Cisco ASA Series Cli Configuration Manual

Software version 9.0 for the services module
Cisco ASA Series CLI Configuration Guide
Software Version 9.0 for the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550,
ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5580, ASA
5585-X, and the ASA Services Module
Released: October 29, 2012
Updated: February 25, 2013
Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide.
Addresses, phone numbers, and fax numbers
are listed on the Cisco website at
www.cisco.com/go/offices.
Text Part Number: N/A, Online only


  Summary of Contents for Cisco ASA Series

  • Page 1 Cisco ASA Series CLI Configuration Guide Software Version 9.0 for the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, and the ASA Services Module...
  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
  • Page 3: About This Guide

    This guide applies to the Cisco ASA series. Throughout this guide, the term “ASA” applies generically to supported models, unless specified otherwise.
  • Page 4 Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
  • Page 5 ESP, which provides both authentication and encryption. See also encryption and VPN. Refer to the RFC 2402. Advanced Inspection and Prevention. For example, the AIP SSM or AIP SSC, which runs IPS software. Cisco ASA Series CLI Configuration Guide GL-1...
  • Page 6 BPDU Bridge Protocol Data Unit. Spanning-Tree Protocol hello packet that is sent out at configurable intervals to exchange information among bridges in the network. Protocol data unit is the OSI term for packet.
  • Page 7 Compression can reduce the size of transferring packets and increase communication performance. configuration, config, config file A file on the ASA that represents the equivalent of settings, preferences, and properties administered by ASDM or the CLI.
  • Page 8 CTIQBE is used by the TAPI/JTAPI protocol inspection module and supports NAT, PAT, and bidirectional NAT. This protocol enables Cisco IP SoftPhone and other Cisco TAPI/JTAPI applications to communicate with Cisco CallManager for call setup and voice traffic across the ASA.
  • Page 9 See also encryption. Data encryption standard. DES was published in 1977 by the National Bureau of Standards and is a secret key encryption scheme based on the Lucifer algorithm from IBM. Cisco uses DES in classic crypto (40-bit and 56-bit key lengths),...
  • Page 10 Enhanced Interior Gateway Routing Protocol. The ASA does not support EIGRP. EMBLEM Enterprise Management BaseLine Embedded Manageability. A syslog format designed to be consistent with the Cisco IOS system log format and is more compatible with CiscoWorks management applications. encryption Application of a specific algorithm or cipher to data so as to render the data incomprehensible to those unauthorized to see the information.
  • Page 11 Suite of ITU-T standard specifications for video conferencing over circuit-switched media, such as ISDN, fractional T-1, and switched-56 lines. Extensions of ITU-T standard H.320 enable video conferencing over LANs and other packet-switched networks, as well as video over the Internet.
  • Page 12 Hash Algorithm A hash algorithm is a one-way function that operates on a message of arbitrary length to create a fixed-length message digest used by cryptographic services to ensure its data integrity. MD5 has a smaller digest and is considered to be slightly faster than SHA-1. Cisco uses both SHA-1 hashes within our implementation of the IPsec framework.
  • Page 13 The use of where the IP address is also the IP address of the outside interface. See Dynamic PAT, Static PAT. Internet The global network that uses IP. Not a LAN. See also intranet.
  • Page 14 Internet Service Provider. An organization that provides connection to the Internet via their services, such as modem dial in over telephone voice lines or DSL. JTAPI Java Telephony Application Programming Interface. A Java-based API supporting telephony functions. See also TAPI.
  • Page 15 Layer Two Tunneling Protocol. An IETF standards track protocol defined in RFC 2661 that provides tunneling of PPP. L2TP is an extension to the PPP. L2TP merges the older Cisco Layer Two Forwarding (L2F) protocol with PPTP. L2TP can be used with IPsec encryption and is considered more secure against attack than PPTP.
  • Page 16 Mode Config IKE Mode Configuration. Modular Policy Framework A means of configuring ASA features in a manner similar to Cisco IOS software Modular CLI. mobile station Refers generically to any mobile device, such as a mobile handset or computer, that is used to access network services.
  • Page 17 IMSI. See also IMSI. NSSA not-so-stubby-area. An OSPF feature described by RFC 1587. NSSA was first introduced in Cisco IOS software release 11.2. It is a nonproprietary extension of the existing stub area feature that allows the injection of external routes in a limited fashion into the stub area.
  • Page 18 See also PIM-SM. PIM-SM Protocol Independent Multicast-Sparse Mode. With PIM-SM, which is the default for Cisco routers, when the source of a multicast transmission begins broadcasting, the traffic is forwarded from one MC router to the next, until the packets reach every registered host. See also PIM.
  • Page 19 These characteristics of key pairs provide a scalable and secure method of authentication over an insecure media, such as the Internet.
  • Page 20 (named after its inventors, Rivest, Shamir, and Adelman) with a variable key length. The main weakness of RSA is that it is significantly slow to compute compared to popular secret-key algorithms, such as DES. The Cisco implementation of uses a Diffie-Hellman exchange to get the secret keys.
  • Page 21 SA is used by only, and unlike the IPsec SA, it is bidirectional. SCCP Skinny Client Control Protocol. A Cisco-proprietary protocol used between Cisco Call Manager and Cisco VoIP phones. SCEP Simple Certificate Enrollment Protocol. A method of requesting and receiving (also known as enrolling) certificates from CAs.
  • Page 22 ASA is sent through an IPsec tunnel. All traffic originating from the client is sent to the outside interface through a tunnel, and client access to the Internet from its remote site is denied.
  • Page 23 See also AAA, RADIUS. TAPI Telephony Application Programming Interface. A programming interface in Microsoft Windows that supports telephony functions. Transmission Control Protocol. Connection-oriented transport layer protocol that provides reliable full-duplex data transmission.
  • Page 24 Transport mode is less secure than tunnel mode. TAPI Service Provider. See also TAPI. tunnel mode IPsec encryption mode that encrypts both the header and data portion (payload) of each packet. Tunnel mode is more secure than transport mode.
  • Page 25 IP address that matches the correct source interface according to the routing table. Uniform Resource Locator. A standardized addressing scheme for accessing hypertext documents and other services using a browser. For example, http://www.cisco.com. user EXEC mode The lowest privilege level at the ASA CLI. The user EXEC mode prompt appears as follows when you first access the ASA: hostname>...
  • Page 26 This lets different vendors have VSAs of the same number. The combination of a vendor number and a VSA number makes a VSA unique. For example, the cisco-av-pair VSA is attribute 1 in the set of VSAs related to vendor number 9. Each vendor can define up to 256 VSAs. A...
  • Page 27 IKE Extended Authentication. xlate An xlate, also referred to as a translation entry, represents the mapping of one IP address to another, or the mapping of one IP address/port pair to another.
  • Page 61 PART Getting Started with the ASA...
  • Page 63: Table Of Contents

    CHAPTER Introduction to the Cisco ASA The Cisco ASA provides advanced stateful firewall and VPN concentrator functionality in one device, and for some models, integrated services modules such as IPS. The ASA includes many advanced...
  • Page 64: ASDM Client Operating System And Browser Requirements

    When using Java 6 for accessing the splash screen in a browser, by default, Internet Explorer on Windows Vista and later and Firefox on all operating systems do not support DES for SSL; therefore without the strong encryption license (3DES/AES), see the following workarounds:
  • Page 65: Hardware And Software Compatibility

    To change the security setting, open System Preferences, and click Security & Privacy. On the General tab, under Allow applications downloaded from, click Anywhere. Hardware and Software Compatibility For a complete list of supported hardware and software, see the Cisco ASA Compatibility: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html VPN Specifications See Supported VPN Platforms, Cisco ASA 5500 Series: http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html...
  • Page 66: New Features

    The active cluster member count • The output of the show cluster info command and the show cluster history command on the cluster master New Features in ASA 9.0(2)/ASDM 7.1(2) Released: February 25, 2013
  • Page 67 Windows 8 Support See the following limitations: • Secure Desktop (Vault) is not supported with Windows 8. Dynamic Access Policies: ASDM was updated to enable selection of Windows 8 in the DAP Operating System attribute.
  • Page 68 Formerly, when you cleared the password, the ASA restored the default of “cisco.” Now when you clear the password, the password is removed. The login password is also used for Telnet sessions from the switch to the ASASM (see the session command).
  • Page 69 Released: October 29, 2012 Table 1-5 lists the new features for ASA Version 9.0(1)/ASDM Version 7.0(1). Note Features added in 8.4(4.x), 8.4(5), and 8.4(6) are not included in 9.0(1) unless they are explicitly listed in this table.
  • Page 70 IP addresses. The ASA can utilize the Cisco TrustSec solution for other types of security group based policies, such as application inspection; for example, you can configure a class map containing an access policy based on a security group.
  • Page 71 New Features for ASA Version 9.0(1)/ASDM Version 7.0(1) (continued) Feature Description Cisco Cloud Web Security (ScanSafe) Cisco Cloud Web Security provides content scanning and other malware protection service for web traffic. It can also redirect and report about web traffic based on user identity. Note Clientless SSL VPN is not supported with Cloud Web Security;...
  • Page 72 Therefore, Sun RPC inspection implements a pinhole mechanism to support egress traffic. Sun RPC inspection uses this pinhole mechanism to support outbound dynamic access lists. Also available in 8.4(4.1).
  • Page 73 We modified the following commands: set connection conn-max, set connection embryonic-conn-max, set connection per-client-embryonic-max, set connection per-client-max. We modified the following screen: Configuration > Firewall > Service Policy Rules > Connection Settings. Also available in 8.4(5) High Availability and Scalability Features
  • Page 74 For EIGRP, bulk synchronization, route synchronization, and spanned EtherChannels are supported in the clustering environment. Multicast routing supports clustering. We introduced or modified the following commands: show route cluster, debug route cluster, show mfib cluster, debug mfib cluster.
  • Page 75 This release of the ASA continues to support IPv6 VPN traffic on its inside interface using the SSL protocol as it has in the past. This release does not provide IKEv2/IPsec protocol on the inside interface.
  • Page 76 IKEv2/IPsec protocol. We introduced the following command: ipv6-split-tunnel-policy. We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Group Policies > (Edit group policy) > Advanced > Split Tunneling.
  • Page 77 This feature can be used by clients configured to use the SSL or IKEv2/IPsec protocol. We introduced the following command: gateway-fqdn. We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Group Policies > (Edit group policy) > Advanced > AnyConnect.
  • Page 78 We modified the following screens: Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies > Add > Cisco AAA attribute Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies > Add > Device > Add Endpoint Attribute Configuration >...
  • Page 79 We modified the following screen: Configuration > Device Management > DHCP > DHCP Relay.
  • Page 80 Configuration > Device Setup > Routing > OSPFv3 > Summary Prefix Configuration > Device Setup > Routing > OSPFv3 > Virtual Link Monitoring > Routing > OSPFv3 LSAs Monitoring > Routing > OSPFv3 Neighbors
  • Page 81 (767001) when unsupported inspections receive and drop IPv6 traffic. We modified the following command: service-policy fail-close. We modified the following screen: Configuration > Firewall > Service Policy Rules > Add Service Policy Rule Wizard - Service Policy. Remote Access Features
  • Page 82 Remote File Explorer network from their web browser. When users click the Remote File System icon on the Cisco SSL VPN portal page, an applet is launched on the user's system displaying the remote file system in a tree and folder view.
  • Page 83 Custom attributes can benefit AnyConnect clients configured for either IKEv2/IPsec or SSL protocols. We added the following command: anyconnect-custom-attr. A new screen was added: Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attributes.
  • Page 84 Configuration > Site-to-Site VPN > Certificate Management > Identity Certificates Configuration > Site-to-Site VPN > Advanced > System Options Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto Maps
  • Page 85 You cannot set the firewall mode in ASDM; you must use the command-line interface. Also available in Version 8.5(1). Module Features ASA Services Module support on the Cisco 7600 switch The Cisco 7600 series now supports the ASASM. For specific hardware and software requirements, see: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html.
  • Page 86: How The ASA Services Module Works With The Switch

