy-map ftp-policy
      hostname(config-pmap)# class ftp-traffic
  • Page 287 Otherwise, you are specifying the class you created earlier in this procedure. Step 4 Configure FTP inspection: inspect ftp [strict [ftp_policy_map]], where strict implements strict FTP. You must use strict FTP to specify an FTP inspection policy map.
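The port-negotiation check on Page 283, the secondary data connection that the inspection prepares (Page 282) and the payload address translation it performs under NAT can be modelled in a few dozen lines. The following is an added example, not ASA code: it parses the PORT command and the 227 PASV reply, drops (frees) a control connection that negotiates a data port below 1024, returns the pinhole the data connection needs, and rewrites the client address inside PORT through a constructed static NAT rule. The rule (10.1.2.27 to 209.165.201.11) and the sample lines are assumptions, and the FTP client is assumed to sit on the real-address (inside) side.

```python
"""Model of the FTP inspection checks described above: parse PORT commands
and PASV (227) replies, refuse negotiated data ports below 1024, open a
pinhole for the secondary data connection, and rewrite the payload address
when a static NAT rule applies. Added example, not ASA code."""
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed static NAT rule for the inside FTP client: real -> mapped.
STATIC_NAT = {"10.1.2.27": "209.165.201.11"}


def _decode(groups):
    """h1,h2,h3,h4,p1,p2 -> (dotted address, port) as RFC 959 defines it."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _encode(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def inspect_ftp_control(line, outbound):
    """Inspect one control-channel line.

    Returns (verdict, line_to_forward, pinhole):
      'ign'/'ignore' - the line negotiates no port, forward unchanged;
      'drop'         - negotiated port < 1024, the TCP connection is freed;
      'pass'         - forward (possibly rewritten) line and open pinhole.
    outbound=True means the line travels from the inside (real) client to
    the outside server, so it is a PORT command; otherwise it is the
    server's 227 reply to PASV."""
    m = PORT_RE.match(line) if outbound else PASV_RE.match(line)
    if not m:
        return "ignore", line, None
    ip, port = _decode(m.groups())
    if port < 1024:
        return "drop", None, None
    if outbound and ip in STATIC_NAT:
        # Active mode: the client's real address is in the payload and must
        # be replaced by the mapped address the server can actually reach.
        mapped = STATIC_NAT[ip]
        line = line.replace(_encode(ip, port), _encode(mapped, port))
        return "pass", line, (mapped, port)
    return "pass", line, (ip, port)
```

The rewritten PORT line is shorter or longer than the original whenever the address digits change length, which is exactly why the page notes that FTP inspection has to adjust the TCP stream (sequence numbers) in addition to the payload.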
  • Page 288 In conjunction with NAT, the FTP application inspection translates the IP address within the application payload. This is described in detail in RFC 959. HTTP Inspection: the following sections describe the HTTP inspection engine: HTTP Inspection Overview, page 13-15; Configure HTTP Inspection, page 13-15.
  • Page 289 Do not configure HTTP inspection in both a service module and on the ASA, as the inspections are not compatible. Procedure: Step 1 Configure an HTTP Inspection Policy Map, page 13-16. Step 2 Configure the HTTP Inspection Service Policy, page 13-19.
  • Page 290 match [not] request body {regex {regex_name | class class_name} | length gt bytes}: matches text found in the HTTP request message body against the specified regular expression or regular expression class, or messages where the request body is greater than the specified length.
  • Page 291 (count) in the header. You can specify the field name explicitly or match the field name to a regular expression or regular expression class. Field names are listed in the previous bullet.
  • Page 292 HTTP message that should be searched in a body match. The default is 200 bytes. A large number will have a significant impact on performance.
  • Page 293 Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection: class-map name, then match parameter. Example:
      hostname(config)# class-map http_class_map
      hostname(config-cmap)# match access-list http
  • Page 294 Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
  • Page 295 The Instant Messaging (IM) inspect engine lets you control the network usage of IM and stop leakage of confidential data, propagation of worms, and other threats to the corporate network. IM inspection is not enabled by default. You must configure it if you want IM inspection.
  • Page 296 If you use a match not command, then any traffic that does not match the criterion in the match not command has the action applied. match [not] protocol {im-yahoo | im-msn}: matches a specific IM protocol, either Yahoo or MSN.
  • Page 297 The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server or client. The log keyword, which you can use alone or with one of the other keywords, sends a system log message.
  • Page 298 However, the default inspect class does include the default IM ports, so you can simply edit the default global inspection policy to add IM inspection. You can alternatively create a new service policy as desired, for example, an interface-specific policy.
  • Page 299 If you are editing an existing service policy (such as the default global policy called global_policy), you are done. Otherwise, activate the policy map on one or more interfaces: service-policy policymap_name {global | interface interface_name}
  • Page 300 The Options field is padded so that the field ends on a 32-bit boundary; the Internet header length (IHL) in the packet changes; the total length of the packet changes.
  • Page 301 IP options inspection is enabled by default. You need to configure it only if you want to allow additional options beyond those the default map allows. Procedure: Step 1 Configure an IP Options Inspection Policy Map, page 13-28. Step 2 Configure the IP Options Inspection Service Policy, page 13-28.
  • Page 302 Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection: class-map name, then match parameter. Example:
      hostname(config)# class-map ip_options_class_map
      hostname(config-cmap)# match access-list ipoptions
  • Page 303 Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
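The header changes listed on Page 300 are the consequence of clearing an option: whatever options remain must be re-padded to a 32-bit boundary, the IHL and the total length shrink, and the header checksum must be recomputed. The added example below is not ASA code. It builds a constructed IPv4 packet carrying a router-alert option and a record-route option, applies a per-option allow/clear/drop policy to it, and returns the rewritten packet with the header fields fixed up. The policy, the option bytes and the addresses are assumptions for the example; the policy is not the ASA default map.

```python
"""IP options inspection modelled in Python: per-option allow / clear /
drop, with the header consequences described above (remaining options
re-padded to a 32-bit boundary, IHL and total length recomputed, header
checksum refreshed). Added example; the option policy and packet are
constructed."""
import socket
import struct


def ip_checksum(data):
    """RFC 1071 one's-complement checksum over the header bytes."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(options, payload, src="10.1.2.27", dst="209.165.200.225"):
    """Constructed IPv4 packet (protocol 17) with the given raw option bytes."""
    opts = options + b"\x00" * (-len(options) % 4)           # sender pads too
    ihl = 5 + len(opts) // 4
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0,
                                ihl * 4 + len(payload), 0x1234, 0, 64, 17, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    hdr += opts
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def parse_options(opts):
    """Yield (kind, raw) per option. EOL (0) ends the list, NOP (1) is one
    byte, every other option carries a length byte."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            return
        if kind == 1:
            yield 1, opts[i:i + 1]
            i += 1
            continue
        length = opts[i + 1]
        yield kind, opts[i:i + length]
        i += length


def ip_options_inspect(pkt, policy, default="drop"):
    """Apply policy {option_kind: 'allow' | 'clear' | 'drop'} to one packet.
    Returns ('drop', None) or ('allow', rewritten_packet)."""
    ihl = (pkt[0] & 0x0F) * 4
    header, payload = pkt[:ihl], pkt[ihl:]
    kept = bytearray()
    for kind, raw in parse_options(header[20:]):
        action = policy.get(kind, default)
        if action == "drop":
            return "drop", None
        if action == "allow":
            kept += raw                                 # 'clear' simply omits it
    kept += b"\x00" * (-len(kept) % 4)                  # re-pad to a 32-bit boundary
    new_hdr = bytearray(header[:20]) + kept
    new_hdr[0] = 0x40 | (len(new_hdr) // 4)             # IHL changes
    struct.pack_into("!H", new_hdr, 2, len(new_hdr) + len(payload))  # total length changes
    struct.pack_into("!H", new_hdr, 10, 0)
    struct.pack_into("!H", new_hdr, 10, ip_checksum(bytes(new_hdr)))
    return "allow", bytes(new_hdr) + payload


def header_fields(pkt):
    """(header length in bytes, total length, checksum verifies) for checks."""
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    return ihl, total, ip_checksum(pkt[:ihl]) == 0


# Constructed policy: router alert (148) allowed, record route (7) cleared,
# everything else dropped. This is NOT the ASA default map.
POLICY = {0: "allow", 1: "allow", 148: "allow", 7: "clear"}
ROUTER_ALERT = b"\x94\x04\x00\x00"
RECORD_ROUTE = b"\x07\x07\x04\x00\x00\x00\x00"


def demo():
    """Header before and after clearing the record-route option."""
    pkt = build_ipv4(ROUTER_ALERT + RECORD_ROUTE, b"payload!")
    verdict, out = ip_options_inspect(pkt, POLICY)
    return header_fields(pkt), verdict, header_fields(out)
```

In demo() the header goes from 32 to 24 bytes and the total length from 40 to 32 once record route is cleared, while the checksum still verifies, which is the whole list from Page 300 in one call.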
  • Page 304 IPsec Pass Through inspection is not enabled by default. You must configure it if you want IPsec Pass Through inspection. Procedure: Step 1 Configure an IPsec Pass Through Inspection Policy Map, page 13-31. Step 2 Configure the IPsec Pass Through Inspection Service Policy, page 13-32.
  • Page 305 10 timeout 0:11:00
      hostname(config-pmap-p)# ah per-client-max 5 timeout 0:06:00
      hostname(config)# policy-map inspection_policy
      hostname(config-pmap)# class ipsecpassthru-traffic
      hostname(config-pmap-c)# inspect ipsec-pass-thru iptmap
      hostname(config)# service-policy inspection_policy interface outside
  • Page 306 For information on creating the inspection policy map, see Configure an IPsec Pass Through Inspection Policy Map, page 13-31. Example:
      hostname(config-class)# no inspect ipsec-pass-thru
      hostname(config-class)# inspect ipsec-pass-thru ipsec-map
  • Page 307 Drops any packet with a routing type header. Following is the policy map configuration:
      policy-map type inspect ipv6 _default_ipv6_map
       description Default IPV6 policy-map
       parameters
        verify-header type
        verify-header order
       match header routing-type range 0 255
        drop log
  • Page 308 Specify the action to perform on matching packets. You can drop the packet and optionally log it, or just log it. If you do not enter an action, the packet is logged. hostname(config-pmap)# {drop [log] | log}
  • Page 309 Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection: class-map name, then match parameter. Example:
      hostname(config)# class-map ipv6_class_map
      hostname(config-cmap)# match access-list ipv6
  • Page 310 Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
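The default IPv6 map on Page 307 does three things: verifies extension header types, verifies their order, and drops any routing header regardless of type. The added example below, which is not ASA code, walks the extension-header chain of constructed IPv6 packets, checks the chain against the order recommended in RFC 2460 section 4.1, and drops routing headers of any type in the range 0 to 255. The packets, addresses and header bodies are constructed; the builder does not model the Authentication Header's different length encoding, although the inspector does.

```python
"""Model of the default IPv6 inspection map quoted above: walk the
extension-header chain, verify the headers appear in the RFC 2460
recommended order, and drop any packet carrying a routing header (all
routing types, 0-255). Added example, not ASA code; packets are constructed."""
import socket
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS}
# RFC 2460 section 4.1 recommended order (Destination Options may appear twice).
RECOMMENDED_ORDER = [HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH, ESP, DEST_OPTS]


def build_ipv6(ext_chain, upper=17, payload=b"", src="2001:db8::1", dst="2001:db8::2"):
    """Constructed IPv6 packet. ext_chain is a list of (type, body) where
    body excludes the Next Header and Hdr Ext Len bytes and len(body) + 2 is
    a multiple of 8. The fragment header is exactly 8 bytes, so its fixed
    reserved byte lands where Hdr Ext Len would be and is written as 0.
    (AH, whose length field is encoded differently, is not supported here.)"""
    types = [t for t, _ in ext_chain] + [upper]
    chain = b""
    for i, (_, body) in enumerate(ext_chain):
        chain += bytes([types[i + 1], (len(body) + 2) // 8 - 1]) + body
    header = struct.pack("!IHBB16s16s", 0x60000000, len(chain) + len(payload),
                         types[0], 64,
                         socket.inet_pton(socket.AF_INET6, src),
                         socket.inet_pton(socket.AF_INET6, dst))
    return header + chain + payload


def _in_recommended_order(seen):
    """True if 'seen' is a subsequence of RECOMMENDED_ORDER."""
    pos = 0
    for hdr in seen:
        while pos < len(RECOMMENDED_ORDER) and RECOMMENDED_ORDER[pos] != hdr:
            pos += 1
        if pos == len(RECOMMENDED_ORDER):
            return False
        pos += 1
    return True


def inspect_ipv6(pkt, dropped_routing_types=range(0, 256)):
    """Return ('allow', None) or ('drop', reason)."""
    next_hdr = pkt[6]
    off = 40
    seen = []
    while next_hdr in EXT_HEADERS:
        if next_hdr == ROUTING and pkt[off + 2] in dropped_routing_types:
            return "drop", f"routing header type {pkt[off + 2]}"
        seen.append(next_hdr)
        if next_hdr == ESP:
            break                                    # payload encrypted, cannot walk on
        if next_hdr == FRAGMENT:
            length = 8
        elif next_hdr == AH:
            length = (pkt[off + 1] + 2) * 4          # AH length: 32-bit words minus 2
        else:
            length = (pkt[off + 1] + 1) * 8
        next_hdr = pkt[off]
        off += length
    if not _in_recommended_order(seen):
        return "drop", "extension headers out of recommended order"
    return "allow", None


# Constructed extension-header bodies (6 bytes each, so every header is 8 bytes).
PADN6 = b"\x01\x04\x00\x00\x00\x00"         # PadN option filling a HBH/DstOpts header
RH0 = b"\x00\x01\x00\x00\x00\x00"           # routing type 0, segments left 1
FRAG = b"\x00\x00\x00\x00\x00\x00"          # offset 0, no more fragments, id 0
```

A routing header hidden behind a Destination Options header is still caught, because the walk continues through every recognised extension header; only ESP stops it, since nothing after ESP is readable.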
  • Page 311 Where the drop action drops the packet. The log action sends a system log message when this policy map matches traffic. Example:
      hostname(config)# policy-map type inspect netbios netbios_map
      hostname(config-pmap)# parameters
      hostname(config-pmap-p)# protocol-violation drop log
      hostname(config)# policy-map netbios_policy
      hostname(config-pmap)# class inspection_default
      hostname(config-pmap-c)# inspect netbios netbios_map
  • Page 312 Where netbios_policy_map is the optional NetBIOS inspection policy map. You need a map only if you want non-default inspection processing. For information on creating the NetBIOS inspection policy map, see Configure a NetBIOS Inspection Policy Map for Additional Inspection Control, page 13-37. Example: hostname(config-class)# no inspect netbios
  • Page 313 ESMTP messages, as well as detect several attacks, block senders/receivers, and block mail relay. The following sections describe the ESMTP inspection engine: SMTP and ESMTP Inspection Overview, page 13-40.
  • Page 314 For unknown commands, the ASA changes all the characters in the packet to X. In this case, the server generates an error code to the client. Because of the change in the packet, the TCP checksum has to be recalculated or adjusted. TCP stream editing.
  • Page 315 998
      match header line length gt 998
       drop-connection log
      match sender-address length gt 320
       drop-connection log
      match MIME filename length gt 255
       drop-connection log
      match ehlo-reply-parameter others
       mask
  • Page 316 match [not] ehlo-reply-parameter parameter [parameter2...]: matches ESMTP EHLO reply parameters. You can specify one or more of the following parameters: 8bitmime, auth, binaryname, checkpoint, dsn, etrn, others, pipelining, size, vrfy.
  • Page 317 {drop-connection [log] | log}: identifies a domain name for mail relay. You can either drop the connection and optionally log it, or log it. mask-banner: masks the banner from the ESMTP server.
  • Page 318 For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps), page 11-13. Step 2 Add or edit a policy map that sets the actions to take with the class map traffic: policy-map name
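The actions quoted on Pages 314 through 316 (replacing an unknown command with X characters, the length limits in the default policy map, masking of EHLO reply parameters outside the known set) are modelled in the added example below, which is not ASA code. It keeps just enough session state to know whether a line is a command, a message header during DATA, or part of a multi-line EHLO reply. The limits 998, 320 and 255 are the ones in the policy map on Page 315; the command set, the parameter set, the masking character and the sample session are assumptions.

```python
"""Model of the ESMTP inspection actions in the default policy map quoted
above: unknown client commands are replaced with X characters, over-long
header lines, sender addresses and MIME filenames drop the connection, and
EHLO reply parameters outside the known set are masked. Added example, not
ASA code; the limits come from the policy map above, the session is constructed."""
import re

KNOWN_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP",
                  "QUIT", "VRFY", "EXPN", "HELP", "AUTH", "STARTTLS"}
# Parameters the policy map can name; anything else counts as "others".
KNOWN_EHLO_PARAMS = {"8BITMIME", "AUTH", "BINARYMIME", "CHECKPOINT", "DSN",
                     "ETRN", "PIPELINING", "SIZE", "VRFY"}
MAX_HEADER_LINE, MAX_SENDER, MAX_MIME_FILENAME = 998, 320, 255
FILENAME_RE = re.compile(r'filename="?([^";\r\n]*)"?', re.IGNORECASE)


class EsmtpInspector:
    def __init__(self):
        self.in_data = False        # between DATA and the terminating "."
        self.in_headers = False     # header block of the message body
        self.ehlo_reply = False     # server is answering an EHLO
        self.ehlo_first = False     # first 250 line is the greeting, not a parameter

    def client(self, line):
        """Inspect one client -> server line; returns (verdict, line_to_forward)."""
        body = line.rstrip("\r\n")
        tail = line[len(body):]
        if self.in_data:
            if body == ".":
                self.in_data = False
            elif self.in_headers:
                if body == "":
                    self.in_headers = False
                elif len(body) > MAX_HEADER_LINE:
                    return "drop-connection", None
                else:
                    m = FILENAME_RE.search(body)
                    if m and len(m.group(1)) > MAX_MIME_FILENAME:
                        return "drop-connection", None
            return "pass", line
        verb = body.split(" ", 1)[0].upper()
        if verb not in KNOWN_COMMANDS:
            return "mask", "X" * len(body) + tail      # server will reject the X-ed command
        if verb == "MAIL":
            m = re.search(r"<([^>]*)>", body)
            if m and len(m.group(1)) > MAX_SENDER:
                return "drop-connection", None
        elif verb == "EHLO":
            self.ehlo_reply = self.ehlo_first = True
        elif verb == "DATA":
            self.in_data = self.in_headers = True
        return "pass", line

    def server(self, line):
        """Inspect one server -> client line; masks unknown EHLO parameters."""
        body = line.rstrip("\r\n")
        tail = line[len(body):]
        if not (self.ehlo_reply and body.startswith("250")):
            return "pass", line
        first, self.ehlo_first = self.ehlo_first, False
        if body[3:4] == " ":
            self.ehlo_reply = False                     # "250 " ends the multi-line reply
        m = re.match(r"^(250[- ])(\S+)(.*)$", body)
        if first or not m or m.group(2).upper() in KNOWN_EHLO_PARAMS:
            return "pass", line
        return "mask", m.group(1) + "X" * len(m.group(2)) + m.group(3) + tail


def run_session(exchange):
    """Feed (side, line) pairs through one inspector; stop at drop-connection."""
    insp = EsmtpInspector()
    results = []
    for side, line in exchange:
        verdict, fwd = insp.client(line) if side == "C" else insp.server(line)
        results.append((side, verdict, fwd))
        if verdict == "drop-connection":
            break
    return results


# Constructed session exercising each action in turn.
SESSION = [
    ("C", "EHLO client.example.com\r\n"),
    ("S", "250-mail.example.com Hello\r\n"),
    ("S", "250-SIZE 10240000\r\n"),
    ("S", "250-STARTTLS\r\n"),
    ("S", "250 8BITMIME\r\n"),
    ("C", "XFOO bar\r\n"),
    ("C", "MAIL FROM:<" + "a" * 321 + "@example.com>\r\n"),
    ("C", "RCPT TO:<bob@example.com>\r\n"),
]
```

Because masking keeps the line length unchanged, no TCP sequence adjustment is needed for it, whereas the checksum still has to be recomputed, which matches the note on Page 314; dropping the connection on the over-long MAIL FROM stops the session before RCPT is ever inspected.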
  • Page 319 You can only apply one policy map to each interface. TFTP Inspection TFTP inspection is enabled by default. TFTP, described in RFC 1350, is a simple protocol to read and write files between a TFTP server and client. Cisco ASA Series Firewall CLI Configuration Guide 13-45...
  • Page 320 TFTP inspection must be enabled if static PAT is used to redirect TFTP traffic. For information on enabling TFTP inspection, see Configure Application Layer Protocol Inspection, page 12-9. Cisco ASA Series Firewall CLI Configuration Guide 13-46...
  • Page 321 SoftPhone and other Cisco TAPI/JTAPI applications to work successfully with Cisco CallManager for call setup across the ASA. TAPI and JTAPI are used by many Cisco VoIP applications. CTIQBE is used by Cisco TSP to communicate with Cisco CallManager. For information on enabling CTIQBE inspection, see...
  • Page 322 Cisco IP SoftPhone requires the Cisco CallManager IP address to be specified explicitly in its Cisco TSP configuration on the PC. When using PAT or Outside PAT, if the Cisco CallManager IP address is to be translated, its TCP •...
  • Page 323 Verifying and Monitoring H.323 Inspection, page 14-10 H.323 Inspection Overview H.323 inspection provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union for multimedia conferences over LANs. The ASA supports H.323 through Version 6, including H.323 v3 feature Multiple Calls on One Call Signaling Channel.
  • Page 324 The ASA does not support TCP options in the Proxy ACK for the TPKT. Note Each UDP connection with a packet going through H.323 inspection is marked as an H.323 connection and times out with the H.323 timeout as configured with the timeout command...
  • Page 325 ASN.1 coder. Limitations for H.323 Inspection H.323 inspection is tested and supported for Cisco Unified Communications Manager (CUCM) 7.0. It is not supported for CUCM 8.0 and higher. H.323 inspection might work with other releases and products.
  • Page 326 If you want to perform different actions for each match command, you should identify the traffic directly in the policy map. Create the class map by entering the following command: hostname(config)# class-map type inspect h323 [match-all | match-any] class_map_name hostname(config-cmap)#...
  • Page 327 This option is available for called or calling party matching. Step 5 To configure parameters that affect the inspection engine, perform the following steps: To enter parameters configuration mode, enter the following command:...
  • Page 328 3 “5553456789” hostname(config)# class-map type inspect h323 match-all h323_traffic hostname(config-pmap-c)# match called-party regex caller1 hostname(config-pmap-c)# match calling-party regex caller2 hostname(config)# policy-map type inspect h323 h323_map hostname(config-pmap)# parameters hostname(config-pmap-p)# class h323_traffic...
  • Page 329 Where h323_policy_map is the optional H.323 inspection policy map. You need a map only if you want non-default inspection processing. For information on creating the H.323 inspection policy map, see Configure H.323 Inspection Policy Map, page 14-6. Example: hostname(config-class)# no inspect h323 h225 hostname(config-class)# no inspect h323 ras...
  • Page 330 If there is an abnormally large number of connections, check that the sessions are timing out based on the default timeout values or the values set by you. If they are not, then there is a problem that needs to be investigated...
  • Page 331 The second LCN of 259 has a foreign RTP IP address/port pair of 172.30.254.203/49606 and an RTCP IP address/port pair of 172.30.254.203/49607 with a local RTP IP address/port pair of 10.130.56.3/49606 and RTCP port of 49607...
  • Page 332 The following figure illustrates how you can use NAT with MGCP...
  • Page 333 Use the following process to enable MGCP inspection. Procedure Step 1 Configuring an MGCP Inspection Policy Map for Additional Inspection Control, page 14-14. Step 2 Configure the MGCP Inspection Service Policy, page 14-15...
  • Page 334 The following example shows how to define an MGCP map: hostname(config)# policy-map type inspect mgcp sample_map hostname(config-pmap)# parameters hostname(config-pmap-p)# call-agent 10.10.11.5 101 hostname(config-pmap-p)# call-agent 10.10.11.6 101 hostname(config-pmap-p)# call-agent 10.10.11.7 102 hostname(config-pmap-p)# call-agent 10.10.11.8 102 hostname(config-pmap-p)# gateway 10.10.10.115 101...
  • Page 335 Where mgcp_policy_map is the optional MGCP inspection policy map. For information on creating the MGCP inspection policy map, see Configuring an MGCP Inspection Policy Map for Additional Inspection Control, page 14-14. Example:...
  • Page 336 The timeout mgcp-pat command lets you set the timeout for PAT xlates. Because MGCP does not have a keepalive mechanism, if you use non-Cisco MGCP gateways (call agents), the PAT xlates are torn down after the default timeout interval, which is 30 seconds.
  • Page 337 The RTSP inspection engine lets the ASA pass RTSP packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. For Cisco IP/TV, use RTSP TCP ports 554 and 8554. Note RTSP applications use the well-known port 554 with TCP (rarely UDP) as a control channel. The ASA only supports TCP, in conformity with RFC 2326.
  • Page 338 NAT on fragmented packets. • With Cisco IP/TV, the number of translates the ASA performs on the SDP part of the message is proportional to the number of program listings in the Content Manager (each program listing can have at least six embedded IP addresses).
  • Page 339 [not] url-filter regex {regex_name | class class_name}—Matches the URL against the specified regular expression or regular expression class. Step 2 To create an RTSP inspection policy map, enter the following command: hostname(config)# policy-map type inspect rtsp policy_map_name hostname(config-pmap)#...
  • Page 340...
  • Page 341 To edit the default policy, or to use the special inspection_default class map in a new policy, specify inspection_default for the name. Otherwise, you are specifying the class you created earlier in this procedure. Step 4 Configure RTSP inspection. inspect rtsp [rtsp_policy_map]...
  • Page 342 Limitations for SIP Inspection, page 14-23 • Default SIP Inspection, page 14-24 • Configure SIP Inspection, page 14-24 • Configure SIP Timeout Values, page 14-29 • Verifying and Monitoring SIP Inspection, page 14-29...
  • Page 343 RTC Client 5.0 is not supported. Limitations for SIP Inspection SIP inspection is tested and supported for Cisco Unified Communications Manager (CUCM) 7.0, 8.0, 8.6, and 10.5. It is not supported for CUCM 8.5, or 9.x. SIP inspection might work with other releases and products.
  • Page 344 When defining traffic matching criteria, you can either create a class map or include the match statements directly in the policy map. The following procedure explains both approaches...
  • Page 345 [not] message-path regex {regex_name | class class_name}—Matches the SIP via header against the specified regular expression or regular expression class...
  • Page 346 How Multiple Traffic Classes are Handled, page 12-4. Step 5 To configure parameters that affect the inspection engine, perform the following steps: To enter parameters configuration mode, enter the following command: hostname(config-pmap)# parameters hostname(config-pmap-p)#...
  • Page 347 Trust Verification Services servers, which enable Cisco Unified IP Phones to authenticate application servers during HTTPS establishment. You can enter the command up to four times to identify four servers. SIP inspection opens pinholes to each server for each registered phone, and the phone decides which to use.
  • Page 348 To edit the default policy, or to use the special inspection_default class map in a new policy, specify inspection_default for the name. Otherwise, you are specifying the class you created earlier in this procedure. Step 4 Configure SIP inspection. inspect sip [sip_policy_map] [tls-proxy proxy_name] Where:...
  • Page 349 The show sip command displays information for SIP sessions established across the ASA. Along with the debug sip and show local-host commands, this command is used for troubleshooting SIP inspection engine issues...
  • Page 350 The ASA also supports DHCP options 150 and 66, which it accomplishes by sending the location of a TFTP server to Cisco IP Phones and other DHCP clients. Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route.
  • Page 351 Cisco CallManager server. When the Cisco IP Phones are on a lower security interface compared to the TFTP server, you must use an ACL to connect to the protected TFTP server on UDP port 69. While you do need a static entry for the TFTP server, this does not have to be an identity static entry.
  • Page 352 Specify the action to perform on matching packets. You can drop the packet and optionally log it. hostname(config-pmap)# drop [log] Repeat the process until you identify all message IDs that you want to drop...
  • Page 353 You can alternatively create a new service policy as desired, for example, an interface-specific policy. Procedure Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection. class-map name match parameter...
  • Page 354 Step 5 If you are editing an existing service policy (such as the default global policy called global_policy), you are done. Otherwise, activate the policy map on one or more interfaces. service-policy policymap_name {global | interface interface_name} Example: hostname(config)# service-policy global_policy global...
  • Page 355 There are two active Skinny sessions set up across the ASA. The first one is established between an internal Cisco IP Phone at local address 10.0.0.11 and an external Cisco CallManager at 172.18.1.33. TCP port 2000 is the CallManager.
  • Page 356 UC-IME Proxy was removed. configuring SIP inspection. Use TLS Proxy to inspect encrypted traffic. We removed the following commands: phone-proxy, uc-ime. We removed the phone-proxy and uc-ime keywords from the inspect sip command...
  • Page 357 • Configure DCERPC Inspection, page 15-2 DCERPC Overview DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely...
  • Page 358 To create a DCERPC inspection policy map, enter the following command: hostname(config)# policy-map type inspect dcerpc policy_map_name hostname(config-pmap)# Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode...
  • Page 359 Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection. class-map name match parameter Example: hostname(config)# class-map dcerpc_class_map hostname(config-cmap)# match access-list dcerpc...
  • Page 360 Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface...
  • Page 361 GTP allows multi-protocol packets to be tunneled through a UMTS/GPRS backbone between a GGSN, an SGSN and the UTRAN. GTP does not include any inherent security or encryption of user data, but using GTP with the ASA helps protect your network against these risks...
  • Page 362 Step 1 Configure a GTP Inspection Policy Map, page 15-7. Step 2 Configure the GTP Inspection Service Policy, page 15-9. Step 3 (Optional) Configure RADIUS accounting inspection to protect against over-billing attacks. See Inspection, page 15-12...
  • Page 363 How Multiple Traffic Classes are Handled, page 12-4. Step 4 To configure parameters that affect the inspection engine, perform the following steps: To enter parameters configuration mode, enter the following command: hostname(config-pmap)# parameters...
  • Page 364 When the ASA performs GTP inspection, by default the ASA drops GTP responses from GSNs that were not specified in the GTP request. This situation occurs when you use load-balancing among a pool of GSNs to provide efficiency and scalability of GPRS...
  • Page 365 Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection. class-map name match parameter Example: hostname(config)# class-map gtp_class_map hostname(config-cmap)# match access-list gtp...
  • Page 366 Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface...
  • Page 367 NSAPI. A GTP tunnel is defined by two associated PDP contexts in different GSN nodes and is identified with a Tunnel ID. A GTP tunnel is necessary to forward packets between an external packet data network and a MS user...
  • Page 368 Users in multiple directories are not unified. • Single users having multiple identities in multiple directories cannot be recognized by NAT. For information on enabling ILS inspection, see Configure Application Layer Protocol Inspection, page 12-9...
  • Page 369 RADIUS accounting inspection is not enabled by default. You must configure it if you want RADIUS accounting inspection. Procedure Step 1 Configure a RADIUS Accounting Inspection Policy Map, page 15-14. Step 2 Configure the RADIUS Accounting Inspection Service Policy, page 15-15...
  • Page 370 RADIUS accounting messages from these hosts. • timeout users time—Sets the idle timeout for users (in hh:mm:ss format). To have no timeout, specify 00:00:00. The default is one hour. Example policy-map type inspect radius-accounting radius-acct-pmap...
  • Page 371 Step 4 Configure RADIUS accounting inspection. inspect radius-accounting radius_accounting_policy_map Where radius_accounting_policy_map is the RADIUS accounting inspection policy map you created in Configure a RADIUS Accounting Inspection Policy Map, page 15-14...
  • Page 372 Use the snmp-map map_name command to create the map and enter SNMP map configuration mode, then the deny version version command to identify the versions to disallow. The version can be 1, 2, 2c, or 3...
  • Page 373 Note If you are editing the default global policy (or any in-use policy) to use a different inspection policy map, you must remove the SNMP inspection with the no inspect snmp command, and then re-add it with the new inspection policy map name...
  • Page 374 The SQL*Net inspection engine will recalculate the checksum, change IP, TCP lengths, and readjust Sequence Numbers and Acknowledgment Numbers using the delta of the length of the new and old message...
  • Page 375 RPC sessions. To create entries in the Sun RPC services table, use the sunrpc-server command in global configuration mode: hostname(config)# sunrpc-server interface_name ip_address mask service service_type protocol {tcp | udp} port[-port] timeout hh:mm:ss...
  • Page 376 IP address 192.168.100.2 on the inside interface. To display the pinholes open for Sun RPC services, enter the show sunrpc-server active command. The following is sample output from the show sunrpc-server active command:...
  • Page 377 During the XWindows session, the manager talks to the display Xserver on the well-known port 6000 | n. Each display has a separate connection to the Xserver, as a result of the following terminal setting. setenv DISPLAY Xserver:n where n is the display number...
  • Page 378 We did not modify any commands. VXLAN packet inspection 9.4(1) The ASA can inspect the VXLAN header to enforce compliance with the standard format. We introduced the following command: inspect vxlan...
  • Page 379 PART Connection Management and Threat Detection...
  • Page 381: Connection Settings

    Whenever idle times are exceeded, DCD probes both sides of the connection to see if both sides agree the connection is valid. The show service-policy command includes counters to show the amount of activity from DCD...
  • Page 382 You also use these rules to customize TCP Normalizer, change TCP sequence randomization, decrement time-to-live on packets, and implement TCP Intercept, Dead Connection Detection, or TCP State Bypass...
  • Page 383 1 minute. The default is 2 minutes. The SIP media timer is used for SIP RTP/RTCP with SIP UDP media packets, instead of the UDP inactivity timeout...
  • Page 384 Wikipedia for details on SYN cookies). When the ASA receives an ACK back from the client, it can then authenticate that the client is real and allow the connection to the server. The component that performs the proxy is called TCP Intercept...
  • Page 385 Step 3 Set the embryonic connection limits. • set connection embryonic-conn-max n—The maximum number of simultaneous embryonic connections allowed, between 0 and 2000000. The default is 0, which allows unlimited connections...
  • Page 386 <Rank> <Server IP:Port> <Interface> <Ave Rate> <Cur Rate> <Total> <Source IP (Last Attack Time)> ---------------------------------------------------------------------------------- 10.1.1.5:80 inside 1249 9503 2249245 <various> Last: 10.0.0.3 (0 secs ago) 10.1.1.6:80 inside 10 10 6080 10.0.0.200 (0 secs ago)...
  • Page 387 TCP packet sending out, it is an invalid ACK. – Whenever the ACK number of a received TCP packet is greater than the sequence number of the next TCP packet sending out, it is an invalid ACK...
  • Page 388 {allow | clear}—Set the action for packets with the URG flag. You can allow the packet, or clear the flag and allow the packet. The default is to clear the flag...
  • Page 389 For example, to allow urgent flag and urgent offset packets for all traffic sent to the range of TCP ports between the well known FTP data port and the Telnet port, enter the following commands: hostname(config)# tcp-map tmap hostname(config-tcp-map)# urgent-flag allow hostname(config-tcp-map)# class-map urg-class hostname(config-cmap)# match port tcp range ftp-data telnet...
  • Page 390 ASA 1, then the packets will match the entry in the fast path, and are passed through. But if subsequent packets go to ASA 2, where there was not a SYN packet that went through...
  • Page 391 TCP normalization—The TCP normalizer is disabled. • Service module functionality—You cannot use TCP state bypass and any application running on any type of service module, such as ASA FirePOWER. • Stateful failover...
  • Page 392 Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface...
  • Page 393 Step 2 Add or edit a policy map that sets the actions to take with the class map traffic, and identify the class map. policy-map name class name Example: hostname(config)# policy-map global_policy hostname(config-pmap)# class preserve-sq-no...
  • Page 394 This procedure shows a service policy for traffic that goes through the ASA. You can also configure the connection maximum and embryonic connection maximum for management (to the box) traffic. Before You Begin If you want to customize the TCP Normalizer, create the required TCP Map before proceeding...
  • Page 395 0 and 2000000. The default is 0, which allows unlimited connections. This argument restricts the maximum number of simultaneous connections that are allowed for each host that is matched to the class...
  • Page 396 50 burst-size 6 Step 6 Customize TCP Normalizer behavior by applying a TCP map. set connection advanced-options tcp-map-name Example:...
  • Page 397 You can use the following commands to monitor connections: • show conn Shows connection information. The “b” flag indicates traffic subject to TCP State Bypass. • show service-policy Shows service policy statistics, including Dead Connection Detection (DCD) statistics...
  • Page 398 The PAT xlate timeout is now configurable, to a value between 30 seconds and 5 minutes. We introduced the following command: timeout pat-xlate. This feature is not available in 8.5(1) or 8.6(1)...
  • Page 399 30 seconds timeout and connection timeout was lowered from 5 minutes to 30 seconds to provide better DoS protection. We modified the following commands: set connection timeout half-closed, timeout half-closed...
  • Page 400 Chapter 16 Connection Settings History for Connection Settings...
  • Page 401: Quality Of Service

    This section describes the QoS features available on the ASA. • Supported QoS Features, page 17-2 • What is a Token Bucket?, page 17-2 • Policing, page 17-2 • Priority Queuing, page 17-3 • DSCP (DiffServ) Preservation, page 17-3...
  • Page 402 When traffic exceeds the maximum rate, the ASA drops the excess traffic. Policing also sets the largest single burst of traffic allowed...
  • Page 403 Supported in routed firewall mode only. Does not support transparent firewall mode. IPv6 Guidelines Does not support IPv6. Model Guidelines • (ASA 5512-X through ASA 5555-X) Priority queuing is not supported on the Management 0/0 interface. • (ASASM) Only policing is supported...
  • Page 404 VPN, you might use 160 bytes. We recommend 256 bytes if you do not know what size to use. • Delay—The delay depends on your application. For example, the recommended maximum delay for VoIP is 200 ms. We recommend 500 ms if you do not know what delay to use...
  • Page 405 TX ring limit worksheet: bandwidth (Mbps or Kbps) expressed in Kbps × 0.125 = # of bytes/ms; then # of bytes/ms from Step 1 ÷ maximum packet size (bytes), scaled by the delay (ms), gives the TX ring limit (# of packets)...
  • Page 406 The upper limit of the range of values for the tx-ring-limit command is determined dynamically at run time. To view this limit, enter tx-ring-limit ? on the command line. The key determinants are the memory needed to support the queues and the memory available on the device...
  • Page 407 Identify Traffic (Layer 3/4 Class Maps), page 11-13 for more information. Step 3 Create a class map to identify the traffic for which you want to perform policing...
  • Page 408 56000 10500 The options are: • conform-burst argument—Specifies the maximum number of instantaneous bytes allowed in a sustained burst before throttling to the conforming rate value, between 1000 and 512000000 bytes...
  • Page 409 499 packets, 625146 bytes; actions: drop conformed 5600 bps, exceed 5016 bps Class-map: cmap2 police Interface outside: cir 200000 bps, bc 37500 bytes conformed 17179 packets, 20614800 bytes; actions: transmit exceeded 617 packets, 770718 bytes; actions: drop...
  • Page 410 • “Packets Enqueued” denotes the overall number of packets that have been queued in this queue. • “Current Q Length” denotes the current depth of this queue. • “Max Q Length” denotes the maximum depth that ever occurred in this queue...
  • Page 411 LAN-to-LAN connection polices the tunnel. In this example, the “host-specific” traffic is rate-limited before the tunnel, then the tunnel is rate-limited: hostname(config)# access-list host-over-l2l extended permit ip any host 192.168.10.10 hostname(config)# class-map host-specific hostname(config-cmap)# match access-list host-over-l2l...
  • Page 412 56000 10500 hostname(config-pmap-c)# class TG1-voice hostname(config-pmap-c)# priority hostname(config-pmap-c)# class TG1-best-effort hostname(config-pmap-c)# police output 200000 37500 hostname(config-pmap-c)# class class-default hostname(config-pmap-c)# police output 1000000 37500 hostname(config-pmap-c)# service-policy qos global...
  • Page 413 Ten Gigabit Ethernet support for a standard priority queue on the ASA 5585-X 8.2(3)/8.4(1) We added support for a standard priority queue on Ten Gigabit Ethernet interfaces for the ASA 5585-X...
  • Page 414 Chapter 17 Quality of Service History for QoS...
  • Page 415 ACL statistics are enabled by default. • Scanning threat detection, which determines when a host is performing a scan. You can optionally shun any hosts determined to be a scanning threat...
  • Page 416 The threat-detection statistics host command affects performance in a significant way; if you have a high traffic load, you might consider enabling this type of statistics temporarily. The threat-detection statistics port command, however, has modest impact...
  • Page 417 Traffic that is denied by an ACL does not trigger scanning threat detection; only traffic that is allowed through the ASA and that creates a flow is affected by scanning threat detection...
  • Page 418 Basic threat detection statistics are enabled by default, and might be the only threat detection service that you need. Use the following procedure if you want to implement additional threat detection services...
  • Page 419 You can configure up to three different rate intervals for each event type. Configure Advanced Threat Detection Statistics You can configure the ASA to collect extensive statistics. By default, statistics for ACLs are enabled. To enable other statistics, perform the following steps...
  • Page 420 Protect Servers from a SYN Flood DoS Attack (TCP Intercept), page 16-4). threat-detection statistics tcp-intercept [rate-interval minutes] [burst-rate attacks_per_sec] [average-rate attacks_per_sec] Example: hostname(config)# threat-detection statistics tcp-intercept rate-interval 60 burst-rate 800 average-rate 600...
  • Page 421 Step 3 threat-detection rate scanning-threat rate-interval rate_interval average-rate av_rate burst-rate burst_rate Example: hostname(config)# threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20 hostname(config)# threat-detection rate scanning-threat rate-interval 2400 average-rate 10 burst-rate 20...
  • Page 422 You can clear statistics using the clear threat-detection rate command. The following is sample output from the show threat-detection rate command: hostname# show threat-detection rate Average(eps) Current(eps) Trigger Total events 10-min ACL drop:...
  • Page 423 [rate-1 | rate-2 | rate-3] | tcp-intercept [all] detail]] statistics that exceed the minimum display rate in events per second. You can set the min_display_rate between 0 and 2147483647. The following rows explain the optional keywords...
  • Page 424 The following is sample output from the show threat-detection statistics host command: hostname# show threat-detection statistics host Average(eps) Current(eps) Trigger Total events Host:10.0.0.1: tot-ses:289235 act-ses:22571 fw-drop:0 insp-drop:0 null-ses:21438 bad-acc:0 1-hour Sent byte: 2938 10580308...
  • Page 425 HOST_PORT_CLOSE. Any client accessing the port of the host is immediately classified as a bad access without the need to wait for a timeout...
  • Page 426 Monitoring Shunned Hosts, Attackers, and Targets To monitor and manage shunned hosts and attackers and targets, use the following commands: • show threat-detection shun Displays the hosts that are currently shunned. For example:...
  • Page 427 60 burst-rate 800 average-rate 600 threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0 threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20 threat-detection rate scanning-threat rate-interval 2400 average-rate 10 burst-rate 20...
  • Page 428 The following commands were modified: threat-detection statistics port number-of-rates, threat-detection statistics protocol number-of-rates. Improved memory usage 8.3(1) The memory usage for threat detection was improved. The following command was introduced: show threat-detection memory...