    We did not modify any screens. How the ASA Services Module Works with the Switch You can install the ASASM in the Catalyst 6500 series and Cisco 7600 series switches with Cisco IOS software on both the switch supervisor and the integrated MSFC.
  • Page 87 [Figure: MSFC/Router In Front of the ASASM. Labels: Internet, Router, MSFC/Router, ASASM, Inside, VLAN 100, VLAN 200, VLAN 201, VLAN 202, VLAN 203, VLAN 301, VLAN 302, VLAN 303]
  • Page 88: Firewall Functional Overview

    Because the ASA lets you configure many interfaces with varied security policies, including many inside interfaces, many DMZs, and even many outside interfaces if desired, these terms are used in a general sense only.
  • Page 89: Applying NAT

    You can use private addresses on your inside networks. Private addresses are not routable on the Internet. • NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host. • NAT can resolve IP routing problems by supporting overlapping IP addresses.
  • Page 90 Some network traffic, such as voice and streaming video, cannot tolerate long latency times. QoS is a network feature that lets you give priority to these types of traffic. QoS refers to the capability of a network to provide better service to selected network traffic.
  • Page 91 Configuring Cisco Unified Communications The Cisco ASA 5500 series is a strategic platform to provide proxy functions for unified communications deployments. The purpose of a proxy is to terminate and reoriginate connections between a client and server.
  • Page 92 These protocols include FTP, H.323, and SNMP. • Is this an established connection?
  • Page 93: VPN Functional Overview

    Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.
  • Page 94: ASA Clustering Overview

    (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices. You perform all configuration (aside from the bootstrap configuration) on the master unit only; the configuration is then replicated to the member units.
  • Page 95 Configuring the Switch for Use with the ASA Services Module This chapter describes how to configure the Catalyst 6500 series or Cisco 7600 series switch for use with the ASASM. Before completing the procedures in this chapter, configure the basic properties of your switch, including assigning VLANs to switch ports, according to the documentation that came with your switch.
  • Page 96: Guidelines And Limitations

    Configuring the Switch for Use with the ASA Services Module Guidelines and Limitations To view a matrix of hardware and software compatibility for the ASASM and Cisco IOS versions, see the Cisco ASA 5500 Series Hardware and Software Compatibility: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html Some ASASM features interact with Cisco IOS features.
  • Page 97: Verifying The Module Installation

    Distributed Forwarding Card WS-F6700-DFC3C SAL1443XRDC Base PID: Model Serial No. ---- ----------- ---------- 2 WS-SVC-APP-HW-1 SAD143502E8 4 TRIFECTA SAD135101Z9 Online Diag Status ---- ------------------- Pass 2/0 Not Applicable Not Applicable 4/0 Not Applicable Pass Pass Cisco ASA Series ASDM Configuration Guide...
  • Page 98: Assigning Vlans To The Asa Services Module

    You can assign up to 16 firewall VLAN groups to each ASASM. (You can create more than 16 VLAN groups in Cisco IOS software, but only 16 can be assigned per ASASM.) For example, you can assign all the VLANs to one group; or you can create an inside group and an outside group; or you can create a group for each customer.
  • Page 99: Using The Msfc As A Directly Connected Router

    ASASM outside interface), then add an ASASM VLAN interface to the MSFC as a switched virtual interface (SVI). This section includes the following topics: • Information About SVIs, page 1-6 • Configuring SVIs, page 1-8 Cisco ASA Series ASDM Configuration Guide...
  • Page 100 For example, with multiple SVIs, you could accidentally allow traffic to pass around the ASASM by assigning both the inside and outside VLANs to the MSFC. (See Figure 1-1.) Figure 1-1 Multiple SVI Misconfiguration Internet VLAN 100 MSFC VLAN 200 ASA SM VLAN 201 VLAN 201 Inside Cisco ASA Series ASDM Configuration Guide...
  • Page 101 IPX traffic to pass on VLAN 201. Figure 1-2 Multiple SVIs for IPX Internet VLAN 100 MSFC VLAN 200 ASA SM VLAN 201 VLAN 201 Inside IPX Host IP Host Cisco ASA Series ASDM Configuration Guide...
  • Page 102 Allows you to add more than one SVI to the ASASM. firewall multiple-vlan-interfaces Example: Router(config)# firewall multiple-vlan-interfaces Step 2 Adds a VLAN interface to the MSFC. interface vlan vlan_number Example: Router(config)# interface vlan 55 Cisco ASA Series ASDM Configuration Guide...
  • Page 103: Configuring The Switch For Asa Failover

    Assigning VLANs to the Secondary ASA Services Module, page 1-10 • Adding a Trunk Between a Primary Switch and Secondary Switch, page 1-10 • Ensuring Compatibility with Transparent Firewall Mode, page 1-10 • Enabling Autostate Messaging for Rapid Link Failure Detection, page 1-10 Cisco ASA Series ASDM Configuration Guide...
  • Page 104 The last interface belonging to a VLAN goes down. • The first interface belonging to a VLAN comes up. Detailed Steps Command Purpose Enables autostate messaging in Cisco IOS software. firewall autostate Autostate messaging is disabled by default. Example: Router(config)# firewall autostate Cisco ASA Series ASDM Configuration Guide...
  • Page 105: Resetting The Asa Services Module

    Displays all configured VLAN groups. show firewall vlan-group Displays the status and information about the configured show interface vlan VLAN interface. Examples The following is sample output from the show firewall module [mod-num] state command: Cisco ASA Series ASDM Configuration Guide 1-11...
  • Page 106 Router# show firewall module Module Vlan-groups 50,52 51,52 The following is sample output from the show firewall module [mod-num] version command: Router# show firewall module 2 version ASA Service Module 2: Sw Version: 100.7(8)19 Cisco ASA Series ASDM Configuration Guide 1-12...
  • Page 107: Feature History For The Switch For Use With The Asa Services Module

    We introduced or modified the following commands: firewall transparent, mac address auto, firewall autostate (IOS), interface vlan. Feature: ASA Services Module support on the Cisco 7600 switch. Platform release: 9.0(1). Description: The Cisco 7600 series now supports the ASASM.
  • Page 108 Chapter 1 Configuring the Switch for Use with the ASA Services Module: Feature History for the Switch for Use with the ASA Services Module
  • Page 109: Getting Started

    Press the Enter key to see the following prompt: hostname> This prompt indicates that you are in user EXEC mode. Only basic commands are available from user EXEC mode. Step 3 To access privileged EXEC mode, enter the following command: hostname> enable
  • Page 110: Accessing The Asa Services Module Command-Line Interface

    Later, you can configure remote access directly to the ASASM using Telnet or SSH according to the “Configuring ASA Access for ASDM, Telnet, or SSH” section on page 1-1. This section includes the following topics: • Information About Connection Methods, page 1-3
  • Page 111 You must use a direct serial connection to return the console to the switch prompt. In this case, either change the terminal server or switch escape character in Cisco IOS, or use the Telnet session command instead. Note Because of the persistence of the console connection, if you do not properly log out of the ASASM, the connection may exist longer than intended.
  • Page 112 Enter the login password to the ASASM. Set the password using the passwd command. 9.0(1): The default password is “cisco.” 9.0(2) and later: There is no default password. You access user EXEC mode. Step 2...
  • Page 113: Logging Out

    (^) character as a standalone character, you can temporarily or permanently change the escape character to a different character. In Cisco IOS, before you session to the ASASM, use the terminal escape-character ascii_number command (to change temporarily) or the default escape-character ascii_number command (to change permanently).
  • Page 114: Configuring Asdm Access For Appliances

    Accessing ASDM Using the Factory Default Configuration: With a factory default configuration (see the “Factory Default Configurations” section on page 1-18), ASDM connectivity is pre-configured with default network settings. Connect to ASDM using the following interface and network settings:
  • Page 115 Step 1 (Optional): Command: firewall transparent. Purpose: Enables transparent firewall mode. This command clears your configuration. Example: hostname(config)# firewall transparent. Step 2: Do one of the following to configure a management interface, depending on your mode:
  • Page 116 DHCP range. You can later change the IPS module management address using the ASA if required. Example (continued): 192.168.1.5-192.168.1.254 inside; hostname(config)# dhcpd enable inside. Step 5: Command: http server enable. Purpose: Enables the HTTP server for ASDM. Example: hostname(config)# http server enable
  • Page 117 If you do not have a factory default configuration, or want to change the firewall or context mode, perform the following steps. Prerequisites: Access the CLI according to the “Accessing the Appliance Command-Line Interface” section on page 1-1.
  • Page 118 Command: http server enable. Purpose: Enables the HTTP server for ASDM. Example: hostname(config)# http server enable. Step 6: Command: http ip_address mask interface_name. Purpose: Allows the management host to access ASDM. Example: hostname(config)# http 192.168.1.0 255.255.255.0 management
  • Page 119: Configuring Asdm Access For The Asa Services Module

    “Assigning VLANs to the ASA Services Module” section on page 1-4. • Connect to the ASASM and access global configuration mode according to the “Accessing the ASA Services Module Command-Line Interface” section on page 1-2.
  • Page 120 Command: dhcpd address ip_address-ip_address interface_name; dhcpd enable interface_name. Purpose: Enables DHCP for the management host on the management interface network. Make sure you do not include the management address in the range. Example: hostname(config)# dhcpd address 192.168.1.2-192.168.1.254 inside; hostname(config)# dhcpd enable inside
  • Page 121 The following configuration converts the firewall mode to transparent mode, configures the VLAN 1 interface and assigns it to BVI 1, and enables ASDM for a management host: firewall transparent interface bvi 1 ip address 192.168.1.1 255.255.255.0 interface vlan 1 bridge-group 1 nameif inside
  • Page 122: Starting Asdm

    Where interface_ip_address is the management IP address of the ASA. See the “Configuring ASDM Access for Appliances” section on page 1-6 or the “Configuring ASDM Access for the ASA Services Module” section on page 1-11 for more information about management access.
  • Page 123 With HTTPS authentication enabled, enter your username and associated password. If there is a new version of ASDM on the ASA, the ASDM Launcher automatically downloads the new version and requests that you update the current version before starting ASDM.
  • Page 124 Step 1 Start the Java Web Start application. Step 2 Accept any certificates according to the dialog boxes that appear. The Cisco ASDM-IDM Launcher appears. Step 3 Enter the username and password, and click OK. For a factory default configuration, leave these fields empty.
  • Page 125 Step 2 Double-click the installer to install the software. Step 3 Double-click the Cisco ASDM Launcher shortcut on your desktop, or open it from the Start menu. Step 4 Check the Run in Demo Mode check box. The Demo Mode window appears.
  • Page 126: Factory Default Configurations

    Getting Started: Factory Default Configurations. The factory default configuration is the configuration applied by Cisco to new ASAs. • ASA 5505—The factory default configuration configures interfaces and NAT so that the ASA is ready to use in your network immediately.
  • Page 127 Ethernet 0/0 assigned to outside. • IP addresses— Outside address from DHCP; inside address set manually to 192.168.1.1/24. • Network address translation (NAT)—All inside IP addresses are translated when accessing the outside using interface PAT.
  • Page 128 Ethernet 0/5 switchport access vlan 1 no shutdown interface Ethernet 0/6 switchport access vlan 1 no shutdown interface Ethernet 0/7 switchport access vlan 1 no shutdown interface vlan2 nameif outside no shutdown
  • Page 129 IP addresses—The IP addresses configured should be changed to match the network to which you are connecting. • Static routes—For some kinds of traffic, static routes are required. See the “MAC Address vs. Route Lookups” section on page 1-6.
  • Page 130 192.168.1.1 255.255.255.0 interface vlan2 nameif outside security-level 0 bridge-group 1 no shutdown interface vlan1 nameif inside security-level 100 bridge-group 1 no shutdown http server enable http 192.168.1.0 255.255.255.0 inside dhcpd address 192.168.1.5-192.168.1.254 inside
  • Page 131: Working With The Configuration

    Additional information about contexts is in Chapter 1, “Configuring Multiple Context Mode.” This section includes the following topics: • Saving Configuration Changes, page 1-24 • Copying the Startup Configuration to the Running Configuration, page 1-25
  • Page 132: Saving Configuration Changes

    URL, except for an HTTP or HTTPS URL, which do not let you save the configuration to the server. Example: hostname# write memory. Note: The copy running-config startup-config command is equivalent to the write memory command.
  • Page 133 The context 'context a' could not be saved due to Unknown errors. Copying the Startup Configuration to the Running Configuration: Copy a new startup configuration to the running configuration using one of the following options.
  • Page 134 For example, to remove a specific nat command, enter enough of the command to identify it uniquely, as follows: hostname(config)# no nat (inside) 1
  • Page 135: Applying Configuration Changes To Connections

    To ensure that all connections use the new policy, you need to disconnect the current connections so they can reconnect using the new policy. To disconnect connections, enter one of the following commands.
  • Page 136: Reloading The Asa

    Reloading the ASA: To reload the ASA, enter the following command: Command: reload. Purpose: Reloads the ASA. Example: hostname(config)# reload. Note: In multiple context mode, you can only reload from the system execution space.
  • Page 137 The ASA acts as a router between connected networks, and each interface requires an IP address on a different subnet. The ASA supports multiple dynamic routing protocols. However, we recommend using the advanced routing capabilities of the upstream and downstream routers instead of relying on the ASA for extensive routing needs.
  • Page 138 Using the Transparent Firewall in Your Network: The ASA connects the same network between its interfaces. Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network.
  • Page 139 For example, all bridge groups share a syslog server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context.
  • Page 140: Information About The Firewall Mode

    ACL. Note: Broadcast and multicast traffic can be passed using access rules. See the “Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules” section on page 7-6 for more information.
  • Page 141 EtherType access list to deny them. If you are using failover, you might want to block BPDUs to prevent the switch port from going into a blocking state when the topology changes. See the “Transparent Firewall Mode Requirements” section on page 9-14 for more information.
  • Page 142 ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP spoofing). ARP spoofing can enable a “man-in-the-middle” attack. For example, a host sends an ARP request to the gateway router; the gateway router responds with the gateway router MAC address.
  • Page 143: Licensing Requirements For The Firewall Mode

    The default timeout value for dynamic MAC address table entries is 5 minutes. • By default, each interface automatically learns the MAC addresses of entering traffic, and the ASA adds corresponding entries to the MAC address table.
  • Page 144: Guidelines And Limitations

    (by default Cisco Catalyst switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on...
  • Page 145: Setting The Firewall Mode

    ASDM Command Line Interface tool or SSH, you will be disconnected when the configuration is cleared, and you will have to reconnect to the ASA using the console port in any case. • Set the mode within the context.
  • Page 146: Configuring Arp Inspection For The Transparent Firewall

    If an entry is incorrect (for example, the MAC address changes for a given IP address), the entry times out before it can be updated. Note: The transparent firewall uses dynamic ARP entries in the ARP table for traffic to and from the ASA, such as management traffic.
  • Page 147 Examples: For example, to enable ARP inspection on the outside interface, and to drop all non-matching ARP packets, enter the following command: hostname(config)# arp-inspection outside enable no-flood
  • Page 148: Customizing The Mac Address Table For The Transparent Firewall

    To change the timeout, enter the following command: Command: mac-address-table aging-time timeout_value. Purpose: Sets the MAC address entry timeout. The timeout_value (in minutes) is between 5 and 720 (12 hours). 5 minutes is the default. Example: hostname(config)# mac-address-table aging-time 10
  • Page 149: Monitoring The Transparent Firewall

    The following is sample output from the show mac-address-table command that shows the entire table: hostname# show mac-address-table interface mac address type Time Left ----------------------------------------------------------------------- outside 0009.7cbe.2100 static inside 0010.7cbe.6101 static inside 0009.7cbe.5101 dynamic
  • Page 150 An Inside User Visits a Web Server on the DMZ, page 1-17 • An Outside User Attempts to Access an Inside Host, page 1-17 • A DMZ User Attempts to Access an Inside Host, page 1-19
  • Page 151 The ASA performs NAT by untranslating the global destination address to the local user address, 10.1.2.27. The ASA forwards the packet to the inside user.
  • Page 152 The ASA performs NAT by translating the local source address to 209.165.201.3. The ASA forwards the packet to the outside user.
  • Page 153 The ASA forwards the packet to the inside user. An Outside User Attempts to Access an Inside Host: Figure 1-6 shows an outside user attempting to access the inside network.
  • Page 154 The packet is denied, and the ASA drops the packet and logs the connection attempt. If the outside user is attempting to attack the inside network, the ASA employs many technologies to determine if a packet is valid for an already established session.
  • Page 155 The ASA receives the packet and because it is a new session, the ASA verifies if the packet is allowed according to the security policy (access lists, filters, AAA). The packet is denied, and the ASA drops the packet and logs the connection attempt.
  • Page 156 An Inside User Visits a Web Server Using NAT, page 1-22 • An Outside User Visits a Web Server on the Inside Network, page 1-23 • An Outside User Attempts to Access an Inside Host, page 1-24
  • Page 157 The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The ASA forwards the packet to the inside user.
  • Page 158 The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The ASA performs NAT by untranslating the mapped address to the real address, 10.1.2.27.
  • Page 159 The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The ASA forwards the packet to the outside user.
  • Page 160 The packet is denied because there is no access list permitting the outside host, and the ASA drops the packet. If the outside user is attempting to attack the inside network, the ASA employs many technologies to determine if a packet is valid for an already established session.
  • Page 161: Feature History For The Firewall Mode

    You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode. We modified the following command: firewall transparent.
  • Page 162 Chapter 1 Configuring the Transparent or Routed Firewall: Feature History for the Firewall Mode
  • Page 163 VPN License and Feature Compatibility, page 1-23 Licenses Per Model: This section lists the feature licenses available for each model: • ASA 5505, page 1-3 • ASA 5510, page 1-4 • ASA 5520, page 1-5
  • Page 164 If you have a No Payload Encryption model, then some of the features below are not supported. See the “No Payload Encryption Models” section on page 1-32 for a list of unsupported features. For detailed information about licenses, see the “License Notes” section on page 1-18.
  • Page 165 Use the show local-host command to view host limits. 3. For a 10-user license, the max. DHCP clients is 32. For 50 users, the max. is 128. For unlimited users, the max. is 250, which is the max. for other models.
  • Page 166 Ethernet 0/2, 0/3, 0/4 (and others): Fast Eth. Security Contexts No support Optional licenses: Clustering No support No support VLANs, Maximum 1. Although the Ethernet 0/0 and 0/1 ports are Gigabit Ethernet, they are still identified as “Ethernet” in the software.
  • Page 167 Other VPN (sessions) VPN Load Balancing Supported General Licenses Encryption Base (DES) Optional license: Strong (3DES/AES) Failover Active/Standby or Active/Active Interfaces of all types, Max. 764 Security Contexts Optional licenses: Clustering No support VLANs, Maximum
  • Page 168 Other VPN (sessions) 5000 VPN Load Balancing Supported General Licenses Encryption Base (DES) Optional license: Strong (3DES/AES) Failover Active/Standby or Active/Active Interfaces of all types, Max. 964 Security Contexts Optional licenses: Clustering No support VLANs, Maximum
  • Page 169 Other VPN (sessions) 5000 VPN Load Balancing Supported General Licenses Encryption Base (DES) Optional license: Strong (3DES/AES) Failover Active/Standby or Active/Active Interfaces of all types, Max. 1764 Security Contexts Optional licenses: Clustering No support VLANs, Maximum
  • Page 170 Security Contexts Optional licenses: Clustering Disabled Optional license: Available VLANs, Maximum 1024 1. With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.
  • Page 171 Opt. lic.: Strong (3DES/AES) Failover No support Active/Standby or Active/Active Interfaces of all types, Max. 716 Security Contexts No support Optional licenses: IPS Module Disabled Optional license: Available Disabled Optional license: Available VLANs, Maximum
  • Page 172 General Licenses Encryption Base (DES) Optional license: Strong (3DES/AES) Failover Active/Standby or Active/Active Interfaces of all types, Max. 916 Security Contexts Optional licenses: Clustering No support IPS Module Disabled Optional license: Available VLANs, Maximum
  • Page 173 General Licenses Encryption Base (DES) Optional license: Strong (3DES/AES) Failover Active/Standby or Active/Active Interfaces of all types, Max. 1316 Security Contexts Optional licenses: Clustering No support IPS Module Disabled Optional license: Available VLANs, Maximum
  • Page 174 General Licenses Encryption Base (DES) Optional license: Strong (3DES/AES) Failover Active/Standby or Active/Active Interfaces of all types, Max. 1716 Security Contexts Optional licenses: Clustering No support IPS Module Disabled Optional license: Available VLANs, Maximum
  • Page 175 General Licenses Encryption Base (DES) Optional license: Strong (3DES/AES) Failover Active/Standby or Active/Active Interfaces of all types, Max. 2516 Security Contexts Optional licenses: Clustering No support IPS Module Disabled Optional license: Available VLANs, Maximum
  • Page 176 Base License: Disabled; fiber ifcs run at 1 GE Security Plus License: Enabled; fiber ifcs run at 10 GE Encryption Base (DES) Optional license: Strong (3DES/AES) Failover Active/Standby or Active/Active Interfaces of all types, Max. 4612 Security Contexts Optional licenses: Clustering Disabled Optional license: Available VLANs, Maximum 1024
  • Page 177 Optional licenses: Clustering Disabled Optional license: Available VLANs, Maximum 1024 1. With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.
  • Page 178 Optional licenses: Clustering Disabled Optional license: Available VLANs, Maximum 1024 1. With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.
  • Page 179 Security Contexts Optional licenses: Clustering No support VLANs, Maximum 1024 1. With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.
  • Page 180 • SSL VPN • IPsec remote access VPN using IKEv2 This license does not support browser-based (clientless) SSL VPN access or Cisco Secure Desktop. For these features, activate an AnyConnect Premium license instead of the AnyConnect Essentials license. Note With the AnyConnect Essentials license, VPN users can use a web browser to log in, and download and start (WebLaunch) the AnyConnect client.
  • Page 181 To prevent the use of DES when you want to only use strong encryption, be sure to configure any relevant commands to use only strong encryption. Failover, Active/Active: You cannot use Active/Active failover and VPN; if you want to use VPN, use Active/Standby failover.
  • Page 182 IPS version of the ASA 5515-X (part number ASA5515-IPS-K9) and try to make a failover pair with a non-IPS version (part number ASA5515-K9), then Cisco will not let you obtain IPS signature updates for the ASA5515-K9 unit, even though it has an IPS module license inherited from the other unit.
  • Page 183 1 session is used in total. However, if you start the AnyConnect client first (from a standalone client, for example) and then log into the clientless SSL VPN portal, then 2 sessions are used.
  • Page 184 IME license). Some UC applications might use multiple sessions for a connection. For example, if you configure a phone with a primary and backup Cisco Unified Communications Manager, there are 2 TLS proxy connections, so 2 UC Proxy sessions are used.
  • Page 185 This section includes the following topics: • Preinstalled License, page 1-24 • Permanent License, page 1-24 • Time-Based Licenses, page 1-24 • Shared AnyConnect Premium Licenses, page 1-27
  • Page 186 For example, if an evaluation license includes the Botnet Traffic Filter and a 1000-session AnyConnect Premium license, you cannot also activate a standalone time-based 2500-session AnyConnect Premium license.
  • Page 187 For licenses with numerical tiers, the higher value is used. Typically, you will not install a time-based license that has less capability than the permanent license, but if you do so, then the permanent license is used.
  • Page 188 1000-session AnyConnect Premium license (inactive), and a permanent 500-session AnyConnect Premium license. When the 2500-session license expires, the ASA activates the 1000-session license. After the 1000-session license expires, the ASA uses the 500-session permanent license.
  • Page 189 Note: The shared licensing server can also participate in the shared license pool. It does not need a participant license as well as the server license to participate.
  • Page 190 When the main server comes back up, the backup server starts to increment again day-by-day. For example, if the main server is down for 20 days, with the backup server active during...
  • Page 191 The ASA does not limit the number of participants for the shared license; however, a very large shared network could potentially affect the performance on the licensing server. In this case, you can increase the delay between participant refreshes, or you can create two shared networks.
  • Page 192 If you have licenses on multiple units, they combine into a single running ASA cluster license. The exceptions to this rule include: • Clustering license—Each unit must have a clustering license. • Encryption license—Each unit must have the same encryption license.
  • Page 193 If you do not restore communication during the 30-day period, then for time-based licenses, time is subtracted from all unit licenses, if installed. They are treated as separate licenses and do not benefit from the combined license. The time elapsed includes the 30-day grace period.
  • Page 194 No Payload Encryption Models You can purchase some models with No Payload Encryption. For export to some countries, payload encryption cannot be enabled on the Cisco ASA series. The ASA software senses a No Payload Encryption model, and disables the following features: •...
  • Page 195 Shared licenses are not supported in Active/Active mode. See the “Failover and Shared Licenses” section on page 1-29 for more information. • Failover units do not require the same license on each unit.
  • Page 196 (except in the case of a hardware failure). If you have to replace your device due to a hardware failure, and it is covered by Cisco TAC, contact the Cisco Licensing Team to have your existing license transferred to the new serial number. The Cisco Licensing Team will ask for the Product Authorization Key reference number and existing serial number.
  • Page 197 To obtain an activation key, you need a Product Authorization Key, which you can purchase from your Cisco account representative. You need to purchase a separate Product Activation Key for each feature license. For example, if you have the Base License, you can purchase separate keys for Advanced Endpoint Assessment and for additional AnyConnect Premium sessions.
  • Page 198 Any other keys are made inactive. – If you have mismatched licenses on a failover pair, then downgrading will disable failover. Even if the keys are matching, the license used will no longer be a combined license.
  • Page 199 Configuring the Shared Licensing Participant, page 1-39 Configuring the Shared Licensing Server: This section describes how to configure the ASA to be a shared licensing server. Prerequisites: The server must have a shared licensing server key.
  • Page 200 100 hostname(config)# license-server port 40000 hostname(config)# license-server backup 10.1.1.2 backup-id JMX0916L0Z4 ha-backup-id JMX1378N0W3 hostname(config)# license-server enable inside
  • Page 201 What to Do Next: See the “Configuring the Shared Licensing Participant” section on page 1-39. Configuring the Shared Licensing Participant: This section configures a shared licensing participant to communicate with the shared licensing server.
  • Page 202 If you have a No Payload Encryption model, then when you view the license, VPN and Unified Communications licenses will not be listed. See the “No Payload Encryption Models” section on page 1-32 for more information.
  • Page 203 The flash permanent activation key is the SAME as the running permanent key. Active Timebased Activation Key: 0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285 Botnet Traffic Filter : Enabled 646 days 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2 Total UC Proxy Sessions : 10 62 days
  • Page 204 Total UC Proxy Sessions perpetual Botnet Traffic Filter : Enabled 39 days Intercompany Media Engine : Disabled perpetual The flash permanent activation key is the SAME as the running permanent key. Active Timebased Activation Key:
  • Page 205 : Unlimited perpetual Failover : Active/Active perpetual VPN-DES : Enabled perpetual VPN-3DES-AES : Enabled perpetual Security Contexts : 12 perpetual GTP/GPRS : Enabled perpetual AnyConnect Premium Peers perpetual AnyConnect Essentials : Disabled perpetual
  • Page 206 The “Failover Cluster” license, which is the combined licenses from the primary and secondary units. This is the license that is actually running on the ASA. The values in this license that reflect the combination of the primary and secondary licenses are in bold.
  • Page 207 This platform has an ASA 5520 VPN Plus license. Running Permanent Activation Key: 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1 Licensed features for this platform: Maximum Physical Interfaces : Unlimited perpetual Maximum VLANs : 150 perpetual Inside Hosts : Unlimited perpetual
  • Page 208 : Enabled perpetual 3DES-AES : Enabled perpetual Security Contexts : 50 perpetual GTP/GPRS : Enabled perpetual Botnet Traffic Filter : Enabled 330 days This platform has an WS-SVC-ASA-SM1 No Payload Encryption license.
  • Page 209 Output in a Cluster for show activation-key hostname# show activation-key Serial Number: JMX1504L2TD Running Permanent Activation Key: 0x4a3eea7b 0x54b9f61a 0x4143a90c 0xe5849088 0x4412d4a9 Licensed features for this platform: Maximum Physical Interfaces : Unlimited perpetual
  • Page 210 Total VPN Peers : 250 perpetual Shared License : Disabled perpetual AnyConnect for Mobile : Disabled perpetual AnyConnect for Cisco VPN Phone : Disabled perpetual Advanced Endpoint Assessment : Disabled perpetual UC Phone Proxy Sessions : 2 perpetual Total UC Proxy Sessions : 2 perpetual...
  • Page 211 : NO Messages Tx/Rx/Error: Hello : 0 / 0 / 0 Sync : 0 / 0 / 0 Update : 0 / 0 / 0 Shared license utilization: SSLVPN: Total for network :...
  • Page 212 Increased interfaces for the Base license on the ASA 5510 7.2(2) For the Base license on the ASA 5510, the maximum number of interfaces was increased from 3 plus a management interface to unlimited interfaces...
  • Page 213 Advanced Endpoint Assessment License 8.0(2) The Advanced Endpoint Assessment license was introduced. As a condition for the completion of a Cisco AnyConnect or clientless SSL VPN connection, the remote computer scans for a greatly expanded collection of antivirus and antispyware applications, firewalls, operating systems, and associated updates.
  • Page 214 The AnyConnect Essentials License was introduced. This license enables AnyConnect VPN client access to the ASA. This license does not support browser-based SSL VPN access or Cisco Secure Desktop. For these features, activate an AnyConnect Premium license instead of the AnyConnect Essentials license.
  • Page 215 We modified the following commands: show activation-key and show version. Discrete activation and deactivation of time-based licenses 8.3(1) You can now activate or deactivate time-based licenses using a command. We modified the following commands: activation-key [activate | deactivate]...
  • Page 216 No Payload Encryption hardware for export 8.4(1) For models available with No Payload Encryption (for example, the ASA 5585-X), the ASA software disables Unified Communications and VPN features, making the ASA available for export to certain countries...
  • Page 217 SSP-60 (you can use two SSPs of the same level in the same chassis). VPN support for Dual SSPs VPN is now supported when using dual SSPs. We did not modify any commands...
  • Page 218 Chapter 1 Managing Feature Licenses Feature History for Licensing...
  • Page 219 PART Configuring High Availability and Scalability...
  • Page 221 How the ASA Classifies Packets, page 1-3 • Cascading Security Contexts, page 1-6 • Management Access to Security Contexts, page 1-7 • Information About Resource Management, page 1-8 • Information About MAC Addresses, page 1-11...
  • Page 222: System Configuration

    This context is named “admin.” If you do not want to use admin.cfg as the admin context, you can change the admin context...
  • Page 223 If you disable use of unique MAC addresses, then the ASA uses the mapped addresses in your NAT configuration to classify packets. We recommend using MAC addresses instead of NAT, so that traffic classification can occur regardless of the completeness of the NAT configuration...
  • Page 224 [Figure: packet classification on shared interface GE 0/0.1; the classifier uses MAC addresses 000C.F142.4CDA, 000C.F142.4CDB, and 000C.F142.4CDC to direct traffic to the Admin Context, Context A, and Context B, whose inside interfaces GE 0/1.1, GE 0/1.2, and GE 0/1.3 lead to the Admin Network, Customer A, and Customer B hosts at 209.165.202.129, 209.165.200.225, and 209.165.201.1]...
  • Page 225 [Figure: Incoming Traffic from Inside Networks; the Admin Context, Context A, and Context B each have an inside interface (GE 0/1.1, GE 0/1.2, GE 0/1.3) toward a host at 10.1.1.13 on the Admin Network, Customer A, and Customer B networks, and reach the Internet through the classifier on GE 0/0.1]...
  • Page 226 Cascading contexts requires unique MAC addresses for each context interface (the default setting). Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading contexts without unique MAC addresses...
  • Page 227 “enable_15” user, or you can log in as a different name for which you provide sufficient privileges. To log in with a new username, enter the login command. For...
  • Page 228 ASA sets the maximum limit for a context. If you oversubscribe resources, or allow some resources to be unlimited, a few contexts can “use up” those resources, potentially affecting service...
  • Page 229 SSH sessions—5 sessions. (The maximum per context.) • IPsec sessions—5 sessions. (The maximum per context.) • MAC addresses—65,535 entries. (The maximum per context.) • VPN site-to-site tunnels—0 sessions. (You must manually configure the class to allow any VPN sessions.)...
  • Page 230 [Figure 1-6 Resource Oversubscription: Total Number of System Connections = 999,900; vertical axis ticks 39,996 / 79,992 / 119,988 / 159,984 / 199,800 (Max. 20%); horizontal axis Contexts in Class; legend: Maximum connections allowed, Connections in use, Connections denied because system limit was reached]...
  • Page 231 MAC address. This section includes the following topics: • Default MAC Address, page 1-12 • Interaction with Manual MAC Addresses, page 1-12 • Failover MAC Addresses, page 1-12 • MAC Address Format, page 1-12...
  • Page 232 For an example of how the prefix is used, if you set a prefix of 77, then the ASA converts 77 into the hexadecimal value 004D (yyxx). When used in the MAC address, the prefix is reversed (xxyy) to match the ASA native form: A24D.00zz.zzzz...
  • Page 233 Base License: 2 contexts. SSP-20, -40, and -60 Optional licenses: 5, 10, 20, 50, 100, or 250 contexts. ASASM Base License: 2 contexts. Optional licenses: 5, 10, 20, 50, 100, or 250 contexts...
  • Page 234 If you store context configurations in the root directory of flash memory, on some models you might run out of room in that directory, even though there is available memory. In this case, create a subdirectory for your configuration files. Background: some models, such as the ASA 5585-X, use...
  • Page 235 “Automatically Assigning MAC Addresses to Context Interfaces” section on page 1-25. Step 6 Complete interface configuration in the context. See Chapter 1, “Completing Interface Configuration (Routed Mode),” or Chapter 1, “Completing Interface Configuration (Transparent Mode).”...
  • Page 236 Enabling or Disabling Multiple Context Mode Your ASA might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you need to convert from single mode to multiple mode, follow the procedures in this section.
  • Page 237 Prerequisites Perform this procedure in the system execution space. Guidelines Table 1-1 lists the resource types and the limits. See also the show resource types command...
  • Page 238: Resource

    1-1 for the Other VPN sessions limit available for your model. The sessions you assign for this resource are guaranteed to the context. SSH: 1 minimum, 5 maximum. Concurrent SSH sessions...
  • Page 239 2 All other resources remain at unlimited. To add a class called gold, enter the following commands: hostname(config)# class gold hostname(config-class)# limit-resource mac-addresses 10000 hostname(config-class)# limit-resource conns 15%...
  • Page 240 Although this context does not exist yet in your configuration, you can subsequently enter the context name command to continue the admin context configuration...
  • Page 241 “System” or “Null” (in upper or lower case letters) are reserved names, and cannot be used. Step 2 description text (Optional) Adds a description for this context. Example: hostname(config-ctx)# description Administrator Context...
  • Page 242 Specify visible to see the real interface ID in the show interface command if you set a mapped name. The default invisible keyword shows only the mapped name...
  • Page 243 [mapped_name] [default] See the “Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)” section on page 1-16 for detailed information about virtual sensors. Example: hostname(config-ctx)# allocate-ips sensor1 highsec...
  • Page 244 indicate from which organization the request comes. The authentication key is a 16-byte hexadecimal number. “Configuring the ASA for Cisco Cloud Web Security” section on page 1-1 for detailed information about ScanSafe. Example: hostname(config-ctx)# scansafe Examples The following example sets the admin context to be “administrator,” creates a context called “administrator”...
  • Page 245 For example, you cannot view all running configurations (system plus all contexts) by entering the show running-config command. Only the current configuration displays...
  • Page 246 URL location. clear context Removes all contexts (including the admin context). The context configuration files are not removed from the config URL locations...
  • Page 247 You might get errors, or you might have unexpected results. If the running configuration is blank (for example, if the server was unavailable and the configuration was never downloaded), then the new configuration is used...
  • Page 248 This action clears additional attributes, such as memory allocation, which might be useful for troubleshooting. However, adding the context back to the system requires you to respecify the URL and interfaces. This section includes the following topics: • Reloading by Clearing the Configuration, page 1-29...
  • Page 249 • Viewing Context Information, page 1-30 • Viewing Resource Allocation, page 1-31 • Viewing Resource Usage, page 1-34 • Monitoring SYN Attacks in Contexts, page 1-35 • Viewing Assigned MAC Addresses, page 1-37...
  • Page 250 Mapped Interfaces: Management0/0 Flags: 0x00000013, ID: 1 Context "ctx", has been created, but initial ACL rules not complete Config URL: ctx.cfg Real Interfaces: GigabitEthernet0/0.10, GigabitEthernet0/1.20, GigabitEthernet0/2.30 Mapped Interfaces: int1, int2, int3 Flags: 0x00000011, ID: 2...
  • Page 251: Syslogs [Rate]

    % of Avail Conns [rate] 35000 Inspects [rate] 35000 Syslogs [rate] 10500 Conns 305000 30.50% Hosts 78842 35.00% Routes 5000 Telnet 35.00% Xlates 91749 Other VPN Sessions 2.66% Other VPN Burst 2.66% unlimited...
  • Page 252: Ssh

    100000 100000 10.00% bronze 50000 All Contexts: 300000 30.00% Hosts default unlimited gold unlimited silver 26214 26214 bronze 13107 All Contexts: 26214 default gold 5.00% silver 10.00% bronze All Contexts: 20.00% Telnet default...
  • Page 253 The percentage of the total system resources that is allocated across all contexts in the class. If the resource is unlimited, this display is blank. If the resource does not have a system limit, then this column shows N/A...
  • Page 254 The following is sample output from the show resource usage summary command, which shows the resource usage for all contexts and all resources. This sample shows the limits for six contexts. hostname# show resource usage summary...
  • Page 255 ASA acts as a proxy for the server and generates a SYN-ACK response to the client SYN request. When the ASA receives an ACK back from the client, it can then authenticate the client and allow the connection to the server...
  • Page 256 959872 960000 unlimited 0 c1 chunk:channels unlimited 0 c1 chunk:dbgtrace unlimited 0 c1 chunk:fixup unlimited 0 c1 chunk:global unlimited 0 c1 chunk:hole unlimited 0 c1 chunk:ip-users unlimited 0 c1 chunk:udp-ctrl-blk unlimited 0 c1...
  • Page 257 You can view auto-generated MAC addresses within the system configuration or within the context. This section includes the following topics: • Viewing MAC Addresses in the System Configuration, page 1-38 • Viewing MAC Addresses Within a Context, page 1-39...
  • Page 258 Management0/0 a2d2.0400.125a a2d2.0400.125b config-url disk0:/admin.cfg context CTX1 allocate-interface GigabitEthernet0/0 allocate-interface GigabitEthernet0/0.1-GigabitEthernet0/0.5 mac-address auto GigabitEthernet0/0.1 a2d2.0400.11bc a2d2.0400.11bd mac-address auto GigabitEthernet0/0.2 a2d2.0400.11c0 a2d2.0400.11c1 mac-address auto GigabitEthernet0/0.3 a2d2.0400.11c4 a2d2.0400.11c5 mac-address auto GigabitEthernet0/0.4 a2d2.0400.11c8 a2d2.0400.11c9...
  • Page 259 The show interface command shows the MAC address in use; if you manually assign a MAC address and also have auto-generation enabled, then you can only view the unused auto-generated address from within the system configuration...
  • Page 261 50 to 100. The maximum for the ASA 5580 was increased from 50 to 250. Automatic MAC address assignment enabled by default 8.5(1) Automatic MAC address assignment is now enabled by default. We modified the following command: mac-address auto...
  • Page 262 A new resource type, routes, was created to set the maximum number of routing table entries in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation...
  • Page 263 New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation...
  • Page 264 Chapter 1 Configuring Multiple Context Mode Feature History for Multiple Context Mode...
  • Page 265 ASA Cluster Interfaces, page 1-4 • Cluster Control Link, page 1-6 • High Availability within the ASA Cluster, page 1-9 • Configuration Replication, page 1-10 • ASA Cluster Management, page 1-10 • Load Balancing Methods, page 1-12...
  • Page 266 70% of 80 Gbps (8 units x 10 Gbps): 56 Gbps. Cluster Members • ASA Hardware and Software Requirements, page 1-3 • Bootstrap Configuration, page 1-3 • Master and Slave Unit Roles, page 1-3 • Master Unit Election, page 1-3...
  • Page 267 Any other units with a higher priority respond to the election request; the priority is set between 1 and 100, where 1 is the highest priority. If, after 45 seconds, a unit does not receive a response from another unit with a higher priority, then it becomes master...
  • Page 268: Interface Types

    IP address is assigned to the bridge group, not to the interface. The EtherChannel inherently provides load balancing as part of basic operation. See also the “Spanned EtherChannel (Recommended)” section on page 1-12...
  • Page 269 “Load Balancing Methods” section on page 1-12. Note We recommend Spanned EtherChannels instead of Individual interfaces because Individual interfaces rely on routing protocols to load-balance traffic, and routing protocols often have slow convergence during a link failure...
  • Page 270 Each unit must dedicate at least one hardware interface as the cluster control link. • Cluster Control Link Traffic Overview, page 1-7 • Cluster Control Link Network, page 1-7 • Sizing the Cluster Control Link, page 1-7 • Cluster Control Link Redundancy, page 1-8...
  • Page 271 When membership changes, the cluster needs to rebalance a large number of connections, thus temporarily using a large amount of cluster control link bandwidth. A higher-bandwidth cluster control link helps the cluster to converge faster when there are membership changes and prevents throughput bottlenecks...
  • Page 272 IP pool. However, if you reload, and the unit is still inactive in the cluster, the management interface is not accessible (because it then uses the Main IP address, which is the same as the master unit). You must use the console port for any further configuration...
  • Page 273 TCP/UDP state information, so that the connection can be seamlessly transferred to a new owner in case of a failure...
  • Page 274: Management Network

    For the management interface, we recommend using one of the dedicated management interfaces. You can configure the management interfaces as Individual interfaces (for both routed and transparent modes) or as a Spanned EtherChannel interface...
  • Page 275 Main cluster IP address using ASDM, then a warning message about a mismatched IP address appears because the certificate uses the Local IP address, and not the Main cluster IP address...
  • Page 276 IP address (the default) or the source and destination port as the hashing algorithm. • Use the same type of line cards when connecting the ASAs to the switch so that hashing algorithms applied to all packets are the same...
  • Page 277 16 links in the EtherChannel. The active links are shown as solid lines, while the inactive links are dotted. cLACP load-balancing can automatically choose the best 8 links to be active in the EtherChannel. As shown, cLACP helps achieve load balancing at the link level...
  • Page 278 ASA. For example, if you have a Cisco router, redundancy can be achieved by using IOS PBR with Object Tracking. IOS Object Tracking monitors each ASA using ICMP ping. PBR can then enable or disable route maps based on reachability of a particular ASA.
  • Page 279 A connection can have multiple forwarders; the most efficient throughput is achieved by a good load-balancing method where there are no forwarders and all packets of a connection are received by the owner...
  • Page 280 If packets are delivered to any additional unit, that unit queries the director for the owner and establishes a flow. Any state change for the flow results in a state update from the owner to the director...
  • Page 281 IPsec passthrough – MGCP – – RTSP – – SCCP (Skinny) – WAAS – WCCP • Botnet Traffic Filter • Auto Update Server • DHCP client, server, relay, and proxy • VPN load balancing...
  • Page 282 Authentication and Authorization for network access. Accounting is decentralized. • Filtering Services Features Applied to Individual Units These features are applied to each ASA unit, instead of the cluster as a whole or to the master unit...
  • Page 283: Dynamic Routing

    If a routing packet arrives at a slave, it is redirected to the master unit. [Figure 1-1 Dynamic Routing in Spanned EtherChannel Mode: only the master unit uses OSPF with neighboring routers such as Router B; the slave cluster members are invisible behind the load-balancing EtherChannel]...
  • Page 284: Multicast Routing

    Multicast Routing in Spanned EtherChannel Mode In Spanned EtherChannel mode, the master unit handles all multicast routing packets and data packets until fast-path forwarding is established. After the connection is established, each slave can forward multicast data packets...
  • Page 285 “Per-Session PAT vs. Multi-Session PAT” section on page 1-9 in the firewall configuration guide. • No static PAT for the following inspections— – – PPTP – – SQLNET – TFTP – XDMCP – All Voice-over-IP applications...
  • Page 286 For connections to an Individual interface when using PBR or ECMP, you must always connect to the Main cluster IP address, not a Local address. VPN-related keys and certificates are replicated to all units...
  • Page 287: Licensing Requirements For Asa Clustering

    IP address. – Except for the IP address used by the master unit (typically the first unit you add to the cluster), these management IP addresses are for temporary use only...
  • Page 288: Guidelines And Limitations

    PortFast on the switch ports connected to the ASA to speed up the join process for new units. • When you see slow bundling of a Spanned EtherChannel on the switch, you can enable LACP rate fast for an Individual interface on the switch...
  • Page 289 [Figure: VLAN 101 Spanned Data Ifc; ASA1, ASA2, ASA3, and ASA4 connect their ten0/6 interfaces to port-ch1, port-ch2, port-ch3, and port-ch4 respectively]...
  • Page 290 ASA cluster. These messages can result in some units of the ASA cluster experiencing high CPU, which can affect performance. We recommend that you throttle ICMP error messages...
  • Page 291 Configure the security policy on the master unit. See the chapters in this guide to configure supported features on the master unit. The configuration is replicated to the slave units. For a list of supported and unsupported features, see the “ASA Features and Clustering” section on page 1-17...
  • Page 292: Configuring Asa Clustering

    VLAN subinterface of the EtherChannel. Using subinterfaces lets both inside and outside interfaces take advantage of the benefits of an EtherChannel. • 1 Management interface. You have one switch for both the inside and outside networks...
  • Page 293 VLAN 200 for the inside and VLAN 201 for the outside. Management interface Management 0/0 4 ports total Place all interfaces on the same isolated management VLAN, for example VLAN 100...
  • Page 294 (rare), the mode is changed and the configuration is preserved. If you do not want to clear your configuration, you can exit the command by typing n. To remove the interface mode, enter the no cluster interface-mode command...
  • Page 295 For a redundant interface, see the “Configuring a Redundant Interface” section on page 1-26. Management-only interfaces cannot be redundant interfaces. – For subinterfaces, see the “Configuring VLAN Subinterfaces and 802.1Q Trunking” section on page 1-31...
  • Page 296 ipv6 address ipv6-address/prefix-length cluster-pool poolname DHCP, PPPoE, and IPv6 autoconfiguration are not supported; you must manually configure the IP addresses. Example: hostname(config-if)# ip address 192.168.1.1 255.255.255.0 cluster-pool ins hostname(config-if)# ipv6 address 2001:DB8::1002/32 cluster-pool insipv6...
  • Page 297 Mode on Each Unit” section on page 1-30. • For multiple context mode, start this procedure in the system execution space. If you are not already in the System configuration mode, enter the changeto system command...
  • Page 298 • For detailed EtherChannel guidelines, limitations, and prerequisites, see the “Configuring an EtherChannel” section on page 1-28. • See also the “EtherChannel Guidelines” section on page 1-11...
  • Page 299 ASAs to the VSS (or vPC) pair are span-cluster balanced. You must configure the vss-id keyword in the channel-group command for each member interface before enabling load balancing (see Step...
  • Page 300 Sets the IPv4 and/or IPv6 address. DHCP, PPPoE, and IPv6 autoconfig are not supported. (IPv4) ip address ip_address [mask] (IPv6) ipv6 address ipv6-prefix/prefix-length Example: hostname(config-if)# ip address 10.1.1.1 255.255.255.0 hostname(config-if)# ipv6 address 2001:DB8::1001/32...
  • Page 301 Prerequisites, page 1-38 • Enabling the Cluster Control Link Interface, page 1-38 • Configuring Basic Bootstrap Settings and Enabling Clustering, page 1-40 • Configuring Advanced Clustering Settings, page 1-42 • Examples, page 1-43...
  • Page 302 You cannot use a Management x/x interface as the cluster control link, either alone or as an EtherChannel. • For the ASA 5585-X with an ASA IPS or ASA CX module, you cannot use the module interfaces for the cluster control link...
  • Page 303 Step 4 interface interface_id channel-group channel_id mode on no shutdown Repeat for each additional interface you want to add to the EtherChannel. Example: hostname(config)# interface tengigabitethernet 0/7 hostname(config-if)# channel-group 1 mode hostname(config-if)# no shutdown...
  • Page 304 priority priority_number Sets the priority of this unit for master unit elections, between 1 and 100, where 1 is the highest priority. See the “Master Unit Election” section on page 1-3 for more information. Example: hostname(cfg-cluster)# priority 1...
  • Page 305 Cryptochecksum (changed): f16b7fc2 a742727e e40bc0b0 cd169999 INFO: Done want to remove the unit from the cluster entirely (and thus want to have active data interfaces), see the “Leaving the Cluster” section on page 1-49...
  • Page 306 VSS or vPC) you should disable the health check feature. When the topology change is complete, and the configuration change is synced to all units, you can re-enable the health check feature...
  • Page 307 1 mode on no shutdown cluster group pod1 local-unit unit1 cluster-interface port-channel1 ip 192.168.1.1 255.255.255.0 priority 1 key chuntheunavoidable enable noconfirm Configuring Slave Unit Bootstrap Settings Perform the following procedures to configure the slave units...
  • Page 308 0/6 Step 2 no shutdown Enables the interface. You only need to enable the interface; do not configure a name for the interface, or any other parameters. Example: hostname(config-if)# no shutdown...
  • Page 309 Configure the slave unit bootstrap settings. See the “Configuring Bootstrap Settings and Joining the Cluster” section on page 1-45. Configuring Bootstrap Settings and Joining the Cluster Perform the following steps to configure bootstrap settings and join the cluster as a slave unit...
  • Page 310 priority priority_number Sets the priority of this unit for master unit elections, between 1 and 100, where 1 is the highest priority. See the “Master Unit Election” section on page 1-3 for more information. Example: hostname(cfg-cluster)# priority 2...
  • Page 311: Managing Asa Cluster Members

    192.168.1.2 255.255.255.0 priority 2 key chuntheunavoidable enable as-slave Managing ASA Cluster Members • Becoming an Inactive Member, page 1-48 • Inactivating a Member, page 1-48...
  • Page 312 When an ASA becomes inactive, all data interfaces are shut down; only the management-only interface can send and receive traffic. To resume traffic flow, re-enable clustering; or you can remove the unit altogether from the cluster. See the “Leaving the Cluster” section on page 1-49. The management...
  • Page 313 You must use the console port; when you remove the cluster configuration, all interfaces are shut down, including the management interface and cluster control link. Moreover, you cannot enable or disable clustering from a remote CLI connection...
  • Page 314 Note, however, that for centralized features, if you force a master unit change using this procedure, then all connections are dropped, and you have to re-establish the connections on the new master unit. See the “Centralized Features” section on page 1-18 for a list of centralized features...
  • Page 315 The following sample output for the cluster exec show port-channel summary command shows EtherChannel information for each member in the cluster: hostname# cluster exec show port-channel summary primary(LOCAL):*********************************************************** Number of channel-groups in use: 2 Group Port-channel Protocol Span-cluster Ports ------+-------------+-----------+----------------------------------------------- LACP Gi0/0(P) LACP Gi0/1(P)...
  • Page 316: Monitoring The Asa Cluster

    This command is useful for datapath troubleshooting. Example 1-1 show cluster info hostname# show cluster info Cluster stbu: On This is "C" in state SLAVE Version : 100.8(0.52)...
  • Page 317 101 line 6 extended permit tcp host 192.168.1.177 host 192.168.43.13 (hitcnt=0, 0, 0, 0, 0) 0x1e68697c access-list 101 line 7 extended permit tcp host 192.168.1.177 host 192.168.43.132 (hitcnt=2, 0, 0, 1, 1) 0xc1ce5c49...
  • Page 318 See the “Capturing Packets” section on page 1-2...
  • Page 319 Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN, B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media, c - cluster centralized,...
  • Page 320: Configuration Examples For Asa Clustering

    GigabitEthernet 0/3 GigabitEthernet 1/0/16 GigabitEthernet 0/4 GigabitEthernet 1/0/17 GigabitEthernet 0/5 GigabitEthernet 1/0/18 • ASA Configuration, page 1-56 • IOS Switch Configuration, page 1-58 ASA Configuration Interface Mode on Each Unit cluster interface-mode spanned force...
  • Page 321 GigabitEthernet0/3 channel-group 10 mode active no shutdown interface GigabitEthernet0/4 channel-group 11 mode active no shutdown interface GigabitEthernet0/5 channel-group 11 mode active no shutdown interface Management0/0 management-only nameif management ip address 10.53.195.230 cluster-pool mgmt-pool...
  • Page 322 GigabitEthernet1/0/18 switchport access vlan 401 switchport mode access spanning-tree portfast channel-group 11 mode active interface Port-channel10 switchport access vlan 201 switchport mode access interface Port-channel11 switchport access vlan 401 switchport mode access...
  • Page 323 Interface Mode on Each Unit cluster interface-mode spanned force ASA1 Master Bootstrap Configuration interface tengigabitethernet 0/8 no shutdown description CCL cluster group cluster1 local-unit asa1 cluster-interface tengigabitethernet0/8 ip 192.168.1.1 255.255.255.0 priority 1 key chuntheunavoidable enable noconfirm...
  • Page 324 2.10 vlan 10 nameif inside ip address 10.10.10.5 255.255.255.0 ipv6 address 2001:DB8:1::5/64 mac-address 000C.F142.4CDE interface port-channel 2.20 vlan 20 nameif outside ip address 209.165.201.1 255.255.255.224 ipv6 address 2001:DB8:2::8/64 mac-address 000C.F142.5CDE...
  • Page 325 1 mode on no shutdown interface tengigabitethernet 0/7 channel-group 1 mode on no shutdown interface port-channel 1 description CCL cluster group cluster1 local-unit asa1 cluster-interface port-channel1 ip 192.168.1.1 255.255.255.0 priority 1 key chuntheunavoidable enable noconfirm...
  • Page 326 2 mode active no shutdown interface port-channel 2 port-channel span-cluster nameif inside ip address 10.10.10.5 255.255.255.0 ipv6 address 2001:DB8:1::5/64 mac-address 000C.F142.4CDE interface tengigabitethernet 0/9 channel-group 3 mode active no shutdown interface port-channel 3...
  • Page 327 Interface Mode on Each Unit cluster interface-mode individual force ASA1 Master Bootstrap Configuration interface tengigabitethernet 0/6 channel-group 1 mode on...
  • Page 328 Master Interface Configuration ip local pool mgmt 10.1.1.2-10.1.1.5 ipv6 local pool mgmtipv6 2001:DB8::1002/64 4 interface management 0/0 channel-group 2 mode active no shutdown interface management 0/1 channel-group 2 mode active no shutdown...
  • Page 329 VSS/vPC is used. The following diagram shows what happens when the total number of links grows as more units join the cluster:...
  • Page 330 The principle is to first maximize the number of active ports in the channel, and secondly keep the number of active primary ports and the number of active secondary ports in balance. Note that when a 5th unit joins the cluster, traffic is not balanced evenly between all units...
  • Page 331 Link or device failure is handled with the same principle. You may end up with a less-than-perfect load balancing situation. The following figure shows a 4-unit cluster with a single link failure on one of the units. ASA1 ASA2 ASA3 ASA4...
  • Page 332 0/7 channel-group 1 mode on no shutdown interface tengigabitethernet 0/8 channel-group 1 mode on no shutdown interface tengigabitethernet 0/9 channel-group 1 mode on no shutdown interface port-channel 1 description CCL...
  • Page 333 1 description CCL cluster group cluster1 local-unit asa3 cluster-interface port-channel1 ip 192.168.1.3 255.255.255.0 priority 3 key chuntheunavoidable enable as-slave ASA4 Slave Bootstrap Configuration interface tengigabitethernet 0/6 channel-group 1 mode on...
  • Page 334 4 mode active vss-id 1 no shutdown interface tengigabitethernet 1/9 channel-group 4 mode active vss-id 2 no shutdown interface port-channel 4 port-channel span-cluster vss-load-balance nameif outside ip address 209.165.201.1 255.255.255.224 mac-address 000C.F142.5CDE...
  • Page 335: Feature History For Asa Clustering

    (interface), mac-address pool, mtu cluster, port-channel span-cluster, priority (cluster group), prompt cluster-unit, show asp cluster counter, show asp table cluster chash-table, show cluster, show cluster info, show cluster user-identity, show lacp cluster, show running-config cluster...
  • Page 336 Chapter 1 Configuring a Cluster of ASAs Feature History for ASA Clustering...
  • Page 337 CHAPTER Information About Failover This chapter provides an overview of the failover features that enable you to achieve high availability on the Cisco 5500 series ASAs. For information about configuring high availability, see Chapter 1, “Configuring Active/Active Failover”...
  • Page 338: Hardware Requirements

    The two units in a failover configuration do not need to have identical licenses; the licenses combine to make a failover cluster license. See the “Failover or ASA Cluster Licenses” section on page 1-30 for more information...
  • Page 339 The ASA supports Auto-MDI/MDIX on its copper Ethernet ports, so you can either use a crossover cable or a straight-through cable. If you use a straight-through cable, the interface automatically detects the cable and swaps one of the transmit/receive pairs to MDIX...
  • Page 340 MDIX. Enable the PortFast option on Cisco switch ports that connect directly to the ASA. If you use a data interface as the Stateful Failover link, you receive the following warning when you...
  • Page 341 Subsequently, the failover operation is suspended until the health of the failover link is restored...
  • Page 342 [Figure residue: Switch 1, Switch 2, Primary, Secondary, outside, inside, Failover link] Figure 1-4 Connecting with a Cable [Figure residue: Primary, Secondary, outside, inside, Failover link, Ethernet cable]...
  • Page 343 [Figure residue: Switch 1 through Switch 6, Primary, Secondary, outside, inside, Active redundant failover link, Standby redundant failover link]...
  • Page 344 The type of failover you choose depends upon your ASA configuration and how you plan to use the ASAs. If you are running the ASA in single mode, then you can use only Active/Standby failover. Active/Active failover is only available to ASAs running in multiple context mode...
  • Page 345 VPN failover subsystem, which is part of Stateful Failover. You must use Stateful Failover to synchronize these elements between the members of the failover pair. Stateless (regular) failover is not recommended for clientless SSL VPN...
  • Page 346 The call must be re-established. The following clientless SSL VPN features are not supported with Stateful Failover: • Smart Tunnels • Port Forwarding • Plugins • Java Applets...
  • Page 347 Citrix authentication (Citrix users must reauthenticate after failover) Note If failover occurs during an active Cisco IP SoftPhone session, the call remains active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client loses connection with the Cisco CallManager.
  • Page 348 ASASM redundancy configuration. The trunk between the two switches carries the failover ASASM VLANs (VLANs 10 and 11). Note ASASM failover is independent of the switch failover operation; however, ASASM works in any switch failover scenario...
  • Page 349 [Figure residue: Normal Operation; Internet, VLAN 100, Switch, VLAN 200, Failover Links VLAN 10 and VLAN 11, Trunk VLANs 10 & 11, Active ASA SM, Standby ASA SM, VLAN 201 Inside, VLAN 202, VLAN 203 Mktg]...
  • Page 350 [Figure residue: ASASM Failure; Internet, VLAN 100, Switch, VLAN 200, Failover Links VLAN 10 and VLAN 11, Trunk VLANs 10 & 11, Failed ASA SM, Active ASA SM, VLAN 201 Inside, VLAN 202, VLAN 203 Mktg]...
  • Page 351 STP blocking mode. • Trunk mode—Block BPDUs on the ASA on both the inside and outside interfaces: access-list id ethertype deny bpdu access-group id in interface inside_name access-group id in interface outside_name...
  • Page 352 The primary unit retrieves the appropriate files from the HTTP server using the URL from the Auto Update Server. The primary unit copies the image to the standby unit and then updates the image on itself...
  • Page 353 Fover copyfile, seq = 4 type = 1, pseq = 2001, len = 1024 auto-update: Fover copyfile, seq = 4 type = 1, pseq = 2501, len = 1024 auto-update: Fover copyfile, seq = 4 type = 1, pseq = 3001, len = 1024...
  • Page 354 The ASA monitors each unit for overall health and for interface health. See the following sections for more information about how the ASA performs tests to determine the state of each unit: • Unit Health Monitoring, page 1-19 • Interface Monitoring, page 1-19...
  • Page 355 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If an interface has IPv4 and IPv6 addresses configured on it, the ASA uses the IPv4 addresses to perform the health monitoring...
  • Page 356 If the failover condition persists, however, the unit will fail again. Failover Times Table 1-2 shows the minimum, default, and maximum failover times. Table 1-2 Cisco ASA 5500 Series ASA Failover Times Failover Condition Minimum Default Maximum Active unit loses power or stops normal operation.
  • Page 357 SNMP To receive SNMP syslog traps for failover, configure the SNMP agent to send SNMP traps to SNMP management stations, define a syslog host, and compile the Cisco syslog MIB into your SNMP management station. See Chapter 1, “Configuring SNMP”...
  • Page 358 Chapter 1 Information About Failover Failover Messages...
  • Page 359 IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network...
  • Page 360 The ASA does not send gratuitous ARPs for static NAT addresses when the MAC address changes, so connected routers do not learn of the MAC address change for these addresses...
  • Page 361 The following commands are not replicated to the standby ASA: • All forms of the copy command except for copy running-config startup-config • All forms of the write command except for write memory • debug • failover lan unit • firewall...
  • Page 362 The unit has a hardware failure or a power failure. • The unit has a software failure. • Too many monitored interfaces fail. • You force a failover. (See the “Forcing Failover” section on page 1-16.)...
  • Page 363 unit above threshold: No action; Mark standby as failed. When the standby unit is marked as failed, then the active unit does not attempt to fail over even if the interface failure threshold is surpassed...
  • Page 364 This section includes the guidelines and limitations for this feature. Context Mode Guidelines • Supported in single and multiple context mode. • For multiple context mode, perform all steps in the system execution space unless otherwise noted...
  • Page 365 This section describes how to configure Active/Standby failover. This section includes the following topics: • Task Flow for Configuring Active/Standby Failover, page 1-8 • Configuring the Primary Unit, page 1-8 • Configuring the Secondary Unit, page 1-11 • Configuring Optional Active/Standby Failover Settings, page 1-12...
  • Page 366 Chapter 1, “Completing Interface Configuration (Transparent Mode).” • For multiple context mode, complete this procedure in the system execution space. To change from the context to the system execution space, enter the changeto system command...
  • Page 367 IP address stays with the secondary unit. folink 2001:a0a:b00::a0a:b70/64 standby 2001:a0a:b00::a0a:b71 Step 4 interface interface_id no shutdown Enables the interface. Example: hostname(config)# interface vlan100 hostname(config-if)# no shutdown...
  • Page 368 If the Stateful Failover link uses the failover link or a data interface, skip this step. You have already enabled the interface. Example: hostname(config)# interface vlan100 hostname(config-if)# no shutdown...
  • Page 369 Enter this command exactly as you entered it on the primary unit when you configured the failover interface on the primary unit (including the same IP address). hostname(config)# failover interface ip folink 2001:a0a:b00::a0a:b70/64 standby 2001:a0a:b00::a0a:b71...
  • Page 370 You can configure the optional Active/Standby failover settings when initially configuring the primary unit in a failover pair (see Configuring the Primary Unit, page 1-8) or on the active unit in the failover pair after the initial configuration...
  • Page 371 To enable or disable health monitoring for specific interfaces on units in single configuration mode, enter one of the following commands. Alternately, for units in multiple configuration mode, you must enter the commands within each security context. Do one of the following:...
  • Page 372 Decreasing the poll and hold times enables the ASA to detect and respond to interface failures more quickly but may consume more system resources. Increasing the poll and hold times prevents the ASA from failing over on networks with higher latency...
  • Page 373 You cannot configure a virtual MAC address for the failover or Stateful Failover links. The MAC and IP addresses for those links do not change during failover. To configure the virtual MAC addresses for an interface, enter the following command on the active unit:...
  • Page 374 no failover active Forces a failover when entered on the active unit in a failover pair. The active unit becomes the standby unit. Example: hostname# no failover active Disabling Failover To disable failover, enter the following command:...
  • Page 375 ASA considers its status to be OK, although it is not receiving hello packets from the peer. To simulate interface holdtime, shut down the VLAN on the switch to prevent peers from receiving hello packets from each other...
  • Page 376 show monitor-interface Displays information about the monitored interface. show running-config failover Displays the failover commands in the running configuration. For more information about the output of the monitoring commands, refer to the Cisco ASA 5500 Series Command Reference. Feature History for Active/Standby Failover Table 1-2 lists the release history for this feature.
  • Page 377 You can create a maximum of two failover groups. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default...
  • Page 378 When a unit boots while the peer unit is active (with both failover groups in the active state), the failover groups remain in the active state on the active unit regardless of the primary or secondary preference of the failover group until one of the following occurs: – A failover occurs...
  • Page 379 Commands entered in the system execution space are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state...
  • Page 380 The command is replicated to the peer unit and causes the configuration to be saved to flash memory on the peer unit. Failover Triggers In Active/Active failover, failover can be triggered at the unit level if one of the following events occurs: • The unit has a hardware failure...
  • Page 381 Formerly active failover group recovers: No failover; No action; No action. Unless failover group preemption is configured, the failover groups remain active on their current unit...
  • Page 382 Each unit marks the failover interface as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down...
  • Page 383 Version 7.0(1) to Version 7.9(2) and have failover remain active. We recommend upgrading both units to the same version to ensure long-term compatibility. • The same software configuration. • The same mode (multiple context mode). • The proper license...
  • Page 384 IPv6 Guidelines IPv6 failover is supported. Model Guidelines Active/Active failover is not available on the Cisco ASA 5505. Additional Guidelines and Limitations No two interfaces in the same context should be configured in the same ASR group. Configuring port security on the switch(es) connected to an ASA failover pair can cause communication problems when a failover event occurs.
  • Page 385 Configuration (Routed Mode),” Chapter 1, “Completing Interface Configuration (Transparent Mode).” • Complete this procedure in the system execution space. To change from the context to the system execution space, enter the changeto system command...
  • Page 386 Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. On the ASASM, the phy_if specifies a VLAN. This interface should not be used for any other purpose (except, optionally, the failover link)...
  • Page 387 {1 | 2} Any unassigned contexts are automatically assigned to failover group 1. The admin context is always a member of failover group 1. Example: hostname(config)# context Eng hostname(config-context)# join-failover-group 1 hostname(config-context)# exit...
  • Page 388 IP address stays with the secondary unit. folink 2001:a0a:b00::a0a:b70/64 standby 2001:a0a:b00::a0a:b71 Step 3 interface phy_if no shutdown Enables the interface. Example: hostname(config-if)# interface GigabitEthernet0/3...
  • Page 389 When the other unit comes online, any failover groups that have the unit as a priority d